Wireless Access

Is anyone else having this issue?  We are having issues with iPads/iPhones running IOS6 connecting to our guest wireless.  Once they get connected, usually by powering off/on the device, they work fine for the rest of the day.  However, when they come back in the next day they have the same issue.

Obviously this appears to be an Apple issue, since it seems to only be IOS6 and is temporarily resolved by powering off/on the device, but we see something very strange when doing a packet capture on the AP or controller.

When doing a packet capture, I see the IOS device attempt to go to the website www.apple.com/library/test/success.html.  It uses this site to determine if it can get to the Internet, or if there is a captive portal involved.  Since we are running a captive portal and the user is not authenticated, the controller should intercept the three-way TCP handshake initiated by the IOS device and then should send a http 302 redirect to the captive portal page.  When everything is working properly, that is exactly what happens.  But when the IOS device is not able to connect properly, the packet capture shows the IOS device sending a TCP SYN packet.  The controller however doesn't intercept it and respond with a SYN/ACK, it just ignores the packet.

So while this appears on the surface to be an IOS6 issue, packet captures tells a different story.  The IOS device is attempting to connect to the web page as it always does, but the controller is not responding properly.  We have a case open with Aruba, but have not had any success getting it resolved, or getting an explanation why the controller is not responding properly.

Try this, We are having the same issues. Also having issues with users on macs/ipads/iphone with connecting to our ap's.

https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1680

Thanks for the reply.  Whitelisting apple.com isn't really an option for us because then the clients can go to any apple.com site without authenticating through the captive portal.

I've been doing some more troubleshooting on this issue, and looking at my packet captures, I now see that after the IOS device sends a TCP SYN, the Aruba controller sends an ARP to get the IOS device's MAC address.  But when this problem is occurring, the IOS device does not respond with an ARP reply.  Therefore the controller can not respond with a SYN/ACK.

I have opened a case with Apple and they have forwarded it on to their engineering department.  They have a copy of my packet capture, so hopefully they can see the issue for themselves.  I will update this thread with any results I get from them.  They said it will be late next week.

In the meantime, I started wondering why this issue doesn't appear at my home.  And then it dawns on me that my IOS device always connects on 802.11a at work, but uses 802.11n at home since my home network doesn't support 802.11a.  As a test, I have disabled 802.11a on the APs near me and now my devices connects on 802.11g.  I guess I'll find out if that is related to the problem when I come back in on Monday.  If I can connect and get the captive portal page right away, I'll start to believe it is an 802.11a problem only.  Once again, I'll keep this thread updated.

Robert

I tried the disable the a radio, and got the same issue. After whitelisting apple, all is good for us. I will be curious to see what they come back with.

---

@rluechtefeld wrote:

Thanks for the reply.  Whitelisting apple.com isn't really an option for us because then the clients can go to any apple.com site without authenticating through the captive portal.

 

I've been doing some more troubleshooting on this issue, and looking at my packet captures, I now see that after the IOS device sends a TCP SYN, the Aruba controller sends an ARP to get the IOS device's MAC address.  But when this problem is occurring, the IOS device does not respond with an ARP reply.  Therefore the controller can not respond with a SYN/ACK.

 

I have opened a case with Apple and they have forwarded it on to their engineering department.  They have a copy of my packet capture, so hopefully they can see the issue for themselves.  I will update this thread with any results I get from them.  They said it will be late next week.

 

In the meantime, I started wondering why this issue doesn't appear at my home.  And then it dawns on me that my IOS device always connects on 802.11a at work, but uses 802.11n at home since my home network doesn't support 802.11a.  As a test, I have disabled 802.11a on the APs near me and now my devices connects on 802.11g.  I guess I'll find out if that is related to the problem when I come back in on Monday.  If I can connect and get the captive portal page right away, I'll start to believe it is an 802.11a problem only.  Once again, I'll keep this thread updated.

 

Robert

 

---

Whitelisting www.apple.com is the only consistent way to fix this in the short term.  While whitelisting does NOT fix all of Apple's wireless issues, it does fix a huge one at the cost of users browsing the Apple Page.  If you had Amigopod/ClearPass, we also offer a way to fix it here via a special URL  http://www.arubanetworks.com/wp-content/uploads/Amigopod-CNA-bypass-AppNote.pdf?repo=tech

If you don't have a Captive Portal at home, you probably won't see this issue.

Did you receive any word from Apple on the arp issue? We've been struggling with the same issue for a while.

I haven't heard anything yet, but I am scheduled to get a call around noon today CST.  Unfortunately I expect them to say that they haven't found anything yet, but I will post whatever response they do give. 

Apple did call the other day and said that the ARP issue was a known defect. 

While they did not give me an indication that the issue was fixed in iOS 6.1, when 6.1 came out on Monday I installed it.  For the last two days, I have not had a problem with the captive portal.  While two days without an issue does not mean it's fixed definitively, it is a good sign.

It's been a week since I upgraded to iOS 6.1 and the captive portal is working flawlessly.  I never did hear from Apple beyond the first call back (no surprise there), but I think it is safe to say that the issue is fixed.

I hwve white listed apple.com per the bottom section, and appears to have my issue resolved. Give it a go..