Guest VLAN unable to get DHCP IP address from Anchor Controller

Unanswered Question
Feb 24th, 2012

Hello everybody,

In our test set up, we have two WLC 5508 Controllers connected via Checkpoint UTM-1 firewall Inside and DMZ Interfaces. Both the WLC controllers are connected to the firewall via Cisco 3750 switch. On the Local (Inside) Controller, guest SSID is enabled and attached to the wireless management Interface. On the remote anchor controller, guest SSID is enabled and attached to the Management Interface as well. The following configs are replicated on both the Controllers.

SSID Name - guest

Interface - Management ( VLAN 10 on Local and VLAN 20 on remote) -

Mobility Group: Same configs at both ends

SSID Anchor : Anchor SSID on local and local SSID on Anchor.

AP: CAPWAP 3502 Management Subnet

SSID Security etc all defaults and matching on  both ends

Checkpoint Firewall Rules: Allowed 16666-7, IP 97 etc on the firewall

Checkpoint Inside/DMZ to Outside(Internet) is NAT enabled.

EoIP Tunnel Status: Up, UP - Both ends

Mping - OK

eping - OK

WLC Software Version on Anchor - 7.0.98.0

WLC Software Version on Local - 7.0.116.0

DHCP Scope: Definitions on Anchor Controller and Guest Anchor SSID points to the Anchor management IP as the Primary DHCP server.

Management IP Subnet on Local: 10.x.x.x

Management IP Subnet on Anchor: 172.x.x.x

The problem definition as follows:

When guest SSID associates to the local AP, the guest SSID never gets a DHCP address assigned from the Anchor Controller and the following debugs are obtained.

1. WLAN ID 1 (for Guest SSID Number) delete message appears in the Controller message logs, but the SSID does not DHCP from the local Management Subnet and I can see the DHCP request via the tunnel to the Anchor WLC as follows:

DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 0, port 13, encap 0xec03)

*DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)

*DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0

*DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54774 (1237665652), secs: 42, flags: 0

*DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   chaddr: 64:b9:e8:33:2d:13

*DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0

*DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0

*DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to EoIP tunnel

2. Similar debugs on the Anchor controller yield the following results:

Cisco Controller) >*DHCP Socket Task: Feb 25 04:30:25.488: 64:b9:e8:33:2d:13 DHCP options end, len 72, actual 64

*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 20, port 1, encap 0xec05)

*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)

*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0

*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54778 (1237665656), secs: 52, flags: 0

*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   chaddr: 64:b9:e8:33:2d:13

*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0

*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0

*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS

*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 20, port 1, encap 0xec05)

*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)

*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0

*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54778 (1237665656), secs: 61, flags: 0

*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   chaddr: 64:b9:e8:33:2d:13

*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0

*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0

*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS

*apfOrphanSocketTask: Feb 25 04:37:49.931: 34:51:c9:59:b1:c7 Invalid MSCB state: ipAddr=169.254.254.148, regType=2, Dhcp required!

Is there anything missing in the wireless configs and/or the firewall rules, as I could not see the DHCP request back from the Anchor Controller? Also, after DHCP is obtained, the web authentication request will be redirected to an Amigopod device for authentication. In this case, is the redirect URL configuration to be performed only on the Anchor Controller, or is this to be replicated on both the Local and Anchor Controllers?

Thanks and Regards.

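The two debug captures above are the kind of output that ends up being eyeballed line by line. As an added example (not from the original post, Cisco, or any replier), this Python script groups WLC `debug dhcp` lines per client MAC and flags clients whose DISCOVERs were bridged onward without an OFFER ever coming back, which is the pattern visible in the anchor's log. The sample lines are constructed in the post's format; the healthy client aa:bb:cc:dd:ee:01 and its OFFER/REQUEST/ACK lines are assumed for contrast, not taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the WLC debug lines quoted in the post: a client whose
# DISCOVERs are bridged to the DS but never answered, one orphan-socket warning, and a
# constructed healthy client (aa:bb:cc:dd:ee:01) for contrast.
SAMPLE_LOG = """\
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54778 (1237665656), secs: 52, flags: 0
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS
*apfOrphanSocketTask: Feb 25 04:37:49.931: 34:51:c9:59:b1:c7 Invalid MSCB state: ipAddr=169.254.254.148, regType=2, Dhcp required!
*DHCP Socket Task: Feb 25 04:38:01.100: aa:bb:cc:dd:ee:01 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Feb 25 04:38:01.100: aa:bb:cc:dd:ee:01 DHCP successfully bridged packet to DS
*DHCP Socket Task: Feb 25 04:38:01.140: aa:bb:cc:dd:ee:01 DHCP processing DHCP OFFER (2)
*DHCP Socket Task: Feb 25 04:38:01.180: aa:bb:cc:dd:ee:01 DHCP processing DHCP REQUEST (3)
*DHCP Socket Task: Feb 25 04:38:01.220: aa:bb:cc:dd:ee:01 DHCP processing DHCP ACK (5)
"""

MAC_RE = re.compile(r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (.*)$", re.I)
MSG_RE = re.compile(r"DHCP processing DHCP (DISCOVER|OFFER|REQUEST|ACK|NAK)")
BRIDGE_RE = re.compile(r"successfully bridged packet to (.+)$")

def analyze(log_text):
    """Group debug lines per client MAC and classify each client's DHCP exchange."""
    clients = defaultdict(lambda: {"msgs": defaultdict(int), "bridged_to": set(),
                                   "dhcp_required": False})
    for line in log_text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue
        mac, rest = m.group(1).lower(), m.group(2)
        c = clients[mac]
        if mm := MSG_RE.search(rest):
            c["msgs"][mm.group(1)] += 1          # count DORA messages seen for this client
        if bm := BRIDGE_RE.search(rest):
            c["bridged_to"].add(bm.group(1).strip())  # "DS" or "EoIP tunnel"
        if "Dhcp required" in rest:
            c["dhcp_required"] = True            # apfOrphanSocketTask: client stuck awaiting DHCP
    for c in clients.values():
        msgs = c["msgs"]
        if msgs["ACK"]:
            c["verdict"] = "ok"          # full DISCOVER/OFFER/REQUEST/ACK exchange
        elif msgs["DISCOVER"] and not msgs["OFFER"]:
            c["verdict"] = "no_reply"    # request left the WLC, nothing came back: check the return path
        else:
            c["verdict"] = "incomplete"  # e.g. only the 'Dhcp required' warning was logged
    return dict(clients)
```

Run it against a real capture from both the foreign and the anchor WLC: a client marked `no_reply` on the anchor with `bridged_to == {"DS"}` points at the server or the path back to the anchor rather than at the EoIP tunnel.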
Stephen Rodriguez Fri, 02/24/2012 - 16:05

On the anchor you have DHCP proxy disabled. For the WLC to be the DHCP server, proxy has to be enabled.

Config DHCP proxy enable

Then try a client again

Steve

Sent from Cisco Technical Support iPhone App

mohankumarm Fri, 02/24/2012 - 16:09

Hi Stephen,

Thanks for the quick reply!! Yes, I have tried enabling the DHCP proxy feature, with no change in results unfortunately :).

Thanks and Regards,

Mohan

mohankumarm Fri, 02/24/2012 - 16:20

Hi Stephen,

Thanks again. I am not at work now, so I do not have access to the sites remotely, but I will try and get it done when I get a chance. By the way, is the proxy to be enabled on both the Controllers or just the Anchor? Also, could there be an issue with the Anchor running 7.0.98.0, as this version is currently used in their production environment? Our test setup runs 116 on Local and 98 on the Anchor.

Best Regards,

daviwatk Fri, 02/24/2012 - 16:33

You may be hitting CSCth68708 whereby a 7.0.98.0 WLC will stop handing out addresses for an internal DHCP scope.  I would highly suggest moving the anchor off of 7.0.98.0 to, say, 7.0.230.0, that way the potential bug is not in the equation.

Also, you must have both the anchor and foreign WLC DHCP Proxy configuration matching, just FYI.

1. Move anchor off of 7.0.98.0

2. Configure DHCP Proxy enabled at both foreign and anchor WLC

3. Test client

4. Post outputs from 'debug client ' from both WLCs during a connection attempt if client did not test successfully.

mohankumarm Fri, 02/24/2012 - 17:01

Thanks a lot David. I will upgrade the Controller and hopefully it should work!! I have also tried configuring a DHCP server on the upstream switch connected to the Anchor Controller (with DHCP proxy enabled on both the Controllers) but still get the same result. Anyway, I will upgrade the anchor to 7.0.116 or 7.0.230 and will post the outputs if it does not test successfully.

Also, once DHCP is obtained, in order to redirect web authentication to an Amigopod external server, does the redirect URL Layer 3 security configuration for the guest SSID have to match on both the controllers, or is this to be configured only on the Anchor Controller?

Best Regards,

Mohan

daviwatk Tue, 02/28/2012 - 10:46

L3 security for foreign/anchor is processed at the anchor.

mohankumarm Tue, 02/28/2012 - 13:10

The DHCP issue is resolved if an external DHCP server is configured on a 3750 switch connected to the WLC and the default gateway for DHCP points to the Firewall, which is in the data path between the Inside and Anchor Controllers. DHCP is essentially bridged (no Proxy setting now) from the EoIP tunnel to the Distribution System network. We will test this solution on pilot production and then consider upgrading to 7.0.116.0, as there are about six offices running 7.0.98.0, which will need to be upgraded.

For L3 security, configuration is set up on both the controllers for external captive portal redirection. I will try this only on the Anchor and revert.

Thanks again very much for all your help.

Stephen Rodriguez Fri, 02/24/2012 - 16:11

On the anchor can you do a debug client < Mac address > with proxy enabled

Sent from Cisco Technical Support iPhone App
