Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Remote guest cannot go to the Internet

  • 1.  Remote guest cannot go to the Internet

    Posted Aug 25, 2017 09:53 AM

    Controllers: 7200s, AP-105, AOS 6.5

    I have a remote site with two Wi-Fi networks: Employee is bridged, and Guest is tunneled.  All APs at the site are terminated at the HQ controller.  A recent switch upgrade at this site caused guest to stop working.  Nothing changed at the controller.  Although I can see guests connect and get correct IP addresses and DNS servers, when a user opens a web browser or any app, nothing works.  I can even see the guest users in the firewall logs, which show traffic is passing.

    Any ideas or suggestions?  I cannot be at the site, and there are no IT personnel available at the site, just a typical user.  Note that the employee Wi-Fi is working normally.

    Regards,



  • 2.  RE: Remote guest cannot go to the Internet

    MVP EXPERT
    Posted Aug 25, 2017 10:06 AM

    Has there been any routing changes? Can you confirm the firewall has a correct route back to the guest subnet?



  • 3.  RE: Remote guest cannot go to the Internet

    Posted Aug 25, 2017 10:14 AM

    see next post



  • 4.  RE: Remote guest cannot go to the Internet

    Posted Aug 25, 2017 10:16 AM

    Hi,

    No routing change.  Guest is L2: user -> AP -> controller -> FW, and the FW is the gateway.  The FW access tracker shows the correct guest user IP, and guest traffic is passing.

    Thanks for looking.



  • 5.  RE: Remote guest cannot go to the Internet

    EMPLOYEE
    Posted Aug 25, 2017 10:28 AM

    Type "show datapath session table <ip address of guest>" to see what traffic is being sent back and forth.



  • 6.  RE: Remote guest cannot go to the Internet

    Posted Aug 25, 2017 11:08 AM

    Does this look like it is working?

    (WC01) #show datapath session table 10.18.1.149

    Datapath Session Table Entries
    ------------------------------

    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal
           r - Route Nexthop
           A - Application Firewall Inspect
           B - Permanent, O - Openflow

    Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
    --------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
    209.85.164.233  10.18.1.149     6    443   46646  1/2     0    24  13  tunnel 598  155  2          2852
    54.246.89.117   10.18.1.149     6    443   38610  1/2     0    24  6   tunnel 598  1d4  4          5704
    10.18.1.149     74.125.192.188  6    39989 443    1/2     0    24  4   tunnel 598  189  0          0          TC
    209.85.164.233  10.18.1.149     6    443   46583  1/2     0    24  37  tunnel 598  2d3  2          2852
    10.18.1.149     54.246.89.117   6    38610 443    1/2     0    24  28  tunnel 598  1d4  0          0          TC
    192.12.31.97    10.18.1.149     6    5223  46854  1/2     0    24  33  tunnel 598  22b  0          0
    74.125.192.188  10.18.1.149     6    443   39989  1/2     0    24  4   tunnel 598  189  0          0
    10.18.1.149     64.233.186.188  6    39475 443    1/2     0    24  28  tunnel 598  1005 0          0          TC
    209.85.164.233  10.18.1.149     6    443   46649  1/2     0    24  7   tunnel 598  10d  0          0
    209.85.164.233  10.18.1.149     6    443   46591  1/2     0    24  31  tunnel 598  28c  0          0
    64.233.186.188  10.18.1.149     6    443   39475  1/2     0    24  28  tunnel 598  1005 0          0
    209.85.164.233  10.18.1.149     6    443   46580  1/2     0    24  51  tunnel 598  3da  1          1426
    10.18.1.149     209.85.164.233  6    46583 443    1/2     0    24  41  tunnel 598  2d3  0          0          TC
    10.18.1.149     209.85.164.233  6    46591 443    1/2     0    24  32  tunnel 598  28c  0          0          TC
    10.18.1.149     209.85.164.233  6    46580 443    1/2     0    24  51  tunnel 598  3da  0          0          TC
    10.18.1.149     192.12.31.97    6    46854 5223   1/2     0    24  34  tunnel 598  22b  0          0          TC
    10.18.1.149     209.85.164.233  6    46649 443    1/2     0    24  8   tunnel 598  10d  0          0          TC
    10.18.1.149     209.85.164.233  6    46646 443    1/2     0    24  17  tunnel 598  155  0          0          TC

    (WC01)


  • 7.  RE: Remote guest cannot go to the Internet

    EMPLOYEE
    Posted Aug 25, 2017 11:20 AM

    I think you need to do more troubleshooting.  There is nothing that I can see from this client's traffic.  What is the default gateway for this client?



  • 8.  RE: Remote guest cannot go to the Internet

    Posted Aug 25, 2017 01:45 PM

    Gateway is 10.18.0.1.

     



  • 9.  RE: Remote guest cannot go to the Internet

    EMPLOYEE
    Posted Aug 25, 2017 03:28 PM

    and what is that device?



  • 10.  RE: Remote guest cannot go to the Internet

    Posted Aug 26, 2017 02:20 PM

    Colin,

    Gateway 10.18.0.1 is a physical Check Point firewall.  I have more than 20 remote sites over MPLS.  All guest Wi-Fi networks are in the same AP group with the same IP addressing, 10.18.0.0/20.  All guest traffic tunnels back to the 7220 controller at HQ and is sent directly out to the firewall to the Internet.  ONLY ONE site is having the problem.  A TAC case has been opened and logs were sent.  I am waiting for their response.

    Thanks, 

     



  • 11.  RE: Remote guest cannot go to the Internet
    Best Answer

    Posted Sep 08, 2017 03:49 PM

    I have the resolution for this problem:

    Because the DMVPN tunnel was set to MTU 1400, TAC changed the MTU of the wireless tunnel to 1400.
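
The session table in post 6 and the MTU resolution above fit together: inbound flows from the Internet carry full-size packets (2852 bytes over 2 packets, 5704 over 4), while the client's own sessions show 0 packets. The following is an added example (not AOS code or anything from the original thread) that parses rows in the format of that table and flags return-path flows whose average packet is larger than the smallest MTU on the controller-to-AP path; the sample rows are constructed from the posted output, and the encapsulation overhead parameter is an assumption left at 0 by default.

```python
"""Parse 'show datapath session table' rows and flag return-path flows whose
packets exceed an intermediate tunnel MTU (the 1400-byte DMVPN case here).
Added example, not AOS code; byte and packet counts are used as the table reports them."""
from __future__ import annotations

# Constructed sample rows, shaped like the session table posted in this thread.
SAMPLE_TABLE = """\
209.85.164.233  10.18.1.149     6    443   46646  1/2     0    24  13  tunnel 598  155  2          2852
10.18.1.149     209.85.164.233  6    46646 443    1/2     0    24  17  tunnel 598  155  0          0          TC
54.246.89.117   10.18.1.149     6    443   38610  1/2     0    24  6   tunnel 598  1d4  4          5704
10.18.1.149     54.246.89.117   6    38610 443    1/2     0    24  28  tunnel 598  1d4  0          0          TC
74.125.192.188  10.18.1.149     6    443   39989  1/2     0    24  4   tunnel 598  189  0          0
10.18.1.149     74.125.192.188  6    39989 443    1/2     0    24  4   tunnel 598  189  0          0          TC
"""

def parse_sessions(text: str) -> list[dict]:
    """Return one dict per data row; header, rule, legend and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 12 or tok[0].count(".") != 3:   # data rows start with a dotted-quad
            continue
        # Parse from the right: the flag letters are optional, then Bytes, then Packets.
        flags = tok.pop() if not tok[-1].isdigit() else ""
        nbytes, pkts = int(tok.pop()), int(tok.pop())
        rows.append({"src": tok[0], "dst": tok[1], "proto": int(tok[2]),
                     "sport": int(tok[3]), "dport": int(tok[4]),
                     "packets": pkts, "bytes": nbytes, "flags": flags})
    return rows

def oversized_return_flows(rows: list[dict], client_ip: str, tunnel_mtu: int,
                           encap_overhead: int = 0) -> list[tuple[str, int, int]]:
    """Flows toward the client whose average packet is larger than the tunnel can carry.

    tunnel_mtu: smallest MTU on the controller-to-AP path (1400 for the DMVPN here).
    encap_overhead: assumed bytes the controller's own tunnel adds (default 0).
    Returns (server_ip, server_port, avg_packet_bytes) for each flagged flow."""
    limit = tunnel_mtu - encap_overhead
    flagged = []
    for r in rows:
        if r["dst"] != client_ip or r["packets"] == 0:
            continue
        avg = r["bytes"] // r["packets"]
        if avg > limit:
            flagged.append((r["src"], r["sport"], avg))
    return flagged

if __name__ == "__main__":
    for srv, port, avg in oversized_return_flows(parse_sessions(SAMPLE_TABLE), "10.18.1.149", 1400):
        print(f"{srv}:{port} sends {avg}-byte packets on average; exceeds tunnel MTU 1400")
```

Any flow that is flagged while its reverse direction sits at 0 packets with the client flag set points at a path MTU problem rather than at routing or the firewall policy.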



  • 12.  RE: Remote guest cannot go to the Internet

    MVP EXPERT
    Posted Aug 25, 2017 10:34 AM

    Sounds odd. I assume your user roles are as they were before and working? If you run a packet capture on the client, do you see the Internet traffic returning at all?