
New Member

ASA as DHCP server for WLC2106 and LAP

Hi,

First off, I apologize for asking something that seems to have been asked before, but I am getting conflicting answers and wanted someone to give a definitive answer.

Setup:

     ASA5505  ---------------- WS-C3750G -----------------WLC2106  -------------------------------AIR-LAP1131

(DHCP SERVER)           (simple config)          (dhcp proxy disabled)           (is requesting dhcp from ASA)

 

ASA5505 - ASA 8.2(1)

WLC2106 - 7.0.98.0 (tried 6.0.99.4 as well)

AIR-LAP1131 - 12.4(23c)JA

Problem:

The ASA5505 is giving addresses to multiple devices. I tested it with the AP plugged directly into the ASA and it worked great.  The problem is that the WLC2106 seems to be altering the DHCP requests somehow and thus making the ASA5505 not respond to them.  The AP gets an IP address and associates to the WLC if plugged into the 3750, or the ASA directly.  Just not when plugged into the WLC2106 ports.

Research:

https://supportforums.cisco.com/message/1268269#1268269

https://supportforums.cisco.com/message/3037259#3037259

https://supportforums.cisco.com/message/1302468#1302468

https://supportforums.cisco.com/message/926529#926529

I have read quite a few posts with people basically saying you cannot use the ASA as the DHCP server with the WLC because of how the WLC relays the requests.  BUT: (this is important)  There are some documents that say with WLC version 4.2 and above you have the option of turning off DHCP proxy mode to enable bridging mode, thus eliminating the problem, and all DHCP requests get forwarded without modification.  Please see here for the suggested solution to this issue:

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080af5d13.shtml#topic2

*Interoperability issues can exist between a controller with DHCP proxy enabled and devices acting as both a firewall and DHCP server. This is most likely due to the firewall component of the device as firewalls generally do not respond to proxy requests. To work around this issue, disable DHCP proxy on the controller.

Help please:

I have tried this but maybe I'm missing something.  I have tried with proxy enabled and disabled.  Can anyone verify this is supposed to work for me please?  I input "config dhcp proxy disable" and verified proxy is now disabled.  Yet I do not see any responses from my DHCP server to my AP's requests when going through the WLC.  It works fine when plugging the AP into the ASA or 3750.  DHCP server is working.  Is the above suggested workaround not a valid solution?  Did I miss something?  Do I need specific software versions on my devices?  Is this a bug in my software versions?

Any help is greatly appreciated.  Let me know if anyone has questions.  Thanks,

Kyle

9 REPLIES
Cisco Employee

Re: ASA as DHCP server for WLC2106 and LAP

When you plug the AP behind the WLC, do you see the DHCP request reaching the ASA ?

Nicolas

New Member

Re: ASA as DHCP server for WLC2106 and LAP

I do not see any debug output on the ASA5505 when the AP is connected through the WLC.  Debug output from WLC2106 below:


(Cisco Controller) >show debug

MAC debugging .............................. disabled

Debug Flags Enabled:
  dhcp packet enabled.

(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >show dhcp proxy

DHCP Proxy Behaviour: disabled bootp-broadcast disabled

(Cisco Controller) >
(Cisco Controller) >*DHCP Socket Task: Nov 16 10:56:39.931: 00:1d:a1:ed:c8:d4 DHCP received op BOOTREQUEST (1) (len 310,vlan 0, port 8, encap 0xec00)
*DHCP Socket Task: Nov 16 10:56:39.932: 00:1d:a1:ed:c8:d4 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Nov 16 10:56:39.932: 00:1d:a1:ed:c8:d4 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Nov 16 10:56:39.932: 00:1d:a1:ed:c8:d4 DHCP   xid: 0x126b (4715), secs: 0, flags: 80
*DHCP Socket Task: Nov 16 10:56:39.932: 00:1d:a1:ed:c8:d4 DHCP   chaddr: 00:1d:a1:ed:c8:d4
*DHCP Socket Task: Nov 16 10:56:39.933: 00:1d:a1:ed:c8:d4 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
*DHCP Socket Task: Nov 16 10:56:39.933: 00:1d:a1:ed:c8:d4 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Socket Task: Nov 16 10:56:39.933: 00:1d:a1:ed:c8:d4 DHCP dropping REQUEST from STA with invalid mobility state 'Unassociated' (0)
*DHCP Socket Task: Nov 16 10:56:42.939: 00:1d:a1:ed:c8:d4 DHCP received op BOOTREQUEST (1) (len 310,vlan 0, port 8, encap 0xec00)
*DHCP Socket Task: Nov 16 10:56:42.940: 00:1d:a1:ed:c8:d4 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Nov 16 10:56:42.940: 00:1d:a1:ed:c8:d4 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Nov 16 10:56:42.940: 00:1d:a1:ed:c8:d4 DHCP   xid: 0x126b (4715), secs: 0, flags: 80
*DHCP Socket Task: Nov 16 10:56:42.940: 00:1d:a1:ed:c8:d4 DHCP   chaddr: 00:1d:a1:ed:c8:d4
*DHCP Socket Task: Nov 16 10:56:42.941: 00:1d:a1:ed:c8:d4 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
*DHCP Socket Task: Nov 16 10:56:42.941: 00:1d:a1:ed:c8:d4 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Socket Task: Nov 16 10:56:42.941: 00:1d:a1:ed:c8:d4 DHCP dropping REQUEST from STA with invalid mobility state 'Unassociated' (0)
*DHCP Socket Task: Nov 16 10:56:46.938: 00:1d:a1:ed:c8:d4 DHCP received op BOOTREQUEST (1) (len 310,vlan 0, port 8, encap 0xec00)
*DHCP Socket Task: Nov 16 10:56:46.938: 00:1d:a1:ed:c8:d4 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Nov 16 10:56:46.938: 00:1d:a1:ed:c8:d4 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Nov 16 10:56:46.938: 00:1d:a1:ed:c8:d4 DHCP   xid: 0x126b (4715), secs: 0, flags: 80
*DHCP Socket Task: Nov 16 10:56:46.939: 00:1d:a1:ed:c8:d4 DHCP   chaddr: 00:1d:a1:ed:c8:d4
*DHCP Socket Task: Nov 16 10:56:46.939: 00:1d:a1:ed:c8:d4 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
*DHCP Socket Task: Nov 16 10:56:46.939: 00:1d:a1:ed:c8:d4 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Socket Task: Nov 16 10:56:46.939: 00:1d:a1:ed:c8:d4 DHCP dropping REQUEST from STA with invalid mobility state 'Unassociated' (0)
*DHCP Socket Task: Nov 16 10:57:05.034: 00:1d:a1:ed:c8:d4 DHCP received op BOOTREQUEST (1) (len 310,vlan 0, port 8, encap 0xec00)
*DHCP Socket Task: Nov 16 10:57:05.035: 00:1d:a1:ed:c8:d4 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Nov 16 10:57:05.035: 00:1d:a1:ed:c8:d4 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Nov 16 10:57:05.035: 00:1d:a1:ed:c8:d4 DHCP   xid: 0x126c (4716), secs: 0, flags: 80
*DHCP Socket Task: Nov 16 10:57:05.035: 00:1d:a1:ed:c8:d4 DHCP   chaddr: 00:1d:a1:ed:c8:d4
*DHCP Socket Task: Nov 16 10:57:05.036: 00:1d:a1:ed:c8:d4 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
*DHCP Socket Task: Nov 16 10:57:05.036: 00:1d:a1:ed:c8:d4 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Socket Task: Nov 16 10:57:05.036: 00:1d:a1:ed:c8:d4 DHCP dropping REQUEST from STA with invalid mobility state 'Unassociated'

It keeps seeing the Discover messages but never gets any response from the ASA.  What does that message mean: "dropping REQUEST from STA with invalid mobility state 'Unassociated'"?  I know the STA is the AP but why is it dropping the request?

Here is the debug output from the ASA:

ASA5505lab#  show debug
debug dhcpd packet enabled at level 128
debug dhcpd event enabled at level 128

ASA5505lab#

DHCPD: checking for expired leases.

DHCPD: checking for expired leases.
DHCPD: checking for expired leases.
DHCPD: checking for expired leases.

DHCPD: checking for expired leases.
DHCPD: checking for expired leases.

(IT NEVER SEES ANY MESSAGES OR SHOWS ME ANY BLOCKED REQUESTS OR ANYTHING)

(Now if I move the AP to the PoE ports directly on the ASA5505 you will see the AP get an IP)


DHCPD: Server msg received, fip=ANY, fport=0 on inside interface
DHCPD: DHCPDISCOVER received from client 0100.1da1.edc8.d4 on interface inside.
DHCPD: Sending DHCPOFFER to client 0100.1da1.edc8.d4 (192.168.143.4).

DHCPD: Total # of raw options copied to outgoing DHCP message is 0.
DHCPD: broadcasting BOOTREPLY to client 001d.a1ed.c8d4.
DHCPD: Server msg received, fip=ANY, fport=0 on inside interface
DHCPD: DHCPREQUEST received from client 0100.1da1.edc8.d4.
DHCPD: Sending DHCPACK to client 0100.1da1.edc8.d4 (192.168.143.4).

DHCPD: Total # of raw options copied to outgoing DHCP message is 0.
DHCPD: broadcasting BOOTREPLY to client 001d.a1ed.c8d4.

ASA5505lab#
ASA5505lab# show dhcpd binding

IP address       Hardware address        Lease expiration        Type

  192.168.143.4    0100.1da1.edc8.d4            3581 seconds    Automatic
  192.168.143.5  0063.6973.636f.2d30.           1911 seconds    Automatic
                 3031.662e.3965.6234.
                 2e35.3034.302d.566c.
                 31
ASA5505lab#

ASA5505lab#

So the ASA5505 is working when the AP is plugged directly into the ASA or a 3750 on the same network.  Only when connected through the WLC do I not see any messages on the ASA.  Is there something else I need to set up on the WLC2106 besides turning off DHCP proxy?

Thanks,
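
Added example (not part of the original posts): a small Python parser for the WLC `debug dhcp packet` output quoted above. It groups the lines per received packet and reports clients whose every request was dropped by the controller itself. The sample is a shortened copy of the output in the post; the function and field names are this example's own.

```python
import re

# Constructed sample: two of the DISCOVER attempts from the WLC
# "debug dhcp packet" output quoted in the post, with some field lines omitted.
SAMPLE = """\
*DHCP Socket Task: Nov 16 10:56:46.938: 00:1d:a1:ed:c8:d4 DHCP received op BOOTREQUEST (1) (len 310,vlan 0, port 8, encap 0xec00)
*DHCP Socket Task: Nov 16 10:56:46.938: 00:1d:a1:ed:c8:d4 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Nov 16 10:56:46.938: 00:1d:a1:ed:c8:d4 DHCP   xid: 0x126b (4715), secs: 0, flags: 80
*DHCP Socket Task: Nov 16 10:56:46.939: 00:1d:a1:ed:c8:d4 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Socket Task: Nov 16 10:56:46.939: 00:1d:a1:ed:c8:d4 DHCP dropping REQUEST from STA with invalid mobility state 'Unassociated' (0)
*DHCP Socket Task: Nov 16 10:57:05.034: 00:1d:a1:ed:c8:d4 DHCP received op BOOTREQUEST (1) (len 310,vlan 0, port 8, encap 0xec00)
*DHCP Socket Task: Nov 16 10:57:05.035: 00:1d:a1:ed:c8:d4 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Nov 16 10:57:05.035: 00:1d:a1:ed:c8:d4 DHCP   xid: 0x126c (4716), secs: 0, flags: 80
*DHCP Socket Task: Nov 16 10:57:05.036: 00:1d:a1:ed:c8:d4 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Socket Task: Nov 16 10:57:05.036: 00:1d:a1:ed:c8:d4 DHCP dropping REQUEST from STA with invalid mobility state 'Unassociated'
"""
LINE = re.compile(r"^\*DHCP Socket Task: (.+?): ((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) DHCP\s+(.*)$")
FIELDS = {
    "port": re.compile(r"port (\d+)"),
    "msg_type": re.compile(r"processing DHCP (\w+)"),
    "xid": re.compile(r"xid: (0x[0-9a-f]+)"),
    "giaddr": re.compile(r"giaddr: ([\d.]+)"),
    "drop_reason": re.compile(r"dropping \w+ (.+?)(?: \(\d+\))?$"),
}

def parse_wlc_dhcp_debug(text):
    """Group debug lines into one record per received DHCP packet."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                  # CLI prompts, blank lines, other tasks
        ts, mac, msg = m.groups()
        if msg.startswith("received op"):
            records.append({"time": ts, "mac": mac, "drop_reason": None})
        if not records:
            continue                  # field line seen before any packet header
        for name, rx in FIELDS.items():
            hit = rx.search(msg)
            if hit:
                records[-1][name] = hit.group(1)
    return records

def dropped_at_controller(records):
    """Map each MAC whose packets were all dropped to the logged reasons."""
    by_mac = {}
    for r in records:
        by_mac.setdefault(r["mac"], []).append(r["drop_reason"])
    return {mac: sorted(set(v)) for mac, v in by_mac.items() if all(v)}
```

A client listed by `dropped_at_controller` never had a request leave the WLC, which matches the empty `debug dhcpd` output on the ASA.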

Cisco Employee

Re: ASA as DHCP server for WLC2106 and LAP

I would not guarantee 100% (I would need to verify that stuff myself) but I'm quite sure that the 2106 is not to be used like a 8 port switch. You cannot plug a laptop to it for example. In the same concept, an AP plugged to it cannot get an ip address from another random device on the network.

If the AP is plugged directly on WLC, it should get its ip from the WLC.

The trick you did with dhcp proxy makes total sense in the case of a wireless client that would get an IP from the ASA; this is something the WLC forwards. But the WLC doesn't have much reason to forward AP traffic to the network.

Nicolas

===

Don't forget to rate answers that you find useful

New Member

Re: ASA as DHCP server for WLC2106 and LAP

I just want to update this thread with the verification I received from TAC.

"You have done a great research to be honest, and seems to be you have understood very well how the WLC works as a relay agent, and the workaround of disabling the DHCP proxy feature.

This is the clue that you are missing: This workaround is for the wireless clients to obtain the IP address; but for an Access Point directly connected to the controller port, the AP needs a relay agent to redirect the DHCP requests to the DHCP server, therefore DHCP proxy needs to be enabled. This is because WLC ports are not switch ports, and the controller does not forward traffic to all its ports as a switch does. Having the problem of the ASA5505 not accepting DHCP requests from a proxy agent, then it is not possible to make this configuration to work at all.

However, there are different alternatives.

  1. You can set a static IP on the AP and connect the AP to the WLC. And with DHCP proxy disabled on the WLC2106, the wireless clients won’t have a problem to get an IP address from the ASA.
  2. You can connect the AP somewhere else on your network, to a switch for example. This way the DHCP requests from the AP will arrive to the ASA directly, without passing through the controller. And with DHCP proxy disabled on the controller, the wireless clients won’t have a problem to get an IP address from the ASA.
  3. The only option when connecting the AP directly to the WLC and for this AP to obtain an IP address automatically, is to use another DHCP server rather than an ASA.

I hope this clarifies your doubts."

So... thank you to TAC and thank you to Nicolas for the help.  I will work on one of the above solutions.  Maybe this will help someone else too. 
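
Added example (not from the thread or from Cisco): the packet-level difference between a bridged request and one re-sent by a relay agent, shown by parsing the RFC 2131 fixed header. The xid and MAC are the ones in the debug output above; the relay address 192.168.143.2 is constructed, and it is an assumption that the WLC proxy fills `giaddr` the way a standard relay agent does.

```python
import socket
import struct

# RFC 2131 fixed BOOTP header: op htype hlen hops xid secs flags
# ciaddr yiaddr siaddr giaddr chaddr sname file, then the magic cookie.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s4s")
MAGIC = b"\x63\x82\x53\x63"

def build_discover(xid, mac, giaddr="0.0.0.0", hops=0):
    """Build a DHCPDISCOVER as sent by a client (defaults) or by a relay."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    zero = socket.inet_aton("0.0.0.0")
    head = BOOTP.pack(1, 1, 6, hops, xid, 0, 0x8000,   # broadcast flag set
                      zero, zero, zero, socket.inet_aton(giaddr),
                      chaddr, b"", b"", MAGIC)
    return head + b"\x35\x01\x01\xff"   # option 53 = DISCOVER, then END

def classify(packet):
    """Return ('direct' | 'relayed', details) for a DHCP BOOTREQUEST."""
    if len(packet) < BOOTP.size:
        raise ValueError("truncated BOOTP header")
    (op, _htype, hlen, hops, xid, _secs, flags, _ci, _yi, _si, gi,
     chaddr, _sname, _file, magic) = BOOTP.unpack_from(packet)
    if op != 1 or magic != MAGIC:
        raise ValueError("not a DHCP BOOTREQUEST")
    details = {
        "xid": hex(xid),
        "client": chaddr[:hlen].hex(":"),
        "giaddr": socket.inet_ntoa(gi),
        "hops": hops,
        "broadcast_flag": bool(flags & 0x8000),
    }
    # A non-zero giaddr is what marks a request as relayed (RFC 2131).
    kind = "relayed" if gi != b"\x00\x00\x00\x00" else "direct"
    return kind, details

if __name__ == "__main__":
    mac = "00:1d:a1:ed:c8:d4"
    print(classify(build_discover(0x126B, mac)))
    print(classify(build_discover(0x126B, mac, "192.168.143.2", hops=1)))
```

Run against a capture on the ASA-facing segment, the same check tells you whether requests arrive bridged (`giaddr` 0.0.0.0, as in the WLC debug above) or relayed.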

Cisco Employee

Re: ASA as DHCP server for WLC2106 and LAP

Thanks for the follow up on your post. It helps others !

I think you can afford configuring a DHCP pool on the WLC itself for the APs, right? And then use the ASA for the clients. That should be the easiest of the workarounds.

Nicolas


New Member

ASA as DHCP server for WLC2106 and LAP

Since this post is now 2+ years old, I'm wondering if there have been any enhancements that will allow me to disable dhcp on a per-WLAN basis rather than a global setting.

I am trying to do exactly what the original post was doing.

Setup:

     ASA5505  ---------------- WS-C3560 --------tagged----------WLC2106  -------------------------------AIR-LAP1142

(DHCP SERVER)           (simple config)          (dhcp proxy disabled)           (is requesting dhcp from ASA)

If I plug my workstation into the 3560, my wired client adapter can get an IP address.  But the WLAN adapter will not.

Usually this is not a problem since you may only have two access points on the controller and a dozen or so hosts.  In my case, however, I want to put a few of the ports on the 3560 into the same VLAN as the WLAN on the 2106 so I can give them the same guest access as the WLAN.  The hosts plugged into the 3560 get an IP address without issue.  When I disable dhcp proxy, the WLAN clients get an IP address, but then the APs cease to function when rebooted since they cannot get to the controller.

Anyone know if there have been any improvements, such as somehow configuring the ASA to accept the modified DHCP packets?

Re: ASA as DHCP server for WLC2106 and LAP

Umm dhcp proxy has Zero to do with the ap being able to talk to the WLC. Unless of course you are using the WLC as the dhcp server for the ap, which is not a recommended practice.

Steve

New Member

ASA as DHCP server for WLC2106 and LAP

Keep in mind this is a 2106 with two APs, an 8 port switch and an ASA...  This is not an enterprise setting...

Agreed - DHCP proxy has nothing to do with the AP talking to the WLC.  But when you disable it, the AP cannot get an IP address from the internal DHCP server running on the WLC.  There is no Windows box or anything else.  Just three small devices that are going to be used to give out some guest internet service for a few wired and wireless clients.

Sad the ASA can't answer up or turn off the proxy per WLAN instead of being a global setting.

Cisco Employee

ASA as DHCP server for WLC2106 and LAP

7.4 WLC code allows DHCP proxy setting on a WLAN basis, but you have a 2106 so you are doomed anyway :-)
