Performance issue in guest access anchored in DMZ

Hello,
I've been having performance issue in our wifi guest network anchored in the DMZ.
I have 3-5508 anchor controllers behind the Checkpoint gaia firewall and have 24 guest SSIDs in here.
Right now, only 14 guest SSIDs are enabled and tunnelled out in this anchor DMZ setup, whenever I try to add few more SSIDs I run into performance issue.
It seems to me that the problem is not about these additional SSIDs that I add because the performance issue starts to appear only when the traffic peaks or associated clients reached to certain number which is in my case 4000 users.
The firewall serves as the NAT device and gateway for all these guest SSIDs. The cpu, memory, number of connections have been checked and verified low.
Has anyone seen a problem like this? or has a setup like mine?
thanks!

Presuming you're not exceeding client count maximums on the individual WLCs I can't say I've seen anything in line with this "specific problem", but anything is possible.
What are the specific "performance issues" the clients are experiencing? Is it just general poor performance (slow web browsing/etc) or do you see other issues like no internet connectivity at all or something else?
May I ask, what is the use-case behind having 24 SSIDs on your anchors?

Similar Messages

WLC as a Mobility Anchor for guest access - Management on DMZ or not DMZ

When using Guest Access Cisco recommend a Mobility Anchor Controller be placed on a DMZ and the guest access wireless Lan is tunneled to this controller. This means that 2 DMZ subnetworks are required - one for the management interface and one for the wireless lan's dynamic interface itself.
I am trying to see if there are any disadvantages/security risks using 2 physical ports on the controller (no LAG) and placing one on a corporate network inside the firewall for management and to terminate the mobility anchor tunnel, and one outside the firewall on a DMZ for the wireless lan's dynamic interface.
Advantages that I see are that no tunnels need to go though a firewall, management of the WLC is kept completely inside the corporate network, protected by the firewall and not left on the DMZ.
Thanks.

OK, so to recap;
- place the 2nd WLC in the DMZ with only 1 port (set for dynamic AP management)?
- Then Anchor the guest SSID (on it's DMZ IP instead of management IP as is now)
And to make that kind of anchoring work, I have to open ports below on the firewall.. right?
UDP port 16666 for inter-WLC communication, and IP protocol ID 97 Ethernet in IP for client traffic.
and:
•TCP 161 and 162 for SNMP
•UDP 69 for TFTP
•TCP 80 or 443 for HTTP, or HTTPS for GUI access
•TCP 23 or 22 for Telnet, or SSH for CLI access
Thanks to confirm that

AP Groups - Guest Access - Anchor Controller

Need clarification - I think it does work
Does the AP Group feature work with the anchor controller guest access feature
SSID guest --- LWAP -- LWAPP -- Foreign WLC --- EoIP --- Anchor Controller --- VLAN 10 or VLAN 11
ie
Guests in Building 1
SSID guest VLAN 10
Guests in Building 2
SSID guest VLAN 11
Mark

Hi,
As far as I know, AP Group only works locally in each controller, and the mapping between SSID and VLAN is done in the anchor controller.
Therefore, all clients will end up in the same VLAN, even if access points are in different AP Groups in the first WLC.
Kind regards
Johan

Performance issues of SQL access to AW

Hi Experts:
I wonder whether there is performance issues when using SQL to access AW. When using SQL to access cubes in AW, the SQL queries the relational views for AW objects. And the views are based on OLAP_TABLE function. We know that, views based on any table function are not able to make use of index. That is to query a subset of the data of a view, we would have to full scan the view and then apply the filter. Such query plan always lead to bad performance.
I want to know, when I use SQL to retrieve a small part of data in an AW-cube, will Oracle OLAP engine retrieve all data in the cube and then apply the filter? If the Oracle OLAP engine only retrieves data needed from AW, how can she did it?
Thanks.

For most requests the OLAP_TABLE function can reduce the amount of data it produces by examining the rowsource tree , or WHERE clause. The data in Oracle OLAP is highly indexed. There are steps a user can take to optimize the index use. Specifically, pin down the dimension(s) defined in the OLAP_TABLE function LIMITMAP via (NOT)IN lists on the dimension, parent, level or GID columns. Use of valuesets for the INHIER object, instead of a boolean object.
In 10g, WHERE clauses like SALES > 50 are also processed prior to sending data out.
For large requests (thousands of rows) performance can be a problem because the data is being sent through the object layer. In 10 this can be ameliorated by wrapping the OLAP_TABLE function call with a SQL MODEL clause. The SQL MODEL knows a bit more about the Olap options and does not require use to pipe the data through the object layer.
SQL MODEL example (note no ADT defintion, using of auto ADT) This can be wrapped in a CREATE VIEW statement :
select * from olap_table('myaw duration session', null, null, 'measure sales as number from aw_sales_obj dimension d1 as varchar2(10) from geog ...rest of dimensions')
sql model dimension by (d1, d2, d3, d4) measures (sales, any attributes, parent columns etc...) unique single reference rules update sequential order ()
Example of WHERE clause with above select.
SELECT *
FROM (select * from olap_table('myaw duration session', null, null, 'measure sales as number from aw_sales_obj dimension d1 as varchar2(10) from geog ...rest of dimensions')
sql model dimension by (d1, d2, d3, d4) measures (sales, any attributes, parent columns etc...) unique single reference rules update sequential order ()))
WHERE GEOG NOT IN ('USA', 'CANADA')
and GEOG_GID = 1
and TIME_PARENT IN ('2004')
and CHANNEL = 'CATALOG'
and SALES > 50000;

Cisco ASR 1002- performance issue due to access list

Hi,
We are planning to implement inbound access-list to block subnets from particular country. Since the subnets are not contiguous, we have about 16000 lines of acl entries.
I want to know, would there be any performance or latency issues after applying 16k lines of acl?
Is there a good document where I can read more about ACL limitations and performance issues on ASR.
This is for ASR1002, running IOS-XE 15.3(1)S1.
Thanks

Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Sorry, I don't know the answer to your questions, but I'm writing to mention a 7200 feature, that if supported on the ASR, might help in your situation. See http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html#turbo

WEB Authentication Certificate on WLC4400 - Guest Access

I need to know if there is a debug command to trouble shoot Web Authentication Certificate Issue for Guest Access. I'm currently troubleshooting an issue to verify if our Anchor controller is passing redirects to our web Server. Any advise would be appreciated.
This is on a WLC4404 Controller

Is the redirect url configured with a name or IP address? If it is a name make sure there are no issues getting DNS resolution of the name.
The best troubleshooting method I can recommend is using a sniffer to capture the traffic at the anchor controller towards the webserver to see if the traffic passes to the webserver.

Using ISE for guest access together with anchor controller WLC in DMZ

Hi there,
I setup a guest WLAN in our LAB environment. I have one internal WLC connection to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal which works fine.
To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?
Thx
Frank

So i ran into a similar scenario on a recent deployment:
We had the following:
WLC-A on private network (Inside)
ISE Servers ISE01 and ISE02 (Inside)
WLC-B Anchor in DMZ for Guest traffic (DMZ)
ISE Server 3 (DMZ)
ISE01 and ISE02 are used for 802.1X for the private network WLAN.
Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth. Since we want to do CWA, we use Mac Filtering with ISE as the radius server. If you send this traffic RADIUS authentication for Mac Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to. Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails. (This was a limitation of ISE 1.1. Not sure if this persists in 1.2 or not.
So what now? In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentiction from the Foreign controller so that the client will use a DNS of https://ise03.mydomain.com/... to redirect the client to. Once the session is authenticated, ISE03 will send a CoA back to the foreign which will remove the redirect for the session. Note, you do have to allow ISE03 to send a CoA.
In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node.

ISE with CWA and wired guest access via WLC Anchor

Can an Anchor WLC (WLCa) provide a wired guest LAN service if the wlan guest access is using CWA?
We are deploying a WLAN only ISE solution (it is a full license ISE though) but they just want a few wired guest ports. I was hoping to add L2 switch to the DMZ where the WLCa is and that the L2 switch wouldnt need any other config as the WLCa just bridges the wired to the wlan vlan. This Im sure i have done before.
So now I have set wiredguest the same as i have done before ISE and my wired clients get an IP address, but when they redirect, the URL they get is different, and the redirect just doesnt work.
It comes out as:
https://my_ise_ip:8443/guestportal/Login.action?switch_url=https://my_ise_host/login.html&wlan=my_wired_guest_lan&redirect=www.google.co.uk
So does my simple L2 only switch need an ISE config on it or should the WLCa be handling or the redirection just as it would for a wlan device.

The ISE never receives an auth entry, so i dont believe the redirect is working for the wired client. So even though the clients browser gets a redirect url which fails connection, the client info in the WLCa doesnt have a redirect ACL listed like a wlan client would

Wireless guest access with CWA and ISE using mobility anchor

My team is trying to demo wireless guest access using CWA with an ISE server. We appear to be hitting an issue when combining this with mobility anchoring.
When we don't use a mobility anchor the authentication goes off without a hitch seemingly proving that the ISE configuration is sound. The test laptop associates and gets redirected, auths, moves to the RUN state and access to the network is granted.
When the mobility anchor is enabled, the test laptop does get redirected, authentication is successful, but the process does not fully complete, as on the foreign controller the user is in RUN state whereas on the anchor the user is still stuck at CWA required.
Now, I've read the L2 auth occurs between the foreign controller and ISE, and the L3 auth occurs between the anchor controller and ISE, but this does not appear to borne out in packet captures of the process where both parts of the auth seems to go to and from the foreign controller and ISE.
I'm curious to know if anyone else has come across this issue, or has ideas where I should be looking in the config or debugs to find the root cause.
When setting up the controllers and ISE this guide (linked below) was used and the controllers are 2504 controllers on 7.5 series software and ISE is on the latest 1.2 patches:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
To me it seems to be mobility related, but the authentication flow does seem to be off compared with what the guide says.

FOREIGN
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Adding mobile on LWAPP AP 0c:d9:96:ba:7d:20(1)
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Association received from mobile on BSSID 0c:d9:96:ba:7d:2f
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Global 200 Clients are allowed to AP radio
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Max Client Trap Threshold: 0 cur: 0
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Rf profile 600 Clients are allowed to AP wlan
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Re-applying interface policy for client
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4565 setting Central switched to TRUE
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4568 apVapId = 1 and Split Acl Id = 65535
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying site-specific Local Bridging override for station 00:1e:c2:c0:96:05 - vapId 1, site 'AP-Group-CHEC.default', interface 'management'
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying Local Bridging Interface Policy for station 00:1e:c2:c0:96:05 - vlan 84, interface id 0, interface 'management'
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfProcessAssocReq (apf_80211.c:7830) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Idle to AAA Pending
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station: (callerId: 20) in 10 seconds
*radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created for mobile, length = 253
*radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created in mscb for mobile, length = 253
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Received SGT for this Client.
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 255 to 255
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 84
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Re-applying interface policy for client
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 0 on mobile
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
MAC: 00:1e:c2:c0:96:05, source 2
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Initializing policy
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfMsAssoStateInc
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 1800, apfMsTimeOut '1800' and sessionTimerRunning flag is 0
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station: (callerId: 49) in 1800 seconds
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 1800
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
*DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
*DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
*DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmQueryRequested'
*DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
*DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
*DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmQueryRequested'
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 apfMsRunStateInc
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 5793
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Adding Fast Path rule
type = Airespace AP Client
on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
IPv4 ACL ID = 255, IPv6 ACL ID = 255,
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206 Local Bridging Vlan = 84, Local Bridging intf id = 0
*mmMaListen: Jan 28 23:05:02.363: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
*pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
*pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 0.0.0.0 plumbing in FP SCB
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP processing DHCP REQUEST (3)
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 5, flags: 0
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   requested ip: 10.130.98.8
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP received op BOOTREPLY (2) (len 320,vlan 84, port 13, encap 0xec07)
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP processing DHCP ACK (5)
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 0, flags: 0
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0, yiaddr: 10.130.98.8
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   siaddr: 10.30.4.173, giaddr: 0.0.0.0
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   server id: 1.1.1.2 rcvd server id: 1.1.1.2
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) DHCP Address Re-established
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Reached PLUMBFASTPATH: from line 6978
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
type = Airespace AP Client
on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
IPv4 ACL ID = 255, IPv6 ACL ID
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206 Local Bridging Vlan = 84, Local Bridging intf id = 0
*DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 Assigning Address 10.130.98.8 to mobile
*DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
*DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
*DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP successfully bridged packet to STA
*pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
*pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4
*pemReceiveTask: Jan 28 23:05:03.890: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 10.130.98.8 plumbing in FP SCB
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Received SGT for this Client.
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 0 to 255
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 AAA redirect is NULL. Skipping Web-auth for Radius NAC enabled WLAN.
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
MAC: 00:1e:c2:c0:96:05, source 2
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Applying cached RADIUS Override values for mobile 00:1e:c2:c0:96:05 (caller pem_api.c:2307)
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Applied RADIUS override policy
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
type = Airespace AP Client
on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
IPv4 ACL ID = 255, IPv6 ACL ID
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206 Local Bridging Vlan = 84, Local Bridging intf id = 0
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Change state to RUN (20) last state RUN (20)
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfMsAssoStateInc
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 3600, apfMsTimeOut '1800' and sessionTimerRunning flag is 1
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station: (callerId: 49) in 3600 seconds
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 3600
*apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
*apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
*pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
*pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4

Guest access to the Internet with Guest Anchor Controller

Hi;
We are doing our initial implementation of an enterprise wireless system. I deployed a WLC 5508 connected to our data center core switch using LAG. The 5508 is configured in FlexConnect mode since it is serving APs deployed to a handful of remote offices. Employee wireless access has been rolled out and is working well.
I am designing guest access. As is typical, I want to enforce a policy that guest wireless traffic is forwarded to the Internet Edge in our DMZ and directed out to the Internet. We do not plan to deploy a Guest Anchor controller in the first phase of the roll out.
What is the best way to enforce forwarding of guest traffic towards the Internet Edge once the guest traffic arrives at the 5508? A guest VLAN between the core switch and the Internet Edge isn't feasible since there is a firewall between the core and DMZ that is configured in Routed mode.
Thanks for the assistance! Glenn Morrison

you'd have to do a VLAN between the core and the firewall for the guest traffic until you get the anchor installed.
HTH,
Steve

Guest access web authentication issue

Hello experts-
we have a problem concerning secure guest access. One controller 4402 is installed in DMZ and is working as guest anchor WLC. The guest user terminates as this anchor wlc. From this controller the client will get the ip address but when the user will open the browser and insert the url like www.cisco.com, there is no redirect to the web authentication page. If we try to reach the virtual IP via Web browser the authentication page will not be seen. Proxy setting in browser are deactivated. DNS works, if no authentication is configured Internet access is working well. But if we configure "Pass Thru", the client is in status "Authentication required" again.
Has anybody any ideas?
Thanks a lot, Martin

First of all, when you configure the wlan to open, do you see that device on the anchor controller or the foreign wlc? You should see the user authenticated on the anchor. If not, then your mobility between the foreign and anchor is not working. Mping and Eping between the foreign and anchor wlc. Verify that the ssid has mobility anchor configured. Also you must make sure that your ssid on the foreign and on the anchor wlc. The webauth page will need to be installed on the anchor wlc along with the 3rd party certificate if you use one.

Performance issues while accessing the Confirm/Goods Services' transaction

Hello
We are using SRM 4.0 , through Enterprise Portal 7.0.
Many of our users are crippled by Performance issues when accessing the Confirm/Goods Services tab( Transaction bbpcf02).
The system simply clocks and would never show the screen.
This problem occurs for some users all the time, and some users for some time.
It's not related to the User's machine as others are able to access it fast using the same machine.
It is also not dependent on the data size (i.e.no . of confirmations created by the user).
We would like to know why only some users are suffering more pronouncedly, and why is this transaction generally slower than all others.
Any directions for finding the Probable cause will be highly rewarded.
Thanks
Kedar

Hi Kedar,
Please go through the following OSS Notes:
Note 610805 - Performance problems in goods receipt
Note 885409 - BBPCF02: The search for confirmation and roles is slow
Note 1258830 - BBPCF02: Display/Process confirmation response time is slow
Thanks,
Pradeep

Can't access root share sometimes and some strange performance issues

Hi :)
I'm sometimes getting error 0x80070043 "The network name cannot be found" when accessing \\dc01 (the root), but can access shares via \\dc01\share.
When I get that error I also didn't get the network drive hosted on that server set via Group Policy, it fails with this error:
The user 'W:' preference item in the 'GPO Name' Group Policy Object did not apply because it failed with error code '0x80070008 Not enough storage is available to process this command.' This error was suppressed.
The client is Windows Server 2012 Remote Desktop and file server is 2012 too. On a VMware host.
Then I log off and back on, and no issues.
Maybe related and maybe where the problem is: When I have the issue above and sometimes when I don't (the network drive is added fine) I have some strange performance issues on share/network drive: Word, Excel and PDF files opens very slowly. Offices says
"Contacting \\dc01\share..." for 20-30 sec and then opens. Text files don't have that problem.
I have a DC02 server also 2012 with no issues like like this.
Any tips how to troubleshoot?

Hi,
Based on your description, you could access shares on DC via
\\dc01\share. But you couldn’t access shares via \\dc01.
Please check the
Network Path in the Properties of the shared folders at first. If the network path is
\\dc01\share, you should access the shared folder by using
\\dc01\share.
And when you configure
Drive Maps via domain group policy, you should also type the Network Path of the shared folders in the
Location edit.
About opening Office files very slow. There are some possible reasons.
File validation can slow down the opening of files.
This problem caused by the issue mentioned above.
Here are a similar thread about slow opening office files from network share
http://answers.microsoft.com/en-us/office/forum/office_2010-word/office-2010-slow-opening-files-from-network-share/d69e8942-b773-4aea-a6fc-8577def6b06a
For File Validation, please refer to the article below,
Office 2010 File Validation
http://blogs.technet.com/b/office2010/archive/2009/12/16/office-2010-file-validation.aspx
Best Regards,
Tina

I'm facing performance issue while accessing the PLAF Table

Dar all,
I'm facing performance issue while accessing the PLAF Table.
The START-OF-SELECTION of the report starts with the following select query.
    SELECT plnum pwwrk matnr gsmng psttr FROM plaf
    INTO CORRESPONDING FIELDS OF TABLE it_tab
    WHERE matnr IN s_matnr
      AND pwwrk = p_pwwrk
      AND psttr IN s_psttr
      AND auffx = 'X'
      AND paart = 'LA' .
While executing the report in the Quality system it does not face any performance issue...
When it comes to Production System the above said select query itself it is taking 15 - 20 minutes time to move further.
Kindly help me to over come this problem...
Regards,
Jessi

Hi,
"Just implement its primary Key
WHERE PLNUM BETWEEN '0000000001' AND '9999999999' " By this you are implementing the Primary Key
This statement has nothing to do with performance, because system is not able to use primary key or uses every row.
Jessica, your query uses secondary index created by SAP:
1     (Material, plant) which uses fields MANDT MATNR and PLWRK.
but it is not suitable in your case.
You can consider adding new one, which would containt all fields: MANDT, MATNR, PWWRK, PSTTR AUFFX PAART
or - but it depends on number of rows meeting and not meeting (auffx = 'X' AND paart = 'LA' ) condition.
It could speed the performance, if you would create secondary index based on fields MANDT, MATNR, PWWRK, PSTTR
and do like Ramchander suggested: remove AUFFX and PAART from index and where section, and remove these unwanted rows
after the query using DELETE statement.
Regards,
Przemysław
Please check how many rows in production system

1801W wireless (guest access) config issues

Trying to setup wireless on 1801w ISR. Wired access to Internet and LAN works fine (Vlan1); however, wireless (Vlan2) does not.
Trying to setup wireless "guest" access with Internet access only (no access to LAN).
Wireless will not come up. Dot11Radios show "reset/down".
Below is the wireless config and a couple of troubleshooting commands as well:
dot11 ssid open
   vlan 2
   authentication open
====================================================
!(Sets up DHCP and excluded addresses.)
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.25.1 172.16.25.99
ip dhcp excluded-address 172.16.25.116 172.16.25.255
ip dhcp pool open
   import all
   network 172.16.25.0 255.255.255.0
   default-router 172.16.25.1
   dns-server 4.2.2.1 4.2.2.1
   lease 3
====================================================
(Turned on integrated routing and bridging.)
bridge irb
====================================================
(Wireless radio interface config.)
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
encryption vlan 2 mode wep optional
!---(SSID is given as "open")
ssid open
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
station-role root
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Vlan1
description LAN
ip address 192.168.0.100 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Vlan2
description Wireless VLAN
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
interface BVI1
ip address 172.16.25.1 255.255.255.0
ip nat inside
ip virtual-reassembly
bridge 1 protocol ieee
bridge 1 route ip
====================================================
Verifying...
RTR#sho dot11 associations
802.11 Client Stations on Dot11Radio1:
802.11 Client Stations on Dot11Radio0:
SSID [open] : DISABLED, not associated with a configured VLAN
====================================================
RTR#sho ip int brief
Dot11Radio0                unassigned      YES NVRAM reset                 down
Dot11Radio0.1             unassigned      YES unset reset                 down
Dot11Radio1                unassigned      YES NVRAM reset                 down

Your ssid is configured in vlan 2.
But you forgot to configure dot11radio0.2 with under it "encapsulation dot1q 2".
That should allow the radio to broadcast ssid
Nicolas
===
Don't forget to rate answers that you find useful

Performance issue in guest access anchored in DMZ

Similar Messages

Maybe you are looking for