Cisco ASA / AnyConnect VPN using ISC DHCPD - reassign IP-Address-leases to same VPN-Clients
- Cisco AnyConnect VPN-Clients
- Cisco ASA Appliance as DHCP-Client for the VPN-Clients
- ISC DHCPD as DHCP-Server for the Cisco ASA
We like to have a lease-time of e.g. 8 days. A client connecting today should get the same IP as it got yesterday. Our idea is to provide an IP-lease-Pool big enough to have pseudo-static Client-IP-Addresses. The address the client gets on it's first connect should be the same it gets the following days/months.
Currently VPN-Clients are not assigned the same IP-Address, because:
- Cisco ASA is acting as DHCP-Client for the VPN-Clients
- The Client-MAC of all VPN-Clients is the same (the ASA MAC)
The Client-UID (Client identifier) sent by the ASA is a combined-string of
The Prefix "cisco" + MAC-Address of the Cisco-ASA is always the same:
The Hostname (e.g. "ClientA") is the real (unique) Hostname of our Client-Machines
The counter counts up on every connection.
Suffix "-inside" is always the same
If "ClientA" disconnects and connects again it will be like
cisco-0050.5680.4b04-ClientA4568-inside(the last digits count up)
There seem to be no way to configure the Cisco ASA to not count up the Client-UIDs last digits on each connection
We tried to use Option "
ignore-client-uids true;" to reassign the same IP-Address - but this does not work, because without UID only the MAC-Address is used to re-assign the IP-Address, but all Clients have the same (Cisco ASA) MAC-Address.
Are there any suggestions?
If there is no solution for this scenario, we are interested to implement an new ISC DHCPd Option "
hostname-as-uid true;" to create the possibility to address this scenario.
This option "
hostname-as-uid true;" could be used like the existing "
ignore-client-uids true;" Option, but instead of not saving the Client-UID we would override the received Client-UID with the received hostname-option.
All functionality like storing the uid to the lease-file, checking if there is a lease for the client with the given Client-UID etc... will be done with the "replaced uid" (= Hostname) instead of the real received Client-UID.
Are there any other suggestions or comments on this?
Is there interest to accept a merge request if we implement such a feature?