Network Management

last person joined: 2 hours ago 

Keep an informative eye on your network with IMC and AirWave network management solutions.
Expand all | Collapse all

Why do some of my clients report 2 LAN IP addresses?

Jump to Best Answer
  • 1.  Why do some of my clients report 2 LAN IP addresses?

    Posted May 18, 2015 10:35 AM

    Airwave reports a number of clients with 2 IP addresses. I am trying to track down a recurring broadcast storm that clears when I momentarily disconnect the controller, and so I am trying to answer all "that's weird" questions.

     

    Some of these, both addresses are pingable. Some report one address timing out and the other is unreachable. End devices run the gamut - iPhone, Anrdoid, Windows 7. About 10% of clients have 2 IP LAN Addresses reported by airwave.



  • 2.  RE: Why do some of my clients report 2 LAN IP addresses?

    Posted May 18, 2015 10:40 AM

    Hi Kevets

    2 IP from your user subnets, or, 1 IP from user vlan scopes, and 1 UFO from 'somewhere'?  Both are common, reasons are different, let me know which, can make some suggestions.

    regards

    -jeff



  • 3.  RE: Why do some of my clients report 2 LAN IP addresses?

    Posted May 18, 2015 10:45 AM

    I have all four of these scenarios:

    - 2 IPs on my default VLAN 1's DHCP address scope

    - 1 on the internal scope and 1 on the guest scope

    - guest IP + something off net like 192.168 or even a routable IP

    - internal IP + something off net like 192.168 or even a routable IP

     

    But it's really the first one that is concerning me.

     

    Thanks!

     



  • 4.  RE: Why do some of my clients report 2 LAN IP addresses?

    Posted May 18, 2015 11:04 AM

     

    - 2 IPs on my default VLAN 1's DHCP address scope

    >> this is potentially trickier - possible causes including 2 controllers serving APs at same location , with vlan pooling but different vlans configured. Could also be due to use of even vlan pooling without preserve vlan. May i suggest getting syslog setup, even if temporarily, and sending the output of "logging level debugging user" to the syslog, this may aid in backtracing the cause of this if none of the above jump out as possible causes. I may also be missing something obvious, maybe others will chime in here too.

     

    - 1 on the internal scope and 1 on the guest scope

    >> I am assuming internal scope means something you expect for clients doing PEAP or something like this, guest being guest. This could be due to clients having both configured/have connected to both at some point. Potentially you could try something like adding a space on the end of the guest ESSID which might stop people for a while moving between the two. I suppose you could also check in Airwave to see if these are legit connections to guest, or this could also be due to the same as below for the 'offnet' case, depending the subnet of your guest network.

     

    - guest IP + something off net like 192.168 or even a routable IP

    - internal IP + something off net like 192.168 or even a routable IP

     >> in these two cases, likely it's leakage from the clients 3g/4g IP, virtual machines, VPNs etc. The typical case is you see random ip's like 192.168.56.x which is coming usually from vmware on machines

     

    To deal with this - you should configure a validuseracl allowing the DHCP subnets and specifically denying protected hosts (i.e. default gateways within the vlan, RADIUS if it's on any user subnet etc).

     

    If you're not familiar with validuseracl, let me know, I will post here about it.

     

    regards

    -jeff

     

     

     

     



  • 5.  RE: Why do some of my clients report 2 LAN IP addresses?

    Posted May 18, 2015 11:26 AM
      |   view attached

    wow, many thanks!

     

    I just have the 1 controller. I am syslogging the controller currently (and wow, does it spew the info!). I'll see about adding the debugging user.

     

    I am out of my depth quickly with Aruba, so it might take a while to figure out VLAN preserve. I am attaching my 7210's config file.

     

    My guest SSID comes over a tunneled VLAN and they get their addresses from the 7210. My Private SSID is VLAN 1 and it gets addresses from my DHCP server.

     

    I am having some strange network problems, and if I pull the Aruba controller interface for a few seconds, it clears my problems (which are manifest as a broadcast storm and spanning tree flapping). I generally only have that problem once or twice in the opening hours of the business, and once I clear it with the controller cable pull, it's good until the next day. I've been chasing any number of possibilities, so now am wondering if I have a wired+wireless PC that is somehow causing a loop on power-up

     


    #7210

    Attachment(s)

    txt
    7210Conf.txt   28 KB 1 version


  • 6.  RE: Why do some of my clients report 2 LAN IP addresses?

    Posted May 18, 2015 12:25 PM

    @Kevets wrote:

    wow, many thanks!

     

    I just have the 1 controller. I am syslogging the controller currently (and wow, does it spew the info!). I'll see about adding the debugging user.

     

    I am out of my depth quickly with Aruba, so it might take a while to figure out VLAN preserve. I am attaching my 7210's config file.

    [-jeff] ignore about the preserve vlan (you only have one). Based on your config, seems maybe nothing as complicated as I was thinking. is there any possibility of another DHCP server on vlan 1?

     

    My guest SSID comes over a tunneled VLAN and they get their addresses from the 7210. My Private SSID is VLAN 1 and it gets addresses from my DHCP server.

     

    I am having some strange network problems, and if I pull the Aruba controller interface for a few seconds, it clears my problems (which are manifest as a broadcast storm and spanning tree flapping). I generally only have that problem once or twice in the opening hours of the business, and once I clear it with the controller cable pull, it's good until the next day. I've been chasing any number of possibilities, so now am wondering if I have a wired+wireless PC that is somehow causing a loop on power-up

    [-jeff] i see you have bcmc-opt turned on in the vlans, please also go to each virtual-ap profile and enable "Broadcast Filter All". This may help any problem with a bridged client causing a problem. It is also good practice, keeps various L2 junk off the WLAN (like bpdus etc.)

     


     


    #7210


  • 7.  RE: Why do some of my clients report 2 LAN IP addresses?

    Posted May 18, 2015 01:59 PM

    I'm probably looking in the wrong place, but I don't see "broadcast filter all"

     

    In VAP, I see 3 related options:

    Dynamic/Multicast Optimization (currently off)

    Drop Broadcast and unknown multicast (currently off)

    Convert broadcast ARP request to unicast (currently on)



  • 8.  RE: Why do some of my clients report 2 LAN IP addresses?

    Posted May 18, 2015 02:01 PM

    should my "Forward Mode" in VAP's that use VLAN 1 be set to tunnel? That's how they are currently



  • 9.  RE: Why do some of my clients report 2 LAN IP addresses?

    Posted May 18, 2015 10:42 PM
    @Kevets wrote:

    should my "Forward Mode" in VAP's that use VLAN 1 be set to tunnel? That's how they are currently


    yes - don't change that.



  • 10.  RE: Why do some of my clients report 2 LAN IP addresses?

    Posted May 18, 2015 10:40 PM
    In VAP, I see 3 related options:

    Dynamic/Multicast Optimization (currently off)

    Drop Broadcast and unknown multicast (currently off)

    Convert broadcast ARP request to unicast (currently on)


    it is the middle one (sorry, in the CLI it's called broadcast filter all). "Drop broadcast and unknown multicast" - enable it.



  • 11.  RE: Why do some of my clients report 2 LAN IP addresses?

    Posted May 19, 2015 10:18 AM

    @jgoff wrote:
    In VAP, I see 3 related options:

    Dynamic/Multicast Optimization (currently off)

    Drop Broadcast and unknown multicast (currently off)

    Convert broadcast ARP request to unicast (currently on)


    it is the middle one (sorry, in the CLI it's called broadcast filter all). "Drop broadcast and unknown multicast" - enable it.


    Thanks. But if I do that I get the red warning: 

    Warning: broadcast-filter arp should be enabled with this option. Otherwise ARP requests will be dropped!

     

    and I don't see where to set broadcast-filter-arp

     



  • 12.  RE: Why do some of my clients report 2 LAN IP addresses?
    Best Answer

    Posted May 19, 2015 01:01 PM

    broadcast-filter-arp is the "Convert broadcast ARP" option.  It is on by default now, did not used to be, and the warning fires whether or not it is already on.

     

    BTW, If it were not for Win7 hosts also showing duplicate IPs I would write that off as dhcp clients misbehaving.  This happens a lot on Andriod and sometime on Apple stuff.  You either have to pin those guys with a dhcp reservation or run bleeding edge dhcp servers to keep it from happening.

     



  • 13.  RE: Why do some of my clients report 2 LAN IP addresses?

    Posted May 19, 2015 02:44 PM

    OK, thanks - I have this set now on all my VAPS



  • 14.  RE: Why do some of my clients report 2 LAN IP addresses?

    Posted May 19, 2015 02:26 PM

    @Kevets wrote:

    @jgoff wrote:
    In VAP, I see 3 related options:

    Dynamic/Multicast Optimization (currently off)

    Drop Broadcast and unknown multicast (currently off)

    Convert broadcast ARP request to unicast (currently on)


    it is the middle one (sorry, in the CLI it's called broadcast filter all). "Drop broadcast and unknown multicast" - enable it.


    Thanks. But if I do that I get the red warning: 

    Warning: broadcast-filter arp should be enabled with this option. Otherwise ARP requests will be dropped!

     

    and I don't see where to set broadcast-filter-arp

     

    enable the "Drop Broadcast and unknown multicast" + ignore the warning, as bjulin mentioned, the warning is a hangover from times past when the defaults were different (the warning is about option 3 in the previous post, it is enabled by default, didn't used to be - hence the warning)

     

    regards

    -jeff



  • 15.  RE: Why do some of my clients report 2 LAN IP addresses?

    Posted May 18, 2015 01:52 PM

    thanks so much Jeff. Any details you can post on validuser acl would be appreciated. Maybe something I could cut and paste into a cli config? The controller screens are too many!

     

    I only have a Windows Server domain controller providing DHCP leases on VLAN 1.



  • 16.  RE: Why do some of my clients report 2 LAN IP addresses?
    Best Answer

    Posted May 18, 2015 11:19 PM

    to configure validuseracl - you need to follow these steps, but it presumes you have a pefng license.

     

    ** note / disclaimer **

    I have tried to follow your subnets, but you must doublecheck the below before just cut/pasting it into the controller CLI. Further, I strongly recommend you make a 'backup flash' just before doing this, in case you hit any issues and want to back out the changes (restore flash). You can also backup the flash from the controller webui , go to Maintenance -> Backup Flash -> Create Backup.


    step 1> create a network destination called VALID_SUBNETS, add to it all your DHCP scopes for all VAPs. Note that in the future if you create a new subnet, you will need to add it to this list or the user will *not* appear in the controller, despite being able to associate.

     

     

    configure t
    netdestination VALID_SUBNETS network 10.20.4.0 255.255.252.0 network 10.114.138.0 255.255.255.0 network 10.170.138.0 255.255.255.0 network 10.1.1.0 255.255.252.0 !


    step 2> create a network destination called PROTECTED_HOSTS, add to it all your important host IPs that reside within user subnets (i.e. default gateways, AD servers, radius servers, external captive portals etc.)

     

    I have scraped the below from your config, please double check each one. These IPs can never become users in the controller (which is a good thing).

     

     

    configure t
    netdestination PROTECTED_HOSTS host 10.20.4.1 host 10.114.138.5 host 10.170.138.1 host 10.1.1.61 host 10.1.1.10 host 10.1.1.5 host 10.1.1.3 !

     

    step 3> we are going to create two new rules in the valid user ACL, and delete one rule:

      i)   add a rule "deny anything that is using a source IP within PROTECTED_HOSTS"

      ii)  add a rule "allow anything with a source IP within VALID_SUBNETS"

      iii) delete the rule  "allow anything from anywhere" (rule 6 below)

     

    the existing ACL looks like this (tidied slighly to fit in this screen)

     

    # show ip access-list session validuser
    validuser
    ---------
    Priority  Source       Destination  Service  Application    Action
    --------  ------            -----------  -------  -----------  ------  --------- 
    1         127.0.0.0 255.0.0.0      any          any          deny  
    2         169.254.0.0 255.255.0.0  any          any      deny 
    3         224.0.0.0 240.0.0.0      any          any          deny 
    4         255.255.255.255          any          any           deny
    5         240.0.0.0 240.0.0.0      any          any           deny
    6         any                               any          any          permit

     

    so we need to insert our new two rules at position 6 and 7, and then delete the existing rule at position 6.

    configure t
    ip access-list session validuser
      alias PROTECTED_HOSTS any any deny position 6
      alias VALID_SUBNETS any any permit position 7
      no any any any permit
    !
    

    which we check after with "show ip access-list validuser", you should see now this (again tidied to fit, and ipv6 stuff removed)

    (sg-7030) #show ip access-list validuser
    
    ip access-list session validuser
    validuser
    ---------
    Priority  Source                   Destination  Service  Application  Action  
    --------  -----------                   -----------    -------  -----------  ------  ---------  
    1         127.0.0.0 255.0.0.0         any          any      deny
    2         169.254.0.0 255.255.0.0  any         any       deny
    3         224.0.0.0 240.0.0.0         any          any       deny
    4         255.255.255.255             any          any       deny
    5         240.0.0.0 240.0.0.0         any          any       deny
    6         PROTECTED_HOSTS     any          any       deny
    7         VALID_SUBNETS             any          any       permit
    <ipv6 stuff below here>

    at this point, you should be good to go - you should find that the junk IPs are no longer appearing in the usertable and Airwave. You can check it's working using "show acl hits", in this below example you can see a couple of allows and a reject, this is from a windows 8 client that is dual stack but also leaking the VPN IP into the controller, usually it has 3 IPs

     

    > before validuseracl

    (sg-7030) #show user
    fe80::a4ae:a862:2451:2211  5c:c5:d4:00:00:01    authenticated
    10.11.12.13 5c:c5:d4:00:00:01 authenticated 192.168.1.3 5c:c5:d4:00:00:01 authenticated
    (sg-7030) #

    > added validuser acl to allow 192.168.1.0/24, disconnect -> reconnect client

    (sg-7030) #show acl hit
    User Role ACL Hits
    ------------------
    <snip>
    
    Port Based Session ACL
    ----------------------
    Policy     Src         Dst   Service/Application  Action  New Hits  Total Hits
    ------ --- --- ------------------- ------ ----------- ---------- ----- --------- validuser VALID_SUBNETS any any permit 0 1 validuser fe80::/64 any any-v6 permit 1 1
    validuser any any 0 deny 2 2

    > can see two hits on deny, and an allow in VALID_SUBNET - now the usertable shows:

    (sg-7030) #show user
    fe80::a4ae:a862:2451:2211  5c:c5:d4:00:00:01    authenticated  
    192.168.1.3                5c:c5:d4:00:00:01              authenticated  
    (sg-7030) #

    and if all is well, "write memory" at the end.

     

    regards

    -jeff

     

    * edited a few times for clarity/typos etc. *

     

     

     

     



  • 17.  RE: Why do some of my clients report 2 LAN IP addresses?

    Posted May 19, 2015 09:43 AM
      |   view attached

    Jeff -

     

    That was an incedibly generous thing to do, and I can't tell you how much I appreciate it. I will make these changes in my next available maintenance window.

     

    I hate to call on you again, but no good deed goes unpunished! Would you look at my attached network schematic and weigh in on where I should have the 7210 connected? I originally had it going to the Aruba edge switch (138), but have moved it the 101 core switch. I ask about this because I have a daily broadcast storm (at around 9 or 9:30) that gets cleared when I temporarily disable the controllers interface. I had that same storm when it was on 138 as I do today with it on 101.

     

    I am running MSTP on this primarily HP switch stack, and I am not running any flavor of STP on the 7210. And part of my 2 LAN IP address question was trying to figure out if the 7210 is causing a loop somehow.

     

    Again, I can't thank you enough for your assitance.


    #7210


  • 18.  RE: Why do some of my clients report 2 LAN IP addresses?

    Posted May 20, 2015 12:19 AM

    based on what you have said about the config and the diagram, I don't think it should be the controller specifically causing the loop. Having said that, please get me the following output:

     

    show datapath bwm type 0

    show datapath debug opcode | include BPDU

    show datapath frame

    show datapath maintenance counters

     

    we may be able to deduce something from these stats.

     

    regards,

    -jeff



  • 19.  RE: Why do some of my clients report 2 LAN IP addresses?

    Posted May 20, 2015 03:08 PM

    Jeff,

     

    Thanks again. I will try those commands shortly, but I believe (and dear God I hope) I may have found the problem.

     

    I had IGMP on a couple of VLANS, one without an IP address, on my HP Switches and I believe my Fortigate firewall decided to be helpful. All I know is when I got rid of IGMP my switch storm immediately abated.

     

    Your original config advice for the wonky IP's worked great. I had to change the IP address to 10.1.0.0 for the main subnet, but other than that it was copy and paste.

     

    Thanks! You're the best!