https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-with-dhcp-server-at-remote-site/m-p/187784#M57087 <P>It sounds like you need a security policy to permit the dhcp reply on the PA.&nbsp; This would be from the zone of the tunnel interface to the zone where the client is connected to the network.</P><P>&nbsp;</P> Sat, 18 Nov 2017 11:54:40 GMT pulukas 2017-11-18T11:54:40Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-with-dhcp-server-at-remote-site/m-p/187632#M57065 <P>Hi,</P><P>&nbsp;</P><P>I have a site to site ipsec vpn between 2 PA devices. Lets call them Site A and Site B and at Site A I have a Cisco router acting as a dhcp server. I'm trying to have all the client at Site B get their dhcp address and scope options from the cisco router at Site A. I have the sites connected to each other and I setup a dhcp relay agent on Site B PA device. I can see the client making the request and the request hitting the dhcp server at the remote site, but I'm not receiving an IP address at the client. For simplicty, I created the vpn tunnel between the two sites to land in the same zone as the trusted.</P><P>&nbsp;</P><P>I did see this thread <A href="https://live.paloaltonetworks.com/t5/General-Topics/DHCP-relay-through-a-VPN-tunnel/m-p/65406/highlight/true#M39062" target="_blank">https://live.paloaltonetworks.com/t5/General-Topics/DHCP-relay-through-a-VPN-tunnel/m-p/65406/highlight/true#M39062</A> only diffence is they're using an ASA.</P><P>&nbsp;</P><P>I've done this in the past with an ASA and I know it works, but I'm not sure if it works with Palo Alto. Does anyone have a senerio like this configured?</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>S.</P> Fri, 17 Nov 2017 02:50:50 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-with-dhcp-server-at-remote-site/m-p/187632#M57065 strobins 2017-11-17T02:50:50Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-with-dhcp-server-at-remote-site/m-p/187784#M57087 <P>It sounds like you need a security policy to permit the dhcp reply on the PA.&nbsp; This would be from the zone of the tunnel interface to the zone where the client is connected to the network.</P><P>&nbsp;</P> Sat, 18 Nov 2017 11:54:40 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-with-dhcp-server-at-remote-site/m-p/187784#M57087 pulukas 2017-11-18T11:54:40Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-with-dhcp-server-at-remote-site/m-p/187789#M57088 <P>Hi Pulukas,</P><P>&nbsp;</P><P>I have them both on the trusted zone for simplicity. Do I still need a rule?</P> Sat, 18 Nov 2017 21:00:12 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-with-dhcp-server-at-remote-site/m-p/187789#M57088 strobins 2017-11-18T21:00:12Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-with-dhcp-server-at-remote-site/m-p/187811#M57090 <P>The default intrazone policy is to permit so if that has not been overridden it should work.&nbsp; You can confirm the deployed rule.</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Management-Articles/What-are-Universal-Intrazone-and-Interzone-Rules/ta-p/57491" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/What-are-Universal-Intrazone-and-Interzone-Rules/ta-p/57491</A></P><P>&nbsp;</P><P>Or just create an explict one for this traffic so you can see session init logs confirming the traffic arrives on the PA.</P><P>&nbsp;</P><P>If the logs don't help we can try packet captures to confirm what is happening.</P> Sun, 19 Nov 2017 11:46:36 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-with-dhcp-server-at-remote-site/m-p/187811#M57090 pulukas 2017-11-19T11:46:36Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-with-dhcp-server-at-remote-site/m-p/187813#M57091 <P>Hi&nbsp;</P><P>&nbsp;</P><P>Please attachet some pic to your main PA configurtion for DHCP Server and DHCP Relay</P> Sun, 19 Nov 2017 13:22:05 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-with-dhcp-server-at-remote-site/m-p/187813#M57091 MFayez 2017-11-19T13:22:05Z https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-with-dhcp-server-at-remote-site/m-p/188657#M57223 <P>Will do. When I get back. Have to run to one of our remote sites for 2 weeks.</P> Fri, 24 Nov 2017 13:29:08 GMT https://live.paloaltonetworks.com/t5/general-topics/site-to-site-vpn-with-dhcp-server-at-remote-site/m-p/188657#M57223 strobins 2017-11-24T13:29:08Z