4400 WLC - AP Client routing issue

Unanswered Question
Jul 15th, 2008

Cisco 4404 WLC

AP 1240 - LWAP

Wireless client receives a DHCP address from central DHCP server fine.

Unable to route outside of own subnet -

Continuous ARP WHO HAS (Default Gateway addr) TELL (client IP) messages being received

WLC running OS 4.2.99.0

If anyone can help with this problem it would be great. Thanks.

Scott Fella Tue, 07/15/2008 - 15:49

Well, the client receives an IP from a central site... So is the WLC located on that central site or not? If the APs are in local mode, then all client traffic will egress out of the WLC and into the switch the WLC is connected to. If the APs are H-REAP, then they will be placed out onto the local site where the AP is located.

How is everything set up? That makes it clear how you should have it configured.

WLC IP, WLC vlan, WLC location, Client IP, Client Vlan.... etc.

cbeaufoy Tue, 07/15/2008 - 16:02

WLC Mgmt 10.201.70.170 (vlan 1 on local office switch)

Client IP 10.201.71.36 (vlan 60 on local office switch with DHCP helper configured as overseas DHCP server). Default gateway 10.201.71.1

AP switch port set to VLAN 9 (AP Mgmt VLAN)

AP joins WLC, user authenticates OK via PEAP ACS server, DHCP address (10.201.71.36) received OK via MetaIP DHCP server. The following message is repeated in Wireshark:

ARP who has 10.201.71.1 Tell 10.201.71.36

Scott Fella Tue, 07/15/2008 - 16:31

Set up a DHCP scope on the WLC temporarily and see if the clients get an IP address and can route outside the subnet. Or configure a static IP and run a traceroute to an outside IP address and see where it fails. You can configure a port on the switch for VLAN 60, connect a laptop to it and see if you have any issues. Are you doing any NAT?

Scott Fella Tue, 07/15/2008 - 17:57

Okay, so routing works fine.... Now remove that and let the DHCP server hand out the IP address. When the user authenticates and gets an IP address, do an ipconfig and verify the settings.

cbeaufoy Tue, 07/15/2008 - 18:00

Yep - I can confirm that the DHCP server mask, gateway etc. are all correct.

Also - when using the same subnet on autonomous APs everything is fine. This only seems to be an issue on LWAPs.

cbeaufoy Tue, 07/15/2008 - 18:35

Yep - timeout.

And loads of ARP who has 'default-gateway' messages.

Scott Fella Tue, 07/15/2008 - 18:39

Almost like the configuration on the client when it gets an IP address is corrupt. You already tested that when you create a scope on the WLC it works. Try to configure this on the CLI: config dhcp proxy disable

cbeaufoy Tue, 07/15/2008 - 21:32

Tried that - but without the proxy enabled it can't get a DHCP address in any case.

Scott Fella Wed, 07/16/2008 - 04:00

Your management and ap-manager should be on the same VLAN and should be set to "0" for untagged, and if you are using VLAN 1, then you don't have to worry about the native VLAN. Post your show run-config... it makes it easier to verify your configuration.

cbeaufoy Wed, 07/16/2008 - 04:17

Thanks - yes, both mgr and ap-mgr are on VLAN 1 (untagged 0).

The attached config is how I left it with a locally configured WLC DHCP scope working.

Scott Fella Wed, 07/16/2008 - 04:26

Looks like when you had DHCP working was when you had the default gateway configured as 10.201.71.129, not 10.201.71.1, which you have on the other DHCP server overseas. You need to make sure the scope on the DHCP server looks like this:

Network 10.201.71.128

Netmask 255.255.255.128

Default Routers 10.201.71.129

cbeaufoy Wed, 07/16/2008 - 05:15

The subnet on the MetaIP DHCP server is 71.0/25 with DG 71.1

This is correct on the client machine when assigned using the WLC as a relay.

It also works fine when using autonomous APs and the MetaIP server.

This has really got me foxed and I've requested a brand new /24 scope on the DHCP server with the WLC added to the bind interface. This should rule out any anomalies with the 71.0/25 subnet. I hope to be able to test all this on Friday if the new subnet is assigned to me in time.

Thanks for your help. Please let me know if you have any other suggestions.
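As an added illustration (not code from the original thread), a small Python script that does two of the checks discussed above: it counts ARP who-has requests that never get a reply, as in the capture cbeaufoy posted, and it validates a lease's gateway against the client's own subnet, as in Scott's comparison of the 71.0/25 scope with the 71.128 one. The ARP sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the Wireshark-style wording used in the thread:
# three unanswered requests for the client's gateway, plus one answered
# request on another subnet for contrast.
SAMPLE_ARP = """\
ARP who has 10.201.71.1 tell 10.201.71.36
ARP who has 10.201.71.1 tell 10.201.71.36
ARP who has 10.201.71.1 tell 10.201.71.36
ARP who has 10.201.70.1 tell 10.201.70.170
ARP 10.201.70.1 is at 00:11:22:33:44:55
"""

WHO_HAS = re.compile(r"who has (\S+) tell (\S+)", re.IGNORECASE)
IS_AT = re.compile(r"^ARP (\S+) is at ", re.IGNORECASE)


def unanswered_arp(lines):
    """Return {(target, requester): count} for ARP requests whose target
    never replied anywhere in the capture. A high count for the default
    gateway is the symptom the original poster saw."""
    asked = Counter()
    answered = set()
    for line in lines:
        m = WHO_HAS.search(line)
        if m:
            asked[(m.group(1), m.group(2))] += 1
            continue
        m = IS_AT.search(line)
        if m:
            answered.add(m.group(1))
    return {key: n for key, n in asked.items() if key[0] not in answered}


def lease_problems(client_ip, netmask, gateway):
    """Check what ipconfig shows: the gateway must lie inside the client's
    subnet (and not be its network or broadcast address), otherwise the
    client's ARP for it can never be answered."""
    net = ipaddress.ip_network(f"{client_ip}/{netmask}", strict=False)
    gw = ipaddress.ip_address(gateway)
    problems = []
    if gw not in net:
        problems.append(f"gateway {gateway} is outside {net}")
    elif gw in (net.network_address, net.broadcast_address):
        problems.append(f"gateway {gateway} is not a host address in {net}")
    return problems


if __name__ == "__main__":
    print(unanswered_arp(SAMPLE_ARP.splitlines()))
    print(lease_problems("10.201.71.36", "255.255.255.128", "10.201.71.1"))
    print(lease_problems("10.201.71.36", "255.255.255.128", "10.201.71.129"))
```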

Scott Fella Wed, 07/16/2008 - 05:45

The thing is, what is the IP of the router local to the clients... 71.1 or not? You had 71.128, which, if that is the local gateway, then that is what the clients need to have. Just let me know what happens when you get a new scope.

cbeaufoy Thu, 07/17/2008 - 19:09

Hello,

Everything was correct, subnets, gateways etc. all as they should be.

The issue was caused by the WLAN AP Group Name being too long! I only discovered this as a last resort, and as soon as I gave it a simpler name the problem disappeared.

I've had a look around and can't find the max number of characters for a group name but am able to get 20 working. I'm surprised the WLC accepted the long name if it is actually invalid.

Cheers for your help.

iswanizan Mon, 10/24/2011 - 05:33

Hi,

I faced a problem with my WLC 4400 and RAP. Before this, my mesh network was working fine for a few months. But now my RAP (LWAPP1522) has not joined (status) the controller. It happened on 2nd Oct 2011. I checked the log and there are a few errors.

*Oct 24 23:13:58.850: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2171 Failed to complete DTLS handshake with peer 130.1.65.232

and this error too:

Controller time base status - Controller is out of sync with the central timebase.

Why does this happen? Please help me.

George Stefanick Mon, 10/24/2011 - 09:17

What controller code are you on?

What country domain is your WLC configured as?

What is the full part number of your AP?

Is your AP configured in the MAC address filter?

jasonchristophercobb Tue, 08/21/2012 - 07:33

WLC4404 - United States

Software Version 5.2.193.0

Hello, we are having a similar problem as above, where the new WLAN doesn't seem to be routing... but it's not related to name length (ours is only 6 characters). It almost seems like the new WLC interface (interface2) isn't configured for the same subnet that it's plugged into, but it is.

We actually have 2 WLANs. A lot of the original config was done before my time, between about 3 different people.

The original WLAN config works fine, but part of the problem is the WLC4404 was configured on our server VLAN, thus when a client gets an IP, they are placed on our main server VLAN.

Our WLC4404 is connected to our 6509 in our Datacenter, and we have dozens of PTP T1's to our remote offices, which all have WAPs.

On the WLC4404, I've configured a new interface on port 2, vlan404, and I have the new WLAN using that interface. The WLAN security is using WPA2, and authenticates via our Active Directory services.

The client wireless PC is able to connect to the WAP, but unable to connect to anything else. It can only ping the WLC4404 interface2 address, and nothing else. It does receive DHCP info (via WLC via Windows DHCP server), but cannot see the DHCP server.

From the WLC4404: I can telnet into the management IP address, and can ping PC's on the new WLAN, and anyplace else, except the vlan gateway ip address on the 6509.

From the 6509: when telnetted in, I can ping everything except interface2 of the WLC on vlan404 and the wireless PC. I am able to ping the IP address of the int for vlan404. The 6509 somewhat sees the WLC int2 and wireless PC. Show ARP | inc 404 from the 6509 shows the IPs of the VLAN int, WLC int2, and wireless PC. Show mac-add-tab | inc 404 shows the WLC and wireless PC on the same 6509 port.

From my work PC (via LAN) at a remote location: I can ping everything except Int2 on the WLC, and the wireless PC.

Posted July 15, 2008 at 3:16 PM