02-21-2014 04:36 AM - edited 07-05-2021 12:15 AM
I have a new wireless network with a foreign and anchor controller. The anchor sits in a DMZ behind a PIX firewall that has a NAT for my management interface for connectivity to the Internet. I want to use an external DHCP server for guest traffic and my OEAP connections coming in from the anchor controller that will connect to my foreign controller. I have mobility established between the two controllers, the WLANs are identical, and my OEAPs are connected to the anchor controller.
My problem is that when the guest clients connect they are not getting an IP address, but I do see them getting on the anchor controller, and debugs show they cannot get an IP. If I remove the mobility anchor from my guest WLAN I do get an IP. I have proxy enabled and have tried it with and without proxy. I'm guessing that since the PIX is not relaying my DHCP proxy and is dropping the packets, I need a firewall rule of sorts, but I wanted to get advice from those who have experienced this before.
If I do need a firewall rule, will it be to allow DHCP between the two controller management interfaces, or between the anchor and the DHCP servers?
Thanks in advance for your help.
Solved! Go to Solution.
02-21-2014 06:19 AM
So on the anchor you have the guest mapped to the management VLAN. Is the DHCP scope on that VLAN? I would try to get the anchor WLC to hand out DHCP before trying to get the PIX to do DHCP. If the anchor WLC management is on the same subnet as what is defined for the guest on the PIX, you don't need an IP helper. When using the WLC as a DHCP server, DHCP proxy needs to be enabled. DHCP proxy can still be enabled if not using the WLC as a DHCP server, but there are some DHCP servers that do not like DHCP to be proxied.
Sent from Cisco Technical Support iPhone App
02-24-2014 07:15 AM
Bret,
An IP helper isn't required when you are tunneling the guest traffic to the anchor WLC. A guest client associates to an SSID from an AP that is joined to the foreign WLC. The foreign WLC then tunnels that traffic back to the guest anchor WLC, and the guest WLC is the one that either hands out DHCP or forwards the DHCP request to the DHCP server.
The guest anchor is in the DMZ, correct? Because if you set an IP helper on the internal network to point to the DMZ, it seems like the user is not being tunneled properly.
Thanks,
Scott
*****Help out others by using the rating system and marking answered questions as "Answered"*****
02-21-2014 04:41 AM
Make sure you have disabled DHCP proxy in the anchor WLC. That should fix the DHCP issue you are having. The PIX/ASA doesn't like DHCP being proxied.
Sent from Cisco Technical Support iPhone App
02-21-2014 04:44 AM
How you can test that DHCP works is to use the anchor WLC as the DHCP server and enable DHCP proxy. If the clients get an IP address, then you know that everything is configured properly on the wireless side. Then disable the DHCP server on the anchor WLC and disable DHCP proxy and it should work. If it doesn't, then the PIX is the issue.
Sent from Cisco Technical Support iPhone App
02-21-2014 04:56 AM
I'm glad you chimed in, Scott; it's nice having a VIP help out :-).
I tried DHCP on the WLC; here's my debug.
(Cisco Controller) >*mmListen: Feb 21 07:54:55.939: 90:18:7c:96:bd:1d Adding mobile on Remote AP 00:00:00:00:00:00(0)
*mmListen: Feb 21 07:54:55.939: 90:18:7c:96:bd:1d Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0
*mmListen: Feb 21 07:54:55.939: 90:18:7c:96:bd:1d Re-applying interface policy for client
*mmListen: Feb 21 07:54:55.939: 90:18:7c:96:bd:1d 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2202)
*mmListen: Feb 21 07:54:55.939: 90:18:7c:96:bd:1d 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2223)
*mmListen: Feb 21 07:54:55.940: 90:18:7c:96:bd:1d apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*mmListen: Feb 21 07:54:55.940: 90:18:7c:96:bd:1d Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0
*mmListen: Feb 21 07:54:55.940: 90:18:7c:96:bd:1d Re-applying interface policy for client
*mmListen: Feb 21 07:54:55.940: 90:18:7c:96:bd:1d 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2202)
*mmListen: Feb 21 07:54:55.940: 90:18:7c:96:bd:1d 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2223)
*mmListen: Feb 21 07:54:55.940: 90:18:7c:96:bd:1d 0.0.0.0 START (0) Initializing policy
*mmListen: Feb 21 07:54:55.940: 90:18:7c:96:bd:1d 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*mmListen: Feb 21 07:54:55.940: 90:18:7c:96:bd:1d 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
*mmListen: Feb 21 07:54:55.940: 90:18:7c:96:bd:1d 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*mmListen: Feb 21 07:54:55.940: 90:18:7c:96:bd:1d Resetting web IPv4 acl from 255 to 255
*mmListen: Feb 21 07:54:55.940: 90:18:7c:96:bd:1d Resetting web IPv4 Flex acl from 65535 to 65535
*mmListen: Feb 21 07:54:55.940: 90:18:7c:96:bd:1d Stopping deletion of Mobile Station: (callerId: 53)
*mmListen: Feb 21 07:54:55.940: 90:18:7c:96:bd:1d 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpAnchor, client state=APF_MS_STATE_ASSOCIATED
*mmListen: Feb 21 07:54:55.940: 90:18:7c:96:bd:1d 0.0.0.0 DHCP_REQD (7) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*mmListen: Feb 21 07:54:55.940: 90:18:7c:96:bd:1d 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 5752, Adding TMP rule
*mmListen: Feb 21 07:54:55.940: 90:18:7c:96:bd:1d 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
type = Airespace AP - Learn IP address
on AP 00:00:00:00:00:00, slot 0, interface = 13, QOS = 0
IPv4 ACL ID = 255, IP
*mmListen: Feb 21 07:54:55.940: 90:18:7c:96:bd:1d 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206 Local Bridging Vlan = 0, Local Bridging intf id = 0
*mmListen: Feb 21 07:54:55.941: 90:18:7c:96:bd:1d 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*pemReceiveTask: Feb 21 07:54:55.941: 90:18:7c:96:bd:1d Set bi-dir guest tunnel for 90:18:7c:96:bd:1d as in Export Anchor role
*pemReceiveTask: Feb 21 07:54:55.941: 90:18:7c:96:bd:1d 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x4
*pemReceiveTask: Feb 21 07:54:55.941: 90:18:7c:96:bd:1d Sent an XID frame
02-21-2014 05:05 AM
Bret,
So to get this straight, even with the anchor WLC doing DHCP, with DHCP proxy enabled, the user doesn't get an IP address?
If this is the case, it seems like it may be a configuration issue. Make sure that the foreign and guest anchor WLC WLAN configuration is exactly the same. Double check this!!! The only difference might be the interface used. Make sure that the foreign WLC WLAN is anchored to the anchor WLC and that the anchor WLC guest SSID is anchored to itself.
Sent from Cisco Technical Support iPhone App
02-21-2014 05:52 AM
First, thanks for helping out, Scott. Yes, with the anchor doing DHCP and proxy enabled, no IP, which leads me to think it is a firewall issue. I don't think I am allowing DNS through the firewall for the controller; will this prevent me from getting an IP?
From the CLI I did a show wlan 4 on both the anchor and foreign controller; the configs are identical.
I have tried removing DHCP proxy from the foreign controller and enabling it on the anchor, then with both enabled, and still no IP.
I have the helper configured on the management interface of the anchor and foreign, with the scope created on the anchor and enabled. I tried the NAT as the helper and still no IP.
Unfortunately, the controllers are at my remote data center, so I can't do any further troubleshooting.
Anchor:
Mobility Anchor List
WLAN ID IP Address Status
------- --------------- ------
4 192.168.95.7 Up
Enabled.......................................... Yes
Lease Time....................................... 86400 (1 day )
Pool Start....................................... 10.254.4.50
Pool End......................................... 10.254.5.254
Network.......................................... 10.254.4.0
Netmask.......................................... 255.255.254.0
Default Routers.................................. 10.254.4.1 0.0.0.0 0.0.0.0
DNS Domain.......................................
DNS.............................................. 0.0.0.0 0.0.0.0 0.0.0.0
Netbios Name Servers............................. 0.0.0.0 0.0.0.0 0.0.0.0
Pool Usage....................................... 0%
Foreign:
Mobility Anchor List
WLAN ID IP Address Status
------- --------------- ------
4 192.168.95.7 Up
02-21-2014 05:58 AM
Bret,
Can you post the show wlan?
Thanks,
Scott
*****Help out others by using the rating system and marking answered questions as "Answered"*****
02-21-2014 06:19 AM
Anchor:
(Cisco Controller) >show wlan 4
WLAN Identifier.................................. 4
Profile Name..................................... Guest-Wireless
Network Name (SSID)..............................
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 12 hours
User Idle Threshold.............................. 0 Bytes
NAS-identifier...................................
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
PMIPv6 Mobility Type............................. none
PMIPv6 MAG Profile........................... Unconfigured
PMIPv6 Default Realm......................... Unconfigured
PMIPv6 NAI Type.............................. Hexadecimal
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Disabled
Accounting.................................... Disabled
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
WAPI.......................................... Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Enabled
IPv4 ACL........................................ Unconfigured
IPv6 ACL........................................ Unconfigured
Web-Auth Flex ACL............................... Unconfigured
Web Authentication server precedence:
1............................................... local
2............................................... radius
3............................................... ldap
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Enabled
FlexConnect Local Switching................... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional but inactive (WPA2 not configured)
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Not Applicable
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Split Tunnel (Printers).......................... Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Mobility Anchor List
WLAN ID IP Address Status
------- --------------- ------
4 192.168.95.7 Up
802.11u........................................ Disabled
MSAP Services.................................. Disabled
Local Policy
----------------
Priority Policy Name
-------- ---------------
Foreign:
(Cisco Controller) >show wlan 4
WLAN Identifier.................................. 4
Profile Name..................................... Guest-Wireless
Network Name (SSID)..............................
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 12 hours
User Idle Threshold.............................. 0 Bytes
NAS-identifier...................................
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
PMIPv6 Mobility Type............................. none
PMIPv6 MAG Profile........................... Unconfigured
PMIPv6 Default Realm......................... Unconfigured
PMIPv6 NAI Type.............................. Hexadecimal
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Disabled
Accounting.................................... Disabled
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
WAPI.......................................... Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Enabled
IPv4 ACL........................................ Unconfigured
IPv6 ACL........................................ Unconfigured
Web-Auth Flex ACL............................... Unconfigured
Web Authentication server precedence:
1............................................... local
2............................................... radius
3............................................... ldap
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Enabled
FlexConnect Local Switching................... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional but inactive (WPA2 not configured)
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Not Applicable
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Split Tunnel (Printers).......................... Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Mobility Anchor List
WLAN ID IP Address Status
------- --------------- ------
4 192.168.95.7 Up
802.11u........................................ Disabled
MSAP Services.................................. Disabled
Local Policy
----------------
Priority Policy Name
-------- ---------------
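As an added example (not code from the thread or from Cisco), a small Python script that parses the dotted-leader format of the two `show wlan 4` dumps above and lists the settings that differ between the foreign and anchor controllers, treating the interface mapping as the one field that is expected to differ. The embedded excerpts are constructed from the outputs posted in this thread.

```python
"""Compare two Cisco WLC 'show wlan <id>' dumps setting by setting.

Added example, not code from the thread or from Cisco. The interface
mapping may legitimately differ across a mobility pair, so it is reported
separately and cannot hide a real mismatch.
"""
import re
from typing import Dict, List, Tuple

# Two or more consecutive leader dots separate key from value, so dotted
# IPs such as 192.168.95.7 inside a value are never mistaken for leaders.
_FIELD_RE = re.compile(r"^\s*(?P<key>\S.*?)\s*\.{2,}\s*(?P<value>.*?)\s*$")
# Rows of the 'Mobility Anchor List' table: '<wlan id> <anchor ip> <status>'.
_ANCHOR_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s*$")
# Settings that are allowed to differ between the foreign and anchor WLC.
EXPECTED_TO_DIFFER = {"Interface"}

Diff = Tuple[str, str, str]  # (setting, foreign value, anchor value)


def parse_show_wlan(text: str) -> Dict[str, str]:
    """Return {setting: value}. Indentation is cosmetic and ignored; a key
    that repeats (the 'DHCP' rows under Radius and Local profiling) gets a
    '#2', '#3' suffix so every occurrence is compared."""
    fields: Dict[str, str] = {}
    seen: Dict[str, int] = {}
    for line in text.splitlines():
        if line.lstrip().startswith("(Cisco Controller)"):
            continue  # CLI prompt echoing the command, not a setting
        m = _ANCHOR_RE.match(line)
        if m:
            fields[f"Mobility Anchor WLAN {m.group(1)}"] = f"{m.group(2)} {m.group(3)}"
            continue
        m = _FIELD_RE.match(line)
        if not m:
            continue  # section headers and table rulers carry no value
        key = m.group("key").rstrip(":")
        n = seen[key] = seen.get(key, 0) + 1
        fields[key if n == 1 else f"{key}#{n}"] = m.group("value")
    return fields


def compare_wlans(foreign: Dict[str, str],
                  anchor: Dict[str, str]) -> Tuple[List[Diff], List[Diff]]:
    """Split differences into (must be fixed, expected across the pair)."""
    unexpected: List[Diff] = []
    expected: List[Diff] = []
    for key in sorted(set(foreign) | set(anchor)):
        f, a = foreign.get(key, "<absent>"), anchor.get(key, "<absent>")
        if f != a:
            (expected if key in EXPECTED_TO_DIFFER else unexpected).append((key, f, a))
    return unexpected, expected


# Constructed excerpt of the anchor's 'show wlan 4' dump posted in the thread.
ANCHOR_DUMP = """\
(Cisco Controller) >show wlan 4
WLAN Identifier.................................. 4
Network Name (SSID)..............................
Interface........................................ management
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
  Radius Profiling ............................ Disabled
    DHCP ....................................... Disabled
  Local Profiling ............................. Disabled
    DHCP ....................................... Disabled
   Web Based Authentication...................... Enabled
Mobility Anchor List
WLAN ID IP Address Status
------- --------------- ------
4 192.168.95.7 Up
"""
# The foreign dump in the thread differed only in its blank interface field.
FOREIGN_DUMP = ANCHOR_DUMP.replace(
    "Interface........................................ management",
    "Interface........................................")

if __name__ == "__main__":
    mismatches, expected = compare_wlans(parse_show_wlan(FOREIGN_DUMP),
                                         parse_show_wlan(ANCHOR_DUMP))
    for label, diffs in (("MISMATCH", mismatches), ("expected", expected)):
        for key, f, a in diffs:
            print(f"{label:9} {key}: foreign={f!r} anchor={a!r}")
```

Run against the full dumps, an empty MISMATCH list confirms the "configs are identical" claim and points the investigation at the firewall path instead.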
02-21-2014 06:57 AM
Thanks again for all your help Scott!
I do have the guest mapped to the management VLAN and DHCP configured appropriately. I'm sure it's going to be something stupid, and after hours of troubleshooting I'll be kicking myself. I have a ticket open, but as of late the tech support has not been the best; that's why I tried the support forums. They're really good at sending links you've already read.
I don't want to have the PIX do DHCP but use an internal DHCP server on my network. That is the end goal.
02-21-2014 07:00 AM
You would then need to open FW rules to allow DHCP for the guest DMZ network. When you create a DHCP scope on the guest anchor, the scope is for the management network that the WLC is on, correct?
Sent from Cisco Technical Support iPhone App
02-21-2014 07:10 AM
The DHCP scope is for the management network that the WLC is on. I think I will try a dynamic interface and see what happens.
02-21-2014 07:19 AM
That shouldn't make a difference. If you map the WLAN to the management interface, the user, once anchored to the anchor WLC, should get an IP address.
Thanks,
Scott
*****Help out others by using the rating system and marking answered questions as "Answered"*****
02-21-2014 10:42 AM
Bret,
On the DMZ controller, did you anchor the guest WLAN to itself?
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________
"I'm like bacon, I make your wireless better"
02-24-2014 03:47 AM
George, thanks for stepping into the discussion. Yes, I did anchor the guest WLAN to itself. I really have tried everything, so I'm leaning towards a PIX issue. I have a TAC case open and will work with them today, so I have a third set of eyes checking it out, since Scott has helped me out extensively already. If there is something from a config perspective, hopefully TAC finds it. If not, I have a firewall change going in and that may do it. The firewall is managed by a third party, so I have very limited visibility in troubleshooting.
On our PIX I am doing something like this, and I don't claim to be a PIX expert; does it look right?
name <server-ip> <dhcp-server-name>
name <server-ip> <dhcp-server-name>
object-group network DHCP-Servers
 network-object host <dhcp-server-name>
 network-object host <dhcp-server-name>
access-list 197 permit udp host dmz-controller eq 67 object-group DHCP-Servers eq 67