08-05-2015 07:42 AM
Got a setup with a RAP-155P (v 126.96.36.199) which has a VPN to a cluster of 7010 controllers (v 188.8.131.52). Everything works fine, but I have an issue with the DHCP centralized L3:
When a client connects to the SSID linked to the VLAN (2) with the centralized L3 dhcp, I see the dhcp discover packet coming out of the aruba controller in the datacenter firewall logs (there is a firewall at the datacenter where the aruba controllers and dhcp server are located), and i see a response coming from the dhcp server towards the aruba controllers.
I've set up logging on the IAP as well, and the log shows that the initial dhcp packet is indeed being sent, but there is no returning traffic.
I can reach the DHCP server pinging from the IAP and vice versa, so the path is OK.
When I put a static IP on the wifi client, everything is working, I can reach the servers in the datacenter.
Any ideas on how to troubleshoot this?
My suspicion is that the returning traffic is being dropped by the aruba controller at the datacenter, as i don't see anything in the IAP logs. The datacenter is remote, so going on-site for a packet capture is an absolute last resort.
Any help is appreciated!
Solved! Go to Solution.
08-07-2015 02:19 PM
I've built a lab setup to replicate the issue. This time the DHCP server has an IP adress in a subnet which has the Aruba controller as a default gateway. So no other routing/firewalling in between. I see the DHCP discover packets arriving at the server, and the server sends a DHCP offer, but the offer never reaches the client (wireless or wired, same result).
Smells like a bug! Opened a TAC case, let's see what support has to say about it.
08-17-2015 05:31 AM
Rebuild the lab setup this week, and everything worked from the start now. Probably missed something the first time.
In the datacenter, it still wasn't working, but as I tested with the same hardware in the lab, something else should be the culpritt. And it was: the windows firewall on the dhcp server was blocking incoming DHCP packets. For some reason the IAP sends the DHCP relay packets using source port 1067 (which was new to me, anyway), and that got dropped. After fixing the firewall, it worked fine.