DHCP server debugging for VPN clients

lynne.meeks
Level 1

We're setting up DHCP against a central DHCP server for SSL VPN clients on our ASA running 8.2, and it's not working yet.

I've defined the DHCP server for the tunnel group to use and set the dhcp-network-scope for the group, which seems to be all that is needed.

Right now the issue is that I'm having trouble finding any debug commands that will give detailed information on what's going on with the DHCP requests.

The only DHCP-related debug commands seem to be:

   dhcpc                DHCP Client information
   dhcpd                DHCPD information, and
   dhcprelay            DHCP Relay information

I've tried the client and relay debugs, and all I see is that the client is not being offered a valid IP address: 0.0.0.0/0.0.0.0

The DHCP server does not see any requests from this ASA for the network defined in the dhcp-network-scope for the group, and we see nothing about the DHCP server in the debug output.

Any suggestions would be welcome.

Lynne


ajhaldiy
Level 1

Hello Lynne,

Hope you are doing well.

Could you please attach a show tech of the ASA in question along with the IP address of the DHCP server?

Could you also run Wireshark captures on the DHCP server? You may not see the request coming to the DHCP server from the IP address of the ASA.

The Discover packet that the ASA forwards to the DHCP server will have the ASA's interface IP address in the relay agent field, or giaddr.

Regards

Ashish

Thanks for the offer Ashish; I'd rather not post the entire show tech, but here's the tunnel-group and group-policy that we are trying to use DHCP with:

tunnel-group TestDHCP type remote-access
tunnel-group TestDHCP general-attributes
authentication-server-group UVM_LDAP
default-group-policy TestDHCP_Policy
dhcp-server x.y.201.21
tunnel-group TestDHCP webvpn-attributes
group-alias TestDHCP enable
group-url https://sslvpn.uvm.edu/TestDHCP enable
group-policy TestDHCP_Policy internal
group-policy TestDHCP_Policy attributes
dhcp-network-scope x.y.23.0

I don't have a Wireshark capture from the DHCP server, but I can tell you that it does not see any DHCP requests for the x.y.23.0 network.

When I've set up DHCP previously, the VPN client pool was in the same subnet as the inside of the VPN, which is not true in this case, so I wonder if the dhcp-network-scope is not working properly. Or have I missed setting something up?

Lynne

Hello Lynne,

Under "group-policy TestDHCP_Policy attributes", change the "dhcp-network-scope" to a specific IP address instead of a network.

For example, "x.x.23.1" in place of "x.x.23.0".

Regards


Ashish

Thanks Ashish for the suggestion.

Unfortunately that did not fix the problem.

Here's what I see in the DHCP debugs:

DHCP: Adding x.y.201.21 as DHCP server
DHCP: SDiscover attempt # 1 for entry:
DHCP: SDiscover unicast 356 bytes on interface 2
DHCP Unicast to x.y.201.21 from x.y.92.4
DHCP: SDiscover attempt # 2 for entry:
DHCP: SDiscover unicast 356 bytes on interface 2
DHCP Unicast to x.y.201.21 from x.y.92.4
DHCP: SDiscover attempt # 3 for entry:
DHCP: SDiscover unicast 356 bytes on interface 2
DHCP Unicast to x.y.201.21 from x.y.92.4
DHCP: SDiscover attempt # 4 for entry:
DHCP: SDiscover unicast 356 bytes on interface 2
DHCP Unicast to x.y.201.21 from x.y.92.4
%Unknown DHCP problem.. No allocation possible
DHCP: Removing route for x.y.23.1
DHCP: Removing rule -1181046848 for interface inside for addr x.y.23.1
DHCP Proxy command failed
UTL_ProcIpAddrQEvent DHCP Failed - trying local pool

It seems that the ASA is relaying the DHCP Discover packet that the client is sending.

In this case x.y.92.4 should be the IP address of the interface that is connected to the DHCP server.

The debugs show that the ASA is sending a unicast DHCP Discover packet, but there is no reply from the server.

If there is a router between the DHCP server and the ASA, it should have a route for the x.y.23.0 network pointing to the ASA.

Could you take Wireshark captures on the server? First we need to make sure that the Discover packets are reaching the server and that it is responding.

Regards

Ashish
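An added example, not from this thread and not Cisco code, to check the two points Ashish raises: decode a DHCP payload captured on the server (for example the UDP payload exported from Wireshark) to confirm the Discover arrived with giaddr set, and report which address the server's reply is unicast to, which is the address every router in the path must route back to the relay. The MAC, transaction id and addresses in the sample are constructed; 192.0.2.4 stands in for the ASA interface address.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed BOOTP header (RFC 2131) plus option 53 (message type)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    op, _htype, hlen, hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    # ciaddr, yiaddr, siaddr, giaddr occupy bytes 12..27 in that order
    addrs = [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(12, 28, 4)]
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:       # 255 = end option
        if payload[i] == 0:                              # 0 = pad
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype = opts.get(53, b"\x00")[0]
    return {"op": op, "hops": hops, "xid": xid, "chaddr": payload[28:28 + hlen].hex(":"),
            "ciaddr": addrs[0], "yiaddr": addrs[1], "siaddr": addrs[2], "giaddr": addrs[3],
            "type": MSG_TYPES.get(mtype, f"type{mtype}")}


def relay_diagnosis(payload: bytes) -> str:
    """Say where the server will send its reply; that address is what the routing check needs."""
    p = parse_dhcp(payload)
    if p["giaddr"] == "0.0.0.0":
        return f"{p['type']} xid={p['xid']:#x}: giaddr unset, client is on the server's own segment"
    return (f"{p['type']} xid={p['xid']:#x}: relayed, giaddr={p['giaddr']}; the server unicasts its "
            f"reply to {p['giaddr']}, so every router in the path must route that address to the relay")


def build_discover(xid: int, mac: bytes, giaddr: str) -> bytes:
    """Constructed sample: a DISCOVER as a relay would forward it (hops=1, giaddr set)."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 1, xid, 0, 0)
    hdr += bytes(12) + ipaddress.IPv4Address(giaddr).packed   # ciaddr/yiaddr/siaddr zero, giaddr set
    hdr += mac.ljust(16, b"\x00") + bytes(64) + bytes(128) + DHCP_MAGIC
    return hdr + bytes([53, 1, 1, 255])                        # option 53 = DISCOVER, then end


# Assumed sample values: 192.0.2.4 stands in for the relay (ASA) interface address
SAMPLE_DISCOVER = build_discover(0x3903F326, bytes.fromhex("001122334455"), "192.0.2.4")

if __name__ == "__main__":
    print(relay_diagnosis(SAMPLE_DISCOVER))
```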

Ashish,

Figured it out; there was a routing interface that was snatching the DHCP replies before they got to the ASA.

Turned down the routing interface and bingo!

Thanks so much for your help.

Lynne

I am glad to know that the issue is resolved.

Please rate all useful replies given by me and mark this thread as answered if everything is working fine.

Regards

Ashish.

Hmm, can't figure out how to mark the thread as answered...

You will see a button labelled "mark as answered".

You can also rate the useful replies.

Regards

Ashish
