Why does AIR-CAP3702I keep releasing the DHCP lease every 5-7 seconds

AimeeP · ‎07-12-2023

We are trying to move our DHCP server from windows servers to our PA-820 firewalls. There is no issue for any devices getting DHCP addresses except the Cisco AIR-CAP3702I. It requires DHCP option 43 which I have configured with an IP, ASCII, and hex. No matter what option I select, the AP gets a DHCP address and within a few seconds releases it and requests a new one. I was unable to find any documentation on other people having this issue.
The AP has no trouble getting an IP from the DHCP server and connecting back to the controller, when I use the DHCP relay on the firewall to send the requests to the Windows server.

The other devices connecting to the firewall for DHCP that don't require option 43, but do require other options are not having any issues.
I have a ticket opened with Palo support, but since the device is getting and IP and is the same device that is releasing the IP to get a new one, they aren't being much help.

I don't currently have access to console connection on the AP, but should tomorrow, but if anyone has any ideas on what could be causing this I'd appreciate it.

Flavio Miranda · ‎07-12-2023

Hi

Option 43 is problematic as every vendor deploy differently. But, called my attention when you said "IP, ASCII, and hex". Usually is one or other.

AimeeP · ‎07-14-2023

In the Windows DHCP server, we use f1040a010101 and it works just fine. Because that configuration wasn't working in the firewall, I tried using different variations in an attempt to get it to work. I see the same behavior no matter how I configured it. So whether I used the option for IP, ASCII, or hex and their appropriate values in the firewall's DHCP options (at different times, not all configured at once), the AP will still get an IP and then release it 5-8 seconds later and request a new one. The lease is set for 8 days.

Rich R · ‎07-29-2023

Get a packet capture of the DHCP packets to/from the PA firewall and compare to the packet capture of DHCP from the Windows server - share here if you want us to look. The PA might be sending additional parameters which the 3700 doesn't support.

Very important to get the complete console log from the AP to see what that shows. If it's staying on the same IP can't you SSH into the AP to check the log?

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390