Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

How to assign addresses using dhcp to vpn-clients?

Hi all!

I’m trying to configure DHCP for an IPSec VPN on an ASA5510 8.2(1), but just can’t get it to work.

On the same ASA5510, I have about 20 working IPSec peers, using either EasyVPN (with nem) or local pool addresses. The new tunnel -group I’m configuring is the first that must use DHCP because I’ll have to provide clients (IP Phones) with more information than just an address.

The server is used by other systems as well so I’m certain it’s working properly. In fact, ASA5510 uses it for radius which rules out any internal communication issues.


vpn-addr-assign dhcp

tunnel-group vpnphone general-attributes

default-group-policy vpnphone-policy

dhcp-server X.X.X.X

group-policy vpnphone-policy attributes



<132>:Mar 11 10:26:54 CEST: %ASA-ipaa-4-737019: IPAA: Unable to get address from group-policy or tunnel-group local pools

<132>:Mar 11 10:26:54 CEST: %ASA-ipaa-4-737012: IPAA: Address assignment failed

<131>:Mar 11 10:26:54 CEST: %ASA-vpn-3-713132: Group = vpnphone, Username = secpeph000, IP = X.X.X.X, Cannot obtain an IP address for remote peer

There’s no log at all on the DHCP server because ASA5510 is not even trying to use it.

Can anyone point me in the right direction on this one?



Everyone's tags (4)

Re: How to assign addresses using dhcp to vpn-clients?

Is your tunnel group an internal or external group?  

New Member

Re: How to assign addresses using dhcp to vpn-clients?

It’s an internal group.

Anyway, it seems like the problem solved itself a few minutes ago. There was an old unused dhcp-server in the configuration that used to be dhcp-relay target. When I removed the server definition, dhcp immediately began to work. This is obviously a bug.

Nevertheless, thank you for taking time looking into my problem.