ASA DHCPD Pools

So I got a call today about an office that just installed new computers and half of them weren’t working. The guy on site said he did a Wireshark capture and the DHCP server was out of IPs. It’s rare to get someone calling ME with a pcap, but he wants me to increase the DHCP pool size. Better to be careful with that, so I log into the ASA 5505.

I verify all the leases are used up:

asa5505# show dhcpd statistics
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0

Address pools 1
Automatic bindings 126
Expired bindings 293
Malformed messages 0

Message Received
BOOTREQUEST 0
DHCPDISCOVER 7561
DHCPREQUEST 20779
DHCPDECLINE 2124
DHCPRELEASE 208
DHCPINFORM 852276

Message Sent
BOOTREPLY 0
DHCPOFFER 7047
DHCPACK 872932
DHCPNAK 118

Uh-oh, we are out of addresses! I do a

show dhcpd bindings all

to see the current leases. Omitted here, but I can see it’s full. I check the inside interface and see it’s a /23, while the DHCP pool is only a /25:

interface Vlan1
nameif inside
security-level 100
ip address 10.0.48.254 255.255.255.0

dhcpd address 10.0.48.1-10.0.48.127 inside

Maybe I can just extend the pool like he wants.

Will the extended pool work with the existing config? I check that the access-lists used for the tunnels and NAT don’t need to be modified. In my case, that’s not a problem:

nat (inside) 0 access-list no-nat

crypto map tunnels 10 match address acl_remote1

crypto map tunnels 15 match address acl_remote2

access-list no-nat extended permit ip 10.0.48.0 255.255.255.0 192.168.0.0 255.255.254.0

access-list acl_remote1 extended permit ip 10.0.48.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list acl_remote2 extended permit ip 10.0.48.0 255.255.255.0 192.168.1.0 255.255.255.0

I’d like to increase the dhcpd range to solve my problem now, but I can’t:

asa5505# show arp

inside 10.0.48.130 00ab.cd0e.9753 7479
inside 10.0.48.131 00ab.cd0e.9755 7479

There are static IPs just outside the range! I could

#clear dhcpd binding all

But then all the computers that are working would need a release/renew, ugh. It turns out, he only needs about 20 more addresses right now.

So I go through the list, pinging each host, and when I find a dead one, I check the ARP table and verify it’s clear.
After a few minutes, I have a list of bindings to clear:

clear dhcpd binding 10.0.48.3
clear dhcpd binding 10.0.48.7

clear dhcpd binding 10.0.48.55

Then I do a quick

#show dhcpd bindings all

and

#sh arp

again to verify the newly freed IPs are being used. Problem solved!
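The same triage done in a few lines of Python, as an added example that is not part of the original post: it checks a proposed pool extension against the ARP table (to catch hosts like the static IPs above), then lists leases with no ARP entry (and, if you pass a ping callback, no reply) and emits the matching clear commands. The two show outputs it parses are constructed samples that approximate the ASA formats; the real column layout may differ slightly, so the parser only relies on the first token of each line being an address.

```python
import ipaddress
import re

# Constructed sample output approximating the ASA "show dhcpd binding" and
# "show arp" formats; 10.0.48.8 is the only leased host still present in ARP.
SHOW_DHCPD_BINDING = """\
IP address       Client Identifier        Lease expiration    Type
10.0.48.3        0100.1122.3344.55        86400 seconds       Automatic
10.0.48.7        0100.1122.3344.66        86400 seconds       Automatic
10.0.48.8        0100.1122.3344.77        86400 seconds       Automatic
10.0.48.55       0100.1122.3344.88        86400 seconds       Automatic
"""
SHOW_ARP = """\
        inside 10.0.48.8 00ab.cd0e.1234 120
        inside 10.0.48.130 00ab.cd0e.9753 7479
        inside 10.0.48.131 00ab.cd0e.9755 7479
"""
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def bound_ips(show_binding):
    """Leased IPs: every line of the binding table whose first token is an address."""
    ips = set()
    for line in show_binding.splitlines():
        parts = line.split()
        if parts and IPV4.match(parts[0]):
            ips.add(ipaddress.ip_address(parts[0]))
    return ips

def arp_ips(show_arp, iface="inside"):
    """IPs the ASA currently has an ARP entry for on the given interface."""
    ips = set()
    for line in show_arp.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == iface and IPV4.match(parts[1]):
            ips.add(ipaddress.ip_address(parts[1]))
    return ips

def extension_conflicts(start, end, arp):
    """Hosts already on the wire inside a proposed pool extension (e.g. static IPs)."""
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return sorted(ip for ip in arp if lo <= ip <= hi)

def stale_bindings(bindings, arp, is_alive=None):
    """Leased IPs with no ARP entry and, if a ping check is supplied, no reply."""
    alive = is_alive or (lambda ip: False)   # no ping probe: rely on ARP alone
    return sorted(ip for ip in bindings if ip not in arp and not alive(ip))

def clear_commands(stale):
    """The ASA commands to release each stale lease."""
    return [f"clear dhcpd binding {ip}" for ip in stale]
```

Paste the real `show dhcpd binding all` and `show arp` output into the two strings (or read them from files) and wire `is_alive` to your own ping routine; an empty result from `extension_conflicts` is the go-ahead to widen `dhcpd address` instead of clearing leases.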
