Pulse Secure Gateway (Juniper Secure Gateway): assigning IPs to clients via a DHCP server

https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB22889

http://www.rfc-editor.org/rfc/rfc3011.txt

Error:

NWC23466 2015-09-17 14:39:25 – JSA – [10.139.1.60] rkrakovic(PULSE01)[PULSE01-RED] – VPN Tunneling: IPv4 address cannot be allocated to user rkrakovic. Solution: Check IPv4 Address Pools / DHCP server state.

Task:

The Juniper Secure / PulseSecure box has settings for minimum browser requirements. If a browser does not meet these

IP Address Assignment Flow

The Pulse Connect Secure (PCS) appliance acts as a Dynamic Host Configuration Protocol (DHCP) proxy in order to assign IP addresses to the VPN tunneling client. If DHCP server(s) are configured, it initiates DHCP requests to the DHCP server on behalf of the client. The flow is as follows:

  1. The VPN tunneling client tries to make a connection to the PCS appliance. There are two possible methods which can be used to obtain an IP address for the VPN tunneling client (Users > Resource Policies > VPN Tunneling > Connection Profile):

– DHCP server(s)
– IP address pool

If IP address pool configuration is in use, then the PCS will automatically select an available IP address from the pool and assign it to the client.

If DHCP server is used, the PCS will begin initiating DORA (Discover, Offer, Request, and ACK) messages to the DHCP server on behalf of the VPN Tunneling client, as in this example:

Source     Destination  Protocol Info
10.10.2.25 10.10.2.30   DHCP     DHCP Discover
10.10.2.30 10.10.2.25   DHCP     DHCP Offer
10.10.2.25 10.10.2.30   DHCP     DHCP Request
10.10.2.30 10.10.2.25   DHCP     DHCP ACK
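To make the proxy exchange above concrete, here is an added example (not code from the KB article or from Pulse Secure) that encodes and decodes RFC 2131 DHCP messages and runs the Discover/Offer/Request/ACK sequence against a toy in-memory server. The server scope, addresses and client MAC are constructed values; nothing is sent on the wire. The `dora()` helper returns `None` when the server has no lease to offer, which is the situation behind the "IPv4 address cannot be allocated" error quoted at the top of this note.

```python
"""Minimal RFC 2131/2132 DHCP encoder/decoder plus a simulated DORA exchange.

Constructed example: the PCS, acting as DHCP proxy for one VPN client,
talks to a toy DHCP server that leases addresses from a small scope.
"""
import ipaddress
import os
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131: marks the start of the options field
# Option codes from RFC 2132
OPT_SUBNET_MASK, OPT_DNS, OPT_REQUESTED_IP, OPT_LEASE = 1, 6, 50, 51
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
NAMES = {DISCOVER: "Discover", OFFER: "Offer", REQUEST: "Request", ACK: "ACK", NAK: "NAK"}


def build(msg_type, xid, chaddr, yiaddr="0.0.0.0", server_id=None, extra=None):
    """Serialize one DHCP message; op=1 (BOOTREQUEST) for client types, 2 (BOOTREPLY) for server types."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2
    # op, htype=Ethernet, hlen, hops, xid, secs, flags (broadcast bit set)
    pkt = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)
    pkt += b"\0" * 4 + ipaddress.IPv4Address(yiaddr).packed + b"\0" * 8  # ciaddr, yiaddr, siaddr, giaddr
    pkt += chaddr.ljust(16, b"\0") + b"\0" * 192  # chaddr (16), sname (64), file (128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id:
        opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    for code, value in (extra or {}).items():
        opts += bytes([code, len(value)]) + value
    return pkt + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse(pkt):
    """Decode the fields a troubleshooter looks at: type, xid, yiaddr and the option map."""
    op, _htype, _hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", pkt[:12])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while pkt[i] != OPT_END:
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": str(ipaddress.IPv4Address(pkt[16:20])),
            "chaddr": pkt[28:44], "type": NAMES[opts[OPT_MSG_TYPE][0]], "opts": opts}


class ToyDhcpServer:
    """Leases addresses from one scope and remembers which client (chaddr) holds which."""

    def __init__(self, server_ip, scope, mask, dns, lease_seconds=3600):
        self.server_ip = server_ip
        self.free = [str(ip) for ip in ipaddress.IPv4Network(scope).hosts() if str(ip) != server_ip]
        self.leases = {}
        self.params = {OPT_SUBNET_MASK: ipaddress.IPv4Address(mask).packed,
                       OPT_DNS: ipaddress.IPv4Address(dns).packed,
                       OPT_LEASE: struct.pack("!I", lease_seconds)}

    def handle(self, pkt):
        msg = parse(pkt)
        chaddr = msg["chaddr"]
        if msg["type"] == "Discover":
            if chaddr not in self.leases:
                if not self.free:
                    return None  # scope exhausted: no Offer is sent, the proxy times out
                self.leases[chaddr] = self.free.pop(0)
            return build(OFFER, msg["xid"], chaddr, self.leases[chaddr], self.server_ip, self.params)
        if msg["type"] == "Request":
            wanted = str(ipaddress.IPv4Address(msg["opts"][OPT_REQUESTED_IP]))
            if self.leases.get(chaddr) == wanted:
                return build(ACK, msg["xid"], chaddr, wanted, self.server_ip, self.params)
            return build(NAK, msg["xid"], chaddr, server_id=self.server_ip)
        return None


def dora(server, chaddr):
    """Run Discover/Offer/Request/ACK on behalf of one client; None means no address could be allocated."""
    xid = struct.unpack("!I", os.urandom(4))[0]
    offer_pkt = server.handle(build(DISCOVER, xid, chaddr))
    if offer_pkt is None:
        return None
    offer = parse(offer_pkt)
    request = build(REQUEST, xid, chaddr,
                    server_id=str(ipaddress.IPv4Address(offer["opts"][OPT_SERVER_ID])),
                    extra={OPT_REQUESTED_IP: ipaddress.IPv4Address(offer["yiaddr"]).packed})
    ack = parse(server.handle(request))
    return ack if ack["type"] == "ACK" else None


if __name__ == "__main__":
    srv = ToyDhcpServer("10.10.2.30", "10.10.2.24/29", "255.255.255.0", "10.10.2.53")
    lease = dora(srv, b"\x00\x11\x22\x33\x44\x55")  # constructed client MAC
    print(lease["type"], lease["yiaddr"], struct.unpack("!I", lease["opts"][OPT_LEASE])[0])
```

Running the script prints the ACK, the leased address and the lease time the server pushed; exhausting the scope makes `dora()` return `None`, which is the state a DHCP-backed Connection Profile is in when the PCS logs the allocation error.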

Note: If a DHCP server has been setup with IP address scopes which are different from the PCS’s internal IP subnet, refer to KB22611 – Network Connect: Assign IP addresses from a DHCP scope not on the IVE internal interface subnet.

  2. The PCS will then pass down the VPN tunneling parameters (IP address, subnet mask, DNS / WINS servers, and VPN Tunnel Server IP address) to the Network Connect (NC) service on the client.
  3. The NC service on the client then enables the virtual adapter and passes the VPN tunneling parameters to the virtual adapter driver.
  4. By default DHCP is enabled in the virtual adapter, so when the NC service enables the virtual adapter, the TCP/IP stack initiates the DORA process. Since the NC service has already received the VPN tunneling parameters directly from the PCS appliance, the DORA process which happens on the client is initialized in compliance with the dynamic IP assignment (DHCP) standards defined in the Requests for Comments (RFCs) published by the Internet Engineering Task Force (IETF). For your reference: RFC 2131 and RFC 2132.

    When the virtual adapter driver receives the DHCP Discover and DHCP Request packets, it responds with the DHCP Offer and DHCP ACK using the VPN Tunnel Server IP (10.200.200.200), which is provided by the NC service. Because these packets are sent before the IP address of the VPN tunnel has been assigned, the tunnel is not yet operational and the packets never actually reach the PCS. When assigning the IP address, the NC service always uses the VPN Tunnel Server IP configured on the PCS as the dummy DHCP server on the client.

    The default IP address that is already configured on the PCS appliance is 10.200.200.200 (System > Network > Network Connect). This is why the VPN Tunnel Server IP is the default DHCP server for every VPN tunnel, regardless of the configuration being used to assign IP addresses (DHCP server or IP address pool).

    The VPN tunneling server IP address can be changed; but as it cannot be both the DHCP server and the assigned IP address, ensure that the IP address you choose is not part of an IP address pool that is specified as part of a VPN tunneling Connection Profile (Users > Resource Policies > VPN Tunneling > Connection Profile). That is, the IP address cannot be in the range of the IP address pool that is configured for VPN tunneling, nor an IP address that may be assigned by a DHCP server.
    Source         Destination      Protocol Info
    0.0.0.0        255.255.255.255  DHCP     DHCP Discover
    10.200.200.200 255.255.255.255  DHCP     DHCP Offer
    0.0.0.0        255.255.255.255  DHCP     DHCP Request
    10.200.200.200 255.255.255.255  DHCP     DHCP ACK

    Note: The PCS will honor the DHCP parameters pushed down from your server, and pass them down to the VPN client using Pulse Secure’s proprietary protocol. However, from the client perspective, many of the parameters actually set on the client will remain static. See the following KB articles for more specific information regarding the parameters listed below:

    MAC Address (See KB23018 – What would be the MAC addressed presented by the SA to the DHCP server in NC or Junos Pulse)

    Lease Time (See KB19210 – [SSLVPN/MAG] Network Connect clients DHCP lease duration)

    Default Gateway (See KB16551 – Network Connect (NC) default gateway is blank or 0.0.0.0 on Windows client)
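The constraint in step 4 (the VPN Tunnel Server IP must lie outside every Connection Profile IP address pool and outside any DHCP scope that can serve VPN clients) is easy to get wrong once pools and scopes are spread across several profiles. The following is an added example, not Pulse Secure's own tooling: a small check that takes the tunnel server IP together with pool and scope definitions and lists every overlap. The `first-last` and CIDR syntaxes accepted here, and the sample addresses, are assumptions for the example; the PCS's own pool parser may differ.

```python
"""Check a VPN Tunnel Server IP against the address sources it must not overlap with.

Constructed example. The PCS setting System > Network > Network Connect
(default 10.200.200.200) is what the client treats as its DHCP server, so it
must never be an address that a pool or DHCP scope could hand to a client.
"""
import ipaddress

DEFAULT_TUNNEL_SERVER_IP = "10.200.200.200"


def parse_range(spec):
    """'10.10.2.100-10.10.2.200' -> (first, last); '10.10.2.0/24' -> (network, broadcast).

    Assumed syntax for this example: a dash-separated inclusive range or a CIDR block.
    """
    spec = spec.strip()
    if "-" in spec:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if first > last:
            raise ValueError(f"range {spec!r} has its ends reversed")
        return first, last
    net = ipaddress.IPv4Network(spec, strict=False)
    return net[0], net[-1]


def tunnel_ip_conflicts(tunnel_ip, pools, dhcp_scopes):
    """Return one finding per pool or scope that contains tunnel_ip; an empty list means it is safe."""
    ip = ipaddress.IPv4Address(tunnel_ip)
    findings = []
    for label, specs in (("IP address pool", pools), ("DHCP scope", dhcp_scopes)):
        for spec in specs:
            first, last = parse_range(spec)
            if first <= ip <= last:
                findings.append(f"{ip} falls inside {label} {spec.strip()}")
    return findings


if __name__ == "__main__":
    # Constructed configuration: two Connection Profile pools and one corporate DHCP scope
    pools = ["10.10.2.100-10.10.2.200", "10.10.3.0/24"]
    scopes = ["10.10.2.0/24"]
    for candidate in (DEFAULT_TUNNEL_SERVER_IP, "10.10.2.150", "10.10.3.7"):
        problems = tunnel_ip_conflicts(candidate, pools, scopes)
        print(candidate, "OK" if not problems else "; ".join(problems))
```

Run it as part of a change review whenever a pool, scope or the tunnel server IP is edited; any non-empty result is an address that could be leased to a client while also being the client's dummy DHCP server.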

IP Address Assignment Flow Chart


https://kb.pulsesecure.net/articles/Pulse_Secure_Article/does-the-PCS-sslvpn-act-as-a-dhcp-relay-agent-when-requesting-layer-3-l3-vpn-client-ip-addresses-from-my-corporate-dhcp