Wireless Access


Android phones can't get IP on reconnect...

  • 1.  Android phones can't get IP on reconnect...

    Posted Sep 22, 2015 04:55 PM

    I'm running a 3400 Controller on 6.4.2.6 with guests authenticating via captive portal.  Guest accounts are created in the local DB and DHCP for Guest is done on the controller.

     

    As of last week, I've been having some android users complaining that their phones are not able to get an address when connecting to my guest network (after being connected, leaving for lunch, and then coming back into the building typically).

     

    When I look in the controller, I see their session and the controller thinks they have an IP.  There is no traffic for the session, but it seems to be active.  As soon as I kill their session, they can connect again.

     

    The only change I could think of that may be causing this is that I changed the user idle timeout to 2 hours on my guest AAA profile.  Prior to that, it was set to 10 minutes, I believe - and users were complaining that they had to log in several times a day.

     

    Any help would be appreciated.

     

    Thanks!



  • 2.  RE: Android phones can't get IP on reconnect...

    EMPLOYEE
    Posted Sep 22, 2015 04:57 PM

    If your user idle timeout exceeds their lease, that could be what is happening.  The lease needs to be twice the user idle timeout.



  • 3.  RE: Android phones can't get IP on reconnect...

    Posted Sep 22, 2015 05:01 PM

    I just verified that the lease is 9 hours and idle timeout is 2 hours, so that's probably not it.



  • 4.  RE: Android phones can't get IP on reconnect...

    EMPLOYEE
    Posted Sep 22, 2015 05:05 PM

    @mmartin wrote:

    I just verified that the lease is 9 hours and idle timeout is 2 hours, so that's probably not it.


     

     

    What is the user role for your production users?  What is the output of "show rights <role>"?

     



  • 5.  RE: Android phones can't get IP on reconnect...

    EMPLOYEE
    Posted Sep 22, 2015 05:10 PM

    Have you got an 'any any svc-dhcp permit' at the top of the policy for that role?



  • 6.  RE: Android phones can't get IP on reconnect...

    Posted Sep 22, 2015 05:14 PM

    Production users?  You mean the guest users having an issue?  Or the role for internal users?



  • 7.  RE: Android phones can't get IP on reconnect...

    EMPLOYEE
    Posted Sep 22, 2015 05:16 PM

    The guest users having the issue after they have authenticated successfully.



  • 8.  RE: Android phones can't get IP on reconnect...

    Posted Sep 22, 2015 05:17 PM

    Derived Role = 'guest'
     Up BW:No Limit   Down BW:No Limit  
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     DPI Classification: Enabled
     Web Content Classification: Enabled
     ACL Number = 4/94
     Max Sessions = 65535

     Check CP Profile for Accounting = TRUE

     

    Do you want the ACLs too?



  • 9.  RE: Android phones can't get IP on reconnect...

    EMPLOYEE
    Posted Sep 22, 2015 05:20 PM

    yes



  • 10.  RE: Android phones can't get IP on reconnect...

    Posted Sep 22, 2015 05:24 PM

    (controller) #show rights guest            

    Derived Role = 'guest'
     Up BW:No Limit   Down BW:No Limit  
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     DPI Classification: Enabled
     Web Content Classification: Enabled
     ACL Number = 4/94
     Max Sessions = 65535

     Check CP Profile for Accounting = TRUE

    Application Exception List
    --------------------------
    Name  Type
    ----  ----

    Application BW-Contract List
    ----------------------------
    Name  Type  BW Contract  Id  Direction
    ----  ----  -----------  --  ---------

    access-list List
    ----------------                                  
    Position  Name                           Type     Location
    --------  ----                           ----     --------
    1         global-sacl                    session  
    2         apprf-guest-sacl               session  
    3         validuserethacl                eth      
    4         acme-block-1918              session  
    5         ra-guard                       session  
    6         acme-block-dhcp              session  
    7         acme-block-linklocal         session  
    8         acme-block-management        session  
    9         acme-block-local-debug-page  session  
    10        acme-guest-dns-nat           session  
    11        acme-guest-http-nat          session  
    12        acme-guest-icmp-nat          session  
    13        acme-guest-ios-gmail-nat     session  
    14        acme-guest-gplay-nat         session  
    15        acme-guest-ipsec-nat         session  
    16        acme-guest-gaming-nat        session  
    17        cplogout                       session  
    18        acme-drop-any                session  
    19        acme-drop-log                session  

    global-sacl
    -----------                                       
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    apprf-guest-sacl
    ----------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------

    ip access-list eth validuserethacl
      permit any

    acme-block-1918
    -----------------
    Priority  Source  Destination                 Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------                 -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         any     10.0.0.0 10.255.255.255     any                   deny                             Low                                                           4        
    2         any     172.16.0.0 255.248.0.0      any                   deny                             Low                                                           4        
    3         any     192.168.0.0 192.168.255.25  any                   deny                             Low                                                           4        
    ra-guard
    --------
    Priority  Source  Destination  Service           Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------           -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    any          icmpv6 rtr-adv                 deny                             Low                                                           6        
    acme-block-dhcp
    -----------------                                 
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    any          udp 68                deny               Yes           Low                                                           4        
    acme-block-linklocal
    ----------------------
    Priority  Source  Destination              Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------              -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         any     169.254.0.0 255.255.0.0  any                   deny                             Low                                                           4        
    acme-block-management
    -----------------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         any     controller   any                   deny               Yes           Low                                                           4        
    acme-block-local-debug-page
    -----------------------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    localip      any                   deny                             Low                                                           4        
    acme-guest-dns-nat
    --------------------
    Priority  Source  Destination  Service  Application  Action                            TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------                            ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    74.82.42.42  svc-dns               src-nat pool acme-av1-nat-pool                           Low                                                           4        
    2         user    8.8.8.8      svc-dns               src-nat pool acme-av1-nat-pool                           Low                                                           4        
    3         user    8.8.4.4      svc-dns               src-nat pool acme-av1-nat-pool                           Low                                                           4        
    acme-guest-http-nat
    ---------------------
    Priority  Source  Destination  Service    Application  Action                            TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------    -----------  ------                            ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    any          svc-https               src-nat pool acme-av1-nat-pool                           Low                                                           4        
    2         user    any          svc-http                src-nat pool acme-av1-nat-pool                           Low                                                           4        
    acme-guest-icmp-nat
    ---------------------
    Priority  Source  Destination  Service   Application  Action                            TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------   -----------  ------                            ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    any          svc-icmp               src-nat pool acme-av1-nat-pool                           Low                                                           4        
    acme-guest-ios-gmail-nat
    --------------------------
    Priority  Source  Destination  Service  Application  Action                            TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------                            ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    any          tcp 993               src-nat pool acme-av1-nat-pool                           Low                                                           4        
    2         user    any          tcp 465               src-nat pool acme-av1-nat-pool                           Low                                                           4        
    acme-guest-gplay-nat
    ----------------------
    Priority  Source  Destination  Service   Application  Action                            TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------   -----------  ------                            ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    any          tcp 5228               src-nat pool acme-av1-nat-pool                           Low                                                           4        
    acme-guest-ipsec-nat
    ----------------------
    Priority  Source  Destination  Service   Application  Action                            TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------   -----------  ------                            ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    any          udp 4500               src-nat pool acme-av1-nat-pool                           Low                                                           4        
    2         user    any          udp 500                src-nat pool acme-av1-nat-pool                           Low                                                           4        
    3         user    any          tcp 4500               src-nat pool acme-av1-nat-pool                           Low                                                           4        
    4         user    any          tcp 500                src-nat pool acme-av1-nat-pool                           Low                                                           4        
    acme-guest-gaming-nat
    -----------------------
    Priority  Source  Destination  Service    Application  Action                            TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------    -----------  ------                            ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         any     any          udp 2053                src-nat pool acme-av1-nat-pool                           Low                                                           4        
    2         any     any          tcp 10050               src-nat pool acme-av1-nat-pool                           Low                                                           4        
    3         any     any          tcp 9293                src-nat pool acme-av1-nat-pool                           Low                                                           4        
    4         any     any          udp 50000               src-nat pool acme-av1-nat-pool                           Low                                                           4        
    5         any     any          tcp 1119                src-nat pool acme-av1-nat-pool                           Low                                                           4        
    6         any     any          tcp 3724                src-nat pool acme-av1-nat-pool                           Low                                                           4        
    cplogout
    --------
    Priority  Source  Destination  Service    Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------    -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    controller   svc-https               dst-nat 8081                           Low                                                           4        
    acme-drop-any
    ---------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         any     any          any                   deny                             Low                                                           4        
    acme-drop-log
    ---------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         any     any          any                   deny               Yes           Low                                                           4        

    Expired Policies (due to time constraints) = 0

    (controller) #  



  • 11.  RE: Android phones can't get IP on reconnect...
    Best Answer

    EMPLOYEE
    Posted Sep 22, 2015 05:26 PM

    Mike mclarke says, "any any svc-dhcp permit" needs to be at the top of that, otherwise you will have DHCP problems like you have been having.  None of your rules explicitly allow DHCP when a user re-associates later.



  • 12.  RE: Android phones can't get IP on reconnect...

    Posted Sep 22, 2015 05:47 PM

    Ohh - so they are getting DHCP in the guest-logon role, but it's being blocked when they reassociate before their session times out?

     

    Makes sense.

     

    The guy before me has the deny udp 68 rule so guests can't give out DHCP.  Is that even effective though?  I don't believe I allow guest to guest communication.  Can I just delete that rule and allow DHCP at the top of the ruleset?



  • 13.  RE: Android phones can't get IP on reconnect...

    EMPLOYEE
    Posted Sep 22, 2015 05:49 PM
    You can put the udp 68 deny rule first, then the any any svc-dhcp permit rule next.


  • 14.  RE: Android phones can't get IP on reconnect...

    Posted Sep 22, 2015 05:53 PM

    Done.  I'm guessing that's going to resolve the issue.  Thanks for the blazing fast replies once again!



  • 15.  RE: Android phones can't get IP on reconnect...

    EMPLOYEE
    Posted Sep 23, 2015 02:38 AM

    Yeah, what happens is that when the devices wake up they remember their ip details and then do a unicast RENEW to the dhcp server, which you have blocked.
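
Added example, not part of the original thread: a simplified Python model of first-match evaluation over the guest role's session ACLs, showing where a unicast renew is dropped in the posted role and what the suggested rule order changes. The addresses, the `allow-dhcp` ACL name, the standard RFC 1918 ranges and svc-dhcp as udp 67-68 are assumptions; source matching is left out.

```python
import ipaddress
from collections import namedtuple

# A session rule reduced to the fields that matter here: destination
# networks, protocol, destination-port range and action.
Rule = namedtuple("Rule", "acl dst proto ports action")
Packet = namedtuple("Packet", "dst proto dport")

CONTROLLER = "192.168.50.1"  # constructed: guest gateway and DHCP server
ANY = ["0.0.0.0/0"]
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # assumed ranges

# Guest role as posted (ACLs that cannot match DHCP are left out).
ORIGINAL = [
    Rule("acme-block-1918", RFC1918, None, None, "deny"),
    Rule("acme-block-dhcp", ANY, "udp", (68, 68), "deny"),
    Rule("acme-block-management", [CONTROLLER + "/32"], None, None, "deny"),
    Rule("acme-guest-http-nat", ANY, "tcp", (443, 443), "src-nat"),
    Rule("acme-guest-http-nat", ANY, "tcp", (80, 80), "src-nat"),
    Rule("acme-drop-any", ANY, None, None, "deny"),
]

# svc-dhcp modelled as udp 67-68; "allow-dhcp" is a hypothetical ACL name.
PERMIT_DHCP = Rule("allow-dhcp", ANY, "udp", (67, 68), "permit")
BLOCK_DHCP = ORIGINAL[1]
REST = [r for r in ORIGINAL if r is not BLOCK_DHCP]

FIXED = [BLOCK_DHCP, PERMIT_DHCP] + REST        # order given in the thread
WRONG_ORDER = [PERMIT_DHCP, BLOCK_DHCP] + REST  # permit placed before the deny

def matches(rule, pkt):
    addr = ipaddress.ip_address(pkt.dst)
    if not any(addr in ipaddress.ip_network(n) for n in rule.dst):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    return rule.ports is None or rule.ports[0] <= pkt.dport <= rule.ports[1]

def evaluate(policy, pkt):
    """First matching rule wins; returns (action, ACL name)."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action, rule.acl
    return "deny", "implicit"

RENEW = Packet(CONTROLLER, "udp", 67)             # unicast renew to the server
DISCOVER = Packet("255.255.255.255", "udp", 67)   # broadcast from a client
ROGUE_OFFER = Packet("192.168.50.23", "udp", 68)  # guest answering as a server

if __name__ == "__main__":
    policies = [("original", ORIGINAL), ("fixed", FIXED), ("wrong order", WRONG_ORDER)]
    packets = [("renew", RENEW), ("discover", DISCOVER), ("rogue offer", ROGUE_OFFER)]
    for name, policy in policies:
        for label, pkt in packets:
            print(f"{name:12} {label:12} -> {evaluate(policy, pkt)}")
```

With the permit placed ahead of the udp 68 deny, the model lets a guest's DHCP server replies through, which is why the deny goes first.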

     

     



  • 16.  RE: Android phones can't get IP on reconnect...

    Posted Sep 23, 2015 01:08 PM

    Okay, that makes a lot of sense.

     

    Thanks for your help!



  • 17.  RE: Android phones can't get IP on reconnect...

    Posted Sep 22, 2015 05:03 PM
    Do you have enough available IP addresses?


  • 18.  RE: Android phones can't get IP on reconnect...

    Posted Sep 22, 2015 05:13 PM

    205 free leases.  Plus these clients already have a lease and an active session in the controller that lists an IP tied to their MAC.