Guests cannot connect

  • 1
  • Question
  • Updated 4 years ago
  • Answered
We're having a problem with a new deployment - clients are unable to connect to a "guest" SSID. We've got to the following state:

- Using a GRE tunnel from an AP330 at one site to 2 x CVG (virtual) in a DMZ
- DHCP addresses are being assigned by a central DHCP server (not Aerohive)
- The DMZ CVGs are configured as DHCP relays - they forward the clients requests to the DHCP server
- Using HiveManager on premise
- The tunnel policy looks good - source and destination are okay
- Diagnostics for the tunnel are okay - the AP shows a connection to one of the CVGs (we were testing with one client initially)
- The VPN assignments look okay (the CVGs are on a different VLAN to the "management/native VLAN" settings in HM - we're overriding this using device tags, checked the running config - it looks fine)

Having performed a few remote sniffer traces:
- on the CVG device it shows the client broadcast a DHCP DISCOVER, and the cvg (dhcp relay agents) send it on to the DHCP server
- The DHCP server replies with an OFFER, and the CVG relay agent broadcasts it out onto the local subnet
- we don't see a DHCP OFFER from the client, it just continues to send discovers

- running wireshark on the client, it shows it sending the DHCP discover, but it never receives the offer
So, the problem seems to be that the client is not receiving the broadcasts from the CVG with the DHCP offer ! I'm out of ideas why !

Frustratingly, alongside the "on premise" deployment, we are still running an evaluation hive, using the cloud HM. This has pretty much an identical setup, with the APs on the same subnets (we used an AP in the DMZ for GRE tunnel termination for the eval) and this works fine - clients can get a DHCP lease and connect to the outside world.

Suggestions gratefully received :-)


Photo of Kier PW

Kier PW

  • 6 Posts
  • 3 Reply Likes

Posted 4 years ago

  • 1
Photo of Kier PW

Kier PW

  • 6 Posts
  • 3 Reply Likes
Update - we fixed it !

There were a couple of issues, the first one being that 'promiscuous mode' needed to be enabled (Accept option) on the vSwitch that the CVGs were "connected to".

This then allowed us to see a firewall issue that was blocking GRE traffic.

Fixed both of those, and we were able to connect devices onto the Guest SSID !
Photo of Mike Kouri

Mike Kouri, Official Rep

  • 1030 Posts
  • 271 Reply Likes
Thank you for updating this thread, I'm very glad you found the underlying problem.