We have a retail store that is directly connected to our network via fiber, thus we have the AutoVPN disabled (as it is not needed).
The store is coming into our gateway (Cisco ASA) on VLAN 100.
The store is using an MX85 with SFP on WAN1 to connect directly to the fiber. WAN2 is disabled. WAN1 is configured to tag traffic with VLAN 100 and has an IP of 10.100.1.6/24. The Cisco ASA (being the gateway) has the following config:
interface Port-channel12.100
vlan 100
nameif vlan100-int
security-level 0
ip address 10.100.1.1 255.255.255.0 standby 10.100.1.2
The MX85 has three VLANs configured. VLAN 5 (10.10.1.0/25), VLAN 10 (10.10.1.128/26) and VLAN 15 (10.10.1.192/26).
Our DHCP server (10.50.1.7) sits on another VLAN (VLAN 50) which is connected to the gateway (Cisco ASA).
The routing table on the MX85 looks as such:
Stat Ver Subnet Name VLAN Next hop Dest Type
- IPv4 0.0.0.0/0 Default - - WAN uplink Default WAN Route
- IPv4 10.10.10.0/25 Retail 5 10.10.10.1 10.10.10.1 Local VLAN
- IPv4 10.10.10.128/26 Retail 10 10.10.10.129 10.10.10.129 Local VLAN
- IPv4 10.10.10.192/26 Retail 15 10.10.10.193 10.10.10.193 Local VLAN
Using the "Tools" on the "MX Security & SD-WAN" page I can ping (and get responses from) the DHCP server from the Internet interface and I can ping (and get responses from) the DHCP server from the VLAN 5, 10 and 15 interfaces. Connectivity is established. BUT, when I try to connect clients on the network behind the MX85 and permit them to use DHCP for addresses, they never get a response. I try to enable the DHCP relay on the "Security & SD-WAN" -> "DHCP" page and I get the error: "The DHCP relay IP address must be in a subnet or static route in this network."
Connectivity is clearly established and the route exists, so why can I not enable DHCP relay?
Is there an option I am missing?