Obtain DHCP from remote server via VPN

Unanswered Question
May 29th, 2007


I've updated our firewall (a PIX 525) from 7.04 to the latest release, and after that the DHCP via VPN seems to fail. Before, the clients got their addresses from two internal servers via a dhcp-server statement under the tunnel-group.

After the upgrade it worked fine for a while, but after a couple of days it stopped leasing addresses. I temporarily solved the problem by setting up a local pool in the PIX. What do I have to do to get the servers working again? Do I have to configure DHCP relay?

Best regards


ggilbert Tue, 05/29/2007 - 09:03


Before you upgraded the PIX to version 7.0.4, did you have DHCP relay enabled?


a. When you say DHCP via VPN, is it the Site to Site (LAN to LAN) tunnels or Remote Access VPN client connections?

b. When it fails, are you able to ping the DHCP server at that time?

c. Does the DHCP server have any lease available at the time the failure happens?

d. Did you run any DHCP debugs on the PIX firewall to see if there were any error messages?

Let me know.



Eyas Tue, 05/29/2007 - 09:36

Hi Gilbert

I've been through the old config but couldn't find any dhcprelay enable.

And then the answers:

a. It's RA

b. Yes, I can ping them from the firewall

c. Yes, they have. In the DHCP server I get a message about "bad address".

d. Nope, haven't done that. Tried to write debug dhcp and tab but couldn't find any commands. Was a bit short of time though.

Do I need to enable dhcprelay to be able to get an address from the server? How does one normally set it up? Usually I just use the internal DHCP.


ggilbert Tue, 05/29/2007 - 10:04


For the VPN clients, it's the normal DHCP server. You do not need to set up the DHCP relay for the VPN client connections.

When this happens, would it be possible to put a sniffer trace between the ASA and the DHCP server, to see where it fails?

Let me know.



Eyas Tue, 05/29/2007 - 22:43

It should be, I'll give it a try. As I understand it, the following config should be enough to enable the DHCP:

group-policy VPN_IL attributes


tunnel-group VPN_IL general-attributes



The same servers act as RADIUS for the VPN RA.


ggilbert Wed, 05/30/2007 - 05:38


Also the command "vpn-addr-assign dhcp" should be configured globally.

Apart from that, the other commands look good.



