AP330 not passing through DHCP requests on native VLAN

Before I open a support ticket: Has anyone else seen a situation where an AP330 on HiveOS 6.5r8a does not pass through client DHCP requests when the user profile puts them into VLAN 1, which is also the native & management VLAN for the Access Points?

We have a 2nd SSID with PPSK and multi-user-profile assignment configured, and they all work except the one ppsk-group that puts users into VLAN 1 as well.

The configuration has been like this for a while, and we only received reports 1 week later, so I am not sure if the upgrade is really connected. Furthermore, after downgrading back to 6.5r6, we still have the same issue.

- VLAN Probe on the AP says that VLAN 1 is ok, DHCP server is available
- Client Monitor for clients show that DHCP discover messages are being received from the clients, but nothing else
- A traffic sniffer on the local Firewall which also acts as DHCP server shows no incoming DHCP traffic
- A new & clean SSID with a new user profile, VLAN 1, has the same problem
- Any other VLAN works fine

Any ideas?

Carsten Buchenau, Champ

Posted 9 months ago

Carsten Buchenau, Champ

Btw, I did open a support ticket as well, so I will update here if I have any feedback from that side.

Ben Swaby

If I am reading your post correctly, you are using the native VLAN and not specifying one. If that's the case, is there any way you can wire a regular computer into that same network and see if you get an IP address?

Carsten Buchenau, Champ

Yes, done that today. Client receives an IP from the dhcp server straight away.

Ben Swaby

In that case DHCP helpers sound to be working well. Did a quick look on the community and did find this post from a while back. Possibly might be some things in there to help you out. https://community.aerohive.com/aerohive/topics/dhcp-offer-not-recieved-by-client

Carsten Buchenau, Champ

Thanks Ben! I saw that, and my case is slightly different: The DHCP DISCOVER messages from the clients never arrive at the Firewall (= default gw & dhcp server). As if the APs would not bridge any traffic into VLAN 1.

Here is what Support answered, I will try this next when possible and report back here:

We may want to try enabling a frame filter on one of the APs. This can give us an indication of whether these requests are passing the AP or being dropped there. If we can observe a DHCP request leaving the device's ethernet interface then from there we will need to see if the issue lies upstream. 

 To enable a frame filter you will want to access CLI on the AP and issue the following commands:

_kdebug fe detail
_kdebug eth all
_ff src-mac [MAC address of test client device] bidirectional

The brackets around the MAC address are not included in the command, and the format uses delimiters every 2 digits: xx:xx:xx:xx:xx:xx

Brian Powers, Champ

Carsten,

Any update regarding this?  Genuinely curious as to the cause/fix if one has been found.  

A question or two:
When you created the new SSID/User Profile, was it still using PPSK as auth method?
If so, did your Attribute # in your User Profile match your User Profile Attribute in your PPSK Local User Group?  As I believe they must match or things get really finicky.  

Carsten Buchenau, Champ

Brian,

inconclusive... Support says they can see DHCP requests being passed on to eth0 and ask to use a port mirror with packet sniffer on the switch, but they have not yet realized that the Firewall is not just DHCP server but also the switch... (Fortigate 60c-PoE). And when I sniff the traffic here, nothing comes in... but I will do it by using a port-mirror-like sniffer and check again.

We had 2 SSIDs: One with PPSK, 4 user groups, one assigning VLAN 1. And it was working. Then a 2nd SSID, with PSK, VLAN 1, it also used to work. Suddenly (?) in both cases users were not receiving an IP anymore when on VLAN 1. For testing I then created a 3rd, clean SSID, WPA2-PSK, with a clean user profile assigning VLAN 1, and I got the same issue. In the Client Monitor I always see a successful 4-way-handshake and then DHCP Discover messages, and that's it.

carsten
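
An added example, not part of any post in this thread: when checking a port-mirror capture for the client's DHCP traffic, it helps to see whether each DISCOVER arrives untagged or with an 802.1Q tag, and with which VLAN ID. The sketch below parses raw Ethernet frames for that; the function names are hypothetical, the sample frames are constructed, and it assumes the frames have already been extracted as bytes from a capture taken upstream of the AP.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def classify_frame(frame: bytes):
    """Return (client_mac, vlan_id, dhcp_type) for a DHCP frame, else None.
    vlan_id is None when the frame is untagged (native VLAN on a trunk)."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off, vlan = 14, None
    if ethertype == 0x8100 and len(frame) >= 18:  # 802.1Q tag present
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != 0x0800 or len(frame) < off + 20 or frame[off + 9] != 17:
        return None  # not IPv4/UDP
    udp = off + (frame[off] & 0x0F) * 4
    if len(frame) < udp + 8 or set(struct.unpack("!HH", frame[udp:udp + 4])) != {67, 68}:
        return None  # not client<->server DHCP ports
    bootp = frame[udp + 8:]
    if len(bootp) < 240 or bootp[236:240] != MAGIC:
        return None
    mac = ":".join(f"{b:02x}" for b in bootp[28:34])  # chaddr field
    opts, i, msg = bootp[240:], 0, None
    while i < len(opts) and opts[i] != 255:  # 255 = end option
        if opts[i] == 0:  # pad option has no length byte
            i += 1
            continue
        if i + 2 >= len(opts):
            break  # truncated option
        if opts[i] == 53:  # DHCP message type
            msg = TYPES.get(opts[i + 2], str(opts[i + 2]))
        i += 2 + opts[i + 1]
    return mac, vlan, msg

def dhcp_from_client(frames, mac):
    """List (vlan_id, dhcp_type) for DHCP frames whose chaddr equals mac."""
    hits = (classify_frame(f) for f in frames)
    return [(h[1], h[2]) for h in hits if h and h[0] == mac.lower()]

def build_discover(mac: bytes, vlan=None) -> bytes:
    """Constructed sample DISCOVER frame (not captured traffic)."""
    bootp = (bytes([1, 1, 6, 0]) + bytes(24) + mac + bytes(10) + bytes(192)
             + MAGIC + b"\x35\x01\x01\xff")
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    return b"\xff" * 6 + mac + tag + struct.pack("!H", 0x0800) + ip
```

An empty list from `dhcp_from_client` for the test client's MAC means no DHCP frame from that client reached the capture point at all, tagged or untagged.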