
Clients on Guest WLAN Losing Layer 3 Connectivity

s.clinard
Level 5

Hello NetPro gurus!

I am currently troubleshooting an issue we are having with our Guest (completely open) WLAN in which it seems certain clients are losing their layer 3 connectivity while staying 'connected' to the LWAP(s). These certain clients lose their layer 3 configuration and are not able to access internal or external resources until they disable/enable their wireless connection.

I specifically have this problem, and it's only on the Guest WLAN that this occurs. I am using a Lenovo T61 with an Intel 4965AG internal wireless chipset. I know this chipset is relatively new and I have tried multiple drivers, all with the same result. Not all machines have this issue. MacPro laptops do not seem to have this issue nor do machines with Intel Pro 2200BG chipsets. I tested with a Netgear PCMCIA card and did not have this issue either.

Here's some more background information:

We have 5 WLCs (2 WiSM blades each in a Catalyst 6509 and 1 WLC 4402) and 7 WLANs. The 4 WiSM controllers have each WLAN configured on it, and the 4402 WLC only knows about one Guest wireless network (it is a completely open WLAN i.e. no security). This is the particular network we see this issue with. We have approximately 200 LWAP 1131AG's (47 in one building, 154 in another) all broadcasting the Guest SSID. Our server core Catalyst 6509's each have separate VLANs (with Port-channels in them) for the WiSM blades. The Guest WLC 4402 is in the DMZ in its own VLAN. Each WLC is providing DHCP for each of the WLANs.

The issue that seems to be occurring is the fact that during our troubleshooting I lose all layer 3 connectivity. I continue to stay "connected" to the AP and signal strength is excellent however my continuous pings to the Guest WLC (192.168.0.x network) time out and I cannot get out to the Web. I noticed the following error on my laptop (Lenovo T61 w/ an Intel 4965AG wireless chipset) in the system event viewer:

Description:

The system detected that network adapter Intel(R)...Link 4965AG - Packet Scheduler Miniport was disconnected from the network, and the adapter's network configuration has been released. If the network adapter was not disconnected, this may indicate that it has malfunctioned. Please contact your vendor for updated drivers.

This occurred at the exact time I lost my layer 3 connectivity. A co-worker and I did some research and determined that this was exactly one half of the way through my 1-hour DHCP lease from the Guest WLC (the 4402). The DHCP leases are set to expire at 1 hour as we have a lot of clients on the Guest WLAN that come and go and only have one network configured for the Guest WLAN w/ 229 available IP's to be handed out. We were wondering if it was an issue with the DHCP renewal process from the WLC. This does not occur on the Internal WLANs configured with strict authentication security.

We tested with a few machines, such as an Apple laptop, an older laptop with an Intel Pro 2200BG chipset, and even my same laptop with a Netgear PCMCIA WiFi card none of which exhibited this problem. Connectivity at layer 3 was not interrupted. I have tried multiple drivers as well, all with the same result.

Now, we are not sure if it is an issue with the WLC itself or a chipset issue. The Intel 4965AG chipset is rather new but we have a lot of WLAN clients with this chipset on the network. That also doesn't explain why this issue ONLY occurs on the Guest WLAN.

We were thinking of placing a small DHCP server on the network to take over DHCP responsibilities from the Guest WLC to see if that makes a difference. Another idea we had was to increase the DHCP scope to two Class B networks (191.168.0.0 - 191.168.1.255 /23 to give us 510 hosts so we can extend the DHCP lease time).

I plan on doing further testing today by placing a few more machines on the Guest WLAN with multiple chipsets and taking note of which ones exhibit the problem.

Any and all help is MUCH appreciated. Thanks!

Shane


What IP addresses are the WLCs and the guest WLC? Also, what are their dynamic interface and VIP?

-Scott
*** Please rate helpful posts ***

10.1.254.150 is the local WLC.

10.2.254.150 is the guest WLC.

The dynamic interface is 10.99.0.1 and the SVI on the 6509 is 10.99.1.254.

Okay, well you have a local controller in your inside network (10.1.254.150) and your port 1 on the guest controller is on your internal network also (10.2.254.150), but your port 2 is on the DMZ and is only being used by your guest ssid and the dynamic interface you created for it.

Do you have symmetric tunneling enabled on both the local and guest controllers?

Is your Guest WLAN SSID configured exactly the same and both are set on the management interface?

Your guest WLC WLAN SSID is only configured for port 2 and not a backup of port 1?

Mobility group is configured and you can eping and mping both ways?

The virtual ip and mobility group name is the same or different between the local and guest wlc's?

What code are you running on both now?

-Scott
*** Please rate helpful posts ***

Made a mistake... the local WLAN guest SSID is mapped to the management interface and you create an anchor to the guest, and on the guest WLAN SSID you have that mapped to the dynamic interface that is using port 2.

-Scott
*** Please rate helpful posts ***

Yes, you have a correct understanding of the setup.

I do not have symmetric tunneling enabled (unless that is enabled by default, but I don't think it is). Is that required? I couldn't gain a good understanding from documentation on what that provided for this architecture.

The guest WLC wlan ssid is only conf'd for port 2 - not a backup for port 1.

Mobility groups appear up, eping and mping is OK in both directions.

The virtual IP is the same on all controllers (4.4.4.4)

The local controllers are NOT the same mobility group as the anchor controller, although this should not be a requirement as far as I know.

5.1.151 is on all controllers now.

To clarify - the guest network works initially - it's just after a random amount of time (anywhere from 10 - 20 minutes) the DHCP required state comes back, and with web auth enabled requires a refresh of accepting the web auth screen.

Is the WLAN set up for DHCP required on both the local and the guest WLC? I just wanted to verify that both WLCs are either set up for symmetric tunneling or not. Looks like the WLC is not allowing the client on the network because DHCP required is checked. Since the client seems to keep the IP and not renew for some reason, the WLC stops client traffic.

-Scott
*** Please rate helpful posts ***

The DHCP config is only on the Anchor side - it does not need to be configured on the local WLCS side.

I've just looked under the Controller/Mobility Anchor config and Symmetric mobility tunneling mode is DISABLED on both sides.

Okay, but on the guest wlan ssid, do you have dhcp required unchecked on both the local and the guest controller?

-Scott
*** Please rate helpful posts ***

Yes, that is unchecked so I can do testing with statically assigned clients.

Do you think it should be checked ?

No... you should keep that unchecked, just makes it simpler for clients to connect. The error message shows that dhcp required is checked, which is weird, because you do not have it checked. The wlc seems to think that is checked for some reason. Try to delete the ssid and recreate it on both the local and guest wlc.

-Scott
*** Please rate helpful posts ***

I was hoping it was checked - but it is unchecked on all of my controllers.

I will attempt rebuilding on new controllers - but this problem is consistent across 4 different local controllers in Raleigh and Atlanta where the problem is present.

The Anchor is at a hosted datacenter in North Carolina. The WAN links are 100mb, with less than 40ms latency.

Do I need symmetric tunneling enabled?

You don't need it, but if you do, then you will have to enable that on all WLCs in the mobility group and reboot the WLCs. Is there a lot of roaming when this happens?

-Scott
*** Please rate helpful posts ***

No roaming. I can reproduce the issue with the laptops sitting next to me in the office.

It seems like Brian's issue and my issue are a little different, however I am thinking that mine might be due to the fact that symmetric mobility tunneling is not enabled. Here's why: When we implemented an external DHCP server on the 192.168.0.0 /24 network (Guest WLAN network), we saw the DHCP server responding to the requests but never saw client acknowledgements accepting the DHCP information. I am thinking this is because the firewall sees the source IP not matching the subnet on which the packets are received (the firewall). I was looking at a WLC document which outlined the following:

You should also enable symmetric mobility tunneling if a firewall installation in the client packet path may drop the packets whose source IP address does not match the subnet on which the packets are received.

Well.. to complete a nice happy ending to my saga.. BUG FOUND!

I opened a TAC case and we came to this conclusion.

In the Advanced settings of the WLAN there is a client time-out default of 1800 seconds.

The clients were dis-associating due to inactivity according to the sniffer traces, causing the dhcp process to kick off and the web_auth reqd state.

We set this down to 60 seconds and watched it over and over..

I have now set it to the max allowed of 65535 (18 hours) as a workaround.

Cisco admitted there are bugs when setting this to 0, so they suggest the 65535.

Hope this info helps some of you out!!
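The thread narrows the cause by changing one timer and watching whether the drop interval follows it. The sketch below is an added example, not code from any poster or from Cisco: it checks observed drop times against the DHCP T1/T2 defaults from RFC 2131 and the WLAN client timeout. All names and sample observations are constructed, and it assumes the lease starts at association.

```python
from dataclasses import dataclass

@dataclass
class Drop:
    lease_s: int            # DHCP lease length handed to the client
    idle_timeout_s: int     # WLAN client timeout configured on the controller
    last_activity_s: float  # seconds after association of the client's last traffic
    drop_s: float           # seconds after association when layer 3 was lost

def candidate_timers(d):
    """Moments at which each timer would fire (assumption: lease starts at t=0)."""
    return {
        "dhcp_t1_renew": 0.5 * d.lease_s,      # RFC 2131 default renewal time
        "dhcp_t2_rebind": 0.875 * d.lease_s,   # RFC 2131 default rebinding time
        "lease_expiry": float(d.lease_s),
        "wlan_idle_timeout": d.last_activity_s + d.idle_timeout_s,
    }

def matching_timers(d, tolerance_s=15.0):
    """Timers whose firing time lies within tolerance of the observed drop."""
    timers = candidate_timers(d)
    return sorted(n for n, t in timers.items() if abs(d.drop_s - t) <= tolerance_s)

def diagnose(drops, tolerance_s=15.0):
    """Timers that explain every observed drop (intersection across tests)."""
    common = None
    for d in drops:
        found = set(matching_timers(d, tolerance_s))
        common = found if common is None else common & found
    return sorted(common or [])

# Constructed observations, not data from the thread.
SAMPLES = [
    # 1-hour lease with the 1800 s default: T1 and idle timeout coincide.
    Drop(lease_s=3600, idle_timeout_s=1800, last_activity_s=0, drop_s=1802),
    # Timeout lowered to 60 s: the drop follows the idle timer, not the lease.
    Drop(lease_s=3600, idle_timeout_s=60, last_activity_s=0, drop_s=61),
    Drop(lease_s=3600, idle_timeout_s=60, last_activity_s=240, drop_s=301),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.drop_s, matching_timers(s))
    print("explains all drops:", diagnose(SAMPLES))
```

With a 1-hour lease and the 1800-second default the two timers are indistinguishable, which is why a single observation is not enough and one of the two values has to be changed.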
