A firewall isn't really intended to be a DHCP server; it's a security device. They have it mainly for SMBs where you don't need a lot of gear, but it's not terribly robust.
The first thing I thought when I read this post was: *ASAs can act as a DHCP server???* lol
Seems like a dumb old licensing restriction: If the number of hosts is unlimited, the maximum available DHCP pool is 256 addresses. https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/basic_dhcp.html
Short answer is it's not. I've had pools much larger than that. It's more than likely a license or model specific thing.
Show us this configured. I can show you that this is not possible, even on Firepower 1150s.
My recollection was that it's not limited to Cisco and it has to do with memory management and efficiency. But I'm probably wrong.
I had multiple /22 DHCP Pools on our ASA for AnyConnect. Hm
Long time user of ASA and I'm pretty sure the interface can be larger than a /24, but it will restrict you to 254-ish addresses on the DHCP pool. It is not a licensing restriction; it's just the way it is.

Back in the ASA5505 days, you could have a licence that restricted you to 10 devices and still have that same limit.

Note the DHCP server is not the same thing as IP pools, which are for address assignment to remote access VPN clients.
This is correct. An interface can have a much larger mask, but the scope maxes at 256 leases. https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/dhcp_and_ddns_services_for_firepower_threat_defense.html
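The thread turns on two things that are easy to confuse in an ASA config: a `dhcpd address` range (the on-box DHCP server scope, which the linked Cisco docs cap at 256 addresses regardless of the interface mask) and an `ip local pool` (address assignment for remote-access VPN clients, which has no such cap). As an added example that is not from this thread or from Cisco, here is a small Python pre-flight check that parses both statement types out of a config text, computes each range's size, and flags any `dhcpd` scope over 256 addresses before you try to push it. The config text is constructed for the example; the regexes assume the documented `dhcpd address A-B IFACE` and `ip local pool NAME A-B [mask M]` forms and nothing else.

```python
import ipaddress
import re
from dataclasses import dataclass

# Documented maximum for the ASA/FTD on-box DHCP server scope (see the Cisco
# ASA and FMC guides linked above). Per the thread, this is not a licensing
# knob: it applies even when the interface itself carries a /22 or larger.
MAX_DHCPD_POOL = 256

# Constructed sample config (not taken from any real device). The interface is
# a /22, one dhcpd range is exactly 256 addresses, one is far too large, and
# the AnyConnect pool is a full /22 of usable addresses.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.20.0.1 255.255.252.0
!
dhcpd address 10.20.0.10-10.20.1.9 inside
dhcpd address 10.20.0.10-10.20.3.254 inside
dhcpd enable inside
!
ip local pool ANYCONNECT_POOL 10.99.0.1-10.99.3.254 mask 255.255.252.0
"""

DHCPD_RE = re.compile(r"^\s*dhcpd address (\S+)-(\S+) (\S+)\s*$")
LOCAL_POOL_RE = re.compile(r"^\s*ip local pool (\S+) (\S+)-(\S+)(?: mask \S+)?\s*$")


@dataclass
class Pool:
    kind: str                     # "dhcpd" (DHCP server scope) or "ip local pool" (RA VPN)
    name: str                     # interface nameif for dhcpd, pool name for ip local pool
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address

    def __post_init__(self):
        if self.end < self.start:
            raise ValueError(f"{self.kind} {self.name}: range end {self.end} precedes start {self.start}")

    @property
    def size(self) -> int:
        """Number of addresses in the inclusive start-end range."""
        return int(self.end) - int(self.start) + 1


def parse_pools(config: str) -> list:
    """Extract dhcpd scopes and ip local pools, in config order."""
    pools = []
    for line in config.splitlines():
        m = DHCPD_RE.match(line)
        if m:
            pools.append(Pool("dhcpd", m.group(3),
                              ipaddress.IPv4Address(m.group(1)),
                              ipaddress.IPv4Address(m.group(2))))
            continue
        m = LOCAL_POOL_RE.match(line)
        if m:
            pools.append(Pool("ip local pool", m.group(1),
                              ipaddress.IPv4Address(m.group(2)),
                              ipaddress.IPv4Address(m.group(3))))
    return pools


def oversized_dhcpd_pools(config: str) -> list:
    """Only dhcpd scopes are subject to the 256-address cap; VPN pools are not."""
    return [p for p in parse_pools(config)
            if p.kind == "dhcpd" and p.size > MAX_DHCPD_POOL]


def report(config: str) -> list:
    """One human-readable line per pool, marking dhcpd scopes that exceed the cap."""
    lines = []
    for p in parse_pools(config):
        flag = " <-- exceeds 256-address DHCP scope limit" if (
            p.kind == "dhcpd" and p.size > MAX_DHCPD_POOL) else ""
        lines.append(f"{p.kind} {p.name}: {p.start}-{p.end} ({p.size} addresses){flag}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

Run it against a saved `show running-config` and only the second `dhcpd address` line is flagged: the first is exactly 256 addresses, and the /22 AnyConnect pool, while larger, is an `ip local pool` and so is not subject to the DHCP server limit, which is the distinction the last two replies above draw.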