I have an open case with TAC on this(607840875) but want a fresh set of eyes to look at it. We are running 4.1.3 in-line with Real-IP with the CAS acting as the DHCP server (so we can hand out /29 and /30 networks to clients). Agent is 4.1.3.1. All VLANs terminate at the CAS. We have 1 VLAN per building, with multiple managed subnets per VLAN.
We have a handful of clients that are unable to login to the agent. The Agent never pops up and when you right-click it the "login" area is grayed out. I verified the client is not logged in through the CAM. Usually when we've seen this problem before, it is from a local firewall being installed, or being installed at one time and left over components are still installed. Norton Internet Security is notorious around here for doing that. We ran the uninstaller tool from Norton to make sure that was all gone and checked our other usual culprits for problems (zonealarm, malware installed, etc). Everything looks good. If I take the client and plug it into a different managed subnet other than the building(VLAN) where the student lives, the agent works fine and allows the client to login. Move the client back to the original building, nothing....Agent won't popup or let the user login. After a lot of troubleshooting, we finally realized that when the agent won't let the user login, the CAS DHCP server hands out the wrong gateway to the client. Here's what the client should be getting: IP: 129.3.138.22 Mask: 255.255.255.248 GW: 129.3.138.17 And here was what the CAS DHCP server actually hands out to the client: IP: 129.3.138.22 Mask: 255.255.255.248 GW: 129.3.136.9 The managed subnet that is experiencing the problem is one VLAN that contains 2 managed subnets (129.3.136.0/23 and 129.3.138.0/24). 129.3.136.9 is the gateway address of the first enabled auto-generated subnet in that VLAN (first subnet is always disabled for some reason). Other clients that obtain an IP address within the same 129.3.138.16/29 also experience the same problem of the CAS giving out the wrong gateway address. If I disable the /29 subnet that is experiencing the problems, the clients will begin to function(ie: they pickup an IP in a different address range)....But within a few days or so I have new clients that are experiencing the same problem but in the next higher managed subnet from the one I disabled....in this case 129.3.138.24/29. Any help is appreciated! --greg Gregory A. Fuller - CCNA Network Engineer State University of New York at Oswego http://www.oswego.edu/~gfuller
