Cisco Support Community
New Member

FlexConnect and DHCP issues

Hi

We have around 400 APs in 50 different locations (customers). The WLC, an 8500 with HA, is running AireOS 7.4.110.0. The APs are 1131, 1242, 2602 and 3602.

Every AP is in FlexConnect.

Every location (customer) has two SSIDs:

  1. guest
  2. employee

The employee has two VLANs (for PCs and for BYOD). We are using NPS rules to select which VLAN the device connects to.

In the FlexConnect settings, we do a WLAN to VLAN mapping:

Native vlan = 2

  • GUEST (WPA2 aes TKIP) to vlanID = 3
  • PC to vlan (802.11x) ID = 2

And in the FlexConnect group (one for each location) we put in the VLAN ID for BYOD (VLAN 6).

Every SSID is configured to a dummy interface, with the vlanID 2222.

On the switches the interfaces are configured:

switchport mode trunk

switchport trunk native vlan 2

switchport trunk allowed vlan 2,3,6

switchport mode trunk

At some sites the DHCP is local; at others the DHCP is central.

If the DHCP is central, the router is configured with a DHCP relay address for each VLAN.

Almost everything works fine. We had some issues with losing WLAN to VLAN mappings, so we decided to upgrade.

Now the question:

Last week we upgraded the WLC from v 7.3.112 to 7.4.110.0.

This week we are experiencing problems with some of our guest SSIDs. The clients do not get an IP. No new leases in the DHCP scopes. :-(

It seems like this is happening only with 1131 and 1242 APs. At locations where this is happening we have connected a PC in VLAN 3 and it gets an IP...

Does anyone know what could be the cause and how I can fix it?

9 REPLIES
Hall of Fame Super Silver

Re: FlexConnect and DHCP issues

Verify the AP's vlan mapping again. That is usually the main reason for a client to not get a dhcp address.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Re: FlexConnect and DHCP issues

Guest is not using webauth, correct? Post your show WLAN.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: FlexConnect and DHCP issues

WLAN Identifier.................................. 54
Profile Name..................................... MB-GUEST
Network Name (SSID).............................. MB-GUEST
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
  Client Profiling Status ....................... Disabled
   DHCP ......................................... Disabled
   HTTP ......................................... Disabled
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 2
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
User Idle Timeout................................ 300 seconds
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... WLANCTRL-002
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ dummy
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
PMIPv6 Mobility Type............................. none
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................   0    0
Average Realtime Data Rate.......................   0    0
Burst Data Rate..................................   0    0
Burst Realtime Data Rate.........................   0    0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................   0    0
Average Realtime Data Rate.......................   0    0
Burst Data Rate..................................   0    0
Burst Realtime Data Rate.........................   0    0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ Global Servers
   Accounting.................................... Global Servers
      Interim Update............................. Disabled
   Dynamic Interface............................. Disabled
   Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Security

   802.11 Authentication:........................ Open System
   FT Support.................................... Disabled
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
      Auth Key Management
         802.1x.................................. Disabled
         PSK..................................... Enabled
         CCKM.................................... Disabled
         FT-1X(802.11r).......................... Disabled
         FT-PSK(802.11r)......................... Disabled
         PMF-1X(802.11w)......................... Disabled
         PMF-PSK(802.11w)........................ Disabled
      FT Reassociation Timeout................... 20
      FT Over-The-DS mode........................ Disabled
      GTK Randomization.......................... Disabled
      SKC Cache Support.......................... Disabled
      CCKM TSF Tolerance......................... 1000
   WAPI.......................................... Disabled
   Wi-Fi Direct policy configured................ Disabled
   EAP-Passthrough............................... Disabled
   CKIP ......................................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   FlexConnect Local Switching................... Enabled
   flexconnect Central Dhcp Flag................. Disabled
   flexconnect nat-pat Flag...................... Disabled
   flexconnect Dns Override Flag................. Disabled
   FlexConnect Vlan based Central Switching ..... Disabled
   FlexConnect Local Authentication.............. Disabled
   FlexConnect Learn IP Address.................. Enabled
   Client MFP.................................... Optional
   PMF........................................... Disabled
   PMF Association Comeback Time................. 1
   PMF SA Query RetryTimeout..................... 200
   Tkip MIC Countermeasure Hold-down Timer....... 60
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled

Mobility Anchor List
WLAN ID     IP Address            Status
-------     ---------------       ------

802.11u........................................ Disabled

MSAP Services.................................. Disabled

New Member

Re: FlexConnect and DHCP issues

Hi Scott

And here is the config of the AP:

Cisco AP Identifier.............................. 1421

Cisco AP Name.................................... MB0D-LAP-001

Country code..................................... Multiple Countries:NO,US

Regulatory Domain allowed by Country............. 802.11bg:-AE 802.11a:-AE

AP Country code.................................. NO - Norway

AP Regulatory Domain............................. 802.11bg:-E 802.11a:-E

Switch Port Number .............................. 1

MAC Address...................................... 00:19:06:ea:e2:a6

IP Address Configuration......................... Static IP assigned

IP Address....................................... 10.40.234.40

IP NetMask....................................... 255.255.255.0

Gateway IP Addr.................................. 10.40.234.1

Domain...........................................

Name Server......................................

NAT External IP Address.......................... None

CAPWAP Path MTU.................................. 1485

Telnet State..................................... Disabled

Ssh State........................................ Disabled

Cisco AP Location................................ Office

Cisco AP Floor Label............................. 0

Cisco AP Group Name.............................. MB-Wlan_Group

Primary Cisco Switch Name........................ WLANCTRL-002

Primary Cisco Switch IP Address.................. 188.95.244.162

Secondary Cisco Switch Name......................

Secondary Cisco Switch IP Address................ Not Configured

Tertiary Cisco Switch Name.......................

Tertiary Cisco Switch IP Address................. Not Configured

Administrative State ............................ ADMIN_ENABLED

Operation State ................................. REGISTERED

Mirroring Mode .................................. Disabled

AP Mode ......................................... FlexConnect

Public Safety ................................... Disabled

AP SubMode ...................................... Not Configured

Remote AP Debug ................................. Disabled

Logging trap severity level ..................... informational

Logging syslog facility ......................... kern

S/W Version .................................... 7.4.110.0

Boot Version ................................... 12.3.7.1

Mini IOS Version ................................ 0.0.0.0

Stats Reporting Period .......................... 180

Stats Collection Mode ........................... normal

LED State........................................ Enabled

PoE Pre-Standard Switch.......................... Disabled

PoE Power Injector MAC Addr...................... Disabled

Power Type/Mode.................................. Power injector / Normal mode

Number Of Slots.................................. 2

AP Model......................................... AIR-LAP1242AG-E-K9

AP Image......................................... C1240-K9W8-M

IOS Version...................................... 12.4(25e)JAM2$

Reset Button..................................... Enabled

AP Serial Number................................. FCZ1033808E

AP Certificate Type.............................. Manufacture Installed

FlexConnect Vlan mode :.......................... Enabled

Native ID :..................................... 2

WLAN 54 :....................................... 3

WLAN 53 :....................................... 2

FlexConnect VLAN ACL Mappings

Vlan :........................................... 2

Ingress ACL :................................... None

Egress ACL :.................................... None

Vlan :........................................... 3

Ingress ACL :................................... None

Egress ACL :.................................... None

VLAN with least priority :....................... 6

FlexConnect Group................................ MB0D-FLEX_Group

Group VLAN ACL Mappings

 

Vlan :........................................... 6

Ingress ACL :................................... None

Egress ACL :.................................... None

FlexConnect Local-Split ACLs :

WLAN ID   PROFILE NAME                       ACL                                 TYPE
-------   --------------------------------   ---------------------------------   -------

Flexconnect Central-Dhcp Values :

WLAN ID   PROFILE NAME                        Central-Dhcp     DNS Override     Nat-Pat     Type
-------   ---------------------------------   --------------   --------------   ---------   ------
54        MB-GUEST                            False            False            False       Wlan

FlexConnect Backup Auth Radius Servers :

Primary Radius Server........................... Disabled

Secondary Radius Server......................... Disabled

AP User Mode..................................... AUTOMATIC

AP User Name..................................... Not Configured

AP Dot1x User Mode............................... Not Configured

AP Dot1x User Name............................... Not Configured

Cisco AP system logging host..................... 255.255.255.255

AP Up Time....................................... 1 days, 10 h 58 m 40 s

AP LWAPP Up Time................................. 1 days, 10 h 51 m 06 s

Join Date and Time............................... Tue Sep 24 21:53:25 2013

Join Taken Time.................................. 0 days, 00 h 00 m 30 s

GPS Present...................................... NO

Ethernet Vlan Tag................................ Disabled

Ethernet Port Duplex............................. Auto

Ethernet Port Speed.............................. Auto

AP Link Latency.................................. Disabled

Rogue Detection.................................. Disabled

AP TCP MSS Adjust................................ Disabled

Hotspot Venue Group.............................. Unspecified

Hotspot Venue Type............................... Unspecified

DNS server IP ............................. Not Available

New Member

Re: FlexConnect and DHCP issues

It seems that we were hitting two bugs:

CSCuh94366    FlexConnect Local Switching - Clients unable to connect with some VLANs

CSCui73764    AP 1242 ,dhcp not working with Flexconnect if Vlan Native 2

We solved this:

Changing the native VLAN to anything other than 2 fixes the issue. You can have native VLAN 2 on the switch, and anything else on the AP.

We also replaced some of the 1131 APs with newer models.
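
A way to find APs matching the condition described in this post across many sites, as an added example that is not part of the thread: it parses text in the `show ap config general` format posted above and lists FlexConnect APs of model 1131 or 1242 whose native VLAN ID is 2. The model pattern, the function names and the sample's second AP are assumptions made for illustration.

```python
import re

# Format follows the AP config output posted above; the second AP is constructed.
SAMPLE = """\
Cisco AP Name.................................... MB0D-LAP-001
AP Mode ......................................... FlexConnect
AP Model......................................... AIR-LAP1242AG-E-K9
FlexConnect Vlan mode :.......................... Enabled
Native ID :..................................... 2
WLAN 54 :....................................... 3
WLAN 53 :....................................... 2
Cisco AP Name.................................... EXAMPLE-LAP-002
AP Mode ......................................... FlexConnect
AP Model......................................... AIR-CAP2602I-E-K9
FlexConnect Vlan mode :.......................... Enabled
Native ID :..................................... 2
WLAN 54 :....................................... 3
"""

# "Key....... value" lines; a key may end in " :" and the dot leader varies in length.
LINE = re.compile(r"^\s*(.+?)\s*:?\s*\.{3,}\s*(.*?)\s*$")
# Assumption taken from the thread: only 1131 and 1242 APs showed the problem.
AFFECTED_MODEL = re.compile(r"AIR-L?AP(1131|1242)")

def parse_aps(text):
    """Split concatenated per-AP outputs into one dict per AP."""
    aps, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank lines, pager prompts, table headings
        key, val = m.group(1), m.group(2)
        if key == "Cisco AP Name":
            cur = {"name": val, "wlan_vlan": {}}
            aps.append(cur)
        elif cur is not None and re.fullmatch(r"WLAN \d+", key) and val.isdigit():
            cur["wlan_vlan"][int(key[5:])] = int(val)
        elif cur is not None:
            cur[key] = val
    return aps

def at_risk(ap):
    """FlexConnect AP of an affected model, VLAN mode on, native VLAN ID 2."""
    return (ap.get("AP Mode") == "FlexConnect"
            and ap.get("FlexConnect Vlan mode") == "Enabled"
            and ap.get("Native ID") == "2"
            and bool(AFFECTED_MODEL.search(ap.get("AP Model", ""))))

def audit(text):
    return [(ap["name"], ap["wlan_vlan"]) for ap in parse_aps(text) if at_risk(ap)]

if __name__ == "__main__":
    for name, mapping in audit(SAMPLE):
        print(f"{name}: native VLAN 2 on affected model, WLAN->VLAN {mapping}")
```

The returned WLAN-to-VLAN map shows which SSIDs are locally switched on each flagged AP, which is where the missing DHCP leases would appear.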

VIP Purple

FlexConnect and DHCP issues

Thanks for updating this with the bug info

Rasika

New Member

FlexConnect and DHCP issues

Hi All

I have the same issue with AP 1252 and AP 1131.

A user can connect on AP 1252 and get an IP address normally.

The same user connects on AP 1131 but cannot get an IP address.

What is the issue with AP 1131?

Please help

Hall of Fame Super Silver

Re: FlexConnect and DHCP issues

Have you verified the WLAN to Vlan mapping and the trunk port configuration?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

FlexConnect and DHCP issues

Hi

It's not best practice to have both your corporate clients and guests anchored on the same WLC. However, for your scenario, I would suggest the following:

1. Disable LAG on the WLC if it exists.

2. Create a dynamic VLAN for guests and map it to a physical port on the controller. The WLC 5508 has 8 distribution ports so there is enough.

3. Your corporate clients SSID can be mapped to the management interface if you choose. The management interface takes the first port.

4. The dynamic interface for the guests must have the IP address of the external DHCP server specified.

5. If the WLC ports are connected to the same switch, you can create a pre-authentication ACL for guests to deny access to any corporate subnets and allow connection to only DNS, DHCP, and other necessary services.

6. Map the guest SSID to the dynamic interface VLAN.
