Question

VLAN MU's some getting 169 address

  • 24 July 2019

Userlevel 2
Hi
We have a strange issue on the WiFi network; I will try to explain.

We have the RFS7K, which at present is set to tunnelled. The RFS has a connection into the LAN (Avaya 5520); the port is set to a trunk port and has VLANs 1 & 10 allowed.

On the RFS, GE1 is set to trunk with allowed VLANs 1 & 10. Under the virtual adapter there are VLAN1 & VLAN10.

The WLANs are then mapped to the VLANs depending on access.

So in this case VLAN 1 = LAN (and is working fine with no issues).

VLAN 10, on the other hand, is causing some issues.

On the LAN switch (Avaya 5520) a port has been allocated to VLAN 10 (set as the default VLAN); this in turn has an ADSL router connected to it. The router is also the DHCP server for VLAN 10.

VLAN 10 is a Guest WLAN, and the DHCP range is 192.168../24

The APs are all 7532 (FW 5.8).

On the AP, GE1 is set to trunk with the allowed VLANs 1 & 10 and the virtual adapters VLAN 1 & 10.

Now to the issue:

On VLAN 10 some MUs are getting a 169 address or 0.0.0.0. I have selected one of the devices in the statistics / wireless clients and then selected disconnect client; it then re-appears as 0.0.0.0, then changes to a 169 address.

It seems very hit and miss whether you can connect to VLAN 10. I cannot see anything obvious causing the issue.

If I connect to the ADSL router and look at connected devices, it shows the devices that are connected.
So I don't think the router is the issue.

If I select one of the APs that have an MU with a 169 address on it, then select troubleshooting and from there select packet capture, and set the interface to VLAN 10 and packet direction as any, I can see DHCP requests on VLAN 10 and MINT traffic.

It's not affecting all APs, and the ones that are affected are connected to different switches.

Any help or advice gratefully received.

6 replies

Userlevel 5
On one of the APs that has a client that cannot get a lease, is it consistent? Or do some of the clients get a lease on the VLAN-10 WLAN? Hopefully it's a consistent problem. Easier to troubleshoot.

You can use the below command on the controller's CLI to specifically watch a client's DHCP traffic. This would hopefully show you the DHCP Discovery messages being sent from the client...and the expected DHCP Offer from the DHCP server. If you see the Request but not the Offer, then either the Requests are not reaching the DHCP server or the DHCP server's Offer messages are not able to make it back to the AP. From there, you need to locate the source of the breakdown in the wired side traffic flow.

# remote-debug live-pktcap hosts bridge filter ether port 67 and port 68 and ether host
Userlevel 2
Hi Chris
Do I need to add anything to the command?

remote-debug live-pktcap hosts bridge filter ether port 67 and port 68 and ether host

I have tried different options but it returns with incomplete command. The RFS is at WiNG 5.8.
Userlevel 5
Either I entered the command improperly or it got seriously messed up when pasting it.
Either way, it should be:
#remote-debug live-pktcap rf-domain "rf-domain name" bridge filter port 67 and port 68 and ether host "client MAC" (Don't include the quotes "")

...and just to be sure, the client MAC address should be dash delimited. e.g., 00-00-00-11-11-11
Can you ping the VLAN gateway from the AP?
Go to the CLI on one AP; can you then ping the main gateway?
Userlevel 2
Hi Chris
This is what I get from the debug:
Capturing up to 50 packets from each remote host. Use Ctrl-C to abort
[ap7532-Delivery-4,bridge] 1 8:39:56.993108 UDP: 0.0.0.0 > 255.255.255.255 ports 68 > 67, data length 556, DHCP Discover from 40-16-3B-B7-74-49, DSCP 0
[ap7532-B4c1,bridge] 1 8:39:57.808992 UDP: 0.0.0.0 > 255.255.255.255 ports 68 > 67, data length 556, DHCP Discover from 40-16-3B-B7-74-49, DSCP 0
[ap7532-Stores,bridge] 1 8:39:56.974656 UDP: 0.0.0.0 > 255.255.255.255 ports 68 > 67, data length 556, DHCP Discover from 40-16-3B-B7-74-49, DSCP 0
[ap7532-B4c2,bridge] 1 8:39:56.968021 UDP: 0.0.0.0 > 255.255.255.255 ports 68 > 67, data length 556, DHCP Discover from 40-16-3B-B7-74-49, DSCP 0
[ap7532-PC01,bridge] 1 8:39:57.793869 UDP: 0.0.0.0 > 255.255.255.255 ports 68 > 67, data length 556, DHCP Discover from 40-16-3B-B7-74-49, DSCP 0
[ap7532-Delivery-3,bridge] 1 8:39:57.760110 UDP: 0.0.0.0 > 255.255.255.255 ports 68 > 67, data length 556, DHCP Discover from 40-16-3B-B7-74-49, DSCP 0
[ap7532-Dev-1,bridge] 1 8:39:57.537927 UDP: 0.0.0.0 > 255.255.255.255 ports 68 > 67, data length 556, DHCP Discover from 40-16-3B-B7-74-49, DSCP 0
[ap7532-PC02,bridge] 1 8:39:57.490932 UDP: 0.0.0.0 > 255.255.255.255 ports 68 > 67, data length 556, DHCP Discover from 40-16-3B-B7-74-49, DSCP 0
[ap7532-Reception-GF,bridge] 1 8:39:57.572147 UDP: 0.0.0.0 > 255.255.255.255 ports 68 > 67, data length 556, DHCP Discover from 40-16-3B-B7-74-49, DSCP 0

This MAC 40-16-3B-B7-74-49 is showing as being on different APs in different parts of the site; some are remote buildings. The MAC shows as being a Samsung device, possibly a phone, but we do have a lot of Samsung displays. Just looking through the other MACs that are not getting IP addresses and it's all sorts: Apple/Intel/Motorola/Zebra etc.

I have noticed that when you select an AP under devices, some APs show Primary IP as 0.0.0.0 and some have an IP on the LAN (VLAN 1).

Below is the running config of one of the APs that a unit is trying to connect to / get an IP from:

!
! Configuration of AP7532 version 5.8.5.0-016R
!
!
version 2.5
!
!
ip access-list BROADCAST-MULTICAST-CONTROL
permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
permit ip any 224.0.0.0/4 rule-precedence 21 rule-description "Allow IP multicast for Chromecast and Apple TV Boxes to work"
permit ip any host 255.255.255.255 rule-precedence 22 rule-description "allow IP local broadcast for Chromecast and Apple TV Boxes to work"
permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
permit proto 254 any any rule-precedence 101 rule-description Sip traffic
permit tcp any eq 5061 any rule-precedence 102 rule-description sip traffic
permit ip any 104.245.56.0/21 rule-precedence 103 rule-description RingCentral Network
permit ip any 185.23.248.0/22 rule-precedence 104 rule-description RingCentral Network
permit ip any 199.255.120.0/22 rule-precedence 106 rule-description RingCentral Network
permit ip any 199.68.212.0/22 rule-precedence 107 rule-description RingCentral Network
permit tcp any range 8008 8009 any range 8008 8009 rule-precedence 108
permit udp any eq 53 any rule-precedence 110
permit udp any eq 1900 any rule-precedence 111
permit tcp any 54.236.3.128/26 eq https rule-precedence 113
permit tcp any 54.241.191.192/26 eq https rule-precedence 114
permit tcp any 54.246.196.128/26 eq https rule-precedence 115
permit tcp any 54.207.127.192/27 eq https rule-precedence 116
permit tcp any 37.58.79.160/27 eq https rule-precedence 117
permit tcp any 198.11.216.96/27 eq https rule-precedence 118
permit tcp any 5.153.35.160/27 eq https rule-precedence 119
permit tcp any 54.249.82.128/26 eq https rule-precedence 121
permit tcp any 50.22.5.112/28 eq https rule-precedence 122
permit tcp any 54.175.63.64/26 eq https rule-precedence 123
permit tcp any 54.93.127.192/26 eq https rule-precedence 124
permit tcp any 54.209.255.64/26 eq https rule-precedence 125
permit tcp any 54.241.191.64/26 eq https rule-precedence 126
permit tcp any 54.219.189.192/26 eq https rule-precedence 127
permit tcp any 54.4.63.128/26 eq https rule-precedence 128
permit tcp any 54.233.127.192/27 eq https rule-precedence 129
permit tcp any 54.219.189.64/26 eq https rule-precedence 130
permit tcp any 54.175.191.192/26 eq https rule-precedence 131
permit tcp any 54.250.252.0/26 eq https rule-precedence 132
permit tcp any 54.171.191.192/26 eq https rule-precedence 133
permit tcp any 54.93.254.192/26 eq https rule-precedence 134
permit udp any range 5060 5061 any range 5060 5061 rule-precedence 135
permit tcp any eq 5494 any rule-precedence 136
!
mac access-list PERMIT-ARP-AND-IPv4
permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"
permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"
deny host 60-02-B4-F7-E9-E4 host 60-02-B4-F7-E9-E4 vlan 10 rule-precedence 30 rule-description Winstrom Device ?
deny host 60-02-B4-F7-E8-66 host 60-02-B4-F7-E8-66 vlan 10 rule-precedence 41 rule-description winstrom ?
deny host 60-02-B4-F7-EA-CF host 60-02-B4-F7-EA-CF vlan 10 rule-precedence 60 rule-description winstrom ?
deny host 60-02-B4-F7-E9-B8 host 60-02-B4-F7-E9-B8 vlan 10 rule-precedence 70 rule-description winstrom
!
ip snmp-access-list c_HQ
permit host xxx.xxx.xxx.137
!
firewall-policy default
no ip dos tcp-sequence-past-window
storm-control multicast log warnings
ip-mac conflict log-and-drop log-level debugging
no ipv6 firewall enable
no stateful-packet-inspection-l2
alg sip
!
!
mint-policy global-default
mtu 1460
!
wlan-qos-policy default
classification normal
classification non-unicast normal
voice-prioritization
qos trust dscp
qos trust wmm
!
radio-qos-policy default
no admission-control implicit-tspec
admission-control voice
admission-control video
admission-control video max-airtime-percent 15
accelerated-multicast max-streams 60
!
wlan POT
ssid POT
vlan 10
bridging-mode tunnel
encryption-type tkip-ccmp
authentication-type none
no client-client-communication
fast-bss-transition
wpa-wpa2 psk 0 2WqBKL9z7e
client-load-balancing probe-req-intvl 5ghz 24
client-load-balancing probe-req-intvl 2.4ghz 24
ip arp trust
use ip-access-list out BROADCAST-MULTICAST-CONTROL
use mac-access-list out PERMIT-ARP-AND-IPv4
broadcast-dhcp validate-offer
!
wlan ANBG
ssid ANBG
vlan 1
bridging-mode tunnel
encryption-type tkip-ccmp
authentication-type none
fast-bss-transition
wpa-wpa2 psk 0 xxxxx0B1
use ip-access-list out BROADCAST-MULTICAST-CONTROL
use mac-access-list out PERMIT-ARP-AND-IPv4
!
smart-rf-policy Wood2
sensitivity custom
channel-width 5GHz auto
channel-width 2.4GHz auto
!
!
management-policy default
no telnet
no http server
https server
no ftp
ssh
user admin password 1 ab38cb210d7336ec17bcad7b2d0d7fa644e98f9fcd32c691c5ac1875f5858854 role superuser access all
allowed-location cHQ locations CHQ
snmp-server manager v1
snmp-server manager v2
no snmp-server manager v3
snmp-server community 0 public ro ip-snmp-access-list Mic_HQ
snmp-server user snmptrap v3 encrypted des auth md5 0 admin123
snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123
snmp-server enable traps
snmp-server host xxx.xxx.xxx.137 v2c 161 community 0 public
!
profile ap7532 Mc_7532
dscp-mapping 46 priority 7
ip name-server xxx.xxx.xxx.184
ip name-server xxx.xxx.xxx.150
ip name-server xxx.xxx.xxx.151
ip domain-name l.local
ip default-gateway xxx.xxx.144.254
autoinstall configuration
autoinstall firmware
device-upgrade count 20
led flash-pattern
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface radio1
data-rates bgn
wlan ANBG bss 2 primary
wlan POT bss 3 primary
max-clients 256
interface radio2
data-rates an
wlan POT bss 1 primary
wlan ANBG bss 2 primary
max-clients 256
interface ge1
switchport mode trunk
switchport trunk native vlan 1
no switchport trunk native tagged
switchport trunk allowed vlan 1-4094
no cdp receive
no cdp transmit
no lldp receive
no lldp transmit
interface vlan1
interface vlan10
interface pppoe1
use firewall-policy default
ntp server xxx.xxx.xxx.150 version 3
ntp server xxx.xxx.xxx.151 prefer version 3
ntp server xxx.xxx.xxx.184 version 3
rf-domain-manager capable
logging on
no cdp run
no lldp run
service pm sys-restart
router ospf
dpi
dpi metadata voice-video
dpi metadata http
dpi metadata ssl
dpi logging on
traffic-shape total-bandwidth 20 Mbps
traffic-shape enable
!
rf-domain Wood_2
location L_HQ
timezone Europe/London
country-code gb
use smart-rf-policy Wood2
!
ap7532 84-24-8D-82-C7-88
use profile Mic_7532
use rf-domain Wood_2
hostname ap7532-Delivery-1
layout-coordinates -899.5 -983.0
area Delivery
floor B4-First-Floor-Kitchen-Sec-end
interface radio1
wlan HOTSPOT bss 1 primary
wlan MICWLANBG bss 2 primary
interface radio2
channel 48ww
wlan POT bss 1 primary
wlan ANBG bss 2 primary
!
!
end
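
The check described in the earlier reply (client requests seen but no Offer means the break is on the wired path to the DHCP server), applied to live-pktcap output in the format quoted above. This is an added example, not part of the original thread and not vendor code. The AP names and sample lines are constructed, and the wording of the Offer/Request/Ack lines is an assumption, since only Discover lines appear in the thread.

```python
import re
from collections import Counter, defaultdict

# Line shape copied from the capture output quoted in the thread:
#   [<ap-hostname>,bridge] <n> <h:mm:ss.usec> UDP: ... DHCP <Type> ...
LINE_RE = re.compile(
    r"^\[(?P<ap>[^,\]]+),bridge\]\s+\d+\s+\d+:\d+:\d+\.\d+\s+UDP:.*?\bDHCP (?P<kind>\w+)"
)
CLIENT_MSGS = {"discover", "request"}
SERVER_MSGS = {"offer", "ack", "nak"}

def summarize(capture_text):
    """Count DHCP message types per AP and classify the exchange."""
    per_ap = defaultdict(Counter)
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skips the banner line and any non-DHCP packets
            per_ap[m.group("ap")][m.group("kind").lower()] += 1
    seen = {kind for counts in per_ap.values() for kind in counts}
    if not seen & CLIENT_MSGS:
        verdict = "no-client-traffic"   # nothing from the client in the capture
    elif not seen & SERVER_MSGS:
        verdict = "no-server-reply"     # Discover seen, Offer missing
    elif "ack" not in seen:
        verdict = "offered-not-acked"   # server answered, lease not completed
    else:
        verdict = "lease-completed"
    return {"verdict": verdict, "per_ap": {ap: dict(c) for ap, c in per_ap.items()}}

# Constructed sample input (hypothetical AP names, placeholder MAC).
SAMPLE_NO_REPLY = """\
Capturing up to 50 packets from each remote host. Use Ctrl-C to abort
[ap-example-1,bridge] 1 8:39:56.993108 UDP: 0.0.0.0 > 255.255.255.255 ports 68 > 67, data length 556, DHCP Discover from 00-00-00-11-11-11, DSCP 0
[ap-example-2,bridge] 1 8:39:57.808992 UDP: 0.0.0.0 > 255.255.255.255 ports 68 > 67, data length 556, DHCP Discover from 00-00-00-11-11-11, DSCP 0
[ap-example-1,bridge] 2 8:40:01.120455 UDP: 0.0.0.0 > 255.255.255.255 ports 68 > 67, data length 556, DHCP Discover from 00-00-00-11-11-11, DSCP 0
"""

# Constructed sample; the Offer/Request/Ack line wording is assumed, not from the thread.
SAMPLE_LEASE = """\
[ap-example-1,bridge] 1 9:00:00.000100 UDP: 0.0.0.0 > 255.255.255.255 ports 68 > 67, data length 556, DHCP Discover from 00-00-00-11-11-11, DSCP 0
[ap-example-1,bridge] 2 9:00:00.020300 UDP: 192.0.2.1 > 255.255.255.255 ports 67 > 68, data length 300, DHCP Offer for 00-00-00-11-11-11, DSCP 0
[ap-example-1,bridge] 3 9:00:00.031900 UDP: 0.0.0.0 > 255.255.255.255 ports 68 > 67, data length 556, DHCP Request from 00-00-00-11-11-11, DSCP 0
[ap-example-1,bridge] 4 9:00:00.045200 UDP: 192.0.2.1 > 255.255.255.255 ports 67 > 68, data length 300, DHCP Ack for 00-00-00-11-11-11, DSCP 0
"""

if __name__ == "__main__":
    for name, text in (("no reply", SAMPLE_NO_REPLY), ("lease", SAMPLE_LEASE)):
        print(name, summarize(text))
```
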
Userlevel 2
Having done some more investigation, it seems that the ADSL router that is doing the DHCP may have been running out of resource, so this has been replaced with a different unit loaded with the OpenWrt FW. So far it seems to be OK (now I have jinxed it).
