AnyConnect and Windows DHCP Server

Good day everyone,


I am trying to setup AnyConnect 4.1 to use a Windows DHCP server, however I am not having any luck.  I have everything configured as the guides and other posts in these forums show, but my client does not receive an IP address.


I did a packet capture on the ASA and what I saw was repeated DHCP Discover packets (coming from the ASA) and DHCP Offer packets (coming from my DHCP server).  So it appears that for some reason the ASA is not forwarding the requests to the client (in the one capture I took, the DHCP server offered 4 different addresses).


I have the server configured correctly in the tunnel group and I believe I have the group policy correct as well (the option is set to which is my DHCP subnet).  In the packet capture, I see the DHCP Offers sent to as the relay agent.


I thought perhaps there was an access-list issue, so for the heck of it I allowed all bootpc and bootps traffic from the server through the firewall.  No luck.


I am not sure what exactly I am missing.  Note that if I use an internal pool on the ASA with the same subnet everything works great.


This is ASA 9.4.1 with ASDM 7.4.2.


Thanks in advance for any suggestions.

Abaji Rawool


You can apply capture on ASA interface facing the DHCP server and check if the server is responding to DHCP requests and also use "debug webvpn anyconnect 255" to check the errors if any.

To stop debugs, use "undebug all".





I did do a capture and found the following:


DHCP Discover being sent out from the ASA

DHCP Offer being sent back to the address configured under the group policy dhcp-network-scope option

And that is it...I never see anything else.  The above just keeps happening (the server offers 4 addresses before giving up).

From what I can tell, the client or the ASA is never accepting the address or receiving the offer.


Any ideas what might be causing that scenario?

Could you post the relevant config and exported captures in pcap here?



Realize this is an old issue, but you might want to set your DHCP subnet to a real IP; in your case you have you should change that to . For some reason ASA/Windows DHCP require a real IP address to work on the 9.x code.

Hope you figured it out. 

I get the same issue no matter what. I also allowed it through the firewall just to make sure...


%ASA-2-106006: Deny inbound UDP from to on interface INSIDE
%ASA-2-106006: Deny inbound UDP from to on interface INSIDE



I'm on 9.8.

Did you ever find a fix for this?

Nope, I gave up and just ended up doing a pool. When it did work it would just stop; very flaky feature in my opinion. I was using a context and there were loads of incompatible features.

Ah, okay! We are having the issue where the DHCP server sends an OFFER, but then nothing back from ASA and AnyConnect client never gets IP. Configured the dhcp-subnet under the group and the tunnel-group to use that subnet-RFC thing, but no go. Working with TAC now.



Did the TAC help you resolve the use of a MS DHCP server? I'm seeing the same thing you were. 

So the answer for me here was to use the route-lookup argument as the end of the NAT statement for the VPN clients. Ensure that is there and let me know if it works for you!

Realize this is an old thread, but I was struggling with this on an ASA migration (was using local pools on the old ASA and wanted to use MS DHCP on the new one).  The route-lookup at the end of the NAT statement for the AnyConnect traffic resolved the issue for me. Thanks for the fix.
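For readers landing here later, this is an added example (not config posted by anyone in the thread) of the three pieces the thread ends up pointing at: the tunnel-group pointing at the DHCP server, the group-policy dhcp-network-scope, and the identity NAT for VPN-client traffic ending in route-lookup. Object names, interface names and all addresses are placeholders.

```cisco
! Added example, not from the thread. All names/addresses are assumptions.
! Global setting: hand out AnyConnect client addresses via DHCP.
vpn-addr-assign dhcp
!
object network INSIDE-NET
 subnet 10.10.0.0 255.255.0.0
object network VPN-CLIENTS
 ! subnet the DHCP server leases to AnyConnect clients (placeholder)
 subnet 10.200.0.0 255.255.255.0
!
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 ! scope hint sent to the DHCP server (giaddr); the thread reports that on
 ! 9.x this needs to be a real, routable address rather than the bare subnet
 dhcp-network-scope 10.200.0.1
!
tunnel-group TG-ANYCONNECT type remote-access
tunnel-group TG-ANYCONNECT general-attributes
 ! Windows DHCP server on the inside network (placeholder address)
 dhcp-server 10.10.1.5
 default-group-policy GP-ANYCONNECT
!
! Identity (NAT-exempt) rule for inside <-> VPN-client traffic.
! The trailing route-lookup makes the ASA pick the egress interface from
! the routing table instead of the NAT rule, which is what the thread
! identifies as the fix for the DHCP OFFER never reaching the client.
nat (INSIDE,OUTSIDE) source static INSIDE-NET INSIDE-NET destination static VPN-CLIENTS VPN-CLIENTS no-proxy-arp route-lookup
```

After applying this, the capture on the inside interface should show the OFFER followed by the ASA's REQUEST and the server's ACK rather than repeated DISCOVER/OFFER pairs; if %ASA-2-106006 denies still appear, check the access-group on the interface facing the DHCP server.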
