Showing results for 
Search instead for 
Did you mean: 


Trouble with dhcpd on ASA 5506-x sub interface

I swear this sub interface used to give out addresses from this pool without issue. Something got wrecked though.

Here's the interface + sub interface config:

interface GigabitEthernet1/3
 description SonosDirectConnectionPort
 no nameif
 no security-level
 no ip address

interface GigabitEthernet1/3.103
 description VLAN103_Sonos
 vlan 103
 nameif insideSonos
 security-level 50
 ip address

Here's the pertinent dhcp config:

dhcpd address insideSonos
dhcpd dns isp.dns.1 isp.dns.2 interface insideSonos
dhcpd lease 604800 interface insideSonos
dhcpd enable insideSonos

Trial and error previously led me to think it was necessary to disable call-home to get dhcpd to work properly, not 100% convinced this is necessary now. Related to this had executed:

no service call-home
clear configure call-home

The physical port here will have a dumb switch wired-in so not 100% this NAT config is necessary either. Had configured:

object network Sonos

object network Sonos
 nat (insideSonos,outside) dynamic interface

Finally, had defined catch-all ACL for the interface via access-group:

access-list ForVLAN103 line 1 extended permit ip any any
access-group ForVLAN103 in interface insideSonos


Whether via link runner, client directly wired into port 1/3, or dumb switch wired into port 1/3 — clients do not get a DHCP address. tcpdump on wired-in client shows no inbound bootpc/DHCP frames whatsoever...despite the outbound discover frames from ==>

dhcpd state appears correct:

asa5506x# show dhcpd state
Context  Configured as DHCP Server
Interface insideSonos, Configured for DHCP SERVER

dhcp statistics are very uninteresting. dhcpd bindings...well there simply aren't any.

Necessary DHCP processes appear to be running on the ASA:

asa5506x# show processes | include dhcp
Mwe 0x000055e7be3f66a4 0x00007fa6569cadb8 0x000055e7c5bb4060         47 0x00007fa6569c3030 30896/32768 dhcp_daemon 223
asa5506x# show processes | include DHCP
Msi 0x000055e7be4193b2 0x00007fa6569d5e38 0x000055e7c5bb4060         14 0x00007fa6569ce030 31776/32768 DHCPRA Monitor 222
Mwe 0x000055e7be3f198c 0x00007fa6569e0ec8 0x000055e7c5bb4060          9 0x00007fa6569d9030 31872/32768 DHCPD Timer 221
Msi 0x000055e7be41ac85 0x00007fa65768ae98 0x000055e7c5bb4060          8 0x00007fa657683030 30128/32768 DHCP Network Scope Monitor 75

I think I'm executing a packet-tracer that should shed light on the behavior:

asa5506x(config)# packet-tracer input insideSonos udp bootpc 255.255.2$

Phase: 1
Subtype: Resolve Egress Interface
Result: ALLOW
Additional Information:
found next-hop using egress ifc  identity

Phase: 2
Result: DROP
Implicit Rule
Additional Information:

input-interface: insideSonos
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Please correct me if this syntax is not useful here.

Scratching my head.

Not sure why clients can't get an address.

What did I configure incorrectly?

Everyone's tags (3)
VIP Engager

Re: Trouble with dhcpd on ASA 5506-x sub interface

your configuration looks fine. it could be your dump switch is playing up. make sure the dump switch to firewall and from your pc to dump switch are in correct order (cabling etc).


what this command show you

show interface GigabitEthernet1/3
please do not forget to rate.

Re: Trouble with dhcpd on ASA 5506-x sub interface

Sheraz was on the right track. The dumb switch attached to 1/3 couldn't do VLAN tagging nor could any direct connected wired clients.


So I changed the config to drop VLAN103 and assign the IP directly to the 1/3 interface.


Everything working smoothly now.

VIP Engager

Re: Trouble with dhcpd on ASA 5506-x sub interface

kindly please mark this post answered.


Thank you.

please do not forget to rate.