Hi,
We are facing the same issue. We have moved from Cisco Wireless to Aruba, and the DHCP issue is for Corp SSID. Corp SSID has 802.1x Authentication through Windows DC, and the same does RADIUS for Corp SSID. The Aruba APs are connected to the Aruba Switch, which is connected to the Distribution Switch (Cisco), which is connected to the Core (Cisco). VLAN 172, assigned to Corp SSID, is configured on Aruba Switch and allowed on the AP ports and through the uplink port to Distribution.
SVI for VLAN 172 is configured on Core Switch with IP Helper address for DHCP server.
Able to ping the DHCP server from the AP and the switch, but clients are unable to get an IP.
-----------------------------------------------------------------------------------------------
debug from AP.
LIB-AP-03# sh clients
Client List
-----------
Name                  IP Address       MAC Address        OS       ESSID       Access Point  Channel  Type  Role        IPv6 Address               Signal(dB)  Speed (Mbps)
----                  ----------       -----------        --       -----       ------------  -------  ----  ----        ------------               ----------  ------------
                      192.168.2.XXX    26:a2:8f:2d:e9:76  NOFP     TOG-Public  LIB-AP-03     132      a-HE  TOG-PUBLIC  fe80::ce0:4894:73dd:bb29   35(good)    114(ok)
Galaxy-S23-FE         192.168.2.XXX    8e:85:44:df:79:bb  Linux    TOG-Public  LIB-AP-03     132      a-HE  TOG-PUBLIC  fe80::8c85:44ff:fedf:79bb  33(good)    154(good)
                      192.168.2.XX     6a:8c:9a:94:c3:5a  NOFP     TOG-Public  LIB-AP-03     132      a-HE  TOG-PUBLIC  fe80::184c:c2b:5626:9561   38(good)    77(poor)
                      192.168.2.XXX    32:f7:bd:60:5a:8a  NOFP     TOG-Public  LIB-AP-03     132      a-HE  TOG-PUBLIC  fe80::145e:3e3c:b190:5faf  29(good)    206(good)
                      192.168.2.XXX    b8:98:ad:d5:1a:0a  Android  TOG-Public  LIB-AP-03     11       GN    TOG-PUBLIC  fe80::9c5c:3115:d878:98b6  32(good)    58(good)
host/LAP201807091005  169.254.165.102  90:32:4b:a0:62:41  Win 10   TOG         LIB-AP-03     132      AC    TOG         fe80::bc7c:72e5:f27b:a566  40(good)    6(poor)
                      192.168.2.XX     6e:5d:b3:59:a5:01  NOFP     TOG-Public  LIB-AP-03     132      a-HE  TOG-PUBLIC  fe80::ca9:e65f:2b28:dc79   44(good)    258(good)
XXXXX-s-S23-FE        192.168.2.XX     8e:2c:18:3a:03:94  Linux    TOG-Public  LIB-AP-03     132      a-HE  TOG-PUBLIC  fe80::8c2c:18ff:fe3a:394   36(good)    172(good)
Galaxy-S23-FE         192.168.2.XX     c6:5b:c5:b8:27:38  Linux    TOG-Public  LIB-AP-03     132      a-HE  TOG-PUBLIC  fe80::c45b:c5ff:feb8:2738  59(good)    286(good)
Galaxy-S22            192.168.2.XX     5a:b1:f8:49:f6:bb  Linux    TOG-Public  LIB-AP-03     11       g-HE  TOG-PUBLIC  fe80::58b1:f8ff:fe49:f6bb  53(good)    206(good)
Number of Clients :10
Info timestamp :251860
LIB-AP-03# debug pkt match mac 90:32:4b:a0:62:41
LIB-AP-03# debug pkt type dhcp
LIB-AP-03# debug pkt dump
If source or destination MAC is 90:32:4b:a0:62:41
AND packet is of type DHCP
Module : ASAP ASFP UOL
Press 'q' to quit.
ASFP received packet from aruba001 ([cpu 3] timestamp (2024-6-6 11:21:11:718514))
[sfe_drv_recv(1447): asfp entry] len 342, egress CP, ingress aruba001:
#mac: etype 0800 smac 90:32:4b:a0:62:41 dmac ff:ff:ff:ff:ff:ff
#ip: sip 0.0.0.0, dip 255.255.255.255, proto 17 hdr len 20
len 328, id 41282, cksum 9863, ttl 128, dscp 0
fragment ok, last fragment, frag off 0
#udp: sport 68 dport 67 len 308
#dhcp: message-type: request
hardware type: 1, len: 6, hops: 0
txn id: 0x34e13316, seconds elapsed: 0
boot flags: 0x8000
client mac: 90:32:4b:a0:62:41
magic cookie: 0x63825363
#dhcp-option: message-type: discover
#dhcp-option: Host Name: LAP201807091005
#dhcp-option: Vendor Class ID: MSFT 5.0
[sfe_ipv4_recv(2256):sfe ipv4 recv entry] len 328, egress CP, ingress aruba001:
#ip: sip 0.0.0.0, dip 255.255.255.255, proto 17 hdr len 20
len 328, id 41282, cksum 9863, ttl 128, dscp 0
fragment ok, last fragment, frag off 0
#udp: sport 68 dport 67 len 308
#dhcp: message-type: request
hardware type: 1, len: 6, hops: 0
txn id: 0x34e13316, seconds elapsed: 0
boot flags: 0x8000
client mac: 90:32:4b:a0:62:41
magic cookie: 0x63825363
#dhcp-option: message-type: discover
#dhcp-option: Host Name: LAP201807091005
#dhcp-option: Vendor Class ID: MSFT 5.0
[sfe_ipv4_recv_udp(781):sfe ipv4 recv udp entry] len 328, egress CP, ingress aruba001:
[sfe_ipv4_recv_udp(815):Before connection match] len 328, egress CP, ingress aruba001:
[sfe_ipv4_recv_udp(843):No connection match found, let go in asap] len 328, egress CP, ingress aruba001:
ASAP received packet from aruba001 ([cpu 3] timestamp (2024-6-6 11:21:11:718612))
[asap_firewall_forward(8588):firewall entry] len 342, vlan 0, egress CP, ingress aruba001:
#mac: etype 0800 smac 90:32:4b:a0:62:41 dmac ff:ff:ff:ff:ff:ff
#ip: sip 0.0.0.0, dip 255.255.255.255, proto 17 hdr len 20
len 328, id 41282, cksum 9863, ttl 128, dscp 0
fragment ok, last fragment, frag off 0
#udp: sport 68 dport 67 len 308
#dhcp: message-type: request
hardware type: 1, len: 6, hops: 0
txn id: 0x34e13316, seconds elapsed: 0
boot flags: 0x8000
client mac: 90:32:4b:a0:62:41
magic cookie: 0x63825363
#dhcp-option: message-type: discover
#dhcp-option: Host Name: LAP201807091005
#dhcp-option: Vendor Class ID: MSFT 5.0
[asap_firewall_forward(8858):vlan decision, tags 0] len 342, vlan 172, egress CP, ingress aruba001:
[asap_firewall_check_dhcp_packet(4174):dhcp packet from client] len 342, vlan 172, egress CP, ingress aruba001:
[asap_firewall_forward(9449):looking up pkt ingress/src bridge entry 90:32:4b:a0:62:41] len 342, vlan 172, egress CP, ingress aruba001:
[asap_firewall_forward(9506):Found ingress/src bridge entry 90:32:4b:a0:62:41 rechable via aruba001] len 342, vlan 172, egress CP, ingress aruba001:
[asap_firewall_forward(9887):bridge section, looking for dst bridge entry ff:ff:ff:ff:ff:ff] len 342, vlan 172, egress CP, ingress aruba001:
[asap_firewall_forward(10188):Unable to find dst bridge entry ff:ff:ff:ff:ff:ff, flood to VLAN 172] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10244):session section] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10258):Offload flag after bom denylist check: 0x1, E] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_session_fp_add_process(610):session not offload: session is null] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10581):fastpath session returned 1 opcode 4, snat none] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10597):slowpath section: opcode 4] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10720):slowpath match acl se -1 re -1 rt -1 dpi -1 opcode 3] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10940):back to fastpath, opcode 3] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_session_add_process(630):session not offload: session is null] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(11354):route section] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(11493):cp route section] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(11991):forward section] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(14359):flooding: l2switchmode 0 session no] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(14597):checking dev7 bond0] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(15280):flooding to bond0, tags 1, appid 255, priority 255, app_flag:0] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(14597):checking dev27 aruba001] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(15280):flooding to aruba001, tags 0, appid 255, priority 255, app_flag:0] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(14597):checking dev28 aruba101] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(15280):flooding to aruba101, tags 0, appid 255, priority 255, app_flag:0] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(15300):stack section protocol=0x800, type=1, aruba_vlan_tci=0] len 342, vlan 172, egress vlan 172, ingress aruba001:
ASFP received packet from aruba001 ([cpu 3] timestamp (2024-6-6 11:21:16:626507))
[sfe_drv_recv(1447): asfp entry] len 342, egress CP, ingress aruba001:
#mac: etype 0800 smac 90:32:4b:a0:62:41 dmac ff:ff:ff:ff:ff:ff
#ip: sip 0.0.0.0, dip 255.255.255.255, proto 17 hdr len 20
len 328, id 41283, cksum 9862, ttl 128, dscp 0
fragment ok, last fragment, frag off 0
#udp: sport 68 dport 67 len 308
#dhcp: message-type: request
hardware type: 1, len: 6, hops: 0
txn id: 0x34e13316, seconds elapsed: 0
boot flags: 0x8000
client mac: 90:32:4b:a0:62:41
magic cookie: 0x63825363
#dhcp-option: message-type: discover
#dhcp-option: Host Name: LAP201807091005
#dhcp-option: Vendor Class ID: MSFT 5.0
[sfe_ipv4_recv(2256):sfe ipv4 recv entry] len 328, egress CP, ingress aruba001:
#ip: sip 0.0.0.0, dip 255.255.255.255, proto 17 hdr len 20
len 328, id 41283, cksum 9862, ttl 128, dscp 0
fragment ok, last fragment, frag off 0
#udp: sport 68 dport 67 len 308
#dhcp: message-type: request
hardware type: 1, len: 6, hops: 0
txn id: 0x34e13316, seconds elapsed: 0
boot flags: 0x8000
client mac: 90:32:4b:a0:62:41
magic cookie: 0x63825363
#dhcp-option: message-type: discover
#dhcp-option: Host Name: LAP201807091005
#dhcp-option: Vendor Class ID: MSFT 5.0
[sfe_ipv4_recv_udp(781):sfe ipv4 recv udp entry] len 328, egress CP, ingress aruba001:
[sfe_ipv4_recv_udp(815):Before connection match] len 328, egress CP, ingress aruba001:
[sfe_ipv4_recv_udp(843):No connection match found, let go in asap] len 328, egress CP, ingress aruba001:
ASAP received packet from aruba001 ([cpu 3] timestamp (2024-6-6 11:21:16:626910))
[asap_firewall_forward(8588):firewall entry] len 342, vlan 0, egress CP, ingress aruba001:
#mac: etype 0800 smac 90:32:4b:a0:62:41 dmac ff:ff:ff:ff:ff:ff
#ip: sip 0.0.0.0, dip 255.255.255.255, proto 17 hdr len 20
len 328, id 41283, cksum 9862, ttl 128, dscp 0
fragment ok, last fragment, frag off 0
#udp: sport 68 dport 67 len 308
#dhcp: message-type: request
hardware type: 1, len: 6, hops: 0
txn id: 0x34e13316, seconds elapsed: 0
boot flags: 0x8000
client mac: 90:32:4b:a0:62:41
magic cookie: 0x63825363
#dhcp-option: message-type: discover
#dhcp-option: Host Name: LAP201807091005
#dhcp-option: Vendor Class ID: MSFT 5.0
[asap_firewall_forward(8858):vlan decision, tags 0] len 342, vlan 172, egress CP, ingress aruba001:
[asap_firewall_check_dhcp_packet(4174):dhcp packet from client] len 342, vlan 172, egress CP, ingress aruba001:
[asap_firewall_forward(9449):looking up pkt ingress/src bridge entry 90:32:4b:a0:62:41] len 342, vlan 172, egress CP, ingress aruba001:
[asap_firewall_forward(9506):Found ingress/src bridge entry 90:32:4b:a0:62:41 rechable via aruba001] len 342, vlan 172, egress CP, ingress aruba001:
[asap_firewall_forward(9887):bridge section, looking for dst bridge entry ff:ff:ff:ff:ff:ff] len 342, vlan 172, egress CP, ingress aruba001:
[asap_firewall_forward(10188):Unable to find dst bridge entry ff:ff:ff:ff:ff:ff, flood to VLAN 172] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10244):session section] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10258):Offload flag after bom denylist check: 0x1, E] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_session_fp_add_process(610):session not offload: session is null] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10581):fastpath session returned 1 opcode 4, snat none] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10597):slowpath section: opcode 4] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10720):slowpath match acl se -1 re -1 rt -1 dpi -1 opcode 3] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10940):back to fastpath, opcode 3] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_session_add_process(630):session not offload: session is null] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(11354):route section] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(11493):cp route section] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(11991):forward section] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(14359):flooding: l2switchmode 0 session no] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(14597):checking dev7 bond0] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(15280):flooding to bond0, tags 1, appid 255, priority 255, app_flag:0] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(14597):checking dev27 aruba001] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(15280):flooding to aruba001, tags 0, appid 255, priority 255, app_flag:0] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(14597):checking dev28 aruba101] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(15280):flooding to aruba101, tags 0, appid 255, priority 255, app_flag:0] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(15300):stack section protocol=0x800, type=1, aruba_vlan_tci=0] len 342, vlan 172, egress vlan 172, ingress aruba001:
ASFP received packet from aruba001 ([cpu 3] timestamp (2024-6-6 11:21:20:737189))
[sfe_drv_recv(1447): asfp entry] len 342, egress CP, ingress aruba001:
#mac: etype 0800 smac 90:32:4b:a0:62:41 dmac ff:ff:ff:ff:ff:ff
#ip: sip 0.0.0.0, dip 255.255.255.255, proto 17 hdr len 20
len 328, id 41284, cksum 9861, ttl 128, dscp 0
fragment ok, last fragment, frag off 0
#udp: sport 68 dport 67 len 308
#dhcp: message-type: request
hardware type: 1, len: 6, hops: 0
txn id: 0x34e13316, seconds elapsed: 1024
boot flags: 0x8000
client mac: 90:32:4b:a0:62:41
magic cookie: 0x63825363
#dhcp-option: message-type: discover
#dhcp-option: Host Name: LAP201807091005
#dhcp-option: Vendor Class ID: MSFT 5.0
[sfe_ipv4_recv(2256):sfe ipv4 recv entry] len 328, egress CP, ingress aruba001:
#ip: sip 0.0.0.0, dip 255.255.255.255, proto 17 hdr len 20
len 328, id 41284, cksum 9861, ttl 128, dscp 0
fragment ok, last fragment, frag off 0
#udp: sport 68 dport 67 len 308
#dhcp: message-type: request
hardware type: 1, len: 6, hops: 0
txn id: 0x34e13316, seconds elapsed: 1024
boot flags: 0x8000
client mac: 90:32:4b:a0:62:41
magic cookie: 0x63825363
#dhcp-option: message-type: discover
#dhcp-option: Host Name: LAP201807091005
#dhcp-option: Vendor Class ID: MSFT 5.0
[sfe_ipv4_recv_udp(781):sfe ipv4 recv udp entry] len 328, egress CP, ingress aruba001:
[sfe_ipv4_recv_udp(815):Before connection match] len 328, egress CP, ingress aruba001:
[sfe_ipv4_recv_udp(843):No connection match found, let go in asap] len 328, egress CP, ingress aruba001:
ASAP received packet from aruba001 ([cpu 3] timestamp (2024-6-6 11:21:20:737299))
[asap_firewall_forward(8588):firewall entry] len 342, vlan 0, egress CP, ingress aruba001:
#mac: etype 0800 smac 90:32:4b:a0:62:41 dmac ff:ff:ff:ff:ff:ff
#ip: sip 0.0.0.0, dip 255.255.255.255, proto 17 hdr len 20
len 328, id 41284, cksum 9861, ttl 128, dscp 0
fragment ok, last fragment, frag off 0
#udp: sport 68 dport 67 len 308
#dhcp: message-type: request
hardware type: 1, len: 6, hops: 0
txn id: 0x34e13316, seconds elapsed: 1024
boot flags: 0x8000
client mac: 90:32:4b:a0:62:41
magic cookie: 0x63825363
#dhcp-option: message-type: discover
#dhcp-option: Host Name: LAP201807091005
#dhcp-option: Vendor Class ID: MSFT 5.0
[asap_firewall_forward(8858):vlan decision, tags 0] len 342, vlan 172, egress CP, ingress aruba001:
[asap_firewall_check_dhcp_packet(4174):dhcp packet from client] len 342, vlan 172, egress CP, ingress aruba001:
[asap_firewall_forward(9449):looking up pkt ingress/src bridge entry 90:32:4b:a0:62:41] len 342, vlan 172, egress CP, ingress aruba001:
[asap_firewall_forward(9506):Found ingress/src bridge entry 90:32:4b:a0:62:41 rechable via aruba001] len 342, vlan 172, egress CP, ingress aruba001:
[asap_firewall_forward(9887):bridge section, looking for dst bridge entry ff:ff:ff:ff:ff:ff] len 342, vlan 172, egress CP, ingress aruba001:
[asap_firewall_forward(10188):Unable to find dst bridge entry ff:ff:ff:ff:ff:ff, flood to VLAN 172] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10244):session section] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10258):Offload flag after bom denylist check: 0x1, E] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_session_fp_add_process(610):session not offload: session is null] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10581):fastpath session returned 1 opcode 4, snat none] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10597):slowpath section: opcode 4] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10720):slowpath match acl se -1 re -1 rt -1 dpi -1 opcode 3] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10940):back to fastpath, opcode 3] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_session_add_process(630):session not offload: session is null] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(11354):route section] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(11493):cp route section] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(11991):forward section] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(14359):flooding: l2switchmode 0 session no] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(14597):checking dev7 bond0] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(15280):flooding to bond0, tags 1, appid 255, priority 255, app_flag:0] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(14597):checking dev27 aruba001] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(15280):flooding to aruba001, tags 0, appid 255, priority 255, app_flag:0] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(14597):checking dev28 aruba101] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(15280):flooding to aruba101, tags 0, appid 255, priority 255, app_flag:0] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(15300):stack section protocol=0x800, type=1, aruba_vlan_tci=0] len 342, vlan 172, egress vlan 172, ingress aruba001:
ASFP received packet from aruba001 ([cpu 3] timestamp (2024-6-6 11:21:29:73628))
[sfe_drv_recv(1447): asfp entry] len 342, egress CP, ingress aruba001:
#mac: etype 0800 smac 90:32:4b:a0:62:41 dmac ff:ff:ff:ff:ff:ff
#ip: sip 0.0.0.0, dip 255.255.255.255, proto 17 hdr len 20
len 328, id 41285, cksum 9860, ttl 128, dscp 0
fragment ok, last fragment, frag off 0
#udp: sport 68 dport 67 len 308
#dhcp: message-type: request
hardware type: 1, len: 6, hops: 0
txn id: 0x34e13316, seconds elapsed: 3072
boot flags: 0x8000
client mac: 90:32:4b:a0:62:41
magic cookie: 0x63825363
#dhcp-option: message-type: discover
#dhcp-option: Host Name: LAP201807091005
#dhcp-option: Vendor Class ID: MSFT 5.0
[sfe_ipv4_recv(2256):sfe ipv4 recv entry] len 328, egress CP, ingress aruba001:
#ip: sip 0.0.0.0, dip 255.255.255.255, proto 17 hdr len 20
len 328, id 41285, cksum 9860, ttl 128, dscp 0
fragment ok, last fragment, frag off 0
#udp: sport 68 dport 67 len 308
#dhcp: message-type: request
hardware type: 1, len: 6, hops: 0
txn id: 0x34e13316, seconds elapsed: 3072
boot flags: 0x8000
client mac: 90:32:4b:a0:62:41
magic cookie: 0x63825363
#dhcp-option: message-type: discover
#dhcp-option: Host Name: LAP201807091005
#dhcp-option: Vendor Class ID: MSFT 5.0
[sfe_ipv4_recv_udp(781):sfe ipv4 recv udp entry] len 328, egress CP, ingress aruba001:
[sfe_ipv4_recv_udp(815):Before connection match] len 328, egress CP, ingress aruba001:
[sfe_ipv4_recv_udp(843):No connection match found, let go in asap] len 328, egress CP, ingress aruba001:
ASAP received packet from aruba001 ([cpu 3] timestamp (2024-6-6 11:21:29:73720))
[asap_firewall_forward(8588):firewall entry] len 342, vlan 0, egress CP, ingress aruba001:
#mac: etype 0800 smac 90:32:4b:a0:62:41 dmac ff:ff:ff:ff:ff:ff
#ip: sip 0.0.0.0, dip 255.255.255.255, proto 17 hdr len 20
len 328, id 41285, cksum 9860, ttl 128, dscp 0
fragment ok, last fragment, frag off 0
#udp: sport 68 dport 67 len 308
#dhcp: message-type: request
hardware type: 1, len: 6, hops: 0
txn id: 0x34e13316, seconds elapsed: 3072
boot flags: 0x8000
client mac: 90:32:4b:a0:62:41
magic cookie: 0x63825363
#dhcp-option: message-type: discover
#dhcp-option: Host Name: LAP201807091005
#dhcp-option: Vendor Class ID: MSFT 5.0
[asap_firewall_forward(8858):vlan decision, tags 0] len 342, vlan 172, egress CP, ingress aruba001:
[asap_firewall_check_dhcp_packet(4174):dhcp packet from client] len 342, vlan 172, egress CP, ingress aruba001:
[asap_firewall_forward(9449):looking up pkt ingress/src bridge entry 90:32:4b:a0:62:41] len 342, vlan 172, egress CP, ingress aruba001:
[asap_firewall_forward(9506):Found ingress/src bridge entry 90:32:4b:a0:62:41 rechable via aruba001] len 342, vlan 172, egress CP, ingress aruba001:
[asap_firewall_forward(9887):bridge section, looking for dst bridge entry ff:ff:ff:ff:ff:ff] len 342, vlan 172, egress CP, ingress aruba001:
[asap_firewall_forward(10188):Unable to find dst bridge entry ff:ff:ff:ff:ff:ff, flood to VLAN 172] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10244):session section] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10258):Offload flag after bom denylist check: 0x1, E] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_session_fp_add_process(610):session not offload: session is null] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10581):fastpath session returned 1 opcode 4, snat none] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10597):slowpath section: opcode 4] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10720):slowpath match acl se -1 re -1 rt -1 dpi -1 opcode 3] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10940):back to fastpath, opcode 3] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_session_add_process(630):session not offload: session is null] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(11354):route section] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(11493):cp route section] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(11991):forward section] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(14359):flooding: l2switchmode 0 session no] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(14597):checking dev7 bond0] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(15280):flooding to bond0, tags 1, appid 255, priority 255, app_flag:0] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(14597):checking dev27 aruba001] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(15280):flooding to aruba001, tags 0, appid 255, priority 255, app_flag:0] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(14597):checking dev28 aruba101] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(15280):flooding to aruba101, tags 0, appid 255, priority 255, app_flag:0] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(15300):stack section protocol=0x800, type=1, aruba_vlan_tci=0] len 342, vlan 172, egress vlan 172, ingress aruba001:
ASFP received packet from aruba001 ([cpu 3] timestamp (2024-6-6 11:21:44:952039))
[sfe_drv_recv(1447): asfp entry] len 342, egress CP, ingress aruba001:
#mac: etype 0800 smac 90:32:4b:a0:62:41 dmac ff:ff:ff:ff:ff:ff
#ip: sip 0.0.0.0, dip 255.255.255.255, proto 17 hdr len 20
len 328, id 41286, cksum 985f, ttl 128, dscp 0
fragment ok, last fragment, frag off 0
#udp: sport 68 dport 67 len 308
#dhcp: message-type: request
hardware type: 1, len: 6, hops: 0
txn id: 0x34e13316, seconds elapsed: 7168
boot flags: 0x8000
client mac: 90:32:4b:a0:62:41
magic cookie: 0x63825363
#dhcp-option: message-type: discover
#dhcp-option: Host Name: LAP201807091005
#dhcp-option: Vendor Class ID: MSFT 5.0
[sfe_ipv4_recv(2256):sfe ipv4 recv entry] len 328, egress CP, ingress aruba001:
#ip: sip 0.0.0.0, dip 255.255.255.255, proto 17 hdr len 20
len 328, id 41286, cksum 985f, ttl 128, dscp 0
fragment ok, last fragment, frag off 0
#udp: sport 68 dport 67 len 308
#dhcp: message-type: request
hardware type: 1, len: 6, hops: 0
txn id: 0x34e13316, seconds elapsed: 7168
boot flags: 0x8000
client mac: 90:32:4b:a0:62:41
magic cookie: 0x63825363
#dhcp-option: message-type: discover
#dhcp-option: Host Name: LAP201807091005
#dhcp-option: Vendor Class ID: MSFT 5.0
[sfe_ipv4_recv_udp(781):sfe ipv4 recv udp entry] len 328, egress CP, ingress aruba001:
[sfe_ipv4_recv_udp(815):Before connection match] len 328, egress CP, ingress aruba001:
[sfe_ipv4_recv_udp(843):No connection match found, let go in asap] len 328, egress CP, ingress aruba001:
ASAP received packet from aruba001 ([cpu 3] timestamp (2024-6-6 11:21:44:952197))
[asap_firewall_forward(8588):firewall entry] len 342, vlan 0, egress CP, ingress aruba001:
#mac: etype 0800 smac 90:32:4b:a0:62:41 dmac ff:ff:ff:ff:ff:ff
#ip: sip 0.0.0.0, dip 255.255.255.255, proto 17 hdr len 20
len 328, id 41286, cksum 985f, ttl 128, dscp 0
fragment ok, last fragment, frag off 0
#udp: sport 68 dport 67 len 308
#dhcp: message-type: request
hardware type: 1, len: 6, hops: 0
txn id: 0x34e13316, seconds elapsed: 7168
boot flags: 0x8000
client mac: 90:32:4b:a0:62:41
magic cookie: 0x63825363
#dhcp-option: message-type: discover
#dhcp-option: Host Name: LAP201807091005
#dhcp-option: Vendor Class ID: MSFT 5.0
[asap_firewall_forward(8858):vlan decision, tags 0] len 342, vlan 172, egress CP, ingress aruba001:
[asap_firewall_check_dhcp_packet(4174):dhcp packet from client] len 342, vlan 172, egress CP, ingress aruba001:
[asap_firewall_forward(9449):looking up pkt ingress/src bridge entry 90:32:4b:a0:62:41] len 342, vlan 172, egress CP, ingress aruba001:
[asap_firewall_forward(9506):Found ingress/src bridge entry 90:32:4b:a0:62:41 rechable via aruba001] len 342, vlan 172, egress CP, ingress aruba001:
[asap_firewall_forward(9887):bridge section, looking for dst bridge entry ff:ff:ff:ff:ff:ff] len 342, vlan 172, egress CP, ingress aruba001:
[asap_firewall_forward(10188):Unable to find dst bridge entry ff:ff:ff:ff:ff:ff, flood to VLAN 172] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10244):session section] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10258):Offload flag after bom denylist check: 0x1, E] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_session_fp_add_process(610):session not offload: session is null] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10581):fastpath session returned 1 opcode 4, snat none] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10597):slowpath section: opcode 4] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10720):slowpath match acl se -1 re -1 rt -1 dpi -1 opcode 3] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(10940):back to fastpath, opcode 3] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_session_add_process(630):session not offload: session is null] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(11354):route section] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(11493):cp route section] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_forward(11991):forward section] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(14359):flooding: l2switchmode 0 session no] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(14597):checking dev7 bond0] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(15280):flooding to bond0, tags 1, appid 255, priority 255, app_flag:0] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(14597):checking dev27 aruba001] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(15280):flooding to aruba001, tags 0, appid 255, priority 255, app_flag:0] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(14597):checking dev28 aruba101] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(15280):flooding to aruba101, tags 0, appid 255, priority 255, app_flag:0] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(15300):stack section protocol=0x800, type=1, aruba_vlan_tci=0] len 342, vlan 172, egress vlan 172, ingress aruba001:
LIB-AP-03#
Original Message:
Sent: Apr 07, 2021 11:28 PM
From: ST69
Subject: Aruba Central + AP515's = DHCP Timeouts
So we've recently rolled out 16 x Aruba AP-515's, configured via Aruba Central.
It all seemed to work fine at first, but it quickly became apparent that there are sporadic DHCP Discover, and Offer timeout errors.
There are also reports of poor performance, frequent disconnections and DOT1X errors in the Aruba Central logs (these could just be certificate or credential mismatches).
Our Environment:
- Aruba CX 6405 switch; AP's are directly connected to this.
- Fortigate 200D cluster; handles the DHCP for the Guest SSID.
- Two Windows 2016 DC's that handle the DHCP for the Staff SSID. They also do RADIUS for the Staff SSID.
- Aruba Central as the controller.
- Other sites are still running Cisco AP's.
The Aruba AP's replaced Cisco Aironet AP's which worked without issue.
Some troubleshooting steps taken:
- Installed the Aruba AP's in another office to take the CX 6405 switch out of the equation.
- Went back to WPA2 instead of WPA3.
- Turned off Fast Roaming, Wi-Fi Multimedia Power Save (U-APSD), Management Frame Protection.
- Turned off LACP mode on each AP.
- Turned off Enforce DHCP, 80MHz support.
- Set up a different DHCP server.
- Created completely separate VLAN's for the Aruba's to make sure the Cisco controller and AP's weren't interfering.
- Updated the firmware on the AP's to 8.8.0.0_79697; previously on 8.6.0.4 and 8.6.0.8.
All these changes have made no difference, and working with Aruba Support has led us nowhere.
Has anyone encountered this issue before and have any ideas on how to continue troubleshooting?
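
The `debug pkt dump` output quoted at the top of this thread can be triaged with a short script; this is an added example, not part of either post and not an Aruba tool. It keeps only frames logged at the ASAP (firewall) stage, groups them by client MAC and DHCP transaction id, and reports whether the Discover was flooded to the uplink and whether any server reply was logged. Assumptions: `bond0` is the AP's wired uplink, the last timestamp field is microseconds, and a reply (Offer/ACK/NAK) would be printed in the same format as the Discover.

```python
import re
from datetime import datetime

# Constructed sample: lines copied from the AP debug output in the thread,
# trimmed to two of the Discover retransmissions and to the fields parsed here.
SAMPLE = """\
ASFP received packet from aruba001 ([cpu 3] timestamp (2024-6-6 11:21:11:718514))
txn id: 0x34e13316, seconds elapsed: 0
#dhcp-option: message-type: discover
ASAP received packet from aruba001 ([cpu 3] timestamp (2024-6-6 11:21:11:718612))
txn id: 0x34e13316, seconds elapsed: 0
client mac: 90:32:4b:a0:62:41
#dhcp-option: message-type: discover
[asap_firewall_flood(15280):flooding to bond0, tags 1, appid 255, priority 255, app_flag:0] len 342, vlan 172, egress vlan 172, ingress aruba001:
[asap_firewall_flood(15280):flooding to aruba101, tags 0, appid 255, priority 255, app_flag:0] len 342, vlan 172, egress vlan 172, ingress aruba001:
ASAP received packet from aruba001 ([cpu 3] timestamp (2024-6-6 11:21:16:626910))
txn id: 0x34e13316, seconds elapsed: 0
client mac: 90:32:4b:a0:62:41
#dhcp-option: message-type: discover
[asap_firewall_flood(15280):flooding to bond0, tags 1, appid 255, priority 255, app_flag:0] len 342, vlan 172, egress vlan 172, ingress aruba001:
"""

HDR = re.compile(r"^(ASFP|ASAP) received packet from (\S+) .*"
                 r"timestamp \((\d+)-(\d+)-(\d+) (\d+):(\d+):(\d+):(\d+)\)")
XID = re.compile(r"txn id: (0x[0-9a-f]+)")
MAC = re.compile(r"client mac: ([0-9a-f:]{17})")
MTYPE = re.compile(r"#dhcp-option: message-type: (\w+)")
FLOOD = re.compile(r"flooding to (\S+), tags (\d+).* vlan (\d+), egress")

NO_REPLY = "discover flooded to uplink, no server reply logged at the AP"
NOT_FLOODED = "discover never flooded to uplink"
REPLIED = "server reply reached the AP"


def parse(dump):
    """Return one dict per frame logged at the ASAP (firewall) stage."""
    frames, cur = [], None
    for line in dump.splitlines():
        line = line.strip()
        h = HDR.match(line)
        if h:
            # The same frame is printed at the ASFP stage first; skip that
            # copy so each retransmission is counted once.
            cur = None
            if h.group(1) == "ASAP":
                y, mo, d, hh, mm, ss, us = map(int, h.groups()[2:])
                cur = {"ts": datetime(y, mo, d, hh, mm, ss, us),
                       "ingress": h.group(2), "xid": None, "mac": None,
                       "type": None, "flood": {}}
                frames.append(cur)
            continue
        if cur is None:
            continue
        for key, rx in (("xid", XID), ("mac", MAC), ("type", MTYPE)):
            m = rx.search(line)
            if m:
                cur[key] = m.group(1)
        m = FLOOD.search(line)
        if m:
            cur["flood"][m.group(1)] = {"tagged": m.group(2) == "1",
                                        "vlan": int(m.group(3))}
    return frames


def summarize(frames, uplink="bond0"):
    """Group frames by (client MAC, transaction id) and attach a verdict."""
    out = {}
    for f in frames:
        if f["xid"] is None:
            continue
        s = out.setdefault((f["mac"], f["xid"]),
                           {"discovers": [], "replies": 0, "uplink": None})
        if f["type"] == "discover":
            s["discovers"].append(f["ts"])
            s["uplink"] = f["flood"].get(uplink, s["uplink"])
        elif f["type"] in ("offer", "ack", "nak"):
            s["replies"] += 1
    for s in out.values():
        t = s["discovers"]
        # Growing gaps with an unchanged xid are client retransmissions.
        s["gaps_s"] = [round((b - a).total_seconds(), 1)
                       for a, b in zip(t, t[1:])]
        if s["replies"]:
            s["verdict"] = REPLIED
        elif s["uplink"] is None:
            s["verdict"] = NOT_FLOODED
        else:
            s["verdict"] = NO_REPLY
    return out


if __name__ == "__main__":
    for (mac, xid), s in summarize(parse(SAMPLE)).items():
        print(mac, xid, len(s["discovers"]), "discovers, gaps", s["gaps_s"],
              "uplink", s["uplink"], "->", s["verdict"])
```

A `NO_REPLY` verdict with `uplink` showing `tagged: True, vlan: 172` means the AP did put the Discover on the wire in VLAN 172, so the next place to capture is the switch path between the AP port and the SVI carrying the IP helper.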