WLC 5508 and WPA/WPA2 causes client DNS lookups to fail

malmgren
Level 1

Hi all, we just recently received a brand new 5508 with 6.0.199.4 firmware.  We currently have three LAP-1250s that associate just fine to the WLC.

For testing purposes only, we enabled WPA2 with both encryption types, TKIP and AES, with an ASCII PSK. The clients are able to connect, authenticate and get an IP address from our local (same subnet) DHCP server. They also get the DNS info from our DHCP server. However, the problem is that they are not able to do any DNS lookups. I haven't run Wireshark yet to confirm, but it sounds very familiar to this problem: https://supportforums.cisco.com/message/3202369

I've even had clients use nslookup with both of my DNS servers and they are not able to resolve.  I'm not sure if the request or the reply is being blocked/dropped, but I can find out tomorrow.

Now the strange part - if I turn off WLAN security altogether, it works!   That's right, I just disable L2 security for the WLAN and re-connect the clients and they are able to do full DNS lookups.

AND - if I leave L2 security configured (WPA2 with PSK), and enable L3 Passthrough security - the clients get to the auth web page, click the "accept" button and are then able to do full DNS lookups too.

What could be the problem here?   There's nothing I see configured for the L2 or L3 security settings that could be the culprit.  We're using default (from Cisco) configuration, so there's no ACLs configured or anything like that to block DNS.

Another strange thing here which may or not be related - during initial configuration the setup asked for a virtual IP - so I gave it one - 1.1.2.2.   Now when I do an ipconfig /all on the client, I see this 1.1.2.2 address listed as the DHCP server.  Why is this?   It's definitely getting an IP address and DNS info from the correct DHCP server, so not sure why this is showing up.

Thanks, Matt
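The post above says nslookup fails but it is not yet known whether the query or the reply is being dropped, and whether it is UDP-specific. The following probe is an added example, not code from the thread or from Cisco: it hand-builds a DNS A query, sends it straight to a resolver over UDP and then over TCP, and reports timeout versus answer for each, which separates a blackholed UDP/53 data path from a resolver that is actually down. The name example.com and the resolver addresses are assumptions, and the embedded reply bytes are a constructed packet used only to exercise the parser offline.

```python
"""Minimal DNS probe for isolating the 'DNS dies behind WPA2' symptom.

Sends one A query directly to each resolver over UDP and over TCP.
An answer on TCP but a timeout on UDP points at something eating UDP/53
between the client and the server (e.g. the WLC data path); a timeout on
both suggests the reply path or the server itself.
"""
import random
import socket
import struct
import sys


def build_query(name, qtype=1, txid=None):
    """Return a standard DNS query (RD set, one question) as raw bytes."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name; return new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, always 2 bytes
            return off + 2
        off += 1 + length


def parse_response(data, expected_txid):
    """Parse a DNS reply; return rcode, TC bit and any A-record addresses."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # QTYPE + QCLASS
    addresses = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(rdata))
    return {"rcode": flags & 0x000F, "truncated": bool(flags & 0x0200),
            "addresses": addresses}


def probe(server, name, proto="udp", timeout=3.0):
    """Query SERVER for NAME over UDP or TCP; never raises on network failure."""
    txid = random.randrange(0, 0x10000)
    query = build_query(name, txid=txid)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                data, _ = s.recvfrom(4096)
        else:  # RFC 1035 TCP framing: 2-byte length prefix
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.settimeout(timeout)
                s.sendall(struct.pack("!H", len(query)) + query)
                (length,) = struct.unpack("!H", s.recv(2))
                data = b""
                while len(data) < length:
                    chunk = s.recv(length - len(data))
                    if not chunk:
                        break
                    data += chunk
    except socket.timeout:
        return {"server": server, "proto": proto, "status": "timeout"}
    except OSError as exc:
        return {"server": server, "proto": proto, "status": "error: %s" % exc}
    result = parse_response(data, txid)
    result.update(server=server, proto=proto, status="answered")
    return result


# Constructed reply (not a real capture): txid 0x1234, NOERROR, one A record
# for example.com -> 93.184.216.34, answer name given as a pointer to offset 12.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    + b"\x07example\x03com\x00\x00\x01\x00\x01"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x5d\xb8\xd8\x22"
)


if __name__ == "__main__":
    # Usage: python dnsprobe.py 192.0.2.10 192.0.2.11   (resolver IPs assumed)
    for server in sys.argv[1:] or ["192.0.2.10"]:
        for proto in ("udp", "tcp"):
            print(probe(server, "example.com", proto))
```

Run it from a client on the WPA2 WLAN and again with L2 security disabled; a result that flips from "timeout" to "answered" on UDP only, with the same servers, is the data-path evidence the thread is looking for.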

6 Replies

malmgren
Level 1

Just a reply to myself and others interested...

After upgrading to the latest "Cisco AireOS Version 7.0.98.0" release, and resetting the config back to factory defaults, I am still seeing this problem, and I still seem to be having it on my Mac clients.

Digging more...

The virtual interface does the following, so no worries there:

The virtual interface is used to support mobility management, Dynamic Host Configuration Protocol (DHCP) relay, and embedded Layer 3 security such as guest web authentication and VPN termination. It also maintains the DNS gateway host name used by Layer 3 security and mobility managers to verify the source of certificates when Layer 3 web authorization is enabled.

As everything works OK without security, my first instinct would be to look at the client firmware. What clients are you running and what firmware, and also what access points? Also, if you run both TKIP and AES on the same WLAN, clients can get confused. Try with just one.

Sorry, the web passthrough seems like normal behaviour; I've never used it, but they are not entering a username and password, just a click-through.

Thanks for the info, Pete. When you ask for the client version, are you referring to each AP version?

The AP version is 7.0.98.0 as well. Otherwise, the clients are a mix of Windows and Mac clients.

Thx, Matt

Sorry, I mean the laptop wireless client, i.e. Intel 5200 etc., and the driver version.

Apologies for not being clear.

Many many issues in wireless are client related.

Andrew Betz
Cisco Employee

Hi Matt,

Just wanted to jump in and also mention that it may be worth attempting to disable the fastpath feature on the 5508 and testing your failing client again. You may be hitting CSCti34667.

debug fastpath cfgtool --fc.disable

This command can be run via Telnet/SSH. Please keep in mind that fastpath will automatically re-enable periodically, so we recommend disabling it every 10 minutes as a workaround for any known fastpath issues. You can do so by running the following macro in TeraTerm:

:mainloop
   sendln "debug fastpath cfgtool --fc.disable"
   pause 600
goto mainloop

If you find that disabling fastpath resolves your concern, you can reach out to TAC for an Escalation Image with the fix for this one.

Best,

Drew
