Hello,
From the Logs..
logging level debugging user-debug 50:1c:b0:3a:54:ea process dhcpd subcat all
>>>>>>>>>>>
AP Reboot Issue:
Nov 19 09:59:38 nanny[3668]: <303022> <WARN> |AP CR7ASW001AP03@172.20.2.133 nanny| Reboot Reason: AP rebooted Wed Dec 31 16:05:15 PST 1969; DHCP timed out
Nov 19 09:59:40 nanny[3693]: <303022> <WARN> |AP CR7ASW001AP04@172.20.2.134 nanny| Reboot Reason: AP rebooted Wed Dec 31 16:05:15 PST 1969; DHCP timed out
>>>>>>>>>>>
Channel Interference:
Nov 19 10:08:01 KERNEL(CR03ASW001AP08@172.20.2.10): [2163340.623777] dfs_radar_enable: firpwr=0, rssi=0, height=0, prssi=0, inband=0, relpwr=0, relstep=0, maxlen=0
Nov 19 10:08:02 KERNEL(CR03ASW001AP08@172.20.2.10): [2163341.352705] dfs_init_radar_filters: dfsdomain=2, numradars=9, numb5radars=0
Nov 19 10:08:02 KERNEL(CR03ASW001AP08@172.20.2.10): [2163341.352737] DFS max pulse dur = 61 ticks
Nov 19 10:08:02 KERNEL(CR03ASW001AP08@172.20.2.10): [2163341.352737] DFS max pulse pri = 5004, min pulse pri = 246
Nov 19 10:08:02 KERNEL(CR03ASW001AP08@172.20.2.10): [2163341.352737] DFS min filter rssiThresh = 15
Nov 19 10:08:02 KERNEL(CR03ASW001AP08@172.20.2.10): [2163341.352768] Enabled radar detection on channel 5520
Nov 19 10:08:02 KERNEL(CR03ASW001AP08@172.20.2.10): [2163341.352768] dfs_radar_enable: duration multiplier is 72
>>>>>>>>>>>
Errors:
Nov 18 08:53:11 dot1x-proc:1[4335]: <138093> <4335> <ERRS> |dot1x-proc:1| WPA2 Key message 2 from Station 90:97:f3:32:ee:64 20:a6:cd:25:ec:60 TE045AP01 did not match the replay counter 03 vs 04
Nov 18 08:53:46 dbsync[3826]: <307269> <3826> <ERRS> |dbsync| dbsync: timed out, failed to complete in time (state= WAITING FOR ACK FROM STANDBY TO START, timeout= 30000)
Nov 18 08:54:51 dot1x-proc:2[4338]: <138093> <4338> <ERRS> |dot1x-proc:2| WPA2 Key message 2 from Station 68:5a:cf:c7:d3:69 20:a6:cd:25:ec:00 TE041AP01 did not match the replay counter 01 vs 03
Nov 18 08:54:51 dot1x-proc:2[4338]: <138093> <4338> <ERRS> |dot1x-proc:2| WPA2 Key message 2 from Station 68:5a:cf:c7:d3:69 20:a6:cd:25:ec:00 TE041AP01 did not match the replay counter 03 vs 04
Nov 18 08:56:02 dot1x-proc:2[4338]: <138093> <4338> <ERRS> |dot1x-proc:2| WPA2 Key message 2 from Station 0c:b3:19:49:3e:b7 20:a6:cd:25:ed:20 TE025AP01 did not match the replay counter 03 vs 04
Nov 18 08:58:54 stm[3328]: <304055> <ERRS> |AP CR03ASW001AP03@172.20.2.16 stm| |ap| Unexpected stm (Station management) runtime error at handle_assoc_req, 7314, sta_mac:3c:57:6c:41:e8:0c, in_drvr_mgmt:0
Nov 18 09:00:40 stm[3315]: <304055> <ERRS> |AP CR2ASW005AP02@172.20.2.81 stm| |ap| Unexpected stm (Station management) runtime error at handle_assoc_req, 7314, sta_mac:54:fc:f0:b0:b9:25, in_drvr_mgmt:0
Nov 18 09:03:47 dbsync[3826]: <307269> <3826> <ERRS> |dbsync| dbsync: timed out, failed to complete in time (state= WAITING FOR ACK FROM STANDBY TO START, timeout= 30000)
Nov 18 09:13:48 dbsync[3826]: <307269> <3826> <ERRS> |dbsync| dbsync: timed out, failed to complete in time (state= WAITING FOR ACK FROM STANDBY TO START, timeout= 30000)
>>>>>>>>>>>>
IP spoof warning with Samsung/Huawei NIC cards:
Nov 18 22:20:28 authmgr[3645]: <522027> <3645> <WARN> |authmgr| MAC=14:3c:c3:fe:2c:80 IP=172.24.0.181 IP Spoof from MAC=d8:32:e3:9e:e6:84 role=authenticated/(null)
Nov 18 22:21:33 authmgr[3645]: <522027> <3645> <WARN> |authmgr| MAC=14:3c:c3:fe:2c:80 IP=172.24.0.181 IP Spoof from MAC=d8:32:e3:9e:e6:84 role=authenticated/(null)
Nov 18 22:22:46 authmgr[3645]: <522027> <3645> <WARN> |authmgr| MAC=14:3c:c3:fe:2c:80 IP=172.24.0.181 IP Spoof from MAC=d8:32:e3:9e:e6:84 role=authenticated/(null)
>>>>>>>>>>>>
Even the APs were failing to get the IP address from the Server, so they were rebooting.
- show aaa state station <Test_Client_MAC> --> To check if the client is authenticated and getting the role correctly, note the role-name of the client
- show rights "role-name" --> confirm that the role-name has DHCP allowed on the ACL
After the above steps, please check the below:
- For testing, you can configure a test VLAN for the "PoB" SSID and see if it is working, to confirm that it is not a VLAN-specific issue
- Try assigning a static IP and check the result if and after successful authentication
- Server connectivity for the client VLAN 500
- Check if a DHCP helper is configured on the VLAN/Gateway I/F
- Check on the Server logs, whether we are getting the DHCP Discover from the clients
- If yes, check the server scope
- If not, check each hop in between for DHCP drops
- If we get an Offer from the Server, we should be seeing the Offer from the Server, which is not present in the log file
By this time you will be able to identify the issue. Please share the result, I might be able to help you.
Also, please keep an eye on the other errors/warnings that I have highlighted above; it seems you are experiencing a lot of interference in the air.
Good Luck!!
- Jeeva Selvakumar
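
To see which APs, stations and MAC pairs account for the recurring messages quoted above, the lines can be tallied by message ID. This is an added example, not part of the original post: the category names are labels chosen here, and the regexes assume the exact line layouts shown in the excerpts.

```python
import re
from collections import Counter, defaultdict

# One regex per message ID seen in the post; category names are labels chosen here.
RULES = {
    "ap_reboot": re.compile(
        r"<303022> .*\|AP ([^@\s]+)@\S+ nanny\| Reboot Reason: .*; (.+)$"),
    "replay_counter": re.compile(
        r"<138093> .* from Station (\S+) (\S+) (\S+) did not match the replay counter"),
    "ip_spoof": re.compile(
        r"<522027> .*\| MAC=(\S+) IP=(\S+) IP Spoof from MAC=(\S+)"),
    "dbsync_timeout": re.compile(
        r"<307269> .*timed out, .*\(state= ([^,]+),"),
}

# Sample input: a subset of the log lines quoted in the post above.
SAMPLE = """\
Nov 19 09:59:38 nanny[3668]: <303022> <WARN> |AP CR7ASW001AP03@172.20.2.133 nanny| Reboot Reason: AP rebooted Wed Dec 31 16:05:15 PST 1969; DHCP timed out
Nov 19 09:59:40 nanny[3693]: <303022> <WARN> |AP CR7ASW001AP04@172.20.2.134 nanny| Reboot Reason: AP rebooted Wed Dec 31 16:05:15 PST 1969; DHCP timed out
Nov 19 10:08:02 KERNEL(CR03ASW001AP08@172.20.2.10): [2163341.352768] Enabled radar detection on channel 5520
Nov 18 08:53:46 dbsync[3826]: <307269> <3826> <ERRS> |dbsync| dbsync: timed out, failed to complete in time (state= WAITING FOR ACK FROM STANDBY TO START, timeout= 30000)
Nov 18 08:54:51 dot1x-proc:2[4338]: <138093> <4338> <ERRS> |dot1x-proc:2| WPA2 Key message 2 from Station 68:5a:cf:c7:d3:69 20:a6:cd:25:ec:00 TE041AP01 did not match the replay counter 01 vs 03
Nov 18 08:54:51 dot1x-proc:2[4338]: <138093> <4338> <ERRS> |dot1x-proc:2| WPA2 Key message 2 from Station 68:5a:cf:c7:d3:69 20:a6:cd:25:ec:00 TE041AP01 did not match the replay counter 03 vs 04
Nov 18 08:56:02 dot1x-proc:2[4338]: <138093> <4338> <ERRS> |dot1x-proc:2| WPA2 Key message 2 from Station 0c:b3:19:49:3e:b7 20:a6:cd:25:ed:20 TE025AP01 did not match the replay counter 03 vs 04
Nov 18 09:03:47 dbsync[3826]: <307269> <3826> <ERRS> |dbsync| dbsync: timed out, failed to complete in time (state= WAITING FOR ACK FROM STANDBY TO START, timeout= 30000)
Nov 18 22:20:28 authmgr[3645]: <522027> <3645> <WARN> |authmgr| MAC=14:3c:c3:fe:2c:80 IP=172.24.0.181 IP Spoof from MAC=d8:32:e3:9e:e6:84 role=authenticated/(null)
Nov 18 22:21:33 authmgr[3645]: <522027> <3645> <WARN> |authmgr| MAC=14:3c:c3:fe:2c:80 IP=172.24.0.181 IP Spoof from MAC=d8:32:e3:9e:e6:84 role=authenticated/(null)
Nov 18 22:22:46 authmgr[3645]: <522027> <3645> <WARN> |authmgr| MAC=14:3c:c3:fe:2c:80 IP=172.24.0.181 IP Spoof from MAC=d8:32:e3:9e:e6:84 role=authenticated/(null)
"""

def triage(text):
    """Return {category: Counter({captured fields: occurrences})}; unmatched lines are skipped."""
    hits = defaultdict(Counter)
    for line in text.splitlines():
        for name, rx in RULES.items():
            m = rx.search(line.strip())
            if m:
                hits[name][m.groups()] += 1
                break
    return hits

if __name__ == "__main__":
    for name, counter in triage(SAMPLE).items():
        for key, n in counter.most_common():
            print(f"{name:15} x{n}  {' '.join(key)}")
```
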