Check your ACLs, even the ACLs that have no usage as it wasn't applied to anything.
But under your Policies there is a ValidUser ACL that needed to have the network from our Palo Alto handing out DHCP on vlan 335. We don't use the 192.168.x.x network in production but that's what we were using for this bridged ssid connection. As soon as I added the network statement to that policy/acl everything worked. Hopefully it helps someone else down the road, as TAC wasn't any help and just kept rescheduling our meetings for 2-3 days even after escalating.
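Added example, not part of the original post or of Aruba's code: a small offline check of whether a client address is admitted by a validuser-style ACL, run against the wireless client address from this thread before and after the network statement is added. The rule syntax is simplified, first-match evaluation with an implicit deny is an assumption, and the 10.0.0.0/8 production range is a placeholder the thread does not give.

```python
import ipaddress

# Constructed ACL bodies in a simplified "<source> any any <action>" form.
# 10.0.0.0/8 stands in for the production range (placeholder, not from the thread).
VALIDUSER_BEFORE = """\
network 127.0.0.0 255.0.0.0 any any deny
network 169.254.0.0 255.255.0.0 any any deny
network 10.0.0.0 255.0.0.0 any any permit
"""
# The fix described in the post: a network statement for the bridged SSID subnet.
VALIDUSER_AFTER = VALIDUSER_BEFORE + (
    "network 192.168.111.0 255.255.255.0 any any permit\n"
)


def parse_rules(text):
    """Return [(source_network, action)] for each non-empty ACL line."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        action = tok[-1]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line!r}")
        if tok[0] == "network":
            net = ipaddress.ip_network(f"{tok[1]}/{tok[2]}")
        elif tok[0] == "host":
            net = ipaddress.ip_network(f"{tok[1]}/32")
        elif tok[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            raise ValueError(f"unsupported source match in: {line!r}")
        rules.append((net, action))
    return rules


def evaluate(acl_text, client_ip):
    """First matching rule wins; no match is treated as an implicit deny."""
    ip = ipaddress.ip_address(client_ip)
    for net, action in parse_rules(acl_text):
        if ip in net:
            return action, str(net)
    return "deny", "implicit"


if __name__ == "__main__":
    for label, acl in (("before", VALIDUSER_BEFORE), ("after", VALIDUSER_AFTER)):
        print(label, evaluate(acl, "192.168.111.8"))
```

On a live controller the equivalent check is to read the validuser ACL itself and compare every client subnet, including lab or bridged ones, against its source entries.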
Original Message:
Sent: Jun 26, 2023 06:57 PM
From: lord
Subject: Campus AP - Bridge Mode - Clients get DHCP but no Internet
You have to check which aruba user role is used, which ACL is used in this role and what the AP does with the user traffic.
Check aruba user role
Use "show user ap-name <your-ap-name>". Look for the MAC address or IP address and check the role name. Post the output.
Check ACLs
Take the role name from "show user..." and use "show rights <aruba user role>", post the output.
Check user traffic
Use the command "show datapath session ap-name <your-ap-name> table <your-client-ip>". Post the output.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACA - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Jun 26, 2023 11:08 AM
From: bergew
Subject: Campus AP - Bridge Mode - Clients get DHCP but no Internet
Wireless Controller config
Original Message:
Sent: Jun 26, 2023 04:01 AM
From: cordless
Subject: Campus AP - Bridge Mode - Clients get DHCP but no Internet
Could you please paste the show run from the Controller and not from the Mobility Conductor.
Original Message:
Sent: Jun 23, 2023 12:22 PM
From: bergew
Subject: Campus AP - Bridge Mode - Clients get DHCP but no Internet
Just PSK - clients connect to it, show up on WLC as seen in previous screenshot - Get DHCP but no internet.
Original Message:
Sent: Jun 23, 2023 11:47 AM
From: cordless
Subject: Campus AP - Bridge Mode - Clients get DHCP but no Internet
Ok, how do you authenticate the Client?
Can you please paste a "show run" output?
Original Message:
Sent: Jun 23, 2023 11:35 AM
From: bergew
Subject: Campus AP - Bridge Mode - Clients get DHCP but no Internet
Screenshot is within MC - Showing the client with vlan 0 - This is my phone
I don't see the vlan in the cli output of the requested command but here is that data - found user on our 2nd controller
(NoWires2) [MDC] *#show user mac 7e:ed:98:95:36:7f
This operation can take a while depending on number of users. Please be patient ....
The phy column shows client's operational capabilities for current association
Flags: A: Active, B: Band Steerable, H: Hotspot(802.11u) client, K: 802.11K client, M: Mu beam formee, R: 802.11R client, W: WMM client, w: 802.11w client, V: 802.11v BSS trans capable, P: Punctured preamble, U: HE UL Mu-mimo, O: OWE client, S: SAE client, E: Enterprise client, m: Agile Multiband client, C: Cellular Data Capable - network available, c: Cellular Data Capable - network unavailable,p: Pending GSM activation, T: Individual TWT client, t: Broadcast TWT client
PHY Details: HT : High throughput; 20: 20MHz; 40: 40MHz; t: turbo-rates (256-QAM)
VHT : Very High throughput; 80: 80MHz; 160: 160MHz; 80p80: 80MHz + 80MHz
HE : High Efficiency; 80: 80MHz; 160: 160MHz; 80p80: 80MHz + 80MHz
<n>ss: <n> spatial streams
Association Table
-----------------
Name bssid mac auth assoc aid l-int essid vlan-id tunnel-id phy assoc . time num assoc Flags Band steer moves (T/S) phy_cap
---- ----- --- ---- ----- --- ----- ----- ------- --------- --- ----- ------ --------- ----- ---------------------- -------
7e:ed:98:95:36:7f-b0:b8:67:00:46:52 Stats
------------------------------------------
Parameter Value
--------- -----
Channel 44
Channel Frame Retry Rate(%) 0
Channel Frame Low Speed Rate(%) 0
Channel Frame Non Unicast Rate(%) 0
Channel Frame Fragmentation Rate(%) 0
Channel Frame Error Rate(%) 0
Channel Bandwidth Rate(kbps) 0
Channel Noise 0
Client Frame Retry Rate(%) 0
Client Frame Low Speed Rate(%) 0
Client Frame Non Unicast Rate(%) 0
Client Frame Fragmentation Rate(%) 0
Client Frame Receive Error Rate(%) 0
Client Bandwidth Rate(kbps) 0
Client Tx Packets 8995
Client Rx Packets 372
Client Tx Bytes 304774
Client Rx Bytes 69910
Client SNR 41
A2C_SM SeqNum, Old SeqNums 121 0
Client non-preferred channels Disabled
Original Message:
Sent: Jun 23, 2023 11:18 AM
From: cordless
Subject: Campus AP - Bridge Mode - Clients get DHCP but no Internet
Can you please give a CLI output of
show user mac C0:3E:BA:4A:F9:7D
on the controller.
This is to verify if user is bridged and into which VLAN he is bridged.
Original Message:
Sent: Jun 23, 2023 10:53 AM
From: bergew
Subject: Campus AP - Bridge Mode - Clients get DHCP but no Internet
Sorry I edited that last statement because I had my wireless client statically assigned and didn't see that. Here they are both with dhcp - neither can ping the gateway but the wired client can still ping out to 8.8.8.8 but the wireless client can't
**Wired Client**
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Ethernet Connection (6) I219-V
Physical Address. . . . . . . . . : C0-3E-BA-4A-F9-7D
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.111.7(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, June 23, 2023 8:52:27 AM
Lease Expires . . . . . . . . . . : Friday, June 23, 2023 1:44:09 PM
Default Gateway . . . . . . . . . : 192.168.111.1
DHCP Server . . . . . . . . . . . : 192.168.111.1
DNS Servers . . . . . . . . . . . : 192.168.111.1
NetBIOS over Tcpip. . . . . . . . : Enabled
C:\Users\bergew>
C:\Users\bergew>ping 192.168.111.1
Pinging 192.168.111.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.111.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users\bergew>ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=20ms TTL=116
Reply from 8.8.8.8: bytes=32 time=20ms TTL=116
Reply from 8.8.8.8: bytes=32 time=20ms TTL=116
Reply from 8.8.8.8: bytes=32 time=21ms TTL=116
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 20ms, Maximum = 21ms, Average = 20ms
**Wireless Client**
C:\Users\bergew>ipconfig /all
Windows IP Configuration
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Wireless-AC 9560 160MHz
Physical Address. . . . . . . . . : 14-F6-D8-EB-FF-64
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.111.8(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, June 23, 2023 9:45:28 AM
Lease Expires . . . . . . . . . . : Friday, June 23, 2023 1:45:27 PM
Default Gateway . . . . . . . . . : 192.168.111.1
DHCP Server . . . . . . . . . . . : 192.168.111.1
DNS Servers . . . . . . . . . . . : 192.168.111.1
NetBIOS over Tcpip. . . . . . . . : Enabled
C:\Users\bergew>ping 192.168.111.1
Pinging 192.168.111.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.111.8: Destination host unreachable.
Ping statistics for 192.168.111.1:
Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
C:\Users\bergew>ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users\bergew>
Original Message:
Sent: Jun 23, 2023 10:35 AM
From: cordless
Subject: Campus AP - Bridge Mode - Clients get DHCP but no Internet
Could you please test to ping the Default Gateway from the wireless Client.
In my inbox I received this information which is not seen in your answer...which is interesting because this could be the source of the issue
Original Message:
Sent: Jun 23, 2023 10:17 AM
From: bergew
Subject: Campus AP - Bridge Mode - Clients get DHCP but no Internet
Wireless Client details
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Wireless-AC 9560 160MHz
Physical Address. . . . . . . . . : 14-F6-D8-EB-FF-64
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.111.8(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, June 23, 2023 9:18:25 AM
Lease Expires . . . . . . . . . . : Friday, June 23, 2023 1:18:24 PM
Default Gateway . . . . . . . . . : 192.168.111.1
DHCP Server . . . . . . . . . . . : 192.168.111.1
DNS Servers . . . . . . . . . . . : 192.168.111.1
NetBIOS over Tcpip. . . . . . . . : Enabled
C:\Users\bergew>ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 192.168.111.8: Destination host unreachable.
Request timed out.
Reply from 192.168.111.8: Destination host unreachable.
Ping statistics for 8.8.8.8:
Packets: Sent = 3, Received = 2, Lost = 1 (33% loss),
Control-C
^C
C:\Users\bergew>tracert 8.8.8.8
Tracing route to 8.8.8.8 over a maximum of 30 hops
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
Wired Client details
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Ethernet Connection (6) I219-V
Physical Address. . . . . . . . . : C0-3E-BA-4A-F9-7D
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.111.7(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, June 23, 2023 8:52:27 AM
Lease Expires . . . . . . . . . . : Friday, June 23, 2023 12:52:27 PM
Default Gateway . . . . . . . . . : 192.168.111.1
DHCP Server . . . . . . . . . . . : 192.168.111.1
DNS Servers . . . . . . . . . . . : 192.168.111.1
NetBIOS over Tcpip. . . . . . . . : Enabled
C:\Users\bergew>ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=20ms TTL=116
Reply from 8.8.8.8: bytes=32 time=20ms TTL=116
Ping statistics for 8.8.8.8:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 20ms, Maximum = 20ms, Average = 20ms
Control-C
^C
C:\Users\bergew>tracert 8.8.8.8
Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.111.1
2 7 ms 13 ms 11 ms
3 1 ms 1 ms 1 ms
4 1 ms 1 ms 1 ms
5 1 ms 1 ms 1 ms
6 2 ms 1 ms 2 ms
7 5 ms 5 ms 5 ms
8 13 ms 13 ms 13 ms
9 11 ms 12 ms 12 ms
10 20 ms 20 ms 20 ms
11 21 ms 21 ms 21 ms
12 20 ms 20 ms 20 ms
13 20 ms 20 ms 20 ms dns.google [8.8.8.8]
So both seem to have the same result for ip whether it's wired or wireless. Just Wireless clients can't get internet but wired clients can
Original Message:
Sent: Jun 23, 2023 08:42 AM
From: cordless
Subject: Campus AP - Bridge Mode - Clients get DHCP but no Internet
Where does the client get the IP address from?
Is the VLAN configured on the Switch Uplink port of the AP?
Is it possible to ping the client's IP from the wired network?
Which OS Version are you using? Instant or AOS10?
Original Message:
Sent: Jun 23, 2023 08:33 AM
From: bergew
Subject: Campus AP - Bridge Mode - Clients get DHCP but no Internet
Try to do a traceroute to 8.8.8.8 for instance to see where it gets stuck.
- Traceroute sticks at wireless client IP handed out by DHCP
Can the Client ping the Gateway?
I don't believe so but will check. Assumption since traceroute didn't get past client IP, I believe it won't get to gateway
Why are you using "route src nat statement"?
Trying anything on the role. IP any any didn't do. Tried adding individual services in case something was getting stuck. Then airhead forums mentioned to add that statement so I tried it but no success.
Wireless clients get dhcp/no internet same vlan/same switch.. Wired client get dhcp/internet same vlan/switch.
So seems like I'm missing something in the configuration on mc/wlc or the 205AP isn't handling bridge mode properly maybe.
It looks like I'm at step 7/8 in the process because I can get a dhcp address from the dhcp server we're using for this. Same ip,sn,gw,dns is handed out for wired and wireless clients on the vlan 335 we're using
AP Configuration and Client Connection Workflow
In the bridge mode topology, the AP configuration and client connection workflow includes the following steps:
1. The administrator configures a WLAN SSID in the Bridge mode for the AP group in AOS 10.x and the APs in the group inherit this configuration.
2. The APs in the group advertise the WLAN SSID.
3. The WLAN client connects to the SSID broadcast on an AP.
4. Based on the security profile configured for the WLAN SSID, the AP authenticates the client.
5. Based on the security and role assignment policy configured for the WLAN SSID, the AP derives the user role and VLAN information either locally or from the external authentication server.
6. The client gets an IP address from DHCP server.
7. After the client is successfully connected, the client traffic is encapsulated and sent to the AP.
8. The AP decrypts and bridges traffic on the client VLAN.
9. When the client roams from one AP to another within the VLAN, the Cloud-Assisted Roaming Services feature ensures that the client connection is seamless without the need for re-authentication.
Original Message:
Sent: 6/23/2023 3:48:00 AM
From: cordless
Subject: RE: Campus AP - Bridge Mode - Clients get DHCP but no Internet
Try to do a traceroute to 8.8.8.8 for instance to see where it gets stuck.
Can the Client ping the Gateway?
Why are you using "route src nat statement"?
Original Message:
Sent: Jun 22, 2023 01:48 PM
From: bergew
Subject: Campus AP - Bridge Mode - Clients get DHCP but no Internet
Hello,
Trying to get bridge mode setup - Clients can get a dhcp address from our DHCP server on that same vlan but no internet.
Wired clients on the same vlan get internet access so it seems to be something on the WLC/AP group or within the profiles.
Any thoughts on why wireless clients can get a dhcp IP address from dhcp server but no internet access?
I've tried the ipv4, user, any, any, route src nat statement with no success - The rule is allowing everything ip any any and the session acl is allow all
Thank you,
Eric