Controllerless Networks

We have some strange problems with the AP-105 wifi accespoints.

The problem is that when connect a notebook with a Intel Proset WiFi Adapter, some times the laptops are loosing there connection.
When we start a trace on the network switch with wireshark we see a lot of duplication IP address warnings on the log files.
One MAC address is the original MAC address of the laptop and the other MAC address is a phantom address starting with 02:....

When we connect IPADS or Iphones to the WiFi network we have the problem that the devices are loosing there connection to. On our DHCP server (Windows 2008 r2) we see a lot of "bad address" messages, with on the end a message DHCP is near end.

On each network we configure a WiFi network for the end user and a guest network for guests. After this network settings we change the following settings in the AP and leave the rest on default.

Settings Page
-------------
Virtual Controller Name                = [Customer Name]
virtual Controller IP-Address         = 192.168.10.30
MAS integration                            = Disabled
NTP server                                    = ntp.<ISP>.nl
Timezone                                     = Amsterdam UTC+1
password                                     = [Password]
DHCP Network                              = 1.2.3.4
DHCP Mask                                   = 255.255.255.255

RF Page
-------
Radio 2.4 GHz band
Background spectrum monitor         = Enabled

Radio 5 GHz band
Background spectrum monitor         = Enabled

IDS / Wireless Intrusion Protection (WIP) Page
----------------------------------------------
Infrastructure detection            = High
Clients detection                      = High

Infrastructure protection           = High
Clients protection                     = High

Wired containment                   = On
Wireless containment                = Authenticate only

Network Page
------------
Multicast transmission optimization = Enabled
Dynamic multicast optimization       = Enabled

Blacklisting                                      = Enabled
Max authentication failures              = 3

We do not have this problems when all settings are default, and we only configure a SSID and WPA2 key.
Do you have any idea which of this settings can cause this behavior?

In terms of the duplicate IP packets in wireshark, that might well be normal. If you've configured one of the SSIDs to use virtual controller assigned IP addressing for clients, you're seeing NAT'd client packets, and true AP packets using the AP Eth0 address.

When you say clients are loosing their connection, do you mean becoming fully disassociated, or just not getting an IP?

Why is the DHCP mask you've referenced a /32 mask? That's not normal, and might be linked to your issue.

It isn't clear what version of Instant code you're running? The configurations you're calling out don't look like the current menu structures?

Also, your IDS settings are pretty aggressive. Have you tried without these to rule that out?

We have configured the SSID's to use the network assiged IP address.

We do see the requests and leases on our DHCP server (Windows 2008 R2)

We have a 192.168.10.x /24 subnet mask configured on our LAN network. We changed the DHCP pool of the aruba AP's to a /32 subnet to be sure that the AP's can not conflict with our LAN subnet.

The AP's are using firmware version "6.2.1.0-3.3.0.3_39227" but we also have this behaviour when we use the latest firmware version.

The DHCP part doesn't work the way you're thinking if I'm interpreting what you're saying correctly, but I don't think we need worry about that for the purpose of this discussion.

Do all the configured SSIDs use network assigned addressing?

When you say clients are loosing their connection, do you mean becoming fully disassociated, or just not getting an IP?

Also, your IDS settings are pretty aggressive. Have you tried without these to rule that out?

All SSID's are getting a network address.

The cliënts are keeping there WiFi connection, but they can not get a DHCP address. In Wireshark I see duplicated IP messages.

With the Apple Devices I see a lot of "BAD ADDRESS" messages on the DHCP server. It seems that the Apple device keeps asking for a new IP address continiously.

When I reset the device to the factory defaults and only configure the SSID parameters, I do not have any problems.

In this settings the IDS is also not configured.

So just for clarity, if you configure everything else you want, but disable the IDS, does everything work ok?

I have not tested this.

Can IDS cause this kind of behaviour?

Quite possibly. IDS is very complex. In your scenario, you've turned all the sensitivity dials up to maximum. I very rarely do this, and I've worked in some very very sensitive environments.

To limit your troubleshooting efforts, I'd try first setting all of it back to defaults, then on the basis you really need this kind of security for whatever reasons, try pushing the sensitivity levels up category by category, one by one.

There is a possibility that some of the clients are affected by one IDS feature, and others are affected by a different one.

Can you also post the config of this IAP cluster?  Something doesn't seem right here.  Want to make sure that we address the /32 addressing for the APs.  If DHCP is properly configured, then you shouldn't worry about that at all.

Probably a good point.

I ignored that based on his setup using network assigned, rather than VC, so should be no dependancy on the DHCP of the IAP.

Possibly optimistic, as granted the /32 clearly wouldn't be correct in any definition I can think of.

I will send the configuration of the network later.

The reason for the 1.2.3.4/32 subnet on the DHCP configuration page is the old unused Magic VLAN IP article we found on the forum.

http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/Virtual-Controller-is-responding-to-HTTP-requests-on-an-old-and/m-p/51460/highlight/true#M932

We wanted to make sure the IP conflicts we are seeing were not caused by the AP's, becuase for our LAN network we use also the 192.168.10.x/24 subnet.

Our Microsoft Windows based LAN network is build on a Microsoft Windows 2008 R2 Domain controller, with DHCP, DNS and other roles.

Sure.

The IAP is software coded to make use of this "magic" subnet/vlan for portal purposes amongst other things I believe.

So long as the magic subnet doesn't conflict with something important/relevant to the real network, you'll be fine.

I think the thought here is the mask is the issue, rather than the subnet. I.e. setting /32 might well have an unknown consequence on the way the IAP software runs. It might be advisable to try it with a /24 instead?

Find enclosed the configuration File.

Attachment(s)

instant.zip   1 KB 1 version

Having looked at your conf, the only thing I'd add to my previous suggestions, is turning the spectrum monitoring off. If that's not operating as we'd expect, it might cause an issue. Unlikely.

I still think it's one or more of the IDS settings triggering a false positive. Or in terms of the guest SSID, might even be triggering for a real reason.