Wireless Access

Hello airheads,

I currently have a problem with a small network.
Four APs are connected to a 7205 controller (AOS8.3). Until last week everything was running fine.

Now since friday the clients on the APs do not get an IP address anymore. I don't know if anyone has changed anything.

They can log on to the SSID normally and are listed as "authenticated" in the controller. I gave a client a static IP address and he can't ping his gateway. Forwarding mode is tunnel. Role authenticated. The Role has only one rule "any any permit". 

The controller can ping all IP addresses. (Gateway of the SSID network, dhcp etc.).
The DHCP for the client network also works normally, I have tested this with a wired-device.

I can only imagine a layer-2 problem so I try to provide these informations. The Controller is directly connected with two links to the core. 
The current configuration of the controller ports looks like this:

!

interface gigabitethernet 0/0/0
trusted
trusted vlan 1-4094
no poe
!

interface gigabitethernet 0/0/1
trusted
trusted vlan 1-4094
no poe
switchport mode trunk
switchport trunk allowed vlan 10,20
no spanning-tree
!

*Vlan 10 is the mgmt-network for the APs and Vlan 20 the client network. 
APs are working correctly, they are pingable and providing the SSID

Now the Core ports looks like this:

interface 1   -> connected to Gi0/0/0
no power-over-ethernet
tagged vlan 10,20
untagged vlan 100
no cdp enable
loop-protect

!

interface 2   -> connected to Gi0/0/1
no power-over-ethernet
tagged vlan 10,20
no cdp enable
loop-protect
!

Both links are up/up, Spanning-Tree forwarding (except Controller port Gi0/0/1 where STP is disabled for a reason I dont know). 

The Core is Gateway for vlan 10 and 20. The Controller has only one IP address in vlan 10. 
Controller can ping any IP address. 

- sorry for the long post, but I wanted to provide as many informations as I can. 

I think Layer1 is working without issues.
Layer3 seems working fine, the Gateway and DHCP are working as I think it should-
So for me only Layer2 issues can be the reason for the failure. 

I only wanted to get some ideas what can I test anymore, maybe I forgot something? 

Your controller & core ports are not configured the same AND you're not doing any sort of link aggrigation.

I would start by unplugging "interface gigabitethernet 0/0/0" and configuring both sides of the link (0/0/0 - interface 2) with the same switchport configuration.

If you want to introduce a second link, I'd recommend looking into link aggrigation. LACP would be a good start if it's supported on your core.

Thank you both for your feedback. I was careful to configure something at first, because that's how it worked before.

But now I will start to correct the ports and I will give the controller an IP in Vlan 20 and verify the connection with gateway and dhcp.  

I will report the results.

Thank you both again.

Probably one of the admins has changed something on the connections, after I configured the interface on the core clean and correctly everything ran normally again.

Hello Phillip

Configs look OK... Someone has to have changed something somewhere

On the Controller do a "show audit-trail" and see if there has been any changes there.

Is an ip-helper needed somewhere?

Can you check the DHCP server to see if the leases are obtained?

If they don't get an IP-address you won't see them correctly in the user-table.

"show station-table" to verify role and other vitals

As a test to verify vlan 20 all to the gateway..

Add an IP-address for you controller i VLAN 20 and verify that you can ping the gateway there using source 20. If OK - change it to dhcp and see if your controller can get an IP by dhcp..

If not OK, check uplinks of the switch if vlan 20 is still tagged there..