Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Aruba IAP : Users are unable to ping the gateway

  • 1.  Aruba IAP : Users are unable to ping the gateway

    Posted Mar 28, 2018 01:16 AM

    Hi guys,

    I have an Aruba IAP 225. A DHCP server is configured for a certain VLAN in the IAP itself, and an open SSID is created and associated with that VLAN.

    Users are getting an IP address when they connect to the SSID, but they are not even able to ping the gateway, although we could easily ping the gateway from the IAP itself.

    Then, from the IAP I could also ping the internet using only IP addresses, but the ping is dropped when we use a hostname.

    We can see that DNS resolution is failing, and we are using the global DNS 8.8.8.8 as DNS.

    Any idea what could be the problem? Any help is much appreciated.



  • 2.  RE: Aruba IAP : Users are unable to ping the gateway

    Posted Mar 30, 2018 07:07 PM
    What are your role ACLs? Do you allow ICMP and DNS in your role?


  • 3.  RE: Aruba IAP : Users are unable to ping the gateway

    Posted Apr 01, 2018 12:27 PM

    When you say "certain VLAN", do you mean the VLAN is inside the IAP or exists on the network/wired side?

    If the latter, check your routing config.

    For the IAP not being able to access hostnames, check your ISP DNS server; in some cases, the ISP won't allow DNS using other servers (especially in Indonesia).

    -Yopianus Linga-



  • 4.  RE: Aruba IAP : Users are unable to ping the gateway

    Posted Apr 02, 2018 06:47 AM

    Hi guys, thanks for your time.

    @pmonrado, the role is authenticated, and yes, both ICMP and DNS are allowed.

    @Yopianus Linga, the VLAN is present on the wired side, and on the IAP we have configured a DHCP scope for that particular VLAN.

    The problem is that once users are connected to the SSID, they are not even able to ping the gateway of that VLAN, but the same is possible from the IAP.



  • 5.  RE: Aruba IAP : Users are unable to ping the gateway

    MVP EXPERT
    Posted Apr 02, 2018 06:59 AM

    Hey, might be worth letting us know a little about how the IAP is connected? Is the IAP on a trunk port, what is the native VLAN and what is the VLAN for the client in question? Where is the default gateway for the client located, is this on the core switch or a firewall? Do you have any restrictions or ACLs on the default gateway which deny ICMP from certain VLANs or subnets? Do the clients have an ARP entry for the default gateway?



  • 6.  RE: Aruba IAP : Users are unable to ping the gateway

    Posted Apr 02, 2018 07:15 AM

    Hi Zalion0,

    i. No, the IAP is connected to an access port that has VLAN '372' tagged into it.

    ii. The native VLAN is VLAN-1, and the VLAN in question is VLAN-372.

    iii. The clients' (VLAN) gateway is on the core switch and no traffic is being restricted. The network has full access to the internet and other resources.

    iv. Do the clients have an ARP entry for the default gateway?

         I didn't get this.



  • 7.  RE: Aruba IAP : Users are unable to ping the gateway

    MVP EXPERT
    Posted Apr 02, 2018 10:04 AM

    Is using an Access Port as opposed to a Trunk port by design?



  • 8.  RE: Aruba IAP : Users are unable to ping the gateway

    Posted May 14, 2018 11:36 PM
    Having a similar issue. Deployed 10 IAP225s using one as a virtual controller. Users connect and browse fine until they roam to another WAP. The issue exists on an open SSID as well as a password-protected SSID. They join the other WAP strongly, but cannot at that point ping the gateway. APs are all on trunks with the proper VLAN tagged. Clients just seem to prefer the first WAP they connect to. I checked in the switch (Juniper EX) to see if it was blocking MAC moves, but the switch is allowing and logging MAC moves to other interfaces. Really scratching my head here. Going to try deleting and re-adding SSIDs tonight.

    Have started a TAC case, but so far everything seems well as far as signal and connection.