Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 2 subscribers
  • Views 5556 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Separate zone WLAN problem, DHCP client not accepting OFFER

kerobra_retired

Hey folks,

I have a strange problem with a newly activated wireless subscription. First of all, I configured nearly 30 UTMs the same way, but this time it runs into a problem. As we "bricked" some APs due to nervous technicians onsite I usually configure the whole WLAN thing in our office, and after every AP has the needed firmware from the UTM he will be connected to (via DHCP 234 option) I test the WLAN config.

The actual customer only wants a guest wireless network, so I created a separate zone config. Firewall rules allow Any to Internet IPv4, web filtering is not active, Masquerading is active. DNS servers are from google.

The client (iPhone6) connects successfully to the wireless network:

hostapd: wlan1: STA 11:22:33:44:55:66 IEEE 802.11: authenticated
hostapd: wlan1: STA 11:22:33:44:55:66 IEEE 802.11: associated (aid 1)
awelogger[1294]: id="4103" severity="info" sys="System" sub="WiFi" name="STA authentication" ssid="EQ-GAST" ssid_id="WLAN1.0" bssid="00:1a:8c:b2:55:24" sta="11:22:33:44:55:66" status_code="0"
awelogger[1294]: id="4104" severity="info" sys="System" sub="WiFi" name="STA association" ssid="EQ-GAST" ssid_id="WLAN1.0" bssid="00:1a:8c:b2:55:24" sta="11:22:33:44:55:66" status_code="0"
hostapd: wlan1: STA 11:22:33:44:55:66 WPA: pairwise key handshake completed (RSN)
awelogger[1294]: id="4101" severity="info" sys="System" sub="WiFi" name="STA connected" ssid="EQ-GAST" ssid_id="WLAN1.0" bssid="00:1a:8c:b2:55:24" sta="11:22:33:44:55:66"
hostapd: wlan1: STA 11:22:33:44:55:66 IEEE 802.11: disassociated
awelogger[1294]: id="4102" severity="info" sys="System" sub="WiFi" name="STA disconnected" ssid="EQ-GAST" ssid_id="WLAN1.0" bssid="00:1a:8c:b2:55:24" sta="11:22:33:44:55:66"
hostapd: wlan1: STA 11:22:33:44:55:66 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)

But on the iPhone it says "no internet connection". Looking under the info button I can see that it does not obtain an IP.
Looking in DHCPD log I can see that it requests an IP and that the server offers one:

dhcpd: DHCPDISCOVER from 11:22:33:44:55:66 (kb) via wlan1
dhcpd: DHCPOFFER on 192.168.71.101 to 11:22:33:44:55:66 (kb) via wlan1
dhcpd: DHCPDISCOVER from 11:22:33:44:55:66 (kb) via wlan1
dhcpd: DHCPOFFER on 192.168.71.101 to 11:22:33:44:55:66 (kb) via wlan1

There are no blocks in the firewall log, same on IPS.

We are connected via site-to-site IPSEC VPNs to our customers and firewall rules allow any from us to them and the other way. As I said above, I configured all wireless protections and APs this way in the past and tested them successfully and never had any problem with it. I could imagine everything will be fine when the AP is physically at customer's site, but what if not...

Has anyone an idea, what is going wrong here? The UTM has 9.505-4 installed.



This thread was automatically locked due to age.
  • 0

    I haven't seen that, Kevin - does the iPhone connect to other APs?

    In any case, I would get the UTM Up2Dated to 9.506 as it's the first 9.5 version I like.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob,

    yes the same iPhone accepts an offer on another WPA2P separate zone WLAN. So the issue is not the phone.
    Maybe the firmware is, the "good" UTM uses 9.506, the one I got the failure on is @9.505. Yesterday we got that issue on a customer's UTM with other devices, too.

    Will try to update the firmwares to 9.506 on both where the error occured. Will report...

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

Unfiltered HTML