
No DHCP Offers in separate Zone WLAN

Hi there,

today I have faced a weird problem.

I've set up some wireless networks at a customer's UTM.

All APs were rolled out to their final locations (some of them at the local site, some of them at remote sites).

The remote sites are connected to the main office by MPLS.

All APs showed up in the UTM and had been accepted properly. WLANs are configured as separate Zone and a DHCP server is configured for this network.

The problem is as follows:

Clients in the main office can receive an IP address as expected; clients in the remote office can see the SSID and connect but cannot obtain an IP address over DHCP.

 

Any ideas?

 

Kind regards

Tobias



  • Hi Tobias,

    Are the DHCP discover packets received on the UTM? Show us tcpdump on port 67 and the wireless.log.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi Tobias,

    In addition to Sachin's request, ask your MPLS provider if they're passing the DHCP packets.  Also, an outside possibility, check the Intrusion Prevention log just to confirm that Anti-UDP Flooding isn't causing this problem.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello everybody!

    I have the same problem.

    I have several companies which are connected via SG115 over S2S VPN and RED boxes.
    At the main location we have an SG230 which is the wifi controller for all locations and DHCP server for the guest network.

    At locations which are connected over the RED, the guest wifi is working, but at all locations which are connected over S2S VPN it is not.

    The client is asking for an IP address but the offer does not arrive at the client.

    I already tried to turn off the Anti-UDP Flooding but it did not work.

    Please can you help me?

    Thank you very much.

  • Hi, Christian, and welcome to the UTM Community!

    Are you saying that you have Sophos APs in the remote locations connected via IPsec S2S?  Are you also saying that the Guest SSID fails to deliver DHCP to the clients, but some other SSID works?

    Cheers - Bob

     
  • Hello Bob!

    Yes, the remote locations are connected via IPSec S2S.
    The other SSIDs are bridged into the local network and the clients get the IP from a local DHCP (Windows Server).
    For this I made an entry in the range options at the DHCP Server:


    The Guest SSID should get the IP from the main firewall which is the wifi controller.
    At locations which are connected with RED boxes, the wifi is working.

    Regards Christian

  • Hi Christian,

    Looking at the log lines, the UTM received a discovery and an offer was made. I can see a request from the remote client. Can you verify that?

    Thanks

    Sachin Gurung

  • Hello Sachin,

    Yes, the client requests an IP address. The UTM received the discovery and made an offer, but the offer does not arrive at the client.

     

    Regards Christian

  • I have 2 APs; I have played with one of them and got a working setup for guest WiFi.

    Today I just added a second AP and do not get client DHCP IPs on this second AP.

    I have noticed that if I remove the guest network from the AP and add it back again, the logs look different:

     

    BAD AP:

    2017:02:23-17:14:53 10.17.14.242 netifd: radio0 (13891): hostapd_setup_bss(hapd=0xb23648 (wlan0), first=1)
    2017:02:23-17:14:53 10.17.14.242 netifd: radio0 (13891): wlan0: Flushing old station entries
    2017:02:23-17:14:53 10.17.14.242 netifd: radio0 (13891): nl80211: flush -> DEL_STATION wlan0 (all)
    2017:02:23-17:14:53 10.17.14.242 netifd: radio0 (13891): wlan0: Deauthenticate all stations
    2017:02:23-17:14:53 10.17.14.242 netifd: radio0 (13891): nl80211: send_mlme - noack=0 freq=0 no_cck=0 offchanok=0 wait_time=0 fc=0xc0 nlmode=3
    2017:02:23-17:14:53 10.17.14.242 kernel: [ 5936.630000] br-vxlan100: port 2(wlan0) entered forwarding state
    2017:02:23-17:14:53 10.17.14.242 kernel: [ 5936.630000] br-vxlan100: port 2(wlan0) entered forwarding state
    2017:02:23-17:14:53 10.17.14.242 netifd: Network device 'wlan0' link is up
    2017:02:23-17:14:55 10.17.14.242 kernel: [ 5938.630000] br-vxlan100: port 2(wlan0) entered forwarding state
     
     
    GOOD AP:
     
    2017:02:23-17:47:12 10.17.14.241 kernel: [ 283.730000] br-vxlan100: port 1(vxlan.100) entered forwarding state
    2017:02:23-17:47:12 10.17.14.241 netifd: Network device 'wlan0' link is up
    2017:02:23-17:47:14 10.17.14.241 kernel: [ 285.190000] br-vxlan100: port 2(wlan0) entered forwarding state
     
    It seems that vxlan is the root cause, but I cannot check it with the UTM web GUI, and with the shell I will need much time.
     
    netifd: Interface 'vxlan100' is now up
    netifd: radio0 (2333): nl80211: Setup AP(wlan0) - device_ap_sme=0 use_monitor=0
    netifd: radio0 (2333): nl80211: Adding interface wlan0 into bridge br-vxlan10
    netifd: radio0 (2333): wlan0: interface state UNINITIALIZED->COUNTRY_UPDATE
    netifd: radio0 (2333): Previous country code DE, new country code DE
     
    Such log lines mean that the setup is not really trivial ;)
     
    But I can remember that I already had such an error (not getting DHCP offers). And as far as I remember, I got it fixed by deleting the wifi network and wlan0 iface and adding them back again.
    I'm going to try this solution NOW :)
     
  • Hmmm, the solution was to enable port 8472 UDP on the firewall, from the WiFi network (AP network) to the APs.

    In the test phase I had enabled it for one AP and was surprised, after connecting another AP, that clients did not get IPs on this second AP :)

    So check your Firewall logs:)
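
The symptom discussed in this thread (the server logs a discover and sends an offer, but the client never answers with a request) can be picked out of a DHCP server log mechanically. The following is an added example, not code from any poster or from Sophos; it assumes ISC dhcpd-style log messages, and the sample lines, MAC addresses, IPs, host name and interface name are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log (MACs, IPs, host and interface names are made up).
SAMPLE_LOG = """\
2017:02:23-17:20:01 utm dhcpd: DHCPDISCOVER from 00:11:22:33:44:01 via wlan1
2017:02:23-17:20:02 utm dhcpd: DHCPOFFER on 172.16.28.10 to 00:11:22:33:44:01 via wlan1
2017:02:23-17:20:02 utm dhcpd: DHCPREQUEST for 172.16.28.10 (172.16.28.1) from 00:11:22:33:44:01 via wlan1
2017:02:23-17:20:02 utm dhcpd: DHCPACK on 172.16.28.10 to 00:11:22:33:44:01 via wlan1
2017:02:23-17:21:10 utm dhcpd: DHCPDISCOVER from 00:11:22:33:44:02 via wlan1
2017:02:23-17:21:11 utm dhcpd: DHCPOFFER on 172.16.28.11 to 00:11:22:33:44:02 via wlan1
2017:02:23-17:21:14 utm dhcpd: DHCPDISCOVER from 00:11:22:33:44:02 via wlan1
2017:02:23-17:21:15 utm dhcpd: DHCPOFFER on 172.16.28.11 to 00:11:22:33:44:02 via wlan1
2017:02:23-17:21:22 utm dhcpd: DHCPDISCOVER from 00:11:22:33:44:02 via wlan1
2017:02:23-17:21:23 utm dhcpd: DHCPOFFER on 172.16.28.11 to 00:11:22:33:44:02 via wlan1
"""

# Message type, then the first MAC address that follows it on the line.
EVENT = re.compile(
    r"\b(DHCPDISCOVER|DHCPOFFER|DHCPREQUEST|DHCPACK)\b.*?"
    r"\b((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b",
    re.IGNORECASE,
)


def stalled_clients(log_text, min_offers=2):
    """Return {mac: offer_count} for clients that were offered a lease at
    least min_offers times but never sent a DHCPREQUEST.

    Repeated DISCOVER/OFFER pairs with no REQUEST mean the server is
    answering and the reply is lost on the way back to the client, so the
    next place to look is the firewall log for the return path (in this
    thread: UDP 8472 from the AP network to the APs).
    """
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m:
            counts[m.group(2).lower()][m.group(1).upper()] += 1
    return {
        mac: c["DHCPOFFER"]
        for mac, c in counts.items()
        if c["DHCPOFFER"] >= min_offers and c["DHCPREQUEST"] == 0
    }


if __name__ == "__main__":
    for mac, offers in stalled_clients(SAMPLE_LOG).items():
        print(f"{mac}: {offers} offers sent, no DHCPREQUEST seen")
```
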

  • Hi Vodochnik,

    Can you show us the picture of the configuration that gave you the solution to this post?

    Thanks

    P.S.- Edited the post for clear reference.

    Sachin Gurung