DHCP Split Scope - Scope Full

Good Morning,
I have 2 DHCP svrs offering a split scope on more of a 50/50 type basis (no delay).... I'm wondering, if one DHCP svr runs out of addresses, will the second svr's range cover the request?
I see all this configuration as more of a "one server is down, the other covers" setup; I'm not really sure how it handles things like a range out of addresses... I know the device would send out a DHCP request and the fastest responding server wins, but if one server can't offer an address does it reply with anything?
Thanks All
Paul

Hi,
Summary of the conversation (about generating an IP lease) between client and DHCP server:
Client - DHCP discover: asks for an IP lease.
DHCP server - DHCP offer: populated with the IP address the server is offering the client.
Client - DHCP request: specifies which offer (IP) it chose, and asks for detailed information about this IP.
DHCP server - DHCP ACK: detailed information about the IP lease is sent to the client.
When a client sends a discover packet to ask for a lease, all DHCP servers which can receive this packet will answer with an offer packet. If the DHCP server has run out of IP addresses or is down, it will not broadcast an offer packet.
Best Regards,
Eve Wang
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
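To make the exchange Eve describes concrete, here is an added example (not from this thread and not Microsoft's DHCP server code): a small Python model of two split-scope servers that both hear the same DISCOVER. Pools, MAC addresses and server names are constructed; "first OFFER wins" stands in for Paul's "fastest responding server wins", and a server whose pool is exhausted, or that is down, simply sends nothing, so the client only ever sees offers from servers that still have a free address.

```python
"""Model of a split-scope DHCP exchange (added example, not from the thread).

Two servers each own half of the range and both hear the same DISCOVER. A
server whose pool is exhausted, or that is down, sends no OFFER at all; the
client takes the first OFFER it receives. Pools and MACs are constructed and
nothing touches the network.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class DhcpServer:
    name: str
    start: str              # first address of this server's half of the range
    end: str                # last address (inclusive)
    up: bool = True
    leases: dict = field(default_factory=dict)   # IPv4Address -> client MAC

    def __post_init__(self):
        self.start, self.end = IPv4Address(self.start), IPv4Address(self.end)

    def free_addresses(self) -> int:
        return int(self.end) - int(self.start) + 1 - len(self.leases)

    def on_discover(self, mac: str) -> Optional[IPv4Address]:
        """Answer a DISCOVER with an OFFER address, or None if nothing can be offered."""
        if not self.up:
            return None
        for ip, owner in self.leases.items():   # a returning client gets its old lease back
            if owner == mac:
                return ip
        ip = self.start
        while ip <= self.end:
            if ip not in self.leases:
                return ip
            ip += 1
        return None                              # pool exhausted: server stays silent

    def on_request(self, mac: str, ip: IPv4Address) -> bool:
        """ACK a REQUEST for ip if it is free or already this client's; else NAK."""
        if self.leases.get(ip, mac) != mac:
            return False
        self.leases[ip] = mac
        return True


def dora(client_mac: str, servers) -> Optional[tuple]:
    """One DISCOVER/OFFER/REQUEST/ACK round. Returns (server name, ip) or None."""
    offers = [(s, ip) for s in servers              # DISCOVER reaches every server
              for ip in [s.on_discover(client_mac)] if ip is not None]
    if not offers:
        return None                                 # no OFFER from anyone: no lease
    server, ip = offers[0]                          # first responder wins
    return (server.name, str(ip)) if server.on_request(client_mac, ip) else None


def exhaustion_scenario() -> dict:
    """Fill server A's four addresses, then watch B pick up the next clients."""
    a = DhcpServer("A", "10.0.0.10", "10.0.0.13")
    b = DhcpServer("B", "10.0.0.14", "10.0.0.17")
    leases = {}
    for i in range(6):
        mac = f"00:11:22:33:44:{i:02x}"
        leases[mac] = dora(mac, [a, b])
    return {"leases": leases, "free_a": a.free_addresses(), "free_b": b.free_addresses()}


if __name__ == "__main__":
    for mac, lease in exhaustion_scenario()["leases"].items():
        print(mac, "->", lease)
```

The model answers Paul's question the way the thread does: once A's four addresses are gone, A no longer answers, B's OFFER is the only one the client sees, and a client that arrives when both halves are exhausted (or both servers are down) gets no reply at all rather than a refusal.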

Similar Messages

  • DHCP Split-Scope Configuration Wizard showing error "Not enough storage is available to process this command".

    Hi,
    I'm trying to split the DHCP scope between two Servers using the DHCP Split-Scope Configuration Wizard.
    Server one is a VM hosted on Hyper-V and is running Windows Small Business Server 2008 (I think this was previously SBS2003 and was upgraded at some point in time). The whole DHCP scope is currently configured on here.
    Server two is a VMware VM running Windows Server 2012 R2.
    I've installed the DHCP Server role on Server two (2012R2) and authorized the Server. When I launch DHCP Manager, add the SBS2008 Server in the MMC, right click the scope and choose "Advanced > Split-Scope", and then run through the wizard, I get as far as the "Percentage of Split" screen, and when I click next I get the error "Not enough storage is available to process this command".
    I've searched online for this particular error message and I've come across articles suggesting AV exclusions are not in place for the DHCP database and files; however, in this case the exclusions are definitely in place and I've also tried completely disabling AV on both Servers, and this made no difference to the outcome.
    I also came across articles suggesting the "IRPStackSize" registry DWORD needed to be added and set to a decimal value of 15 or larger. Again, I've tried adding this and rebooted both Servers but I get the same result.
    Anyone have any ideas?
    Thanks,
    Craig

    Hi Eve,
    No, there were no related events in the event logs. I've since tried splitting the DHCP scope manually but this did not work - the DHCP Server on the SBS would just stop and event 1053 was displayed when trying to start the service again. I noticed that as soon as I de-activated DHCP Server on the 2012 Server then the DHCP Server on the SBS would start again.
    I then found the following in a TechNet article that would suggest I cannot have another DHCP Server on the network if using Small Business Server.
    Notes
    A DHCP server running Microsoft Small Business Server will not operate if another DHCP server is active on its network.
    Detection of unauthorized DHCP servers requires the deployment of Active Directory Domain Services and the DHCP service. Other DHCP servers do not attempt to determine whether they are authorized by Active Directory Domain Services before offering IP address leases.

  • DHCP Split Scope Monitoring

    Hello :
    I have an interesting scenario where I need to set up some kind of monitoring around DHCP scope exhaustion. Now each site has two DHCP servers with the scopes split. So if I set up an event log monitor and one server reports that a scope is running out of IP addresses, it does not mean that the second server is also running out of free IPs. Is there a way to use SCOM to monitor both DHCP servers and alert if the scope is out of free IPs on both servers? There is a nice article on this for Solarwinds - https://thwack.solarwinds.com/docs/DOC-174909 but I would like to achieve this using SCOM.
    PS: I know IPAM can be a good solution, but I am really interested in ways to do this using SCOM and I am open to any scripted solution or custom MPs.
    Any pointers will be highly appreciated.
    -A

    Hi,
    How about using an aggregate rollup monitor to group multiple monitors into one monitor and then use that monitor to set the health state and generate an alert.
    Or Dependency Monitors with Percentage policy set:
    http://technet.microsoft.com/en-us/library/hh457606.aspx
    In addition, I would suggest you look at DHCP failover in WS2012, which opens up some new options for HA design.
    DHCP failover: This feature provides the ability to have two DHCP servers serve IP addresses and option configuration to the same subnet or scope, providing for continuous availability of DHCP service to clients. The two DHCP servers replicate lease information between them, allowing one server to assume responsibility for servicing of clients for the entire subnet when the other server is unavailable. It is also possible to configure failover in a load-balancing configuration with client requests distributed between the two servers in a failover relationship. For more information about DHCP failover, see Step-by-Step:
    http://technet.microsoft.com/en-us/library/hh831385.aspx
    Regards,
    Yan Li

  • Swapping DHCP Split-Scope

    Hi all,
    I have a site with 2 DHCP servers, one in the production environment and another in DR. For whatever reason, the DR server was set up to serve the majority of the DHCP leases (10.50 -> 10.209) and the production server only 30 addresses (10.210 -> 10.240).
    We want to change this around and I have a couple of questions:
    1. Our documented process is to remove the exclusion ranges and then set up new exclusion ranges as the complete opposite of the current setup to give the production server the majority of the leases.
    2. What happens to active client leases, e.g. a client connected on the DR scope, let's say 10.100? When the ranges are switched over, presumably 10.100 will then become available on the production scope and will be dished out to a new client, but the old client will receive an IP conflict error. OR is DHCP smart enough to know this?
    Any help would be appreciated.
    David Robertson

    Hi,
    I suppose the main purpose is to extend the IP address pool of your production server. If so, I think we can shrink the IP pool in DR, then we should wait until the lease is expired. As you referred, we can reduce the lease time first. Once the lease is expired, we can enlarge the other DHCP pool.
    Since you have two DHCP servers for one network, how do you determine which computers get an IP from the production server? Do you have DHCP reservations for them? Personally, I think configuring two subnets with a router between them could be a better choice.
    Hope this helps.

  • DHCP Server 2008 R2 Scope Full Warning

    Is there a way to disable the DHCP Scope Full Warning message from flooding my event logs? We use DHCP to lock down the ports at our office. Is there some registry setting I can change to prevent them from writing to the event logs so often?

    Hi,
    Thank you for your post.
    Is there a way to disable DHCP Scope Full Warning message from flooding my event logs?
    There is no special way to disable only the DHCP event log. If you want to disable DHCP event logging, you have to disable all system integrity events on your server.
    To display the current audit policy for all subcategories, run the command:
    auditpol /get /category:*
    To disable system integrity events on your server, run the command:
    auditpol /set /subcategory:"System Integrity" /success:disable /failure:disable
    Since your DHCP scope pool has reached full, you need to re-subnet your DHCP scope or extend your DHCP pool. Please refer to this thread.
    If there are more inquiries on this issue, please feel free to let us know.
    Regards
    Rick Tan
    TechNet Community Support

  • DHCP scope full, event ID 1020

    Hi, one of our Windows 2008 R2 Domain controllers is returning the following warning message on almost a daily basis:
    Log Name:      System
    Source:        Microsoft-Windows-DHCP-Server
    Date:          19/11/2014 11:32:41 AM
    Event ID:      1020
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      computername.domain.x.x
    Description:
    Scope, 10.x.x.0, is 83 percent full with only 39 IP addresses remaining.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-DHCP-Server" Guid="{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}" EventSourceName="DhcpServer" />
        <EventID Qualifiers="0">1020</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-11-19T00:32:41.000000000Z" />
        <EventRecordID>12980</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>System</Channel>
        <Computer>computer.domain.x.x</Computer>
        <Security />
      </System>
      <EventData>
        <Data>10.x.x.x</Data>
        <Data>83</Data>
        <Data>39</Data>
      </EventData>
    </Event>
    Upon review of Microsoft Support online, I found the following article which illustrates a few options:
    http://support.microsoft.com/kb/255999/en-au
    What would be the logical choice for us, having the 10.x.x network?
    Ideally, it would be good not to have to re-subnet anything if possible, or re-create the scope.
    Would a scope extension require a reboot of the server? Never done this before, so thought I should ask.

    Hi,
    According to your description, my understanding is that the DC prompts a warning event ID 1020, indicating the DHCP scope is 83% full.
    By default, the threshold value for firing event 1020 is 80%. Estimate the number of devices and compare it with the number of IP addresses in this scope; if the percentage is less than 80%, you may try to reduce the lease duration and decrease the cleanup interval. This can help to speed up the reclaiming of expired scope IP addresses.
    To reduce the lease duration:
    1. At the DHCP server, click Start, point to Administrative Tools, and then click DHCP.
    2. In the DHCP console tree, right-click the scope you want to configure, and then click Properties.
    3. On the General tab, under Lease duration for DHCP clients, type the new lease duration.
    To use a Netsh command to set the cleanup interval time:
    1. At the DHCP server, click Start, click Run, type cmd, and then press ENTER.
    2. Type netsh dhcp server set databasecleanupinterval <NewInterval> (where "NewInterval" is the amount of time in minutes between DHCP database cleanups).
    For an existing DHCP scope, its subnet mask can't be changed. If the Start Address and End Address do not currently include all addresses for your specific subnet, you can increase the number of addresses in the scope by extending the Start Address or End Address in the scope properties. This operation doesn't need a reboot.
    If neither of the above 2 suggestions is applicable, create a new DHCP scope or refer to KB255999 (resubnetting and superscoping). At the same time, you need to change your network topology.
    Best Regards,
    Eve Wang
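The SCOM question earlier on this page and this event 1020 thread come down to the same correlation problem: event 1020 is raised per server, so one server's "83 percent full" says nothing about the other half of a split scope, and the 80% default threshold means a server that is still under it raises nothing at all. The Python below is an added example (not from either thread, and not a SCOM management pack or Microsoft code) that parses event XML in the layout quoted above and keeps only the newest report per server before deciding whether a scope is merely warning or actually out on every server. Host names, the second scope and every figure except the 83%/39 pair from the post are constructed.

```python
"""Correlate DHCP event 1020 across the servers of a split scope (added example).

Event 1020 fires per server once its part of a scope passes the threshold.
A scope is only really exhausted when every server that serves it reports
zero free addresses; a server with no event is assumed to be under threshold.
The events below are constructed in the XML layout quoted in the thread.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

EVENT_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DHCP-Server" EventSourceName="DhcpServer" />
    <EventID Qualifiers="0">1020</EventID>
    <TimeCreated SystemTime="{time}" />
    <Computer>{host}</Computer>
  </System>
  <EventData><Data>{scope}</Data><Data>{pct}</Data><Data>{free}</Data></EventData>
</Event>"""

# Constructed feed: scope 10.20.30.0 is split between dhcp1 and dhcp2 (made-up hosts).
SAMPLE_EVENTS = [
    EVENT_TEMPLATE.format(time="2014-11-19T00:32:41Z", host="dhcp1.example.test",
                          scope="10.20.30.0", pct=83, free=39),
    EVENT_TEMPLATE.format(time="2014-11-19T03:10:00Z", host="dhcp2.example.test",
                          scope="10.20.30.0", pct=91, free=12),
    EVENT_TEMPLATE.format(time="2014-11-19T06:05:00Z", host="dhcp1.example.test",
                          scope="10.20.30.0", pct=100, free=0),
    EVENT_TEMPLATE.format(time="2014-11-19T06:07:00Z", host="dhcp2.example.test",
                          scope="10.20.30.0", pct=100, free=0),
    EVENT_TEMPLATE.format(time="2014-11-19T06:09:00Z", host="dhcp1.example.test",
                          scope="10.20.31.0", pct=85, free=20),
]


def parse_event_1020(xml_text):
    """Return (time, host, scope, percent_full, free) for a 1020 event, else None."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system.findtext("e:EventID", namespaces=NS) != "1020":
        return None
    data = [d.text for d in root.find("e:EventData", NS).findall("e:Data", NS)]
    return (system.find("e:TimeCreated", NS).get("SystemTime"),
            system.findtext("e:Computer", namespaces=NS),
            data[0], int(data[1]), int(data[2]))


def latest_per_server(events):
    """scope -> host -> (time, percent, free), keeping each host's newest report."""
    state = defaultdict(dict)
    for xml_text in events:
        parsed = parse_event_1020(xml_text)
        if parsed is None:
            continue
        time, host, scope, pct, free = parsed
        current = state[scope].get(host)
        if current is None or time > current[0]:   # UTC ISO-8601 strings sort as text
            state[scope][host] = (time, pct, free)
    return state


def assess(events, split_members):
    """Per scope: ('ok', None), ('warning', free addresses still reported) or ('critical', 0).

    split_members maps a scope id to the hosts serving it. 'critical' needs a
    zero-free report from every one of them; a silent host still has room.
    """
    state = latest_per_server(events)
    verdict = {}
    for scope, hosts in split_members.items():
        reports = [state.get(scope, {}).get(h) for h in hosts]
        seen = [r for r in reports if r is not None]
        if not seen:
            verdict[scope] = ("ok", None)
        elif len(seen) == len(hosts) and all(r[2] == 0 for r in seen):
            verdict[scope] = ("critical", 0)
        else:
            verdict[scope] = ("warning", sum(r[2] for r in seen))
    return verdict
```

Feeding the feed in any order gives the same verdict, because only the newest report per host counts; a monitor that reacts to each 1020 as it arrives would have paged on the first 83% event even though the other half of the scope was untouched.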

  • DHCP: Splitting 10.10.120.0/23 between 2 servers, why exclude?

    I understand that best practice is to split a scope between 2 DHCP servers on the same subnet.  We have a rather large subnet, 10.10.120.0/23
    Server1 with pool 10.10.120.50-10.10.120.230
    Server2 with pool 10.10.121.50-10.10.121.230
    What's the purpose of expanding the scope in each server and configuring exclusions?  If each server technically has a different subnet, there will never be a conflict.  I would like to know if there's any benefit to expanding the range and adding exclusions.
    Server1 with pool 10.10.120.50-10.10.121.230 exclude 10.10.120.231-10.10.121.230
    Server2 with pool 10.10.120.50-10.10.121.230 exclude 10.10.120.50-10.10.121.49

    If this is your config:
    Server1 with pool 10.10.120.50-10.10.120.230 /23
    Server2 with pool 10.10.121.50-10.10.121.230 /23
    Then those are NOT different subnets.  Those are properly split DHCP scopes.
    The subnet in this case is from 10.10.120.0 - 10.10.121.255 and that is what you're splitting.
    For your second example:
    Server1 with pool 10.10.120.50-10.10.121.230 exclude 10.10.120.231-10.10.121.230
    Server2 with pool 10.10.120.50-10.10.121.230 exclude 10.10.120.50-10.10.121.49
    This will give you problems:
    1) The servers are offering the same IPs, they might even issue the same IP to two different devices because they won't know the other gave it away.
    2) Server 1 has some exclusions that Server 2 won't know about.  That means Server 2 will issue IPs from Server 1's exclusion range.
    3) This is not a recommended setup.
    - If you have found my post to be helpful, or the answer, please mark it appropriately.
    Chris Ream
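An added check (example code, not Chris Ream's) that turns his answer into something you can run: each server's effective pool is its range minus its exclusions, and the check reports any address that two servers would both hand out, plus anything outside the /23. The first two layouts are the ones quoted in this thread; the third is a constructed case where Server2's exclusion has been removed, the kind of drift the earlier "Swapping DHCP Split-Scope" thread's "remove the exclusion ranges, then add new ones" process passes through.

```python
"""Sanity-check a split-scope layout: effective pools, overlap, subnet fit.

Added example, not Chris Ream's code. A server's effective pool is its range
minus its exclusion ranges; in a correct split no address is in two pools.
"""
from ipaddress import IPv4Address, IPv4Network


def addresses(start, end):
    """Every address from start to end inclusive, as a set of integers."""
    a, b = int(IPv4Address(start)), int(IPv4Address(end))
    if a > b:
        raise ValueError(f"range {start}-{end} is reversed")
    return set(range(a, b + 1))


def effective_pool(server):
    """Range minus all exclusions: the addresses this server will actually offer."""
    pool = addresses(*server["range"])
    for excl in server.get("exclusions", []):
        pool -= addresses(*excl)
    return pool


def check_split(servers, subnet):
    """Report pool sizes, addresses offered by more than one server, and
    addresses that fall outside the subnet the scope is meant to serve."""
    net = IPv4Network(subnet)
    pools = {s["name"]: effective_pool(s) for s in servers}
    names = list(pools)
    overlap = set()
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            overlap |= pools[first] & pools[second]
    outside = {ip for p in pools.values() for ip in p if IPv4Address(ip) not in net}
    return {
        "pool_sizes": {n: len(p) for n, p in pools.items()},
        "overlap": [str(IPv4Address(ip)) for ip in sorted(overlap)],
        "outside_subnet": [str(IPv4Address(ip)) for ip in sorted(outside)],
    }


# First layout quoted in the thread: two disjoint ranges, no exclusions.
LAYOUT_DISJOINT = [
    {"name": "Server1", "range": ("10.10.120.50", "10.10.120.230")},
    {"name": "Server2", "range": ("10.10.121.50", "10.10.121.230")},
]

# Second layout quoted in the thread: identical full ranges, opposite exclusions.
LAYOUT_EXCLUDE = [
    {"name": "Server1", "range": ("10.10.120.50", "10.10.121.230"),
     "exclusions": [("10.10.120.231", "10.10.121.230")]},
    {"name": "Server2", "range": ("10.10.120.50", "10.10.121.230"),
     "exclusions": [("10.10.120.50", "10.10.121.49")]},
]

# Constructed drift: Server2's exclusion was removed (say, halfway through a
# swap). Both servers now offer 10.10.120.50-230 and can lease one address twice.
LAYOUT_DRIFTED = [
    LAYOUT_EXCLUDE[0],
    {"name": "Server2", "range": ("10.10.120.50", "10.10.121.230"), "exclusions": []},
]


if __name__ == "__main__":
    for label, layout in (("disjoint", LAYOUT_DISJOINT), ("exclude", LAYOUT_EXCLUDE),
                          ("drifted", LAYOUT_DRIFTED)):
        report = check_split(layout, "10.10.120.0/23")
        print(label, report["pool_sizes"], "overlapping:", len(report["overlap"]))
```

Both quoted layouts give each server the same 181 addresses with no overlap, which is Chris's point that they are the same split expressed two ways; the "expand and exclude" form only stays that way as long as both exclusion lists are edited together, and the drifted layout shows what one missing exclusion does.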

  • Bizarre split screen in full screen mode

    Hi,
    I'm having some weird display issues when in full screen mode. Please see the attached picture.
    Can anyone help?
    Thx in advance.

    Each of the images you want to have in the split screen need to be in separate video tracks.  If you are doing a 2-part split screen, then each of the 2 clips you are using need to be on separate video tracks (say, v1 and v2).
    Next, with Image + Wireframe turned on, you can move & resize the images in the canvas so they are placed where you want them on screen (you do this with one image at a time).
    Piero's QuarterPIP filter makes this a lot easier. You may want to try it.

  • DHCP Migration from 2008 to 2012

    Hi,
    I am migrating a DHCP server from a 2008 to a 2012 environment. Please let me know the best practice for migration.
    I have configured DHCP failover in a Windows 2008 R2 environment.
    I would be very grateful for any help.
    Thankx & Regards,
    DD6

    Hi,
    This type of question is already running in the TechNet portal.
    http://social.technet.microsoft.com/Forums/en-US/fed16caa-fb53-4037-a578-5f8dfc61e4e3/dhcp-failover-migrate-dhcp-server-to-another-machine?forum=winservergen
    Process of migrating DHCP Server 2008 R2 to Windows 2012
    • Firstly, you can disable the DHCP role in Windows Server 2008 R2. However, if the Windows Server 2012 is down, the clients cannot renew their IP lease duration and obtain an IP address. Therefore, it is recommended to leave the DHCP role in Windows Server 2008 R2 and deploy high availability. Windows Server 2012 brings the new feature: DHCP failover. However, it requires that both DHCP servers are Windows Server 2012. Considering the other server is Windows Server 2008 R2, we have to choose one of the following:
    >> DHCP in a Windows failover cluster. This option places the DHCP server in a cluster with an additional server configured with the DHCP service that assumes the load if the primary DHCP server fails. The clustering deployment option uses a single shared storage. This makes the storage a single point of failure, and requires additional investment in redundancy for storage. In addition, clustering involves relatively complex setup and maintenance.
    >> Split scope DHCP. Split scope DHCP uses two independent DHCP servers that share responsibility for a scope. Typically 70% of the addresses in the scope are assigned to the primary server and the remaining 30% are assigned to the backup server. If clients cannot reach the primary server then they can get an IP configuration from the secondary server. Split scope deployment does not provide IP address continuity and is unusable in scenarios where the scope is already running at high utilization of address space, which is very common with Internet Protocol version 4 (IPv4).
    More references:
    Step-by-Step: Configure DHCP for Failover (Windows Server 2012)
    How to configure split-scope using wizard
    DHCP Step-by-Step Guide: Demonstrate DHCP Split Scope with Delay on a Secondary Server in a Test Lab
    DHCP Step-by-Step Guide: Demonstrate DHCP Failover – Clustering in a Test Lab
    If you need a snapshot of the migration then follow these links.
    http://blogs.technet.com/b/canitpro/archive/2013/04/29/step-by-step-migration-of-dhcp-from-windows-server-2003-to-windows-server-2012.aspx
    http://www.mehrban.net/migrating-dhcp-from-windows-2008-to-windows-2012
    Deepak Kotian. MCP, MCTS, MCITP Exchange 2010 Ent. Administrator Disclaimer: Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks! All the opinions expressed here are mine. This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

  • DHCP Failover / Migrate DHCP Server to another Machine

    We have DHCP Server Installed in Domain Controller with Windows Server 2008 R2 Based OS.
    I have Checked that there is no way to make the DHCP Failover in Server 2008 R2.
    Can anyone help me to get some level of Failover in DHCP?
    or
    If I want to migrate the DHCP to Server 2012 what is the Best Practice?

    Hello,
    There is no big challenge in configuring DHCP failover on the Windows 2008 platform. Kindly go through this link for configuring DHCP failover. I am sure it will help you to complete your task.
    1> Step-by-Step: Configure DHCP for Failover
    http://technet.microsoft.com/en-us/library/hh831385.aspx
    2> DHCP Step-by-Step Guide: Demonstrate DHCP Failover – Clustering in a Test Lab
    http://technet.microsoft.com/en-us/library/ee405263(v=ws.10).aspx
    Process of migrating DHCP Server 2008 R2 to Windows 2012
    • Firstly, you can disable the DHCP role in Windows Server 2008 R2. However, if the Windows Server 2012 is down, the clients cannot renew their IP lease duration and obtain an IP address. Therefore, it is recommended to leave the DHCP role in Windows Server 2008 R2 and deploy high availability. Windows Server 2012 brings the new feature: DHCP failover. However, it requires that both DHCP servers are Windows Server 2012. Considering the other server is Windows Server 2008 R2, we have to choose one of the following:
    >> DHCP in a Windows failover cluster. This option places the DHCP server in a cluster with an additional server configured with the DHCP service that assumes the load if the primary DHCP server fails. The clustering deployment option uses a single shared storage. This makes the storage a single point of failure, and requires additional investment in redundancy for storage. In addition, clustering involves relatively complex setup and maintenance.
    >> Split scope DHCP. Split scope DHCP uses two independent DHCP servers that share responsibility for a scope. Typically 70% of the addresses in the scope are assigned to the primary server and the remaining 30% are assigned to the backup server. If clients cannot reach the primary server then they can get an IP configuration from the secondary server. Split scope deployment does not provide IP address continuity and is unusable in scenarios where the scope is already running at high utilization of address space, which is very common with Internet Protocol version 4 (IPv4).
    More references:
    Step-by-Step: Configure DHCP for Failover (Windows Server 2012)
    How to configure split-scope using wizard
    DHCP Step-by-Step Guide: Demonstrate DHCP Split Scope with Delay on a Secondary Server in a Test Lab
    DHCP Step-by-Step Guide: Demonstrate DHCP Failover – Clustering in a Test Lab
    If you need a snapshot of the migration then follow these links.
    http://blogs.technet.com/b/canitpro/archive/2013/04/29/step-by-step-migration-of-dhcp-from-windows-server-2003-to-windows-server-2012.aspx
    http://www.mehrban.net/migrating-dhcp-from-windows-2008-to-windows-2012
    Deepak Kotian.
    MCP, MCTS, MCITP Exchange 2010 Ent. Administrator
    Disclaimer:
    Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!
    All the opinions expressed here are mine. This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

  • Multiple Sites - Single domain - Server 2008r2

    Hi,
    I have six (6) sites all connected to a Head Office site by a high speed VPN.  Currently all use different domain names on their local servers, but with new hardware coming I would like to have all sites share the one single domain name for simplicity.
    Head Office has two (2) AD servers configured handling DNS, DHCP (split scope) etc.; both are GCs for redundancy.
    For the branches I was considering setting these up as secondary AD servers in the Head Office domain and as GCs too.  Each branch server will have its own DHCP scope for its network and DNS forwarded to the Head Office AD servers. Each branch server will also be used for file and printer sharing.
    I need to make sure local users of the branch servers authenticate on their own AD server and not hit Head Office, which would slow down the process a little.
    Is the above the correct way to do this?
    Cheers.

    Sounds like you want to configure a Hub and Spoke model, with the Spokes being the branch offices.  This is a good topology.  By default, when a branch office is configured with a DC for that spoke (defined by the subnets in that physical site), the dcLocator process on each client will default to the local DC unless there are problems that force the client to reach out.  As far as forwarding, there is no such thing from a DC perspective, but there is from a DNS perspective.
    So after you build out your new domain just make sure you follow the best practice for Sites and Services and you should be good to go.
    http://technet.microsoft.com/en-us/library/cc755768(WS.10).aspx
    dcLocator process
    http://msmvps.com/blogs/acefekay/archive/2010/01/03/the-dc-locator-process-the-logon-process-controlling-which-dc-responds-in-an-ad-site-and-srv-records.aspx
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

  • ASA Migration of DHCP Scope to a Server

    Hello All,
    We migrated the DHCP scope from the ASA to a MS DHCP server with this configuration:
    group-policy BV-SSL1 internal
    group-policy BV-SSL1 attributes
    no address-pools value remotepool4 remotepool2 remotepool3
    no intercept-dhcp enable
    dhcp-network-scope 10.180.49.0
    exit
    tunnel-group BVVPN10 general-attributes
    no address-pool remotepool2
    no address-pool remotepool3
    no address-pool remotepool4
    dhcp-server 10.182.14.55
    exit
    tunnel-group BV-SSL general-attributes
    no address-pool remotepool2
    no address-pool remotepool3
    no address-pool remotepool4
    dhcp-server 10.182.14.55
    exit
    no vpn-addr-assign aaa
    no vpn-addr-assign local
    vpn-addr-assign dhcp
    This was running well, until we used all 254 addresses that were specified in the dhcp-network-scope.
    My question is, should I have specified dhcp-network-scope none to allow all 3 scopes to be used to hand out IP addresses for the remote users?
    Thanks,
    Kimberly

    Okay, that's at least a good start. Can you monitor the ULS logs while you attempt to browse to the site to see what form of error(s) you're getting?
    Trevor Seward
    Follow or contact me at...
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Windows 2008 R2 DHCP scope change - Netsh Exec not working

    OK, there seems to be a disconnect between the Netsh documentation and how it actually works.  We are in the process of re-addressing ALL our DHCP scopes (joys of a buy-out) and using the steps outlined in numerous MS articles and blogs etc... we should be able to use "Netsh dhcp server scope 192.168.1.0 dump > scope1.cfg", then modify the cfg file with the new scope address (i.e. change all 192.168.1. to, let's say, 10.10.5.), then use netsh exec scope1.cfg (yes, the modified file) to create the new scope, which would contain all the "stuff" the current scope has (reservations, options, etc).
    Well, all we get is the response "The following command was not found:   |".
    Environment is as follows:
    Account is a domain admin
    working on a RDP session on the DHCP server
    Server is Windows 2008 R2 (current functioning DHCP server)
    Using administrative CMD (elevated)
    have tried changing context into Netsh | DHCP | Server and default CMD - all "no go"
    supporting link from MS: http://technet.microsoft.com/en-us/library/cc772372(v=ws.10).aspx#BKMK_1
    There's a lot of discussion around this, but I haven't seen any response that says how to actually do it.  Export/import won't work for us since we have to update the scope info.  With almost 100 scopes to update, we really need this functionality (or a similar method)!
    Any assistance would be greatly appreciated.

    OK...  It seems the issue is with the dump file.  I actually got exec to run once with a dump file which wasn't modified.  The stupid part is it only ran one time; I could not duplicate it.   Since I've beaten this thing to death and no one could offer any assistance (Hello MS?), I'm not wasting any more time on it.   Luckily, I was able to figure out an alternate method.
    Looking at the dump file I realized all the lines are just straight NetSh commands, which means all I needed to do was grab the lines and preface them with NetSh.  Like this...
    for /f "tokens=*" %a in ('type scope.cfg ^| find /i "dhcp"') do NetSh %a
    where scope.cfg is your dump file.   This runs perfectly and seems to be the exact thing that exec should be doing.  I did flip the "SET STATE 1" to "0" so the scope was deactivated (don't forget to run it in an elevated prompt).
    Hope this helps someone else so they aren't spending days for nothing!
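A Python version of the renumber-and-replay idea from this thread (added example, not the poster's script and not a Microsoft tool). Instead of a blanket text replace of "192.168.1." it only moves addresses that fall inside the old scope's subnet, so an option value pointing somewhere else (a DNS server, say) is left alone, and it flips `set state 1` to `set state 0` as the poster did so the new scope arrives deactivated. The dump text, the server name `DHCP-OLD` and both subnets are constructed in the style of a `netsh dhcp server scope ... dump` file; a real dump has more and different lines.

```python
"""Renumber a netsh dhcp scope dump and emit one 'netsh ...' command per line.

Added example, not the poster's script. Only addresses inside the old scope's
subnet are moved to the new subnet; anything else (a DNS server option, the
subnet mask) is left untouched. The dump below is constructed in the style of
a 'netsh dhcp server scope <id> dump' file.
"""
import re
from ipaddress import IPv4Address, IPv4Network

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample dump; the real file is longer and carries your server name.
SAMPLE_DUMP = r"""
# ==========================================================
# DHCP Server Scope Configuration
# ==========================================================
Dhcp Server \\DHCP-OLD add scope 192.168.1.0 255.255.255.0 "Sales" "Sales floor"
Dhcp Server \\DHCP-OLD Scope 192.168.1.0 set state 1
Dhcp Server \\DHCP-OLD Scope 192.168.1.0 Add iprange 192.168.1.10 192.168.1.200
Dhcp Server \\DHCP-OLD Scope 192.168.1.0 Add excluderange 192.168.1.10 192.168.1.20
Dhcp Server \\DHCP-OLD Scope 192.168.1.0 set optionvalue 003 IPADDRESS "192.168.1.1"
Dhcp Server \\DHCP-OLD Scope 192.168.1.0 set optionvalue 006 IPADDRESS "10.0.0.53"
Dhcp Server \\DHCP-OLD Scope 192.168.1.0 Add reservedip 192.168.1.50 0011223344aa "printer" "" "BOTH"
"""


def renumber(line, old_net, new_net):
    """Move every address inside old_net to the same host offset inside new_net."""
    old, new = IPv4Network(old_net), IPv4Network(new_net)
    if old.prefixlen != new.prefixlen:
        raise ValueError("old and new subnet must have the same prefix length")

    def swap(match):
        try:
            ip = IPv4Address(match.group(0))
        except ValueError:
            return match.group(0)      # dotted digits that are not an address
        if ip in old:
            return str(new.network_address + (int(ip) - int(old.network_address)))
        return match.group(0)          # unrelated address: keep it as-is

    return IPV4.sub(swap, line)


def dump_to_commands(dump_text, old_net, new_net, activate=False):
    """Build the netsh command list for the renumbered scope.

    Comment lines are dropped so the banner text is never handed to netsh,
    and unless activate=True the scope is written out deactivated so it can
    be reviewed before it starts answering clients.
    """
    commands = []
    for raw in dump_text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = renumber(line, old_net, new_net)
        if not activate:
            line = re.sub(r"set state 1$", "set state 0", line)
        commands.append("netsh " + line)
    return commands


if __name__ == "__main__":
    for cmd in dump_to_commands(SAMPLE_DUMP, "192.168.1.0/24", "10.10.5.0/24"):
        print(cmd)
```

The `\\DHCP-OLD` token in each emitted line is the server netsh will talk to, so replace it with the target server name before replaying the commands from an elevated prompt; review the deactivated scope first and activate it only once the old one has been retired, since two active scopes offering the same addresses is exactly the overlap problem the split-scope threads above describe.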

  • 3000 series and Multiple DHCP scopes (DHCP-relay)

    I need to send different DHCP options to users; however, I need to put certain groups in different subnets. Is it possible to setup the concentrator to relay for addresses from different scopes?

    - Configuration
    - System
    - IP Routing
    - DHCP Relay
    a. Enable 'Enabled' checkbox
    b. Select Forward to
    c. Address == 192.168.10.8 255.255.255.0
    - Address Management
    - Assignment
    a. Enable 'Use DHCP'
    - User Management
    - Groups
    - Select 'groupA'
    - Modify Group
    - Click General tab
    - Enter 'DHCP Network Scope' x.x.x.x
    - Select 'groupA'
    - Remove Address Pool
    Now I get the following error:
    118 02/08/2005 13:29:00.720 SEV=3 DHCPDBG/39 RPT=34
    DHCP discover timeout: no response from polled servers (xid 3821297335)
    I can ping the server, and it is serving up this scope to other devices (just not from the concentrator)

  • Remote access VPN with ASA 5510 using DHCP server

    Hi,
    Can someone please share your knowledge to help me find out why I am not able to receive an IP address on a remote access VPN connection, while I can get an IP address from the local DHCP pool?
    I am trying to set up remote access VPN with an ASA 5510. It works with the local dhcp pool but doesn't seem to work when I try using an existing DHCP server. It is being tested in an internal network as follows:
    ASA Version 8.2(5)
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.6.0.12 255.255.254.0
    ip local pool testpool 10.6.240.150-10.6.240.159 mask 255.255.248.0 !(worked with this)
    route inside 0.0.0.0 0.0.0.0 10.6.0.1 1
    crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dyn1 1 set transform-set FirstSet
    crypto map mymap 1 ipsec-isakmp dynamic dyn1
    crypto map mymap interface inside
    crypto isakmp enable inside
    crypto isakmp policy 1
      authentication pre-share
      encryption 3des
      hash sha
      group 2
      lifetime 43200
    vpn-addr-assign aaa
    vpn-addr-assign dhcp
    group-policy testgroup internal
    group-policy testgroup attributes
    dhcp-network-scope 10.6.192.1
    ipsec-udp enable
    ipsec-udp-port 10000
    username testlay password *********** encrypted
    tunnel-group testgroup type remote-access
    tunnel-group testgroup general-attributes
    default-group-policy testgroup
    dhcp-server 10.6.20.3
    tunnel-group testgroup ipsec-attributes
    pre-shared-key *****
    I got the following output when I test connecting to the ASA with Cisco VPN client 5.0
    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDO
    4024 bytesR copied in 3.41 0 secs (1341 by(tes/sec)13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 853
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing SA payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ISA_KE payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing nonce payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received xauth V6 VID
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received DPD VID
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Fragmentation VID
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received NAT-Traversal ver 02 VID
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Cisco Unity client VID
    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, Connection landed on tunnel_group testgroup
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing IKE SA payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA Proposal # 1, Transform # 9 acceptable  Matches global IKE entry # 1
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ISAKMP SA payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ke payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing nonce payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for Responder...
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing hash payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Cisco Unity VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing xauth V6 VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing dpd vid payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Traversal VID ver 02 payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Fragmentation VID + extended capabilities payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Received Cisco Unity client VID
    Jan 16 15:39:21 [IKEv1]: Group = testgroup, IP = 10.15.200.108, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
    [OK]
    kens-mgmt-012#
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing blank hash payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing qm hash payload
    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
    Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 87
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): Enter!
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing MODE_CFG Reply attributes.
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = cleared
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = cleared
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary WINS = cleared
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary WINS = cleared
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: IP Compression = disabled
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling Policy = Disabled
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Setting = no-modify
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
    Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, User (testlay) authenticated.
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
    Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
    Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg ACK attributes
    Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=49ae1bb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 182
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg Request attributes
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 address!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 net mask!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DNS server address!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for WINS server address!
    Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Received unsupported transaction mode attribute: 5
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Banner!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Save PW setting!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Default Domain Name!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split Tunnel List!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split DNS!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for PFS setting!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Browser Proxy Setting!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for backup ip-sec peer list!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Application Version!
    Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Client Type: WinNT  Client Application Version: 5.0.07.0440
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for FWTYPE!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DHCP hostname for DDNS is: DEC20128!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for UDP Port!
    Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected.  No last packet to retransmit.
    Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=b04e830f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload
    Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload
    Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected.  No last packet to retransmit.
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE received response of type [] to a request from the IP address utility
    Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Cannot obtain an IP address for remote peer
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE TM V6 FSM error history (struct &0xd8030048)  <state>, <event>:  TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE AM Responder FSM error history (struct &0xd82b6740)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b terminating:  flags 0x0945c001, refcnt 0, tuncnt 0
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending delete/delete with reason message
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing IKE delete payload
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
    Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=9de30522) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    Regards,
    Lay
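    To read a debug like the one above without walking every payload line by hand, here is an added Python example (not from the original post or from Cisco) that parses the ASA IKEv1 debug line format into a per-peer summary and flags the point where the tunnel died. The line regexes and the sample lines are constructed from the format shown above; the sample is a condensed stand-in, not the full log.

```python
import re

# Constructed sample in the ASA "debug crypto isakmp" format shown above (not the page's full log).
SAMPLE_LOG = """\
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + NONE (0) total length : 853
Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, User (testlay) authenticated.
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 address!
Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Cannot obtain an IP address for remote peer
Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=9de30522) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \[(IKEv1(?: DEBUG)?)\]: (.*)$")
CTX_RE = re.compile(r"(Group|Username|IP) = ([^,]+), ")
DECODE_RE = re.compile(r"IKE_DECODE (SENDING|RECEIVED) Message \(msgid=([0-9a-f]+)\) "
                       r"with payloads : (.*?) total length : (\d+)")

def split_context(body):
    # Peel the leading "Group = x, Username = y, IP = z, " fields off a log body.
    ctx = {}
    while (m := CTX_RE.match(body)):
        ctx[m.group(1)] = m.group(2)
        body = body[m.end():]
    return ctx, body

def analyze(log):
    # Summarise one peer's IKEv1 exchange: context, message flow and the first hard failure.
    s = {"peer": None, "group": None, "user": None, "authenticated": False, "sent": 0,
         "received": 0, "payloads": set(), "errors": [], "verdict": "no failure seen"}
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an IKEv1 line (e.g. CLI output interleaved with the debug)
        level, body = m.groups()
        ctx, msg = split_context(body)
        for field, key in (("IP", "peer"), ("Group", "group"), ("Username", "user")):
            s[key] = ctx.get(field, s[key])
        d = DECODE_RE.match(msg)
        if d:
            direction, _msgid, payloads, _length = d.groups()
            s["sent" if direction == "SENDING" else "received"] += 1
            s["payloads"].update(p.split(" ")[0] for p in payloads.split(" + ") if p != "NONE (0)")  # "HASH (8)" -> "HASH"
        elif msg.startswith("User (") and msg.endswith("authenticated."):
            s["authenticated"] = True
        elif level == "IKEv1" and msg.startswith("Cannot obtain an IP address"):
            s["errors"].append(msg)
    if s["errors"] and s["authenticated"]:
        # XAUTH passed, so credentials are fine; the tunnel died at MODE_CFG address assignment.
        s["verdict"] = "authenticated but address assignment failed: check the tunnel group's address pool"
    if "DELETE" in s["payloads"]:
        s["verdict"] += "; ASA sent an IKE DELETE, so the SA was torn down"
    return s
```

    Feed it the full debug capture instead of SAMPLE_LOG and the summary shows at a glance that XAUTH succeeded and the failure is in address assignment rather than authentication.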

    For RADIUS you need an aaa-server definition:
    aaa-server NPS-RADIUS protocol radius
    aaa-server NPS-RADIUS (inside) host 10.10.18.12
      key *****   
      authentication-port 1812
      accounting-port 1813
    and tell your tunnel-group to ask that server:
    tunnel-group VPN general-attributes
      authentication-server-group NPS-RADIUS LOCAL
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni
