SSID DHCP "obtaining IP address" problem

  • 1.  SSID DHCP "obtaining IP address" problem

    Posted Aug 25, 2014 09:09 AM

    Over the past week or two we've seen a growing number of devices "hang" at obtaining an IP address on our primary SSID. The user-table reflects that an IP address has been assigned to the device but it obtains one or reaches "connected" status.

     

    I just turned on dhcp debugging but I'm not sure what that will reflect. It's sporadic and switching from our primary SSID to our onboarding SSID and back seems to fix the issue but that's not an acceptable permanent solution to our problem.

     

    Has anyone else seen this type of issue or can anyone recommend troubleshooting steps to determine the cause?


    Thanks,

     

    Rosie!



  • 2.  RE: SSID DHCP "obtaining IP address" problem

    EMPLOYEE
    Posted Aug 25, 2014 09:12 AM

    Please open up a case for this issue!  You can (in tandem) post some more info here like:

     

    1. Code version

    2. Config

    3. Debug logs.



  • 3.  RE: SSID DHCP "obtaining IP address" problem

    Posted Aug 25, 2014 09:17 AM

    @SethFiermonti wrote:

    Please open up a case for this issue!  You can (in tandem) post some more info here like:

     

    1. Code version

    2. Config

    3. Debug logs.


    1. We are currently running 6.3.1.7 waiting for downtime to update.

     

    2. Which config would you like to see?

     

    3. I just enabled DHCP debug logs and will wait until the problem is reported again. It doesn't seem like something I can reproduce at will.

     



  • 4.  RE: SSID DHCP "obtaining IP address" problem

    EMPLOYEE
    Posted Aug 25, 2014 09:19 AM

    OK great.  I would like to see the VAP and all relevant profiles underneath it including SSID and AAA.  

     

    As far as code, 6.3.1.10 was released late last week.  Please consider that as an upgrade.  

     

    For debug logs, also enable user-debugs for the client MAC address if known - logging level debugging user-debug <mac-address>



  • 5.  RE: SSID DHCP "obtaining IP address" problem

    Posted Aug 25, 2014 11:50 AM

    For what it's worth: on a case-by-case basis, removing a user from the user-table seems to help the user get connected.



  • 6.  RE: SSID DHCP "obtaining IP address" problem

    EMPLOYEE
    Posted Aug 25, 2014 11:52 AM

    Curious - were you able to get the logs and can you also check to see if a user is blacklisted?



  • 7.  RE: SSID DHCP "obtaining IP address" problem

    Posted Aug 25, 2014 11:57 AM

    The user was not blacklisted and the mac address didn’t show anywhere in the dhcp log.

     

    It seems to be primarily happening with Android devices and "maybe" when roaming.



  • 8.  RE: SSID DHCP "obtaining IP address" problem

    EMPLOYEE
    Posted Aug 25, 2014 12:23 PM

    What about user-debug logs?



  • 9.  RE: SSID DHCP "obtaining IP address" problem

    Posted Aug 25, 2014 12:34 PM

     

    @SethFiermonti wrote:

    What about user-debug logs?


    The problem with one of the users happened today between 11:26 and we removed them from the user-table at 11:32 and then it was working.

     

    Aug 25 11:26:38 :522036: <INFO> |authmgr| MAC=XX:XX:XX:XX:XX:XX Station DN: BSSID=XX:XX:XX:XX:XX:XX ESSID=SU-Secure VLAN=68 AP-name=HH-AP
    Aug 25 11:26:38 :522234: <DBUG> |authmgr| Setting idle timer for user XX:XX:XX:XX:XX:XX to 300 seconds (idle timeout: 300 ageout: 0).
    Aug 25 11:26:38 :501000: <DBUG> |stm| Station XX:XX:XX:XX:XX:XX: Clearing state
    Aug 25 11:26:54 :501106: <NOTI> |AP HH-AP@xxx.xxx.xx.xx stm| Deauth to sta: XX:XX:XX:XX:XX:XX: Ageout AP xxx.xxx.xx.xx-XX:XX:XX:XX:XX:XX-HH-AP handle_sapcp
    Aug 25 11:26:54 :501080: <NOTI> |AP HH-AP@xxx.xxx.xx.xx stm| Deauth to sta: XX:XX:XX:XX:XX:XX: Ageout AP xxx.xxx.xx.xx-XX:XX:XX:XX:XX:XX-HH-AP Sapcp Ageout (internal ageout)
    Aug 25 11:26:54 :501114: <NOTI> |stm| Deauth from sta: XX:XX:XX:XX:XX:XX: AP xxx.xxx.xx.xx-XX:XX:XX:XX:XX:XX-HH-AP Reason 255
    Aug 25 11:26:54 :501044: <NOTI> |stm| Station XX:XX:XX:XX:XX:XX: No authentication found trying to de-authenticate to BSSID XX:XX:XX:XX:XX:XX on AP HH-AP
    Aug 25 11:27:00 :522245: <DBUG> |authmgr| user_age() called for MAC XX:XX:XX:XX:XX:XX IP 192.168.xxx.xxx.
    Aug 25 11:27:32 :522245: <DBUG> |authmgr| user_age() called for MAC XX:XX:XX:XX:XX:XX IP 192.168.xxx.xxx.
    Aug 25 11:28:36 :522245: <DBUG> |authmgr| user_age() called for MAC XX:XX:XX:XX:XX:XX IP 192.168.xxx.xxx.
    Aug 25 11:29:40 :522245: <DBUG> |authmgr| user_age() called for MAC XX:XX:XX:XX:XX:XX IP 192.168.xxx.xxx.
    Aug 25 11:29:59 :522005: <INFO> |authmgr| MAC=XX:XX:XX:XX:XX:XX IP=192.168.xxx.xxx User entry deleted: reason=user request
    Aug 25 11:29:59 :522050: <INFO> |authmgr| MAC=XX:XX:XX:XX:XX:XX,IP=N/A User data downloaded to datapath, new Role=Priv-Staff-Wireless/98, bw Contract=0/0, reason=Station resetting role, idle-timeout=300
    Aug 25 11:29:59 :522244: <DBUG> |authmgr| MAC=XX:XX:XX:XX:XX:XX Station Deleted Update MMS
    Aug 25 11:29:59 :522265: <DBUG> |authmgr| "MAC:XX:XX:XX:XX:XX:XX: Deallocating UUID: 2918.
    Aug 25 11:29:59 :522038: <INFO> |authmgr| username=bpcrockett MAC=XX:XX:XX:XX:XX:XX IP=192.168.xxx.xxx Authentication result=Authentication Successfu
    Aug 25 11:30:00 :527004: <INFO> |mdns| mdns_parse_auth_useridle_message 197 Auth User Idle Timeout: MAC:XX:XX:XX:XX:XX:XX, WIRED:0, FW:0, VLAN:68, I
    Aug 25 11:30:00 :527000: <DBUG> |mdns| mdns_client_purge 648 Purge mdns client, mac=XX:XX:XX:XX:XX:XX
    Aug 25 11:32:04 :501109: <NOTI> |AP HH-AP@xxx.xxx.xx.xx stm| Auth request: XX:XX:XX:XX:XX:XX: AP xxx.xxx.xx.xx-XX:XX:XX:XX:XX:XX-HH-AP auth_al
    Aug 25 11:32:04 :501093: <NOTI> |AP HH-AP@xxx.xxx.xx.xx stm| Auth success: XX:XX:XX:XX:XX:XX: AP xxx.xxx.xx.xx-XX:XX:XX:XX:XX:XX-HH-AP
    Aug 25 11:32:04 :501095: <NOTI> |stm| Assoc request @ 11:32:04.137078: XX:XX:XX:XX:XX:XX (SN 2066): AP xxx.xxx.xx.xx-XX:XX:XX:XX:XX:XX-HH-AP
    Aug 25 11:32:04 :501095: <NOTI> |AP HH-AP@xxx.xxx.xx.xx stm| Assoc request @ 11:32:04.083373: XX:XX:XX:XX:XX:XX (SN 2066): AP xxx.xxx.xx.xx-24:de
    Aug 25 11:32:04 :501100: <NOTI> |AP HH-AP@xxx.xxx.xx.xx stm| Assoc success @ 11:32:04.084944: XX:XX:XX:XX:XX:XX: AP xxx.xxx.xx.xx-24:de:c6:b6:f7:
    Aug 25 11:32:04 :501100: <NOTI> |stm| Assoc success @ 11:32:04.142247: XX:XX:XX:XX:XX:XX: AP xxx.xxx.xx.xx-XX:XX:XX:XX:XX:XX-HH-AP
    Aug 25 11:32:04 :522035: <INFO> |authmgr| MAC=XX:XX:XX:XX:XX:XX Station UP: BSSID=XX:XX:XX:XX:XX:XX ESSID=SU-Secure VLAN=68 AP-name=HH-AP
    Aug 25 11:32:04 :522077: <DBUG> |authmgr| MAC=XX:XX:XX:XX:XX:XX ingress 0x0x10b03 (tunnel 2819), u_encr 64, m_encr 64, slotport 0x0x2100 , type: loc
    Aug 25 11:32:04 :522264: <DBUG> |authmgr| "MAC:XX:XX:XX:XX:XX:XX: Allocating UUID: 3950.
    Aug 25 11:32:04 :522258: <DBUG> |authmgr| "VDR - Add to history of user user XX:XX:XX:XX:XX:XX vlan 0 derivation_type Reset VLANs for Station up ind
    Aug 25 11:32:04 :522255: <DBUG> |authmgr| "VDR - set vlan in user for XX:XX:XX:XX:XX:XX vlan 68 fwdmode 0 derivation_type Default VLAN.
    Aug 25 11:32:04 :522258: <DBUG> |authmgr| "VDR - Add to history of user user XX:XX:XX:XX:XX:XX vlan 68 derivation_type Default VLAN index 1.
    Aug 25 11:32:04 :522255: <DBUG> |authmgr| "VDR - set vlan in user for XX:XX:XX:XX:XX:XX vlan 68 fwdmode 0 derivation_type Current VLAN updated.
    Aug 25 11:32:04 :522258: <DBUG> |authmgr| "VDR - Add to history of user user XX:XX:XX:XX:XX:XX vlan 68 derivation_type Current VLAN updated index 2.
    Aug 25 11:32:04 :522246: <DBUG> |authmgr| Idle timeout should be driven by STM for MAC XX:XX:XX:XX:XX:XX.
    Aug 25 11:32:04 :522254: <DBUG> |authmgr| VDR - mac XX:XX:XX:XX:XX:XX rolename logon fwdmode 0 derivation_type Initial Role Contained vp not present
    Aug 25 11:32:04 :522258: <DBUG> |authmgr| "VDR - Add to history of user user XX:XX:XX:XX:XX:XX vlan 0 derivation_type Reset Role Based VLANs index 3
    Aug 25 11:32:04 :524124: <DBUG> |authmgr| dot1x_supplicant_up(): MAC:XX:XX:XX:XX:XX:XX, pmkid_present:True, pmkid:0b 2a 1a 5e 17 af b5 c9 ab 60 96 9
    Aug 25 11:32:04 :522050: <INFO> |authmgr| MAC=XX:XX:XX:XX:XX:XX,IP=N/A User data downloaded to datapath, new Role=logon/1, bw Contract=0/0, reason=l
    Aug 25 11:32:04 :522242: <DBUG> |authmgr| MAC=XX:XX:XX:XX:XX:XX Station Created Update MMS: BSSID=XX:XX:XX:XX:XX:XX ESSID=SU-Secure VLAN=68 AP-name=
    Aug 25 11:32:04 :522038: <INFO> |authmgr| username=bpcrockett MAC=XX:XX:XX:XX:XX:XX IP=0.0.0.0 Authentication result=Authentication Successful metho
    Aug 25 11:32:04 :522044: <INFO> |authmgr| MAC=XX:XX:XX:XX:XX:XX Station authenticate(start): method=802.1x, role=logon///logon, VLAN=68/68, Derivati
    Aug 25 11:32:04 :522016: <INFO> |authmgr| MAC=XX:XX:XX:XX:XX:XX IP=?? Derived role '3' from Aruba VSA
    Aug 25 11:32:04 :522017: <INFO> |authmgr| MAC=XX:XX:XX:XX:XX:XX IP=?? Derived role 'Priv-Staff-Wireless' from server rules: server-group=radius, aut
    Aug 25 11:32:04 :522049: <INFO> |authmgr| MAC=XX:XX:XX:XX:XX:XX,IP=N/A User role updated, existing Role=logon/none, new Role=Priv-Staff-Wireless/non
    Aug 25 11:32:04 :522050: <INFO> |authmgr| MAC=XX:XX:XX:XX:XX:XX,IP=N/A User data downloaded to datapath, new Role=Priv-Staff-Wireless/98, bw Contrac timeout=600
    Aug 25 11:32:04 :522258: <DBUG> |authmgr| "VDR - Add to history of user user XX:XX:XX:XX:XX:XX vlan 0 derivation_type Reset Dot1x VLANs index 4.
    Aug 25 11:32:04 :522254: <DBUG> |authmgr| VDR - mac XX:XX:XX:XX:XX:XX rolename NULL fwdmode 0 derivation_type Dot1x Aruba VSA vp present.
    Aug 25 11:32:04 :522021: <INFO> |authmgr| MAC=XX:XX:XX:XX:XX:XX Derived VLAN '204' from Aruba VSA
    Aug 25 11:32:04 :522255: <DBUG> |authmgr| "VDR - set vlan in user for XX:XX:XX:XX:XX:XX vlan 204 fwdmode 0 derivation_type Dot1x Aruba VSA.
    Aug 25 11:32:04 :522258: <DBUG> |authmgr| "VDR - Add to history of user user XX:XX:XX:XX:XX:XX vlan 204 derivation_type Dot1x Aruba VSA index 5.
    Aug 25 11:32:04 :522253: <DBUG> |authmgr| VDR - mac XX:XX:XX:XX:XX:XX derivation_type Dot1x Aruba VSA derived vlan 204.
    Aug 25 11:32:04 :522254: <DBUG> |authmgr| VDR - mac XX:XX:XX:XX:XX:XX rolename NULL fwdmode 0 derivation_type Dot1x MSFT Attributes vp present.
    Aug 25 11:32:04 :522254: <DBUG> |authmgr| VDR - mac XX:XX:XX:XX:XX:XX rolename NULL fwdmode 0 derivation_type Dot1x Server Rule vp present.
    Aug 25 11:32:04 :522023: <INFO> |authmgr| MAC=XX:XX:XX:XX:XX:XX Derived VLAN 204 from server rules: server-group=radius
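
One way to find the symptom shown in the excerpt above in a larger log export, as an added example that is not part of any post in this thread: it flags clients whose user-table entry outlived a Station DN event, keyed on the message IDs visible in the excerpt (522036, 522035, 522245, 522005). The sample lines, MAC and IP addresses, the 2014 year and the 60-second threshold are constructed assumptions.

```python
import re
from datetime import datetime

# Message IDs exactly as they appear in the log excerpt above.
STATION_DN, STATION_UP, USER_AGE, USER_DELETED = "522036", "522035", "522245", "522005"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} +\d+ [\d:]{8}) :(?P<id>\d{6}): <\w+> \|[^|]*\| (?P<msg>.*)$")
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")

# Constructed sample in the thread's log format (addresses are made up).
SAMPLE_LOG = """\
Aug 25 11:26:38 :522036: <INFO> |authmgr| MAC=02:00:00:00:00:01 Station DN: BSSID=02:00:00:00:aa:01 ESSID=SU-Secure VLAN=68 AP-name=HH-AP
Aug 25 11:27:00 :522245: <DBUG> |authmgr| user_age() called for MAC 02:00:00:00:00:01 IP 192.168.1.50.
Aug 25 11:27:32 :522245: <DBUG> |authmgr| user_age() called for MAC 02:00:00:00:00:01 IP 192.168.1.50.
Aug 25 11:28:36 :522245: <DBUG> |authmgr| user_age() called for MAC 02:00:00:00:00:01 IP 192.168.1.50.
Aug 25 11:29:59 :522005: <INFO> |authmgr| MAC=02:00:00:00:00:01 IP=192.168.1.50 User entry deleted: reason=user request
Aug 25 11:30:10 :522036: <INFO> |authmgr| MAC=02:00:00:00:00:02 Station DN: BSSID=02:00:00:00:aa:01 ESSID=SU-Secure VLAN=68 AP-name=HH-AP
Aug 25 11:30:14 :522035: <INFO> |authmgr| MAC=02:00:00:00:00:02 Station UP: BSSID=02:00:00:00:aa:02 ESSID=SU-Secure VLAN=68 AP-name=HH-AP
"""

def find_stale_entries(lines, year=2014, min_stale=60):
    """Return (mac, stale_seconds, user_age_calls, cleared_by) for each client whose
    user-table entry outlived its Station DN by at least min_stale seconds."""
    down = {}       # mac -> [time of Station DN, user_age() calls seen since]
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        mac = MAC_RE.search(m["msg"]) if m else None
        if not mac:
            continue
        mac = mac.group(0).lower()   # first MAC in the message is the client
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg_id = m["id"]
        if msg_id == STATION_DN:
            down[mac] = [ts, 0]
        elif msg_id == USER_AGE and mac in down:
            down[mac][1] += 1
        elif msg_id in (USER_DELETED, STATION_UP) and mac in down:
            start, calls = down.pop(mac)
            stale = int((ts - start).total_seconds())
            if stale >= min_stale:
                cleared = "entry deleted" if msg_id == USER_DELETED else "station up"
                findings.append((mac, stale, calls, cleared))
    return findings

if __name__ == "__main__":
    for finding in find_stale_entries(SAMPLE_LOG.splitlines()):
        print(finding)
```

A quick roam (the second constructed client) stays below the threshold, so only entries that linger the way the one in this thread did are reported.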



  • 10.  RE: SSID DHCP "obtaining IP address" problem
    Best Answer

    Posted Aug 28, 2014 09:24 AM

    It looks like this was the problem of a PEF rule that doesn't quite compute. I had a rule blocking any traffic from 192.168.1.0/24 to 192.168.1.0/24 and that rule was blocking DHCP access after roaming/sleeping but while still in the user-table. I changed the rule to allow DHCP above that even though the DHCP server is on a different network block. Then Mac OS X devices had trouble roaming and would spam mdns traffic and not have about a 30 second to 5 minute wait before they connected after roaming or sleeping and I changed the initial rule to block user traffic to 192.168.1.0/24 and the Mac problem went away.

     

     

    The initial goal was to not use "Deny inter user traffic" and instead use PEF so that we could start to test AirGroup. Can someone recommend a better way to use PEF to create client isolation?

     

    Thanks again,

     

    Rosie!