Client not getting IP address, VLAN is behind ASA firewall

gabbybher

Hi,

It's my first time deploying Meraki and I'm having an issue with a specific SSID, as the client is not getting an IP address. I will be replacing Aironet with Meraki.

The Meraki SSID with the issue is in bridge mode and it's using VLAN 308 for VLAN tagging.

The switchport is in trunk mode and the native VLAN is set to the VLAN for the Meraki management IP (no VLAN filtering on the switchport). VLAN 308 is in the VLAN database of the core and access switches, but VLAN 308 is behind a Cisco ASA firewall.

VLAN 308 already exists and it's being used by Aironet access points. Clients connected to the SSID from Aironet are able to acquire an IP address.

DHCP IPs are not depleted as well.

Kindly guide me if there is something I need to add on the Meraki Dashboard or on the Cisco ASA.

Thank you.

DarrenOC

Hi @gabbybher, go to Wireless > Configure > Firewall and Traffic shaping.

Are you allowing or denying clients access to the LAN? If set to deny, then clients won’t get an IP from your DHCP server.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

Hi Ucert,

I think the SSID is on default settings for Firewall and Traffic Shaping.

DarrenOC

Scroll down on that page. What are your outbound rules? By default, Local LAN is blocked.


It's also on default, allow IPv4 any any.

PhilipDAth

Some part of the information you have supplied is wrong, as the above should work, so you need to double-check everything.

Make sure the SSID is set to bridge mode and is definitely bridging to VLAN308.

Make sure the switch port is definitely in trunk mode and definitely allowing VLAN308. Make sure the switch's uplink is allowed to send and receive VLAN308.

Make sure the client is definitely authenticated to the SSID. They won't get an IP address if they haven't authenticated.

Hi PhilipDAth,

SSID is set to bridge mode.

Switchport is on trunk (no VLAN filtering).

Switch uplink allows all VLANs.

VLAN 308 is on the VLAN database of Core and Access switches.

The tester is able to authenticate and connect to the SSID but it's not getting an IP from the DHCP server, just getting APIPA (169.254.x.x).

VLAN 308 is behind Cisco ASA firewall.

Are there configurations that I should add on Dashboard or Cisco ASA side?

Thank you.

DarrenOC

@gabbybher, what are you seeing in the ASA logs? Can you see the DHCP requests from the clients?

PhilipDAth

If the other WiFi system has security features, try turning them off. Perhaps it is seeing a rogue connected AP and is sending disassociation requests to prevent the client from being attached to the Meraki AP.

What does Meraki Wireless Sentry say? Anything in the Meraki wireless event log?
