Super Contributor II

Re: Client issue after changing from tunnel to bridge mode

Today we tried putting up a fresh new bridge SSID but the same error occurred for the few problematic clients. We've been exercising a lot of "cleaning out" of WLAN profiles using netsh interface reset commands etc., removing features and changing parameters in the VAP and SSID profile settings. All without any success.

 

We installed Wireshark and captured the exchange of the client trying to get an IP address; the result showed several DHCP requests going out but nothing coming back. As if it wasn't bad enough, a few more problematic clients arose when more people came back from summer vacation.

 

Any more guesses guys?

 

Tomorrow I'll involve the ISP who handles the IP-helper and DHCP server to see if they're receiving any DHCP requests and sending offers back.

 

Chris

Christoffer Jacobsson | Aranya AB
Aruba Partner Ambassador
Aruba: ACMX #537 ACCP ACDP | CWNP: CWNE #306
MVP Guru

Re: Client issue after changing from tunnel to bridge mode

Did you try adding that ACL rule?
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Super Contributor II

Re: Client issue after changing from tunnel to bridge mode

Sorry for the delayed response, yes I tried adding your suggested rule but experienced the same issue. We finally tried with an external USB NIC and that works perfectly.

 

My theory atm is that there's some cache somewhere in Windows that I haven't found yet that causes this behaviour. Anyway they're getting their clients redone at this office and my guess is that after a fresh install the bridge SSID will work.

 

Frustrating not to get to the bottom of the problem but I can only spend so much time on client issues :P

 

Thanks for all the input.

Christoffer Jacobsson | Aranya AB
Aruba Partner Ambassador
Aruba: ACMX #537 ACCP ACDP | CWNP: CWNE #306
Occasional Contributor I

Re: Client issue after changing from tunnel to bridge mode

I am having the exact same issue except with iPads in a school.  I need to get this resolved ASAP.  The DHCP is being done on a Cisco 3750 on the Bridged Vlan at the building. Some iPads connect but don't get an IP address; most connect just fine, though.

Super Contributor II

Re: Client issue after changing from tunnel to bridge mode

Hi jwoodworth90! It sounds like you're missing the client VLAN on the trunk ports to some of your APs. Double check that you've got all the VLANs tagged to the APs.

 

 

Christoffer Jacobsson | Aranya AB
Aruba Partner Ambassador
Aruba: ACMX #537 ACCP ACDP | CWNP: CWNE #306
Super Contributor II

Re: Client issue after changing from tunnel to bridge mode

I'm actually gonna post in this bad boy thread again. I "solved" this issue by implementing a split tunnel configuration where clients get IP addresses centrally and I route-src NAT everything destined for the local subnet, rest is tunneled. The couple of problematic clients worked fine in this configuration.

 

Today I got a call from one of the users at the site who claims she's been having issues with the wireless all the time. After troubleshooting a little bit, I see the same "double netmask" in the ipconfig with a Windows APIPA address that I explained in my first post. She claims there's another one with the same issue but I haven't verified it yet.

 

So now with the new split-tunnel configuration there are two new clients that experience the exact same issue as the other clients did before on the bridge configuration.

 

I found this in the user debug log that looks kind of suspicious:

<DBUG> |authmgr|  MAC=c4:85:08:b3:0d:5d (vlan:126) Detecting Wireless-user AAA-Profile mismatch or wireless<->wired roam

 

See the full user-debug logs for one authentication try attached. I can see some worrying entries about a logon role popping in at some stages.

 

Also I've attached the configuration of the user-role. This gets derived from successful 802.1X authentication per the AAA profile configuration.

 

Anyone have any ideas? Affecting 1 or 2 clients from about 20 total. We're up to Aruba OS 6.4.2.2 now on our M3.

 

Cheers,

Chris

Christoffer Jacobsson | Aranya AB
Aruba Partner Ambassador
Aruba: ACMX #537 ACCP ACDP | CWNP: CWNE #306
Guru Elite

Re: Client issue after changing from tunnel to bridge mode

Is there more than one access point at this site?

 

EDIT:

 

Your main problem here is that you need to have an "any any service dhcp permit" statement at the top of your ACL.  A DHCP request from a client will only hit rule 3, because DHCP does not have a destination that matches "Except-Company".  The user will then get no IP address and then end up in the user table with a 169.00 address.  Put a rule allowing DHCP at the top and see if it fixes this.

 

Split-Company-Local
---------------------
Priority  Source  Destination       Service  Application  Action         TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------       -------  -----------  ------         ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any               udp 68                deny                                    Low                                                           4
2         any     Except-Company  any                   permit                                  Low                                                           4
3         user    any               any                   route src-nat                           Low                                                           4

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
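The first-match behaviour described in the reply above can be reproduced with a small model of the posted Split-Company-Local ACL. This is an added example, not part of the original thread and not ArubaOS code; the 10.0.0.0/8 contents of the Except-Company alias, the UDP 67/68 definition of "service dhcp" and the sample packets are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the "Except-Company" alias; the real networks are not on the page.
ALIASES = {"Except-Company": [ipaddress.ip_network("10.0.0.0/8")]}

@dataclass(frozen=True)
class Rule:
    source: str   # "user" (the wireless client itself) or "any"
    dest: str     # "any" or an alias name
    proto: str    # "any" or "udp"
    dports: tuple # () means any destination port
    action: str

@dataclass(frozen=True)
class Packet:
    from_user: bool
    dst: str
    proto: str
    dport: int

def matches(rule, pkt):
    if rule.source == "user" and not pkt.from_user:
        return False
    if rule.dest != "any":
        addr = ipaddress.ip_address(pkt.dst)
        if not any(addr in net for net in ALIASES[rule.dest]):
            return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    return not rule.dports or pkt.dport in rule.dports

def first_match(acl, pkt):
    """Return (priority, action) of the first matching rule; implicit deny otherwise."""
    for prio, rule in enumerate(acl, start=1):
        if matches(rule, pkt):
            return prio, rule.action
    return None, "deny"

# The three rules of Split-Company-Local as posted.
POSTED = [
    Rule("user", "any", "udp", (68,), "deny"),
    Rule("any", "Except-Company", "any", (), "permit"),
    Rule("user", "any", "any", (), "route src-nat"),
]
# Suggested fix: a DHCP permit on top. Modelling "service dhcp" as UDP 67/68 is an assumption.
FIXED = [Rule("any", "any", "udp", (67, 68), "permit")] + POSTED

# Constructed packets: a client's broadcast DHCP DISCOVER and a flow to a company host.
DISCOVER = Packet(True, "255.255.255.255", "udp", 67)
TO_COMPANY = Packet(True, "10.1.2.3", "tcp", 443)
```

With the posted rules the DISCOVER falls through to rule 3 and is route src-NATed; with the permit on top it matches rule 1, and traffic to the alias still reaches its permit rule, now at priority 3.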
Super Contributor II

Re: Client issue after changing from tunnel to bridge mode

Hi Colin!

 

Yes, there are 5 AP-105:s at the site configured as remote APs and connected to local switches on access ports. 

Christoffer Jacobsson | Aranya AB
Aruba Partner Ambassador
Aruba: ACMX #537 ACCP ACDP | CWNP: CWNE #306
Guru Elite

Re: Client issue after changing from tunnel to bridge mode

Split-tunnel is not designed for roaming.  It is only designed for a single AP at a site.  You are better off using bridge mode, because whenever a split tunnel user roams, it is forced to reauthenticate all over again.  It is not seamless, because the firewall rules are contained within each access point and do not roam with them.  With bridge mode, if the access points are on the same VLAN, it will allow roaming and transfer the client's firewall state to the next access point.  Please use bridge mode instead.

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Super Contributor II

Re: Client issue after changing from tunnel to bridge mode

I understand, although bridge mode was what started this thread in the first place. I'd just go back to a more widely spread version of the issue. If we can somehow pinpoint what's causing this issue perhaps I can fix it and then revert to bridge mode again.

Christoffer Jacobsson | Aranya AB
Aruba Partner Ambassador
Aruba: ACMX #537 ACCP ACDP | CWNP: CWNE #306