Wireless Access

Hi!

 

I can´t get the solution of this case:

 

Clients using mobile phones are unable to reconnect to the corporate or guest SSID but the session remains active without being connected.

The customer close the session via CLI or Webui when the mobile can not connect, then , the mobile can connect.

 

This only affects all types of mobile and affects to all roles.

 

 i need a help :(

 

Im speak spanish.. sorry for my english.

 

the detail:

**********************

show version

Aruba Operating System Software.
ArubaOS (MODEL: Aruba3200), Version 6.3.1.1

 

*************************

 

questions that can help you:

 

Ø Does all the clients are facing this issue or with specific OS ( Android , I phone , windows based phone ) ? .

Yes, we have tried with Android (diferent versions from 2.3.6 to 4.4.2), iPad and Windows Phone…

Ø Is it a new set-up or an existing set-up ?

This problem occurs from initial setup and year ago… but is now when we want include Smartphone/devices in our wifi-network
Ø Was it working fine in the past (from the time of installation) ?

N/A

Ø How long are you facing the issue ?

One year ago… but its really now when we have checking it.

Ø Are we facing the issue with a specific location / AP ?

No, we have two sites with two independent controllers and same or similarly config. And both of them we have the problem.

Ø Are you trying to reconnect after disconnecting at the same location or moving to a different location ( Roaming Client )

Yes… really here is the problem. If I move over coverage zone, I have not any problem. But if I disconnect manually or I move to zone without coverage, when I try connect again I can’t connect.

Ø Also please provide us the output by executing the command # show ap association client-mac < client mac address >

PTMAruba) #show ap association client-mac cc:fa:00:a6:cd:29

The phy column shows client's operational capabilities for current association

Flags: A: Active, B: Band Steerable, H: Hotspot(802.11u) client, K: 802.11K client, R: 802.11R client, W: WMM client, w: 802.11w client

PHY Details: HT : High throughput; 20: 20MHz; 40: 40MHz

VHT : Very High throughput; 80: 80MHz; 160: 160MHz; 80p80: 80MHz + 80MHz

<n>ss: <n> spatial streams

Association Table

-----------------

Name bssid mac auth assoc aid l-int essid vlan-id tunnel-id phy assoc. time num assoc Flags Band steer moves (T/S)

---- ----- --- ---- ----- --- ----- ----- ------- --------- --- ----------- --------- ----- ----------------------

AP-Sistemas 6c:f3:7f:29:77:1c cc:fa:00:a6:cd:29 y y 1 10 gmvstaff 56 0x1010b a-HT-40sgi-1ss 22s 1 WAB 8/6

cc:fa:00:a6:cd:29-6c:f3:7f:29:77:1c Stats

------------------------------------------

Parameter Value

--------- -----

Channel 60

Channel Frame Retry Rate(%) 0

Channel Frame Low Speed Rate(%) 0

Channel Frame Non Unicast Rate(%) 0

Channel Frame Fragmentation Rate(%) 0

Channel Frame Error Rate(%) 0

Channel Bandwidth Rate(kbps) 0

Channel Noise 93

Client Frame Retry Rate(%) 0

Client Frame Low Speed Rate(%) 0

Client Frame Non Unicast Rate(%) 0

Client Frame Fragmentation Rate(%) 0

Client Frame Receive Error Rate(%) 0

Client Bandwidth Rate(kbps) 0

Client Tx Packets 14

Client Rx Packets 2

Client Tx Bytes 1725

Client Rx Bytes 169

Client SNR 21


Ø #show ap remote debug mgmt-frame ap-name < name of the ap >

(PTMAruba) #show ap remote debug mgmt-frames ap-name AP-Sistemas | include cc:fa:00:a6:cd:29

Mar 3 15:09:37 deauth 6c:f3:7f:29:77:1c cc:fa:00:a6:cd:29 6c:f3:7f:29:77:1c 15 - (internal only)

Mar 3 15:09:19 disassoc cc:fa:00:a6:cd:29 6c:f3:7f:29:77:1c 6c:f3:7f:29:77:1c 60 STA has left and is disassociated

Mar 3 15:08:20 assoc-resp 6c:f3:7f:29:77:1c cc:fa:00:a6:cd:29 6c:f3:7f:29:77:1c 15 Success

Mar 3 15:08:20 assoc-req cc:fa:00:a6:cd:29 6c:f3:7f:29:77:1c 6c:f3:7f:29:77:1c 34 -

Mar 3 15:08:20 auth 6c:f3:7f:29:77:1c cc:fa:00:a6:cd:29 6c:f3:7f:29:77:1c 15 Success (seq num 2098)


Ø #show aaa timer
(PTMAruba) #show aaa timers

Global User idle timeout = 3600 seconds

Auth Server dead time = 10 minutes

Logon user lifetime = 5 minutes

User Interim stats frequency = 600 seconds

 

****************************************************************************************************

 

Why that might happen??

 

i attached the log when this occur

 

Timeout mobile IP? timeout session role?  timeout AAA? i don´t know... :(   i have tech support.

 

Thank you very much!!

 

 

#3600

I had a similer issue - that i found out that caused by wrong user roles..after i figure it out and fixed all the ACL - everything solved.

*can u please write here - what ACL are u using?* for all the networks - and with with roles inside the ACL*
Read here - it will give an idea - where i think your issue is:

http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/SplitTunnel-Captive-Portal-connectivity-issues-in-Aruba/m-p/141209#M30105

 

Also - be sure to use default AAA timers > and then test it.

HI,

 

Thank you!

 

i Attached the roles ands acl.

 

acl hits:

 

 

User Role ACL Hits
------------------
Role Policy Src Dst Service Action Dest/Opcode New Hits Total Hits Index Ipv4/Ipv6
---- ------ --- --- ------- ------ ----------- -------- ---------- ----- ---------
logon logon-control any any svc-icmp permit 311 645 8645 ipv4
logon logon-control any any svc-dns permit 6 106 8646 ipv4
logon logon-control any any svc-dhcp permit 29 59 8647 ipv4
logon logon-control any any svc-natt permit 0 14 8648 ipv4
logon captiveportal user controller svc-https dst-nat 8081 0 8 8651 ipv4
logon captiveportal user any svc-http dst-nat 8080 1 25 8652 ipv4
logon captiveportal user any svc-https dst-nat 8081 0 27 8653 ipv4
logon any any 0 deny 6180 11481 8675 ipv6
sys-ap-role sys-control any any sys-svc-icmp permit 506 2033 8532 ipv4
sys-ap-role sys-control any any sys-svc-papi permit 4026183 11926738 8534 ipv4
sys-ap-role sys-control any any sys-svc-sec-papi permit 1226556 3593642 8535 ipv4
sys-ap-role sys-control any any sys-svc-natt permit 576413 1567130 8540 ipv4
sys-ap-role sys-ap-acl any any sys-svc-gre permit 160 420 8541 ipv4
sys-ap-role sys-ap-acl any any sys-svc-syslog permit 6990 20719 8542 ipv4
sys-ap-role sys-ap-acl user any sys-svc-ftp permit 0 7 8549 ipv4
sys-ap-role any any 0 deny 6 529 8551 ipv6
gmvstaff-guest-logon logon-control any any svc-icmp permit 934 1780 8560 ipv4
gmvstaff-guest-logon logon-control any any svc-dns permit 108543 269502 8561 ipv4
gmvstaff-guest-logon logon-control any any svc-dhcp permit 12388 30910 8562 ipv4
gmvstaff-guest-logon logon-control any 240.0.0.0 240.0.0.0 any deny 129 380 8565 ipv4
gmvstaff-guest-logon captiveportal user controller svc-https dst-nat 8081 24937 163276 8566 ipv4
gmvstaff-guest-logon captiveportal user any svc-http dst-nat 8080 41456 263998 8567 ipv4
gmvstaff-guest-logon captiveportal user any svc-https dst-nat 8081 39150 228698 8568 ipv4
gmvstaff-guest-logon captiveportal user any svc-http-proxy1 dst-nat 8088 0 2 8569 ipv4
gmvstaff-guest-logon captiveportal user any svc-http-proxy2 dst-nat 8088 59 169 8570 ipv4
gmvstaff-guest-logon any any 0 deny 205149 462387 8572 ipv6
gmvstaff-guest Internet-staff user Private Networks any deny 257 257 13023 ipv4
gmvstaff-guest Internet-staff user Private Networks any deny 13988 13988 13024 ipv4
gmvstaff-guest Internet-staff user Private Networks any deny 94823 94823 13025 ipv4
gmvstaff-guest Internet-staff user any any permit 473010 473010 13026 ipv4
gmvstaff-guest any any 0 deny 20745 20745 13027 ipv6
gmvguest-guest-logon logon-control any any svc-icmp permit 1712 2102 8574 ipv4
gmvguest-guest-logon logon-control any any svc-dns permit 180205 363651 8575 ipv4
gmvguest-guest-logon logon-control any any svc-dhcp permit 11032 22223 8576 ipv4
gmvguest-guest-logon logon-control any any svc-natt permit 26 26 8577 ipv4
gmvguest-guest-logon logon-control any 240.0.0.0 240.0.0.0 any deny 1007 1741 8579 ipv4
gmvguest-guest-logon captiveportal user controller svc-https dst-nat 8081 41244 100029 8580 ipv4
gmvguest-guest-logon captiveportal user any svc-http dst-nat 8080 148798 206937 8581 ipv4
gmvguest-guest-logon captiveportal user any svc-https dst-nat 8081 103851 183073 8582 ipv4
gmvguest-guest-logon captiveportal user any svc-http-proxy1 dst-nat 8088 0 13 8583 ipv4
gmvguest-guest-logon captiveportal user any svc-http-proxy2 dst-nat 8088 1166 5267 8584 ipv4
gmvguest-guest-logon any any 0 deny 213254 322321 8586 ipv6
gmvguest-guest Internet-guest user Private Networks any deny 5674 8470 8367 ipv4
gmvguest-guest Internet-guest user Private Networks any deny 4922 67618 8368 ipv4
gmvguest-guest Internet-guest user Private Networks any deny 80131 200199 8369 ipv4
gmvguest-guest Internet-guest user any any permit 1113633 1906018 8370 ipv4
gmvguest-guest any any 0 deny 12254 17501 8371 ipv6
authenticated allowall any any any permit 4487397 9880778 8468 ipv4
gsmart allowall any any any permit 18730 18730 15203 ipv4
gsmart AllowedMACS 5c:f3:70:00:00:a3 00:00:00:00:00:00 permit 608 608 15206 ipv4
gsmart AllowedMACS 40:30:04:84:8c:44 00:00:00:00:00:00 permit 1413 1413 15207 ipv4
gsmart AllowedMACS cc:fa:00:a6:cd:29 00:00:00:00:00:00 permit 136 136 15208 ipv4
gsmart AllowedMACS any deny 82 82 15209 ipv4
gsmart_to_inet Internet-staff user Private Networks any deny 60 60 15212 ipv4
gsmart_to_inet Internet-staff user Private Networks any deny 6 6 15213 ipv4
gsmart_to_inet Internet-staff user any any permit 5766 5766 15214 ipv4
gsmart_to_inet any any 0 deny 483 483 15215 ipv6

 

 

I think it's a lot of information :(

 

Thanks and sorry for my english

i will try to do it.

 

thanks

 

Since the users are able to associate make sure that the VLAN/ IP Segment and DHCP server are working properly.

 

What's acting as your DHCP server ? If it external do you have the IP Helper address on that VLAN ?

 

 

 

 

HIi,

 

Thank you for your help.

 

At first, the DHCP client used the controller, but they had this problem. For this motive, they  began using an external DHCP.

 

Best regards!

 

 

 

 

 

 

 

Hi!!

 

We restarted the controller and the problems have disappeared. :)

Looks like a memory resource issue or some process. ?¿?¿

We believe that will reproduce the problem in a few days :(

The strange thing is that it only happens to all mobiles.

 

 

If it starts happening open a TAC case and the following commands it might tell you if there's any issues with any of the processes
Show log system all
Show process monitor stats

Hi Victor.

 

OK!! We wait to verify this.

 

Thank you very much! nice day