1 Reply Latest reply on Oct 28, 2015 8:37 AM by lnurmi

    Failed to acquire virtual IP address

    bblanchard

      I am trying to configure our NGFW 5.9.1 with IPSec remote access (and the McAfee IPSec VPN client 5.9.1) and I always get a "Failed to acquire virtual IP address" error.


      I configured an unused interface with the IP 192.168.125.1/24 and set that interface as a DHCP Server:


      DHCP Mode: DHCP Server

      DHCP Range: 192.168.125.100-192.168.125.200 (an object that I named VPN-Users)

      Primary DNS Server: 8.8.8.8

      Default Gateway: 192.168.125.1


      For the endpoint tab, I enabled only the internet-facing interface:


      IP Address: <public IP>

      Mode: Active

      NAT-T: Enabled

      Phase-1 ID: <public>

      VPN Type: All Type


      For the VPN Client tab:


      VPN Type:  IPsec VPN

      Local Security Check: None selected

      Virtual IP Address:  Enabled

      Use Proxy ARP: Enabled. I used my VPN-Users (192.168.125.100-192.168.125.200) object in the IPv4 Address Range.

      Restrict Virtual Address Ranges: Enabled. I used my VPN-Users (192.168.125.100-192.168.125.200) object in the IPv4 Address Range.

      Use DHCP: Enabled.  DHCP Server is set as my FW interface IP (192.168.125.1)

      Use Local Relay: Enabled

      Interface for DHCP Relay: 192.168.125.1 interface


      In my policy, I added the following rule:


      From: VPN-Users (192.168.125.100-192.168.125.200)

      Destination: Any

      Service: Any

      Action: Enforce VPN: Remote Access (my VPN definition)

      Authentication: my user


      Here are the logs from my VPN client:


      09:05:35 Using IKEv2
      09:05:35 Initiator's proposing IKE SA payload SA([0] protocol = IKE (1), AES CBC key len = 256, AES CBC key len = 128, 3DES, HMAC-SHA256-128, HMAC-SHA1-96, HMAC-MD5-96, HMAC-SHA256 PRF, HMAC-SHA1 PRF, HMAC-MD5 PRF, 2048 bit MODP, 1536 bit MODP, 1024 bit MODP; )
      09:05:35 Authenticating...
      09:05:35 Prompting for user name and password.
      09:05:38 Initiator's proposing IPsec SA payload SA([0] protocol = ESP (3), spi_len = 4, spi = 0x00000000, AES CBC key len = 256, AES CBC key len = 128, 3DES, HMAC-SHA256-128, HMAC-SHA1-96, AES-XCBC-96, HMAC-MD5-96, No ESN, ESN; )
      09:05:38 Authenticating...
      09:05:38 Gateway certificate issued by an unknown CA:
      09:05:38 Prompting for gateway fingerprint validation.
      09:05:39 Gateway fingerprint validated.
      09:05:39 Client authentication successful
      09:05:39 User authentication successful.
      09:05:39 Acquiring virtual IP address...
      09:05:39 Received IPsec error notify Internal address failure (36)


      And here are the error logs from the FW:


      Failed to resolve DHCP interface: no match to ifnum (7)

      Failed to resolve DHCP interface

      DHCP session (a8c00f0), error: error

      DHCP session (a8c00f0), dropping ipsec session 100000e: Failed to resolve DHCP interface


      I have pretty much the exact same setup in my lab and it works perfectly, so I know that the issue is not with my PC/VPN client.

      Is there anything that I'm missing to have DHCP work on this firewall?

        • 1. Re: Failed to acquire virtual IP address
          lnurmi

          Hi,


          this:

          >Failed to resolve DHCP interface: no match to ifnum (7)


          is the result of this:

          >I configured an unused interface with the IP 192.168.125.1/24 and set that interface as a DHCP Server:


          The interface used as DHCP Server must be up, otherwise it cannot distribute IP addresses. Hence the resolving error.


          If you just plug a cable into this interface so that it is up, you should get a virtual IP then.


          BR,

          Lauri
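
The thread above shows the two halves of this failure: the client log ends with "Internal address failure (36)" right after user authentication succeeds, and the firewall log shows "Failed to resolve DHCP interface" because the interface configured as the DHCP server is down. The following Python script is an added example (not code from the poster, the replier, or the NGFW product) that triages exactly that pairing: it parses the client log lines with their fused timestamps, checks whether the client got past authentication before the address failure, correlates that with the firewall's DHCP-interface error, and additionally sanity-checks a DHCP range against the interface subnet (which also catches the malformed range form that appears in the original post). The sample log text is copied from the thread; the function names and the diagnosis labels are this example's own choices.

```python
"""Triage helper for an IPsec remote-access client that fails to obtain a
virtual IP from a firewall-side DHCP server.  Added example, not vendor code."""
import ipaddress
import re

# Client log lines have the timestamp fused to the message: "09:05:39Acquiring ..."
CLIENT_LINE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s*(.*)$")
CLIENT_ADDR_FAILURE = re.compile(r"Internal address failure \(36\)")
FW_DHCP_IF_ERROR = re.compile(r"Failed to resolve DHCP interface")

# Sample input constructed from the log excerpts posted in the thread.
CLIENT_LOG = """\
09:05:35Using IKEv2
09:05:35Authenticating...
09:05:38Prompting for gateway fingerprint validation.
09:05:39Gateway fingerprint validated.
09:05:39Client authentication successful
09:05:39User authentication successful.
09:05:39Acquiring virtual IP address...
09:05:39Received IPsec error notify Internal address failure (36)
"""

FW_LOG = """\
Failed to resolve DHCP interface: no match to ifnum (7)
Failed to resolve DHCP interface
DHCP session (a8c00f0), error: error
DHCP session (a8c00f0), dropping ipsec session 100000e: Failed to resolve DHCP interface
"""


def parse_client_log(text):
    """Split each client log line into (timestamp, message)."""
    events = []
    for line in text.splitlines():
        m = CLIENT_LINE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2)))
    return events


def client_failure_stage(text):
    """Return 'virtual-ip' when the client authenticated successfully and then
    received the Internal address failure notify; None otherwise."""
    authed = False
    for _, msg in parse_client_log(text):
        if msg.startswith("User authentication successful"):
            authed = True
        elif authed and CLIENT_ADDR_FAILURE.search(msg):
            return "virtual-ip"
    return None


def fw_dhcp_interface_unresolved(text):
    """True if the firewall log reports that the DHCP interface could not be resolved."""
    return any(FW_DHCP_IF_ERROR.search(line) for line in text.splitlines())


def diagnose(client_text, fw_text):
    """Correlate client and firewall logs into one diagnosis label."""
    if client_failure_stage(client_text) != "virtual-ip":
        return "no-virtual-ip-failure"
    if fw_dhcp_interface_unresolved(fw_text):
        # Per the reply in the thread: the interface acting as DHCP server is not up.
        return "dhcp-interface-unresolved"
    return "virtual-ip-failure-other"


def check_dhcp_scope(interface_cidr, dhcp_range):
    """Return a list of problems with a DHCP range ("a.b.c.d-a.b.c.e") relative to
    the interface address/prefix that serves it; an empty list means it looks sane."""
    iface = ipaddress.ip_interface(interface_cidr)
    parts = dhcp_range.split("-")
    try:
        if len(parts) != 2:
            raise ValueError("expected exactly one '-' separator")
        first, last = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
    except ValueError:
        return [f"malformed range: {dhcp_range!r}"]
    problems = []
    if first > last:
        problems.append("range start is after range end")
    if first not in iface.network or last not in iface.network:
        problems.append(f"range is not inside interface subnet {iface.network}")
    if first <= iface.ip <= last:
        problems.append(f"range includes the interface (gateway) address {iface.ip}")
    return problems


if __name__ == "__main__":
    print("diagnosis:", diagnose(CLIENT_LOG, FW_LOG))
    print("scope check:", check_dhcp_scope("192.168.125.1/24",
                                           "192.168.125.100-192.168.125.200"))
```

Run it as-is and it reports the thread's situation as `dhcp-interface-unresolved`; the same client log with an empty firewall log yields `virtual-ip-failure-other`, which tells you to look elsewhere (relay interface, pool exhaustion) rather than at link state. The scope check is deliberately strict about the range object: a range that spans outside the interface subnet, or that swallows the gateway address itself, produces leases the relay cannot serve correctly even once the interface is up.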