Re: Catalyst 9800 dhcp issue

stefxoxo · ‎07-12-2021

Hi,

Our deployment is currently composed by:

- Catalyst 9800-40 release Amsterdam 17.3.3 (upgrade performed from the default version 16.12.02s) - Access Point 9120AX

We are not allowed to configure the helper address on the Gateway (Firewall Checkpoint).

During the test phase the following problem has been checked: issue with the IP release for the Clients connected to the new AP 9120 AX in local mode (no flexconnect central switching/local).

We configure :

Interface vlan 222

description management_plane

ip address y.y.y.y

interface vlan 111

description dataplane

ip address x.x.x.x

ip helper-address x.x.x.x

ip dhcp relay source-interface vlan 222

ip route 0.0.0.0 0.0.0.0 y.y.y.1

Do we have to configure something else ? the client don't receive the ip address .

Thank you

balaji.bandi · ‎07-12-2021

First, i would check is the DHCP Server reachable using VLAN 222?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

.Jaidev Hattiangadi. · ‎07-12-2021

Check at what stage of DHCP are the clients in. Does the DISCOVER go through? if yes, are the OFFERs coming in?

Then check if the server is even getting the DISCOVERs

Cheers!

stefxoxo · ‎07-12-2021

Hi,

the dhcp is pingable from the vlan 222, the firewall do not drop the dhcp request. Yes the discover go through, but we do not have the response back from the dhcp. We need to define option 82 ?

Us i told we can't configure the ip helper address on the DG, and we try to set the helper on the wlc. This configuration is not well documented from cisco.

Thx

stefxoxo · ‎07-14-2021

We try to set the ip add dhcp on the svi and we received this error:

CAT9800(config-if)#%Unknown DHCP problem.. No allocation possible
Jul 14 07:08:45.117: DHCP: Waiting for 5 seconds on interface Vlan111

tHX

Rich R · ‎07-13-2021

We are using ip helper-address on the client vlan interface and it's working.

Just remember this is effectively an IOS-XE router now so the traffic must be able to route both ways, which also means you need the right security (ACLs) in place. Note this is not the Cisco recommended approach (they'd rather you do that on the next hop switch/router) but it works.

Note we are *not* using ip dhcp relay source-interface because when the packet is routed to the DHCP server out of your vlan 222 (following the routing table) it will pick up the outgoing interface IP by default.

Try without the relay source-interface command?

And do packet captures on the DHCP server and the 9800 (vl222) to see what is getting sent and received on each so you'll quickly see where it's getting lost.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

stefxoxo · ‎07-13-2021

We tested with and without ip dhcp relay source xx, we tested with vrf and static route on data vlan but the documentation say that is not supported.

Maybe this is a bug or we forgot some commands. With a static IP all works.

Last things to do is a packet capture..the dhcp is a MS server

How is it possible that i'm the only one who found this problem ? The old wlc (aireos)work perfecly on the same vlan !!

maybe there is a problem with the dhcp proxy feature...

Thx all

stefxoxo · ‎07-14-2021

We try to set ip add dhcp on the svi and we received the following error

wlc(config-if)#%Unknown DHCP problem.. No allocation possible
Jul 14 07:08:45.117: DHCP: Waiting for 5 seconds on interface Vlan111

Thx

Rich R · ‎07-14-2021

Why would you do that? I Wouldn't expect that to work at all. That's only for obtaining an IP from a DHCP server on the connected interface! The interface must have a static Ip to be able to relay.

Like I already said it *does* work. We have it working on 17.5.1 so maybe try that version.

> The old wlc (aireos)work perfecly on the same vlan !! maybe there is a problem with the dhcp proxy feature...

This is a completely new operating system and some things (like this) work differently so you have to redesign. AireOS proxied (and relayed) the DHCP, IOS-XE does not. Like it or not you need to make it work with the new approach. There is no DHCP proxy feature on the 9800 WLC.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

stefxoxo · ‎07-14-2021

from cisco document the dhcp proxy is supported on cat9800. or this doc is wrong....

Rich R · ‎07-14-2021

I may be wrong about the proxy feature or somebody has confused proxy and relay as being the same ...

Only way to be sure is open a TAC case and get TAC to query with the BU.

If it's a mistake in the doc then they'll fix the doc not the code.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

stefxoxo · ‎07-14-2021

From the release notes the 17.5.1 seems that do not support AP 2700, for us this is a problem...

Thx

Rich R · ‎07-14-2021

It was always made clear that the AC Wave 1 APs (including 2700) would have limited support on 9800. That's because of their end of life dates and we've all had plenty of time to prepare for that: https://www.cisco.com/c/en/us/products/collateral/wireless/aironet-2700-series-access-point/eos-eol-notice-c51-740711.html

"End of SW Maintenance Releases Date HW: The last date that Cisco Engineering may release any final software maintenance releases or bug fixes. After this date, Cisco Engineering will no longer develop, repair, maintain, or test the product software. April 29, 2020"

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

stefxoxo · ‎07-14-2021

from the relase notes of 17.5.1 ...

Dhcp relay behaviour

This feature aligns the setting of DHCP relay parameters, such as, Gateway IP address, Option 82, and DHCP server address with the Cisco AireOS behaviour.

Rich R · ‎07-14-2021

But the routing is still different to the way AireOS works.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs