Multiple IP address on single Access point

zeljkosan
Level 3

Hello team, I have a weird problem on a few access points connected to an L3 switch.

This is the situation:

The L3 switch is the DHCP server for a few access points connected directly to it.

ip dhcp pool VLAN75_WIFI_MGMT
network 10.2.75.0 255.255.255.0
default-router 10.2.75.1
option 43 hex f104.0a00.680a
dns-server 10.0.66.10 10.0.66.11
domain-name wr

with this exclusion: ip dhcp excluded-address 10.2.75.1 10.2.75.30

And on the port there is a MAC address (they are connected):

switch#show mac ad int Gi0/41
75 f44e.0581.027c DYNAMIC Gi0/41

But for that MAC address

switch#show arp | inc f44e.0581.027c
Internet 10.2.75.99 229 f44e.0581.027c ARPA Vlan75
Internet 10.2.75.96 239 f44e.0581.027c ARPA Vlan75
Internet 10.2.75.102 219 f44e.0581.027c ARPA Vlan75
+ at least 15 lines of different IP with same MAC

there is a large number of IP addresses. I pinged the broadcast address to find "alive" addresses in the subnet, and found

Reply to request 0 from 10.2.75.171, 1 ms
Reply to request 0 from 10.2.75.169, 1 ms
Reply to request 0 from 10.2.75.170, 1 ms
Reply to request 0 from 10.2.75.31, 1 ms

So practically there are only 4 addresses (and there should be 4 addresses, not more).

But in another iteration of pinging the broadcast address, I get different results:

Reply to request 0 from 10.2.75.174, 1 ms
Reply to request 0 from 10.2.75.173, 1 ms
Reply to request 0 from 10.2.75.172, 1 ms
Reply to request 0 from 10.2.75.31, 1 ms

 

Switch: WS-C3560G-48TS, Version/Image: 12.2(25)SEB4 C3560-IPBASE-M

AP: Cisco AIR-CAP1702I-E-K9, Version: Cisco IOS Software, C1700 Software (AP3G2-K9W8-M), Version 15.3(3)JD17

 

What could cause the problem? In "show logging" there is no info about the ports with APs.

 

Accepted Solution

Hi @zeljkosan - this is covered in the Field Notice 63942 (link below) - you simply need to follow all the steps in the field notice to resolve it: disable NTP, set date/time to before expiry, configure WLC to ignore expired certs, allow APs to join and get updated config (to ignore expired certs), then re-enable NTP.

BUT you will still be affected by Field Notice 72524 (link below) which you can only resolve by upgrading to 8.5.182.12 as I recommended in my previous reply.  That means any new AP which doesn't have the correct software version installed will need to be manually upgraded via CLI and TFTP because it will not be able to download from WLC.  That will also be the case if you upgrade to 8.5.182.12 because it is only resolved after the AP has been upgraded.

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390


14 Replies

Multiple IPs to the same MAC.

Is this MAC for an interface?

MHM

zeljkosan
Level 3

Hello, yes, this MAC is on an active port with an AP.

We have a controller (but in a different network), and I just read that these APs have problems regarding loss of power, which happened here.

So the only solution is to manually add the AP on the wireless controller.

 

Does this AP work as ME?

If yes, what you see is normal: a Wi-Fi client connects to the AP and gets an IP from DHCP, and the switch adds the MAC of the AP to the IP assigned to the Wi-Fi client.

MHM

@MHM Cisco World the AP model is 1700, so ME is out of the equation.
@zeljkosan how frequently are you seeing the APs change IP address? Do you have wireless clients as well on the same VLAN 75 where your APs are? Are these APs configured with static IP or DHCP? Is anything on this VLAN configured with a static IP?

There are two cases.

If the AP reboots, then it asks for an IP, so it has multiple IPs, but his ping test eliminates this.

He pinged the IPs and got replies, so the IP is assigned to an active host and it is not an AP reboot issue.

The other case is a host connected to the AP.

He can take a laptop, connect to the AP, and check if the laptop gets the same IP as what he sees in ARP.

Thanks 

MHM

 

@zeljkosan when you ping, do you get a reply from an IP mapped to the same MAC? Or do you get a reply from an IP other than that?

switch#show arp | inc f44e.0581.027c
Internet 10.2.75.99 229 f44e.0581.027c ARPA Vlan75
Internet 10.2.75.96 239 f44e.0581.027c ARPA Vlan75
Internet 10.2.75.102 219 f44e.0581.027c ARPA Vlan75
+ at least 15 lines of different IP with same MAC

If not the same IP, then your AP is rebooting.

Remember, a ping reply means the IP belongs to an active host.

If you ping and do not get a reply for the IPs (only one replies), then you have an AP reboot.

MHM

zeljkosan
Level 3

Hello guys, thanks for the tips.

For example, there is an AP connected to port 0/43, and this is its MAC:

switch#show mac ad int Gi0/43

Vlan Mac Address     Type Ports
---- ----------- -------- -----
75 f07f.06c0.3da0     DYNAMIC Gi0/43

show arp | inc f07f.06c0.3da0

Internet 10.2.75.194 71 f07f.06c0.3da0 ARPA Vlan75
Internet 10.2.75.197 61 f07f.06c0.3da0 ARPA Vlan75
Internet 10.2.75.203 42 f07f.06c0.3da0 ARPA Vlan75
Internet 10.2.75.200 51 f07f.06c0.3da0 ARPA Vlan75
Internet 10.2.75.206 32 f07f.06c0.3da0 ARPA Vlan75
Internet 10.2.75.209 23 f07f.06c0.3da0 ARPA Vlan75
Internet 10.2.75.215 3 f07f.06c0.3da0 ARPA Vlan75
Internet 10.2.75.212 13 f07f.06c0.3da0 ARPA Vlan75

+ many more lines with different IP but same MAC address

As there are many IPs, I pinged the broadcast address to check the live addresses in that subnet:

KBC-N020#ping 10.2.75.255

Reply to request 0 from 10.2.75.215, 1 ms
Reply to request 0 from 10.2.75.217, 1 ms
Reply to request 0 from 10.2.75.216, 1 ms
Reply to request 0 from 10.2.75.31, 1 ms

switch#show arp | inc f07f.06c0.3da0
Internet 10.2.75.194 74 f07f.06c0.3da0 ARPA Vlan75
Internet 10.2.75.155 199 f07f.06c0.3da0 ARPA Vlan75
Internet 10.2.75.215 7 f07f.06c0.3da0 ARPA Vlan75


switch#
switch#ping 10.2.75.215
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.75.215, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
switch#
switch#ping 10.2.75.194

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.75.194, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
switch#ping 10.2.75.155
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.75.155, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
switch#

 

So I also agree with MHM, I think they are rebooting all the time, and I would like to add them manually on the WLC controller, because I think that could prevent the reboot if I add them to the WLC.

 

Yes friend,

Since only one IP replies, the AP is rebooting, and this makes it ask for an IP each time.

I don't recommend connecting it to the WLC.

Try to check why it always reboots; maybe it is a PoE issue or the cable.

MHM

zeljkosan
Level 3

Hello, thanks for the help, I will check the tips you mentioned.

The switch is not PoE, the APs have a "normal" power supply.

zeljkosan
Level 3

Hello team,

We came to the conclusion that the APs are old, and there is a problem connecting them to the new WLC.

When I will have more info, I will post.

Br

Rich R
VIP

@zeljkosan you have not mentioned what the WLC model is.

We can deduce from the AP software version 15.3(3)JD17 that it's running AireOS 8.3.150.0 which means that it very likely supports, and should be running, 8.5.182.12.  If it's 3504/5520/8540 then it should be running 8.10.196.0.

There's a bug which affected some versions of AireOS which causes the APs to reload every few minutes if they can't ping the default gateway - so make sure your APs are allowed to ping their default gateway (this still applies to mesh APs) and that it's not being blocked by ACL or firewall.

What do you mean by "add them manually on wlc controler"?


 

This usually happens when the AP port is trunk/WGB or the switch is learning ARP from odd traffic. Make sure AP ports are ACCESS in VLAN 75 (no smartport macro, no trunk) and the AP is not in Workgroup-Bridge/Universal WGB mode — WGB makes many IPs map to the AP’s MAC (exact symptom you see).

On the 3560G (very old 12.2(25)SEB4), ARP can get “sticky.” Enable DHCP Snooping on VLAN 75 (trust only the uplink to the DHCP server) and DAI; then clear arp-cache. This will repopulate bindings only from valid DHCP.

If entries keep returning, upgrade the 3560G to a newer SE train (e.g., 12.2(55)SE/15.0(2)SE) — there are known ARP/gleaning quirks on the older code.
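The reply above recommends DHCP snooping and DAI, which in effect drop any ARP entry that no DHCP lease vouches for, and the earlier exchange (show mac address-table, show arp, broadcast ping) is a manual version of the same cross-check. The script below is an added example, not code from the thread or from Cisco: it parses constructed output in the same IOS formats quoted in the thread, groups ARP entries per MAC, classifies each MAC by how many of its IPs actually answered the broadcast ping (one live IP among many stale ones points at lease churn from a rebooting host; several live IPs behind one MAC points at a bridge/WGB, NAT device, or ARP spoofing), and lists the ARP entries a DAI binding check would reject. All addresses other than the AP MAC quoted in the thread are made up. One caveat worth noting before enabling snooping on this particular 3560G: the thread says the switch is itself the DHCP server, so there is no "uplink to the DHCP server" to mark trusted, and bridged clients (the multi-host case) would also fail the binding check.

```python
"""Triage a VLAN whose ARP table maps many IPs to one MAC (added example)."""
import re
from collections import defaultdict

# Constructed sample output, same layout as the IOS commands quoted in the thread.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.2.75.1               -   0011.2233.4455  ARPA   Vlan75
Internet  10.2.75.194            74   f07f.06c0.3da0  ARPA   Vlan75
Internet  10.2.75.155           199   f07f.06c0.3da0  ARPA   Vlan75
Internet  10.2.75.215             7   f07f.06c0.3da0  ARPA   Vlan75
Internet  10.2.75.31             12   aabb.cc00.0101  ARPA   Vlan75
Internet  10.2.75.40              5   aabb.cc00.0202  ARPA   Vlan75
Internet  10.2.75.120             9   ccdd.ee00.0303  ARPA   Vlan75
Internet  10.2.75.121             9   ccdd.ee00.0303  ARPA   Vlan75
"""
SHOW_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  75    f07f.06c0.3da0    DYNAMIC     Gi0/43
  75    aabb.cc00.0101    DYNAMIC     Gi0/41
  75    aabb.cc00.0202    DYNAMIC     Gi0/42
  75    ccdd.ee00.0303    DYNAMIC     Gi0/44
"""
# IOS prints the client ID as hardware type 01 + MAC, dotted every 4 hex digits.
SHOW_DHCP_BINDING = """\
IP address       Client-ID/              Lease expiration        Type
                 Hardware address/
10.2.75.215      01f0.7f06.c03d.a0       Jan 01 2024 12:00 AM    Automatic
10.2.75.31       01aa.bbcc.0001.01       Jan 01 2024 12:00 AM    Automatic
10.2.75.120      01cc.ddee.0003.03       Jan 01 2024 12:00 AM    Automatic
10.2.75.121      01dd.eeff.0004.04       Jan 01 2024 12:00 AM    Automatic
"""
PING_BROADCAST = """\
Reply to request 0 from 10.2.75.215, 1 ms
Reply to request 0 from 10.2.75.31, 1 ms
Reply to request 0 from 10.2.75.40, 1 ms
Reply to request 0 from 10.2.75.120, 1 ms
Reply to request 0 from 10.2.75.121, 1 ms
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ARP_RE = re.compile(rf"^Internet\s+(\S+)\s+(-|\d+)\s+({MAC})\s+ARPA\s+(\S+)", re.I)
MAC_RE = re.compile(rf"^\s*(\d+)\s+({MAC})\s+\S+\s+(\S+)", re.I)
BIND_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f.]+)\s", re.I)
PING_RE = re.compile(r"Reply to request \d+ from (\d+\.\d+\.\d+\.\d+)")


def parse_arp(text):
    """{mac: [(ip, age_minutes or None for the switch's own SVI, interface)]}"""
    by_mac = defaultdict(list)
    for m in filter(None, map(ARP_RE.match, text.splitlines())):
        ip, age, mac, intf = m.groups()
        by_mac[mac.lower()].append((ip, None if age == "-" else int(age), intf))
    return by_mac


def parse_mac_table(text):
    """{mac: port}; header and ---- lines fail the leading-VLAN-number match."""
    return {m.group(2).lower(): m.group(3)
            for m in filter(None, map(MAC_RE.match, text.splitlines()))}


def client_id_to_mac(cid):
    """Turn an IOS DHCP client ID (01 + MAC) back into dotted MAC form."""
    h = cid.replace(".", "").lower()
    if len(h) == 14 and h.startswith("01"):
        h = h[2:]
    return ".".join(h[i:i + 4] for i in range(0, 12, 4)) if len(h) == 12 else None


def parse_bindings(text):
    """{ip: mac} from 'show ip dhcp binding'."""
    return {m.group(1): client_id_to_mac(m.group(2))
            for m in filter(None, map(BIND_RE.match, text.splitlines()))}


def classify(ips, alive):
    """Many IPs on one MAC mean different things depending on how many answer."""
    if len(ips) <= 1:
        return "normal"
    if len(ips & alive) <= 1:
        return "churn"        # stale leases: host keeps re-requesting (reboot loop)
    return "multi-host"       # several live IPs behind one MAC: WGB/bridge/NAT or spoofing


def unbacked_arp_entries(arp, bindings):
    """(ip, mac) pairs with no DHCP lease for that MAC; DAI would drop these."""
    return sorted((ip, mac) for mac, entries in arp.items()
                  for ip, age, _ in entries
                  if age is not None and bindings.get(ip) != mac)


def analyse(arp_text, mac_text, binding_text, ping_text):
    """Per-MAC verdicts plus the list of ARP entries no lease vouches for."""
    arp, ports = parse_arp(arp_text), parse_mac_table(mac_text)
    alive = set(PING_RE.findall(ping_text))
    report = {}
    for mac, entries in arp.items():
        ips = {ip for ip, _, _ in entries}
        report[mac] = {"port": ports.get(mac), "ips": sorted(ips),
                       "alive": sorted(ips & alive), "verdict": classify(ips, alive)}
    return report, unbacked_arp_entries(arp, parse_bindings(binding_text))


if __name__ == "__main__":
    report, unbacked = analyse(SHOW_ARP, SHOW_MAC_TABLE, SHOW_DHCP_BINDING, PING_BROADCAST)
    for mac, info in report.items():
        print(f"{mac} on {info['port'] or 'local SVI'}: {info['verdict']:10s} "
              f"ips={info['ips']} alive={info['alive']}")
    print("ARP entries without a matching DHCP lease:", unbacked)
```

On the sample data the AP MAC comes out as "churn" (three ARP entries, only 10.2.75.215 answering), which is the pattern the thread ends up attributing to repeated AP reboots, while ccdd.ee00.0303 comes out as "multi-host" and its second IP lands in the unbacked list because the lease belongs to a different (bridged) client MAC.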

 

zeljkosan
Level 3

Hello team,

we found the problem in a certificate which was older than 10 years, so it refuses to start up the tunnel to the WLC (btw the WLC is a Cisco 5508).

After all, we agreed with the client that buying new APs will solve the problem, so they will buy new ones, as there is a new WLC as well (Cisco 9800 series).

Talking about this problem: https://www.wiresandwi.fi/blog/cisco-wlc-or-ap-device-certificate-expired-what-you-can-do

Br
