Wireless Access

Background info - Aruba 7010, AP 205's

 

So I have a VAP that will always deny connecting to it after 6pm on wednesdays. I have checked time ranges, and no time range like this exists. I added a backup VAP to the access point, and it works fine, but it doesn't have our captive portal assigned to it. What should I be digging for in my settings?

It's unclear what are you're asking.

Are you asking how to add your "captive portal" to the back up VAP or where to check if the other VAP is being disabled at that specific time?

---

@jrwhitehead wrote:
It's unclear what are you're asking.

Are you asking how to add your "captive portal" to the back up VAP or where to check if the other VAP is being disabled at that specific time?

---

I want to check to see if the other VAP is being disabled at that time. I have a time condition applied to the vap, but it is not erroneous. Are there other places to apply a time condition?

What version of ArubaOS is this?

Reboot the AP and see if it continues to happen.

Contact TAC and see if they know what your issue is.  There is not enough detail to determine what your problem is.

---

@cjoseph wrote:

What version of ArubaOS is this?

Reboot the AP and see if it continues to happen.

Contact TAC and see if they know what your issue is.  There is not enough detail to determine what your problem is.

---

6.4.3.7

Rebooting the AP has not fixed the issue in the past.

My org is a non-profit and we do not currently have a support contract.

---

@AaronDallaLonga wrote:

---

@cjoseph wrote:

What version of ArubaOS is this?

Reboot the AP and see if it continues to happen.

Contact TAC and see if they know what your issue is.  There is not enough detail to determine what your problem is.

---

6.4.3.7

Rebooting the AP has not fixed the issue in the past.

My org is a non-profit and we do not currently have a support contract.

---

We still need more detail:

 

- How long has this been happening?

- What kind of SSIDs do you have on that AP?

- What kind of devices do you have on that AP?

- How do you know that no devices can connect?

- Does this happen every wednesday?

- Have you put any devices into user debug and looked at what happens when you try to connect?

- Have you use the Aruba Utilities android app to see if the AP is broadcasting?

- Have you type "show ap bss-table" to see if that AP is broadcasting any SSIDs when it happens?

---

@cjoseph wrote:

---

@AaronDallaLonga wrote:

---

@cjoseph wrote:

What version of ArubaOS is this?

Reboot the AP and see if it continues to happen.

Contact TAC and see if they know what your issue is.  There is not enough detail to determine what your problem is.

---

6.4.3.7

Rebooting the AP has not fixed the issue in the past.

My org is a non-profit and we do not currently have a support contract.

---

We still need more detail:

 

- How long has this been happening?

- What kind of SSIDs do you have on that AP?

- What kind of devices do you have on that AP?

- How do you know that no devices can connect?

- Does this happen every wednesday?

- Have you put any devices into user debug and looked at what happens when you try to connect?

- Have you use the Aruba Utilities android app to see if the AP is broadcasting?

- Have you type "show ap bss-table" to see if that AP is broadcasting any SSIDs when it happens?

---

1. For a few months.

2. I have multiple kinds, the captive portal auth, a backup SSID for that which we implemented as a work-around (the backup SSID uses wpa-2 and always works), and a couple of hidden ones for printers and display TVs that also always work. The problem is only with the captive portal SSID.

3. It is a patron-facing AP in a library. Multiple types of phones and laptops.

4. When speaking to some patrons and library staff, The devices attempt to connect for about 60-90 seconds then fail with a cannot connect error message.

5. It happened last wednesday, but I have had it happen on other days of the week, but always after 6pm.

6. No.

7. The AP is for sure broadcasting without having to look into that (see #2)

8. See #7.

Does the problem resolve itself?

You should look at the dashboard to see the APs channel utilization when it happens.

You should also put a client into debug and try to connect when it happens.

The library closes 3 hours later at 9pm, but it usually stays down for the entire time. This morning it was working again. The problem always resolves itself yes.

 

I will check the AP utilization. As a note this library has 4 APs.

 

I will not be able to put a client into debug mode, as they do not appear on the client list during this issue.

Take a client that you know connects and put it into debug mode.  The move that client into the library and get it to connect to the Captive Portal, is what I meant.

Not too sure I understand how to do this. No clients connect during the issue to that specific SSID. If you mean to connect a client to the backup SSID and then manually move the clients connection to the faulty SSID, I do not know how to do that.

So no clients connect to the entire SSID in that period?  I would turn on user debugging for all users when that happens to get an idea what is going on:

 

config t

logging level debugging user

 

You can then type "show log user all" to see what is happening...

 

 

Alright. Next time it happens I will pull the logs and post them in a followup post in this thread. Thank you for your help so far. 

Hi. just got the same issue happening with a different SSID (but uses the same captive-portal schema)

 

http://pastebin.com/A49eDT3X

Thats a lot of logs! :D Whats the MAC address of a client that you was testing with? I've had a look found some items:

 

User failed to auth

 

Feb 22 12:55:16 :522275:  <ERRS> |authmgr|  User Authentication failed. username=24:00:ba:e4:04:12 userip=0.0.0.0 usermac=24:00:ba:e4:04:12 authmethod=MAC servername=Internal serverip=192.168.0.251 apname=SLS-BRO1 bssid=f0:5c:19:f7:03:e0

Client has auth + associated without issues

 

Feb 22 12:54:21 :501100:  <NOTI> |AP SLS-FOR1@192.168.3.103 stm|  Assoc success @ 12:54:21.635333: 28:be:03:8e:38:73: AP 192.168.3.103-f0:5c:19:f7:05:00-SLS-FOR1

---

@Craig Syme wrote:

Thats a lot of logs! :D Whats the MAC address of a client that you was testing with? I've had a look found some items:

 Client has auth + associated without issues

 

Feb 22 12:54:21 :501100:  <NOTI> |AP SLS-FOR1@192.168.3.103 stm|  Assoc success @ 12:54:21.635333: 28:be:03:8e:38:73: AP 192.168.3.103-f0:5c:19:f7:05:00-SLS-FOR1

---

Its this one. Client did not get an IP address. 

 

@cjospeh: PM'd

The only thing that comes to mind is if you did not exclude the default gateway ip address of those VLANs in your DHCP server.  If a device gets the default gateway by accident from the DHCP server, it could very well block all of the traffic.

---

@cjoseph wrote:

The only thing that comes to mind is if you did not exclude the default gateway ip address of those VLANs in your DHCP server.  If a device gets the default gateway by accident from the DHCP server, it could very well block all of the traffic.

---

Are either of these configurations where I would need to check for that? I have no exclusions in picture 1.

 

Is the default gateway the controller or another device for those two subnets?

 

Yes, that is where you would be excluding the ip address of the default gateway in the DHCP configuration..

---

@cjoseph wrote:

Is the default gateway the controller or another device for those two subnets?

 

Yes, that is where you would be excluding the ip address of the default gateway in the DHCP configuration..

---

The DHCP server is 192.168.100.1 on the controller, for vlan ID 100. The DHCP server is 192.168.0.6, a windows server 2008 DHCP/DNS server internally. The gateway, and master firewall, to the internet, is 192.168.0.1, which by the looks of things, isn't currently specified anywhere on the controller. Should I exclude my firewall/gateway IP in the excluded address range? Or should I exclude 192.168.100.1?

In general, you should exclude the default gateway address on the DHCP server that is serving up addresses.  If that is the controller, exclude the default gateway address from the DHCP server on the controller.  If your windows server is serving up addresses, you need to exclude the default gateway address from that scope, whatever it is.

 

Does that make sense?

---

@cjoseph wrote:

In general, you should exclude the default gateway address on the DHCP server that is serving up addresses.  If that is the controller, exclude the default gateway address from the DHCP server on the controller.  If your windows server is serving up addresses, you need to exclude the default gateway address from that scope, whatever it is.

 

Does that make sense?

---

Yes that makes sense, sorry I gave some extra info with my reply, the windows DHCP server doesn't actually serve addresses to the gateway. I have made the following adjustment:

 

 

---

@AaronDallaLonga wrote:

Hi. just got the same issue happening with a different SSID (but uses the same captive-portal schema)

 

http://pastebin.com/A49eDT3X

---

Nothing in the logs look unusual.  PM me your email address so I can take a look at your logs.tar with tech support.