After upgrading the ASA to 9.3.2, IP address assignment via DHCP fails for AnyConnect users. The ASA logs the following error message for AnyConnect: No assigned address webvpn_cstp_send_error: 503 Service Unavailable
1. The ASA is running 9.3.2 and above.
2. AnyConnect users are configured to get an IP address via DHCP.
3. The group-policy for AnyConnect is configured with dhcp-network-scope.
4. The dhcp-network-scope IP address is the same as the IP address of one of the interfaces/sub-interfaces.
1. Assign the subnet ID or any other IP address as the dhcp-network-scope, except the interface IP address.
2. Or assign IP addresses locally from the ASA.
Packet captures between the ASA and the DHCP server, and DHCP debugs on the ASA, show the DORA process completing as follows:
1. The Discover request goes out from the inside interface (behind which the DHCP server is located) towards the DHCP server, with the relay agent set to the dhcp-network-scope IP address configured under the group-policy.
2. The Offer comes from the DHCP server towards the dhcp-network-scope IP address, offering an IP address.
3. The Request again goes out from the inside interface towards the DHCP server, with the relay agent being the dhcp-network-scope IP address.
4. The Acknowledgment comes from the DHCP server towards the dhcp-network-scope IP address.
The DHCP relay debugs show the following messages:
Sep 05 2016 09:15:29: %ASA-7-737035: IPAA: Session=0x00002000, 'IPv4 DHCP address failed' message queued
Sep 05 2016 09:15:29: %ASA-7-737001: IPAA: Session=0x00002000, Received message 'IPv4 DHCP address failed'
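A pre-upgrade check for the triggering condition described above (a dhcp-network-scope equal to an interface IP address), as an added example that is not part of the original bug report. It scans a saved running-config; the sample config, its names and addresses are constructed, and the function name is hypothetical.

```python
import ipaddress
import re

# Constructed sample running-config (not taken from the bug report).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif vpn-pool
 ip address 10.20.0.1 255.255.255.0
!
group-policy GP-BROKEN internal
group-policy GP-BROKEN attributes
 dhcp-network-scope 10.20.0.1
group-policy GP-OK internal
group-policy GP-OK attributes
 dhcp-network-scope 10.20.0.0
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"  # skips 'ip address dhcp' and 'dhcp-network-scope none'

def find_scope_conflicts(config):
    """Return (group_policy, scope_ip, interface) for each scope equal to an interface IP."""
    iface_ips = {}   # interface address -> interface name
    scopes = []      # (group-policy name, scope address)
    section = None   # (block type, block name) of the block being read
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            section = ("interface", m.group(1))
        elif m := re.match(r"group-policy (\S+) attributes", line):
            section = ("group-policy", m.group(1))
        elif not line.startswith(" "):
            section = None  # any other top-level line ends the block
        elif section and section[0] == "interface":
            if m := re.match(r" ip address " + IPV4, line):
                iface_ips[ipaddress.ip_address(m.group(1))] = section[1]
        elif section and section[0] == "group-policy":
            if m := re.match(r" dhcp-network-scope " + IPV4, line):
                scopes.append((section[1], ipaddress.ip_address(m.group(1))))
    # Compare after the full pass so block order in the config does not matter.
    return [(gp, str(ip), iface_ips[ip]) for gp, ip in scopes if ip in iface_ips]

if __name__ == "__main__":
    for gp, ip, iface in find_scope_conflicts(SAMPLE_CONFIG):
        print(f"group-policy {gp}: dhcp-network-scope {ip} is the address of {iface}")
```

Any group-policy it reports should have its scope changed to the subnet ID or another non-interface address, per the workaround, before moving to 9.3.2 or later.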