Cisco 881W problems with DHCP and Wireless

james.ochs · ‎01-08-2014

Hi all,

I have a cisco 881W that I am having a strange issue with. I can't seem to get my details past whatever filter they have put on this site as I keep getting this message:

This message can not be displayed due to its content. Please use the contact us link with any questions.

But in a nutshell, two laptops don't get a dhcp address, one tablet also can not, but two phones can when connected to the wireless network. All of the devices I am having trouble with are made by a manufacturer named after a fruit.

When the devices that do not get an ip connect, I see them associate with the AP, but I don't see any activity under sho ip dhcp server stat

border-1#sho run

Building configuration...

Current configuration : 3263 bytes

!

! Last configuration change at 23:07:31 PCTime Tue Jan 7 2014 by

! NVRAM config last updated at 22:34:20 PCTime Tue Jan 7 2014 by

!

version 15.0

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname border-1

!

boot-start-marker

boot-end-marker

!

no aaa new-model

!

memory-size iomem 10

clock timezone PCTime -5

service-module wlan-ap 0 bootimage autonomous

!

no ip source-route

!

ip dhcp excluded-address 10.10.10.1 10.10.10.10

ip dhcp excluded-address 10.10.30.1 10.10.30.10

!

ip dhcp pool vlan1pool

import all

network 10.10.10.0 255.255.255.0

default-router 10.10.10.1

dns-server 8.8.8.8 8.8.4.4

!

ip dhcp pool vlan3pool

network 10.10.30.0 255.255.255.0

default-router 10.10.30.1

dns-server 8.8.8.8 8.8.4.4

!

ip cef

no ip domain lookup

ip domain name froody.org

ip inspect name IPV4Rule dns

ip inspect name IPV4Out tcp

ip inspect name IPV4Out udp

ip inspect name IPV4Out ftp

ip inspect name IPV4Out icmp

ipv6 unicast-routing

ipv6 cef

ipv6 inspect name IPV6Rule udp

ipv6 inspect name IPV6Rule ftp

ipv6 inspect name IPV6Rule icmp

ipv6 inspect name IPV6Rule tcp

ipv6 dhcp pool poolv6

!

multilink bundle-name authenticated

license boot module c880-data level advipservices

!

ip ssh version 2

!

bridge irb

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

switchport access vlan 2

!

interface FastEthernet3

!

interface FastEthernet4

ip address dhcp

ip nat outside

ip inspect IPV4Out out

ip virtual-reassembly

duplex auto

speed auto

ipv6 address autoconfig default

ipv6 enable

ipv6 dhcp client pd tw-ipv6

ipv6 inspect IPV6Rule out

ipv6 traffic-filter wan-in in

ipv6 traffic-filter wan-out out

!

interface wlan-ap0

description Service module interface to manage the embedded AP

ip unnumbered Vlan1

arp timeout 0

!

interface Wlan-GigabitEthernet0

description Internal switch interface connecting to the embedded AP

switchport mode trunk

!

interface Vlan1

ip address 10.10.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface Vlan2

ip address 10.10.20.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface Vlan3

ip address 10.10.30.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

ip forward-protocol nd

no ip http server

no ip http secure-server

!

ip nat inside source list 3 interface FastEthernet4 overload

!

ip access-list extended INBOUND

deny ip any any

!

access-list 1 permit 0.0.0.0 255.255.255.0

access-list 3 permit 10.10.10.0 0.0.0.255

access-list 3 permit 10.10.30.0 0.0.0.255

!

ipv6 access-list wan-in

sequence 100 deny ipv6 any any

!

ipv6 access-list wan-out

permit tcp any any reflect REFLECTOUT

permit udp any any reflect REFLECTOUT

deny ipv6 FEC0:0:0:201::/64 any

!

control-plane

!

bridge 1 protocol ieee

bridge 1 route ip

!

line con 0

no modem enable

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

line vty 0 4

access-class 3 in

login local

transport input ssh

!

scheduler max-task-time 5000

end

And the Access Point:

ap#sho run

Building configuration...

Current configuration : 2310 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname ap

!

no aaa new-model

!

dot11 syslog

dot11 vlan-name vlan1 vlan 1

dot11 vlan-name vlan3 vlan 3

!

dot11 ssid WLAN1

vlan 1

authentication open

authentication key-management wpa version 2

mbssid guest-mode

wpa-psk ascii 0 Test123

!

dot11 ssid WLAN-GUEST

vlan 3

authentication open

authentication key-management wpa version 2

mbssid guest-mode

wpa-psk ascii 0 Test123

!

bridge irb

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption vlan 1 mode ciphers tkip

!

encryption vlan 3 mode ciphers tkip

!

ssid WLAN1

!

ssid WLAN-GUEST

!

antenna gain 0

mbssid

station-role root

!

interface Dot11Radio0.1

encapsulation dot1Q 1 native

no ip route-cache

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface Dot11Radio0.2

encapsulation dot1Q 3

no ip route-cache

bridge-group 3

bridge-group 3 subscriber-loop-control

bridge-group 3 block-unknown-source

no bridge-group 3 source-learning

no bridge-group 3 unicast-flooding

bridge-group 3 spanning-disabled

!

interface GigabitEthernet0

description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router

no ip address

no ip route-cache

!

interface GigabitEthernet0.1

encapsulation dot1Q 1 native

no ip route-cache

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

!

interface GigabitEthernet0.2

encapsulation dot1Q 3

no ip route-cache

bridge-group 3

no bridge-group 3 source-learning

bridge-group 3 spanning-disabled

!

interface BVI1

ip address 10.10.10.2 255.255.255.0

no ip route-cache

!

ip http server

no ip http secure-server

bridge 1 protocol ieee

bridge 1 route ip

!

banner login ^CC

^C

!

line con 0

privilege level 15

login local

no activation-character

line vty 0 4

login local

!

end

james.ochs · ‎01-09-2014

To clarify, when I connect either laptop directly to the wired switch on the router, I get an IP address and everything works normally.

If I connect either of the phones to the 802.11n network (either SSID) they both get an IP address and everything works normally.

If I connect either laptop to the 802.11n network, both associate to the access point, but neither one gets and IP address.

If I do sho ip dhcp server stat I see the statistics increment if the phones are connected to the wireless network, or if the laptops are connected to the wired network. I don't see the statistics increment when the laptops are connected to the wireless network.

tcpdump does show the laptops sending dhcp discover packets, so it looks like the access point is not forwarding the laptop dhcp requests for some reason.

the router is running ios 15.0M and the ap has 12.4 something on it.

philip daly · ‎01-09-2014

It could be that your AP is in 802.11n mode only. Try enabling it for 802.11 a/b/g/n on both the 2.4 and 5 GHZ radio

see the following link http://support.apple.com/kb/ht4199

Ashish Arora · ‎01-09-2014

It seems like a wireless isssue ;however have you tried to put a static ip on the laptop from the DHCP server and then try to check if you are able to connect/ping across it.

in case if there is any vulnerablity related to Wireless standard 802.11n , then it should bve reported to TAC for the analysis;however first action will have to be to test it with the static ip.

2. Share the output of debug dhcp

james.ochs · ‎01-10-2014

The AP in the 881W only has a 2.4GHZ radio. I took a look at the apple support link and there wasn't anything that really helps, but some good tips none the less.

Here's the dhcp server debug output when connecting with a phone:

on the ap:

*Mar 1 00:04:22.915: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 8853.956b.1cbf Associated KEY_MGMT[WPAv2 PSK]

on the router side:

Jan 11 04:17:35.467: DHCPD: Sending notification of DISCOVER:

Jan 11 04:17:35.467: DHCPD: htype 1 chaddr 8853.956b.1cbf

Jan 11 04:17:35.467: DHCPD: remote id 020a00000a0a0a0100000001

Jan 11 04:17:35.467: DHCPD: circuit id 00000000

Jan 11 04:17:35.467: DHCPD: Seeing if there is an internally specified pool class:

Jan 11 04:17:35.467: DHCPD: htype 1 chaddr 8853.956b.1cbf

Jan 11 04:17:35.467: DHCPD: remote id 020a00000a0a0a0100000001

Jan 11 04:17:35.467: DHCPD: circuit id 00000000

Jan 11 04:17:35.467: DHCPD: Found previous server binding

Jan 11 04:17:36.479: DHCPD: Sending notification of ASSIGNMENT:

Jan 11 04:17:36.479: DHCPD: address 10.10.10.13 mask 255.255.255.0

Jan 11 04:17:36.479: DHCPD: htype 1 chaddr 8853.956b.1cbf

Jan 11 04:17:36.479: DHCPD: lease time remaining (secs) = 86400

When the laptop connects I see the associate message on the AP, but no activity on the dhcp server on the router side.

Heres the dhcp request from the laptop:

23:24:56.036120 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from 00:23:6c:9a:2f:42 (oui Unknown), length 300