
Cisco Bug: CSCvh90944 - IP address in DHCP GIADDR field is reversed after sending DHCP DECLINE to DHCP server

Last Modified

Sep 20, 2019

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.6(4) 9.8(2)

Description (partial)

The GIADDR field in DHCP DISCOVER packets from an ASA or FTD may get flipped (placed into reverse octet order) after the device sends a DHCP DECLINE packet to the DHCP server.

The DECLINE may be sent for various reasons including:

1.  The IP address offered to the VPN client by the DHCP server is assigned to one of the firewall's interfaces (and is therefore already in use as defined in RFC 2131).
2.  The IP address offered to the VPN client by the DHCP server is invalid for some other reason.  This has been observed in lab testing when the default gateway being assigned is the same as the IP being offered to the client.  

There may be other conditions where the ASA/FTD checks the validity of the DHCP Offer and sends back a DECLINE on behalf of the VPN client.

This has been observed on ASA and FTD versions running Lina 9.8(2) and 9.6(4) code but may affect other versions as well.
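
One way to check captured DHCP traffic for this symptom, as an added example that is not part of Cisco's bug record: it reads GIADDR from the BOOTP header and flags messages whose GIADDR is a known relay address in reverse octet order. The relay address 10.1.2.3, the helper names and the sample payloads are constructed assumptions.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks start of DHCP options (RFC 2131)
DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE", 5: "ACK"}

def parse_dhcp(payload: bytes):
    """Return (message type name, giaddr) from a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    giaddr = ipaddress.IPv4Address(payload[24:28])   # giaddr sits at offset 24
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                          # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break                                    # truncated option header
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            msg_type = payload[i + 2]
        i += 2 + length
    return DHCP_TYPES.get(msg_type), giaddr

def find_flipped_giaddr(payloads, relay_addrs):
    """List (index, type, giaddr) where giaddr is a known relay address reversed."""
    known = {ipaddress.IPv4Address(a) for a in relay_addrs}
    hits = []
    for idx, payload in enumerate(payloads):
        mtype, giaddr = parse_dhcp(payload)
        flipped_back = ipaddress.IPv4Address(giaddr.packed[::-1])
        # Palindromic addresses (e.g. 10.1.1.10) equal their reverse: not flagged.
        if giaddr not in known and flipped_back in known:
            hits.append((idx, mtype, str(giaddr)))
    return hits

def build_sample(msg_type: int, giaddr: str) -> bytes:
    """Constructed minimal DHCP payload: 236-byte header, cookie, option 53, end."""
    header = bytearray(236)
    header[0:3] = bytes([1, 1, 6])                   # BOOTREQUEST, Ethernet, hlen 6
    header[24:28] = ipaddress.IPv4Address(giaddr).packed
    return bytes(header) + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])

# Constructed sequence: DISCOVER, DECLINE, then a DISCOVER with reversed giaddr.
SAMPLES = [build_sample(1, "10.1.2.3"), build_sample(4, "10.1.2.3"),
           build_sample(1, "3.2.1.10")]

if __name__ == "__main__":
    for hit in find_flipped_giaddr(SAMPLES, ["10.1.2.3"]):
        print("flipped giaddr:", hit)
```

In practice the payloads would be the UDP port 67/68 payloads extracted from a capture taken between the firewall and the DHCP server, and `relay_addrs` the interface addresses the firewall is expected to use as GIADDR.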