I have users VPN in from the outside; currently I use an address pool, but I want to use the DHCP server instead. I have a test lab set up using an ASA 5510 and a 3750 as the DHCP server. The interface between them is trunked: 3750: vlan4 10.0.4.1, vlan5 10.0.5.1, vlan6 10.0.6.1; and the 5510: insidevlan4 10.0.4.2, insidevlan5 10.0.5.2, insidevlan6 10.0.6.2, outside 18.104.22.168. OSPF is enabled between the 3750 and the 5510 for 10.0.0.0/8.
dhcprelay server 10.0.6.1 insidevlan6
dhcprelay enable outside
dhcprelay setroute outside
ip address pool none
- If I assign an address pool, the connection works.
- If I remove the address pool and put in the DHCP relay, the syslog on the 5510 shows the connection: DHCP enabled, no response.
- The 3750 does not show the request from the firewall.
- Right now for the test lab I am using a local username. I will end up using SDI for auth in production.
What am I missing? Please help.
Good catch, Nicholas!
Looks like you could be running into the same symptoms experienced in bug
CSCsf22066: ASA - dhcp-network-scope/DHCP-proxy giaddr issue with RFC2131
This was a duplicate of enhancement request CSCsm60591, which has been resolved in the latest ASA images. See the Bug Toolkit for more details.
I also came across this in the configuration guide:
"When it receives a DHCP request, the security appliance sends a discovery message to the DHCP server. This message includes the IP address (within a subnetwork) configured with the dhcp-network-scope command in the group policy. If the server has an address pool that falls within that subnetwork, it sends the offer message with the pool information to the IP address—not to the source IP address of the discovery message.
- For example, if the server has a pool of the range 22.214.171.124 to 126.96.36.199, mask 255.255.255.0, and the IP address specified by the dhcp-network-scope command is 188.8.131.52, the server sends that pool in the offer message to the security appliance."
This is why you stated that "I can see the 3750 sending the requested address back to 10.0.6.0". The ASA sets the GIADDR field in the DHCP Discover to the dhcp-network-scope defined within your group-policy. It's my impression that by setting the IP address to 10.0.6.2, the DHCP Offer will be returned to a host address that the ASA can listen on, as opposed to the subnet's network address, which the ASA ignores.
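To make the GIADDR behaviour concrete, here is an added example (not from this thread, the ASA, or IOS) that builds a relayed RFC 2131 DHCPDISCOVER and models the server-side pool selection the configuration guide describes: the server picks the pool whose subnet contains giaddr and sends the offer to giaddr. The pool table and MAC address are constructed for the lab; a giaddr of 10.0.6.0 (the network address) selects the right pool but targets an address no relay host listens on, while 10.0.6.2 targets the ASA's own interface.

```python
import ipaddress
import struct

# Constructed sample pools on the lab 3750 (assumption, not the poster's config)
POOLS = {
    ipaddress.ip_network("10.0.6.0/24"): ("10.0.6.100", "10.0.6.200"),
    ipaddress.ip_network("10.0.5.0/24"): ("10.0.5.100", "10.0.5.200"),
}

def build_discover(giaddr: str, xid: int = 0x3903F326) -> bytes:
    """Minimal BOOTREQUEST as a relay would forward it: hops=1, giaddr set."""
    chaddr = bytes.fromhex("001122334455") + bytes(10)   # constructed client MAC
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s",
        1, 1, 6, 1,                  # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=1
        xid, 0, 0x8000,              # xid, secs, flags (broadcast bit set)
        bytes(4), bytes(4), bytes(4),  # ciaddr, yiaddr, siaddr all zero
        ipaddress.ip_address(giaddr).packed,  # giaddr: what the ASA fills from dhcp-network-scope
        chaddr,
    )
    # sname(64) + file(128) + magic cookie + option 53 (DHCPDISCOVER) + end
    return header + bytes(64) + bytes(128) + b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"

def parse_giaddr(packet: bytes) -> str:
    """giaddr sits at fixed offset 24..28 of the BOOTP header."""
    return str(ipaddress.ip_address(packet[24:28]))

def server_offer(packet: bytes):
    """Model of RFC 2131 pool selection: match giaddr's subnet, reply to giaddr.
    Returns None when the server would stay silent (the 'no response' symptom)."""
    giaddr = ipaddress.ip_address(parse_giaddr(packet))
    if packet[3] == 0 or giaddr == ipaddress.ip_address("0.0.0.0"):
        return None  # not relayed; a real server would answer on the local segment instead
    for net, pool in POOLS.items():
        if giaddr in net:
            return {
                "pool": pool,
                "offer_dst": str(giaddr),
                # The reply's point: a relay can only receive the offer at a host
                # address it owns, never at the subnet's network or broadcast address.
                "relay_can_receive": giaddr not in (net.network_address, net.broadcast_address),
            }
    return None  # no scope covers giaddr: the server drops the request silently

if __name__ == "__main__":
    for scope in ("10.0.6.0", "10.0.6.2", "10.0.7.1"):
        print(scope, "->", server_offer(build_discover(scope)))
```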