6113 Views | 0 Helpful | 3 Replies

DHCP Limitation with ASA 5505?

mike.keller, Level 1

I am trying to lab up a config and I have a 5505 configured to provide IP addressing for RA VPNs and AnyConnect clients via a DHCP server on the "INSIDE" network. I also have other networks (VLANs) configured that need DHCP as well. I only have 1 DHCP server, on the inside. When I try adding the server as a DHCP relay (dhcprelay server x.x.x.x INSIDE), I am not able to. I get this error: "DHCP: Cannot enable DHCP Relay on an interface running DHCP Proxy. Remove VPN DHCP config first." If I remove the DHCP server config from my tunnel groups (tunnel-group x, no dhcp-server x.x.x.x) and then reload the ASA (I have to reload it), I can then add the dhcprelay server and enable dhcprelay on the interfaces that I want. Both of these work, but they don't work at the same time. For the workaround, I have dhcprelay enabled, and I am using an IP pool for VPN clients. I would like to have the DHCP server give IP addresses for VPN clients, AND have it be a DHCP relay server. I would also like to know why the ASA has to be reloaded every time I switch between dhcprelay and VPN DHCP server. I have two 5520s, but I haven't tried on them, as the 5505 is the "lab", so I am not sure if it is an ASA problem or if it is specific to the 5505 platform.

3 Replies

carenas123, Level 5

Note that the number of DHCP pool addresses that can be assigned depends upon the license used in the Security Appliance (PIX/ASA). If you use the Base/Security Plus license, then these limits apply to the DHCP pool: if the host limit is 10 hosts, the DHCP pool is limited to 32 addresses; if the host limit is 50 hosts, the DHCP pool is limited to 128 addresses; if the host limit is unlimited, the DHCP pool is limited to 256 addresses. Thus the address pool is limited based on the number of hosts.

Farrukh Haroon, VIP Alumni

This is a known (and documented) limitation of the DHCP relay feature on all ASA platforms:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/dhcp.html#wp1041663

"The following restrictions apply to the use of the DHCP relay agent:

• The relay agent cannot be enabled if the DHCP server feature is also enabled."

Please Rate if Helpful.

Regards

Farrukh
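The two replies above describe two separate constraints: the relay agent cannot coexist with the ASA's own DHCP server (and, per the original error message, with the VPN DHCP proxy configured under a tunnel-group), and the size of a local dhcpd pool is capped by the licensed host limit. The following script, added here as an example and not taken from the thread or from Cisco, lints an ASA running-config excerpt for both problems before the config is pushed, so the conflict is caught without a reload cycle. The sample config, interface names, the tunnel-group name RA-VPN and the 192.168.1.x addresses are constructed placeholders; the pool ceilings are the ones quoted in the reply above.

```python
import ipaddress
import re

# Constructed sample excerpt of an ASA running-config (not from the thread;
# interface names, addresses and the tunnel-group name are placeholders).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
dhcpd address 192.168.1.10-192.168.1.100 inside
dhcpd enable inside
!
dhcprelay server 192.168.1.5 inside
dhcprelay enable guest
!
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 dhcp-server 192.168.1.5
"""

# DHCP pool ceilings per licensed host limit, as quoted in the thread.
# None stands for an unlimited-hosts license.
POOL_LIMITS = {10: 32, 50: 128, None: 256}


def parse_config(text):
    """Collect the DHCP-related statements from an ASA config excerpt."""
    facts = {
        "relay_servers": [],     # (server_ip, interface) from 'dhcprelay server'
        "relay_interfaces": [],  # interfaces with 'dhcprelay enable'
        "dhcpd_interfaces": [],  # interfaces with 'dhcpd enable'
        "dhcpd_pools": [],       # (interface, first_ip, last_ip) from 'dhcpd address'
        "vpn_dhcp_servers": {},  # tunnel-group name -> [server_ip, ...]
    }
    current_group = None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            # Any top-level statement ends the tunnel-group sub-mode.
            current_group = None
            m = re.match(r"tunnel-group (\S+) general-attributes$", line)
            if m:
                current_group = m.group(1)
                continue
        m = re.match(r"dhcprelay server (\S+) (\S+)$", line)
        if m:
            facts["relay_servers"].append((m.group(1), m.group(2)))
            continue
        m = re.match(r"dhcprelay enable (\S+)$", line)
        if m:
            facts["relay_interfaces"].append(m.group(1))
            continue
        m = re.match(r"dhcpd enable (\S+)$", line)
        if m:
            facts["dhcpd_interfaces"].append(m.group(1))
            continue
        m = re.match(r"dhcpd address (\S+)-(\S+) (\S+)$", line)
        if m:
            facts["dhcpd_pools"].append((m.group(3), m.group(1), m.group(2)))
            continue
        # 'dhcp-server <ip>' only counts inside tunnel-group general-attributes.
        m = re.match(r"dhcp-server (\S+)", line)
        if m and current_group is not None:
            facts["vpn_dhcp_servers"].setdefault(current_group, []).append(m.group(1))
    return facts


def find_conflicts(facts):
    """Return the relay/server combinations the ASA refuses to run together."""
    relay_on = bool(facts["relay_servers"] or facts["relay_interfaces"])
    problems = []
    if relay_on and facts["vpn_dhcp_servers"]:
        groups = ", ".join(sorted(facts["vpn_dhcp_servers"]))
        problems.append("dhcprelay and VPN DHCP proxy (tunnel-group dhcp-server) "
                        f"cannot coexist; affected tunnel-groups: {groups}")
    if relay_on and facts["dhcpd_interfaces"]:
        ifaces = ", ".join(facts["dhcpd_interfaces"])
        problems.append("dhcprelay cannot be enabled while the DHCP server feature "
                        f"(dhcpd enable) is on: {ifaces}")
    return problems


def check_pool_sizes(facts, host_limit):
    """Compare each dhcpd pool against the ceiling for the licensed host limit."""
    ceiling = POOL_LIMITS[host_limit]
    results = []
    for iface, first, last in facts["dhcpd_pools"]:
        size = int(ipaddress.IPv4Address(last)) - int(ipaddress.IPv4Address(first)) + 1
        results.append((iface, size, ceiling, size <= ceiling))
    return results


if __name__ == "__main__":
    facts = parse_config(SAMPLE_CONFIG)
    for problem in find_conflicts(facts):
        print("CONFLICT:", problem)
    for iface, size, ceiling, ok in check_pool_sizes(facts, host_limit=10):
        state = "ok" if ok else "too large"
        print(f"pool on {iface}: {size} addresses, ceiling {ceiling}: {state}")
```

Run it against the output of `show running-config` saved to a file and it reports the sample config twice: the relay statements collide with the tunnel-group dhcp-server, and with `dhcpd enable inside`; the 91-address pool is fine on a 50-host or unlimited license but exceeds the 32-address ceiling on a 10-host one.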

Hi, thanks for the replies. I am running Security Plus, so I have unlimited protected IPs. I am not trying to run the DHCP server, I am trying to have the same DHCP server (a Linux box on the INSIDE interface) deliver IP addresses as a DHCP relay and for VPN clients. I am only able to do one or the other, but not both simultaneously. The scenario would be that this one server is configured to give IPs to VPN clients, and would also be listed as a DHCP relay for other VLANs. I also have to do a reload on the ASA when I switch from one to the other. For example, if I configure the ASA's tunnel-group to use the DHCP server instead of a local pool, it works fine. When I try to add this same server as a dhcp-relay, it will not work. If I want to use the dhcp-relay, I have to remove the configuration from the tunnel-group, reload, then add it as a dhcp-relay (which is how it is configured now). When I try to add the DHCP server back to the tunnel group by typing "dhcp-server x.x.x.x", it takes the command, and it shows up in the config, but I don't get an IP address. If I remove the dhcp-relay, then reload, it works. Basically, the problem is that I can do dhcp-relay or dhcp-server for the tunnel-group, but not both at the same time. I can post a config if it would help.
