This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

AP6 no IP over DHCP / No Internet

Hy!

We have a little problem with our AP6 420.

They are registered on Sophos Central so far so good.

So the AP6 is in our Managment VLAN is untagged and get a IP address and can connect to Sophos Central.

Now i want create a SSID with our Client VLAN tagged. (Untagged not possible Error only one Network can be untagged on the AP)

On the Switch (HP Aruba)  we have untagged MGMT VLAN and Tagged the Client VLAN.

Now i try to connect a client to the SSID and we dont get any DHCP Address or Internet/network with static IP.

We use a Windows DHCP Server on a different VLAN. Works quite well and Relay entries are given in our XGS2100 (SFOS 19.5.1 MR-1-Build278).

No problem with networkcables.

The next task is we want to create a Guest VLAN with another SSID but yeah if that doesnt work on the configured Client VLAN i can stop that for the moment. :-)

Does anyone have the same Problem or a Solution for that?

Thanks!



This thread was automatically locked due to age.
Parents
  • Hello  ,

    Thanks for reaching out to Sophos Community. 

    What happens when you put static IP settings on the clients instead? are they able to reach the:

    -default gateway

    -other clients on the network 

    -and internet connectivity? 

    Could you share your VLAN configuration on your Switch and AP? 

    Thank you

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Nothing i cant reach anything with static IP no gateway no Internet.

    With networkcables we dont have any Problems.

    Yes they are other clients too in the VLAN.

    Thats our Switch in the Office. Behind the Switch we have 3x 2930M Stack. Its all HP.

    The AP is on Port 5.


    trunk 23-24 trk1 lacp

    ip route 0.0.0.0 0.0.0.0 192.168.11.254

    interface 23
    name "UplinkConfig"
    exit

    interface 24
    name "Uplink HPV"
    exit


    vlan 1
    name "DEFAULT_VLAN"
    no untagged 1-22,25-28,Trk1
    ip address dhcp-bootp
    exit

    vlan 210
    name "SERVER"
    untagged 13-18,20
    tagged 11,25-28,Trk1
    no ip address
    exit

    vlan 211
    name "INFRA"
    untagged 5,21-22,Trk1
    ip address 192.168.11.50 255.255.255.0
    exit

    vlan 212
    name "CLIENT"
    untagged 1-4,6-10,12
    tagged 5,11,25-28,Trk1
    no ip address
    ip helper-address 192.168.10.210
    ip helper-address 192.168.10.211
    exit

    vlan 215
    name "VoIP"
    untagged 19
    tagged 25-28,Trk1
    no ip address
    exit

    We have a Request number too at the Support and he said other companies have this problem too, but the investigation take meanwhile over 1 week.

    LAN Bridge works on the AP fine, but we want to have a separated VLAN for the Guest Access.

  • Hello  ,

    Thank you for taking the time to update with details. Regret to hear about the issue you're currently encountering.

    Could you share with us the caseID you currently have with Support? 

    Many thanks for your time and patience, and thank you for choosing Sophos.

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Request Number 07428708

    Maybe I'm missing something but as I said, if we use cables we don't have any problems

Reply Children
  • Hello  ,

    I have left a note on your case with support. 

    On the other hand, If my assumption is correct, AP is connected to an edge switch > which is connected to a L3 switch which is (3x 2930M Stack) 

    How does VLAN 212 reach the DHCP server on the network? is it via VLAN routing on the L3 switch or through the Sophos Firewall? 

    Also, how is the L3 switch routing traffic to the Firewall? Is it through a Trunk port or a Routed port (using the Default Route to Sophos Firewall interface)? 

    What I can initially left for you to check is:

    - Make sure the switch interface connected to the AP6 is on a Tagged port for 212 (Client Vlan)

    - all uplinks (if you're connecting via trunk ports) must have VLAN 212 tagged

    - If connected through a routed port - kindly make sure there is an entry of Static route on Sophos Firewall, introducing the VLAN 212 network, so FW would know how to route traffic to and from the L3 switch which has the VLAN 212 information, so in this case make sure there's a defined network address on your L3 switch for vlan 212 e.g. 172.16.212.0 /24 and a static route on Sophos Firewall.

    -If through a trunk port - configure a VLAN subinterface with VLAN ID 212 on Sophos Firewall e.g. Port8.212 and have a FW policy configured for VLAN 212 to reach internet and other VLAN networks

    -in AP, I may recommend you to check/enable "Client isolation" under SSID > Security. 

    Otherwise, further checking on this case would be needed. 

    I hope this information helped your concern. We shall be continuing to track progress of your case with us.

    Again, many thanks for your time and patience and thank you for choosing Sophos. 

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • No we dont have a L3 Switch its all on XGS 2100 Firewall.

    We create a LAG with 2 Physical ports and on them the VLANs are binded.

    VLAN 212 is tagged through the LACP Trunk Ports for the whole company and to the Virtualization.

    FW Rules are set Subnet VLAN 212 to subnet VLAN 210 (Windows DHCP) and subnet VLAN 212 to Internet Breakout.

    DHCP Relay is defined too on the XGS.

    Client Isolation is off i checked it now again.

    It irritates me because it works normally with a cable. With a cable we immediately get an IP Lease and the network/internet works without any problems. All internal services like Windows AD/DNS/DHCP and so on works well too. 

    Only on the AP it doesnt work.

  • And before we used the AP55 on XG Firewall and we had a different setting.

    LAN Bridge into the Client VLAN and Separated Zone with own DCHP for the Guest on the old XG.

    That was quite easy to configure Slight smile