10-02-2024 11:00 AM
9800L-F running 17.12.02 in the Corp Data center. Large WAN sites connected via Cisco 8x00 SD-WAN devices. Small sites have S2S VPN connection to the corp datacenter using 3rd party Firewall. All remote sites APs are Flexconnected and registered to 9800L-F. The Guest SSID subnet lives in the Corp Datacenter and DHCP assigned by the data center core. Guest SSID uses MAC Auth and Web Auth w/ external redirect. The MAC auth is used for devices that can't display Web Auth splash page like ROKUs etc. Web Auth is for devices that can. Neither auth method is working for the S2S VPN clients.
So, the SD-WAN sites all work for Guest SSID. The sites that are connected with S2S VPN do not. The Guest clients at the VPN sites are stuck in IP Learn state.
So I took a debug and a PCAP on the 9800L-F. In the PCAP I see the DHCP Discover and the DHCP Offer for the failing client. The DHCP Offer does not make it back to the client.
I can't see any drops in the Firewall logs -- but I believe the traffic being inside the CAPWAP tunnel between the 9800 and the site's Flexconnected AP hides it from captures running on the Firewall.
TAC says it's the Firewall since the 9800 is seeing the DHCP traffic.
Anyone have ideas what the cause is or where to look next?
TIA
10-02-2024 11:22 AM
If it's FlexConnect then traffic does not pass to the WLC unless you use central DHCP.
MHM
10-02-2024 12:28 PM
All the remote SD-WAN flexconn sites get DHCP for Guest SSID. Central DHCP is activated in the Guest Policy. Plus, the pcap taken on the 9800-L-F clearly showed the DHCP Discover and Offer from the remote site's device trying to access Guest SSID. The device stays in IP Learn state.
10-02-2024 04:33 PM
You can do a packet capture at the WLC to see traffic going through it.
10-04-2024 05:06 PM
I have taken pcaps & debugs on the 9800. The device that uses MAC auth gets an IP but is still prevented from accessing the network despite being in Run state. The Firewall does complain about some Identity Awareness issue. I’m working with that 3rd party TAC on that issue. The other client uses Web Auth and I still see the DHCP Discover & Offer on the 9800. But the client is stuck in IP Learn and doesn’t get the IP address or display the login web page for the Guest network.
10-20-2024 04:46 AM
Did you make any progress on this?
It seems clear the problem must be the 3rd party firewall but it could also be an MTU and/or fragmentation issue.
Can't you do a pcap on the egress from the firewall to confirm the packets are leaving the firewall (or not)? As long as you don't have CAPWAP data encryption turned on you should be able to see all the packets in the CAPWAP data tunnel. If you do have CAPWAP data encryption turned on (pointless if you're running it over a VPN anyway) then turn it off for troubleshooting at least.
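An added example (not from any of the posters) for the fragmentation and CAPWAP-encryption points above: it builds and decodes the fixed RFC 5415 CAPWAP data header, then tries to reassemble fragments captured at each end of the tunnel, so an Offer whose second fragment never arrives shows up as an incomplete Fragment ID, and DTLS-encrypted data packets are counted as opaque. The packets are constructed samples, and the 8-octet unit for Frag Offset is an assumption noted in the code.

```python
import struct

FRAG_OFFSET_UNIT = 8  # assumed: RFC 5415 Frag Offset in 8-octet units (set 1 if your decoder shows raw bytes)

def build_capwap(payload, frag_id=0, frag_offset=0, fragment=False, last=True, dtls=False):
    """Build a CAPWAP data packet with the fixed 8-byte RFC 5415 header and no optional fields."""
    preamble = 0x01 if dtls else 0x00  # version 0; type 0 = CAPWAP header, type 1 = DTLS (encrypted)
    w0 = (preamble << 24) | (2 << 19) | (1 << 14) | (1 << 9)  # HLEN=2 words, RID=1, WBID=1 (802.11)
    w0 |= (int(fragment) << 7) | (int(last) << 6)  # F and L bits
    w1 = (frag_id << 16) | ((frag_offset // FRAG_OFFSET_UNIT) << 3)
    return struct.pack("!II", w0, w1) + payload

def parse_capwap(pkt):
    """Decode the fixed CAPWAP header; the payload starts at HLEN * 4 bytes."""
    w0, w1 = struct.unpack("!II", pkt[:8])
    hlen = ((w0 >> 19) & 0x1F) * 4
    return {"dtls": ((w0 >> 24) & 0x0F) == 1,
            "fragment": bool((w0 >> 7) & 1), "last": bool((w0 >> 6) & 1), "frag_id": w1 >> 16,
            "frag_offset": ((w1 >> 3) & 0x1FFF) * FRAG_OFFSET_UNIT, "payload": pkt[hlen:]}

def reassemble(packets):
    """Return (complete payloads, Fragment IDs that never completed, number of DTLS-encrypted packets)."""
    groups, complete, dtls = {}, [], 0
    for pkt in packets:
        h = parse_capwap(pkt)
        if h["dtls"]:
            dtls += 1  # encrypted data channel: nothing inside is visible to the capture
        elif not h["fragment"]:
            complete.append(h["payload"])
        else:
            groups.setdefault(h["frag_id"], {})[h["frag_offset"]] = (h["payload"], h["last"])
    incomplete = []
    for fid, frags in groups.items():
        data, pos, done = b"", 0, False
        while pos in frags and not done:  # walk contiguous offsets until the L=1 fragment
            chunk, done = frags[pos]
            data, pos = data + chunk, pos + len(chunk)
        if done:
            complete.append(data)
        else:
            incomplete.append(fid)  # a fragment was lost on the path, so the AP never delivers the frame
    return complete, sorted(incomplete), dtls

# Constructed sample: a short Discover and a 320-byte Offer that the WLC sent as two fragments (ID 7).
DISCOVER = b"DHCPDISCOVER" + b"\x00" * 20
OFFER = b"DHCPOFFER" + b"\x00" * 311
WLC_SIDE = [build_capwap(DISCOVER),
            build_capwap(OFFER[:160], frag_id=7, frag_offset=0, fragment=True, last=False),
            build_capwap(OFFER[160:], frag_id=7, frag_offset=160, fragment=True, last=True)]
AP_SIDE = WLC_SIDE[:2]  # what reaches the AP when the VPN path drops the second fragment
```

Run `reassemble` on the WLC-side capture and on the firewall-egress or AP-side capture and compare the incomplete IDs; a Fragment ID that completes on one side and not the other points at the VPN path rather than the WLC.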