Duplicated IP error on some clients

Answered Question
May 5th, 2012

Hello, dear all.

We have a typical deployment with WLC550x (7.0.116.0) and 16 APs (AIR-LAP1242G-E-K9) placed on the same site. The WLC is connected to a 3560 (with LAG and DHCP relay), and all wireless clients (Motorola MC3100 handheld PCs) work with the same WPA2-PSK SSID. All APs are configured as an HREAP group and the SSID has local switching and auth settings. The DHCP server for clients runs on a Windows 2008r2 failover cluster; APs give addresses from the WLC built-in server.

Almost everything works great. But sometimes some clients go insane. After wake-up, they show a duplicate IP error and won't connect to the network. On the DHCP server this IP is shown as leased to the client MAC (without any errors and so on).

Client reboot won't resolve this issue.

After reboot the client tries another DHCP address (after marking DHCP decline message) but also without luck, with the same error and another IP.

All this looks like a client-side problem. But when I try debug arp on the root switch 3560 I get the following situation.

After client wake-up

*Apr 10 18:44:32.773: IP ARP: rcvd req src 10.116.51.59 0023.68cb.a8fc, dst 10.116.51.59 Vlan51

*Apr 10 18:44:32.782: IP ARP: rcvd req src 10.116.51.59 0023.68cb.a812, dst 10.116.51.59 Vlan51

After reboot

*Apr 10 19:16:40.123: IP ARP: rcvd req src 10.116.51.24 0023.68cb.a8fc, dst 10.116.51.24 Vlan51

*Apr 10 19:16:40.131: IP ARP: rcvd req src 10.116.51.24 0023.68c9.a29b, dst 10.116.51.24 Vlan51

*Apr 10 19:16:40.459: IP ARP: rcvd req src 10.116.51.27 0023.68cb.a8fc, dst 10.116.51.27 Vlan51

*Apr 10 19:16:40.467: IP ARP: rcvd req src 10.116.51.27 0023.68cb.a9b6, dst 10.116.51.27 Vlan51

Where 0023.68cb.a8fc is the problem client MAC and 0023.68cb.a812, 0023.68cb.a9b6, 0023.68c9.a29b are MACs of other fully working clients (with other IP addresses).

Looks like another client (or ?? AP or controller) sends an ARP request with the same IP right after the problem client. How is this possible?

I'd appreciate any opinions and comments!
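The pattern in the `debug arp` output above (the same IP announced by two different MACs within milliseconds) can be flagged automatically. This is an added example, not part of the original post; the 1-second window, the year used to parse timestamps and the function names are assumptions.

```python
import re
from datetime import datetime

YEAR = 2012  # assumption: IOS debug timestamps carry no year; the thread dates from 2012

# Constructed sample: `debug arp` lines quoted in this thread (3560, Vlan51).
SAMPLE = """\
*Apr 10 18:44:32.773: IP ARP: rcvd req src 10.116.51.59 0023.68cb.a8fc, dst 10.116.51.59 Vlan51
*Apr 10 18:44:32.782: IP ARP: rcvd req src 10.116.51.59 0023.68cb.a812, dst 10.116.51.59 Vlan51
*Apr 10 19:16:40.123: IP ARP: rcvd req src 10.116.51.24 0023.68cb.a8fc, dst 10.116.51.24 Vlan51
*Apr 10 19:16:40.131: IP ARP: rcvd req src 10.116.51.24 0023.68c9.a29b, dst 10.116.51.24 Vlan51
*Apr 10 19:16:40.459: IP ARP: rcvd req src 10.116.51.27 0023.68cb.a8fc, dst 10.116.51.27 Vlan51
*Apr 10 19:16:40.467: IP ARP: rcvd req src 10.116.51.27 0023.68cb.a9b6, dst 10.116.51.27 Vlan51
*Apr 10 20:43:40.924: IP ARP: rcvd req src 10.116.51.27 0023.68cb.a8fc, dst 10.116.51.27 Vlan51
*Apr 10 20:43:40.949: IP ARP: rcvd req src 10.116.51.27 0023.68cb.a8fc, dst 10.116.51.27 Vlan51
"""

LINE = re.compile(
    r"\*(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): IP ARP: rcvd req "
    r"src (?P<src>[\d.]+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}), "
    r"dst (?P<dst>[\d.]+) (?P<vlan>\S+)"
)

def parse(text):
    """Yield (timestamp, vlan, ip, mac) for ARP requests where src IP == dst IP."""
    for m in LINE.finditer(text):
        if m["src"] != m["dst"]:
            continue  # ordinary resolution request, not an address claim/probe
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        yield ts, m["vlan"], m["src"], m["mac"]

def find_conflicts(text, window=1.0):
    """Return (ip, first_mac, second_mac, delta_ms) when two different MACs
    claim the same IP on the same VLAN within `window` seconds."""
    seen = {}  # (vlan, ip) -> list of (timestamp, mac)
    conflicts = []
    for ts, vlan, ip, mac in parse(text):
        for prev_ts, prev_mac in seen.get((vlan, ip), []):
            delta = (ts - prev_ts).total_seconds()
            if prev_mac != mac and 0 <= delta <= window:
                conflicts.append((ip, prev_mac, mac, round(delta * 1000)))
        seen.setdefault((vlan, ip), []).append((ts, mac))
    return conflicts

if __name__ == "__main__":
    for ip, first, second, ms in find_conflicts(SAMPLE):
        print(f"{ip}: claimed by {first}, then by {second} after {ms} ms")
```

Repeated claims from the same MAC, as in the last two sample lines, are not reported.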

valeriy.nebogin Sat, 05/05/2012 - 05:58

Looks like the problem is related to the controller, because after a WLC reboot the problem is temporarily solved.

*Apr 10 20:43:40.924: IP ARP: rcvd req src 10.116.51.27 0023.68cb.a8fc, dst 10.116.51.27 Vlan51

*Apr 10 20:43:40.949: IP ARP: rcvd req src 10.116.51.27 0023.68cb.a8fc, dst 10.116.51.27 Vlan51

*Apr 10 20:43:41.956: IP ARP: rcvd req src 10.116.51.27 0023.68cb.a8fc, dst 10.116.51.27 Vlan51

And the client successfully receives IP 10.116.51.27.

Correct Answer
Scott Fella Sat, 05/05/2012 - 07:50

I had a client that had the same issues on certain laptops and they had to tweak the power save setting on the device.  Now I'm not a big fan of upgrading code, but 7.0.230.0 has worked better in my deployments than the other previous 7.0.x versions.  One thing you can also try is to enable passive mode in the wlan to see if that helps with your devices.

So to understand your setup, you have the WLC and APs in the same site, but instead of running the APs in local mode, you have them in h-reap. And all APs are in one h-reap group and you are not using 802.1x?

valeriy.nebogin Sun, 05/06/2012 - 00:13

Thanks for the advice. I will try to upgrade the WLC.

Yes, we use HREAP locally for survivability (when/if the controller dies). We don't use 802.1x now, but plan it for another service with a dedicated SSID (for laptop access to the corporate network).

Scott Fella Sun, 05/06/2012 - 06:50

Just note that h-reap groups only benefit if you're doing 802.1x and cckm/okc.

Sent from Cisco Technical Support iPhone App

valeriy.nebogin Wed, 10/24/2012 - 06:34

For some reason, the problem was postponed until now. All this time, the system has worked successfully in h-reap mode, with a disabled controller. Now, while waiting for our service contract delivery (to try to update the controller), I began to investigate the issue in more detail.

In syslog I have the following indication of the problem.

Oct 24 12:55:55 10.116.50.11 idp16.wlc5502: *dtlArpTask: Oct 24 12:55:58.492: %APF-6-MOBILE_NOT_EXCLUDED: apf_ms.c:4344 Could not exclude the mobile 00:23:68:cb:a7:f1.

Oct 24 12:55:55 10.116.50.11 idp16.wlc5502: *dtlArpTask: Oct 24 12:55:58.492: %APF-4-REGISTER_IPADD_ON_MSCB_FAILED: apf_foreignap.c:1487 Could not Register IP Add on MSCB. Identity theft alert for IP address. Address:00:23:68:cb:a7:f1

All client exclusion options are disabled on the WLC. The Learning IP option is also disabled for the WLAN.

An example of "debug client" for one client is attached.

        http://pastebin.com/hQAbtWJa

valeriy.nebogin Tue, 12/11/2012 - 02:04

Upgrading the WLC to 7.0.235.3 code won't help me resolve the problem.

After 24 hours of work clients again display a warning about duplicated IPs.

And the WLC log contains the following error again:

Dec 11 13:49:46 10.116.50.11 idp16.wlc5502: *dtlArpTask: Dec 11 13:49:48.301: %APF-4-REGISTER_IPADD_ON_MSCB_FAILED: apf_foreignap.c:1504 Could not Register IP Add on MSCB. Identity theft alert for IP address. Address:00:23:68:cb:a9:87

I don't know what to do next.

Scott Fella Tue, 12/11/2012 - 05:35

You have passive mode enabled on the WLAN. Maybe also disable the session timeout on the WLAN. Also increase the idle timeout to 14400 and see if it helps. What is your DHCP lease time on these devices?

valeriy.nebogin Tue, 12/11/2012 - 11:25

Thanks for the suggestions, Scott.

DHCP lease time = 8 hours.

Session timeout is already disabled in WLAN - Advanced settings. All exclusion policies are also disabled globally.

I will try to increase Controller > User Idle Timeout (seconds) from the default 300 to 14400.

I can't enable the "passive client" feature because it requires Multicast mode, but only Unicast mode is supported with H-REAP.

Scott Fella Tue, 12/11/2012 - 21:20

I'm thinking it's a client side issue then. I don't think there are any other changes you can make to stabilize the issue.

valeriy.nebogin Tue, 12/11/2012 - 22:15

Why do you think so?

A reboot of the controller resolves the problem for some time.

Clients work flawlessly when the controller is disconnected from the network and the APs are in H-REAP mode. Also the same clients (handheld PC models) work in online mode with a WLC 4400 without problems.

There are two differences in this deployment:

1. WLC 5500 and 7.0 major release

2. APs in H-REAP mode and WLAN configured as locally switched

From my point of view the problem is related to incorrect controller behavior (or I think so).

The process of obtaining IP addresses is interrupted by the controller for some unclear reason.

1. Client obtains an IP address from DHCP without a problem (via DHCP relay on 3750)

2. Client checks that no one uses it by sending an ARP request "ARP Who has address (leased from DHCP address here)"

3. No response means that the address is free.

4. Controller interrupts the process by sending an ARP response "ARP (leased from DHCP address here) used by (MAC of one of the clients that used it in the past)"

5. After this the client shows a duplicated IP error.

6. Controller log message

%APF-4-REGISTER_IPADD_ON_MSCB_FAILED:apf_foreignap.c:1504 Could not Register IP Add on MSCB. Identity theft alert for IP address. Address:00:23:68:cb:a9:87

I think this means the controller failed to update some internal table with the new IP-MAC pair and prevents the client from working.

But how to disable such controller behavior I don't know.

I disabled controller DHCP proxy, I disabled client IP learning in WLAN settings, I disabled any exclusion policies.

Scott Fella Wed, 12/12/2012 - 04:11

What if you disable the WLAN and enable the WLAN? Does that fix your issues. If you set a static address in the devices does that help?


Scott Fella Thu, 12/13/2012 - 19:18

You ever find the issue... if not, what do you have your idle timeout set at and how long is your dhcp lease?

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

Scott Fella Thu, 12/13/2012 - 21:38

Never mind, I did see you had the DHCP lease set for 8 hours and the idle timeout set for 300 seconds. Just ran into a similar issue and the idle timeout was causing issues when set high. It was keeping the device's information but DHCP was handing out addresses to cause a duplicate error on the WLC.

valeriy.nebogin Thu, 12/13/2012 - 21:59

After disabling local switching and auth for the WLAN, the WLC has worked without the %APF-4-REGISTER_IPADD_ON_MSCB_FAILED error for more than 24 hours and clients didn't receive duplicated address errors. This won't prove anything, but usually the error occurs earlier. I will wait an additional 48 hours or more before any conclusions.

But some clients notice connection freezes (they work with RDP) and even connection losses. This can also be related to the wireless network our neighbours are deploying now.

I will try to disable and re-enable the WLAN after the experiment with disabling HREAP.

valeriy.nebogin Thu, 12/20/2012 - 03:48

Definitely this problem is related to HREAP. Proved that disabling local switching for the WLAN resolves the problem.

I think this may be a design error, because the WLC interfaces and APs are placed in the same broadcast domains. That definitely is not a typical hreap deployment.

But why does it work flawlessly for a day or two?

valeriy.nebogin Sat, 04/27/2013 - 04:26

Problem resolved by correcting the design. I'd remove WLC interfaces from WLANs. And now the system works almost flawlessly.

Posted May 5, 2012 at 5:13 AM