Frequent Contributor II
Posts: 125
Registered: ‎08-07-2013

SSID DHCP "obtaining IP address" problem

Over the past week or two we've seen a growing number of devices "hang" at obtaining an IP address on our primary SSID. The user-table reflects that an IP address has been assigned to the device but it obtains one or reaches "connected" status.

I just turned on DHCP debugging but I'm not sure what that will reflect. It's sporadic, and switching from our primary SSID to our onboarding SSID and back seems to fix the issue, but that's not an acceptable permanent solution to our problem.

Has anyone else seen this type of issue or can anyone recommend troubleshooting steps to determine the cause?


Thanks,

Rosie!

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: SSID DHCP "obtaining IP address" problem

Please open up a case for this issue! You can (in tandem) post some more info here like:

1. Code version

2. Config

3. Debug logs.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Frequent Contributor II
Posts: 125
Registered: ‎08-07-2013

Re: SSID DHCP "obtaining IP address" problem


SethFiermonti wrote:

Please open up a case for this issue! You can (in tandem) post some more info here like:

1. Code version

2. Config

3. Debug logs.


1. We are currently running 6.3.1.7, waiting for downtime to update.

2. Which config would you like to see?

3. I just enabled DHCP debug logs and will wait until the problem is reported again. It doesn't seem like something I can reproduce at will.

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: SSID DHCP "obtaining IP address" problem

OK great. I would like to see the VAP and all relevant profiles underneath it including SSID and AAA.

As far as code, 6.3.1.10 was released late last week. Please consider that as an upgrade.

For debug logs, also enable user-debugs for the client MAC address if known - logging level debugging user-debug <mac-address>

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Frequent Contributor II
Posts: 125
Registered: ‎08-07-2013

Re: SSID DHCP "obtaining IP address" problem

For what it's worth: on a case-by-case basis, removing a user from the user-table seems to help the user get connected.

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: SSID DHCP "obtaining IP address" problem

Curious - were you able to get the logs and can you also check to see if a user is blacklisted?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Frequent Contributor II
Posts: 125
Registered: ‎08-07-2013

Re: SSID DHCP "obtaining IP address" problem

The user was not blacklisted and the MAC address didn't show anywhere in the DHCP log.

It seems to be primarily happening with Android devices and "maybe" when roaming.

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: SSID DHCP "obtaining IP address" problem

What about user-debug logs?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Frequent Contributor II
Posts: 125
Registered: ‎08-07-2013

Re: SSID DHCP "obtaining IP address" problem

SethFiermonti wrote:

What about user-debug logs?


The problem with one of the users happened today between 11:26 and 11:32, when we removed them from the user-table, and then it was working.

Aug 25 11:26:38 :522036: <INFO> |authmgr| MAC=XX:XX:XX:XX:XX:XX Station DN: BSSID=XX:XX:XX:XX:XX:XX ESSID=SU-Secure VLAN=68 AP-name=HH-AP
Aug 25 11:26:38 :522234: <DBUG> |authmgr| Setting idle timer for user XX:XX:XX:XX:XX:XX to 300 seconds (idle timeout: 300 ageout: 0).
Aug 25 11:26:38 :501000: <DBUG> |stm| Station XX:XX:XX:XX:XX:XX: Clearing state
Aug 25 11:26:54 :501106: <NOTI> |AP HH-AP@xxx.xxx.xx.xx stm| Deauth to sta: XX:XX:XX:XX:XX:XX: Ageout AP xxx.xxx.xx.xx-XX:XX:XX:XX:XX:XX-HH-AP handle_sapcp
Aug 25 11:26:54 :501080: <NOTI> |AP HH-AP@xxx.xxx.xx.xx stm| Deauth to sta: XX:XX:XX:XX:XX:XX: Ageout AP xxx.xxx.xx.xx-XX:XX:XX:XX:XX:XX-HH-AP Sapcp Ageout (internal ageout)
Aug 25 11:26:54 :501114: <NOTI> |stm| Deauth from sta: XX:XX:XX:XX:XX:XX: AP xxx.xxx.xx.xx-XX:XX:XX:XX:XX:XX-HH-AP Reason 255
Aug 25 11:26:54 :501044: <NOTI> |stm| Station XX:XX:XX:XX:XX:XX: No authentication found trying to de-authenticate to BSSID XX:XX:XX:XX:XX:XX on AP HH-AP
Aug 25 11:27:00 :522245: <DBUG> |authmgr| user_age() called for MAC XX:XX:XX:XX:XX:XX IP 192.168.xxx.xxx.
Aug 25 11:27:32 :522245: <DBUG> |authmgr| user_age() called for MAC XX:XX:XX:XX:XX:XX IP 192.168.xxx.xxx.
Aug 25 11:28:36 :522245: <DBUG> |authmgr| user_age() called for MAC XX:XX:XX:XX:XX:XX IP 192.168.xxx.xxx.
Aug 25 11:29:40 :522245: <DBUG> |authmgr| user_age() called for MAC XX:XX:XX:XX:XX:XX IP 192.168.xxx.xxx.
Aug 25 11:29:59 :522005: <INFO> |authmgr| MAC=XX:XX:XX:XX:XX:XX IP=192.168.xxx.xxx User entry deleted: reason=user request
Aug 25 11:29:59 :522050: <INFO> |authmgr| MAC=XX:XX:XX:XX:XX:XX,IP=N/A User data downloaded to datapath, new Role=Priv-Staff-Wireless/98, bw Contract=0/0, reason=Station resetting role, idle-timeout=300
Aug 25 11:29:59 :522244: <DBUG> |authmgr| MAC=XX:XX:XX:XX:XX:XX Station Deleted Update MMS
Aug 25 11:29:59 :522265: <DBUG> |authmgr| "MAC:XX:XX:XX:XX:XX:XX: Deallocating UUID: 2918.
Aug 25 11:29:59 :522038: <INFO> |authmgr| username=bpcrockett MAC=XX:XX:XX:XX:XX:XX IP=192.168.xxx.xxx Authentication result=Authentication Successfu
Aug 25 11:30:00 :527004: <INFO> |mdns| mdns_parse_auth_useridle_message 197 Auth User Idle Timeout: MAC:XX:XX:XX:XX:XX:XX, WIRED:0, FW:0, VLAN:68, I
Aug 25 11:30:00 :527000: <DBUG> |mdns| mdns_client_purge 648 Purge mdns client, mac=XX:XX:XX:XX:XX:XX
Aug 25 11:32:04 :501109: <NOTI> |AP HH-AP@xxx.xxx.xx.xx stm| Auth request: XX:XX:XX:XX:XX:XX: AP xxx.xxx.xx.xx-XX:XX:XX:XX:XX:XX-HH-AP auth_al
Aug 25 11:32:04 :501093: <NOTI> |AP HH-AP@xxx.xxx.xx.xx stm| Auth success: XX:XX:XX:XX:XX:XX: AP xxx.xxx.xx.xx-XX:XX:XX:XX:XX:XX-HH-AP
Aug 25 11:32:04 :501095: <NOTI> |stm| Assoc request @ 11:32:04.137078: XX:XX:XX:XX:XX:XX (SN 2066): AP xxx.xxx.xx.xx-XX:XX:XX:XX:XX:XX-HH-AP
Aug 25 11:32:04 :501095: <NOTI> |AP HH-AP@xxx.xxx.xx.xx stm| Assoc request @ 11:32:04.083373: XX:XX:XX:XX:XX:XX (SN 2066): AP xxx.xxx.xx.xx-24:de
Aug 25 11:32:04 :501100: <NOTI> |AP HH-AP@xxx.xxx.xx.xx stm| Assoc success @ 11:32:04.084944: XX:XX:XX:XX:XX:XX: AP xxx.xxx.xx.xx-24:de:c6:b6:f7:
Aug 25 11:32:04 :501100: <NOTI> |stm| Assoc success @ 11:32:04.142247: XX:XX:XX:XX:XX:XX: AP xxx.xxx.xx.xx-XX:XX:XX:XX:XX:XX-HH-AP
Aug 25 11:32:04 :522035: <INFO> |authmgr| MAC=XX:XX:XX:XX:XX:XX Station UP: BSSID=XX:XX:XX:XX:XX:XX ESSID=SU-Secure VLAN=68 AP-name=HH-AP
Aug 25 11:32:04 :522077: <DBUG> |authmgr| MAC=XX:XX:XX:XX:XX:XX ingress 0x0x10b03 (tunnel 2819), u_encr 64, m_encr 64, slotport 0x0x2100 , type: loc
Aug 25 11:32:04 :522264: <DBUG> |authmgr| "MAC:XX:XX:XX:XX:XX:XX: Allocating UUID: 3950.
Aug 25 11:32:04 :522258: <DBUG> |authmgr| "VDR - Add to history of user user XX:XX:XX:XX:XX:XX vlan 0 derivation_type Reset VLANs for Station up ind
Aug 25 11:32:04 :522255: <DBUG> |authmgr| "VDR - set vlan in user for XX:XX:XX:XX:XX:XX vlan 68 fwdmode 0 derivation_type Default VLAN.
Aug 25 11:32:04 :522258: <DBUG> |authmgr| "VDR - Add to history of user user XX:XX:XX:XX:XX:XX vlan 68 derivation_type Default VLAN index 1.
Aug 25 11:32:04 :522255: <DBUG> |authmgr| "VDR - set vlan in user for XX:XX:XX:XX:XX:XX vlan 68 fwdmode 0 derivation_type Current VLAN updated.
Aug 25 11:32:04 :522258: <DBUG> |authmgr| "VDR - Add to history of user user XX:XX:XX:XX:XX:XX vlan 68 derivation_type Current VLAN updated index 2.
Aug 25 11:32:04 :522246: <DBUG> |authmgr| Idle timeout should be driven by STM for MAC XX:XX:XX:XX:XX:XX.
Aug 25 11:32:04 :522254: <DBUG> |authmgr| VDR - mac XX:XX:XX:XX:XX:XX rolename logon fwdmode 0 derivation_type Initial Role Contained vp not present
Aug 25 11:32:04 :522258: <DBUG> |authmgr| "VDR - Add to history of user user XX:XX:XX:XX:XX:XX vlan 0 derivation_type Reset Role Based VLANs index 3
Aug 25 11:32:04 :524124: <DBUG> |authmgr| dot1x_supplicant_up(): MAC:XX:XX:XX:XX:XX:XX, pmkid_present:True, pmkid:0b 2a 1a 5e 17 af b5 c9 ab 60 96 9
Aug 25 11:32:04 :522050: <INFO> |authmgr| MAC=XX:XX:XX:XX:XX:XX,IP=N/A User data downloaded to datapath, new Role=logon/1, bw Contract=0/0, reason=l
Aug 25 11:32:04 :522242: <DBUG> |authmgr| MAC=XX:XX:XX:XX:XX:XX Station Created Update MMS: BSSID=XX:XX:XX:XX:XX:XX ESSID=SU-Secure VLAN=68 AP-name=
Aug 25 11:32:04 :522038: <INFO> |authmgr| username=bpcrockett MAC=XX:XX:XX:XX:XX:XX IP=0.0.0.0 Authentication result=Authentication Successful metho
Aug 25 11:32:04 :522044: <INFO> |authmgr| MAC=XX:XX:XX:XX:XX:XX Station authenticate(start): method=802.1x, role=logon///logon, VLAN=68/68, Derivati
Aug 25 11:32:04 :522016: <INFO> |authmgr| MAC=XX:XX:XX:XX:XX:XX IP=?? Derived role '3' from Aruba VSA
Aug 25 11:32:04 :522017: <INFO> |authmgr| MAC=XX:XX:XX:XX:XX:XX IP=?? Derived role 'Priv-Staff-Wireless' from server rules: server-group=radius, aut
Aug 25 11:32:04 :522049: <INFO> |authmgr| MAC=XX:XX:XX:XX:XX:XX,IP=N/A User role updated, existing Role=logon/none, new Role=Priv-Staff-Wireless/non
Aug 25 11:32:04 :522050: <INFO> |authmgr| MAC=XX:XX:XX:XX:XX:XX,IP=N/A User data downloaded to datapath, new Role=Priv-Staff-Wireless/98, bw Contrac timeout=600
Aug 25 11:32:04 :522258: <DBUG> |authmgr| "VDR - Add to history of user user XX:XX:XX:XX:XX:XX vlan 0 derivation_type Reset Dot1x VLANs index 4.
Aug 25 11:32:04 :522254: <DBUG> |authmgr| VDR - mac XX:XX:XX:XX:XX:XX rolename NULL fwdmode 0 derivation_type Dot1x Aruba VSA vp present.
Aug 25 11:32:04 :522021: <INFO> |authmgr| MAC=XX:XX:XX:XX:XX:XX Derived VLAN '204' from Aruba VSA
Aug 25 11:32:04 :522255: <DBUG> |authmgr| "VDR - set vlan in user for XX:XX:XX:XX:XX:XX vlan 204 fwdmode 0 derivation_type Dot1x Aruba VSA.
Aug 25 11:32:04 :522258: <DBUG> |authmgr| "VDR - Add to history of user user XX:XX:XX:XX:XX:XX vlan 204 derivation_type Dot1x Aruba VSA index 5.
Aug 25 11:32:04 :522253: <DBUG> |authmgr| VDR - mac XX:XX:XX:XX:XX:XX derivation_type Dot1x Aruba VSA derived vlan 204.
Aug 25 11:32:04 :522254: <DBUG> |authmgr| VDR - mac XX:XX:XX:XX:XX:XX rolename NULL fwdmode 0 derivation_type Dot1x MSFT Attributes vp present.
Aug 25 11:32:04 :522254: <DBUG> |authmgr| VDR - mac XX:XX:XX:XX:XX:XX rolename NULL fwdmode 0 derivation_type Dot1x Server Rule vp present.
Aug 25 11:32:04 :522023: <INFO> |authmgr| MAC=XX:XX:XX:XX:XX:XX Derived VLAN 204 from server rules: server-group=radius
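The sequence in the log above (Station DN, repeated user_age() calls with the IP still bound, a manual user-entry deletion, then Station UP) can be pulled out of a larger user-debug capture per client. This is an added example, not part of the original posts; the sample lines are constructed, and the function name is hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the format of the user-debug output above; the MAC and
# IP values are invented, the message IDs are the ones seen in the thread.
SAMPLE = """\
Aug 25 11:26:38 :522036: <INFO> |authmgr| MAC=aa:bb:cc:00:00:01 Station DN: BSSID=aa:bb:cc:ff:00:01 ESSID=SU-Secure VLAN=68 AP-name=HH-AP
Aug 25 11:27:00 :522245: <DBUG> |authmgr| user_age() called for MAC aa:bb:cc:00:00:01 IP 192.0.2.10.
Aug 25 11:27:32 :522245: <DBUG> |authmgr| user_age() called for MAC aa:bb:cc:00:00:01 IP 192.0.2.10.
Aug 25 11:29:59 :522005: <INFO> |authmgr| MAC=aa:bb:cc:00:00:01 IP=192.0.2.10 User entry deleted: reason=user request
Aug 25 11:32:04 :522035: <INFO> |authmgr| MAC=aa:bb:cc:00:00:01 Station UP: BSSID=aa:bb:cc:ff:00:01 ESSID=SU-Secure VLAN=68 AP-name=HH-AP
Aug 25 11:40:00 :522036: <INFO> |authmgr| MAC=aa:bb:cc:00:00:02 Station DN: BSSID=aa:bb:cc:ff:00:01 ESSID=SU-Secure VLAN=68 AP-name=HH-AP
Aug 25 11:40:05 :522035: <INFO> |authmgr| MAC=aa:bb:cc:00:00:02 Station UP: BSSID=aa:bb:cc:ff:00:01 ESSID=SU-Secure VLAN=68 AP-name=HH-AP
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) :(\d+): <\w+> +\|[^|]*\| (.*)$")
MAC = re.compile(r"MAC[=: ]\s*((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")

def stale_user_entries(text):
    """List (mac, seconds entry outlived the station, user_age() calls, delete reason)."""
    down = {}    # mac -> [time of Station DN, user_age() calls seen since then]
    found = []
    for raw in text.splitlines():
        line = LINE.match(raw.strip())
        mac = MAC.search(line.group(3)) if line else None
        if not mac:
            continue
        ts, msg_id, body = line.groups()
        mac = mac.group(1).lower()
        # The log carries no year; a fixed leap year keeps the parse unambiguous.
        when = datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")
        if msg_id == "522036":                      # Station DN
            down[mac] = [when, 0]
        elif msg_id == "522035":                    # Station UP clears the state
            down.pop(mac, None)
        elif mac in down and msg_id == "522245":    # user entry still being aged
            down[mac][1] += 1
        elif mac in down and msg_id == "522005":    # user entry deleted while down
            since, ages = down.pop(mac)
            reason = body.split("reason=", 1)[-1].strip()
            found.append((mac, int((when - since).total_seconds()), ages, reason))
    return found

if __name__ == "__main__":
    for entry in stale_user_entries(SAMPLE):
        print(entry)
```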

Frequent Contributor II
Posts: 125
Registered: ‎08-07-2013

Re: SSID DHCP "obtaining IP address" problem

It looks like this was the problem of a PEF rule that doesn't quite compute. I had a rule blocking any traffic from 192.168.1.0/24 to 192.168.1.0/24 and that rule was blocking DHCP access after roaming/sleeping but while still in the user-table. I changed the rule to allow DHCP above that even though the DHCP server is on a different network block. Then Mac OS X devices had trouble roaming and would spam mDNS traffic and not have about a 30 second to 5 minute wait before they connected after roaming or sleeping, and I changed the initial rule to block user traffic to 192.168.1.0/24 and the Mac problem went away.

The initial goal was to not use "Deny inter user traffic" and instead use PEF so that we could start to test AirGroup. Can someone recommend a better way to use PEF to create client isolation?

 

Thanks again,

Rosie!
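The rule-order effect described in the last post, modelled as a first-match evaluator. This is an added example, not the poster's configuration or ArubaOS code: the rule tuples, the trailing permit and the sample packets are assumptions, and only the 192.168.1.0/24 block and the "DHCP permit above the deny" ordering come from the post.

```python
from ipaddress import ip_address, ip_network

CLIENTS = ip_network("192.168.1.0/24")  # client block named in the post
ANY = ip_network("0.0.0.0/0")
DHCP = ("udp", {67, 68})

# Rule = (source net, destination net, service or None for any, action).
DENY_INTER_USER = (CLIENTS, CLIENTS, None, "deny")
PERMIT_DHCP = (ANY, ANY, DHCP, "permit")
PERMIT_REST = (ANY, ANY, None, "permit")  # assumed trailing rule, not in the post

ORIGINAL = [DENY_INTER_USER, PERMIT_REST]
REORDERED = [PERMIT_DHCP, DENY_INTER_USER, PERMIT_REST]

def evaluate(rules, src, dst, proto, dport):
    """Return (rule index, action) of the first matching rule; no match is a deny."""
    for index, (src_net, dst_net, service, action) in enumerate(rules):
        if ip_address(src) not in src_net or ip_address(dst) not in dst_net:
            continue
        if service and (proto != service[0] or dport not in service[1]):
            continue
        return index, action
    return None, "deny"

# Constructed packets. For the subnet-to-subnet deny to hit DHCP at all, the
# DHCP packet must carry both addresses inside 192.168.1.0/24.
PACKETS = {
    "dhcp reply to client": ("192.168.1.1", "192.168.1.50", "udp", 68),
    "client to client smb": ("192.168.1.50", "192.168.1.60", "tcp", 445),
    "client to client udp/68": ("192.168.1.60", "192.168.1.50", "udp", 68),
    "client to outside": ("192.168.1.50", "198.51.100.7", "tcp", 443),
}

def compare():
    """Map each packet name to (action under ORIGINAL, action under REORDERED)."""
    return {name: (evaluate(ORIGINAL, *pkt)[1], evaluate(REORDERED, *pkt)[1])
            for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:26} original={before:6} reordered={after}")
```

The DHCP permit in this model is address-agnostic, so client-to-client UDP 67/68 passes as well; restricting its source to the known relay or server address would keep the isolation rule effective for those ports.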
