No IP's with Aironet 1142N connected to ASA 5505

Unanswered Question
Feb 13th, 2012

Hi there! I'm probably missing something really simple but I have an Aironet 1142N autonomous AP connected to and receiving PoE from an ASA 5505 w/ Security + license. The AP is configured with two SSIDs, and has a management IP set, all utilizing different VLANs. My issue is that I cannot get an IP for either VLAN once connected. When tailing my DHCP server logs I see the DHCP discover message hit the server, the server offers an IP, but then nothing. As a test I trunked a switch to the same port on the ASA, plugged my computer into a configured switchport, and was able to get IPs for my VLANs just fine so I'm assuming that I'm missing something on the AP side.

My port configuration on the ASA is as follows:

interface Ethernet0/6
description Wireless-Network-Interface
switchport trunk allowed vlan 100,200,253
switchport trunk native vlan 253
switchport mode trunk

Below is my AP config:

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname AP
!
logging rate-limit console 9
enable secret
!
no aaa new-model
clock timezone est -5
clock summer-time edt recurring 1 Sun Mar 2:00 1 Sun Nov 2:00
no ip source-route
no ip domain lookup
ip domain name
!
!
dot11 mbssid
dot11 syslog
!
dot11 ssid Guest
   vlan 200
   max-associations 10
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii
!
dot11 ssid Internal
   vlan 100
   max-associations 7
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii
!
!
username
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 100 mode ciphers aes-ccm
!
encryption vlan 200 mode ciphers aes-ccm
!
broadcast-key vlan 100 change 500
!
broadcast-key vlan 200 change 500
!
!
ssid Guest
!
ssid Internal
!
antenna gain 0
station-role root
!
interface Dot11Radio0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
bridge-group 100 subscriber-loop-control
bridge-group 100 block-unknown-source
no bridge-group 100 source-learning
no bridge-group 100 unicast-flooding
bridge-group 100 spanning-disabled
!
interface Dot11Radio0.200
encapsulation dot1Q 200
no ip route-cache
bridge-group 200
bridge-group 200 subscriber-loop-control
bridge-group 200 block-unknown-source
no bridge-group 200 source-learning
no bridge-group 200 unicast-flooding
bridge-group 200 spanning-disabled
!
interface Dot11Radio0.253
encapsulation dot1Q 253 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 100 mode ciphers aes-ccm
!
encryption vlan 200 mode ciphers aes-ccm
!
broadcast-key vlan 100 change 500
!
broadcast-key vlan 200 change 500
!
!
ssid Guest
!
ssid Internal
!
antenna gain 0
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
bridge-group 100 subscriber-loop-control
bridge-group 100 block-unknown-source
no bridge-group 100 source-learning
no bridge-group 100 unicast-flooding
bridge-group 100 spanning-disabled
!
interface Dot11Radio1.200
encapsulation dot1Q 200
no ip route-cache
bridge-group 200
bridge-group 200 subscriber-loop-control
bridge-group 200 block-unknown-source
no bridge-group 200 source-learning
no bridge-group 200 unicast-flooding
bridge-group 200 spanning-disabled
!
interface Dot11Radio1.253
encapsulation dot1Q 253 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
!
interface GigabitEthernet0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
bridge-group 100 subscriber-loop-control
bridge-group 100 block-unknown-source
no bridge-group 100 source-learning
no bridge-group 100 unicast-flooding
bridge-group 100 spanning-disabled
!
interface GigabitEthernet0.200
encapsulation dot1Q 200
no ip route-cache
bridge-group 200
bridge-group 200 subscriber-loop-control
bridge-group 200 block-unknown-source
no bridge-group 200 source-learning
no bridge-group 200 unicast-flooding
bridge-group 200 spanning-disabled
!
interface GigabitEthernet0.253
encapsulation dot1Q 253 native
no ip route-cache
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.253.200 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.253.1
no ip http server
no ip http secure-server
ip radius source-interface BVI1
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
transport preferred none
transport input ssh
transport output ssh
!
end

Any help you guys can dish out would be greatly appreciated!!!!!!!!!

THANK YOU!!!!!!!

-Ken


nikhilcherian Mon, 02/13/2012 - 21:44

Exciting to hear about an AP connected directly to an ASA port.

Wondering if you have multiple VLANs enabled on the ASA port for the SSID?

Thanks

NikhiL

kennethdziok Tue, 02/14/2012 - 07:34

I do:

interface Ethernet0/6
description Wireless-Network-Interface
switchport trunk allowed vlan 100,200,253
switchport trunk native vlan 253
switchport mode trunk

daviwatk Mon, 02/13/2012 - 23:06

Your AP config looks solid. Since you are seeing "some" DHCP traffic (Discover, then server Offer), I would suggest a Wireshark capture directly on the client as an easy quick test. I'm curious if the OFFER arrives at the client. If you don't see the OFFER, then either:

1. The offer didn't make it to the AP (tough to "prove" directly connected)
2. The OFFER was not processed correctly by the AP
3. The AP did not transmit, over-the-air, the DHCP OFFER to the client.

It "seems" like the AP isn't receiving or processing the OFFER from the ASA. It's kind of tough to examine the packets being directly connected. The debugs are limited on the AP for the "client" traffic.

Wireshark on client

Over the Air Capture if not seeing OFFER at client.

kennethdziok Tue, 02/14/2012 - 07:42

Thanks for your reply and yeah, it's completely bizarre!!! I Wiresharked the wireless connection on my client side and the only thing I saw was the outgoing Discover broadcast traffic which repeated several times and then finally the 169 address traffic from my client. I'm not seeing anything coming back from the AP at all. I also did dumps off the interfaces on my ASA and I am actually seeing the Offer packets being sent to the correct interface but from there they seem to just vaporize! Just for shiggles, I'm gonna try the same config on another AP just to see what happens. I know it's pretty rare for it to be a device problem but I guess weirder things have happened!!!

Thanks!!!!!

kennethdziok Tue, 02/14/2012 - 15:51

So after taking a failing shot in the dark with another AP I decided to rebuild my config line by line. I started by getting it to work using only one SSID over a specific VLAN and management IP, then adding a second VLAN, etc etc. In the end I got it to work with a slightly modified config!!!!! I have attached a copy of my working config for reference or for anyone who may run into an issue like this in the future. Thanks!!!!!!!!!!!!
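The two-point capture comparison used in this thread (ASA interface dump versus Wireshark on the wireless client) can be automated; the following is an added example, not code from any poster. It assumes the DHCP UDP payloads have already been extracted from each capture, and the function names, MAC address and transaction ID are constructed for illustration.

```python
import struct

DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie at offset 236

def build_dhcp(msg_type, xid, mac):
    """Construct a minimal BOOTP/DHCP payload (sample data for this example)."""
    op = 1 if msg_type in (1, 3) else 2            # BOOTREQUEST / BOOTREPLY
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)
    hdr += b"\x00" * 16                            # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac + b"\x00" * 10                      # chaddr, padded to 16 bytes
    hdr += b"\x00" * 192                           # sname + file
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])

def parse_dhcp(payload):
    """Return (xid, client MAC, message type) or None if not a DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    xid = struct.unpack("!I", payload[4:8])[0]
    mac = payload[28:34].hex(":")
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:   # walk the TLV options
        if payload[i] == 0:                              # pad option, no length
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            return xid, mac, DHCP_TYPES.get(payload[i + 2], "OTHER")
        i += 2 + length
    return None

def stages_by_xid(payloads):
    """Map each transaction ID to the message types seen at one capture point."""
    seen = {}
    for p in payloads:
        parsed = parse_dhcp(p)
        if parsed:
            seen.setdefault(parsed[0], []).append(parsed[2])
    return seen

def offers_lost(upstream, client):
    """Transaction IDs whose OFFER was seen upstream but never at the client."""
    up, cl = stages_by_xid(upstream), stages_by_xid(client)
    return sorted(x for x, t in up.items() if "OFFER" in t and "OFFER" not in cl.get(x, []))

# Constructed sample: the ASA dump shows Discover/Offer pairs, the client only Discovers.
MAC = bytes.fromhex("020000000001")
ASA_SIDE = [build_dhcp(1, 0x1111, MAC), build_dhcp(2, 0x1111, MAC)] * 2
CLIENT_SIDE = [build_dhcp(1, 0x1111, MAC)] * 3
```

A non-empty result from `offers_lost(ASA_SIDE, CLIENT_SIDE)` places the loss between the upstream capture point and the client, which is the segment containing the AP.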

Posted February 13, 2012 at 6:48 PM
Tags: 5505, 1142n