already done.

ciscoasa# sh run all vpn-addr-assign
no vpn-addr-assign aaa
vpn-addr-assign dhcp
no vpn-addr-assign local

but still not working. error message as below

%ASA-7-737001: IPAA: Received message 'UTL_IP_[IKE_]ADDR_REQ'
%ASA-5-737018: IPAA: DHCP request attempt 1 failed
%ASA-5-737003: IPAA: DHCP configured, no viable servers found for tunnel-group 'GoldCoinVPN'
%ASA-4-737012: IPAA: Address assignment failed
%ASA-7-715042: Group = GoldCoinVPN, Username = test, IP = 120.138.83.233, IKE received response of type [] to a request from the IP address utility
%ASA-3-713132: Group = GoldCoinVPN, Username = test, IP = 120.138.83.233, Cannot obtain an IP address for remote peer

Seems like you are trying to connect from "GoldCoinVPN" tunnel-group, however, your DHCP is configured under "test" tunnel-group.

sorry, test tunnel-group was just my simulation only.

my production configuration is as below.

tunnel-group GoldCoinVPN type remote-access
tunnel-group GoldCoinVPN general-attributes
default-group-policy GoldCoinVPN
dhcp-server 10.1.1.200
tunnel-group GoldCoinVPN ipsec-attributes
pre-shared-key *

group-policy GoldCoinVPN internal
group-policy GoldCoinVPN attributes
dhcp-network-scope 192.168.135.0
ipsec-udp enable
ipsec-udp-port 10000

i was trying to configure the dhcprelay, but seems not working also.

Thanks, please also confirm that there is DHCP scope of 192.168.135.0 configured on the DHCP server.

below is my dhcp configuration.

I have similar problem. Not solved so far...

vpn-addr-assign dhcp
no vpn-addr-assign aaa
no vpn-addr-assign local

group-policy test-group internal
group-policy test-group attributes
dhcp-network-scope 192.168.100.0

tunnel-group test type remote-access
tunnel-group test general-attributes
authentication-server-group vpn
default-group-policy test-group
dhcp-server 192.168.0.2
tunnel-group test ipsec-attributes
pre-shared-key *

When debugging, I get the followin message

%ASA-7-737001: IPAA: Received message 'UTL_IP_[IKE_]ADDR_REQ'
%ASA-6-737017: IPAA: DHCP request attempt 1 succeeded
%ASA-6-737005: IPAA: DHCP configured, request succeeded for tunnel-group 'test'
%ASA-6-302016: Teardown UDP connection 127 for outside:XX.XX.XX.103/3044 to identity:XX.XX.XX.104/500 duration 0:02:20 bytes 2283
%ASA-7-737001: IPAA: Received message 'UTL_IP_DHCP_INVALID_ADDR'

On the switch 192.168.0.2, I have the following config

ip dhcp pool VPN-test
   network 192.168.100.0 255.255.255.0
   dns-server 10.1.1.1 10.1.1.2
   domain-name vpn.ca

And it assigns addresses when requested, but the ASA does not accept them...

Switch#sh ip dhcp binding
IP address       Client-ID/              Lease expiration        Type
                 Hardware address
192.168.100.5    00FF.FFFF.0000.0038.    May 10 2010 02:57 PM    Automatic

Hi wbarboza,

i'm not really understand. can i say that,

1.) when you configure dhcp-server setting in your asa and your dhcp-server actually is a cisco switches, then your vpn client able to get the ip address?

2.) when you configure dhcp-server setting in your asa and your dhcp-server acutally is a DHCP server, then is not working?

because i found that your case is abit different from mine, because your debug is showing your dhcp-server is found and attempt successfully.

%ASA-6-737017: IPAA: DHCP request attempt 1 succeeded

but mine is, DHCP-Server is not viable. even i try to turn on the Wireshark in the DHCP-Server, i found no any dhcp request msg to the server also. i'm suspecting the dhcp-server setting is not really function or bugs might be (but i haven't log the TAC case yet). just used ip local address pool as alternative solution.

1) The ASA does NOT forward the IP address received from the switch to the VPN Client. It requests successfully, but it does NOT receive successfull.

2) That's it, it is NOT working so far...

hi wbarboza,

Have you ever tried configure ip-local pool in the asa. btw it should work. i'm just quite wondering how come your dhcp-server attempt is successful. is it possible you to post your full config?

The problem was a lack of a route to the IP address configured in the DHCP range back to the ASA. In spite of the fact that the switch was directly configured, the default gateway was not the ASA, as it used to redistribute the routes over EIGRP.

When I put a static route in the switch pointing to the ASA, it worked right away...

ip route 192.168.100.0 255.255.255.0 192.168.0.1

In my case, the inside IP address was 192.168.0.1/24 and the scope address was 192.168.100.0/24

It's working after adding the static route in the core switch pointing to the ASA and

issue this command no vpn-addr-assign local to force the ASA to get the IP address from the DHCP server.

Make sure vpn-addr-assign dhcp is enable.

I am currently testing this using my iPhone but get the same result when I use the Cisco VPN client on my laptop. Attached is the full syslog copy of my connection attempt.