Cisco Support Community
New Member

issues with DHCP proxy over VPN

Dear all,

We have a customer with a Cisco ASA; their remote users are using a DHCP server that is located locally on the subnet where they should arrive. We have also configured a local pool in case their pool does not respond.


The problem at the moment is that they are getting the pool on the Cisco ASA and not the one delivered by their DHCP. I had the customer check the DHCP server and it seems OK to them. Also, the address seems correct in the group policies. Now I'm thinking that maybe their DHCP server is not responding fast enough and that the ASA has a short timeout somewhere.


Does anyone know if that timeout (if there is any) can be configured on the Cisco ASA? I have requested the customer to disable "Conflict Detection" on the Windows DHCP server, because I'm thinking that the server will ping the address it will give before it gives it, and that could be a sign towards the ASA that it takes too long, so it takes an address from the local pool.





Yannick Vranckx


Hi,

Could you please confirm this is what you are looking for?

Remote Users LAN -----VPN Tunnel -----<ASA>----->DHCP Server (Customer LAN)


Remote users should get the DHCP address through the VPN tunnel? Is it a site-to-site tunnel?




New Member

The remote users should receive the DHCP from the local DHCP server. This is via DHCP proxy, if I'm not mistaken?


What we are seeing when users connect is that the customer DHCP is not responding, or not fast enough, and the remote users are getting an IP from the local pool. If I remove the local pool (in the ASA) then it will not connect.

This is a site-to-site tunnel, yes.

What do you mean by local DHCP server? Do you mean they have the local DHCP server at the remote end itself, or do they have the DHCP server at the other end?


Let's say site 1 and site 2: site 1 users should get the DHCP address from the site 2 DHCP server, that is your requirement, but instead they are getting DHCP from the site 1 ASA itself, right?


You need to have DHCP relay configured if you want to get DHCP via the VPN tunnel:


dhcprelay server <DHCP Server IP Address> outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60


and crypto ACLs pointing like the below.

Remote site end:

access-list crypto_acl extended permit ip host <asa outside ip> host <dhcp server ip>

access-list crypto_acl extended permit ip host <asa inside ip> host <dhcp server ip>


Hub Site end:

access-list crypto_acl extended permit ip host <dhcp server ip> host <asa outside ip>

access-list crypto_acl extended permit ip host <dhcp server ip> host <asa inside ip>
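The crypto ACLs in the reply above are laid out as mirror images of each other (source and destination swapped between the remote and hub ends). The following check is an added example, not part of the original thread or Cisco tooling: it parses the host-to-host entries from both ends and reports any entry that has no mirror on the peer. The function names and all addresses are assumptions constructed for illustration.

```python
import ipaddress
import re

# Matches only the ACE shape used in the post:
#   access-list <name> extended permit ip host <src> host <dst>
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip"
    r"\s+host\s+(\S+)\s+host\s+(\S+)\s*$"
)

def parse_crypto_acl(config_text, acl_name):
    """Return the set of (src, dst) host pairs found in the named ACL."""
    pairs = set()
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue  # other ACLs, other ACE shapes, blank lines
        # ip_address() rejects anything that is not a valid address
        src = str(ipaddress.ip_address(m.group(2)))
        dst = str(ipaddress.ip_address(m.group(3)))
        pairs.add((src, dst))
    return pairs

def mirror_mismatches(remote_cfg, hub_cfg, acl_name="crypto_acl"):
    """Report entries on one end that lack a swapped entry on the other."""
    remote = parse_crypto_acl(remote_cfg, acl_name)
    hub = parse_crypto_acl(hub_cfg, acl_name)
    return {
        # what the hub should carry to mirror the remote end, but does not
        "missing_on_hub": sorted({(d, s) for s, d in remote} - hub),
        # what the remote end should carry to mirror the hub, but does not
        "missing_on_remote": sorted({(d, s) for s, d in hub} - remote),
    }

# Constructed sample configs: 203.0.113.10 = ASA outside,
# 192.168.10.1 = ASA inside, 10.20.0.5 = DHCP server (all made up).
REMOTE_CFG = """
access-list crypto_acl extended permit ip host 203.0.113.10 host 10.20.0.5
access-list crypto_acl extended permit ip host 192.168.10.1 host 10.20.0.5
"""
HUB_CFG_OK = """
access-list crypto_acl extended permit ip host 10.20.0.5 host 203.0.113.10
access-list crypto_acl extended permit ip host 10.20.0.5 host 192.168.10.1
"""
# Hub end with the inside-interface entry left out
HUB_CFG_BAD = """
access-list crypto_acl extended permit ip host 10.20.0.5 host 203.0.113.10
"""

if __name__ == "__main__":
    print(mirror_mismatches(REMOTE_CFG, HUB_CFG_BAD))
```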



