Wireless Access

Aruba Controller versions 6.4.2.8_50314, CPPM 6.5.2.73779, Android version 5.0-5.1

I have an SSID on a Aruba 7210 controller with a backup Aruba 7210 controller.  The SSID is configured AAA to pass authenication EAP\TLS user certificate authenication to CPPM via Airwatch staging for the Apple and Android devices.  CPPM works fine and accepts the authenications for both Apple and Android devices and forwards back to the controller.  The Apple devices work everytime and get the correct role and get an IP address.  The Android devices most of the time do not get an IP address and do pass CPPM and get the correct role everytime.  On the backend of the SSID I have 3 split VLANS with \24 subnets that are layer 2 to the Cisco Nexus switch in a port channel config.  The layer 3 interface is on the Cisco Nexus switch and has IP helpers.  I have changed the VLANS for troubleshooting to just one VLAN and it does not fix the issue and also put the layer 3 interface on the controller and that does not fix the issue.

When the Android device fails it does show it connected and has an IP addres to the SSID and the Aruba controller shows NO IP address but shows it connected for that same device.  When the person that tests the Android devices sees that it does have an IP address on the Android device but can not get anywhere on the internet.

But for some reason the Android devices sometimes do get connected and work fine!!!  The Apple devices have no problem and get an IP everytime and pass CPPM everytime on that same SSID.

Do you know if there is an issue with the Android devices and what version I should be using to get these devices to work everytime?

I do know that CPPM and the firewall rules on the Aruba controller all work fine because the Apple devices all work fine.

I am working with Aruba TAC on this issue but they are having issues finding a solution for this issue with the Android devices.

Thank You! 

Can you make sure that those VLANs\Scopes that the Androids are landing on are not running out of leases?

You could also run the following command :

show  vlan-assignment

To see the distribution of clients .

What type of VLAN pooling you are using ? Hash or Even

The DHCP scopes are fine.  They are /24 subnets and I have been only testing the SSID with one WAP broadcasting the SSID with the max client sessions of 5 at one time.  Lease time is set for 8 hours.

I will check to see how the VLAN pools are split.  

I did test this with only one VLAN \24 and the same problem happens.

I FOUND THE SOLUTION TO THE ANDROID DEVICES NOT GETTING AN IP ADDRESS!

ANDROID DEVICES DO NOT LIKE UNICAST ARP REQUESTS.  THERE IS AN OPTION BY DEFAULT ON THE VIRTUAL AP, SSID "CONVERT BROADCAST ARP TO UNICAST ARP".  THIS OPTION NEEDS TO BE DISABLED!!  AS SOON AS I DID THIS CHANGE THE ANDROID DEVICES STARTED TO GET IP ADDRESS JUST FINE.

I FOUND OUT THAT WINDOWS\APPLE DEVICES DO NOT CARE IF THERE IS UNICAST ARP REQUESTS AND THATS WHY THEY WORKED JUST FINE.

I use a number of android devices and this has always been enabled.  I have never failed to get an ip address.  There has to be something else in play here...

Thank you! This fixed it on my old ASUS Nexus 7 (2013) immediately.