MVP

Remote guest cannot go to the Internet

Controllers: 7200s, AP-105, AOS 6.5

I have a remote site with two Wi-Fi networks: Employee is bridge, and guest is tunnel. All APs at the site are terminated at the HQ controller. A recent switch upgrade at this site caused guest to stop working. Nothing changed at the controller. Although I can see guests connect and get correct IP addresses and DNS, when a user opens a web browser or any app, nothing works. I can even see the guest users in the firewall logs, which show traffic is passing.

Any ideas or suggestions? I cannot be at the site, and no IP personnel are available at the site, just typical users. Note that employee Wi-Fi is working normally.

Regards,

~Trinh Nguyen~
Boys Town

Re: Remote guest cannot go to the Internet

Have there been any routing changes? Can you confirm the firewall has a correct route back to the guest subnet?


ACMA, ACMP, ACSA
If my post addresses your query, give kudos:)
MVP

Re: Remote guest cannot go to the Internet

see next post

~Trinh Nguyen~
Boys Town
MVP

Re: Remote guest cannot go to the Internet

Hi,

No routing change.  Guest is L-2 user-> AP -> controller -> FW, and FW is the gateway.  FW access tracker shows correct guest user IP, and guest traffic is passing. 

Thanks for looking.

~Trinh Nguyen~
Boys Town
Guru Elite

Re: Remote guest cannot go to the Internet

Type "show datapath session table <ip address of guest>" to see what traffic is being sent back and forth.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Re: Remote guest cannot go to the Internet

Sounds odd. I assume your User Roles are as they were before and working? If you run a packet capture on the client, do you see the internet traffic returning at all?


ACMA, ACMP, ACSA
If my post addresses your query, give kudos:)
MVP

Re: Remote guest cannot go to the Internet

Does this look like it's working?

(WC01) #show datapath session table 10.18.1.149


Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       r - Route Nexthop
       A - Application Firewall Inspect
       B - Permanent, O - Openflow

Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
209.85.164.233  10.18.1.149     6    443   46646  1/2     0    24  13  tunnel 598  155  2          2852
54.246.89.117   10.18.1.149     6    443   38610  1/2     0    24  6   tunnel 598  1d4  4          5704
10.18.1.149     74.125.192.188  6    39989 443    1/2     0    24  4   tunnel 598  189  0          0          TC
209.85.164.233  10.18.1.149     6    443   46583  1/2     0    24  37  tunnel 598  2d3  2          2852
10.18.1.149     54.246.89.117   6    38610 443    1/2     0    24  28  tunnel 598  1d4  0          0          TC


192.12.31.97    10.18.1.149     6    5223  46854  1/2     0    24  33  tunnel 598  22b  0          0
74.125.192.188  10.18.1.149     6    443   39989  1/2     0    24  4   tunnel 598  189  0          0
10.18.1.149     64.233.186.188  6    39475 443    1/2     0    24  28  tunnel 598  1005 0          0          TC
209.85.164.233  10.18.1.149     6    443   46649  1/2     0    24  7   tunnel 598  10d  0          0
209.85.164.233  10.18.1.149     6    443   46591  1/2     0    24  31  tunnel 598  28c  0          0


64.233.186.188  10.18.1.149     6    443   39475  1/2     0    24  28  tunnel 598  1005 0          0
209.85.164.233  10.18.1.149     6    443   46580  1/2     0    24  51  tunnel 598  3da  1          1426
10.18.1.149     209.85.164.233  6    46583 443    1/2     0    24  41  tunnel 598  2d3  0          0          TC
10.18.1.149     209.85.164.233  6    46591 443    1/2     0    24  32  tunnel 598  28c  0          0          TC
10.18.1.149     209.85.164.233  6    46580 443    1/2     0    24  51  tunnel 598  3da  0          0          TC


10.18.1.149     192.12.31.97    6    46854 5223   1/2     0    24  34  tunnel 598  22b  0          0          TC
10.18.1.149     209.85.164.233  6    46649 443    1/2     0    24  8   tunnel 598  10d  0          0          TC
10.18.1.149     209.85.164.233  6    46646 443    1/2     0    24  17  tunnel 598  155  0          0          TC

(WC01) 
~Trinh Nguyen~
Boys Town
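
An added example, not part of the original thread: a small parser for the `show datapath session table` output posted above that pairs each entry carrying the C (client) flag with its reverse entry and lists the Packets/Bytes counters of both. The column layout is taken from the header line in the post, and the assumption that the Destination column always reads "tunnel <id>" holds only for the rows shown there.

```python
import re
from collections import namedtuple

Session = namedtuple("Session", "src dst proto sport dport packets bytes flags")

# Column layout taken from the header line in the post. Assumption: the
# Destination column is always "tunnel <id>", as in every row posted.
ROW = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"\S+\s+\S+\s+\S+\s+\S+\s+"          # Cntr, Prio, ToS, Age (unused)
    r"tunnel \d+\s+\S+\s+"                # Destination, TAge (unused)
    r"(\d+)\s+(\d+)\s*([A-Za-z]*)\s*$"    # Packets, Bytes, optional Flags
)

# Rows copied from the output posted in the thread.
SAMPLE = """\
209.85.164.233  10.18.1.149     6    443   46646  1/2     0    24  13  tunnel 598  155  2          2852
10.18.1.149     209.85.164.233  6    46646 443    1/2     0    24  17  tunnel 598  155  0          0          TC
54.246.89.117   10.18.1.149     6    443   38610  1/2     0    24  6   tunnel 598  1d4  4          5704
10.18.1.149     54.246.89.117   6    38610 443    1/2     0    24  28  tunnel 598  1d4  0          0          TC
10.18.1.149     192.12.31.97    6    46854 5223   1/2     0    24  34  tunnel 598  22b  0          0          TC
192.12.31.97    10.18.1.149     6    5223  46854  1/2     0    24  33  tunnel 598  22b  0          0
"""

def parse(text):
    """Return a Session per data row; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            src, dst, *nums, flags = m.groups()
            rows.append(Session(src, dst, *map(int, nums), flags))
    return rows

def pair_flows(sessions):
    """Match each entry carrying the C (client) flag with its reverse entry."""
    by_key = {(s.src, s.dst, s.proto, s.sport, s.dport): s for s in sessions}
    flows = []
    for s in (x for x in sessions if "C" in x.flags):
        rev = by_key.get((s.dst, s.src, s.proto, s.dport, s.sport))
        flows.append({"remote": f"{s.dst}:{s.dport}", "client_port": s.sport,
                      "fwd": (s.packets, s.bytes),
                      "rev": (rev.packets, rev.bytes) if rev else None})
    return flows

def one_sided(flows):
    """Flows with zero packets on one entry and non-zero on the other."""
    return [f for f in flows if f["rev"] and (f["fwd"][0] == 0) != (f["rev"][0] == 0)]
```

Calling `pair_flows(parse(SAMPLE))` gives one record per client flow with `(packets, bytes)` for each direction; `one_sided` narrows that to the flows worth comparing against a capture on the firewall or client.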
Guru Elite

Re: Remote guest cannot go to the Internet

I think you need to do more troubleshooting.  There is nothing that I can see from this client's traffic.  What is the default gateway for this client?



Colin Joseph
Aruba Customer Engineering


MVP

Re: Remote guest cannot go to the Internet

Gateway is 10.18.0.1.

 

~Trinh Nguyen~
Boys Town
Guru Elite

Re: Remote guest cannot go to the Internet

And what is that device?



Colin Joseph
Aruba Customer Engineering
