07-18-2015 06:37 PM - edited 03-08-2019 01:01 AM
Dear Experts,
I am hoping for some assistance on an issue I am having on my network!
Background:
We have 3 VLANS and 15 Cisco Aironet 1141 APs (Autonomous)
Core Switch is a Cisco Catalyst WS-3750G-24PS
DHCP Server is Windows Server 2012 R2 on Vlan 1 192.168.10.2 (Also DNS server)
VLAN 1 = 192.168.10.1 255.255.255.0 SSID: Admin (lease 7 days) (This is our main wired network, only a couple devices on wifi)
VLAN 20 = 192.168.20.1 255.255.255.0 SSID Main (lease 7 days) (Main wireless network, about 60 devices on it, mainly iPads)
VLAN 30 = 192.168.30.1 255.255.255.0 SSID Main-Guest (lease 8 hours)
VLAN routing is working fine and when hard wired, IPs are pulling fast and are updated in Windows Server like normal.
I have 3 scopes created on the server. I have each scope's gateway set to the IP address of the VLAN 10.1, 20.1, 30.1 etc.
My problem is in the Wifi. Devices take several minutes to get an IP. Sometimes it will fail and get a 169 address and then you retry and it will work. Every now and then it will pull fast, but usually takes a while to renew. They roam very quickly from AP to AP once connected and when you do get an address it is fine for the duration of the lease. You can come back the next day and reconnect quickly, but once your lease expires and you renew, it's back to a couple minute wait to renew.
Any ideas?? I will include our core switch configuration.
Thanks
User Access Verification
Password:
Core>en
Password:
Core#show run
Building configuration...
Current configuration : 7695 bytes
!
! Last configuration change at 13:13:08 CDT Fri Jul 17 2015 by Cisco
! NVRAM config last updated at 13:40:05 CDT Fri Jul 17 2015 by Cisco
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname Core
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXXXX
enable password XXXXX
!
username cisco privilege 15 secret 5 XXXXX
no aaa new-model
clock timezone CST -6 0
clock summer-time CDT recurring
switch 1 provision ws-c3750g-24ps
system mtu routing 1500
ip routing
ip domain-name HIDDEN
!
!
!
!
crypto pki trustpoint TP-self-signed-2955339520
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2955339520
revocation-check none
rsakeypair TP-self-signed-2955339520
!
!
crypto pki certificate chain TP-self-signed-2955339520
certificate self-signed 01
quit
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
vlan access-map SecWiz 10
match ip address SecWiz_Gi1_0_1_out_ip
action forward
!
vlan filter SecWiz vlan-list 1,20,30,254
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
arp timeout 604800
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/2
switchport trunk encapsulation dot1q
switchport mode trunk
arp timeout 604800
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/3
switchport trunk encapsulation dot1q
switchport mode trunk
arp timeout 604800
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/4
switchport trunk encapsulation dot1q
switchport mode trunk
arp timeout 604800
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/5
switchport trunk encapsulation dot1q
switchport mode trunk
arp timeout 604800
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/6
switchport trunk encapsulation dot1q
switchport mode trunk
arp timeout 604800
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/7
switchport trunk encapsulation dot1q
switchport mode trunk
arp timeout 604800
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/8
switchport trunk encapsulation dot1q
switchport mode trunk
arp timeout 604800
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/9
switchport trunk encapsulation dot1q
switchport mode trunk
arp timeout 604800
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/10
switchport trunk encapsulation dot1q
switchport mode trunk
arp timeout 604800
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/11
switchport trunk encapsulation dot1q
switchport mode trunk
arp timeout 604800
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/12
switchport trunk encapsulation dot1q
switchport mode trunk
arp timeout 604800
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/13
switchport trunk encapsulation dot1q
switchport mode trunk
arp timeout 604800
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/14
switchport trunk encapsulation dot1q
switchport mode trunk
arp timeout 604800
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/15
switchport trunk encapsulation dot1q
switchport mode trunk
arp timeout 604800
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/16
switchport trunk encapsulation dot1q
switchport trunk native vlan 254
switchport mode trunk
arp timeout 604800
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/17
switchport trunk encapsulation dot1q
switchport mode trunk
arp timeout 604800
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/18
switchport trunk encapsulation dot1q
switchport trunk native vlan 254
switchport mode trunk
arp timeout 604800
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/19
switchport trunk encapsulation dot1q
switchport mode trunk
arp timeout 604800
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/20
switchport access vlan 254
switchport trunk encapsulation dot1q
switchport mode trunk
arp timeout 604800
!
interface GigabitEthernet1/0/21
switchport trunk encapsulation dot1q
switchport mode trunk
arp timeout 604800
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/22
switchport trunk encapsulation dot1q
switchport mode trunk
arp timeout 604800
!
interface GigabitEthernet1/0/23
switchport trunk encapsulation dot1q
switchport mode trunk
arp timeout 604800
!
interface GigabitEthernet1/0/24
switchport trunk encapsulation dot1q
switchport mode trunk
arp timeout 604800
!
interface GigabitEthernet1/0/25
arp timeout 604800
!
interface GigabitEthernet1/0/26
arp timeout 604800
!
interface GigabitEthernet1/0/27
arp timeout 604800
!
interface GigabitEthernet1/0/28
arp timeout 604800
!
interface Vlan1
ip address 192.168.10.1 255.255.255.0
arp timeout 604800
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip helper-address 192.168.10.2
arp timeout 604800
!
interface Vlan30
ip address 192.168.30.1 255.255.255.0
ip access-group 130 in
ip helper-address 192.168.10.2
arp timeout 604800
!
interface Vlan40
ip address 192.168.40.1 255.255.255.0
arp timeout 604800
!
interface Vlan254
ip address 192.168.254.1 255.255.255.0
arp timeout 604800
!
ip default-gateway 192.168.10.254
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.10.254
!
access-list 130 deny ip any 192.168.10.0 0.0.0.255
access-list 130 deny ip any 192.168.20.0 0.0.0.255
access-list 130 deny ip any 192.168.254.0 0.0.0.255
access-list 130 deny tcp any host 192.168.30.1 eq telnet
access-list 130 deny tcp any host 192.168.30.1 eq www
access-list 130 deny tcp any host 192.168.30.1 eq 8080
access-list 130 deny tcp any host 192.168.30.1 eq 443
access-list 130 deny tcp any host 192.168.30.1 eq 161
access-list 130 deny udp any host 192.168.30.1 eq snmp
access-list 130 permit udp any any eq bootps
access-list 130 permit ip 192.168.30.0 0.0.0.255 any
!
!
line con 0
line vty 0 4
password XXXXX
login
line vty 5 15
password XXXXX
login
!
mac address-table aging-time 604800 vlan 1
mac address-table aging-time 604800 vlan 20
mac address-table aging-time 604800 vlan 254
mac address-table aging-time 604800 vlan 30
end
07-19-2015 05:35 PM
Hi,
What code is running on the Access Points and on the 3750 Core switch? You have arp timeout and mac aging times configured. Was this to fix a particular problem?
Thanks
John
07-20-2015 07:43 AM
Thank you for the reply. I inherited some of these configurations so I'm not sure why ARP timeout and mac aging is on. Should they be off?
Below I have the configuration of one of the APs.
!
!
! Last configuration change at 12:05:33 CDT Fri Jul 17 2015
! NVRAM config last updated at 12:05:59 CDT Fri Jul 17 2015
! NVRAM config last updated at 12:05:59 CDT Fri Jul 17 2015
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname 01AP
!
!
logging rate-limit console 9
enable secret 5 $1$z.7/$XaypybO9dLlb.XTw7NjVd1
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
clock timezone CST -6 0
clock summer-time CDT recurring
no ip source-route
no ip cef
!
!
!
!
dot11 syslog
!
dot11 ssid Admin
vlan 1
authentication open
authentication key-management wpa version 2
wpa-psk ascii 7 HIDDEN
!
dot11 ssid Main
vlan 20
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 HIDDEN
!
dot11 ssid Main-Guest
vlan 30
authentication open
mbssid guest-mode
!
!
!
!
!
username CISCO password HIDDEN
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 20 mode ciphers aes-ccm
!
ssid Admin
!
ssid Main
!
ssid Main-Guest
!
antenna gain 0
mbssid
speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
!
interface Dot11Radio0.30
encapsulation dot1Q 30
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 spanning-disabled
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
!
interface Dot11Radio1
no ip address
!
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 20 mode ciphers aes-ccm
!
ssid Admin
!
ssid Main
!
ssid Main-Guest
!
antenna gain 0
peakdetect
dfs band 3 block
mbssid
speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
channel dfs
station-role root
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
!
interface Dot11Radio1.30
encapsulation dot1Q 30
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 spanning-disabled
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 spanning-disabled
no bridge-group 20 source-learning
!
interface GigabitEthernet0.30
encapsulation dot1Q 30
bridge-group 30
bridge-group 30 spanning-disabled
no bridge-group 30 source-learning
!
interface BVI1
mac-address 4c00.8206.529f
ip address 192.168.10.200 255.255.255.0
ipv6 address dhcp
ipv6 address autoconfig
!
ip default-gateway 192.168.10.1
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
length 0
transport input all
!
end
07-21-2015 04:13 AM
Hi,
The arp and mac address config could have been put in to fix a particular problem and can be left there.
Try upgrading the code on one AP as a test.
Thanks
John
07-27-2015 01:25 PM
I cleaned up the config a little bit and ensured portfast trunking was on and somewhere along the way it has been resolved. I can now pull an IP address almost instantly. Thank you for the reply!!!!
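Added example, not part of the original thread: a small check for the condition the last reply mentions, listing trunk ports in a `show run` dump that lack `spanning-tree portfast trunk`. The sample input is an excerpt of the switch config posted above, and the function names are illustrative.

```python
import re

# Excerpt of the core switch config posted above; the paste has no indentation.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/19
switchport trunk encapsulation dot1q
switchport mode trunk
arp timeout 604800
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/20
switchport access vlan 254
switchport trunk encapsulation dot1q
switchport mode trunk
arp timeout 604800
!
interface GigabitEthernet1/0/25
arp timeout 604800
"""

def interface_blocks(config):
    """Yield (name, commands) for each interface stanza of a show-run dump."""
    name, body = None, []
    for raw in config.splitlines():
        line = raw.strip()
        start = re.match(r"interface\s+(\S+)$", line)
        if start or line in ("!", ""):
            if name:
                yield name, body
            name, body = (start.group(1) if start else None), []
        elif name:
            body.append(line)
    if name:
        yield name, body

def trunks_without_portfast(config):
    """Return trunk ports that still wait out STP listening/learning on link-up."""
    missing = []
    for name, body in interface_blocks(config):
        is_trunk = "switchport mode trunk" in body
        # Matches "spanning-tree portfast trunk" and the later "portfast edge trunk".
        has_portfast = any(re.fullmatch(r"spanning-tree portfast( edge)? trunk", c) for c in body)
        if is_trunk and not has_portfast:
            missing.append(name)
    return missing

if __name__ == "__main__":
    for port in trunks_without_portfast(SAMPLE_CONFIG):
        print(f"{port}: trunk port without 'spanning-tree portfast trunk'")
```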