I’m in the process of converting a wireless mobile DVR system from WEP to WPA2. The clients have static IP addresses assigned. With the current configuration, when the DVR comes into wireless range of our access point – it authenticates with WEP and a video server automatically connects and downloads video from the DVR. When the DVR leaves the wireless range it continues to record and will upload again once it’s back in range. Using WEP this configuration/setup has been working with no issues.
When I converted a DVR unit and Access Point to WPA2, they authenticate fine and upload video as it should initially – however after it leaves the wireless range and comes back in – it re-authenticates with the access point (shows up in the Associated Clients w/ IP address etc), however isn’t accessible by anything on that subnet. If I make any change on the access point (doesn’t matter what, just have to update something) and apply it – the unit is then accessible over the network.
Has this happened to any of you? I’m baffled and cannot figure out why it’s pingable when it’s first authenticated, however after it leaves range and comes back, re-authenticates, it’s not pingable until I apply any change to the AP.
The clients are hardcoded – embedded software on the DVRs themselves.
hostname AP2
!
enable secret 5 $1$Veg4$GXod1EInNvbF7QiJKODTm1
!
no aaa new-model
!
!
!
dot11 ssid DVRWIFI
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 7 12180416135A5D557B
!
dot11 network-map
power inline negotiation prestandard source
!
!
username Cisco password 7 14341B180F0B
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 speed 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid DVRWIFI
 !
 dfs band 3 block
 speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex full
 speed 1000
 no keepalive
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 172.16.16.102 255.255.255.0
 no ip route-cache
!
ip default-gateway 172.16.16.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
logging 172.16.16.199
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end
Cisco IOS Software, C1250 Software (C1250-K9W7-M), Version 12.4(10b)JA1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Wed 30-Jan-08 12:04 by prod_rel_team

ROM: Bootstrap program is C1250 boot loader
BOOTLDR: C1250 Boot Loader (C1250-BOOT-M) Version 12.4(10b)JA, RELEASE SOFTWARE (fc2)

AP2 uptime is 1 year, 11 weeks, 4 days, 20 hours, 56 minutes
System returned to ROM by power-on
System image file is "flash:/c1250-k9w7-mx.124-10b.JA1/c1250-k9w7-mx.124-10b.JA1"
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
AIR-AP1252AG-A-K9 (PowerPC 8349) processor (revision A0) with 49142K/16384K bytes of memory.
Processor board ID FCW1225Z01S
PowerPC 8349 CPU at 533Mhz, revision number 0x0031
Last reset from power-on
1 Gigabit Ethernet interface
2 802.11 Radio(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:21:D8:8A:4C:68
Part Number : 73-10425-05
PCA Assembly Number : 800-27630-05
PCA Revision Number : A0
PCB Serial Number : FOC12242TL4
Top Assembly Part Number : 800-29039-02
Top Assembly Serial Number : FCW1225Z01S
Top Revision Number : A0
Product/Model Number : AIR-AP1252AG-A-K9
Just like what Justin asked for, we need to find the config and the version to know how to proceed with this.
Did you use the term "reauthenticate" in the technical sense (802.11 re-authentication) or in the everyday sense (meaning it authenticates again after getting disconnected)? I think the latter is what you meant, right?
In my experience, I find devices with wireless cards (DVRs, printers, handheld scanners, etc.) have problems with APs that have 802.11n support when using WPA/WPA2 (either personal or enterprise). Most of the time I've seen, it was a client issue, which is usually solved by newer firmware that works fine with 802.11n. But usually if there is a client-side problem, then clients would not connect at all or they connect with a lot of problems.
Some questions, please: does the DVR still have its IP address when it goes outside the wireless coverage, or does it release it (from the DVR's point of view)?
If you turn off the DVR while it is out of coverage and turn it on again (while still out of coverage) and make it enter coverage one more time, will it work fine?
Rating useful replies is more useful than saying "Thank you"
Reauthenticate might be the wrong word – re associate with the AP is what I mean.
The DVR has a static IP, so it keeps the IP address even after leaving the wireless coverage area. I’ve tested using DHCP and experienced the same problem.
If I turn the DVR off out of coverage and turn it back on, then enter coverage, it associates with the AP (showing full signal strength on the client and it shows as an associated client on the AP GUI), however I cannot ping the address. If I change a setting in the SSID Manager or Encryption Manager tab that makes the radio reset on the AP and apply it, I can then ping the address. Even if the change I make keeps the setting exactly the same, once I hit apply - the client is then pingable.
Sorry I forgot that you use static address. You mentioned this already in your first note.
Are there any other devices connected to this AP? Do they lose connectivity when this specific DVR comes back to associate to the AP again?
Re-associate and reauthenticate are misleading terms. Let us just say the AP comes back to connect again.
You mentioned that you need to make some changes on the AP so the coming-back AP can connect successfully.
Does this include any kind of change, or only changes that make the radio reset?
I suppose other clients connecting to the same SSID are not affected by this DVR going out and in, right? They are still connecting without problems no matter how the DVR goes out and in (except for the part where you make the change and apply it on the AP). Am I right?
I think if you do an AP reset (shut/no shut for the dot11radio 0 interface) this is also going to work. Can you please check?
Your image version (12.4(10b)JA1) is considered a bit old. You had better think of upgrading to one of the latest releases to eliminate any bug issues. There is 12.4.25d-JA1, which is the latest (Aug 2011).
By the way, your current image was released in Feb 2008.
You can consider looking into the logs of the AP to see if there is anything useful about what is going on during the problem.
If I were not going to upgrade, I would also use some wireless sniffers to see exactly what is going on when the issue is reproduced. But I think if an upgrade is an option, then this is the first step one should take.
Rating useful replies is more useful than saying "Thank you"
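As an added illustration of the log review suggested in the reply above (not code from any poster in this thread): a Python example that groups the AP's DOT11 syslog messages by station and pairs each departure with the next association. The log lines are constructed, with made-up MAC addresses and timestamps, and their layout is an assumption modelled on IOS %DOT11 messages as received on a syslog host such as the 172.16.16.199 target in the posted config.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed layout, made-up MACs and times).
SAMPLE_LOG = """\
Mar 11 10:00:05 172.16.16.102 %DOT11-6-ASSOC: Interface Dot11Radio1, Station 0011.2233.4455 Associated KEY_MGMT[WPAv2 PSK]
Mar 11 10:20:41 172.16.16.102 %DOT11-4-MAXRETRIES: Packet to client 0011.2233.4455 reached max retries, removing the client
Mar 11 10:20:41 172.16.16.102 %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station 0011.2233.4455 Reason: Previous authentication no longer valid
Mar 11 11:02:17 172.16.16.102 %DOT11-6-ASSOC: Interface Dot11Radio1, Station 0011.2233.4455 Associated KEY_MGMT[WPAv2 PSK]
Mar 11 11:05:00 172.16.16.102 %DOT11-6-ASSOC: Interface Dot11Radio1, Station 00aa.bbcc.ddee Associated KEY_MGMT[WPAv2 PSK]
"""

# Timestamp, DOT11 mnemonic, first dotted MAC after it, and the rest of the line.
EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}).*?%DOT11-\d-(?P<kind>[A-Z_]+):.*?"
    r"(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})(?P<rest>.*)$", re.I)
DETAIL = re.compile(r"KEY_MGMT\[([^\]]+)\]|Reason: (.+)$")

def station_timeline(log_text):
    """Group DOT11 events by station MAC, keeping log order."""
    timeline = defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # not a DOT11 station event
        d = DETAIL.search(m["rest"])
        text = (d.group(1) or d.group(2)).strip() if d else ""
        timeline[m["mac"].lower()].append((m["ts"], m["kind"].upper(), text))
    return dict(timeline)

def return_cycles(events):
    """Pair each departure (DISASSOC or MAXRETRIES) with the next ASSOC."""
    cycles, left_at = [], None
    for ts, kind, text in events:
        if kind in ("DISASSOC", "MAXRETRIES") and left_at is None:
            left_at = ts  # first sign that the station is gone
        elif kind == "ASSOC" and left_at is not None:
            cycles.append({"left": left_at, "returned": ts, "key_mgmt": text})
            left_at = None
    return cycles

if __name__ == "__main__":
    for mac, events in station_timeline(SAMPLE_LOG).items():
        print(mac, return_cycles(events))
```

Lining up each `returned` timestamp with the moment the DVR stops answering ping shows what the AP logged for the failing return, and with which key management.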