Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
21825
Views
11
Helpful
32
Replies

802.1x Session Re-authentication timeout and DHCP

Go to solution
kanansimpson
Level 1
Level 1

‎01-20-2016 11:39 AM - edited ‎07-05-2021 04:31 AM

Hello,

Has anyone experienced an issue with wireless client IP renewal on a 802.1x enabled WLAN/SSID when the Re-authentication timeout occurs?

Here is the issue..

I have a dot1x enabled WLAN. I have some wireless clients (a mixture/not the same) that will lose it's IP address after the Re-authentication timeout occurs. When this occurs, the client remains connected to the ap but will eventually show an APIPA address. I have enabled client debug on the the WLC and see that the client reauth logs after the timeout occurs. I know the reauth is fine (Client remains connected to ap). I've done several pcaps and it indicates that the DHCP server is receiving the Discover packet and replying with the Offer. However, the last place I see the offer packet is at the WLC up link port. From there, its not getting to the client to complete the process.

By default, the Re-authentication timeout is configured for 30 mins (or 1800 secs). As a work around, I've increase the Re-authentication timeout value to 12 hours. A 30 minute disconnect is not acceptable.

Has anyone experienced this issue or know anything about it?

Thanks Kindly.

4 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
George Stefanick
VIP Alumni
VIP Alumni
In response to kanansimpson

‎01-20-2016 07:58 PM

You have a backup controller maybe try and reproduce it on that one if you can't reboot production. Years ago it would use the management address it now and for a long time it's been sourced from the interface you put in the wlc if proxy is on. 

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

View solution in original post

0 Helpful
32 Replies 32

Go to solution
George Stefanick
VIP Alumni
VIP Alumni

‎01-20-2016 11:47 AM

Hello 

I can't say I've seen this issue during a re auth the client loses its IP address. Can you move this back to 30 mins, capture a client debug and post ? 

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
0 Helpful

Go to solution
kanansimpson
Level 1
Level 1
In response to George Stefanick

‎01-20-2016 11:57 AM

George,

First, I would give a disclaimer and let you know that I'm new to Cisco Wireless and learning it. With that said, you are referring to the debug client <mac> on the wlc cli, correct? I'm not able to move the timer back to the 30 minute value on the WLAN but I have create a duplicate WLAN that using the same L3 network for testing. I have the timeout value set to 5 minutes (300).  

Thanks,

0 Helpful

Go to solution
George Stefanick
VIP Alumni
VIP Alumni
In response to kanansimpson

‎01-20-2016 12:34 PM

No problem. We all have to start somewhere. I manage a very large wireless network. 30,000 clients plus+. Im pretty well aware of all the little crazy things that can happen.

Fine, create another WLAN see, move to a shower timer and see if you can reproduce the issue. On the CLI in the WLC the client is attached to do a client debug <mac address>. When it disconnects and tries to reconnect we want to capture this...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Go to solution
kanansimpson
Level 1
Level 1
In response to George Stefanick

‎01-20-2016 01:22 PM

George,


This is a capture that I already had. I've been tshooting this for a while now.  Perhaps, I should disable dhcp proxy. 

Please take a look.


Thanks,

Preview file
471 KB
0 Helpful

Go to solution
George Stefanick
VIP Alumni
VIP Alumni
In response to kanansimpson

‎01-20-2016 01:27 PM

What controller model and code are you on ?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
0 Helpful

Go to solution
kanansimpson
Level 1
Level 1
In response to George Stefanick

‎01-20-2016 01:29 PM

8500 runnning 8.1.102.0 code. Planning to upgrade to 8.1.131.0 in the next few months.

0 Helpful

Go to solution
George Stefanick
VIP Alumni
VIP Alumni
In response to kanansimpson

‎01-20-2016 01:31 PM

On the controller CLI do a ->show wlan <X> 

and post it 

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
0 Helpful

Go to solution
George Stefanick
VIP Alumni
VIP Alumni
In response to George Stefanick

‎01-20-2016 01:43 PM

Do you have 2 DHCP servers configured of your interface ?

Let me take a look at the WLAN config. Also do post the interface this WLAN is configured to. In the CLI do:

show interface detailed <name of interface>

server id: <DHCP_SVR_1> rcvd server id: <DHCP_SVR_1>

server id: <DHCP_SVR_2>  rcvd server id: <DHCP_SVR_2>
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Go to solution
George Stefanick
VIP Alumni
VIP Alumni
In response to George Stefanick

‎01-20-2016 01:51 PM

Post 

show interface detailed test-wifi-1010

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
0 Helpful

Go to solution
kanansimpson
Level 1
Level 1
In response to George Stefanick

‎01-20-2016 01:59 PM

I posted the WLAN output above. I will note that I disable the dhcp proxy on theis wlan and put IP helpers on the gateway interface. However, some WLANs are still using it and it still enabled globally.

Thanks,

0 Helpful

Go to solution
George Stefanick
VIP Alumni
VIP Alumni
In response to kanansimpson

‎01-20-2016 02:18 PM

Here is where the breakdown is as I see it. 

Did this ever work and stopped working ? Did you do a code upgrade recently ? Any changes ?

Im not sure what this mean. But I think this is a logging bug and not your issue based on what i read. 

[PA] Wired client head is NULL, no clients in the list. Number of clients = 0

*DHCP Socket Task: Nov 10 10:48:30.548: [PA] a0:63:91:87:4c:90 DHCP processing DHCP ACK (5)
*DHCP Socket Task: Nov 10 10:48:30.548: [PA] a0:63:91:87:4c:90 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 1
*DHCP Socket Task: Nov 10 10:48:30.548: [PA] a0:63:91:87:4c:90 DHCP   xid: 0xd5488f16 (3578302230), secs: 0, flags: 0
*DHCP Socket Task: Nov 10 10:48:30.548: [PA] a0:63:91:87:4c:90 DHCP   chaddr: a0:63:91:87:4c:90
*DHCP Socket Task: Nov 10 10:48:30.548: [PA] a0:63:91:87:4c:90 DHCP   ciaddr: <Wireless_Client_IP>,  yiaddr: 0.0.0.0
*DHCP Socket Task: Nov 10 10:48:30.548: [PA] a0:63:91:87:4c:90 DHCP   siaddr: 0.0.0.0,  giaddr: <_Client_VLAN_1010_Gateway>
*DHCP Socket Task: Nov 10 10:48:30.548: [PA] a0:63:91:87:4c:90 DHCP   server id: <DHCP_SVR_2>  rcvd server id: <DHCP_SVR_2>
*Apf Guest: Nov 10 10:48:56.650: [PA] Wired client head is NULL, no clients in the list. Number of clients = 0
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Go to solution
George Stefanick
VIP Alumni
VIP Alumni
In response to George Stefanick

‎01-20-2016 02:18 PM

Are all the clients acting like this ?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
0 Helpful

Go to solution
kanansimpson
Level 1
Level 1
In response to George Stefanick

‎01-20-2016 02:21 PM

see above post.

Thanks

0 Helpful

Go to solution
kanansimpson
Level 1
Level 1
In response to George Stefanick

‎01-20-2016 02:20 PM

This is a new deployment. No change in code. Always been an issue until I increase the session timer. The issue is still there. It's just every 12 hours and not every 30 minutes. This doesn't occur for everyone. 

I just know when the session times out, the client does a reauth but eventually loses its IP. If I do a ipconfig/release and /renew, it will not obtain an IP address. If i disconnect from the wireless and reconnect, the device is able to obtain an IP. It seems that a client has to create a new session by disconnecting and reconnecting in order to get an IP. 


Thanks,

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card