New here - and far from an expert on Cisco APs.
I have a strange issue, and I cannot figure out why it happens or how to avoid it.
I have 2 APs with the same configuration. They work fine for some days - but out of nowhere I get 2 issues:
1: Existing connected clients get no access to the VLAN nor to the internet. So they are connected but get nowhere... Reconnecting gets you nowhere as well.
2: If a new client tries to connect it cannot.
I first thought it might be the router that somehow cut the connection, or that the DHCP service had failed. Now I have replaced the router - and the problem persists. So I am confident that the APs are causing the issue.
One AP is an Air Lap 1142 and the other is a 3520.
Below is the configuration. Hope someone can help me locate what I have done wrong... Any help is greatly appreciated
!
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Redahama1142
!
logging rate-limit console 9
enable secret 5 #removed#
!
no aaa new-model
no ip source-route
no ip igmp snooping
no ip cef
no ip domain lookup
!
dot11 mbssid
dot11 pause-time 100
no dot11 igmp snooping-helper
dot11 syslog
!
dot11 ssid WiFi
   vlan 1
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 #removed#
!
dot11 ssid WiFi2
   vlan 1
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 #removed#
!
no ipv6 cef
!
crypto pki trustpoint TP-self-signed-1205840335
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1205840335
 revocation-check none
 rsakeypair TP-self-signed-1205840335
!
crypto pki certificate chain TP-self-signed-1205840335
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
username Cisco password 7 #removed#
username ADMIN privilege 15 secret 5 #removed#
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers aes-ccm tkip
 !
 broadcast-key vlan 1 change 500
 !
 ssid WiFi2
 !
 antenna gain 0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
 no ip route-cache
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers aes-ccm tkip
 !
 broadcast-key vlan 1 change 500
 !
 ssid WiFi
 !
 antenna gain 0
 peakdetect
 dfs band 3 block
 channel 5320
 station-role root
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.2
 no ip route-cache
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 mac-address #removed#
 ip address dhcp
 no ip route-cache
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
!
ip forward-protocol nd
ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
bridge 1 route ip
!
line con 0
line vty 0 4
 login local
 transport input all
!
end
Do these APs connect to a Cisco switch? What does the switchport configuration look like? (show run interface gx/x output)
Can you ping the AP management IP address from your network?
If you do not need multiple VLANs, I would try this simple configuration on one of your APs. With this configuration you can connect your AP to any switch port that is enabled for DHCP (irrespective of managed vs unmanaged switches).
dot11 ssid <SSID_NAME>
authentication key-management wpa version 2
wpa-psk ascii <SSID_PASSWORD>
encryption mode ciphers aes-ccm
channel width 40-above
encryption mode ciphers aes-ccm
ip address dhcp
*** Pls rate all useful responses ***
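For comparing the two APs against the simplified suggestion above, here is an added example (not from the thread or from Cisco): a small Python parser that reads an autonomous-AP running-config and reports, per radio, the cipher list, whether encryption is VLAN-scoped, and the bound SSIDs. The sample text is constructed in the shape of the posted config, and the function names are hypothetical.

```python
import re

# Constructed sample: stanzas in the shape of the running-config posted above.
SAMPLE = """\
dot11 ssid WiFi
   vlan 1
   authentication key-management wpa version 2
!
interface Dot11Radio0
 encryption vlan 1 mode ciphers aes-ccm tkip
 ssid WiFi2
!
interface Dot11Radio1
 encryption mode ciphers aes-ccm
 ssid WiFi
"""

def parse_sections(text):
    """Group indented sub-commands under their unindented parent line."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "!":
            continue  # skip blanks and IOS comment separators
        if line[0].isspace():
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line.strip()
            sections[current] = []
    return sections

def radio_summary(text):
    """Per physical radio: cipher list, encryption VLAN (or None), bound SSIDs."""
    out = {}
    for head, body in parse_sections(text).items():
        m = re.fullmatch(r"interface (Dot11Radio\d+)", head)  # skips subinterfaces
        if not m:
            continue
        info = {"ciphers": [], "vlan": None, "ssids": []}
        for cmd in body:
            enc = re.fullmatch(r"encryption (?:vlan (\d+) )?mode ciphers (.+)", cmd)
            if enc:
                info["vlan"], info["ciphers"] = enc.group(1), enc.group(2).split()
            elif cmd.startswith("ssid "):
                info["ssids"].append(cmd.split(None, 1)[1])
        out[m.group(1)] = info
    return out

def differs_from_suggestion(info):
    """True when a radio is not the plain 'encryption mode ciphers aes-ccm' form."""
    return info["vlan"] is not None or info["ciphers"] != ["aes-ccm"]
```

Running `radio_summary` on the output of `show running-config` from each AP shows at a glance which radios still carry the VLAN-scoped, mixed `aes-ccm tkip` setting rather than the single-VLAN AES-only form.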
The LAP 1142 by default requires a WLC, and once it links you can't console into it and do much anymore.
The 3520? How about a CAP3502? That also requires a WLC.
Once the AP receives its IP, it reaches out to the WLC and establishes a DTLS tunnel that terminates in the WLC.
It is the WLC that passes traffic to the target interface (VLAN) assigned to an SSID.
Now if these have been converted to autonomous, then yes, you COULD configure via CLI, but most of us do it via the AP's GUI. It does such nice magic.
Thanks for the test config - I will give it a go.
The APs used to be connected to an ASA5505, but for the sake of troubleshooting I have replaced it with a simple NetGear router I had lying around. The problem persisted when using the APs. I have then put in an old Linksys WAP300N I had, and that has been working flawlessly since I started it.
So I am confident that there is something in the config of the APs that is invalid.