x3man
asked on
XP wireless client not receiving DHCP settings
I have many wireless XP clients that connect to the network via wireless access points using WPA2, AES, and 802.1x authentication using PEAP-MSCHAP V2. The clients are set to validate server certificates and are configured to trust the local root CA. All of the wireless configuration settings and certificate deployment is done through Group Policy.
Most of the XP clients connect to the wireles network as expected, however we have had many occasions when a client will authenticate but fails to obtain DHCP settings. I have observed the flow of traffic between the client and the DHCP server using wireshark and it appears that this only happens when there is a poor quality wireless signal - the client struggles to authenticate, with many packets exchanged, eventually succeeds but then DHCP requests are sent to the DHCP server, which the server also receives, but the responses are not received by the client. I suspect it is the signal quality because as soon as the client is placed close to an access point the authentication process is completed quickly, and the DHCP process is also completed successfully.
Has anyone else had the same issues? Is there any way of improving the clients chances of success of obtaining DHCP settings as we don't want to use static network settings?
Most of the XP clients connect to the wireles network as expected, however we have had many occasions when a client will authenticate but fails to obtain DHCP settings. I have observed the flow of traffic between the client and the DHCP server using wireshark and it appears that this only happens when there is a poor quality wireless signal - the client struggles to authenticate, with many packets exchanged, eventually succeeds but then DHCP requests are sent to the DHCP server, which the server also receives, but the responses are not received by the client. I suspect it is the signal quality because as soon as the client is placed close to an access point the authentication process is completed quickly, and the DHCP process is also completed successfully.
Has anyone else had the same issues? Is there any way of improving the clients chances of success of obtaining DHCP settings as we don't want to use static network settings?
ASKER
Hi Erk333
All clients are using 11g
All switches are set to auto negotiate as are the clients.
All clients are using 11g
All switches are set to auto negotiate as are the clients.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
It sure sounds like the pool of addresses has been used up.
The IP address assignments are via "leases". So, a computer need not be present or turned on to be using up an address via the lease it received. This can cause a degree of confusion when one "knows" that there are only so many computers connected at any one time.
How many addresses are in the DHCP pool?
What is the lease time? (For a more or less static situation, I'd use 8 hours. For more dynamic situations, I'd use less - maybe 2 hours). I believe the computers will refresh their individual leases in half that time. So, if the leases are short and aren't refreshed, they will run out and make those addresses available for assignment.
How many computers are "involved"? i.e. there all the time, coming in and out, etc.?
The IP address assignments are via "leases". So, a computer need not be present or turned on to be using up an address via the lease it received. This can cause a degree of confusion when one "knows" that there are only so many computers connected at any one time.
How many addresses are in the DHCP pool?
What is the lease time? (For a more or less static situation, I'd use 8 hours. For more dynamic situations, I'd use less - maybe 2 hours). I believe the computers will refresh their individual leases in half that time. So, if the leases are short and aren't refreshed, they will run out and make those addresses available for assignment.
How many computers are "involved"? i.e. there all the time, coming in and out, etc.?
ASKER
Thanks for input guys.
NIC drivers have been updated. Changing auto negotiate settings is not an option I'm afraid. Too much work and too many other devices using it.
Not convinced that changing the DHCP server to unicast will improve things. Like I said originally it appears that the issue relates to signal quality - I can see the client struggle to authenticate, and fail to receive the dhcp response. Yet when i try in an area with good coverage the authentication and DHCP process completes without any problems. It looks like changing the default time out value for the DHCP process is not possible, otherwise that could improve things by giving the client a chance to receive responses from DHCP.
It's definitely not related to lack of available IP addresses in the current address pool - there are more than enough spare, and like I said, the issue is resolved when the wireless signal improves. Unfortunately upgrading the wireless infrastructure is not an option.
Some of the laptops suffer from this issue more than others e.g. the Atheros NICs seem to fare much better. Again suggests signal quality issues?
NIC drivers have been updated. Changing auto negotiate settings is not an option I'm afraid. Too much work and too many other devices using it.
Not convinced that changing the DHCP server to unicast will improve things. Like I said originally it appears that the issue relates to signal quality - I can see the client struggle to authenticate, and fail to receive the dhcp response. Yet when i try in an area with good coverage the authentication and DHCP process completes without any problems. It looks like changing the default time out value for the DHCP process is not possible, otherwise that could improve things by giving the client a chance to receive responses from DHCP.
It's definitely not related to lack of available IP addresses in the current address pool - there are more than enough spare, and like I said, the issue is resolved when the wireless signal improves. Unfortunately upgrading the wireless infrastructure is not an option.
Some of the laptops suffer from this issue more than others e.g. the Atheros NICs seem to fare much better. Again suggests signal quality issues?
does a reboot or restart help??
BTW, i don't mean this is a solution. this is for troubleshooting only. :)
BTW, i don't mean this is a solution. this is for troubleshooting only. :)
ASKER
No, rebooting doesn't make any difference.
One can imagine that signal quality could be an issue for DHCP depending on the amount of handshaking required, etc. But then, this just means that there's a signal quality issue overall - so that's the place to look. It seems a little odd that you've been able to pinpoint it down to DHCP but then that would be the *first* opportunity for failure wouldn't it?
Is the network secured? Often one gets a "connection" but only at the "radio" level and then DHCP fails because the security settings are wrong. Often the software doesn't tell you this and looks like the computers are "connected". I've often had to try multiple times to get the security right and end up with an IP address all while the radios were "connected" just fine. If the interfaces are from different manufacturers then the software may well be different and setup for security different - one needing more detailed information than another, etc. Don't discount this possibility.
I don't expect one computer to act the same as another on a wireless network. You seem to be saying the same thing.
Wireless networks are a bit frustrating because of signal strength being so variable. You might try using NetStumbler on a laptop so you can better see SNR, etc. and get an idea of how signal levels vary. If the SNR isn't 20dB or better then it will or can be marginal. I wouldn't recommend trying to live at 15dB and less than that is surely going to be unsatisfactory.
Solutions include: more robust access points (i.e. power level) and better antennas at both ends.
Antenna solutions are generally better than increases in power as increases in power don't yield all that many dB. 6dB is a 4X change in power level.
Is the network secured? Often one gets a "connection" but only at the "radio" level and then DHCP fails because the security settings are wrong. Often the software doesn't tell you this and looks like the computers are "connected". I've often had to try multiple times to get the security right and end up with an IP address all while the radios were "connected" just fine. If the interfaces are from different manufacturers then the software may well be different and setup for security different - one needing more detailed information than another, etc. Don't discount this possibility.
I don't expect one computer to act the same as another on a wireless network. You seem to be saying the same thing.
Wireless networks are a bit frustrating because of signal strength being so variable. You might try using NetStumbler on a laptop so you can better see SNR, etc. and get an idea of how signal levels vary. If the SNR isn't 20dB or better then it will or can be marginal. I wouldn't recommend trying to live at 15dB and less than that is surely going to be unsatisfactory.
Solutions include: more robust access points (i.e. power level) and better antennas at both ends.
Antenna solutions are generally better than increases in power as increases in power don't yield all that many dB. 6dB is a 4X change in power level.
ASKER
Thanks fmarshall
DHCP is usually the point of failure for the laptops - however we have also had a few laptops that fail to authenticate and so are refused access. Again this is variable and the same laptop has connected when relocated to a strong signal area.
I agree it is frustrating! The network was originally using WPA-PSK, and while it certainly wasn't perfect, we did have more success with connectivity. I would not be happy if we had to move back to this level of security due to connectivity issues.
I have used NetStumbler to get a picture of the signal quality across the network. I can't remember the exact SNR but it was less than satisfactory. The SNR was low in some areas and high in others, and different during different times of day (people going home etc.). Many hours have already been spent trying to optimise AP location, power levels, channels etc without any real improvements to reliability.
I am interested to know what settings you are referring to when you say "had to try multiple times to get the security right and end up with an IP address all while the radios were "connected" just fine. If the interfaces are from different manufacturers then the software may well be different and setup for security different - one needing more detailed information than another". All the laptops are using XP SP3 and the Windows XP Wireless Zero Configuration service so aren't the security settings all the same? Are you referring to using the NIC manufacturers management software? Or are you referring to the advanced properties of the device itself?
DHCP is usually the point of failure for the laptops - however we have also had a few laptops that fail to authenticate and so are refused access. Again this is variable and the same laptop has connected when relocated to a strong signal area.
I agree it is frustrating! The network was originally using WPA-PSK, and while it certainly wasn't perfect, we did have more success with connectivity. I would not be happy if we had to move back to this level of security due to connectivity issues.
I have used NetStumbler to get a picture of the signal quality across the network. I can't remember the exact SNR but it was less than satisfactory. The SNR was low in some areas and high in others, and different during different times of day (people going home etc.). Many hours have already been spent trying to optimise AP location, power levels, channels etc without any real improvements to reliability.
I am interested to know what settings you are referring to when you say "had to try multiple times to get the security right and end up with an IP address all while the radios were "connected" just fine. If the interfaces are from different manufacturers then the software may well be different and setup for security different - one needing more detailed information than another". All the laptops are using XP SP3 and the Windows XP Wireless Zero Configuration service so aren't the security settings all the same? Are you referring to using the NIC manufacturers management software? Or are you referring to the advanced properties of the device itself?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks everyone
There's some interesting points to consider. Particularly concerning data rates, broadcast and unicast etc. I'll have a look at setting the DHCP server to respond with unicast responses - see what effect, if any, that has.
It looks likely that the most successful way of improving connectivity would be to upgrade and improve the wireless AP infrastructure. However like I said before, that is unlikely to happen, hence the reason I asked if there is any other option to improve connectivity.
Thanks again to all who replied.
There's some interesting points to consider. Particularly concerning data rates, broadcast and unicast etc. I'll have a look at setting the DHCP server to respond with unicast responses - see what effect, if any, that has.
It looks likely that the most successful way of improving connectivity would be to upgrade and improve the wireless AP infrastructure. However like I said before, that is unlikely to happen, hence the reason I asked if there is any other option to improve connectivity.
Thanks again to all who replied.
ASKER
Just for info. I tried setting the DHCP server to respond with unicast responses as described in the links, and this slowed down the DHCP process for the XP clients even more - wired and wireless. As soon as I removed the setting DHCP started working again. Although the wireless clients often still have problems as mentioned above...
that and you might match the link speed (10, 100, half, full, etc...) of the NIC's to that of your switch(s) instead of 'auto'