Wireless Access

Good day,

as the title says, last week I installed a IAP103 to a customer (upgraded to the latest firmware 6.5.3.1), and configured two SSIDs: the one with DHCP managed by the network works fine, despite the guest SSID with IP assigned by virtual controller doesn't allow Internet to be accessed.

Clients connect correctly, the IP is assigned (172.31.99.x) but on different smartphones the saeìme message "no Internet" appears.

I tried both with no restrictions and also allowing only dhcp and dns services, but it's still the same.

I tried adding another guest network, with no success.

Any suggestion?

Thanks in advance.

 

Alain

Network traffic for guests that are on a Virtual Controller assigned VLAN would be natted out of the ip address of the Master Virtual Controller.  If the ip address of that master controller does not have permission on your external firewall to go to the internet, your guests will not have any connectivity..

I already allowed the only ap to access the internet.

Alain Pasquali - SISTEC S.r.l

________________________________

Hai bisogno di assistenza tecnica?

Registrati ed accedi al portale helpdesk.sistec.net oppure invia una mail a helpdesk@sistec.net
Per l'assistenza remota, utilizza Teamviewer scaricandolo dal seguente indirizzo: https://get.teamviewer.com/rw6pa5h

________________________________

--
Questo messaggio e' stato analizzato da Libra ESVA ed e' risultato non infetto.
This message was scanned by Libra ESVA and is believed to be clean.
Per informazioni: http://helpdesk.sistec.net

You should do a trace on your firewall to see if you see traffic from that IAP.  If you have configured a Virtual IP address, that would be the address the traffic is coming from..

Thank you, I'm going to try in a few minutes.

Alain Pasquali - SISTEC S.r.l

________________________________

Hai bisogno di assistenza tecnica?

Registrati ed accedi al portale helpdesk.sistec.net oppure invia una mail a helpdesk@sistec.net
Per l'assistenza remota, utilizza Teamviewer scaricandolo dal seguente indirizzo: https://get.teamviewer.com/rw6pa5h

________________________________

--
Questo messaggio e' stato analizzato da Libra ESVA ed e' risultato non infetto.
This message was scanned by Libra ESVA and is believed to be clean.
Per informazioni: http://helpdesk.sistec.net

Hi,

yesterday I wasn’t able to do the trace on the firewall, but I can tell you that only guest network (with addresses assigned by the virtual controller) aren’t able to access the Internet.

It seems that the firewall (router, is an old Funkwerk R3000) doesn’t let the guest network pass, even if it arrives “natted” by the virtual controller.

Any suggestion?

Thanks

Hi,

I just collected a trace of the firewall's traffic with a client connected to the guest network, and looking at it with Wireshark I wasn't able to find anything related to the virtual controller's IP.

 

---

@pasky wrote:

Good day,

as the title says, last week I installed a IAP103 to a customer (upgraded to the latest firmware 6.5.3.1), and configured two SSIDs: the one with DHCP managed by the network works fine, despite the guest SSID with IP assigned by virtual controller doesn't allow Internet to be accessed.

Clients connect correctly, the IP is assigned (172.31.99.x) but on different smartphones the saeìme message "no Internet" appears.

I tried both with no restrictions and also allowing only dhcp and dns services, but it's still the same.

I tried adding another guest network, with no success.

Any suggestion?

Thanks in advance.

 

Alain

---

Is this only a single IAP or multiple IAPs?  Can you share the SSID configuration for the guest SSID?

There is only one IAP installed in the environment.

The guest SSID network is configured with:

- no start page

- WPA2-PSK

- Virtual Controller-managed DHCP

Access rules are configured as follows:

1) DNS, DHCP access granted to any destination

2) traffic to LAN denied

3) traffic to any granted

 

I see in your first post that you also tried it with no restrictions.  When you try that, can you ping anywhere outside of the IAP?

Unfortunately I didn't make that test, and now I'm away from the customer.

Yesterday I tried to make the same test with the rules I mentioned above, and I was able to reach only the VC (with IP 172.31.98.1), no local IP addresses nor public IPs neither public hostnames.

 

If you SSH into the IAP during the test, you should be able to type "show datapath session table" to see what traffic the client is attempting to send and if it is getting blocked by the IAP.  That test will only work if you have rules applied on your guest clients.  If you have it as "unrestricted" it will not work, so just have a single rule allowing all traffic before you try that command.

 

You can also use the "debug pkt" method to trace network traffic coming out of that AP from that client:  http://community.arubanetworks.com/t5/Controller-less-WLANs/Debugging-DHCP-packets-on-Aruba-Instant-IAP/ta-p/179058

Thanks a lot for your suggestions, I will try ASAP.

I've just noticed that the AP is rebooting itself every about 5 minutes...it's connected to an HP 2530-8G PoE switch (that is working fine).

I'm trying to update the firmware of the switch, in case of PoE issues.

I confirm what I told before: the IAP is rebooting itself every 5 minutes. I suppose it has some kind of hardware issue, what do you think?

Thanx in advance.

"show version" will say why it rebooted.  That might give you a clue...

I think I found the solution: in the customer's network someone gave static addresses to applicances not managed by me, which are included in the DHCP pool. The IAP103 took an address already assigned to some kind of appliance, and that is causing all the issues.

I've no confirmation at the moment, the IP assigned by DHCP to the IAP answers also when the AP is rebooting... :-)

 

After creating a DHCP exclusion for the IP manually assigned and (obviously) automatically given to the IAP103, and assigning a static IP to the AP, all problems have been solved.

Thanks a lot for your help.