Wireless Access

Reply
Frequent Contributor I
Posts: 83
Registered: ‎05-11-2011

DHCP enforcement and HP printers

Hi
I'm facing a problem when I set DHCP enforcement on RAP with HP printers.
I found none of the HP printers were up to day from the firmware stand point in all sites. There are multiples issues reported by HP in regards to DHCP. Anyway I wasn't able to keep the rule to enforce DHCP and avoid users setting up on their own, I tried to add an static arp entry on the controller but didn't help.
The only way to make the printers working is using fix IP and don't use this feature which I don't like.
The issue seems to be related to the ArubaOS firmware ( my version is 6.4.2.5) as far as I see on a debug where the packets are dropped because the controller seems to believe the printer uses fix ip.
Any other ideas that I should be looking into?

Thanks
Guru Elite
Posts: 21,517
Registered: ‎03-29-2007

Re: DHCP enforcement and HP printers

Please start on page 10 of the document here:  http://community.arubanetworks.com/t5/Validated-Reference-Design/ArubaOS-DHCP-Fingerprinting/ta-p/155604 to turn on DHCP debugging to see what the HP printer does.  That will give you a starting point on what is happening.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Guru Elite
Posts: 21,517
Registered: ‎03-29-2007

Re: DHCP enforcement and HP printers

Please start on page 10 of the document here:  http://community.arubanetworks.com/t5/Validated-Reference-Design/ArubaOS-DHCP-Fingerprinting/ta-p/155604 to turn on DHCP debugging to see what the HP printer does.  That will give you a starting point on what is happening.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Guru Elite
Posts: 21,517
Registered: ‎03-29-2007

Re: DHCP enforcement and HP printers

Please start on page 10 of the document here:  http://community.arubanetworks.com/t5/Validated-Reference-Design/ArubaOS-DHCP-Fingerprinting/ta-p/155604 to turn on DHCP debugging to see what the HP printer does.  That will give you a starting point on what is happening.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Moderator
Posts: 321
Registered: ‎08-28-2009

Re: DHCP enforcement and HP printers

in addition to Colin's suggestions, what is your DHCP lease time versus the AAA user timeout and also the SSID STA Ageout ?  (show aaa timer, show wlan ssid-profile <the ssid profile>)

 

if the DHCP renewal doesn't come before the controller ages out the user (which is by default 1000 seconds), then you can get stuck like this.  This assumes the printer is 100% silent on the wlan side, to check that please also capture "show ap debug client-table ap-name <ap>" when the printer is in idle mode. If no packets are seen from the printer to the AP, then this 1000 second timer is in play.

 

regards

-jeff

 

Frequent Contributor I
Posts: 83
Registered: ‎05-11-2011

Re: DHCP enforcement and HP printers

Thanks for the answers. I've confgured a DHCP debug.

In regards to the timers/lease:

DHCP Lease time is configured to 8 days and the aaa timers are as follow:

Global User idle timeout = 300 seconds
Auth Server dead time = 10 minutes
Logon user lifetime = 5 minutes
User Interim stats frequency = 600 seconds

How can I change the default value of 1000 second timer?

 

 

 

Frequent Contributor I
Posts: 83
Registered: ‎05-11-2011

Re: DHCP enforcement and HP printers

Yesterday our admin changed the DHCP lease to 1 hour and printer was up and running until just now.

According to the logs ( printer details 172.20.208.13/00:21:5a:96:51:46), traffic was dropped because is not assigned via DHCP Altought I have the printer working in DHCP. After I deactivated the DHCP enforcement, the printer was starting to work again

 

"May  5 09:05:06  authmgr[3629]: <522141> <DBUG> |authmgr|  00:21:5a:96:51:46 IP 172.20.208.13: drop pkt as ip not assigned through dhcp."

 

 

 

May  5 09:05:03  authmgr[3629]: <522096> <DBUG> |authmgr|  00:21:5a:96:51:46: Sending STM new Role ACL : 83, and Vlan info: 610, action : 10, AP IP: 192.168.200.162, flags : 0 idle-timeout: 300
May  5 09:05:03  authmgr[3629]: <522096> <DBUG> |authmgr|  00:21:5a:96:51:46: Sending STM new Role ACL : 83, and Vlan info: 610, action : 10, AP IP: 192.168.200.162, flags : 0 idle-timeout: 300
May  5 09:05:03  authmgr[3629]: <522096> <DBUG> |authmgr|  00:21:5a:96:51:46: Sending STM new Role ACL : 83, and Vlan info: 610, action : 10, AP IP: 192.168.200.162, flags : 0 idle-timeout: 300
May  5 09:05:03  authmgr[3629]: <522096> <DBUG> |authmgr|  00:21:5a:96:51:46: Sending STM new Role ACL : 83, and Vlan info: 610, action : 10, AP IP: 192.168.200.162, flags : 0 idle-timeout: 300
May  5 09:05:03  authmgr[3629]: <522141> <DBUG> |authmgr|  00:21:5a:96:51:46 IP 172.20.208.13: drop pkt as ip not assigned through dhcp.
May  5 09:05:03  authmgr[3629]: <522141> <DBUG> |authmgr|  00:21:5a:96:51:46 IP 172.20.208.13: drop pkt as ip not assigned through dhcp.
May  5 09:05:03  authmgr[3629]: <522143> <DBUG> |authmgr|  user_miss from RAP:192.168.200.162, (Wired) user IP:172.20.208.13, VLAN:610, BSSID:00:0b:86:9d:5b:24:AP:Barcelona, flags=0x0.
May  5 09:05:03  authmgr[3629]: <522143> <DBUG> |authmgr|  user_miss from RAP:192.168.200.162, (Wired) user IP:172.20.208.13, VLAN:610, BSSID:00:0b:86:9d:5b:24:AP:Barcelona, flags=0x0.
May  5 09:05:03  authmgr[3629]: <522254> <DBUG> |authmgr|  VDR - mac 00:21:5a:96:51:46 rolename logon fwdmode 3 derivation_type Initial Role Contained vp not present.
May  5 09:05:03  authmgr[3629]: <522254> <DBUG> |authmgr|  VDR - mac 00:21:5a:96:51:46 rolename logon fwdmode 3 derivation_type Initial Role Contained vp not present.
May  5 09:05:03  authmgr[3629]: <522254> <DBUG> |authmgr|  VDR - mac 00:21:5a:96:51:46 rolename rap_corporate fwdmode 3 derivation_type MBA Role Contained vp not present.
May  5 09:05:03  authmgr[3629]: <522254> <DBUG> |authmgr|  VDR - mac 00:21:5a:96:51:46 rolename rap_corporate fwdmode 3 derivation_type MBA Role Contained vp not present.
May  5 09:05:03  authmgr[3629]: <522255> <DBUG> |authmgr|  "VDR - set vlan in user for 00:21:5a:96:51:46 vlan 610 fwdmode 3 derivation_type Current VLAN updated.
May  5 09:05:03  authmgr[3629]: <522255> <DBUG> |authmgr|  "VDR - set vlan in user for 00:21:5a:96:51:46 vlan 610 fwdmode 3 derivation_type Current VLAN updated.
May  5 09:05:03  authmgr[3629]: <522255> <DBUG> |authmgr|  "VDR - set vlan in user for 00:21:5a:96:51:46 vlan 610 fwdmode 3 derivation_type Current VLAN updated.
May  5 09:05:03  authmgr[3629]: <522255> <DBUG> |authmgr|  "VDR - set vlan in user for 00:21:5a:96:51:46 vlan 610 fwdmode 3 derivation_type Current VLAN updated.
May  5 09:05:03  authmgr[3629]: <522255> <DBUG> |authmgr|  "VDR - set vlan in user for 00:21:5a:96:51:46 vlan 610 fwdmode 3 derivation_type Default VLAN.
May  5 09:05:03  authmgr[3629]: <522255> <DBUG> |authmgr|  "VDR - set vlan in user for 00:21:5a:96:51:46 vlan 610 fwdmode 3 derivation_type Default VLAN.
May  5 09:05:03  authmgr[3629]: <522258> <DBUG> |authmgr|  "VDR - Add to history of user user 00:21:5a:96:51:46 vlan 0 derivation_type Reset VLANs for Station up index 27.
May  5 09:05:03  authmgr[3629]: <522258> <DBUG> |authmgr|  "VDR - Add to history of user user 00:21:5a:96:51:46 vlan 0 derivation_type Reset VLANs for Station up index 28.
May  5 09:05:03  authmgr[3629]: <522259> <DBUG> |authmgr|  "VDR - Do Role Based VLAN Derivation user 00:21:5a:96:51:46 role rap_corporate authtype 2 rolehow default for authentication type MAC.
May  5 09:05:03  authmgr[3629]: <522259> <DBUG> |authmgr|  "VDR - Do Role Based VLAN Derivation user 00:21:5a:96:51:46 role rap_corporate authtype 2 rolehow default for authentication type MAC.
May  5 09:05:03  authmgr[3629]: <522260> <DBUG> |authmgr|  "VDR - Cur VLAN updated 00:21:5a:96:51:46 mob 0 inform 1 remote 1 wired 1 defvlan 610 exportedvlan 0 curvlan 610.
May  5 09:05:03  authmgr[3629]: <522260> <DBUG> |authmgr|  "VDR - Cur VLAN updated 00:21:5a:96:51:46 mob 0 inform 1 remote 1 wired 1 defvlan 610 exportedvlan 0 curvlan 610.
May  5 09:05:03  authmgr[3629]: <522292> <DBUG> |authmgr|  Auth GSM : MAC_USER notify for mac 00:21:5a:96:51:46 vlan 610
May  5 09:05:03  authmgr[3629]: <522292> <DBUG> |authmgr|  Auth GSM : MAC_USER notify for mac 00:21:5a:96:51:46 vlan 610
May  5 09:05:03  authmgr[3629]: <524124> <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:00:21:5a:96:51:46, pmkid_present:False, pmkid:N/A
May  5 09:05:03  authmgr[3629]: <524124> <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:00:21:5a:96:51:46, pmkid_present:False, pmkid:N/A
May  5 09:05:03  authmgr[3629]: <524141> <DBUG> |authmgr|  clr_pmkcache_ft():988: MAC:00:21:5a:96:51:46 BSS:01:80:c2:00:00:03
May  5 09:05:03  authmgr[3629]: <524141> <DBUG> |authmgr|  clr_pmkcache_ft():988: MAC:00:21:5a:96:51:46 BSS:01:80:c2:00:00:03
May  5 09:05:06  authmgr[3629]: <522035> <INFO> |authmgr|  MAC=00:21:5a:96:51:46 Station UP: BSSID=01:80:c2:00:00:03 ESSID=n/a VLAN=610 AP-name=Barcelona
May  5 09:05:06  authmgr[3629]: <522077> <DBUG> |authmgr|  MAC=00:21:5a:96:51:46 ingress 0x0x1005e (tunnel 94), u_encr 1, m_encr 1, slotport 0x0x2104 wired, type: remote, FW mode: 3, AP IP: 192.168.200.162 mdie 0 ft_complete 0
May  5 09:05:06  authmgr[3629]: <522078> <DBUG> |authmgr|  MAC=00:21:5a:96:51:46, wired: 1, vlan:610 ingress:0x0x1005e (tunnel 94), ingress:0x0x1005e new_aaa_prof: rap_corporate_wired_noDHCP, stored profile: rap_corporate_wired_noDHCP stored wired: 1 stored essid:  , stored-ingress: 0x0x1005e
May  5 09:05:06  authmgr[3629]: <522083> <DBUG> |authmgr|  Skip User-Derivation, mba:1 udr_exist:0,default_role:logon,pDefRole:0x0x110c62c
May  5 09:05:06  authmgr[3629]: <522096> <DBUG> |authmgr|  00:21:5a:96:51:46: Sending STM new Role ACL : 83, and Vlan info: 610, action : 10, AP IP: 192.168.200.162, flags : 0 idle-timeout: 300
May  5 09:05:06  authmgr[3629]: <522096> <DBUG> |authmgr|  00:21:5a:96:51:46: Sending STM new Role ACL : 83, and Vlan info: 610, action : 10, AP IP: 192.168.200.162, flags : 0 idle-timeout: 300
May  5 09:05:06  authmgr[3629]: <522141> <DBUG> |authmgr|  00:21:5a:96:51:46 IP 172.20.208.13: drop pkt as ip not assigned through dhcp.
May  5 09:05:06  authmgr[3629]: <522143> <DBUG> |authmgr|  user_miss from RAP:192.168.200.162, (Wired) user IP:172.20.208.13, VLAN:610, BSSID:00:0b:86:9d:5b:24:AP:Barcelona, flags=0x0.
May  5 09:05:06  authmgr[3629]: <522254> <DBUG> |authmgr|  VDR - mac 00:21:5a:96:51:46 rolename logon fwdmode 3 derivation_type Initial Role Contained vp not present.
May  5 09:05:06  authmgr[3629]: <522254> <DBUG> |authmgr|  VDR - mac 00:21:5a:96:51:46 rolename rap_corporate fwdmode 3 derivation_type MBA Role Contained vp not present.
May  5 09:05:06  authmgr[3629]: <522255> <DBUG> |authmgr|  "VDR - set vlan in user for 00:21:5a:96:51:46 vlan 610 fwdmode 3 derivation_type Current VLAN updated.
May  5 09:05:06  authmgr[3629]: <522255> <DBUG> |authmgr|  "VDR - set vlan in user for 00:21:5a:96:51:46 vlan 610 fwdmode 3 derivation_type Current VLAN updated.
May  5 09:05:06  authmgr[3629]: <522255> <DBUG> |authmgr|  "VDR - set vlan in user for 00:21:5a:96:51:46 vlan 610 fwdmode 3 derivation_type Default VLAN.
May  5 09:05:06  authmgr[3629]: <522258> <DBUG> |authmgr|  "VDR - Add to history of user user 00:21:5a:96:51:46 vlan 0 derivation_type Reset VLANs for Station up index 29.
May  5 09:05:06  authmgr[3629]: <522259> <DBUG> |authmgr|  "VDR - Do Role Based VLAN Derivation user 00:21:5a:96:51:46 role rap_corporate authtype 2 rolehow default for authentication type MAC.
May  5 09:05:06  authmgr[3629]: <522260> <DBUG> |authmgr|  "VDR - Cur VLAN updated 00:21:5a:96:51:46 mob 0 inform 1 remote 1 wired 1 defvlan 610 exportedvlan 0 curvlan 610.
May  5 09:05:06  authmgr[3629]: <522292> <DBUG> |authmgr|  Auth GSM : MAC_USER notify for mac 00:21:5a:96:51:46 vlan 610
May  5 09:05:06  authmgr[3629]: <524124> <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:00:21:5a:96:51:46, pmkid_present:False, pmkid:N/A
May  5 09:05:06  authmgr[3629]: <524141> <DBUG> |authmgr|  clr_pmkcache_ft():988: MAC:00:21:5a:96:51:46 BSS:01:80:c2:00:00:03

Moderator
Posts: 321
Registered: ‎08-28-2009

Re: DHCP enforcement and HP printers

Hi Aboj

you can adjust the 1000 seconds under the ssid profile, but you can also try increasing the aaa idle timeout for just the aaa profile being used by the printers.

 

it would seem here that the printer is dead silent, perhaps until either 50% of lease time, or maybe even until the lease is about to expire - so you can try setting the idle timeout accordingly.

 

regards

-jeff

 

 

Frequent Contributor I
Posts: 83
Registered: ‎05-11-2011

Re: DHCP enforcement and HP printers

Hi jgoff

Adjusting timers did the trick. The initial lease fro mthe DHCP servers was set to 8 days so I adjuted to 15 minutes and also I did the same for the user-idle timeout under the aaa profile to the 30 minutes.

Initially wasn't working as expected due to the fact the printer didn't take the new lease until I made some changes from fix to DHCP which trigger a new DHCP proccess.

I haven't lost the comunication with the printer since, thanks for the advise and support.

Printer also goes to sleep mode after some time so in order to re-enable it, you have to send a print job or generate some traffic but the printer is still reacheble and the controller doens't recognize the IP as fix ip address. Do you know anyway to send some traffic from the controller to keep it alive?

 

Thanks again for your support

Aboj

 

Moderator
Posts: 321
Registered: ‎08-28-2009

Re: DHCP enforcement and HP printers

hi Aboj

good to hear it's working better. there is no way for the controller to generate L3 traffic towards the client, perhaps you can install some monitoring software on a server somewhere that does a ping - or just use crontab on a linux box + some sort of subnet pinger like fping or hping to genrate a ping to each host on the subnet

regards

-jeff

Search Airheads
Showing results for 
Search instead for 
Did you mean: