Hello Alexandre,
Two questions. First, AOS version? I'm assuming AOS 8.6 or later, but if AOS 10, the rules change a bit.
Second, are you using a Mobility Controller (7005, 7008, 7205, 7210, etc.) or gateway (90xx), or are these really IAPs managed by a swarm/cluster Virtual Controller? IAPs can be set to run in campus mode, so this does make a difference.
You mention Central, so it's a bit unclear how this really would work. Central will manage IAP swarms, or AOSv10 Gateways. Your 7010 may be managing the IAPs if they are in Campus mode. If this is the case, the default forwarding mode is "tunneled" meaning all traffic is sent back to the Mobility Controller for connectivity to the network. An alternate is Bridged mode, where the MC participates in authentication, but the user traffic is placed on the network at the AP's switch port.
Lack of DHCP often arises when the controller doesn't have an IP address in the VLAN in question, and the DHCP server is on a firewall or other switch. If the controller is set up to attempt to proxy DHCP but doesn't have an IP address, problems occur.
On my lab IAP configuration, no DHCP service or proxy is performed. I have a layer 3 interface for my trusted subnets on my core switch, which runs DHCP service for them (Aruba 2830F). The untrusted networks - guest, IoT - do not have a L3 interface. Traffic passes through the core switch to my antique Cisco ASA, which has the L3 interfaces for these subnets, as well as running DHCP service.
If I had a Windows Server or other DHCP server, I could set the DHCP proxy/helper address on the core switch for trusted networks, and the firewall for untrusted, to dereference that outside server.
If controller-based, the rules change a bit. Since the default is to tunnel back to the controller for distribution of traffic, you will either need to have an IP address and helper/proxy set up on the controller for each subnet/VLAN, or not place an IP address on the controller for the VLAN and perform a L2 pass-through so the core switch (trusted subnets) or firewall (untrusted subnets) can either provide DHCP service or proxy/helper functionality.
The most important thing, at least for me to be confident in my reply, is knowing the actual management/AP function in use (IAP or CAP). This reply tries to be general, so it may be more difficult to decipher than if there was a clear definition of whether this network uses IAP/VC or CAP/MC. The product being labeled IAP doesn't assure the mode is Instant.
------------------------------
Timothy Leadbetter
ACMP, ACSP, ACCA
CWNA, CWDP
ECSE-Design
Not a current HPE/Aruba Employee
------------------------------
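As an added illustration (not Timothy's or Alexandre's configuration), the two controller-based options described in the reply above, written as ArubaOS controller and ArubaOS-Switch CLI fragments. VLAN IDs, subnets, the DHCP server 10.0.1.5 and the port 0/0/0 are assumed values; lines beginning with ! are comments.

```text
! --- Controller side (ArubaOS) ---

! Option A (assumed values): the controller owns an IP in the user VLAN and relays
! DHCP itself. A client tunneled into VLAN 30 has its DISCOVER relayed to 10.0.1.5.
interface vlan 30
  ip address 10.0.30.2 255.255.255.0
  ip helper-address 10.0.1.5

! Failure case from the reply: a helper is set but the controller has no address
! in the VLAN, so it has nothing to relay from and clients never get a lease.
! interface vlan 31
!   ip helper-address 10.0.1.5        <- no "ip address" line: relay cannot work

! Option B (assumed values): L2 pass-through. The controller carries VLAN 40 but
! has no IP in it; the VLAN is trunked to the core switch / firewall, which owns
! the L3 interface and the helper. Nothing on the controller touches DHCP.
interface vlan 40
interface gigabitethernet 0/0/0
  switchport mode trunk
  switchport trunk allowed vlan 1,30,40

! --- Core switch side for Option B (ArubaOS-Switch, trusted subnet) ---
vlan 40
   name "staff"
   tagged 1
   ip address 10.0.40.1 255.255.255.0
   ip helper-address 10.0.1.5
```

For an untrusted subnet under Option B the same L3 interface and helper would live on the firewall instead of the core switch, exactly as the reply describes for the guest and IoT networks.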
Original Message:
Sent: Dec 23, 2021 05:04 AM
From: Alexandre RAIMBAULT
Subject: Issue with IAP and mobility controller : Can't get DHCP
Hello,
We have an issue with WiFi.
These are new devices.
Here's the schema.
We have an employee WiFi with RADIUS authentication and DHCP on the REMOTE site > It works fine.
Then we have a guest SSID (no auth, no password, open); it passes through a GRE tunnel to the mobility controller. DHCP is on CENTRAL.
WiFi is connected but there is no IP address.
From the IAP (Virtual Controller):
AP# show vpn config
Concentrator
------------
Type Value
---- -----
VPN Primary Server
VPN Backup Server
VPN Preemption disable
VPN Preemption disable
VPN Fast Failover disable
VPN Hold Time 600
VPN Monitor Pkt Send Freq 5
VPN Monitor Pkt Lost Cnt 6
VPN Reconnect Duration before Normal-Failover 30 Seconds
VPN Ikepsk 14d0e4ced617a2102d1c8074fe317ef5
VPN Username
VPN Password 24a73d0d29b8fdd30af7f2314c8fec85
NAT outside disable
Source VLANs
GRE outside vpn disable
GRE Per AP Tunnel disable
GRE Type 48
GRE Primary Server 10.0.3.120
GRE Primary IP Address 10.0.3.120
GRE Backup Server
GRE Backup IP Address 0.0.0.0
GRE Reconnect User On Failover enable
GRE Reconnect Time On Failover 60
Reconnect User On Failover disable
Reconnect Time On Failover 60
Routing Table
--------------
Destination Netmask Gateway Metric Type Flag
----------- ------- ------- ------ ---- ----
Number of Route Entries :0
Route Flags: A = Active; D = in Datapath; M = to Master
From the Mobility Controller:
(MC) ^[mynode] #show datapath session table 10.110.3.50
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
u - Upstream Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
r - Route Nexthop, h - High Value
A - Application Firewall Inspect
J - SDWAN Default Probe stats used as fallback
B - Permanent, O - Openflow
L - Log, o - Openflow config revision mismatched
Source IP or MAC Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags CPU ID
----------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------- ---------- --------------- -------
There is no data, but yesterday I saw traffic. There were packets from the MC to the VC but not from the VC to the MC.
Another question: why does the authenticated WiFi disconnect when the Mobility Controller is off? Authenticated WiFi should not pass through the mobility controller.
Thanks for help.
Regards.
------------------------------
Alexandre RAIMBAULT
------------------------------