Layer 3 Roaming Issues

  • Question
  • Updated 2 years ago
  • Answered
Greetings!

I have segmented my network into multiple subnets with separate VLANs based on the different sections of the physical building. I am using classifier tags to have the AP's automatically dump the clients onto the appropriate VLAN for each section of the building. So far this is working quite well....as long as the clients don't move...at all.

I have enabled layer 3 roaming in the user profile, but I'm having trouble with it working correctly. The issue is that the client will successfully authenticate to the SSID, but then will be unable to obtain a DHCP lease after it moves around a bit.

I sniffed the AP's switch port with Wireshark and see that the client is sending a broadcast for DHCP Discover and not receiving a response.

DHCP Relay is set up on all my routers and is working correctly because wired and other wireless clients will obtain an IP just fine. It appears to happen only if the client roams away and then comes back.

At this point I'm not even sure how to troubleshoot further. Attached is a network diagram with all the IP info.

Benjamin Lambert

Posted 5 years ago
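
The symptom in the question (DHCP Discover broadcasts on the AP's switch port with no reply) can be checked across a whole capture by pairing each Discover with an Offer or ACK on the same transaction ID. This is an added example, not part of the original post; the sample frames and MAC addresses are constructed, and it assumes the DHCP UDP payloads have already been extracted from the capture.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie after the 236-byte BOOTP header
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload):
    """Return (xid, client MAC, message type) from a DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen = payload[2]
    xid = struct.unpack("!I", payload[4:8])[0]
    mac = payload[28:28 + min(hlen, 16)].hex(":")      # chaddr field
    mtype, i = None, 240
    while i + 1 < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:                            # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            mtype = TYPES.get(payload[i + 2], str(payload[i + 2]))
        i += 2 + length
    return xid, mac, mtype

def unanswered_discovers(frames):
    """Count Discovers per client MAC that never saw an Offer/ACK for the same xid."""
    pending = {}
    for ts, payload in frames:
        xid, mac, mtype = parse_dhcp(payload)
        if mtype == "DISCOVER":
            pending.setdefault((mac, xid), []).append(ts)
        elif mtype in ("OFFER", "ACK"):
            pending.pop((mac, xid), None)
    result = {}
    for (mac, _xid), times in pending.items():
        result[mac] = result.get(mac, 0) + len(times)
    return result

def build(op, xid, mac, mtype):
    """Construct a minimal DHCP payload for the sample capture (not real traffic)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000) + bytes(16)
    hdr += bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00") + bytes(192)
    return hdr + MAGIC + bytes([53, 1, mtype, 255])

# Constructed sample: client ...:01 gets an Offer, roamed client ...:02 retries unanswered.
SAMPLE = [(0.0, build(1, 0x1111, "02:00:00:00:00:01", 1)),
          (0.1, build(2, 0x1111, "02:00:00:00:00:01", 2)),
          (5.0, build(1, 0x2222, "02:00:00:00:00:02", 1)),
          (9.0, build(1, 0x2222, "02:00:00:00:00:02", 1)),
          (17.0, build(1, 0x2222, "02:00:00:00:00:02", 1))]

if __name__ == "__main__":
    print(unanswered_discovers(SAMPLE))
```

Running the same pairing on captures taken at the AP port and at the router's relay interface shows on which segment the Discover stops being answered.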

Benjamin Lambert
Other info:
-They are all the same Hive
-AP's can see each other via background scans, and others I manually neighbored.
-The switch port the AP's are connected to is tagged for that client VLAN
-All AP's are reachable via HMOL

Crowdie, Champ
Just to summarise:

* The wireless client associates correctly initially and is given a correct IP address via DHCP for the building they are in.
* If the wireless client remains in the building they initially associated in they don't have an issue?
* If the wireless client moves between buildings they lose their IP address?

Does this sound correct?

What should be happening is that the wireless client initially associates in building x and is given an IP address from the DHCP IP scope for building x. The wireless client then moves to building y and retains their IP address from building x - i.e. their IP address does not change as they move between the buildings.

Benjamin Lambert
Yes, that's a pretty good summary. I'll be doing some more testing tomorrow to see if I can figure out some more details.

Tim Ruda, Official Rep
Hi Benjamin,

Depending on your version, you may want to try enabling this feature in the management options...

(Network Policy) > Additional Settings > Service Settings > Management Options > (Modify)



This will allow the VLAN to sync when the client roams to the second AP and forms the GRE tunnel to the original AP it connected to.

Benjamin Lambert
Thank you for the response Tim. I did enable that option and reboot the APs, and it does appear to be working better.

I was able to take my laptop streaming a YouTube video and walk to a different section of the building while keeping my IP and video stream. I then walked to a different section and eventually ended up being disconnected.

I could see the AP's and authenticate, but again it refused to either do a 'soft' layer 3 roam or even a 'hard' roam and obtain a new IP address. Once I brought it back to my office where I originated it obtained its original IP and worked fine again.

I'll keep testing. I just noticed that the ACSP Neighbor info FINALLY populated in the AP details so I'll see if that made a difference.

Thanks again for your responses!

Tim Ruda, Official Rep
Hi Benjamin,

Can you confirm which version of code is being used on the HiveManager and AP's?

Benjamin Lambert
6.1r1

Benjamin Lambert
Ok, time for a shameless bump....

It appears that I'm basically having the same issue...but since school is now back in session....there's a lot more of it going on.

I THINK it is because for some reason the AP is keeping a hold of the VLAN that the client connected to in another section of the campus, but is refusing to let it go....or kick in the roaming (probably because they are in different subnets and I can't manually neighbor EVERYTHING).

The only thing that I can think of is instead of worrying about tagging the client VLAN on the AP, is just have the AP's dump the clients on to whatever VLAN/subnet the AP is attached to (untagged). Then the APs won't have to worry about the VLANs themselves, just the layer 3 info, which...in theory a 'hard' roam should take care of. I think.

Any further suggestions?

Gary Smith, Official Rep
Hi Benjamin,

Can you show us how your tunnel policy is configured please?
e.g.


Kind Regards,
Gary Smith

Benjamin Lambert
Here you are, thank you for the reply.

Gary Smith, Official Rep
Thanks Benjamin. Do you see any difference in behavior between 2.4 and 5GHz roaming?

Benjamin Lambert
Nothing that I've noticed. The issue does seem to pop up with both 2.4 and 5GHz clients.

Gary Smith, Official Rep
Hi Benjamin,

I suggest that you open a support case with Aerohive so that they can take a look and maybe perform some debugging. It would be good to track the outcome on this forum.

Kind Regards,
Gary Smith

Benjamin Lambert
Thank you Gary, I will do so and report back.

Benjamin Lambert
From my conversation with support (which was great btw), it appears that my configuration is correct (yay!), but due to my particular oddities of subnets, VLANs and physical layout I will need to further expand my manually added neighbors.

It appears that one of the issues is that the APs may not be able to exchange roaming information over wireless due to signal strength between each other.

I will also be trying my theory of making all the traffic (management and client) untagged from the AP thus sort of taking layer 2 VLAN assignment out of the equation and hoping that layer 3 hard and soft roams work better.

Benjamin Lambert
I ended up adding ALL AP's that are in neighboring subnets to the manual neighbor list for the APs. I didn't have so many that this poses an issue and it seems to work quite well.

I also ended up fiddling with the radio profile settings in order to better serve the clients, which also seems to have helped.

Anton Sinageykin
Hey Benjamin, would you mind expanding a little on the radio profile settings and what you did exactly? I'm having a similar issue in a building with multiple floors. 

Thank you.

Benjamin Lambert
I don't remember exactly what I did. One of the things that I do remember is turning the radio power down to create smaller cells. IIRC I brought up the help page for the radio profile page and read through it step by step.

What sort of issues are you having?

Haydn St
Hi Benjamin

How many APs exactly did you add as manual neighbours?

We have a school environment, most blocks are close enough to at least one other block. But I would have thought that if the client could not see the AP it originally authenticated on it would reconnect again to the closest AP.

We do want the students and teachers to roam across the entire school, do you think it would be a good idea to add all the APs as neighbours?


Smitty
Sorry for bringing back an old thread...but I am having the exact same issue.  I have segmented my network into multiple subnets with separate VLANs based on the different floors of the physical building. I am using device classification tags to have the AP's automatically dump the clients onto the appropriate VLAN for each floor of the building. This is working as long as the clients don't move off of their floor.

I have enabled layer 3 roaming in the user profile, but it is not working correctly. The issue is that the client will successfully authenticate to the SSID, but then when they roam they are not GRE tunneling back to their other VLAN and the client will sometimes lose its IP address and it does not receive a new one, it ends up at 169.254.x.x.

DHCP Relay is set up on all my switches and is working correctly because wired and other wireless clients will obtain an IP just fine. It appears to happen only if the client roams.

I have manually set up all of the AP's in the building as neighbors to the other AP's in the building which hasn't helped.  I had a case open with support but we didn't make any progress on solving the issue.  I did not enable VLAN ID Sync because my HiveOS is later than 5.1r5.

It is really frustrating, somebody on the 5th floor will grab their laptop, walk down to the 4th floor.  They stay connected to the SSID the entire time but when they hit the 4th floor it isn't setting up the tunnel to route traffic so first they just can not route traffic, then eventually they lose their IP Address and instead of getting a new one they end up with 169.254.x.x and still can not route.  If they turn their wireless off and back on it grabs an IP address for that floor and starts working again.

I am out of ideas on how to fix it. 

Gary Smith, Official Rep
Hi Smitty,

To understand a little more about the issue, we'd need to see a network topology. Are the AP's on the same MGT VLAN or different? Are the clients using the same VLANs across the floors or different?

I'd be interested to look at the config over a websession. How about you open a case and ask for me?

Kind Regards,
Gary Smith