I have an anchor controller (4402) is running version 220.127.116.11 in our DMZ
The main service we use is a guest service which uses the anchor controller in the DMZ for access to the internet. Authentication is via the WEB re-direct feature. We currently have a subnet assigned to the Guest SSID with a 22 bit mask providing just over 1000 ip addresses to clients.
Change required (which were attemped).
1. Move the dhcp server to a dedicated dhcp server and off the anchor controller.
2. Increase the address space to /21 thereby providing about 2000 addresses for clients. (By changing the ip address mask on the SSID interface).
The provision of dhcp from the new dhcp server worked fine and clients were able to pick up dhcp addresses when they associated to the wireless SSID.
The problem was that only some clients were being re-directed to the web-redirect page for authentication. Any clients who were re-directed were able to authenticate correctly.
It appears that only some client's dns requests were being passed on from the anchor controller. A capture of packets between the anchor controller and the DMZ firewall did not pick up dns packets from an assiocated and connected client even when running dns queries manually from the wireless client.
A reboot of the controller did not make any difference.
Is there any throttling effect on dns queries which may have being implemented on the anchor controller by default once the subnet mask was increased? I noticed authentication successes of about 1 a minute while normally we would see authentication rates of 1 every couple of seconds.
Are there any bugs or known reason why an interface mask of /21 would be problematic on the controller?
We had to roll back the changes to the original configuration in order to bring the service back on-line.