Clients unable to connect to MR33 keep getting 0.0.0.0 IP

ZeeBoussaid
Getting noticed

Clients unable to connect to MR33 keep getting 0.0.0.0 IP

we have about 200 MRs some are 42 and most are 33. recently I start receiving calls about users unable to connect to to some MR33. no changes were made and i know other MR 33 in our network are working just fine. the MR in question is showing users with 0.0.0.0 IPs, Radius servers are configured correctly since these MRs were bounded to a template when first deployed. i checked ISE and the NAD is sending incomplete authentication requests often in the same millisecond. I don’t know how ISE is supposed to process them that fast   i reboot it couple times, even removed it from ISE and add it back and still unable to figure this out. firmware is up-to-date 27.1.1. any thoughts? thank you in advance.

 

 

Cheers.

13 Replies 13
Inderdeep
Kind of a big deal
Kind of a big deal

@ZeeBoussaid : I saw this issue earlier as well. Try to reset and if problem didn’t resolved open a case with Meraki 

https://community.meraki.com/t5/Wireless-LAN/MR46-Wont-Get-DHCP-IP-IP-Stuck-at-0-0-0-0/m-p/95935#M14...

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
ZeeBoussaid
Getting noticed

that's not the same issue, all my MRs have static assigned, the clients who are not getting a valid IP.

PhilipDAth
Kind of a big deal
Kind of a big deal

Any chance the DHCP scope is full?

 

What does Meraki Health show?

 

Is the VLAN that the SSID maps to definitely allowed on the switch port?

ZeeBoussaid
Getting noticed

@PhilipDAth: the MR is connected to an MX67 via port 4, and VLAN is allowed in that port, I already checked, but for some weird reason, under Clients in the MX, the only device im testing to connect to the MR, is showing VLAN0, but the allowed VLAN is 100. I dont think it's a DHCP scope issue since only about 10 employees in the office in question.
cmr
Kind of a big deal
Kind of a big deal

@ZeeBoussaid how is the MR33 connected to the MX, via a PoE injector or are you powering it directly?  For the SSID you are connecting to, is it in bridged mode and have you set the VLAN to 100?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
ZeeBoussaid
Getting noticed

@cmr the MR is connected to port 4 on the MX, in bridge mode. port 4 on the MX is set to access Vlan100. Meraki is unable to figure this out, and asking to troubleshoot it in real time.

cmr
Kind of a big deal
Kind of a big deal

@ZeeBoussaid I'd set the port to trunk native 100 and my question was more have you set the VLAN on the SSID?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
ZeeBoussaid
Getting noticed

@cmr that's actually a good test to assign the port on the MX to truck with native 100. im just confused why out of 200 MRs this one refuses to work. i can use the Vlan tagging and assign Vlan 100 just for the sake of testing. i also get the error below in ISE, looks like a bottleneck somewhere.

 

  • Event 5441 Endpoint started new session while the packet of previous session is being processed. Dropping new session.
  • Failure Reason 5441 Endpoint started new session while the packet of previous session is being processed. Dropping new session.
JSalmond
Here to help

@ZeeBoussaid did you get this resolved ? We are also experiencing issues with our MR33 and MR42 but not our MR36 that sound similar to yours. A number of our iPads  can connect to the network but at random times normally after being unlocked from sleep they will display as connected but show as having no internet access. 

 

Although our devices show as having an IP address  we are getting the same "5441 Endpoint started new session while the packet of previous session is being processed. Dropping new session." in the ISE 

 

We also have noticed that we get a "unexpectedly disassociated, but the client had a successful connection to <SSID> SSID 802.11 REASON (CODE 34) Missing Acknowledgements" within Clint Timeline, not sure if you get this ?

 

We have had a call in with support for few weeks now but haven't got to the bottom of he issue . 

 

ZeeBoussaid
Getting noticed

@JSalmond I have a ticket open with Meraki Support, they refer it to their Cisco TAC team, Meraki doesn't even know what the error showing in ISE means. the weird thing is, the MR33 that I initially had an issue with is now working, clients are getting IPs and authenticating correctly. yesterday I added a new MR42 in our HQ and I successfully connected to it at the beginning and then it dropped, my laptop won't get an IP. if you have multiple people unable to connect and it's a big deal, try to set the SSID with a PSK and no splash, it will bypass ISE temporarily. share the SSID password with your clients so they can connect while you can troubleshoot this.

ZeeBoussaid
Getting noticed

I think the problem is ISE itself, check your last patch. we rebooted the 2 ISE radius servers and that seems to fix the issue.

henleyjj
Here to help

What version of ISE are your PSNs running atm? We're on v2.6.0.156 and have started to experience  the same issue only 2 days ago, which seemly only is limited to sites with clients trying to connect to 1 particular SSID via MR46 APs.

Seems like they're ISE Is struggling to respond to clients and is going in a loop with the 5441 & 5405 msgs. 

henleyjj_0-1653291647859.png

 

JSalmond
Here to help

Hi @henleyjj  our ISE was running 2.7.0.356 with patches 2,4,5 and it now running patch 7 however the issue for us turned out to be caused by the bonjour service, once this was disabled we no longer experienced issues. 

 

Unsure if the symptoms you are experiencing are the same as ours, I also have a post on the Cisco ISE community regarding our issue with a break down of the symptoms we had. 

 

https://community.cisco.com/t5/network-access-control/ios-device-re-auth-after-wakeup-on-meraki-ise/...

 

Hope you get your issue resolved 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels