Wireless Access

Hi, All

 

Just looking to see if anyone else has run across the same issue. One of our customers have been having issues where random wireless clients after connecting to the employee wireless and getting Authentications can not brows local or internet resources.

After looking in the Aruba controller they show the client as have an old IP address and basically sandboxes them. They can reboot, re-logon with no change. Because they still get the same new IP address from the external DHCP server. You have to login to the Aruba controller and clear the user on the controller before they can reconnect and then they work as normal. This happens three to five times a week in a large campus environment.

 

Any help would be great.

 

 

 

thats loooks like more like a bug what code are you running?

6.1.3.5

We thought the same thing so we upgraded. this has been going on for a while now.

Hi Wizard,

 

Are you using role derivation in this install? If so, try moving the following rule:

 

any any svc-dhcp  permit 

 

to the top of any derived roles. Previously, a customer of mine relied on the "any any any permit" rule at the end of their derived rules for DHCP and it caused something similar to what you may be seeing. The change with the svc-dhcp rule improved DHCP across the board.

 

-Mike

 

Hi, boston1630

 

I have requested a copy of the configuration and will look into this. I believe they are using default roles. They were using the controller as the DHCP server for a while until this became a issue then they moves to an external server for all off the DHCP services.

 

Thanks,

 

Wizard

A. Upgrade to the latest AOS (6.1.3.8 for example)

A2. Save config & reboot

B. Run this command in the cli: 

the lastest firmware is 6.1.3.9 ;)

 

But now the 6.2.x is on general avaibility :) guess you can upgrade to tose also...

NightShade1 Thanks for already known info. :smileyfrustrated:( i dunno - how it can or might help the person)

(that why i wrote in my post - 6.1.3.8 for example)

 

8 or 24 hrs  the customer said he would verify, but i have not gotten back to him on that.

Keep us informed.(if further assistance needed or if the case is been solved)

 

Me.

 

 

Hi, kdisc98

 

Upgrade is very difficult to go through with this customer it is a large campus and requires going through change controller. So if it not a guarantied fix I will wait to look deeper. This has been an open issue for a few months so it is a sore subject for them.

We did do an upgrade to 6.1.3.5 with no change.

 

Thanks,

 

 

 

A couple of questions :smileywink:

- Is the device able to ping it's gateway ?

- Is the device able to ping another device in the same segment ?

- Can the controller ping the device ?

- What's the lease for that segment ? can you see the active lease in the DHCP server ?

- Have you done a wireshark capture on the device and seee if the device is sending an ARP request ? can you see the arp entry in the uplink or core switch ?

- Can you share the user-debug logs from the controller ?

- Does it happen with a particular set of devices or segment ?

 

Note: you should probably consider opening a TAC case if you haven't already

 

Take your time 

 

• Just don't forget after the upgrade to 6.1.3.8 or 6.1.3.9 from 6.1.3.5 to run the command:

Hi, vfabian

 

- Is the device able to ping it's gateway ? No

- Is the device able to ping another device in the same segment ? No

- Can the controller ping the device ? No

- What's the lease for that segment ?  Either 8 or 24 hrs. I am trying to verify. Can you see the active lease in the DHCP server ? Yes, the server shows an active lease

- Have you done a wireshark capture on the device and see if the device is sending an ARP request ? Yes, it authenticates and gets a new IP address from the DHCP Server. They did this with a support engineer. Can you see the ARP entry in the uplink or core switch ? No the controller still so the old IP address of the client. It does not seem to update the active user information. So it drops the traffic from the client seeing the same MAC with the wrong IP

- Can you share the user-debug logs from the controller ?I do not have one.

- Does it happen with a particular set of devices or segment ? It seems fairly random on the users except for a few that seem it happen more often. Other than that it is windows laptops and it only happens in the employee SSID but they do have a remote site that it happens to also.

- When the device is in state (can't reach the network) do you see any DHCP communication on the capture ?
- can you do a show aaa timers and make sure it has the default values.
- you should enable debugging network subcat dhcp and debugging use-debug <clientmac> and if you can point this info to a syslog server even better