Wireless Access

Hi AirHeads,

 

 

 

Here is my vlans / interfaces: (All VLANS arriving from Trunk port)

VLAN 210 - is the vlan for contacting the extranl DHCP server that handling all the vlans.

 

 

My clients connecting to VLAN402.

• Once in a while there are some random clients that it seems that dont getting an IP address... (the scope aint full - i checked it)
• If i'am checking the client user list - i can see the same MAC with two diffrent IP'S. and on client machince i can see assoaction and auth suscssuefl and sometime IP or sometime no IP ...but no data is passing. (enforce DHCP is on - and it's 802.1x profile that working in front of a radius)
• I tested connectiviy between the DHCP server to the aruba controller and it's seems , just working fine and stable.
• i tought to add DHCP helper to the client VLAN (402) - but it's an interface with no IP (L2) so... no DHCP IP HELPER option.

 

 

 

please advise,

 

thanks

 

Me.

 

If all of your layer 3s are upstream, there's no need to add any helpers
to the controllers, even on 210.

ok - thanks 4 the tip. :smileyfrustrated:

 

so what may fix / solve this multi ip for same mac issue?

(This causing randolmey machinces not to be able to work)

Does anything stick out when you run a show auth-tracebuf for the user?

Also you can try turning user-debug on for the client.

I'm not on site right now (it's 18:00 here) i will be there again tomorrow morning , and will do a user debug on a machine that i will find in that situation.

 

How do you have your VAP setup ?

 

If you only want a certain IP segment to be allowed you could also adjust the user valid table to only allowed certain IP spaces for the user-table .

 

 

Thanks for the TIP,That's not the issue....the right IP segment is arriving to all users in all diffrent vlans ...but once in a while ... there is a user that getting two ip's (same mac two ip's) and then he cant work....

 

 

it might be a issue when client moves from one SSID to other, the user table might have the 2 entries. 

 

 try enabling "aaa user fast-age" to ageout the duplicate entry and it should work for you. 

vkumaar, Thanks for the tip.
i already in the past configured this option in other deployments, IS: aaa user fast-age will not effect the 802.1x connected users? ..as far as i aware - the controller ping to an a client,and if the client isnt resposned - the client mac is being deleted it from the db.

Hi Asa,

 

I have also face this issue of single mac address with two ip addresses in same SSID. When i configured the VLAN IP address to get IP address from DHCP Server.  

 

But which i configure static IP address for that VLAN and the problem resolved.

Hi :)

 

Thanks for the tip,I still waiting for an output from the client , after yesterday i applied the "AAA user fast-age" command.

 

DHCP SERVER is located and reachable for the controller via VLAN201

and the clients are on VLAN402 (a VLAN without an IP.Only L2 connectivity)

 

If the client will still complain about the same issue (of two ip's to one client in the client list ... What causing them not to be able to connect well) - I will add a static IP to the 402 vlan...(and than DHCP HELPER also)

 

have a gr8 day.

 

Me

kdisc98

 

A station can have up to 4 x IPv4 addresses and 2 x IPv6 address associated with it (i.e. user-table entries) without any problem. This is not to say that when your problem client ends up with a 2nd ipv4 address that it's not the trigger for some problem, but the controller does support the notion of multiple IP addresses per user.

 

Causes of multiple IP per user can vary; moving across vlans will cause it to appear shortly, as do some mobile devices which leak 3G/4G addresses into the wifi side. Some Windows devices do sometimes exhibit some odd bridging behaviour where if they are connected to wired and wireless at same time they can leak wired side addresses into the wifi even if bridging is disabled.

 

Most common way to filter against this is to use the validuseracl to allow only your desired subnets. AAA fast age can help also, as does disabling of ipv6 if you dont wish to support dual stack (not in your case though, the implcation seems to be multiple ipv4)

 

Enforce DHCP can sometimes be problematic - if the client wakes up and the user entry has idled out on the controller user-table but the DHCP lease is still very fresh and the client doesn't try renew the lease, then your user will get stuck (traffic dropped by the controller since no user entry and enforce DHCP enabled). Most (some?) clients will trigger a DHCP request after waking up and reconnecting to the wifi, but I have seen some clients not do this. Perhaps try disabling enforce DHCP for a while and/or review your DHCP lease time vs. the aaa user idle time in the controller.

 

 regards

-jeff

If you have an IP address configured for that vlan on the controller, them you should have the helper address for that vlan set on thru controller and not upstream. I missed that in the screenshot earlier.








Sent from Surface

cappalli, i have ip only for the mangment vlan (201) the clients vlan is (402)

so i should put DHCP help on VLAN 201?

rgrds,

me