12-07-2010 12:32 AM - edited 07-03-2021 07:30 PM
Hi there
a customer of ours has the following situation:
3 (passive) clients <-> Catalyst 3560 <-> Aironet 1242 (WGB) < - - - - - - - - > Aironet 1242 (Root AAP) <-> LAN
they have configured the bridge x address yy:yy:yy:yy:yy:yy
from time to time (randomly), they cannot reach the 3 clients behind the WGB, even though they can ping them from the Cat 3560 and from the Aironet 1242 (WGB).
First of all, what could be the problem in this situation? If they set a port configuration of the Cat 3560 back to default and configure it again, it works for some hours, but then it is not reachable anymore. They already changed the switch and the AAPs, but nothing helped.
Does anyone have a solution for this?
12-07-2010 01:10 AM
When the problem happens, do you see the wired clients in "Show dot11 assoc" on the root AP ?
Do you have a static ARP configured on the infrastructure side maybe ?
Nicolas
===
Don't forget to rate answers that you find useful
12-07-2010 06:55 AM
I did not yet get the configuration from the customer, but as far I know they don't use any static ARP entries.
As soon as I have the configuration of the root-AP and the WGB I will post again.
12-07-2010 07:07 AM
It's a classic with passive clients behind the WGB.
Either the client doesn't appear in the show dot11 assoc of the root AP (and then it's the WGB who did not advertise it through IAPP to the root AP; the solution is the bridge command to force the presence of the client on the WGB),
or the client appears on the infrastructure but is unpingable because it is not replying to ARP. There comes the static ARP entry.
Try to pinpoint which situation you are in.
Cheers,
Nicolas
===
Don't forget to rate answers that you find useful
12-10-2010 04:27 AM
Hi Nicolas
what could be the problem, if the WGB does not advertise via IAPP?
Here are the configurations of the Root-AP, the WGB and the Switch (where the WGB is connected) -> I shortened the configuration (there are a lot more VLANs and SSIDs, but it is still long for a net pro post).
For me there are the following points on the WGB where it is not clear why they are configured (the configuration was made by another company):
1. the aaa groups are not needed on the WGB?
2. in my opinion, the dot11Radio 0.900 should not be configured as native VLAN?
Maybe you see any other problems.
Root-AP
*********
aaa new-model
!
!
aaa group server radius rad_eap
server x.x.x.x auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
server x.x.x.x auth-port 1645 acct-port 1646
!
aaa group server radius rad_acct
server x.x.x.x auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 vlan-name Data_WPA_PSK vlan 900
!
dot11 ssid VLAN900
vlan 900
authentication open
authentication key-management wpa
wpa-psk ascii 7 xxx
!
dot11 wpa handshake timeout 500
dot11 ids mfp detector
dot11 network-map
power inline negotiation prestandard source
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 900 mode ciphers tkip
!
ssid VLAN900
!
speed basic-1.0 basic-2.0 5.5 11.0
no power client local
power client 14
power local cck 14
power local ofdm 14
no preamble-short
channel 2437
station-role root
rts threshold 2312
!
interface Dot11Radio0.900
encapsulation dot1Q 900
no ip route-cache
bridge-group 50
bridge-group 50 subscriber-loop-control
bridge-group 50 block-unknown-source
no bridge-group 50 source-learning
no bridge-group 50 unicast-flooding
bridge-group 50 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
speed 100
full-duplex
!
interface FastEthernet0.900
encapsulation dot1Q 900
no ip route-cache
bridge-group 50
no bridge-group 50 source-learning
bridge-group 50 spanning-disabled
!
interface BVI1
ip address x.x.x.x x.x.x.x
no ip route-cache
!
ip default-gateway x.x.x.x
ip http server
ip http access-class 2
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 2 remark Telnet_Zugriff
access-list 2 permit x.x.x.x x.x.x.x
radius-server attribute 32 include-in-access-req format %h
radius-server dead-criteria tries 2
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 xxx
radius-server retransmit 2
radius-server deadtime 1
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
sntp server x.x.x.x
WGB
******
aaa new-model
!
!
aaa group server radius rad_eap
server x.x.x.x auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
server x.x.x.x auth-port 1645 acct-port 1646
!
aaa group server radius rad_acct
server x.x.x.x auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
ip dhcp pool xxx
!
!
dot11 vlan-name Data_WPA_PSK vlan 900
!
dot11 ssid VLAN900
vlan 900
authentication open
authentication key-management wpa
wpa-psk ascii 7 xxx
!
dot11 ids mfp detector
dot11 network-map
power inline negotiation prestandard source
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 900 mode ciphers tkip
!
ssid VLAN900
!
speed basic-1.0 basic-2.0 5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
power local 2
power client 14
no preamble-short
station-role workgroup-bridge
!
interface Dot11Radio0.900
encapsulation dot1Q 900 native
no ip route-cache
bridge-group 1
!
interface FastEthernet0
no ip address
no ip route-cache
speed 100
full-duplex
bridge-group 1
!
interface BVI1
ip address x.x.x.x
no ip route-cache
!
ip default-gateway x.x.x.x
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 2 permit any
radius-server attribute 32 include-in-access-req format %h
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 xxx
radius-server vsa send accounting
bridge 1 route ip
bridge 1 address yyyy.yyyy.yyyy forward FastEthernet0
bridge 1 address yyyy.yyyy.yyyy forward FastEthernet0
bridge 1 address yyyy.yyyy.yyyy forward FastEthernet0
!
sntp server x.x.x.x
Switch
********
aaa new-model
aaa group server tacacs+ tacacsgroup
server x.x.x.x
!
aaa authentication login default group tacacsgroup local-case
aaa authorization exec default group tacacsgroup local
aaa accounting exec default start-stop group tacacsgroup
aaa accounting commands 15 default start-stop group tacacsgroup
!
aaa session-id common
clock timezone MET 1
clock summer-time UTC recurring last Sun Mar 2:00 last Sun Oct 3:00
system mtu routing 1500
vtp domain mah
vtp mode transparent
ip subnet-zero
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 900,xxx-xxx
!
interface FastEthernet0/1
switchport access vlan 900
switchport mode access
speed 100
duplex full
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/2
switchport access vlan 900
switchport mode access
speed 100
duplex full
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/3
switchport access vlan 900
switchport mode access
speed 100
duplex full
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/4
switchport trunk encapsulation dot1q
switchport trunk native vlan 900
switchport trunk allowed vlan 900
switchport mode trunk
speed 100
duplex full
no mdix auto
spanning-tree portfast trunk
!
interface FastEthernet0/5
switchport access vlan 900
switchport mode access
speed 100
duplex full
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/6
switchport access vlan 900
switchport mode access
speed 100
duplex full
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/7
switchport access vlan 900
switchport mode access
speed 100
duplex full
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/8
switchport access vlan 900
switchport mode access
speed 100
duplex full
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/1
!
interface Vlan1
no ip address
no ip route-cache
!
interface Vlan900
ip address x.x.x.x x.x.x.x
no ip route-cache
!
ip default-gateway x.x.x.x
ip classless
no ip http server
!
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key 7 xxx
radius-server source-ports 1645-1646
!
control-plane
!
rtr 10
type echo protocol ipIcmpEcho x.x.x.x
request-data-size 128
owner Jnet
tag xxx
distributions-of-statistics-kept 5
statistics-distribution-interval 50
lives-of-history-kept 2
buckets-of-history-kept 5
filter-for-history all
rtr schedule 10 life forever start-time now
rtr 20
type echo protocol ipIcmpEcho x.x.x.x
request-data-size 128
owner Jnet
tag xxx
distributions-of-statistics-kept 5
statistics-distribution-interval 50
lives-of-history-kept 2
buckets-of-history-kept 5
filter-for-history all
rtr schedule 20 life forever start-time now
!
ntp clock-period 36029004
ntp server x.x.x.x prefer
Thanks a lot and regards
Dominic
12-10-2010 04:38 AM
- The aaa group config is not needed on the WGB, no. But it's apparently not needed on the root either because the ssid is PSK :-)
- Well, if there is only one ssid and if you put the subint 0.900 in bridge-group 1, what's the point of configuring vlans and bridge-groups?
The config would work the same if you did not specify any subinterface or vlan. The WGB and root AP would just forward everything untagged, not taking care of vlans.
So you could simplify the config a lot, and that is always a good thing too.
Nicolas
12-10-2010 04:48 AM
On the Root-AP there are a lot of other SSIDs with dot1x, so I cannot remove the aaa configuration for sure ;-)
> -Well, if there is only one ssid and if you put the subint 0.900 in bridge-group 1, what's the point of configuring vlans and bridge-groups ?
But because of the multiple VLANs on the Root-AP I need the subinterfaces on the WGB, right?
Thanks
Dominic
12-10-2010 04:52 AM
Ah if there is a hidden part of config, then yes.
The WGB doesn't need any aaa item for this SSID anyway.
The WGB should then not use native on its 0.900, but since it has dot11radio0.900, it would also benefit from a fastethernet0.900.
They are all in bridge group 1, but .... you never know.
12-10-2010 04:56 AM
OK that was what I wanted to hear ;-)
The following steps I will do on Tuesday:
1. Remove aaa config from WGB
2. Configure Dot11Radio 0.900 not as native
3. Configure Fa0.900
Maybe this helps to solve the passive client problem.
I will update the post again on Tuesday.
Thanks a lot Nicolas and have a nice weekend
Dominic
12-14-2010 04:29 AM
Hi Nicolas
we cannot configure the "infrastructure-client" because we do not have the SSID as native VLAN, so we are not allowed to configure "infrastructure-ssid".
Are there any other things to look at?
If we reconnect the cable to the switch, the client answers the echo requests, but then after a while it gets lost again.
Thanks
Dominic
12-14-2010 04:36 AM
Infrastructure-ssid makes no sense. If you read, you will see I never mentioned it :-)
My point was "is it the root AP losing the client in the association table?" (in which case the problem is between client and root AP).
Or is it the WGB who completely loses track of the client too? (show bridge x), in which case the problem is only between client and bridge. I would doubt this last one since you said you configured a static bridge entry on the WGB.
But I don't recall you mentioning the show dot11 assoc result.
Nicolas
12-14-2010 05:04 AM
Hi Nicolas
sorry for the stupid questions, but I really don't know it better ;-) I also mixed up the net pro topics because of the infrastructure-ssid.
I think it is a problem between the client and the root AP, because if we are on the switch or the WGB, we can always reach the clients behind the fa 0. But maybe this is completely wrong.
Here is the output of the WGB:
xxx#show dot11 associations
802.11 Client Stations on Dot11Radio0:
SSID [VLAN900] :
MAC Address       IP address      Device          Name    Parent   State
0017.0fdb.47a0    2.2.30.3        ap1240-Parent   yyy     -        Assoc

xxx#show dot11 associations al
Address           : 0017.0fdb.47a0     Name             : yyy
IP Address        : 2.2.30.3           Interface        : Dot11Radio 0
Device            : ap1240-Parent      Software Version : NONE
CCX Version       : 4                  Client MFP       : Off
State             : Assoc              Parent           : Our Parent
SSID              : VLAN900
VLAN              : 850
Hops to Infra     : 0                  Association Id   : 1
Tunnel Address    : 0.0.0.0
Key Mgmt type     : WPA PSK            Encryption       : TKIP
Current Rate      : 11.0               Capability       : WMM ShortSlot
Supported Rates   : 1.0 2.0 5.5 11.0
Voice Rates       : disabled
Signal Strength   : -66 dBm            Connected for    : 2113 seconds
Signal to Noise   : 32 dBm             Activity Timeout : 14 seconds
Power-save        : Off                Last Activity    : 1 seconds ago
Apsd DE AC(s)     : NONE
Packets Input     : 51935              Packets Output   : 20722
Bytes Input       : 7179273            Bytes Output     : 3417628
Duplicates Rcvd   : 0                  Data Retries     : 1448
Decrypt Failed    : 14770              RTS Retries      : 3
MIC Failed        : 0                  MIC Missing      : 0
Packets Redirected: 0                  Redirect Filtered: 0

xxx#show bridge 1
Total of 300 station blocks, 292 free
Codes: P - permanent, S - self
Bridge Group 1:
    Address       Action   Interface       Age   RX count   TX count
0017.9e00.2c08    forward  FastEthernet0     0       5140       9296
0016.477e.85c7    forward  Vi0.850           0      29929          1
001c.2325.0f41    forward  FastEthernet0     0       2573       2405
0017.9e00.257c    forward  FastEthernet0     P        322         11
0024.505e.dd41    forward  FastEthernet0     1       1733        815
0090.e814.1a87    forward  FastEthernet0     P         84         76
0000.0c07.ac00    forward  Vi0.850           2          2        874
0024.505e.dd09    forward  FastEthernet0     0       6043          5

xxx#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  2.2.136.161              -  0023.5e02.802c  ARPA   BVI1
Internet  2.2.136.191              6  0090.e814.1a87  ARPA   BVI1
Internet  2.2.136.182              6  0017.9e00.2c08  ARPA   BVI1
Internet  2.2.136.183             39  0017.9e00.257c  ARPA   BVI1
Internet  2.2.136.1                4  0000.0c07.ac00  ARPA   BVI1
Internet  2.2.136.2                6  0016.477e.85c7  ARPA   BVI1
Here is the output of the root AP. We are looking for 2.2.136.182, 2.2.136.183 and 2.2.136.191:
yyy#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  2.2.24.28                0  0016.477e.85c4  ARPA   BVI1
Internet  2.2.24.30                8  0000.0c07.ac00  ARPA   BVI1
Internet  2.2.30.3                 -  0018.1842.4806  ARPA   BVI1
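As an added example (not from this thread, not Cisco code), the comparison Nicolas asks for can be scripted: parse the WGB's show arp and show bridge output and the root AP's show arp output, then report for each wired client where visibility stops. The sample lines are constructed from the outputs quoted in this post; the status names are my own.

```python
import re
# Constructed sample outputs, trimmed from the "show arp" / "show bridge 1"
# listings quoted in this thread (same addresses and MACs as the post).
WGB_SHOW_ARP = """\
Internet  2.2.136.191   6   0090.e814.1a87  ARPA  BVI1
Internet  2.2.136.182   6   0017.9e00.2c08  ARPA  BVI1
Internet  2.2.136.183  39   0017.9e00.257c  ARPA  BVI1
"""
WGB_SHOW_BRIDGE = """\
0017.9e00.2c08  forward  FastEthernet0  0  5140  9296
0017.9e00.257c  forward  FastEthernet0  P   322    11
0090.e814.1a87  forward  FastEthernet0  P    84    76
"""
ROOT_SHOW_ARP = """\
Internet  2.2.24.28   0   0016.477e.85c4  ARPA  BVI1
Internet  2.2.30.3    -   0018.1842.4806  ARPA  BVI1
"""
MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+" + MAC, re.M)            # ip, mac
BRIDGE_RE = re.compile(r"^" + MAC + r"\s+forward\s+(\S+)\s+(\S+)", re.M)  # mac, ifc, age

def parse_arp(text):
    """{ip: mac} from 'show arp' output; header lines simply do not match."""
    return dict(ARP_RE.findall(text))

def parse_bridge(text):
    """{mac: (interface, age)} from 'show bridge'; age 'P' marks a static entry."""
    return {mac: (ifc, age) for mac, ifc, age in BRIDGE_RE.findall(text)}

def check_wired_clients(wgb_arp, wgb_bridge, root_arp, wanted_ips):
    """Per wired-client IP: (where visibility stops, WGB has static bridge entry)."""
    result = {}
    for ip in wanted_ips:
        mac = wgb_arp.get(ip)
        if mac is None:                        # WGB itself cannot resolve the client
            result[ip] = ("unknown-on-wgb", False)
            continue
        entry = wgb_bridge.get(mac)
        static = entry is not None and entry[1] == "P"
        if entry is None:                      # problem is client <-> WGB
            result[ip] = ("not-in-wgb-bridge-table", False)
        elif root_arp.get(ip) == mac:
            result[ip] = ("ok", static)
        elif ip in root_arp:                   # root AP holds a stale mapping
            result[ip] = ("stale-mac-on-root", static)
        else:                                  # the symptom in this thread
            result[ip] = ("missing-on-root", static)
    return result

def run():
    return check_wired_clients(parse_arp(WGB_SHOW_ARP), parse_bridge(WGB_SHOW_BRIDGE),
                               parse_arp(ROOT_SHOW_ARP), ["2.2.136.182", "2.2.136.183", "2.2.136.191"])
```

Running it against the outputs above yields "missing-on-root" for all three clients, which points at the WGB-to-root side rather than the wired segment.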
12-14-2010 05:07 AM
Sounds like the WGB is not advertising the wired clients' presence via IAPP.
This would deserve some in-depth troubleshooting.
Maybe a TAC case is worth the effort?
12-14-2010 05:26 AM
Hi Nicolas
thanks for your kind help. I will discuss it with the customer, and I think I will go and open a TAC case.
Regards
Dominic
12-14-2010 09:32 AM
Hi Nicolas
We were able to find a "workaround", we just configured a static ARP with
arp x.x.x.x yyyy.yyyy.yyyy arpa on the L3 switch.
That's enough for the customer.
Thanks and regards
Dominic