Wireless Access

I'm troubleshooting a new Xbox One at one of my client's houses. During the Xbox setup, it sees the SSID, you enter the PSK, it attempts to connect & then displays an error, "Can't connect to your DHCP server". It then suggests that your router may be filtering MAC addresses.

We're running a 620 local controller (AOS 6.1.3.4-Airgroup) with 3x AP-105's. The master is a 620 running the same AOS. ALL AP's terminate to the local controller. No traffic is routed back to the master. We're using WPA2-PSK AES. Absolutely no mac filtering. Other devices (IOS, Android, HP...etc) have no issues connecting.

Here is some output from debug. So far I haven't had any luck finding a root cause for this. I'm inclined to think there is an issue with the Xbox, but the customer completely disagrees & it would be nice to have some proof. I would greatly appreciate any thoughts or suggestions.

===============================================================

(aructrl) (config) #logging level debugging user-debug 50:1a:c5:b1:ac:e0

(aructrl) #show log user 20

Jul 29 14:06:22 :501065: <DBUG> |stm| Sending STA c0:9f:42:10:84:e1 message to Auth and Mobility Unicast Encr WPA2 PSK AES Multicast Encr WPA2 PSK AES VLAN 0x2a, wmm:1, rsn_cap:c
Jul 29 14:06:22 :522036: <INFO> |authmgr| MAC=c0:9f:42:10:84:e1 Station DN: BSSID=6c:f3:7f:15:85:81 ESSID=Section_10 VLAN=42 AP-name=AP-HU-2
Jul 29 14:06:22 :500511: <DBUG> |mobileip| Station c0:9f:42:10:84:e1, 0.0.0.0: Received disassociation on ESSID: Section_10 Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name AP-HU-2 Group HU-House BSSID 6c:f3:7f:15:85:81, phy g, VLAN 42
Jul 29 14:06:22 :500010: <NOTI> |mobileip| Station c0:9f:42:10:84:e1, 255.255.255.255: Mobility trail, on switch <SCRUBBED>, VLAN 42, AP AP-HU-2, Section_10/6c:f3:7f:15:85:81/g
Jul 29 14:06:22 :522004: <DBUG> |authmgr| MAC=c0:9f:42:10:84:e1 ingress 0x10cf (tunnel 15), u_encr 32, m_encr 32, slotport 0x1020 , type: local, FW mode: 0, AP IP: 0.0.0.0
Jul 29 14:06:22 :522004: <DBUG> |authmgr| station free: bssid=6c:f3:7f:15:85:81, @=0x108e5014
Jul 29 14:06:22 :501000: <DBUG> |stm| Station c0:9f:42:10:84:e1: Clearing state
Jul 29 14:06:25 :501065: <DBUG> |stm| send_ageout_sta_ack 8369: Send ageout sta 50:1a:c5:b1:ac:e0 ack back to AP (192.168.77.199)
Jul 29 14:06:25 :501105: <NOTI> |AP AP-HU-1@192.168.77.199 stm| Deauth from sta: 50:1a:c5:b1:ac:e0: AP 192.168.77.199-6c:f3:7f:15:85:59-AP-HU-1 Reason STA has left and is deauthenticated
Jul 29 14:06:25 :501105: <NOTI> |stm| Deauth from sta: 50:1a:c5:b1:ac:e0: AP 192.168.77.199-6c:f3:7f:15:85:59-AP-HU-1 Reason STA has left and is deauthenticated
Jul 29 14:06:25 :501000: <DBUG> |AP AP-HU-1@192.168.77.199 stm| Station 50:1a:c5:b1:ac:e0: Clearing state
Jul 29 14:06:25 :501065: <DBUG> |stm| Sending STA 50:1a:c5:b1:ac:e0 message to Auth and Mobility Unicast Encr WPA2 PSK AES Multicast Encr WPA2 PSK AES VLAN 0x2a, wmm:1, rsn_cap:28
Jul 29 14:06:25 :522036: <INFO> |authmgr| MAC=50:1a:c5:b1:ac:e0 Station DN: BSSID=6c:f3:7f:15:85:59 ESSID=Section_10 VLAN=42 AP-name=AP-HU-1
Jul 29 14:06:25 :522004: <DBUG> |authmgr| MAC=50:1a:c5:b1:ac:e0 ingress 0x10d7 (tunnel 23), u_encr 32, m_encr 32, slotport 0x1023 , type: local, FW mode: 0, AP IP: 0.0.0.0
Jul 29 14:06:25 :522004: <DBUG> |authmgr| station free: bssid=6c:f3:7f:15:85:59, @=0x108e566c
Jul 29 14:06:25 :522004: <DBUG> |authmgr| MAC=50:1a:c5:b1:ac:e0 Send Station delete message to mobility
Jul 29 14:06:25 :501065: <DBUG> |AP AP-HU-1@192.168.77.199 stm| remove_stale_sta 1748: client 50:1a:c5:b1:ac:e0 not in stale hash table
Jul 29 14:06:25 :500511: <DBUG> |mobileip| Station 50:1a:c5:b1:ac:e0, 0.0.0.0: Received disassociation on ESSID: Section_10 Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name AP-HU-1 Group HU-House BSSID 6c:f3:7f:15:85:59, phy a, VLAN 42
Jul 29 14:06:25 :500010: <NOTI> |mobileip| Station 50:1a:c5:b1:ac:e0, 255.255.255.255: Mobility trail, on switch <SCRUBBED>, VLAN 42, AP AP-HU-1, Section_10/6c:f3:7f:15:85:59/a
Jul 29 14:06:25 :501000: <DBUG> |stm| Station 50:1a:c5:b1:ac:e0: Clearing state

===============================================================

Here you can see the Xbox send a disassociation

(aructrl) #show log user 20

Jul 29 14:06:22 :501065: <DBUG> |stm| Sending STA c0:9f:42:10:84:e1 message to Auth and Mobility Unicast Encr WPA2 PSK AES Multicast Encr WPA2 PSK AES VLAN 0x2a, wmm:1, rsn_cap:c
Jul 29 14:06:22 :522036: <INFO> |authmgr| MAC=c0:9f:42:10:84:e1 Station DN: BSSID=6c:f3:7f:15:85:81 ESSID=Section_10 VLAN=42 AP-name=AP-HU-2
Jul 29 14:06:22 :500511: <DBUG> |mobileip| Station c0:9f:42:10:84:e1, 0.0.0.0: Received disassociation on ESSID: Section_10 Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name AP-HU-2 Group HU-House BSSID 6c:f3:7f:15:85:81, phy g, VLAN 42
Jul 29 14:06:22 :500010: <NOTI> |mobileip| Station c0:9f:42:10:84:e1, 255.255.255.255: Mobility trail, on switch <SCRUBBED>, VLAN 42, AP AP-HU-2, Section_10/6c:f3:7f:15:85:81/g
Jul 29 14:06:22 :522004: <DBUG> |authmgr| MAC=c0:9f:42:10:84:e1 ingress 0x10cf (tunnel 15), u_encr 32, m_encr 32, slotport 0x1020 , type: local, FW mode: 0, AP IP: 0.0.0.0
Jul 29 14:06:22 :522004: <DBUG> |authmgr| station free: bssid=6c:f3:7f:15:85:81, @=0x108e5014
Jul 29 14:06:22 :501000: <DBUG> |stm| Station c0:9f:42:10:84:e1: Clearing state
Jul 29 14:06:25 :501065: <DBUG> |stm| send_ageout_sta_ack 8369: Send ageout sta 50:1a:c5:b1:ac:e0 ack back to AP (192.168.77.199)
Jul 29 14:06:25 :501105: <NOTI> |AP AP-HU-1@192.168.77.199 stm| Deauth from sta: 50:1a:c5:b1:ac:e0: AP 192.168.77.199-6c:f3:7f:15:85:59-AP-HU-1 Reason STA has left and is deauthenticated
Jul 29 14:06:25 :501105: <NOTI> |stm| Deauth from sta: 50:1a:c5:b1:ac:e0: AP 192.168.77.199-6c:f3:7f:15:85:59-AP-HU-1 Reason STA has left and is deauthenticated
Jul 29 14:06:25 :501000: <DBUG> |AP AP-HU-1@192.168.77.199 stm| Station 50:1a:c5:b1:ac:e0: Clearing state
Jul 29 14:06:25 :501065: <DBUG> |stm| Sending STA 50:1a:c5:b1:ac:e0 message to Auth and Mobility Unicast Encr WPA2 PSK AES Multicast Encr WPA2 PSK AES VLAN 0x2a, wmm:1, rsn_cap:28
Jul 29 14:06:25 :522036: <INFO> |authmgr| MAC=50:1a:c5:b1:ac:e0 Station DN: BSSID=6c:f3:7f:15:85:59 ESSID=Section_10 VLAN=42 AP-name=AP-HU-1
Jul 29 14:06:25 :522004: <DBUG> |authmgr| MAC=50:1a:c5:b1:ac:e0 ingress 0x10d7 (tunnel 23), u_encr 32, m_encr 32, slotport 0x1023 , type: local, FW mode: 0, AP IP: 0.0.0.0
Jul 29 14:06:25 :522004: <DBUG> |authmgr| station free: bssid=6c:f3:7f:15:85:59, @=0x108e566c
Jul 29 14:06:25 :522004: <DBUG> |authmgr| MAC=50:1a:c5:b1:ac:e0 Send Station delete message to mobility

===============================================================

Side note. Are these logs normal? I'm not sure why I'm seeing CPPM activity. I don't have Clearpass at all. This may be completely unrelated, but I thought I'd mention it.

(aructrl-hunt) #show log user 20

Jul 29 14:05:44 :527003: <DBUG> |mdns| CPPM mdns_aal_authenticate 297 No server available
Jul 29 14:05:44 :527003: <DBUG> |mdns| CPPM mdns_mac_auth_handler 1297 response; result:Fail, mac:64:76:ba:d6:24:36
Jul 29 14:05:44 :527003: <DBUG> |mdns| CPPM mdns_mac_auth_handler 1300 VP not set
Jul 29 14:05:46 :501106: <NOTI> |AP AP-HU-2@192.168.77.197 stm| Deauth to sta: c0:9f:42:10:84:e1: Ageout AP 192.168.77.197-6c:f3:7f:15:85:81-AP-HU-2 handle_sapcp
Jul 29 14:05:46 :501080: <NOTI> |AP AP-HU-2@192.168.77.197 stm| Deauth to sta: c0:9f:42:10:84:e1: Ageout AP 192.168.77.197-6c:f3:7f:15:85:81-AP-HU-2 Denied: AP Ageout
Jul 29 14:05:46 :501065: <DBUG> |stm| send_ageout_sta_ack 8369: Send ageout sta c0:9f:42:10:84:e1 ack back to AP (192.168.77.197)
Jul 29 14:05:46 :501065: <DBUG> |AP AP-HU-2@192.168.77.197 stm| store_stale_sta 1664: sta c0:9f:42:10:84:e1 saved to stale_sta_hash_table
Jul 29 14:05:46 :501114: <NOTI> |stm| Deauth from sta: c0:9f:42:10:84:e1: AP 192.168.77.197-6c:f3:7f:15:85:81-AP-HU-2 Reason 255
Jul 29 14:05:46 :501044: <NOTI> |stm| Station c0:9f:42:10:84:e1: No authentication found trying to de-authenticate to BSSID 6c:f3:7f:15:85:81 on AP AP-HU-2
Jul 29 14:05:46 :501065: <DBUG> |AP AP-HU-2@192.168.77.197 stm| remove_stale_sta 1758: sta c0:9f:42:10:84:e1 is freed and removed from stale_sta_hash_table
Jul 29 14:05:48 :527003: <DBUG> |mdns| CPPM mdns_amigopod_fetch 1116 single mac case : 64:76:ba:d6:24:36
Jul 29 14:05:48 :527003: <DBUG> |mdns| CPPM mdns_mac_authenticate 1435 MAC Authenticate; mac=64:76:ba:d6:24:36
Jul 29 14:05:48 :527003: <DBUG> |mdns| CPPM mdns_aal_authenticate 297 No server available
Jul 29 14:05:48 :527003: <DBUG> |mdns| CPPM mdns_mac_auth_handler 1297 response; result:Fail, mac:64:76:ba:d6:24:36
Jul 29 14:05:48 :527003: <DBUG> |mdns| CPPM mdns_mac_auth_handler 1300 VP not set
Jul 29 14:05:48 :527003: <DBUG> |mdns| CPPM mdns_amigopod_fetch 1116 single mac case : 24:a2:e1:e8:7e:f3
Jul 29 14:05:48 :527003: <DBUG> |mdns| CPPM mdns_mac_authenticate 1435 MAC Authenticate; mac=24:a2:e1:e8:7e:f3
Jul 29 14:05:48 :527003: <DBUG> |mdns| CPPM mdns_aal_authenticate 297 No server available
Jul 29 14:05:48 :527003: <DBUG> |mdns| CPPM mdns_mac_auth_handler 1297 response; result:Fail, mac:24:a2:e1:e8:7e:f3
Jul 29 14:05:48 :527003: <DBUG> |mdns| CPPM mdns_mac_auth_handler 1300 VP not set

===============================================================

Can you turn on DHCP debugging to see if it is actually getting an address?

logging level debugging network subcat dhcp

---

@cappalli wrote:

Can you turn on DHCP debugging to see if it is actually getting an address?

logging level debugging network subcat dhcp

 

---

Good point. I may have some of that output already, but if not I'll do that. Also, I should have mentioned, the DHCP server is the controller & we are nowhere near running out of leases. Less than 20 total devices at any given time.

Here is some dhcpd debug. I don't see the MAC address of the Xbox though.

======================================

Jul 29 14:04:53 :202544: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan42: ACK c0:9f:42:10:84:e1 clientIP=192.168.42.235
Jul 29 14:04:56 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x40 opcode 0x5a ingress 0x10d7 vlan 42 egress 0x2a src mac 84:38:35:e7:53:25
Jul 29 14:04:56 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan42: REQUEST 84:38:35:e7:53:25 reqIP=192.168.42.253 Options 37:0103060f77fc 39:05dc 3d:01843835e75325 33:0076a700 0c:436861726c65732d6950686f6e6535
Jul 29 14:04:56 :202523: <DBUG> |dhcpdwrap| |dhcp| dhcprelay: dev=eth1, length=300, from_port=68, op=1, giaddr=0.0.0.0
Jul 29 14:04:56 :202532: <DBUG> |dhcpdwrap| |dhcp| got 0 relay servers
Jul 29 14:04:56 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x42 opcode 0x5a ingress 0x0 vlan 42 egress 0x10d7 src mac 00:1a:1e:21:e7:b0
Jul 29 14:04:56 :202086: <INFO> |dhcpdwrap| netlink_arp_changed(): ker_mac 84:38:35:e7:53:25 pkt_mac 84:38:35:e7:53:25 cip 192.168.42.253
Jul 29 14:04:56 :202544: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan42: ACK 84:38:35:e7:53:25 clientIP=192.168.42.253
Jul 29 14:05:54 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x40 opcode 0x5a ingress 0x10cf vlan 42 egress 0x2a src mac c0:9f:42:10:84:e1
Jul 29 14:05:54 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan42: REQUEST c0:9f:42:10:84:e1 reqIP=192.168.42.235 Options 37:0103060f77fc 39:05dc 3d:01c09f421084e1 33:0076a700 0c:475257732d6950686f6e65
Jul 29 14:05:54 :202523: <DBUG> |dhcpdwrap| |dhcp| dhcprelay: dev=eth1, length=300, from_port=68, op=1, giaddr=0.0.0.0
Jul 29 14:05:54 :202532: <DBUG> |dhcpdwrap| |dhcp| got 0 relay servers
Jul 29 14:05:54 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x42 opcode 0x5a ingress 0x0 vlan 42 egress 0x10cf src mac 00:1a:1e:21:e7:b0
Jul 29 14:05:54 :202086: <INFO> |dhcpdwrap| netlink_arp_changed(): ker_mac c0:9f:42:10:84:e1 pkt_mac c0:9f:42:10:84:e1 cip 192.168.42.235
Jul 29 14:05:54 :202544: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan42: ACK c0:9f:42:10:84:e1 clientIP=192.168.42.235
Jul 29 14:06:01 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x42 opcode 0x5a ingress 0x1028 vlan 1 egress 0x1 src mac e0:2f:6d:6c:f6:d9
Jul 29 14:06:01 :202546: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: OFFER 00:23:ed:9e:67:f6 clientIP=10.5.17.237
Jul 29 14:06:03 :202541: <DBUG> |dhcpdwrap| |dhcp| Received DHCP packet from Datpath, sos msg hdr flags 0x42 opcode 0x5a ingress 0x1028 vlan 1 egress 0x1 src mac e0:2f:6d:6c:f6:d9
Jul 29 14:06:03 :202085: <DBUG> |dhcpdwrap| No arp entry for ip address 10.5.17.237 eth1.1
Jul 29 14:06:03 :202544: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: ACK 00:23:ed:9e:67:f6 clientIP=10.5.17.237

hi Clayton

what happens if you put a static ip address/gw/dns on the xbox as a test?

regards

-jeff

---

@jgoff wrote:

hi Clayton

what happens if you put a static ip address/gw/dns on the xbox as a test?

regards

-jeff

---

Jeff, good thought. We actually did try that & funny thing was the Xbox STILL gave the same error. Like I said, I'm fairly sure this is not an Aruba or network issue, but I was hoping to find definitive proof.

Does anyone have any idea what those deauth logs would indicate? My first thought was that perhaps the Xbox one didn't support WPA2-PSK AES, but according to the documentation it does & that would be whack if it didn't. 

hi Clayton

the log you added doesnt show the association , only the disassociation seemingly sent by the client (confirm with show ap remote debug mgmt-frames ap-name).

<missing the association msg>

Jul 29 14:06:22 :500511: <DBUG> |mobileip| Station c0:9f:42:10:84:e1, 0.0.0.0: Received disassociation on ESSID: Section_10 Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name AP-HU-2 Group HU-House BSSID 6c:f3:7f:15:85:81, phy g, VLAN 42

Typically if clients dont get IP (notwithstanding your static IP test) or cannot ping gateway IPs etc., then you may see a fixed amount of time between the assoc and disassoc each time you repeat the test.

Perhaps try a test on open ssid, together with DP packet capture to capture what is going on (6.3 and higher). This will capture both wlan frames (after they come out of GRE tunnel) and the packets that went into them - a sort of per client traffic mirror.

(sg-3200) #packet-capture destination ip-address 192.168.1.2
(sg-3200) #packet-capture datapath wifi-client 00:11:22:33:44:55 all

Alternatively if you think the problem might be at the wlan side of the AP, use the original ap packet capture (monitor -> access point -> packet capture, or use CLI as shown below). Only really helpful if the problem is at auth/assoc or if the opmode is set to open

(sg-3200) #ap packet-capture open-port 5555
(sg-3200) #ap packet-capture raw-start ap-name ap105-24:78 
Packet capture has started for pcap-id:2
(sg-3200) #

in both examples, 192.168.1.2 is some host running wireshark. In first example, the frames are all GRE encapsulated, in the second example they come in as UDP/5555 - if using a recent version of wireshark, decode-as Aruba_ERM.

If you dont have a wired host, then cut straight to the "packet-capture datapath" and set the destination to "local-filesystem" instead of an IP address, do the test, and then tar logs techsupport will contain the pcaps. May be the easiest way to get a remote capture of what the xbox is doing once it associates.

regards

-jeff

Thanks, Jeff. This is some troubleshooting I have not done before so I'm not entirely clear on the process, but I'll give it my best shot.