topic Re: After Moving to Aerohive NG management platform we are having clients keeping their old IP address from other locations. This is causing the clients to stay connected but not access anything internal or external. in Aerohive Migrated Content

After Moving to Aerohive NG management platform we are having clients keeping their old IP address from other locations. This is causing the clients to stay connected but not access anything internal or external.

wendland_jm — Thu, 12 Sep 2019 20:20:09 GMT

We are running 10.0r7a on 98% of our AP250 and AP230. Some Background info, we have most of our building segmented on different subnets but using the same SSID for all buildings and are using an external radius server for authentication. All APs in a building are issuing the same subnet scope and VLAN. We have already tried GRE Tunneling (this made the issue worse). We have done a VLAN Probe test and the AP successfully passes the test for its Building VLAN.

The issue is when a client is connected in building A on VLAN-A and IP address int subnet A and the client moves to building B the clients stays connected but has no access to anything due to the client keeping their IP address form building A. This is happening on all devices (apple,android,windows,chrome) but it does not happen all the time. A client can move from building A to B (no issue) then to building C and have the issue. Suggestions would be a great help.

Thank you.

Re: After Moving to Aerohive NG management platform we are having clients keeping their old IP address from other locations. This is causing the clients to stay connected but not access anything internal or external.

dparsons — Fri, 13 Sep 2019 03:12:58 GMT

And unfortunately you will continue to have issues. The device cannot tell that it has moved to a new VLAN since from what it can tell it is on the same network. The only option is to set you DHCP life time to a few seconds (Windows minimum is one minute) but that is going to flood your network. In short this is not a good design. I have to ask why you did this?

We ran into the same issue with two separate sites using the same SSID but different VLANs due to the site being on the end of a VPN and no means to retain the same VLAN. In the end we had to change the SSID at the remote site so the devices could determine that it was a different network and ask for a new IP. Recent updates to windows has made it even worse.

On Windoze when the device connect to a wireless network that it has connected before it will use the IP address that was issued to it during the prior session unless it has expired. It speeds up the connection process. Just think if every time a device changed APs (same building or not) that it had to do a DHCP request. The device has no means to detect what VLAN is behind the SSID it is connecting to (yeah I said it again).

Re: After Moving to Aerohive NG management platform we are having clients keeping their old IP address from other locations. This is causing the clients to stay connected but not access anything internal or external.

wendland_jm — Fri, 13 Sep 2019 03:27:53 GMT

When we were using Aerohive Classic we had the same vlan and subnet setup as we do now and never had this problem. This summer we moved all of our APs to NG and this issue started and has only gotten worse.

"I have to ask why you did this?" Why we did what?

Thank you for your response.

Re: After Moving to Aerohive NG management platform we are having clients keeping their old IP address from other locations. This is causing the clients to stay connected but not access anything internal or external.

dparsons — Fri, 13 Sep 2019 03:35:13 GMT

Why are your users in a different VLAN in each building? Why not have them in the same VLAN regardless of the building? Are your APs and users in the same VLAN?

Re: After Moving to Aerohive NG management platform we are having clients keeping their old IP address from other locations. This is causing the clients to stay connected but not access anything internal or external.

dparsons — Fri, 13 Sep 2019 03:52:35 GMT

As to why it worked before I have a few guesses but not knowing all the details I am only guessing. First is that you happened to make your move around the same time Windows changed the way it connects. Prior to this spring Windows did a DHCP request each time it "connected" to a network. When I use the term connected I am saying where it has lost the connection and has a red X on the tray and then connects to the next AP and the X goes away as opposed to connecting to another AP as a simple roam. When a client roams the connection never goes red. As your user leaves one building and enters another is there a time that the signal is so weak the client disconnects completely?

Did you replace your APs during the change? Better APs mean better signal and user may no longer disconnect as discussed above.

In the new Hive Manager you will have a new radio profile and a renegotiation of channels and signal strength. This could have reduce the disconnects when changing buildings. If prior to the change you got disconnected and after you do not then that could have been what made the difference.

Regardless you are faced with a no win battle on Windows clients now as they hold on even through reboots. Our two sites were a 30 minute drive apart. We use client classification and it also was affected. When two different users logged onto the same device if they were placed in different VLANs then the second user would not have connectivity because it would hang onto the prior IP as you are experiencing. We had to implement a procedure for the helpdesk to walk them through a ipconfig /release and ipconfig /renew to force a DHCP request.

Re: After Moving to Aerohive NG management platform we are having clients keeping their old IP address from other locations. This is causing the clients to stay connected but not access anything internal or external.

wendland_jm — Fri, 13 Sep 2019 05:12:48 GMT

For may reasons, 1) to segment network traffic between our 30+ buildings and not have a huge subnet scope, 2) to limit casting between buildings, 3) better security, 4) help prevent virus spread and many more reasons. This question is more why is only NG doing this. The buildings that were previously still on classic did not have any problem moving between those building.

Re: After Moving to Aerohive NG management platform we are having clients keeping their old IP address from other locations. This is causing the clients to stay connected but not access anything internal or external.

wendland_jm — Fri, 13 Sep 2019 05:20:11 GMT

The scope of client issues is not limited to Windows devices. "(apple,android,windows,chrome)" Yes, building are far enough apart that there is no wireless between. We have not added APs in these areas. Our NG radio profiles are as close to the Classic radio profiles as we can set them with the slider bars. I cannot ask 1000s of clients to "ipconfig /release and ipconfig /renew to force a DHCP request." every time they walk between buildings.

Re: After Moving to Aerohive NG management platform we are having clients keeping their old IP address from other locations. This is causing the clients to stay connected but not access anything internal or external.

dparsons — Fri, 13 Sep 2019 06:35:39 GMT

First I understand your frustration. Been there many times. In the world of WiFi the client is in control no matter how hard you try control them. I was just using Windows as an example, we had issue with other clients.

If I understand you still have some APs still on classic. Pull the config from an AP on classic and one on NG and compare them. See if there is any differences that stand out. Do you still have two adjacent buildings on Classic? If so, do clients have any issues between those two buildings? Feel free to sanitize the configs and upload them, be glad to take a peek.

No I don't expect you to ask clients to release renew, just explaining what we had to do.

So I am wondering if there is a chance that the design on classic and the design on NG are actually the same or if something got changed?

I am at a college and our "student" wireless is one VLAN on the entire campus serving 1000+ clients across 14 buildings. I have about 30 VLANs on my APs and segregate my users based on several factors. They all use the same SSID but land in different VLANs depending on their domain as well as thier group membership within the domains. If all else fails, is something like this something you could use to segment your users and shrink you broadcast domains?

Re: After Moving to Aerohive NG management platform we are having clients keeping their old IP address from other locations. This is causing the clients to stay connected but not access anything internal or external.

wendland_jm — Fri, 13 Sep 2019 06:54:33 GMT

This is also a college environment, We thought the issue was coming from being partly NG and partly Classic so we quickly moved all APs to NG before students arrived. We had an Aerohive engineer setup NG as close as Classic as they could. We had a similar issue a few years ago which was fixed by the core router dhcp helper making some overrides. Theses are still in place and were working great until NG came along.

I am confused by you last paragraph. How do you have both one VLAN and also land in different VLANs?

Thank you for your response.

Re: After Moving to Aerohive NG management platform we are having clients keeping their old IP address from other locations. This is causing the clients to stay connected but not access anything internal or external.

dparsons — Fri, 13 Sep 2019 07:27:58 GMT

Sorry bout that, end of the day...

Almost all of my students are on one vlan that spans the entire campus. We have a wireless firewall policy that prevents student devices from talking to each other on the wireless. As for the 30 VLANs those serve my other users. We are part of a state wide college system. So here are some of the groups that exist and are each put into separate VLANs but under one SSID.

Our students.

Other schools students.

Faculty and staff in the system wide domain.

Laptop carts in an acad domain.

domain joined devices in our internal domain

IT users

Facilities users

Media users

Campus Police users

Any chance you still have the classic server?

Re: After Moving to Aerohive NG management platform we are having clients keeping their old IP address from other locations. This is causing the clients to stay connected but not access anything internal or external.

wendland_jm — Fri, 13 Sep 2019 07:39:15 GMT

Yes we still have the classic server. I have a ticket open with Aerohive but it is slow coming. How are you handling casting between hardwired vlans to the wireless? And headless devices? To clarify you have your Aerohive AP all broadcast the same ssid. All "students" go into one vlan and you are separating other staff to a different vlan which they keep regardless of what building? If there is a security issue how do you track the user down? Is you firewall policy through Aerohive or a network ACL?

Thank you,

Re: After Moving to Aerohive NG management platform we are having clients keeping their old IP address from other locations. This is causing the clients to stay connected but not access anything internal or external.

dparsons — Fri, 13 Sep 2019 08:04:03 GMT

All APs broadcast the same SSID and a user stays on the same VLAN regardless of location. The student vlan along with the others are separated in our internal firewall that controls all traffic between the vlans and the Internet. I only use the wireless firewall policy to block traffic between wireless users preventing an personal infected machine from spreading. Since we use WPA2-Enterprise the user ID is in the NPS server logs.

When you speak of casting are you talking of things like screen sharing?

Re: After Moving to Aerohive NG management platform we are having clients keeping their old IP address from other locations. This is causing the clients to stay connected but not access anything internal or external.

wendland_jm — Fri, 13 Sep 2019 08:31:03 GMT

Yes, we have academic areas where they utilize chromecast, and airtames. Also how are you dealing with headless devices such as xboxes since they cannot do 802.1x auth while only having one ssid?

Re: After Moving to Aerohive NG management platform we are having clients keeping their old IP address from other locations. This is causing the clients to stay connected but not access anything internal or external.

dparsons — Mon, 16 Sep 2019 23:35:34 GMT

For casting devices they are in a separate VLAN (and in our case hard wired) so it is handled in the central firewall. For the most part we are fortunate that we don't deal with headless devices much. When I do have a device that cannot do WPA-Enterprise I connect them to our guest wireless segment that uses WPA2-Personal. The normal guest uses PPSK but I issue a PSK under a separate user profile and then drop them in the VLAN of choice. If I need the segregating I can do that or just put them in the guest VLAN. I have three SSIDs broadcasting, one for each type of authentication. We have an open segment that only allows the user to a webpage that has instructions on how to connect to the wireless. I use to also have the certificate to download when we were using a private cert on our NPS server, now we use a public signed cert. I then have a guest SSID that is WPA2-Personal. Although it says guest I can stick the user in any VLAN I want using the user profile. And then I have the WPA-Enterprise. Initially it uses the radius attribute to drop the user in the appropriate user profile the some of those use client classification to further sort them into different VLANs. For example we have a list of MAC addresses for a set of laptops, unless you are on one of these laptops you cannot use you internal domain credentials. If you use those credentials on a device not on the MAC list you will either not get connected (no IP) or get stuck in a guest network.

If you need to break up your users like you students is there a grouping in the domain that could be used to break them into smaller groups and the drop them into separate VLANs base on the group membership? Same SSID and stuff just splits them up. Maybe by dorm? Just tossing ideas out.

Re: After Moving to Aerohive NG management platform we are having clients keeping their old IP address from other locations. This is causing the clients to stay connected but not access anything internal or external.

phadley — Fri, 03 Jan 2020 20:59:42 GMT

We went to NG a year ago and it's been nothing but problems. It got so bad I went back to 8.2r6. Doing this keeps most of the clients happy such as Chromebooks, newer phones, and Windows 10 clients, but I've got sporadic issues with older Windows 7 clients unable to connect after they "sit" for a while. We have AP-250's exclusively, and I've spent months "dialing things in", dialing I never had to do with classic. NG is problem, and now that Extreme owns Aerohive, good luck to us all.