No DHCP in network - APs don't get connected to HiveManager Online

  • Updated 3 years ago
Hello people.
I'm very new to most of this, but I got rather far and now I'm stuck.
I tried to find information in answered questions, but I still can't solve my problem.

I have 5 AP230 for our school and I have connected them to HiveManager online at home using my router (with DHCP). All white lights, all good.

At school, I don't have a DHCP server, we are using fixed IP-Addresses.
So I configured the APs to use DHCP with Fallback IPs that I'm using at the school.

Plug in - light red - WiFi works, keys work etc but no connection to Hive Manager!

So: Having read the other questions, I SSHed into the AP via the fallback IP and found out that the CAPWAP server IP is 0.0.0.0

Maybe that's the problem? No DNS Server found? So I even told the AP
* ntp server <NTP Source IP Address>
* dns server-ip <DNS Server IP Address>
(I found this somewhere)

Now there is a server IP, but it still can't connect.
Maybe one of you has an idea!

Thanks a lot
Jens Fehn

  • 10 Posts
  • 0 Reply Likes

Posted 3 years ago

mdparker04

  • 11 Posts
  • 4 Reply Likes
I assume that you guys have a firewall at school. Do you have UDP port 12222 open to the internet? If that fails, it will fall back to TCP 80 and 443. The fallback will work, but it has been my experience that having 12222 open is more reliable.
Jens Fehn

  • 10 Posts
  • 0 Reply Likes
Thanks for the advice. We do have a firewall and it seems to be blocking port 12222.
I need the school district tech people to change that. It doesn't seem to go to the other ports.
The ping doesn't go through, but the DNS seems to work, I get an IP number to ping.
mdparker04

  • 11 Posts
  • 4 Reply Likes
Also do something like this:

capwap ping hm-useast-217.aerohive.com

That will tell you if your DNS is working and whether the AP is able to ping a CAPWAP server.
Malcolm Snelgrove

  • 21 Posts
  • 2 Reply Likes
I had to change my APs to use http specifically to get past a firewall. I used the commands in this post:
https://community.aerohive.com/aerohive/topics/issues-connecting-a-ap330-to-a-hwol-they-appear-in-hi...
So manually change the CAPWAP server to the correct address; you can ping it and use the IP address to get around the DNS requirement.
Then change the port and transport required, as per the link, and see if that works. Then you know whether it is the firewall at school or not.
Jens Fehn

  • 10 Posts
  • 0 Reply Likes
Thanks for the help!
I changed the port to 80, but in the ping it is still using 12222 (and can't get through since we have a firewall blocking it). The DNS seems to work fine.

capwap client transport http
capwap client server port 80

I now seem to be losing my IP address however
(Edited)
Malcolm Snelgrove

  • 21 Posts
  • 2 Reply Likes
You can use the IP address 52.5.91.205 from your ping as the CAPWAP server name. i.e.:

capwap client server name 52.5.91.205

then do the 

no capwap client enable
capwap client enable
commands. 

Then your APs should be able to talk to the CAPWAP server via http on port 80 and appear in HiveManager Online.
If the AP can't talk to the redirector, then it can't get your CAPWAP server name/IP and will not find your hive settings.
(Edited)
Jens Fehn

  • 10 Posts
  • 0 Reply Likes
AH-5f37c0#sh capwap client
CAPWAP client:   Enabled
CAPWAP transport mode:  HTTP on TCP

CAPWAP client IP:        0.0.0.0
CAPWAP server IP:        0.0.0.0
HiveManager Primary Name:freeap-useast-001.aerohive.com
HiveManager Backup Name:
CAPWAP Default Server Name: redirector.aerohive.com
Virtual HiveManager Name: Jens_Fehn
Server destination Port: 80
CAPWAP send event:       Enabled
CAPWAP DTLS state:       Enabled
CAPWAP DTLS negotiation: Disabled
     DTLS next connect status:   Enable
     DTLS always accept bootstrap passphrase: Enabled
     DTLS session status: Disconnect
     DTLS key type: passphrase
     DTLS session cut interval:     5 seconds
     DTLS handshake wait interval: 60 seconds
     DTLS Max retry count:          3
     DTLS authorize failed:         0
     DTLS reconnect count:          0
Discovery interval:      5 seconds
Heartbeat interval:     30 seconds
Max discovery interval: 10 seconds
Neighbor dead interval:105 seconds
Silent interval:        15 seconds
Wait join interval:     60 seconds
Discovery count:         0
Max discovery count:     3
Retransmit count:        0
Max retransmit count:    2
Primary server tries:    3
Backup server tries:     2
Keepalives lost/sent:    0/0
Event packet drop due to buffer shortage: 0
Event packet drop due to loss connection: 8

AH-5f37c0#capwap ping hm-useast-217.aerohive.com
CAPWAP ping parameters:
    Destination server: hm-useast-217.aerohive.com (52.5.91.205)
    Destination port: 12222
    Count: 5
    Size: 56(82) bytes
    Timeout: 5 seconds
--------------------------------------------------
CAPWAP ping result:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    ------- hm-useast-217.aerohive.com CAPWAP ping statistics -------
    5 packets transmitted, 0 received, 100.00% packet loss, time 25004.887ms
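The "show capwap client" fields quoted in this thread can be triaged mechanically, and the ordering matters: no client IP means an addressing problem, a server IP of 0.0.0.0 means the HiveManager or redirector name never resolved, and dropped events with a disconnected DTLS session point at the path to the server. This is an added example, not Aerohive tooling; the sample is a constructed, trimmed copy of the output above, and the field names come from it.

```python
"""Triage helper for HiveOS 'show capwap client' output (added example, not Aerohive code)."""

# Constructed sample: a trimmed copy of the AP output quoted above in this thread.
SAMPLE = """\
CAPWAP client:   Enabled
CAPWAP transport mode:  HTTP on TCP
CAPWAP client IP:        0.0.0.0
CAPWAP server IP:        0.0.0.0
HiveManager Primary Name:freeap-useast-001.aerohive.com
CAPWAP Default Server Name: redirector.aerohive.com
Server destination Port: 80
     DTLS session status: Disconnect
Event packet drop due to loss connection: 8
"""

def parse_capwap(text):
    """Split 'Key: value' lines into a dict (indented DTLS sub-fields included)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def triage(text):
    """Return findings that point at the layer most likely failing, in dependency order."""
    f = parse_capwap(text)
    findings = []
    if f.get("CAPWAP client IP", "0.0.0.0") == "0.0.0.0":
        findings.append("no client IP: AP has no usable address (check DHCP, fallback IP or mgt0)")
    if f.get("CAPWAP server IP", "0.0.0.0") == "0.0.0.0":
        findings.append("server IP unresolved: DNS lookup of the HiveManager/redirector name failed")
    mode, port = f.get("CAPWAP transport mode", ""), f.get("Server destination Port", "")
    if mode.startswith("HTTP") and port not in ("80", "443"):
        findings.append(f"transport {mode} on port {port}: HTTP transport expects 80 or 443")
    if f.get("DTLS session status") == "Disconnect":
        findings.append("DTLS session down: no control channel to HiveManager established")
    drops = int(f.get("Event packet drop due to loss connection", "0") or 0)
    if drops:
        findings.append(f"{drops} events dropped on lost connection: path to the server keeps "
                        "failing (firewall or content filter is the usual cause)")
    return findings

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print("-", line)
```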
mdparker04

  • 11 Posts
  • 4 Reply Likes
Yes, the CAPWAP client IP is, of course, your AP's IP address. Are you sure that it was getting one? The only times I've seen one of my APs not get an IP address is when one of the following occurs:
1. Client not getting DHCP because the DHCP server or relay agent is not working correctly
2. Incorrect switch port settings: for example, the AP is configured for a trunk port and the switch port is set to static access or vice versa, the switch port is set to the wrong VLAN, etc.
Jens Fehn

  • 10 Posts
  • 0 Reply Likes
Since I don't have a DHCP, this can't be the problem.
I gave it a fixed IP that I can use to SSH onto the device. But in the config the IP is gone.
Must have been one of the many things I tried to make it work.

Can I assign an IP via SSH command?
Brian Powers, Champ

  • 396 Posts
  • 92 Reply Likes
If you've changed it over to using HTTP over TCP via port 80, just do a normal ping, not a CAPWAP ping of the IP.  This will tell you if you have L3 connectivity to the server.  A show int mgt0 dhcp client will also show you any IP info obtained via DHCP.  

edit:  Unless you're also blocking ICMP outbound via your firewall, then this will fail also.
(Edited)
Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
A really cool tool is TCPing that allows you to send TCP SYN packets on specific ports and see if you get a response.  It is extremely useful on networks where ICMP is blocked or unreliable.

In the screenshot below I have used a standard ICMP ping and a TCP ping (if no TCP port is specified then port 80 is used by default).

(Edited)
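The TCP probe Crowdie describes can be reproduced with the Python standard library: a full TCP handshake to the exact port tells a firewall drop (timeout) apart from a reachable host with nothing listening (refused), which ICMP ping cannot. This is an added example, not the TCPing tool or Aerohive code; demo() starts a loopback listener as a constructed stand-in for a reachable server so the check runs offline, and the UDP 12222 CAPWAP path cannot be tested this way.

```python
"""TCP-connect reachability probe in the spirit of TCPing (added example; standard library only)."""
import socket
import threading

def tcp_check(host, port, timeout=3.0):
    """Complete a TCP handshake to host:port and report (reachable, detail).

    Unlike ICMP ping this exercises the exact port a firewall must permit, so it
    still answers on networks where ICMP is blocked. It cannot test UDP 12222."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return True, f"connected to {s.getpeername()[0]}:{port}"
    except socket.timeout:
        return False, "timeout (packets silently dropped: typical of a firewall)"
    except ConnectionRefusedError:
        return False, "refused (host reachable, nothing listening or a reject rule)"
    except OSError as exc:  # DNS failure, no route, etc.
        return False, f"error: {exc}"

def probe(host, ports=(80, 443), timeout=3.0):
    """Check the TCP ports HiveOS falls back to when UDP 12222 is blocked."""
    return {port: tcp_check(host, port, timeout) for port in ports}

def _accept_once(srv):
    """Accept a single client then exit; errors when the socket is closed are expected."""
    try:
        srv.accept()[0].close()
    except OSError:
        pass

def demo():
    """Offline self-check: one open loopback port, one port with no listener."""
    srv = socket.socket()                     # constructed stand-in for a reachable server
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=_accept_once, args=(srv,), daemon=True).start()
    spare = socket.socket()                   # grab a free port, then release it
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    results = {
        "open": tcp_check("127.0.0.1", srv.getsockname()[1], timeout=2.0),
        "closed": tcp_check("127.0.0.1", closed_port, timeout=2.0),
    }
    srv.close()
    return results

if __name__ == "__main__":
    print(demo())
```

Against a real HiveManager host, probe() resolves the name through the AP's own resolver path only if run from a machine on the same segment, so run it from the AP's VLAN to mirror what the AP sees.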
Jens Fehn

  • 10 Posts
  • 0 Reply Likes
This is how far I get:

AH-5f37c0#sh capwap client
CAPWAP client:   Enabled
CAPWAP transport mode:  HTTP on TCP
IDLE state: Preparing to enter the DISCOVERY state
CAPWAP client IP:        10.87.100.151
CAPWAP server IP:        52.5.91.205
HiveManager Primary Name:52.5.91.205
HiveManager Backup Name:
CAPWAP Default Server Name: redirector.aerohive.com
Virtual HiveManager Name: Jens_Fehn
Server destination Port: 80
CAPWAP send event:       Enabled
CAPWAP DTLS state:       Enabled
CAPWAP DTLS negotiation: Disabled
     DTLS next connect status:   Enable
     DTLS always accept bootstrap passphrase: Enabled
     DTLS session status: Disconnect
     DTLS key type: passphrase
     DTLS session cut interval:     5 seconds
     DTLS handshake wait interval: 60 seconds
     DTLS Max retry count:          3
     DTLS authorize failed:         0
     DTLS reconnect count:          0
Discovery interval:      5 seconds
Heartbeat interval:     30 seconds
Max discovery interval: 10 seconds
Neighbor dead interval:105 seconds
Silent interval:        15 seconds
Wait join interval:     60 seconds
Discovery count:         0
Max discovery count:     3
Retransmit count:        0
Max retransmit count:    2
Primary server tries:    2
Backup server tries:     1
Keepalives lost/sent:    0/0
Event packet drop due to buffer shortage: 0
Event packet drop due to loss connection: 8

--
After that I lose both the server IP and the client IP, and then it loops.
Any suggestions or possible explanations?
mdparker04

  • 11 Posts
  • 4 Reply Likes
Comparing your output to mine, I don't see any obvious discrepancies. It looks and sounds like it should all work at this point unless your school firewall is still blocking somehow. For instance, to access the internet from a workstation, do you have to pass any network credentials to a proxy server? That would definitely cause a problem for the APs since they aren't passing those credentials. We used to have a device like that and we'd have to tell the server to allow this particular client IP to bypass network authentication.

In re-reading through the posts, I see that you had them connected to HMOL from home. Probably a stupid question, but you didn't remove them from the inventory did you (Monitor > Device Inventory > Remove)? If you did, the APs won't reconnect to HMOL because the server no longer recognizes them as valid APs for your site. To remedy that, you'd have to click on Device Inventory > Add/Import and add the serial numbers of each AP. If by chance you get an error about the serial already existing, you would have to call support and have them associate the serial number with your VHN.
Jens Fehn

  • 10 Posts
  • 0 Reply Likes
I'm going to take the AP back home and hook it up to my router with DHCP.
I'm pretty sure it'll work then, but the port isn't blocked.

Oh, and to your other suggestion: We have no proxy server running.
I'll report back later.
Brian Powers, Champ

  • 396 Posts
  • 92 Reply Likes
It's not losing its IP address. It is restarting the connection process. A "show int mgt0" will show you that the statically assigned IP that you gave it still applies. Your issue most likely lies with your firewall and/or content filter. Look for any logs in them that source from the statically assigned IP that you gave the AP.
Jens Fehn

  • 10 Posts
  • 0 Reply Likes
Thanks Brian,  I think you're right that our firewall is most likely the main problem.
I guess I need to have the school district people open the ports for me.
The fallback IP seems to work fine.
The AP works and provides an internet connection, but just can't connect through the firewall.
It was my understanding that the connection will (eventually) try to use port 80 if the others fail.
Apparently this isn't so.
Jens Fehn

  • 10 Posts
  • 0 Reply Likes
AH-5f37c0#sh int mgt0
Admin state=enabled; Operational state=up;
DHCP client=enabled;
Default IP subnet=192.168.0.0/255.255.0.0;
IP addr=10.87.100.151; Netmask=255.255.0.0; Default Gateway:0.0.0.0;
VLAN id=1;  Native vlan id=1;
MAC addr=9c5d:125f:37c0; MTU=1500;
Rx packets=202846; errors=0; dropped=0;
Tx packets= 58811; errors=0; dropped=0;
Rx bytes=48406631 (46.164 MB); Tx bytes=10059029 (9.593 MB);

This looks alright, apart from the gateway. Did I forget to configure this or is this ok?
Malcolm Snelgrove

  • 21 Posts
  • 2 Reply Likes
"Event packet drop due to loss connection": I had similar errors when a firewall was blocking the AP attempting to establish an SSH tunnel to HiveManager.

Can you plug it into another internet connection, or after the firewall to see if it comes up then?

See this post for a description and the ports that need to be open in a firewall:
https://community.aerohive.com/aerohive/topics/are_there_any_ports_that_must_be_opened_up_on_a_firew...
Jens Fehn

  • 10 Posts
  • 0 Reply Likes
Thanks for the post link! I'll try from home and see what happens.