
Bridged@AP connected client cannot obtain DHCP address from the local Cisco ASA 5505?


Userlevel 5
I have a Cisco ASA 5505 with an Extreme 3825i plugged into it. I am pushing a VNS with a WLAN which requires zero authentication (trying to start off EASY). Right now I have it set in Bridged@AP mode, as I am trying to establish a guest network at the local site level.

I can see the SSID and join it just fine, but I can never obtain a DHCP address. I am sort of at a loss here. There doesn't really seem to be much to configure? I can choose to tag/untag the port. But this is a Cisco ASA 5505 and there are only two VLANs I am permitted to use, which are '1' for the local net and '2' for the external NIC. I have tried setting it to tagged and untagged, but to no avail. When I run a packet capture while connecting, it appears that I am sending discovers to an empty room.

When I plug into the wired network - I get an address right away. I have determined that there are no licensing problems or filters on the ASA. But I have to wonder if it's just ignoring this traffic for some reason.

26 replies

Userlevel 7
Hi Steve,

I also have an AP on an ASA5505 on the internal VLAN = the ASA provides DHCP service to the WLAN clients...

Cisco ASA:
interface Vlan3
 nameif inside
 security-level 100
 ip address 172.24.24.254 255.255.255.0
!
interface Ethernet0/7
 switchport access vlan 3
!
dhcpd address 172.24.24.75-172.24.24.106 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
!
######################

On the WLAN controller I use the default bridge@AP topology - so the only thing left is the correct role configuration - check in the report whether the client gets the right one.

Here is my role; it is bound to the bridge@AP topology (the VLAN is untagged, 4093 is only used as an internal reference).

Userlevel 5
Hello Ronald,

I only have a VLAN 1 and 2, and while I can create a VLAN 3, I cannot "name it". I am on a basic license, and I get this message: "ERROR: This license does not allow configuring more than 2 interfaces with nameif and without a "no forward" command on this interface or on 1 interface(s) with nameif already configured."

My VLAN 1 is named "inside", so shouldn't this work on my VLAN 1? Or - is my problem this "native VLAN" and then does moving it to something else fix the untagged packets?
Userlevel 7
I also have only the base license installed - here is my VLAN config - not sure why I haven't used VLAN#1 but that shouldn't be the problem.

!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.254 255.255.255.0
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 172.24.24.254 255.255.255.0

#################################

Have you checked the role and VNS config, and in the report whether the client gets the right role?
So if you connect a wired client to the same port as the AP, it works?
Userlevel 5
Hello Ron, the role and VNS look okay. It was all working before I picked up the AP and brought it here. 😞

If I plug a client into the same port (my laptop) it works just fine.

Also, I just noticed that my AP shows as "offline" when looking at the dashboard on the home menu. It has an IP address from the local site, and the controller can reach it. And it updated the firmware out of the box. So why would it be "offline"? Strange!
Userlevel 5
I seem to be suffering from two unrelated problems.

I have deleted all traces of my B@AP VNS (roles, WLAN, etc). I have a few other VNS configurations which are all running fine at the main site.

I am at a remote site, connected via VPN. If I get a brand new AP out of the box and plug it in, it connects, gets the new firmware, reboots and then sits in "offline" status.

If I switch the AP to use "encrypt control traffic between AP & controller", it connects within a few seconds and shows online. However - it will not advertise any of the WLANs. Even though they are applied to that AP, with the radios all set to On.

Is this something to do with the fact that I am connecting the AP through a VPN tunnel? If the AP is at a remote site and I am trying to use "bridged at AP" - what is the IP that it is using to connect to the controller? Seems like I should have a network defined for this site .... but it wouldn't make sense for a B@AP to do that. Which is probably why there is not a setting for an IP and gateway for a Network type of B@AP.

Perhaps I need to define a route somewhere?
Userlevel 7
My AP is also connected via VPN - the only thing that could be an issue is the MTU.
Check out the 2nd entry in this post...
https://community.extremenetworks.com/extreme/topics/remote_aps_fail_to_connect_to_controller
... if you see the "Blacklist successfully sent to Wireless" log message everything is fine.

In that case (no encrypted data/control tunnel) you should see the IP from the remote site in the active AP reports page.
Userlevel 5
Good call Ron, you were on the money with sharing that post. When I cranked up the logging to informational I found that my NEW controller (fresh from the box) was not actually getting a firmware update. It was failing for probably the same reason that everything else is bombing.

When I reconnected the AP that I had started with (already running the new firmware) it came up and connected okay and showed online.

Now I am back to my original problem!

Also following the advice of that post, I ssh'd into the AP and did a tail -f on /tmp/log/ap.log. Here is what it's repeating ...

Feb 18 20:13:24 cap: ru_discov_main_slp: Got 402 msg
Feb 18 20:13:28 cap: 00268:ru_register.c:154-ru_register_finish()-sock=42, retval=0
Feb 18 20:13:28 cap: 00268:ru_register.c:355-ru_register()-Failed to Register/Authenticate with AC at 10.10.72.10
Feb 18 20:13:28 cap: Step<6>: Delay for 3000 mili seconds...
Feb 18 20:13:31 cap: STEP<6> (3/3) @ 0:21.000: Register & Authenticate with Access Controller,
Feb 18 20:13:31 cap: 00268:ru_register.c:287-ru_register()-MaxRetryCnt 1 curIpIdx 0 curIpRetryCnt 0
Feb 18 20:13:31 cap: 00268:ru_mgmt.c:2995-ru_disc_flush_m2pkts()-0 packets flushed
Feb 18 20:13:31 cap: 00268:ru_register.c:111-ru_register_finish()-Attempting to Register with AC: 10.10.72.10 KEY: 75ade6271034923c565e96115fa85df0

Looks like this problem is usually resolved by lowering the MTU on the AP to 1300. I tried that, and it didn't work. I also lowered it to 1200, still no dice.

But the moment I switch on "encrypt controller and ap", it authenticates and is connected. However - it still does not seem to work. When connecting to an SSID, I get the ol' spinner of death (and no DHCP lease).

With this MTU value, do I need to change it *everywhere*? I tried lowering my MTU on the Cisco box (both internal and external) to 1400 and all hell broke loose. All my connections dropped. And once I got the VPN re-established, I was still unable to connect to a few things but it was slow and buggy. And my Cisco phones did NOT want to re-register.

Are there any other workarounds to this problem? 🙂
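The ap.log excerpt above is the clearest evidence in the thread: the AP reaches the registration step, fails against the controller address, and cycles the retry counter. The following is an added example (not part of the original post, nor Extreme Networks code) that tails that log format and classifies what it sees, so that a "stuck on STEP<6>" AP can be spotted without reading raw lines by hand. The sample log lines are constructed in the shape of the ones posted above; the controller addresses are the ones quoted in the thread.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of /tmp/log/ap.log: an AP looping on the
# "Register & Authenticate" step against the controller address from the thread.
STUCK_LOG = """\
Feb 18 20:13:24 cap: ru_discov_main_slp: Got 402 msg
Feb 18 20:13:28 cap: 00268:ru_register.c:154-ru_register_finish()-sock=42, retval=0
Feb 18 20:13:28 cap: 00268:ru_register.c:355-ru_register()-Failed to Register/Authenticate with AC at 10.10.72.10
Feb 18 20:13:28 cap: Step<6>: Delay for 3000 mili seconds...
Feb 18 20:13:31 cap: STEP<6> (3/3) @ 0:21.000: Register & Authenticate with Access Controller,
Feb 18 20:13:35 cap: 00268:ru_register.c:355-ru_register()-Failed to Register/Authenticate with AC at 10.10.72.10
Feb 18 20:13:38 cap: STEP<6> (1/3) @ 0:28.000: Register & Authenticate with Access Controller,
"""

# Constructed sample of a healthy run (controller address redacted as in the thread).
OK_LOG = """\
Jan 1 00:02:59 cap: 00268:ru_register.c:323-ru_register()-Successfully Registered & Authenticated with AC at 74.219.X.X
Jan 1 00:02:59 cap: STEP<7> (1/5) @ 2:33.000: Software version validate,
"""

FAIL_RE = re.compile(r"Failed to Register/Authenticate with AC at (\S+)")
OK_RE = re.compile(r"Successfully Registered & Authenticated with AC at (\S+)")
STEP_RE = re.compile(r"STEP<(\d+)> \((\d+)/(\d+)\)")
TS_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) ")


def parse_ts(line):
    """Syslog-style timestamp at the start of an ap.log line (no year, so 1900 is used)."""
    m = TS_RE.match(line)
    if not m:
        return None
    mon, day, clock = m.groups()
    return datetime.strptime(f"{mon} {day} {clock}", "%b %d %H:%M:%S")


def summarise_registration(log_text):
    """Count registration failures/successes per controller and detect exhausted retries."""
    failures = Counter()
    successes = Counter()
    exhausted_steps = set()
    fail_times = []
    for line in log_text.splitlines():
        if (m := FAIL_RE.search(line)):
            failures[m.group(1)] += 1
            ts = parse_ts(line)
            if ts:
                fail_times.append(ts)
        elif (m := OK_RE.search(line)):
            successes[m.group(1)] += 1
        elif (m := STEP_RE.search(line)):
            step, attempt, limit = (int(x) for x in m.groups())
            if attempt == limit:          # e.g. "(3/3)": last allowed retry of this step
                exhausted_steps.add(step)
    if successes:
        verdict = "registered"
    elif failures:
        verdict = "stuck"
    else:
        verdict = "no registration activity"
    window = (max(fail_times) - min(fail_times)).total_seconds() if fail_times else 0.0
    return {
        "failures_per_ac": dict(failures),
        "successes_per_ac": dict(successes),
        "retries_exhausted_in_steps": sorted(exhausted_steps),
        "failure_window_seconds": window,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, log in (("stuck AP", STUCK_LOG), ("healthy AP", OK_LOG)):
        print(name, summarise_registration(log))
```

Feed it the output of `tail -n 200 /tmp/log/ap.log` from the AP console; a "stuck" verdict with the same AC address repeated and step 6 in the exhausted list is the pattern the thread describes, and a "registered" verdict with no WLANs advertised points at a later step (software validation or topology download) instead.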
Userlevel 5
I went ahead and opened a GTAC case last night (01190288) and I am working with an engineer on this issue. I will be sure to come back and report progress for the curious, or future victims of this problem!

Everything still leans to an MTU problem, but no amount of changing it in the AP settings makes any difference. I have to believe that the Cisco ASA is doing something fruity with my packets. Perhaps repackaging them and changing the MTU against my will.
Userlevel 5
Well, support is trying to help. But they sent me an article on how to use IdentiFi with the controller and APs both behind NAT, and the solution is "don't do that". Kind of reminds me of the old video on how to shave your beard like a man.

This gives me all sorts of other problems to consider. I have plenty of unused public IP addresses that I can dole out, so I wouldn't mind using one exclusively for my remote site APs. But I can't think of a way to do that without giving up a physical port on my controller. And I would have to put my controller outside of the firewall. Not something I am really comfortable with.

But that leads me back to you, Ron. How did you get this working? If you don't mind, can you tell me a little more about your environment?
  • Are you doing NAT at either end of your tunnel? In other words, each site has a public IP address, and your controller and APs both have non-routable internal addresses?
  • What did you end up setting your MTU at on the APs? Did you have to lower it from 1500?
  • What version of firmware are you running on your controller/APs? I am running the latest 10 release myself.
  • What version of firmware are you running on your Cisco ASA devices?
Also, if anyone can suggest a better way to make this work - I am all ears!! 🙂

When fooling around last night, I did find that I could turn off fragmentation altogether on my Cisco ASA's (not a good idea, but I tried it for troubleshooting). That didn't do anything to help this behavior though.
Userlevel 7
I've had both setups running for ages - below is the network diagram.
In both scenarios 802.1X PEAP is used with my NAC/AD and also Extreme Analytics is enabled for the bridge@AP SSID.

1) secure tunnel
In the HQ I've configured port forwarding on my Fortigate and on the AP I've configured the official internet address as the controller IP.
The only function that isn't supported in this setup is AP upgrade - a CR is open and I hope that this is added this year.



2) VPN
Also very simple - a VPN between my ASAs.
I've reduced the MTU to 1300 = my cable provider doesn't support 1500 and also the VPN reduces the MTU.



Answer to your question:
- this is my lab controller and the AP is @home, I've had the VPN running since V5.3 I think, I've upgraded my controller every time to the latest software and it was running with every version without a problem, right now I'm running the latest v10

- the secure tunnel setup is running since the feature was released and I also use it for customer presentations - just connect the AP in the customers LAN with a DHCP and internet access and the AP will connect to my controller.

- ASA software is from 2008 🙂 v8.0.4, too lazy to upgrade, base license

-Ron
Userlevel 5
Ron, thank you for this information! I have to wonder if one of my original experiments would have worked if it weren't for my AP needing an upgrade. I will have to upgrade one and then take it home with me tonight, and then try to run through this again.

Another thing you mentioned which is setting off sirens in my head. You say that you can take your AP anywhere with Internet access and it works. For that to happen, you must be pointing your AP to a public IP address, correct? That may be what support is telling me. That this will only work if the AP is connecting to a public IP.

Can you tell me more about that part of your design?
  • Do you have an interface on your controller with a public IP?
  • Are you NAT'ting that public IP on your firewall to a controller interface with a private IP?
  • Are you going into your AP settings and manually adding the public IP of the firewall for the controller address? I want to say I tried this, but as soon as the AP connected through the VPN tunnel, it would remove the public address from the list and go into the broken loop again.
Userlevel 7
Diagram#1
Correct, the AP has the public IP A.B.C.D configured to connect to the controller (cset authip 1 A.B.C.D).
The controller does not have a public IP, but I do translation/forwarding.
On the HQ firewall I only allow forwarding of the ports 13910, 4500, 13907 and translate A.B.C.D to 10.12.0.1 (controller ESA port).

Check the controller GUI > AP > Bulk Configuration > AP Default Settings > Common Settings > Static Configuration
I've set it to "Learn EWC Search List from AP"
It might be that you have it set to the internal IP, so the external IP gets overwritten every time the AP connects.

-Ron
Userlevel 5
Hello Ron, thanks for the additional information. It really looks like I have this all set up correctly. It seems like my traffic is getting to the controller but the controller just refuses to answer back to it.

Here is what the log looks like on the AP side ...

Jan 1 00:02:59 cap: 00268:ru_register.c:323-ru_register()-Successfully Registered & Authenticated with AC at 74.219.X.X
Jan 1 00:02:59 cap: ACINFO: Save Binding key: dbc688087d7c285faf879551fedbfd93
Jan 1 00:02:59 cap: STEP<7> (1/5) @ 2:33.000: Software version validate,
Jan 1 00:02:59 cap: 00268:ru_mgmt.c:2995-ru_disc_flush_m2pkts()-0 packets flushed
Jan 1 00:02:59 cap: 00268:ru_sw_version_validate.c:67-wassp_ru_sw_version_validate()-s/w validate: model='AP3825i', vers='10.01.01.0129.M.00', s/n='15241161085J0000'
Jan 1 00:02:59 cap: 00268:ru_sw_version_validate.c:227-ru_sw_version_validate_finish()-Send 62 bytes data to ac 74.219.X.X
Jan 1 00:02:59 cap: 00268:ru_mgmt.c:2535-whsl_trans()-S_EDISC 145
Jan 1 00:03:01 cap: 00268:ru_mgmt.c:2535-whsl_trans()-S_EDISC 143
Jan 1 00:03:02 cap: 00268:ru_mgmt.c:2535-whsl_trans()-S_EDISC 142
Jan 1 00:03:03 cap: 00268:ru_mgmt.c:2535-whsl_trans()-S_EDISC 141
Jan 1 00:03:04 cap: 00268:ru_mgmt.c:2535-whsl_trans()-S_EDISC 140
Jan 1 00:03:05 cap: 00268:ru_mgmt.c:2535-whsl_trans()-S_EDISC 139
Jan 1 00:03:06 cap: 00268:ru_mgmt.c:2535-whsl_trans()-S_EDISC 138
Jan 1 00:03:07 cap: 00268:ru_mgmt.c:2535-whsl_trans()-S_EDISC 137
Jan 1 00:03:08 cap: 00268:ru_mgmt.c:2535-whsl_trans()-S_EDISC 136

And then here is what the controller is showing when I run a capture against this interface ...



If I perform a ping to the external IP of 65.186.X.X from the controller interface (10.10.72.10) I get replies. But it sure seems like it either a) doesn't know how to get the traffic there or b) it just doesn't *want to*.
Userlevel 7
Is that now via the ASA VPN or not?
If you use VPN, does a ping from the AP console to the internal controller IP work?

So to the IPs - is that correct...
controller internal = 10.10.72.10
controller ext = 74.219.x.x
AP external = 65.186.x.x

What's your MTU? Set it to 1300 on the controller and reboot the AP please.
I get the same AP log messages with my MTU on 1500 (which doesn't work @home on my cable modem/VPN setup).
Userlevel 7
You could also try with your PC @home to ping the internal controller IP with the "don't fragment" bit set to check the max. MTU on the link.

Here is mine... as you can see it doesn't work with 1500, 1400, 1300 but is OK with 1250.
Even though the ping shows that 1300 isn't working, I use that value on my AP because as far as I remember the Windows ping takes the buffer size (1300) and adds the header = a larger frame is sent.

Userlevel 5
Hello Ron, if I set up VPN to 10.10.72.10, I can ping it with packets up to 1398 (1399 fails). I presently have my MTU for this AP on the controller set to 1200 just to be safe. But - I have removed that VPN tunnel to prevent any confusion with the traffic.

Here is a poor man's network drawing of the setup, which confirms how you believe that it's set up.
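Ron's DF-bit ping test and the 1398-works / 1399-fails result above are a manual path MTU discovery, and the header caveat Ron raises is exactly where people misread the number: the ping size is the payload, and the IP and ICMP headers (28 bytes for IPv4) sit on top of it, so a largest working payload of 1398 means a path MTU of 1426. The script below is an added example (not from the thread or from Extreme Networks) that automates the same search with a binary search instead of guessing values, converts the result to an MTU, and runs offline against a simulated link. The `linux_df_ping_probe` helper wraps the iputils `ping -M do -s SIZE` form for real use on Linux; the simulated link and its MTU values are constructed to match the numbers in the thread.

```python
import subprocess

# IPv4 header (20 bytes) + ICMP echo header (8 bytes): the bytes a ping adds on
# top of the payload size you pass with -s (Linux) or -l (Windows).
ICMP_OVERHEAD = 28


def find_max_payload(probe, lo=0, hi=1472):
    """Largest payload in [lo, hi] that probe() accepts, or None if even lo fails.

    probe(size) -> bool must be monotone (if a size works, every smaller size
    works), which holds for a Don't-Fragment ping across a fixed path.
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2      # round up so the search always narrows
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def payload_to_mtu(payload):
    """Convert the largest working ping payload into the path MTU."""
    return payload + ICMP_OVERHEAD


def simulated_link(path_mtu):
    """Constructed stand-in for a real link: DF pings succeed only if the whole
    IP packet fits in path_mtu. Records every probe so the search cost is visible."""
    calls = []

    def probe(size):
        calls.append(size)
        return size + ICMP_OVERHEAD <= path_mtu

    probe.calls = calls
    return probe


def linux_df_ping_probe(host, timeout_s=2):
    """Real probe using iputils ping on Linux: -M do sets the DF bit, -s the payload.
    Not exercised offline. Windows equivalent: ping -f -l SIZE HOST."""
    def probe(size):
        cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s), "-s", str(size), host]
        return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL).returncode == 0
    return probe


if __name__ == "__main__":
    link = simulated_link(1426)   # reproduces the 1398 OK / 1399 fails observation
    best = find_max_payload(link)
    print(f"largest DF payload {best}, path MTU {payload_to_mtu(best)}, {len(link.calls)} probes")
```

To run it for real, replace `simulated_link(1426)` with `linux_df_ping_probe("10.10.72.10")` from a host on the remote side of the tunnel; the AP MTU setting on the controller then wants to be at or below the returned path MTU, which is why a ping payload of 1300 failing while an AP MTU of 1300 works is not a contradiction.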

Userlevel 5
I HAVE SOLVED THE RIDDLE.
Today I was attacking this from a switching/routing perspective. It didn't appear that anything was being blocked. And even if it was, I would at least see the controller *TRY* to send something out to the public IP of my remote access point.

That's when it hit me. Default route. Duh.

I went into the Controller > Network > Routing Protocols and added a default route. In my case it was:
Destination: 0.0.0.0
Subnet mask: 0.0.0.0
Gateway: 10.10.72.1
Override dynamic routes = checked

Instantly, the AP joined the controller and began pulling the VNS down.

Ron, thank you for all of your advice. I really appreciate all of the effort you put forth in helping me out with this. Hopefully this long running topic will help other lost souls like myself in the future.

Also - thanks to Craig in support. He has been feeding me tips, GTAC articles, and other such advice throughout this ugly troubleshooting process.

Userlevel 6
Good stuff Steve. Glad you persevered!

Appreciate you relying on the Hub Community to help you sort this out.
Hi, can you help me? I need a connection between the AP at a remote office and the ECW across the Internet. Can you give me more information? I see that you have experience in this case. Thank you.
Userlevel 5
Martin Perez wrote:

Hi, can you help me? I need a connection between the AP at a remote office and the ECW across the Internet. Can you give me more information? I see that you have experience in this case. Thank you.

Hello Martin, are you attempting to do a "split topology" like I did? The only reason you would do something like that is if you want to have a Guest Splash (or other captive portal) but then channel the user's Internet access out through the remote site's Internet. The alternative is to drag all of the traffic through the AP and the controller's WASSP conversations, which for me would be passing through a VPN connection (sloooowwwww!!!).

Can you tell us a little about your environment? What type of firewall do you have at your headquarters (where your controller is), and what type of firewall do you have at your remote office?

Probably the best way to explain this would be for me to draw a picture. I will work on that and post it shortly.
Userlevel 5
I will try to explain, hopefully this makes some sense. In this example, you have a headquarters with a controller and a remote site with an AP. The controller is booting up at the remote site and grabbing an IP from the local network (192.168.1.x).

Step #1 (don't skip this) - Plug in your AP at your headquarter site and let it find the controller, and update its firmware. You cannot upgrade the firmware remotely. Then, take it to your remote site.

Step #2 - Now, the AP needs to reach out and look for a controller. There are several methods of "finding" a controller. The least elegant, but easy to implement at a remote site, is to drop a DNS host entry at your firewall for "controller" which points to the *PUBLIC IP* of your remote headquarter firewall. If you know the IP that your AP picked up, you can also SSH into the AP and set the controller IP manually. At a shell prompt, you would enter:
cset authipaddr 76.54.32.21
capply
csave
reboot

Step #3 - Set up an IP forward on your headquarters firewall for all of the Extreme Networks ports. Also - you should create a rule on your firewall so that it is only accepting this traffic from your remote site(s) (to prevent abuse from strangers flooding your controller with garbage UDP packets). NOTE: You will find in this Extreme GTAC that you cannot NAT both your controller and your APs. But that is not really what we are doing here. To the AP, its controller is a public IP address.

Step #4 - If you need to encrypt traffic (probably a good idea given this design) you should set the AP up that way. To do that: Click on the AP tab in your controller admin pages. Then All. Then select the AP from the list. Then click the Advanced button. Then click the Secure Tunnel drop-down and change it to Encrypt control & data.

Step #5 - Make sure you have a default route to the Internet for your Extreme controller. This is what threw me off. In the picture above, 172.17.1.x has access to the Internet. And the interface on the Extreme controller does too. But it won't route Internet traffic out through that interface without your say so. Click Controller tab > Network > Routing protocols. Click New. It should be something like:
Dest Addr: 0.0.0.0
Subnet Mask: 0.0.0.0
Gateway: 172.17.1.1

When you click Save your Extreme Controller will show what interface it's using based on what you provided.

Step #6 - Profit???

If you decided to do a split-VNS sort of thing, it gets a little more complicated. But the gist of it is that your Non Authenticated is using a "bridged at controller" while your Authenticated uses "bridged at AP". The effect is that your visitor gets a splash page from the controller, clicks accept, and then after a short delay, they are connected at the local site.

Remember that you need to set up policies, especially for a guest setup. For non-Auth, they should only be able to access the controller. For Auth, they should only be able to access the gateway at the remote site - but not any of the local hosts on that network!

I am sure I am leaving out some details here --- but hopefully this is helpful to you.
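Step #5 is the one that cost the most time in this thread, and the reason is simple routing: the controller's interface was on a network with Internet access, but the controller's own table had no entry that matched the remote AP's public source address, so it never sent a reply. The following added example (written for this page, not code from the controller or from Extreme Networks) builds a small routing table, does the longest-prefix match a router does, and shows the remote AP's address going from "no route" to "via 172.17.1.1" once the default route from Step #5 exists; it also refuses a gateway that is not on a connected network, which is the check the controller performs when it reports the interface it will use. The interface names `esa0`/`esa1`, the remote AP address 203.0.113.5 and the second internal subnet are constructed; 172.17.1.x and 10.10.72.x are the networks mentioned in the thread.

```python
import ipaddress

# Constructed connected networks: the controller interface on 172.17.1.0/24
# (gateway 172.17.1.1 as in Step #5) plus a second internal interface.
# Interface names are assumed, not the controller's own.
CONNECTED = [("172.17.1.0/24", "esa0"), ("10.10.72.0/24", "esa1")]


def interface_for_gateway(connected, gw_ip):
    """A static route is only usable if its gateway sits on a connected network."""
    for net, iface in connected:
        if gw_ip in net:
            return iface
    return None


def make_table(static_routes, connected=CONNECTED):
    """Build a routing table: connected routes first, then static ones.

    static_routes is a list of (destination_cidr, gateway) pairs, the same
    fields typed into Controller > Network > Routing Protocols.
    """
    parsed_connected = [(ipaddress.ip_network(n), iface) for n, iface in connected]
    table = [(net, None, iface) for net, iface in parsed_connected]
    for dest, gw in static_routes:
        gw_ip = ipaddress.ip_address(gw)
        iface = interface_for_gateway(parsed_connected, gw_ip)
        if iface is None:
            raise ValueError(f"gateway {gw} is not on any connected network")
        table.append((ipaddress.ip_network(dest), gw_ip, iface))
    return table


def next_hop(table, destination):
    """Longest-prefix match: (next_hop_ip, interface), or None when nothing matches."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, gw, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    net, gw, iface = best
    # Connected route: deliver directly; static route: hand to the gateway.
    return (str(gw) if gw is not None else str(dst), iface)


if __name__ == "__main__":
    remote_ap = "203.0.113.5"   # constructed placeholder for the remote site's public IP
    print("without default route:", next_hop(make_table([]), remote_ap))
    with_default = make_table([("0.0.0.0/0", "172.17.1.1")])
    print("with default route:   ", next_hop(with_default, remote_ap))
    print("local host:           ", next_hop(with_default, "172.17.1.50"))
```

The first lookup returning `None` is the situation in the thread: WASSP packets from the AP arrive through the port forward, but the reply has nowhere to go, so a capture on the controller interface shows inbound traffic and no answers. Adding `0.0.0.0/0` via a gateway on a connected interface fixes that, while the connected /24 still wins over the default for local hosts because it is the longer prefix.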
Hey, you are a master! Thank you so much. Your tutorial is complete for me; now the system is up.
Userlevel 5
Hi Carlo, I don't have anything special defined there in my firewall config. I have a rule that allows any traffic on the inside to any destination on the outside. I think that is how most people set things up?
Hi Steve, I already followed the steps you taught me and it's working now. The remote AP could already access the controller in HO. But when you look at the AP availability menu you can't see the AP as available. Is it possible to control the AP in the remote site running on b@AP via the HO controller? And also, instead of putting a public IP in the AP, is it possible to use a domain name instead?
