Hi David,
I had just reviewed your SR# xxxxx4935. If I am right, then you are following the topology drawn below:
dhcp server -- router --> asa <--- vpn clients
The last update I see on the case is that the DHCP request is seen on the router going to the DHCP server. I am sure this must have been checked, that there is no rule on the router's interface facing the DHCP server network which might be denying the return traffic. I would like to know how many hops away the MS DHCP server is from the router, and did you get a chance to get the captures/sniffers as suggested? If yes, then can you post them here so that I can look into it further? Can you please make sure the DHCP server is correctly configured for the DHCP address assignment request coming from the ASA for VPN clients, and that the ASA is configured with the correct DHCP server IP address under the tunnel-group remote-access1 (though I am sure this must have been verified earlier during live troubleshooting, but just in case). Your configuration on the ASA is pretty straightforward.
Are you able to ping the DHCP server from the ASA? If not, then please make sure we have the relevant routes in place on the intermediate devices.
Command to ping from ASA
Ping LAN " DHCP server ip address"
I see the DHCP server IP address is public, and it is also configured as the aaa-server on the ASA. Can you please make sure there is no packet drop either due to translation for the DHCP (if any) or internal routing?
If you could, please post the output for "deb cry isa 200" and "deb cry ipse 200" when the client is configured for DHCP address assignment.
Awaiting your response on this so that we can proceed further on this and make sure things get in good shape for you soon.
Regards
M
Mohit Paul
CCIE-Security 35496
P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries