When you say config what parts are you looking for, anything in specific? CLI or SS from FMC? 

Thanks

CLI of FMC 
and please share the topology, are the DHCP server connect directly to INside or there is L3 between DHCP server and FTD ?

Karsten,

I went through both a good and bad capture and discovered 3 items that need some more research.

1. Under the DHCP section and Relay agent IP it looks like this. "Relay agent IP address: 10.1.1.0 (10.1.1.0)" this is on the FTD that's having issues vs the good FTD doesn't have the extra IP inside the parenthesis (). 

2. Same scenario for source address under the IPv4 section bad FTD has "source address: 10.1.1.1 (10.1.1.1) and the good FTD doesn't have the extra IP inside the parenthesis again ()

3. I don't think this one matters, but I will post it anyways, as I do find it odd, but the mac addresses are the same. On the good FTD inside the Ethernet frame, the destination shows VMware_X:X:X (mac address), and the bad FTD cap shows destination to be the actual server name example DC1.test.local (mac address). I find this one odd because the name on the bad FTD cap is what I would expect to see on both captures. Since both Mac addresses are the same, I'm not overly concerned, but it must be something quirky within VM but I'm not a server guy. 

Yes I think this is issue here, 
the relay agent and IP address of DHCP packet source, 
but still I need to see the topology 

There are quite a few items between the FTD box and the actual DHCP server. This is our backup FTD at the backup datacenter, so it's going through FTD-Core Switch-WAN Rtr-through our WAN over to another WAN Rtr-L3 switch, and finally the DHCP server. Again, there is connectivity, and all my routing checks out, as I have double checked this. The client mac address inside the DHCP section is that of the inside interface of the FTD, just like it is on my good FTD, so I don't believe this is any kind of routing issue.  HTH 

you need IP helper in L3SW receive the DHCP discover message from FTD 
also are you config DHCP-scope ??
for more info. please check this link

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215854-configure-anyconnect-vpn-client-on-ftd.html

I will look the doc over but remember everything was already working prior to my upgrade as I've already made all the necessary steps for DHCP to flow through the network and back to the FTD. The one thing I have not tried which I'm doing now is blow away all DHCP settings on my AnyConnect profile on the FMC and rebuild those. I will let you know if that does anything. 

DHCP scope needed. add it and I hope this solve your issue. 

That did nothing. I will blow away the entire profile once and setup from scratch over the weekend and report back if I don't resolve it before then. 

I just tried to replicate the Issue on my FTD but it directly worked. This is the config that I ended up with:

tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool POOL-56-32
 authentication-server-group ISE
 accounting-server-group ISE
 dhcp-server 10.255.192.101
 dhcp-server 10.255.192.102

 I still have a pool in my tunnel-group, but the Client IP didn't came from this pool, it's from my DHCP server.

group-policy DfltGrpPolicy attributes
 dhcp-network-scope 10.255.56.41

 My session shows an IP of 10.255.56.41 which is the one I see as a lease in the Windows 2019 DHCP-server:

SSL-Tunnel:
  Tunnel ID    : 16.2
  Assigned IP  : 10.255.56.41           Public IP    : 81.62.223.179
  Encryption   : AES-GCM-128            Hashing      : SHA256
  Ciphersuite  : TLS_AES_128_GCM_SHA256
  Encapsulation: TLSv1.3                TCP Src Port : 52465
  TCP Dst Port : 444                    Auth Mode    : userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 22 Minutes
  Client OS    : Mac OS X
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Mac OS X 5.0.01242
  Bytes Tx     : 6780                   Bytes Rx     : 0
  Pkts Tx      : 1                      Pkts Rx      : 0
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0

 What is different ... I am running FTD 7.3 because I wanted to have TLS1.3 support and not version 7.2.x.

Thank you for that. If rebuilding the profile doesn't help, I will jump to 7.3, but I typically don't like to be on the latest software. I did discover that the information in my discover packet inside the () is normal because I had name resolution enabled. I was looking at the pcaps on separate PCs, so when comparing them on the instance of Wireshark that I captured them, both are exactly the same.

The IP Helper is not needed here, the FTD is the Relay-Agent.