Passive Clients behind Workgroup Bridge (WGB)

Hi there

A customer of ours has the following situation:

3 (passive) clients <-> Catalyst 3560 <-> Aironet 1242 (WGB) < - - - - - - - - > Aironet 1242 (Root AP) <-> LAN

They have configured "bridge x address yy:yy:yy:yy:yy:yy".

From time to time (at random), they cannot reach the 3 clients behind the WGB, even though they can ping them from the Cat 3560 and from the Aironet 1242 (WGB).

First of all, what could be the cause of this situation? If they set the port configuration of the Cat 3560 back to default and configure it again, it works for some hours, but then the clients are not reachable anymore. They already changed the switch and the APs, but nothing helped.

Does anyone have a solution for this?

1 Accepted Solution


Sounds like the WGB is not advertising the wired clients' presence via IAPP.

This would deserve some in-depth troubleshooting.

Maybe a TAC case is worth the effort?


14 Replies

Nicolas Darchis
Cisco Employee

When the problem happens, do you see the wired clients in "show dot11 assoc" on the root AP?

Do you have a static ARP configured on the infrastructure side, maybe?

Nicolas

===

Don't forget to rate answers that you find useful

I did not yet get the configuration from the customer, but as far as I know they don't use any static ARP entries.

As soon as I have the configuration of the root-AP and the WGB I will post again.

It's a classic with passive clients behind the WGB.

Either the client doesn't appear in the show dot11 assoc of the root AP (in that case it's the WGB that did not advertise it through IAPP to the root AP; the solution is the bridge command to force the presence of the client on the WGB).

Or the client appears on the infrastructure but is unpingable because it is not replying to ARP. That's where the static ARP entry comes in.

Try to pinpoint which situation you are in.

Cheers,

Nicolas

===

Don't forget to rate answers that you find useful

Hi Nicolas

What could be the problem if the WGB does not advertise via IAPP?

Here are the configurations of the Root-AP, the WGB and the switch (where the WGB is connected). I shortened the configuration (there are a lot more VLANs and SSIDs, but it is still long for a NetPro post).

For me there are the following points on the WGB where it is not clear why they are configured (the configuration was made by another company):

1. The aaa groups are not needed on the WGB?

2. In my opinion, Dot11Radio 0.900 should not be configured as native VLAN?

Maybe you see any other problems.

Root-AP

*********

aaa new-model

!

!

aaa group server radius rad_eap

server x.x.x.x auth-port 1645 acct-port 1646

!

aaa group server radius rad_mac

server x.x.x.x auth-port 1645 acct-port 1646

!

aaa group server radius rad_acct

server x.x.x.x auth-port 1645 acct-port 1646

!

aaa group server radius rad_admin

!

aaa group server tacacs+ tac_admin

!

aaa group server radius rad_pmip

!

aaa group server radius dummy

!

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods group rad_mac

aaa authorization exec default local

aaa accounting network acct_methods start-stop group rad_acct

aaa session-id common

dot11 vlan-name Data_WPA_PSK vlan 900

!

dot11 ssid VLAN900

   vlan 900

   authentication open

   authentication key-management wpa

   wpa-psk ascii 7 xxx

!

dot11 wpa handshake timeout 500

dot11 ids mfp detector

dot11 network-map

power inline negotiation prestandard source

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption vlan 900 mode ciphers tkip

!

ssid VLAN900

!

speed basic-1.0 basic-2.0 5.5 11.0

no power client local

power client 14

power local cck 14

power local ofdm 14

no preamble-short

channel 2437

station-role root

rts threshold 2312

!

interface Dot11Radio0.900

encapsulation dot1Q 900

no ip route-cache

bridge-group 50

bridge-group 50 subscriber-loop-control

bridge-group 50 block-unknown-source

no bridge-group 50 source-learning

no bridge-group 50 unicast-flooding

bridge-group 50 spanning-disabled

!

interface FastEthernet0

no ip address

no ip route-cache

speed 100

full-duplex

!

interface FastEthernet0.900

encapsulation dot1Q 900

no ip route-cache

bridge-group 50

no bridge-group 50 source-learning

bridge-group 50 spanning-disabled

!

interface BVI1

ip address x.x.x.x x.x.x.x

no ip route-cache

!

ip default-gateway x.x.x.x

ip http server

ip http access-class 2

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

ip radius source-interface BVI1

access-list 2 remark Telnet_Zugriff

access-list 2 permit x.x.x.x x.x.x.x

radius-server attribute 32 include-in-access-req format %h

radius-server dead-criteria tries 2

radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 xxx

radius-server retransmit 2

radius-server deadtime 1

radius-server vsa send accounting

!

control-plane

!

bridge 1 route ip

!

sntp server x.x.x.x

WGB

******

aaa new-model

!

!

aaa group server radius rad_eap

server x.x.x.x auth-port 1645 acct-port 1646

!

aaa group server radius rad_mac

server x.x.x.x auth-port 1645 acct-port 1646

!

aaa group server radius rad_acct

server x.x.x.x auth-port 1645 acct-port 1646

!

aaa group server radius rad_admin

!

aaa group server tacacs+ tac_admin

!

aaa group server radius rad_pmip

!

aaa group server radius dummy

!

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods group rad_mac

aaa authorization exec default local

aaa accounting network acct_methods start-stop group rad_acct

!

ip dhcp pool xxx

!

!

dot11 vlan-name Data_WPA_PSK vlan 900

!

dot11 ssid VLAN900

   vlan 900

   authentication open

   authentication key-management wpa

   wpa-psk ascii 7 xxx

!

dot11 ids mfp detector

dot11 network-map

power inline negotiation prestandard source

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption vlan 900 mode ciphers tkip

!

ssid VLAN900

!

speed  basic-1.0 basic-2.0 5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0

power local 2

power client 14

no preamble-short

station-role workgroup-bridge

!

interface Dot11Radio0.900

encapsulation dot1Q 900 native

no ip route-cache

bridge-group 1

!

interface FastEthernet0

no ip address

no ip route-cache

speed 100

full-duplex

bridge-group 1

!

interface BVI1

ip address x.x.x.x

no ip route-cache

!

ip default-gateway x.x.x.x

ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

ip radius source-interface BVI1

access-list 2 permit any

radius-server attribute 32 include-in-access-req format %h

radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 xxx

radius-server vsa send accounting

bridge 1 route ip

bridge 1 address yyyy.yyyy.yyyy forward FastEthernet0

bridge 1 address yyyy.yyyy.yyyy forward FastEthernet0

bridge 1 address yyyy.yyyy.yyyy forward FastEthernet0

!

sntp server x.x.x.x

Switch

********

aaa new-model

aaa group server tacacs+ tacacsgroup

server x.x.x.x

!

aaa authentication login default group tacacsgroup local-case

aaa authorization exec default group tacacsgroup local

aaa accounting exec default start-stop group tacacsgroup

aaa accounting commands 15 default start-stop group tacacsgroup

!

aaa session-id common

clock timezone MET 1

clock summer-time UTC recurring last Sun Mar 2:00 last Sun Oct 3:00

system mtu routing 1500

vtp domain mah

vtp mode transparent

ip subnet-zero

!

no file verify auto

!

spanning-tree mode rapid-pvst

spanning-tree portfast bpduguard default

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

vlan 900,xxx-xxx

!

interface FastEthernet0/1

switchport access vlan 900

switchport mode access

speed 100

duplex full

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

!

interface FastEthernet0/2

switchport access vlan 900

switchport mode access

speed 100

duplex full

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

!

interface FastEthernet0/3

switchport access vlan 900

switchport mode access

speed 100

duplex full

no cdp enable

spanning-tree portfast

spanning-tree bpduguard enable

!

interface FastEthernet0/4

switchport trunk encapsulation dot1q

switchport trunk native vlan 900

switchport trunk allowed vlan 900

switchport mode trunk

speed 100

duplex full

no mdix auto

spanning-tree portfast trunk

!

interface FastEthernet0/5

switchport access vlan 900

switchport mode access

speed 100

duplex full

spanning-tree portfast

spanning-tree bpduguard enable

!

interface FastEthernet0/6

switchport access vlan 900

switchport mode access

speed 100

duplex full

spanning-tree portfast

spanning-tree bpduguard enable

!

interface FastEthernet0/7

switchport access vlan 900

switchport mode access

speed 100

duplex full

spanning-tree portfast

spanning-tree bpduguard enable

!

interface FastEthernet0/8

switchport access vlan 900

switchport mode access

speed 100

duplex full

spanning-tree portfast

spanning-tree bpduguard enable

!

interface GigabitEthernet0/1

!

interface Vlan1

no ip address

no ip route-cache

!

interface Vlan900

ip address x.x.x.x x.x.x.x

no ip route-cache

!

ip default-gateway x.x.x.x

ip classless

no ip http server

!

tacacs-server host x.x.x.x

tacacs-server directed-request

tacacs-server key 7 xxx

radius-server source-ports 1645-1646

!

control-plane

!

rtr 10

type echo protocol ipIcmpEcho x.x.x.x

request-data-size 128

owner Jnet

tag xxx

distributions-of-statistics-kept 5

statistics-distribution-interval 50

lives-of-history-kept 2

buckets-of-history-kept 5

filter-for-history all

rtr schedule 10 life forever start-time now

rtr 20

type echo protocol ipIcmpEcho x.x.x.x

request-data-size 128

owner Jnet

tag xxx

distributions-of-statistics-kept 5

statistics-distribution-interval 50

lives-of-history-kept 2

buckets-of-history-kept 5

filter-for-history all

rtr schedule 20 life forever start-time now

!

ntp clock-period 36029004

ntp server x.x.x.x prefer

Thanks a lot and regards

Dominic

- The aaa group config is not needed on the WGB, no. But it's apparently not needed on the root either, because the SSID is PSK :-)

- Well, if there is only one SSID and if you put the subint 0.900 in bridge-group 1, what's the point of configuring VLANs and bridge-groups?

The config would work the same if you did not specify any subinterface or VLAN. The WGB and root AP would just forward everything untagged, not taking care of VLANs.

So you could simplify the config a lot, and that is always a good thing too.

Nicolas

On the Root-AP are a lot of other SSIDs with dot1x, so I can not remove the aaa configuration for sure ;-)

> - Well, if there is only one SSID and if you put the subint 0.900 in bridge-group 1, what's the point of configuring VLANs and bridge-groups?

But because of the multiple VLANs on the Root-AP I need the subinterfaces on the WGB, right?

Thanks

Dominic

Ah, if there is a hidden part of the config, then yes.

The WGB doesn't need any aaa item for this SSID anyway.

The WGB should then not use native on its 0.900, but since it has Dot11Radio0.900, it would also benefit from a FastEthernet0.900.

They are all in bridge-group 1, but ... you never know.

OK that was what I wanted to hear ;-)

The following steps I will do on Tuesday:

1. Remove aaa config from WGB

2. Configure Dot11Radio 0.900 not as native

3. Configure Fa0.900

Maybe this helps to solve the passive client problem.

I will update the post again on Tuesday.

Thanks a lot Nicolas and have a nice weekend

Dominic

Hi Nicolas

We cannot configure "infrastructure-client" because we do not have the SSID as native VLAN, so we are not allowed to configure "infrastructure-ssid".

Are there any other things to look at?

If we reconnect the cable to the switch, the client answers the echo requests, but then after a while it gets lost again.

Thanks

Dominic

Infrastructure-ssid makes no sense. If you read again, you will see I never mentioned it :-)

My point was "is it the root AP losing the client in the association table?" (in which case the problem is between the client and the root AP).

Or is it the WGB that completely loses track of the client too? (show bridge x), in which case the problem is only between the client and the bridge. I doubt this last one, since you said you configured a static bridge entry on the WGB.

But I don't recall you mentioning the show dot11 assoc result.

Nicolas

Hi Nicolas

Sorry for the stupid questions, but I really don't know better ;-) I also mixed up the NetPro topics because of the infrastructure-ssid.

I think it is a problem between the client and the root AP, because if we are on the switch or the WGB, we can always reach the clients behind Fa0. But maybe this is completely wrong.

Here is the output of the WGB:

xxx#show dot11 associations

802.11 Client Stations on Dot11Radio0:

SSID [VLAN900] :

MAC Address    IP address      Device        Name            Parent         State

0017.0fdb.47a0 2.2.30.3        ap1240-Parent yyy         -              Assoc

xxx#show dot11 associations al

Address           : 0017.0fdb.47a0     Name             : yyy

IP Address        : 2.2.30.3           Interface        : Dot11Radio 0

Device            : ap1240-Parent      Software Version : NONE

CCX Version       : 4                  Client MFP       : Off

State             : Assoc              Parent           : Our Parent

SSID              : VLAN900

VLAN              : 850

Hops to Infra     : 0                  Association Id   : 1

Tunnel Address    : 0.0.0.0

Key Mgmt type     : WPA PSK            Encryption       : TKIP

Current Rate      : 11.0               Capability       : WMM ShortSlot

Supported Rates   : 1.0 2.0 5.5 11.0

Voice Rates       : disabled

Signal Strength   : -66  dBm           Connected for    : 2113 seconds

Signal to Noise   : 32  dBm            Activity Timeout : 14 seconds

Power-save        : Off                Last Activity    : 1 seconds ago

Apsd DE AC(s)     : NONE

Packets Input     : 51935              Packets Output   : 20722

Bytes Input       : 7179273            Bytes Output     : 3417628

Duplicates Rcvd   : 0                  Data Retries     : 1448

Decrypt Failed    : 14770              RTS Retries      : 3

MIC Failed        : 0                  MIC Missing      : 0

Packets Redirected: 0                  Redirect Filtered: 0

xxx#show bridge 1

Total of 300 station blocks, 292 free

Codes: P - permanent, S - self

Bridge Group 1:

    Address       Action   Interface       Age   RX count   TX count

0017.9e00.2c08   forward   FastEthernet0     0       5140       9296

0016.477e.85c7   forward   Vi0.850           0      29929          1

001c.2325.0f41   forward   FastEthernet0     0       2573       2405

0017.9e00.257c   forward   FastEthernet0    P         322         11

0024.505e.dd41   forward   FastEthernet0     1       1733        815

0090.e814.1a87   forward   FastEthernet0    P          84         76

0000.0c07.ac00   forward   Vi0.850           2          2        874

0024.505e.dd09   forward   FastEthernet0     0       6043          5

xxx#show arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  2.2.136.161             -   0023.5e02.802c  ARPA   BVI1

Internet  2.2.136.191             6   0090.e814.1a87  ARPA   BVI1

Internet  2.2.136.182             6   0017.9e00.2c08  ARPA   BVI1

Internet  2.2.136.183            39   0017.9e00.257c  ARPA   BVI1

Internet  2.2.136.1               4   0000.0c07.ac00  ARPA   BVI1

Internet  2.2.136.2               6   0016.477e.85c7  ARPA   BVI1

Here is the output of the root AP. We are looking for 2.2.136.182, 2.2.136.183 and 2.2.136.191:

yyy#show arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  2.2.24.28               0   0016.477e.85c4  ARPA   BVI1

Internet  2.2.24.30               8   0000.0c07.ac00  ARPA   BVI1

Internet  2.2.30.3                -   0018.1842.4806  ARPA   BVI1
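Nicolas's triage (is the wired client missing from the root AP's association table, or associated there but without an ARP entry?) can be run mechanically over the outputs posted above. This is an added Python example, not code from the thread; the sample outputs are constructed (all addresses made up) in the layout of the show commands quoted here, and the function names are mine.

```python
import re
MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}")
# Constructed sample outputs (all addresses made up), laid out like the
# 'show bridge 1', 'show dot11 associations' and 'show arp' outputs above.
WGB_SHOW_BRIDGE = """\
    Address       Action   Interface       Age   RX count   TX count
0200.0000.0001   forward   FastEthernet0     0       5140       9296
0200.0000.00aa   forward   Vi0.850           0      29929          1
0200.0000.0002   forward   FastEthernet0    P         322         11
0200.0000.0003   forward   FastEthernet0    P          84         76
"""
ROOT_SHOW_ASSOC = """\
MAC Address    IP address      Device        Name            Parent         State
0200.0000.00bb 10.0.0.10       WGB           wgb-sample      -              Assoc
0200.0000.0001 10.0.0.11       WGB-client    -               0200.0000.00bb Assoc
0200.0000.0003 10.0.0.13       WGB-client    -               0200.0000.00bb Assoc
"""
ROOT_SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.10               2   0200.0000.00bb  ARPA   BVI1
Internet  10.0.0.11               3   0200.0000.0001  ARPA   BVI1
"""

def wired_clients(show_bridge, iface="FastEthernet0"):
    # Wired-side entries of the WGB bridge table; True when permanent (P),
    # i.e. pinned with 'bridge 1 address ... forward FastEthernet0'.
    clients = {}
    for line in show_bridge.splitlines():
        fields = line.split()
        if len(fields) < 4 or not MAC_RE.fullmatch(fields[0]):
            continue
        mac, action, entry_iface, age = fields[:4]
        if action == "forward" and entry_iface == iface:
            clients[mac] = (age == "P")
    return clients

def triage(wgb_show_bridge, root_show_assoc, root_show_arp):
    # 'missing-iapp': on the WGB but not in the root AP association table
    # 'no-arp': associated on the root AP but without an ARP entry there
    known = set(MAC_RE.findall(root_show_assoc))
    resolved = set(MAC_RE.findall(root_show_arp))
    verdict = {}
    for mac in wired_clients(wgb_show_bridge):
        if mac not in known:
            verdict[mac] = "missing-iapp"
        elif mac not in resolved:
            verdict[mac] = "no-arp"
        else:
            verdict[mac] = "ok"
    return verdict
```

A "missing-iapp" verdict points at the WGB side (the bridge address command), a "no-arp" verdict at the client not answering ARP (the static ARP entry on the infrastructure), matching the two cases Nicolas describes.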

Sounds like the WGB is not advertising the wired clients' presence via IAPP.

This would deserve some in-depth troubleshooting.

Maybe a TAC case is worth the effort?

Hi Nicolas

Thanks for your kind help. I will discuss it with the customer and think I will go and open a TAC case.

Regards

Dominic

Hi Nicolas

We were able to find a "workaround": we just configured a static ARP with

arp x.x.x.x yyyy.yyyy.yyyy arpa on the L3 switch.

That's enough for the customer.

Thanks and regards

Dominic
