ISC Open Source Projects / dhcp / Issue #144

Created Nov 02, 2020 by Gunnar Haslinger@gunnar

Cisco ASA / AnyConnect VPN using ISC DHCPD - reassign IP-Address-leases to same VPN-Clients

Scenario:

  • Cisco AnyConnect VPN-Clients
  • Cisco ASA Appliance as DHCP-Client for the VPN-Clients
  • ISC DHCPD as DHCP-Server for the Cisco ASA

We like to have a lease-time of e.g. 8 days. A client connecting today should get the same IP as it got yesterday. Our idea is to provide an IP-lease-Pool big enough to have pseudo-static Client-IP-Addresses. The address the client gets on its first connect should be the same it gets the following days/months.

Currently VPN-Clients are not assigned the same IP-Address, because:

  • Cisco ASA is acting as DHCP-Client for the VPN-Clients
  • The Client-MAC of all VPN-Clients is the same (the ASA MAC)

The Client-UID (Client identifier) sent by the ASA is a combined string of "cisco-$MAC-$Hostname$Counter-inside".

  • For example: cisco-0050.5680.4b04-ClientA4567-inside

  • The Prefix "cisco" + MAC-Address of the Cisco-ASA is always the same: cisco-0050.5680.4b04

  • The Hostname (e.g. "ClientA") is the real (unique) Hostname of our Client-Machines

  • The counter counts up on every connection.

  • Suffix "-inside" is always the same

  • If "ClientA" disconnects and connects again it will be like cisco-0050.5680.4b04-ClientA4568-inside (the last digits count up)

  • There seems to be no way to configure the Cisco ASA to not count up the Client-UID's last digits on each connection

  • We tried to use Option "ignore-client-uids true;" to reassign the same IP-Address - but this does not work, because without UID only the MAC-Address is used to re-assign the IP-Address, but all Clients have the same (Cisco ASA) MAC-Address.

Are there any suggestions?

  • If there is no solution for this scenario, we are interested in implementing a new ISC DHCPd Option "hostname-as-uid true;" to create the possibility to address this scenario.

  • This option "hostname-as-uid true;" could be used like the existing "ignore-client-uids true;" Option, but instead of not saving the Client-UID we would override the received Client-UID with the received hostname-option.

  • All functionality like storing the uid to the lease-file, checking if there is a lease for the client with the given Client-UID etc... will be done with the "replaced uid" (= Hostname) instead of the real received Client-UID.

  • Are there any other suggestions or comments on this?

  • Is there interest to accept a merge request if we implement such a feature?

Edited Nov 17, 2020 by Gunnar Haslinger
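As an added illustration (constructed here, not part of the issue or of ISC dhcpd's code), the following Python models a simplified lease table and replays the same VPN logins against the three matching keys the report contrasts: the raw client-identifier (today's behaviour), MAC only (the effect of "ignore-client-uids true;"), and the proposed "hostname-as-uid" override. The ASA MAC and the uid layout come from the issue; the hostnames, counters, pool addresses and the assumption that the ASA forwards the real hostname in option 12 are constructed for the example, and the table omits lease expiry and conflict detection.

```python
"""Constructed model of dhcpd-style lease matching for the Cisco ASA case.

Added example, not part of the issue or of ISC dhcpd. It keeps a toy lease
table and compares three matching keys: the raw client-uid (what the report
says happens today), MAC only (the effect of 'ignore-client-uids true;'),
and the proposed 'hostname-as-uid' behaviour that keys leases on the
hostname option instead.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Client-identifier layout described in the issue: cisco-$MAC-$Hostname$Counter-inside
ASA_UID_RE = re.compile(
    r"^cisco-(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})-(?P<rest>.+)-inside$"
)


def parse_asa_uid(uid: str) -> Optional[Tuple[str, str]]:
    """Split an ASA-style uid into (asa_mac, hostname+counter); None if not that format.

    The hostname/counter boundary is deliberately not guessed: a hostname that
    itself ends in digits ('Client7') makes a trailing-digit split ambiguous,
    which is why the proposal keys on the separately received hostname option.
    """
    m = ASA_UID_RE.match(uid)
    if m is None:
        return None
    return m.group("mac"), m.group("rest")


@dataclass
class Request:
    mac: str                 # chaddr seen by the server (always the ASA's MAC)
    uid: str                 # option 61 client-identifier built by the ASA
    hostname: Optional[str]  # option 12; assumed here to carry the real client hostname


@dataclass
class LeaseTable:
    free_pool: List[str]
    mode: str = "uid"        # "uid" | "ignore-client-uids" | "hostname-as-uid"
    leases: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def lease_key(self, req: Request) -> Tuple[str, str]:
        """Choose the identity a lease is stored and looked up under."""
        if self.mode == "hostname-as-uid" and req.hostname:
            return ("uid", req.hostname)      # proposed: override uid with hostname
        if self.mode == "ignore-client-uids" or not req.uid:
            return ("mac", req.mac)           # uid discarded: MAC is all that is left
        return ("uid", req.uid)               # default: raw client-identifier

    def lookup_or_assign(self, req: Request) -> Optional[str]:
        """Return the existing lease for this key, or hand out a new address (None if pool empty)."""
        key = self.lease_key(req)
        if key in self.leases:
            return self.leases[key]
        if not self.free_pool:
            return None
        ip = self.free_pool.pop(0)
        self.leases[key] = ip
        return ip


ASA_MAC = "0050.5680.4b04"   # the ASA MAC from the issue's example


def asa_request(hostname: str, counter: int) -> Request:
    """Build the request the ASA would send for one VPN login (constructed)."""
    return Request(mac=ASA_MAC, uid=f"cisco-{ASA_MAC}-{hostname}{counter}-inside", hostname=hostname)


# Constructed session: ClientA logs in, ClientB logs in, ClientA reconnects twice.
SESSION = [asa_request("ClientA", 4567), asa_request("ClientB", 4568),
           asa_request("ClientA", 4569), asa_request("ClientA", 4570)]


def simulate(mode: str, pool_size: int = 3) -> List[Optional[str]]:
    """Replay SESSION against a fresh table and return the address offered per login."""
    table = LeaseTable(free_pool=[f"10.99.0.{10 + i}" for i in range(pool_size)], mode=mode)
    return [table.lookup_or_assign(req) for req in SESSION]


if __name__ == "__main__":
    for mode in ("uid", "ignore-client-uids", "hostname-as-uid"):
        print(f"{mode:20s} -> {simulate(mode)}")
```

With a pool of three addresses, keying on the raw uid burns one lease per login until the pool is empty, keying on MAC hands every client the single address already leased to the ASA MAC, and keying on the hostname returns ClientA to its first address on every reconnect while ClientB keeps its own.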