Cisco Support Community
New Member

Clients associated to the AP aren't able to resolve mac-address of Default Gateway

Hi all,

I really hope someone can point me in the right direction because I am out of ideas as to what is going wrong.

I have a 2811 (12.4(24)T) ISR Router with an NM-WLC (6.0.182) Module which supports up to 6 Access Points.

I have configured the Router, Switch and WLC according to the Configuration Example in the following Link:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a00807112e2.shtml#intro

I used Example Number 2 which is exactly my topology.

The Configuration worked like a charm; the APs join the WLC and are propagating the configured SSIDs (3 total).

The Clients can associate with an AP (1231G) (which is broadcasting SSID_1) and get an IP address from the DHCP Pool configured on the 2811.

The Problem I am experiencing is that the Clients do not receive an answer if they do an ARP Request for their configured Gateway, and I have no clue why.

When I try to ping the Wireless Client directly from the Router, I can see that the ICMP Echo Request arrives on the Wireless Client (through Wireshark) but the ICMP Reply failed due to the unanswered ARP Request for the Default Gateway. I tested this with various Operating Systems (Linux/Windows/OSX) but they all have the same faulty behaviour.

I would greatly appreciate your effort if you could point me in the right direction or could bring up a solution, because this weird behaviour drives me crazy.

If you need any additional Information don't hesitate to ask.

See attached my configuration for the Router & WLC.

2811 Router Config

===================

!
! Last configuration change at 23:13:07 CET Mon Mar 8 2010
! NVRAM config last updated at 21:45:15 CET Mon Mar 8 2010 by xxx
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname 2811_wlc
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 9
logging message-counter syslog
logging buffered 8192
enable secret 5 xxx
!
no aaa new-model
memory-size iomem 10
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
dot11 syslog
no ip source-route
!
ip cef
ip dhcp excluded-address 172.16.4.1 172.16.4.100
ip dhcp excluded-address 10.2.0.1 10.2.0.100
ip dhcp excluded-address 172.16.1.1 172.16.1.50
ip dhcp excluded-address 172.16.5.1 172.16.5.100
ip dhcp excluded-address 10.1.0.1 10.1.0.100
ip dhcp excluded-address 172.16.2.1 172.16.2.100
ip dhcp excluded-address 172.16.3.1 172.16.3.100
!
ip dhcp pool AP_Pool
   network 10.2.0.0 255.255.255.0
   default-router 10.2.0.1
   option 43 ascii "10.3.0.20"
!
ip dhcp pool SSID_1
   network 172.16.1.0 255.255.255.0
   default-router 172.16.1.1
   dns-server 194.25.2.129 87.118.110.215
!
ip dhcp pool MGMT
   network 10.1.0.0 255.255.255.0
   default-router 10.1.0.1
   dns-server 194.25.2.129 87.118.110.215
!
ip dhcp pool SSID_2
   network 172.16.2.0 255.255.255.0
   default-router 172.16.2.1
   dns-server 194.25.2.129 87.118.110.215
!
ip dhcp pool SSID_3
   network 172.16.3.0 255.255.255.0
   default-router 172.16.3.1
   dns-server 194.25.2.129 87.118.110.215
!
ip dhcp pool LAN 1
   network 172.16.4.0 255.255.255.0
   default-router 172.16.4.1
   dns-server 194.25.2.129 87.118.110.215
!
ip dhcp pool LAN 2
   network 172.16.5.0 255.255.255.0
   default-router 172.16.5.1
   dns-server 194.25.2.129 87.118.110.215
!
interface FastEthernet0/0
no ip address
duplex full
speed 100
no keepalive
!
interface FastEthernet0/0.101
description ===MGMT GW===
encapsulation dot1Q 101
ip address 10.1.0.1 255.255.255.0
ip access-group 150 out
no cdp enable
!
interface FastEthernet0/0.102
description ===AP_GW===
encapsulation dot1Q 102
ip address 10.2.0.1 255.255.255.0
no cdp enable
!
interface FastEthernet0/0.174
description ===LAN1_GW===
encapsulation dot1Q 174
ip address 172.16.4.1 255.255.255.0
no cdp enable
!
interface FastEthernet0/0.175
description ===LAN2_GW===
encapsulation dot1Q 175
ip address 172.16.5.1 255.255.255.0
no cdp enable
!
interface FastEthernet0/1
description ===TRANSIT to Border Gateway===
ip address 10.4.0.2 255.255.255.0
duplex full
speed 100
no keepalive
!
interface wlan-controller1/0
description ====WLAN_Controller_Subnet===
ip address 10.3.0.1 255.255.255.0
!
interface wlan-controller1/0.171
encapsulation dot1Q 171
ip address 172.16.1.1 255.255.255.0
no cdp enable
!
interface wlan-controller1/0.172
encapsulation dot1Q 172
ip address 172.16.2.1 255.255.255.0
no cdp enable
!
interface wlan-controller1/0.173
encapsulation dot1Q 173
ip address 172.16.3.1 255.255.255.0
no cdp enable
!
no ip forward-protocol nd
ip forward-protocol udp 12223
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 10.4.0.1
no ip http server
no ip http secure-server
!
!
!
access-list 100 remark ### VTY Access ###
access-list 100 permit ip 10.1.0.0 0.0.0.255 any
access-list 100 permit ip 10.2.0.0 0.0.0.255 any
access-list 100 permit ip 10.3.0.0 0.0.0.255 any
access-list 100 permit ip 172.16.3.0 0.0.0.255 any
access-list 150 remark ===DENY ACCESS TO MGMT===
access-list 150 permit ip 172.16.2.0 0.0.0.255 host 10.1.0.225
access-list 150 deny   ip 172.16.1.0 0.0.0.255 any log
access-list 150 deny   ip 172.16.2.0 0.0.0.255 any log
access-list 150 deny   ip 172.16.4.0 0.0.0.255 any log
access-list 150 deny   ip 172.16.5.0 0.0.0.255 any log
access-list 150 permit ip any any
!
line con 0
exec-timeout 0 0
logging synchronous level 2
line aux 0
line 66
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
access-class 100 in
logging synchronous
login local
length 0
line vty 5 15
access-class 100 in
logging synchronous
login local
length 0
line vty 16 988
access-class 100 in
logging synchronous
login local
!
scheduler allocate 20000 1000
end


=======================


WLC Config (with just 1 SSID)


=======================

config advanced 802.11a channel add 36
config advanced 802.11a channel add 40
config advanced 802.11a channel add 44
config advanced 802.11a channel add 48
config advanced 802.11a channel add 52
config advanced 802.11a channel add 56
config advanced 802.11a channel add 60
config advanced 802.11a channel add 64
config advanced 802.11b channel add 1
config advanced 802.11b channel add 6
config advanced 802.11b channel add 11
config sysname nm_wlc
config trapflags client 802.11-authfail enable
config trapflags client excluded enable
config trapflags client 802.11-associate disable
config trapflags client 802.11-disassociate enable
config trapflags client 802.11-deauthenticate enable
config trapflags client 802.11-assocfail enable
config interface address management 10.3.0.20 255.255.255.0 10.3.0.1
config interface port management 1
config interface dhcp management primary 10.3.0.20
config interface dhcp service-port enable
config interface address virtual 1.1.1.1
config interface address ap-manager 10.3.0.30 255.255.255.0 10.3.0.1
config interface port ap-manager 1
config interface dhcp ap-manager primary 10.3.0.20
config interface address dynamic-interface troopers 172.16.1.254 255.255.255.0 172.16.1.1
config interface port troopers 1
config interface dhcp dynamic-interface troopers primary 172.16.1.1
config interface create troopers 171
config interface vlan troopers 171
config 802.11b 11gsupport enable
config auth-list ap-policy ssc enable
config auth-list add ssc encrypt 00:13:1a:22:b8:31 1 528f286ead76d5769faa32a140fde686 cee8f2c82118c085a6e8bfdbda1517f04aec9727 48 6da23866f5d195fffaaeb9aae613dbad510cfc6401de0794f508aac56fdd7601d92d35dbc7d8d4b453967f05d0656d90000000000000000000000000000000000000
config auth-list add ssc encrypt 00:12:da:a4:29:8b 1 dd87a24ae742c1cb33c50953f42c2acf d4dc36c60960f3390abcdf4418effe98d0b59b4c 48 18af89a66d603dd8fdbb037e761a481a4498784c2e33569d0f8f237f2534d450d5a436550cc902abcb26cd2a92ead42f000000000000000000000000000000000000
config mobility group domain Troopers
config ap cdp disable all
config snmp version v2c disable
config snmp v3user create encrypt xxx rw hmacsha aescfb128 1 6f83d0dbd8014b29e99ca91ab5562bca fc64211de3ade034e1e9ebedd0e12ed419b98503 16 c6ba7f31ab920f0ab50523f6d1ea06a40000000000000000000000000000000000000000000000000000000000000000 1 523991ec0dde07d428ceb82dbe4bf98c 47a55d1c043a9109b764caf977a4c7955adc68f4 16 ba19de10c1e305b9873c6796cd187f1a0000000000000000000000000000000000000000000000000000000000000000
config snmp trapreceiver mode enable 10.1.0.104
config snmp trapreceiver create 10.1.0.104 10.1.0.104
config time ntp interval 3600
config time ntp server 1 10.4.0.1
config database size 2048
config network rf-network-name Troopers
config network mgmt-via-dynamic-interface enable
config network ip-mac-binding disable
config network multicast mode multicast 1.0.10.224
config network webmode enable
config network broadcast enable
config country DE
config certificate generate webadmin
config mgmtuser add encrypt xxx 1 152ad33dcfa9545ed9a33a8a262b5e86 8461647a541d6291edb78cb6d791da5a4486d3df 16 8381509fcb95576dedf254f5028d42c40000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 read-write
config wlan broadcast-ssid enable 171
config wlan security wpa wpa1 ciphers tkip enable 171
config wlan security wpa wpa1 ciphers aes enable 171
config wlan security wpa wpa1 enable 171
config wlan security wpa wpa2 ciphers tkip enable 171
config wlan security wpa wpa2 ciphers aes enable 171
config wlan security wpa akm psk set-key hex encrypt 1 a3c725a2b981c25550fd878a9c82824f e2a70bd94f41887f585c4f3b5a510a0a4de3cd4a 48 f7714d020d204fad157fd38b401157e5c0ea2db67d99638cdb31f74aea30bc75bc6dc0309e18b38b84ebd5d3c194097f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 171
config wlan security wpa akm psk enable 171
config wlan security wpa akm 802.1x disable 171
config wlan security wpa enable 171
config wlan apgroup add troopers troopers
config wlan apgroup description troopers troopers
config wlan apgroup interface-mapping add troopers 171 troopers
config wlan exclusionlist 171 60
config wlan peer-blocking forward-upstream 171
config wlan wmm allow 171
config wlan interface 171 troopers
config wlan create 171 troopers troopers
config wlan session-timeout 171 1800
config wlan channel-scan defer-priority 5 enable 171
config wlan channel-scan defer-priority 6 enable 171
config wlan mfp client enable 171
config wlan enable 171
transfer upload serverip 10.1.0.101
transfer upload path /
transfer upload filename nm-wlc-confg
transfer upload datatype config
transfer download serverip 10.1.0.101
transfer download path /
transfer download filename nm-wlc-confg
transfer download datatype config

2 REPLIES
Silver

Re: Clients associated to the AP aren't able to resolve mac-addr

Well, your configuration looks great to me... nothing is obviously standing out at least.

If the router's ping request makes it to your client, then the router must at least be able to ARP for you.

Have you tried to ping the gateway from the WLC itself? (vlan 171 it appears)

I'm curious if the WLC even gets the ping through.  'show arp switch' on the WLC would show its arp table as well...

I'm not very proficient with the router debugging, but perhaps there is some kind of ARP debug you can run to verify if the ARP request is even coming out of the WLC from your client?  

Again, the config looks good to me, so either this is a situation where a nice save config and reboot would come in handy (perhaps coupled with shutting down the interfaces and turning them back on)... or something just isn't right...

Does this happen with the other vlans you have coming in to the WLC?  Perhaps there is just something going on the router side where it isn't responding to the arp....   which comes back to the whole shutting down interfaces and/or rebooting.   Obviously this isn't root-cause, but should at least provide sanity-check.
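The by-eye comparison in the reply above can be done mechanically. The following is an added example, not part of either post: it parses the IOS subinterface stanzas and the WLC `config interface` lines and checks that each dynamic interface's VLAN tag, gateway and subnet agree with the router. The function names are hypothetical and the sample input is constructed from lines in the posted configs; a clean result rules out an addressing mismatch only.

```python
import ipaddress
import re
# Constructed sample: lines copied from the router and WLC configs in the post.
ROUTER_CFG = """\
interface wlan-controller1/0.171
encapsulation dot1Q 171
ip address 172.16.1.1 255.255.255.0
"""
WLC_CFG = """\
config interface address dynamic-interface troopers 172.16.1.254 255.255.255.0 172.16.1.1
config interface vlan troopers 171
"""

def router_subinterfaces(cfg):
    """Map dot1Q VLAN id -> ip_interface of the router subinterface."""
    out, vlan = {}, None
    for line in map(str.strip, cfg.splitlines()):
        if line.startswith("interface "):
            vlan = None  # new stanza: forget the previous tag
        elif m := re.match(r"encapsulation dot1Q (\d+)", line):
            vlan = int(m.group(1))
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and vlan is not None:
            out[vlan] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return out

def wlc_dynamic_interfaces(cfg):
    """Map WLC interface name -> {addr, gw, vlan} from 'config interface' lines."""
    out = {}
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"config interface address dynamic-interface (\S+) (\S+) (\S+) (\S+)", line):
            name, ip, mask, gw = m.groups()
            out.setdefault(name, {}).update(
                addr=ipaddress.ip_interface(f"{ip}/{mask}"), gw=ipaddress.ip_address(gw))
        elif m := re.match(r"config interface vlan (\S+) (\d+)", line):
            out.setdefault(m.group(1), {})["vlan"] = int(m.group(2))
    return out

def audit(router_cfg, wlc_cfg):
    """List mismatches between WLC dynamic interfaces and router gateways."""
    subs, problems = router_subinterfaces(router_cfg), []
    for name, d in wlc_dynamic_interfaces(wlc_cfg).items():
        rtr = subs.get(d.get("vlan"))
        if rtr is None:
            problems.append(f"{name}: no router subinterface for VLAN {d.get('vlan')}")
        elif rtr.ip != d.get("gw"):
            problems.append(f"{name}: gateway {d.get('gw')} is not router address {rtr.ip}")
        elif d["addr"].network != rtr.network:
            problems.append(f"{name}: {d['addr']} is outside {rtr.network}")
    return problems
```
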

New Member

Re: Clients associated to the AP aren't able to resolve mac-addr

We are having a similar issue with an ISR 3825 with WLCM 6.0.199. Did you get this resolved? If so, what did you do?
