I have a hub site with a Cisco 2811 and several remote sites, running a mixture of Cisco 851 and 871 routers configured for site-to-site VPN. I am in the process of adding DHCP scopes and DNS zones for the remote computers to enable easier management, and have several of these sites successfully pulling IP addresses and registering in DNS at the central site. Here's a sample of the spoke config from a working site, which I copied to another site (10.30.1.1):
interface Vlan1
 description Site 302
 ip address 10.30.2.1 255.255.255.0
 ip helper-address 172.16.0.1
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
And here's the UDP packet debug from the non-working site, 10.30.1.1, which has an identical configuration (hardware and software; both are Cisco 870s running c870-advipservicesk9-mz.124-15.T7). As you can see, the router is correctly packing up the broadcast from a CPU sending a DHCP broadcast and sending it on to the helper address.
000150: .Nov 16 20:50:33.752: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=308
000151: .Nov 16 20:50:33.752: UDP: sent src=10.30.1.1(67), dst=172.16.0.1(67), length=308
000152: .Nov 16 20:50:38.862: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=263
000153: .Nov 16 20:50:38.866: UDP: sent src=10.30.1.1(67), dst=172.16.0.1(67), length=263
000154: .Nov 16 20:50:49.683: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=308
000155: .Nov 16 20:50:49.683: UDP: sent src=10.30.1.1(67), dst=172.16.0.1(67), length=308
But at this site, the helper address never replies, or the replies never get through. I have not yet put a monitor on the DHCP server, as I'm out at the spoke site; that's the next step. But all the access-lists are the same, and what's more, communication to the DHCP server, say, via remote desktop, works flawlessly. Database connections to servers at the central site are fine. Every form of communication works, TCP or UDP, except DHCP queries.
So, what have I missed? The DHCP server is a Windows 2008 server and has several scopes on it already. Is there a limit to the total number of scopes allowed? I didn't think so.
Obviously the scope is activated. The addresses match. The same DHCP server is happily serving addresses to all the other remote sites.
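The `debug ip udp` lines above show the relay half of the exchange but nothing coming back from the helper. The following script is an added example, not code from the original post: it parses lines in that debug format and pairs each request relayed to the helper with a reply from the helper seen within a short window, so a run of "unanswered" relays stands out immediately. The debug lines are copied from the question; the two extra lines in the "healthy" sample are constructed to show what an answered request would look like and are not output the asker captured.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample copied from the question's `debug ip udp` output: three
# DHCP broadcasts received on Vlan1 and relayed to the helper 172.16.0.1.
DEBUG_NO_REPLY = """\
000150: .Nov 16 20:50:33.752: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=308
000151: .Nov 16 20:50:33.752: UDP: sent src=10.30.1.1(67), dst=172.16.0.1(67), length=308
000152: .Nov 16 20:50:38.862: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=263
000153: .Nov 16 20:50:38.866: UDP: sent src=10.30.1.1(67), dst=172.16.0.1(67), length=263
000154: .Nov 16 20:50:49.683: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=308
000155: .Nov 16 20:50:49.683: UDP: sent src=10.30.1.1(67), dst=172.16.0.1(67), length=308
"""

# Constructed sample of a healthy exchange: the offer coming back from the
# helper to the relay and then being forwarded toward the client subnet.
DEBUG_WITH_REPLY = DEBUG_NO_REPLY + """\
000156: .Nov 16 20:50:49.690: UDP: rcvd src=172.16.0.1(67), dst=10.30.1.1(67), length=300
000157: .Nov 16 20:50:49.690: UDP: sent src=10.30.1.1(67), dst=255.255.255.255(68), length=300
"""

# One `debug ip udp` line: sequence number, timestamp, direction, 4-tuple, length.
LINE_RE = re.compile(
    r"^\d+: \.?(?P<ts>[A-Za-z]{3} +\d+ \d{2}:\d{2}:\d{2}\.\d+): UDP: (?P<dir>rcvd|sent) "
    r"src=(?P<src>[\d.]+)\((?P<sport>\d+)\), dst=(?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"length=(?P<len>\d+)$"
)


@dataclass
class UdpEvent:
    ts: datetime
    direction: str   # "rcvd" or "sent"
    src: str
    sport: int
    dst: str
    dport: int
    length: int


def parse_debug(text, year=1970):
    """Parse `debug ip udp` output into UdpEvent records; non-matching lines are skipped.
    IOS timestamps carry no year, so a caller-supplied year is prepended."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        events.append(UdpEvent(ts, m["dir"], m["src"], int(m["sport"]),
                               m["dst"], int(m["dport"]), int(m["len"])))
    return events


def summarize_relay(events, helper, window=5.0):
    """Pair each request relayed to helper:67 with a reply from helper:67 seen
    within `window` seconds; returns counts that can drive an alert."""
    requests = [e for e in events
                if e.direction == "sent" and e.dst == helper and e.dport == 67]
    replies = [e for e in events
               if e.direction == "rcvd" and e.src == helper and e.sport == 67]
    answered = sum(
        1 for q in requests
        if any(0 <= (r.ts - q.ts).total_seconds() <= window for r in replies)
    )
    return {"relayed": len(requests), "answered": answered,
            "unanswered": len(requests) - answered}


if __name__ == "__main__":
    for name, sample in (("broken site", DEBUG_NO_REPLY), ("healthy site", DEBUG_WITH_REPLY)):
        print(name, summarize_relay(parse_debug(sample), "172.16.0.1"))
```

Run against the question's capture the summary reports three relayed requests and zero answered, which is exactly the symptom described: the relay is doing its job, and the next place to look is the path the server's reply takes back to the relay.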
Double-check your scope on the DHCP server; it almost sounds like DHCP is not seeing a valid scope definition for this subnet. Make sure your router address is correct in the scope options.
Try removing the scope and re-adding it from scratch to see if you may have something entered incorrectly that you're not seeing.
I have exactly the same scenario and have located the problem, but don't have a solution :-(
The unicast DHCP request is created before the NAT takes place, and the IP address of the inside interface is included in the request as part of the data field as well as being the IP source address. The IP source address gets NATed on the outside interface, and so the packet looks fine.
The problem comes when the DHCP server tries to respond to the request. Everything works fine in DHCP except it sends the reply to the address it finds in the DHCP request (i.e. the inside interface) and not the IP source address of the packet it received.
I hope this helps to find a solution as I too am still unable to work it out...
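The behaviour this answer describes is the relay-agent rule from RFC 2131: a relay writes its own interface address into the giaddr field, and a server sends its reply to giaddr on port 67 rather than to the IP source it saw. The following is an added example, not code from the thread; it builds a constructed relayed DHCPDISCOVER, decodes the fields a server uses to route its reply, and reports whether that reply address is reachable from the server side given a supplied list of routable prefixes. The NAT outside address 203.0.113.5 and the routable prefixes are assumptions used only to illustrate the mismatch.

```python
import struct
import ipaddress

# RFC 2131 fixed header (236 bytes): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128).
DHCP_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST = 1
OPT_MSG_TYPE, DHCPDISCOVER, OPT_END = 53, 1, 255


def build_relayed_discover(giaddr, xid=0x3903F326,
                           mac=bytes.fromhex("001122334455"), hops=1):
    """Constructed DHCPDISCOVER as a relay agent forwards it: giaddr set to the
    relay's interface address and hops incremented (client fields otherwise zero)."""
    fixed = DHCP_HDR.pack(
        BOOTREQUEST, 1, 6, hops, xid, 0, 0x8000,   # htype=ethernet, broadcast flag set
        b"\0" * 4, b"\0" * 4, b"\0" * 4,           # ciaddr, yiaddr, siaddr
        ipaddress.IPv4Address(giaddr).packed,
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])
    return fixed + MAGIC_COOKIE + options


def decode_relay_fields(payload):
    """Return the fields a server consults when deciding where to send its reply."""
    if len(payload) < DHCP_HDR.size + 4 or \
            payload[DHCP_HDR.size:DHCP_HDR.size + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    (op, _htype, hlen, hops, xid, _secs, flags, _ciaddr, _yiaddr, _siaddr,
     giaddr, chaddr, _sname, _file) = DHCP_HDR.unpack_from(payload)
    return {"op": op, "hops": hops, "xid": xid, "flags": flags,
            "giaddr": str(ipaddress.IPv4Address(giaddr)),
            "chaddr": chaddr[:hlen].hex(":")}


def reply_destination(ip_src_seen_by_server, payload):
    """RFC 2131 section 4.1: with a non-zero giaddr the server replies to
    giaddr port 67, whatever the IP source address of the request was."""
    fields = decode_relay_fields(payload)
    if fields["giaddr"] != "0.0.0.0":
        return (fields["giaddr"], 67)
    # No relay involved: the reply goes back toward the client on port 68.
    return (ip_src_seen_by_server, 68)


def diagnose_reply_path(ip_src_seen_by_server, payload, routable_from_server):
    """Check whether the server's reply target lies inside a prefix the server
    can actually route to (e.g. via the VPN). Returns (target, reachable)."""
    target, _port = reply_destination(ip_src_seen_by_server, payload)
    nets = [ipaddress.IPv4Network(n) for n in routable_from_server]
    reachable = any(ipaddress.IPv4Address(target) in net for net in nets)
    return target, reachable


if __name__ == "__main__":
    pkt = build_relayed_discover("10.30.1.1")           # relay = spoke Vlan1 address
    nat_src = "203.0.113.5"                             # assumed NAT outside address
    print(decode_relay_fields(pkt))
    print("reply goes to", reply_destination(nat_src, pkt))
    # Server can route to the spoke LAN through the tunnel: reply gets home.
    print(diagnose_reply_path(nat_src, pkt, ["10.30.0.0/16"]))
    # Server can only reach the NAT address: reply to giaddr has no path.
    print(diagnose_reply_path(nat_src, pkt, ["203.0.113.0/24"]))
```

The useful check for a site in this state is therefore not whether the server can see the NATed source, but whether the relay's giaddr (the spoke's inside interface) is covered by a route and by the crypto ACL on the server side; the second `diagnose_reply_path` call models the failing case.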
I know this is an old post, but for anyone else searching, the answer to the question about debugging IP Helper is "debug ip UDP". You will see output such as the following: