11-10-2017 12:29 PM - edited 03-08-2019 12:42 PM
DHCP was working both on the wired and AP sides. This is the only DHCP server on the local network. I am fairly sure it is an ACL issue but am lost as to what I did wrong. The following are the DHCP, Interface, and ACL sections of the configuration:
!
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool ccp-pool
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.25 8.8.8.8 64.88.192.20 64.88.192.21
netbios-name-server 192.168.1.25
lease 0 2
!
!
!
ip domain name pvm.local
ip name-server 8.8.8.8
ip name-server 192.168.1.25
ip name-server 64.88.192.20
ip name-server 64.88.192.21
ip inspect name firewall http
ip inspect name firewall https
ip inspect name firewall tcp
ip inspect name firewall udp
ip cef
no ipv6 cef
<snip>
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description PrimaryWANDesc_
ip address 173.209.76.13 255.255.255.0
ip access-group 100 in
ip access-group 110 out
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
duplex auto
speed auto
!
interface Wlan-GigabitEthernet0
no ip address
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip address 192.168.2.1 255.255.255.0
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.1.1 255.255.255.0
ip access-group 110 in
ip access-group 110 out
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
no ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 110 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 173.209.76.1
!
!
access-list 20 permit 0.0.0.0 255.255.255.0
access-list 100 deny tcp any any
access-list 100 deny udp any any
access-list 100 deny ip any any
access-list 110 permit ip any any
access-list 110 permit tcp any any
access-list 110 permit udp any any
access-list 110 permit icmp any any
!
11-10-2017 01:14 PM
For testing, does it work if you remove acl 100 and 110 from vlan 1?
HTH
11-10-2017 01:23 PM - edited 11-10-2017 01:30 PM
Hello
Regarding your use of CBAC, I am assuming you don't require any traffic initiation from outside of interface fa0/4, so denying any traffic from the outside would be applicable.
The ACL 100 would be okay; however, I would clean it up a little, and also the CBAC inspect protocols.
You also don't need to apply ACL 100 on the SVI interface as you permit everything anyway, and lastly the NAT ACL 110 needs to be more specific than any any.
Please try the following:
no access-list 100
no access-list 110
access-list 100 deny ip any any
! for CBAC
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
! for NAT
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
no ip inspect name firewall http
no ip inspect name firewall https
ip inspect name firewall icmp
int vlan 1
no ip access-group 110 in
no ip access-group 110 out
ip access-group 101 in
ip inspect firewall in
! the WAN interface is FastEthernet4 in the posted config
int FastEthernet4
no ip access-group 110 out
no ip inspect firewall out
res
Paul
11-15-2017 08:09 AM
Thanks for the tips. You answered my next question before I even asked it, which was help on cleaning up everything.
DHCP still has a problem. It appears that it is handing out 10.0.1.X addresses.
11-15-2017 08:22 AM
Hello
Are you saying your LAN hosts are receiving a 10.x.x.x allocation instead of the 192.168.x.x?
Can you post the ipconfig /all from a host that receives such addressing? It should tell the DHCP server IP address.
res
Paul
11-15-2017 08:53 AM
Thanks. I mentioned in another post there was a rogue server present. Now the workstations time out, so still no dhcp. But I am going to try again later with the router isolated to test whether something else is causing problems.
11-15-2017 08:22 AM
Rogue DHCP server. Someone had plugged in an Apple Airport device.
11-15-2017 08:23 AM
Hello
Yep, that would do it all the time.
If you have switches that support DHCP snooping then I suggest you enable it.
res
Paul.
11-16-2017 06:40 AM
Well, it winds up it was "A" problem but not "The" problem.
Tested this morning with the only network connection being a Win10 PC on FE0. No other network connections, including the WAN. DHCP timed out. Tried a wireless connection with the same PC. Error: not able to configure.
Connecting with a fixed IP works fine. Internet works and can connect to the router GUI interface.
As a reminder everything had been working at one time.
Here are a few "show" results in case they help:
C881#sh dhcp server
DHCP server: ANY (255.255.255.255)
Leases: 0
Offers: 0 Requests: 0 Acks : 0 Naks: 0
Declines: 0 Releases: 0 Query: 0 Bad: 0
Forcerenews: 0 Failures: 0
sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.1.101       0152.4153.2000.1e4f.    Nov 16 2017 09:25 AM    Automatic
                    2668.bd00.0000.0000.
                    00
C881#sh ip dhcp server statistics
Memory usage 40930
Address pools 1
Database agents 0
Automatic bindings 1
Manual bindings 0
Expired bindings 0
Malformed messages 0
Secure arp entries 0
Message Received
BOOTREQUEST 0
DHCPDISCOVER 2
DHCPREQUEST 282
DHCPDECLINE 0
DHCPRELEASE 2
DHCPINFORM 0
Message Sent
BOOTREPLY 0
DHCPOFFER 2
DHCPACK 11
DHCPNAK 271
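The statistics posted above show 282 DHCPREQUESTs but only 2 DHCPDISCOVERs, and 271 of those requests were NAKed: clients were broadcasting REQUESTs for leases this router never offered, which is exactly what a second (rogue) DHCP server on the segment looks like from the router's counters. As an added example (not from the original thread), here is a small parser for that "sh ip dhcp server statistics" output plus two heuristics that flag the pattern; the sample text is constructed from the counts in the post, and the 0.5 NAK threshold and the 10x REQUEST/DISCOVER factor are assumptions to tune per site:

```python
import re

# Constructed sample modelled on the "sh ip dhcp server statistics" output
# posted above; the counts are copied from that post, not from a live router.
SAMPLE = """\
Message              Received
BOOTREQUEST          0
DHCPDISCOVER         2
DHCPREQUEST          282
DHCPDECLINE          0
DHCPRELEASE          2
DHCPINFORM           0
Message              Sent
BOOTREPLY            0
DHCPOFFER            2
DHCPACK              11
DHCPNAK              271
"""

COUNTER = re.compile(r"^\s*([A-Z]+)\s+(\d+)\s*$")

def parse_dhcp_stats(text):
    """Return {'received': {...}, 'sent': {...}} keyed by DHCP message type."""
    stats = {"received": {}, "sent": {}}
    section = None
    for line in text.splitlines():
        if line.startswith("Message"):          # "Message Received" / "Message Sent"
            section = "received" if "Received" in line else "sent"
            continue
        m = COUNTER.match(line)
        if m and section:                       # only counter lines inside a section
            stats[section][m.group(1)] = int(m.group(2))
    return stats

def rogue_dhcp_indicators(stats, nak_ratio=0.5, request_factor=10):
    """Flag counter patterns that point at a second DHCP server on the segment."""
    rx, tx = stats["received"], stats["sent"]
    requests, naks = rx.get("DHCPREQUEST", 0), tx.get("DHCPNAK", 0)
    discovers, offers = rx.get("DHCPDISCOVER", 0), tx.get("DHCPOFFER", 0)
    findings = []
    # A rebooting/rebinding client broadcasts a REQUEST for the lease it holds;
    # the IOS server NAKs it when the address is not from its own pool, so a
    # high NAK share means clients hold leases this server never handed out.
    if requests and naks / requests >= nak_ratio:
        findings.append("most REQUESTs NAKed: clients hold leases from another server")
    # REQUESTs dwarfing DISCOVERs, with no more OFFERs than DISCOVERs, means the
    # clients never went through this server's DISCOVER/OFFER exchange at all.
    if requests > request_factor * max(discovers, 1) and offers <= discovers:
        findings.append("REQUESTs dwarf DISCOVERs/OFFERs: leases obtained elsewhere")
    return findings
```

Run it against a fresh "sh ip dhcp server statistics" capture after removing the rogue device: if the NAK counter keeps climbing, another server is still answering.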
11-16-2017 07:31 AM
PS - Also tried deleting the existing pool and creating a new one using CCP Express. No default checkboxes were changed. Still not working.
11-16-2017 02:37 PM
Hello
Okay, I am assuming we are talking about your LAN clients?
Do you have any switch attached to this rtr and if so how is it connected?
Res
Paul
11-17-2017 04:54 AM
As mentioned above there are two devices with a single network cable. The C881 and a PC. Nothing else. Network cable plugged into FE0. Tested with two different PCs. PCs have no problem getting DHCP info on a different network.