Re: SSID is getting wrong ip address

rajaayman · ‎05-01-2020

HI Team

When users are connecting to the corp-SSID they are getting the ip from the WLC management sub net . In the flex connect i have set the Vlan and tested too but still no luck .

WLC issue, Other Wireless-Mobility Subjects

Below is AP details

cisco AIR-AP1832I-E-K9 ARMv7 Processor rev 0 (v7l) with 967420/705872K bytes of memory.
Processor board ID KWC203705ZI
AP Running Image : 8.3.143.0
Primary Boot Image : 8.3.143.0
Backup Boot Image : 8.2.111.0
2 Gigabit Ethernet interfaces
2 802.11 Radios
Radio FW version : c5d79906494f60ee03674c0779e5c30b
NSS FW version : NSS.AK.1.0.c10-00017-E_custC-1.67978.1

Base ethernet MAC Address : D4:2C:44:E0:0F:F8
Part Number : 0-0000-00
PCA Assembly Number : 074-104313-02
PCA Revision Number : 01
PCB Serial Number : KWC203705ZI
Top Assembly Part Number : 000-00000-00
Top Assembly Serial Number : KWC203705ZI
Top Revision Number : A0
Product/Model Number : AIR-AP1832I-E-K9

Controller details

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.3.143.0
RTOS Version..................................... 8.3.143.0
Bootloader Version............................... 8.3.15.96
Emergency Image Version.......................... 8.3.143.0

OUI File Update Time............................. Sun Sep 07 10:44:07 IST 2014

Build Type....................................... DATA + WPS

System Name...................................... HQ-WLC
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1631
IP Address....................................... 142.100.64.11
IPv6 Address..................................... ::
System Up Time................................... 0 days 2 hrs 8 mins 42 secs
System Timezone Location......................... (GMT +4:00) Muscat, Abu Dhabi
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180

SSID details

WLAN Identifier.................................. 1
Profile Name..................................... Corp-SSID
Network Name (SSID).............................. Corp-SSID
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum Clients Allowed.......................... Unlimited
Maximum number of Clients per AP Radio........... 200

ATF Policy....................................... 0
Number of Active Clients......................... 1
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 86400 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... none
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ vlan 10
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Tunnel Profile................................... Unconfigured
Quality of Service............................... Silver

Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... 802.1P (Tag=0)
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All

DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Global Servers
Accounting.................................... Global Servers
Interim Update............................. Enabled
Interim Update Interval.................... 0
Framed IPv6 Acct AVP ...................... Prefix
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Radius NAI-Realm................................. Disabled
Mu-Mimo.......................................... Enabled
Security

802.11 Authentication:........................ Open System
FT Support.................................... Adaptive
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled

AES Cipher.............................. Enabled
CCMP256 Cipher.......................... Disabled
GCMP128 Cipher.......................... Disabled
GCMP256 Cipher.......................... Disabled
OSEN IE.................................... Disabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Enabled
CCKM.................................... Disabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
OSEN-1X................................. Disabled
SUITEB-1X............................... Disabled
SUITEB192-1X............................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Enabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled

--More-- or (q)uit
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web Authentication Timeout.................... 300
Web-Passthrough............................... Disabled
Mac-auth-server............................... 0.0.0.0
Web-portal-server............................. 0.0.0.0
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Enabled
FlexConnect Central Association............... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200

--More-- or (q)uit
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Disabled
Flex Avc Profile Name............................ None
Flow Monitor Name................................ None
Split Tunnel Configuration
Split Tunnel................................. Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Enabled
802.11k Neighbor List Dual Band.................. Disabled
802.11v Directed Multicast Service............... Enabled
802.11v BSS Max Idle Service..................... Enabled
802.11v BSS Transition Service................... Enabled
802.11v BSS Transition Disassoc Imminent......... Disabled
802.11v BSS Transition Disassoc Timer............ 200
802.11v BSS Transition OpRoam Disassoc Timer..... 40
DMS DB is empty
Band Select...................................... Disabled
Load Balancing................................... Disabled

--More-- or (q)uit
Multicast Buffer................................. Disabled
Universal Ap Admin............................... Disabled
Broadcast Tagging................................ Disabled

Mobility Anchor List
WLAN ID IP Address Status Priority
------- --------------- ------ --------

802.11u........................................ Disabled

MSAP Services.................................. Disabled

Local Policy
----------------
Priority Policy Name
-------- ---------------

QoS Fastlane Status.............................. Disable
Selective Reanchoring Status..................... Disable

Switch Config

WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled

Server connected ( WLC) ESXI

interface FastEthernet1/0/2
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast trunk

AP
interface FastEthernet1/0/19
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk

interface Vlan10 ( usersubnet)
ip address 192.168.1.254 255.255.255.0
ip helper-address 192.168.1.254
!
interface Vlan100 ( managment Subnet )
ip address 142.100.64.253 255.255.255.0
ip helper-address 142.100.64.253

ip dhcp pool 1
network 192.168.1.0 255.255.255.0
dns-server 192.168.1.10 8.8.8.8
option 150 ip 192.168.1.11
domain-name nsccme.online
default-router 192.168.1.254
!
ip dhcp pool wlc
network 142.100.64.0 255.255.255.0
default-router 142.100.64.253
dns-server 192.168.1.10 8.8.8.8
domain-name nsccme.online
option 43 ip 142.100.64.11
!

Please help to resolve the issue

Regards

raja

Jurgens L · ‎05-01-2020

Can you also provide the output of your flexconnect group:

show flexconnect group detail <group name>

rajaayman · ‎05-01-2020

HI

Please find the below

(Cisco Controller) >show flexconnect group detail default-flex-group

Number of APs in Group: 1

AP Ethernet MAC Name Status Mode Type Conflict with PnP
-------------------- -------------------- --------------- ---------------- -------- -----------------

d4:2c:44:e0:0f:f8 AP-01 Joined Flexconnect Manual No

Efficient AP Image Upgrade ..... Disabled

Master-AP-Mac Master-AP-Name Model Manual

Group Radius Servers Settings:
Type Server Address Port
------------- ---------------- -------
Primary Unconfigured Unconfigured
Secondary Unconfigured Unconfigured
Group Radius/Local Auth Parameters :
Radius Retransmit Count......................... 3 (default)
Active Radius Timeout........................... 5 (default)

Group Radius AP Settings:

--More-- or (q)uit
AP RADIUS server............ Disabled
EAP-FAST Auth............... Disabled
LEAP Auth................... Disabled
EAP-TLS Auth................ Disabled
EAP-TLS CERT Download....... Disabled
PEAP Auth................... Disabled
Server Key Auto Generated... No
Server Key.................. <hidden>
Authority ID................ 436973636f0000000000000000000000
Authority Info.............. Cisco A_ID
PAC Timeout................. 0
HTTP-Proxy Ip Address....... 0.0.0.0
HTTP-Proxy Port............. 0
Multicast on Overridden interface config: Disabled
DHCP Broadcast Overridden interface config: Disabled
Number of User's in Group: 0
FlexConnect Vlan-name to Id Template name: none
Group-Specific Vlan Config:
Vlan Mode.................... Disabled
Override AP Config........... Disabled
Group-Specific FlexConnect Wlan-Vlan Mapping:

WLAN ID Vlan ID

--More-- or (q)uit
-------- --------------------

WLAN ID SSID Central-Dhcp Dns-Override Nat-Pat

rajaayman · ‎05-01-2020

On the Wlan i have removed FlexConnect Local Switching then it is getting the Correct DHCP is that correct Please advise

does this make any issue

Jurgens L · ‎05-01-2020

You will need to setup a FlexConnect Group or modify the default flex group, under WLAN VLAN Mapping tab you need to:

- Enable VLAN Support and enter your native VLAN, VLAN 100

- Map your WLAN ID, (WLAN 1) to VLAN 10

- Map your AP to the Flex Connect Group by going under the General Tab depending your WLC version you should see "FlexConnect AP" where you can go and add the AP.

<<< Pls remember to rate all useful responses >>>

Rich R · ‎05-02-2020

And 8.3.143.0 is quite old code (went end of software maintenance last year) so you might want to think about getting onto at least 8.5 code - see https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html and check your hardware support in https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html and the release notes for the chosen release. If you need to stay on 8.3 then at least think about getting onto latest 8.3.150.x Escalation build.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs