DHCP fails to allocate Address

9mmurphy
Level 1

Everyone,

Here is the design.

4402 internal controller in data center

4402 DMZ Guest controller in data center

1242AP behind firewall at remote sites

I had this working, and then all of a sudden DHCP stops working for the clients.

The DHCP scope is defined on the DMZ controller. The DMZ controller is the anchor for the WLAN that the clients are connecting to. When this first started working, I assumed the DHCP requests from the internal controller were being sent across the EoIP tunnel between the two controllers. When the clients stopped getting DHCP IP assignments, I tracked it down to the initial request from the client now being sent outside the EoIP tunnel. I opened up the DMZ firewall to allow the UDP 67 traffic from the internal controller and I see the packets arrive at the DMZ controller, but they are dropped with the following message.

Jul 13 12:31:06.399 dhcpd.c:167 DHCP-6-SCOPE_NOT_FOUND: Dropping packet from 172.18.140.210 (unable to match to a dhcp scope)

I am not sure how I changed anything to have the DHCP/Bootps request to stop traversing the EoIP tunnel, but I think that is the root of my problem.

Anyone ever seen this, or have insight as to how to fix?

TIA!
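A simplified model of why the anchor logs SCOPE_NOT_FOUND, added here as an example and not code from the thread or from Cisco: a DHCP server matches a relayed request by the relay agent address, so a request that reaches the DMZ WLC directly from the foreign WLC's own address (172.18.140.210 in the log line above) matches no scope, while one delivered through the tunnel is seen from an address inside the DMZ dynamic-interface scope. The scope 10.10.3.0/24, the scope name and the function names are assumptions.

```python
import ipaddress
import re

# The dhcpd log line quoted in the original post, used here as sample input.
LOG_LINE = ("Jul 13 12:31:06.399 dhcpd.c:167 DHCP-6-SCOPE_NOT_FOUND: "
            "Dropping packet from 172.18.140.210 (unable to match to a dhcp scope)")

SCOPE_NOT_FOUND = re.compile(
    r"DHCP-6-SCOPE_NOT_FOUND: Dropping packet from (?P<src>(?:\d{1,3}\.){3}\d{1,3})"
)

# Constructed scope table for the anchor WLC: one scope for the DMZ dynamic
# interface range. 10.10.3.0/24 is an assumed value; the thread gives no subnet.
ANCHOR_SCOPES = {
    "dmz3-guests": ipaddress.ip_network("10.10.3.0/24"),
}


def relay_source(log_line):
    """Return the source address named in a SCOPE_NOT_FOUND line, or None."""
    m = SCOPE_NOT_FOUND.search(log_line)
    return m.group("src") if m else None


def select_scope(relay_addr, scopes):
    """Simplified scope selection for a relayed request (RFC 2131 style):
    the server picks the scope whose network contains the relay agent
    address. Returns the scope name, or None when nothing matches."""
    addr = ipaddress.ip_address(relay_addr)
    for name, net in scopes.items():
        if addr in net:
            return name
    return None


def diagnose(log_line, scopes):
    """Classify a drop: 'foreign-direct' when the relay address is outside
    every scope (the request bypassed the EoIP tunnel), 'matches:<scope>'
    when that address would have been served, None if the line is unrelated."""
    src = relay_source(log_line)
    if src is None:
        return None
    scope = select_scope(src, scopes)
    return "foreign-direct" if scope is None else f"matches:{scope}"


if __name__ == "__main__":
    print(diagnose(LOG_LINE, ANCHOR_SCOPES))          # foreign-direct
    print(select_scope("10.10.3.1", ANCHOR_SCOPES))   # dmz3-guests
```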

11 Replies

Scott Fella
Hall of Fame

What else do you see in the FW logs as being dropped? Open UDP port 97 also and make sure UDP port 16666 is open between the foreign WLC and the Guest WLC.

-UDP 16666 for tunnel control traffic

-UDP 16667 for encrypted traffic

-IP Protocol 97 for user data traffic

http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a00809a30cc.shtml#qa12

-Scott
*** Please rate helpful posts ***

I have confirmed that 16666 and 97 are in place and taking hits on the ACL. Plus I have performed eping, mping and ping from the command line and verified the mobility group membership on both controllers.

The version of code on the controllers is 4.2.130.0

Debugging the client on the internal controller, I see the DHCP request cycle through, but no packet is ever returned from the DMZ controller due to the error message in the original post.

Thanks

I have clients running 4.2.130 also and have no issues. Delete the scope from the DMZ wlc and recreate it. I assume you have the guest ssid on all controllers configured exactly the same and using the management interface?

-Scott
*** Please rate helpful posts ***

I do have the same WLAN defined on both wlc.

I have no scope defined on the internal wlc.

On the internal wlc for the wlan I have dhcp defined as the management interface of the DMZ wlc (anchor).

On the internal wlc I have the wlan interface defined as the management interface.

====

On the DMZ wlc the dhcp server is defined as the management interface.

On the DMZ wlc the wlan is defined as the dynamic lan terminating in the actual dmz for clients.

On the DMZ wlc the dhcp scope is defined for the range of the dynamic interface dmz ip range.

Q. Do I need to use the virtual ip address anywhere in this configuration? 1.1.1.1?

The virtual ip needs to be the same for all members in the mobility group. Do you have both port from the guest wlc connected to the dmz or do you have one port connected to the internal network and the other to the dmz?

-Scott
*** Please rate helpful posts ***

The guest wlc is configured like this

dynamic interface --> vlan3=dmz3

management/ap-mgnt interface --> vlan4=dmz4

Clients tunnel to the guest wlc via dmz4 and exit to dmz3 as nodes on the vlan.

The virtual interface has the same default IP on all controllers.

I did delete the scope and recreate it on the guest wlc.

I usually don't create a dynamic interface on the guest wlc. I map the guest ssid to the management since it is already in the dmz. So the only interface I have is the management, ap manager, virtual and service port. I have tried to create a dynamic interface just like you did, but never got it to work that way. Try mapping the guest ssid to the management and create a scope to see if that works for you. I haven't had time to play around with creating and using dynamic interfaces in the dmz....

-Scott
*** Please rate helpful posts ***

Q. This is on the DMZ Anchor wlc, under the WLAN/Edit/Advanced/DHCP Server = 1.1.1.1

Does this make sense? or should I have it assigned to the managment interface?

On the internal wlc, I have the DMZ wlc management interface defined for the same wlan.

Does that make sense also?

TIA

DHCP should be the management ip of the guest anchor. DHCP address on the management interface on the foreign controllers is usually set to your internal dhcp server. Once you change that on the wlan on the guest anchor, it should work. Again, I haven't been able to get this working with dynamic interfaces configured.

-Scott
*** Please rate helpful posts ***

Well,

I will have to get Cisco back in on Monday. They had it working and somehow I managed to hose up the DMZ guest WLC providing dhcp addresses from the internal wlc DHCP server.

I will post the resolution when I get this resolved.

Thanks for your help!

Let us know.... curious to see how they got it to work.

-Scott
*** Please rate helpful posts ***