Controllerless Networks

Hey All -

First, I'd like to say I'm not entirely convinced this is an IAP related issue but it was suggested (by others) that it could be since it only appears to surface on wirelessly connected devices.

The issue is that there appears to be some sort of ICMP redirect occuring.  If you are on the wireless LAN and attempting to ping a device on the same LAN subnet that is connected via ethernet the following is returned:

--

ping 192.168.0.252
PING 192.168.0.252 (192.168.0.252): 56 data bytes
36 bytes from PFSENSE (192.168.0.254): Redirect Host(New addr: 192.168.0.252)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  c0 0054 e34c   0 0000  40  01 140e 192.168.0.66  192.168.0.252 

64 bytes from 192.168.0.252: icmp_seq=0 ttl=64 time=3.118 ms
36 bytes from PFSENSE (192.168.0.254): Redirect Host(New addr: 192.168.0.252)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  c0 0054 b243   0 0000  40  01 4517 192.168.0.66  192.168.0.252 

64 bytes from 192.168.0.252: icmp_seq=1 ttl=64 time=3.161 ms
^C

--

Wired devices pinging other wired devices have a normal ping reply:

--

ping 192.168.0.252

PING 192.168.0.252 (192.168.0.252): 56 data bytes

64 bytes from 192.168.0.252: icmp_seq=0 ttl=63 time=55.501 ms

64 bytes from 192.168.0.252: icmp_seq=1 ttl=63 time=31.535 ms

64 bytes from 192.168.0.252: icmp_seq=2 ttl=63 time=26.582 ms

^C

--

To recap, all devices are on 1 small LAN:

PF Sense Router - 192.168.0.0/24

4 IAP 225s obtaining their IP via DHCP (from 192.168.0.254 - PFsense)

24 Port PoE switch - 192.168.0.1

What is also odd here is that during a traceroute from a wirelessly connected device the PFSense router (192.168.0.254) appears:

traceroute to 192.168.0.201 (192.168.0.201), 64 hops max, 52 byte packets

 1  192.168.0.254 (192.168.0.254)  42.051 ms  23.188 ms  22.835 ms

 2  192.168.0.201 (192.168.0.201)  28.646 ms  29.944 ms  25.897 ms

On any wired connected device that hop is missing:

traceroute to 192.168.0.201 (192.168.0.201), 64 hops max, 52 byte packets

 1  192.168.0.201 (192.168.0.201)  28.646 ms  24.644 ms  27.947 ms

Any ideas on what is occuring here and why it only appears to be impacting devices connected wirelessly behind the IAPs?

Thanks

Hi, 

What is the netowork type and vlan assigment? 

What are the ACLs for the user-role? 

Thanks, 

Rajaguru Vincent 

Hello,

For IP assignment its configured for "Network Assigned" for Client VLAN Assigment it's configured for "Default".  Addtional VLANs have not been configured in the IAP - pretty basic configuration at the moment until I get more up to speed on these devices.

Default ACLs are in use - I haven't created any custom ACLs at this time.

Hi,

Just to verify things, try the below steps.

1. # show clients

Check what is the user-role of the client.

2. # show access-rule <Role-Name>

Verify if there are any redirect ACLs.

3. # show datapath session | include <Client-IP>

Check the flags when you ping.

This should give you an idea.

Thanks,
Rajaguru Vincent

So I've nailed down the issue but don't understand why it appears to be the culprit.

I've disabled IPv6 on the ISP router as well as the connected switch.  Release/renew all clients and pings look normal as do the traceroutes on all devices.

Re-enable IPv6, perform a release renew on all devices and problem returns...but only for wirelessly connected devices.

Any ideas?

Seems like it needs some troubleshooting. Please raise a TAC case. 

Thanks, 

Rajaguru Vincent