Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Slow AP performance when connected over Juniper VPN

  • 1.  Slow AP performance when connected over Juniper VPN

    Posted Jan 26, 2015 10:15 AM

    Hi All,

    As the title suggests, I've been having an issue with several APs that we have sent to regional sites that are connected via a Juniper VPN. I was wondering if anyone else has experienced this issue or would have any suggestions.

    When the AP is connected to the local network it contacts the controller as expected, picks up the desired config and broadcasts the SSIDs. The issue is that any client connected to the SSID(s) experiences awful bandwidth speeds (e.g. 0.009Mbps d/l).

    I thought maybe this was down to MTU size, as pings were being fragmented down to 1473, but adjusting the AP profile to reflect this made no difference.

    The APs are connecting to the regional master controller and are not configured as RAPs, so they're using the hub sites' corporate/internet connections.

    Configuring the APs as RAPs also does not work, as the IPsec does not create a tunnel.

    I have connected the same AP to our DMZ controller so the connection is purely over the internet, and the client connection speed is much more respectable (~40Mbps d/l), so this is what makes me think the Juniper VPN may be causing an issue here.

    We have similar sites in the UK that are connected via Checkpoint firewalls, but they do not suffer the same issues.

    Any suggestions are greatly appreciated.

    Thanks.



  • 2.  RE: Slow AP performance when connected over Juniper VPN

    Posted Jan 26, 2015 12:02 PM

    Can you try to configure that AP SSID in bridge mode?

    Just create a new test VAP and put it in bridge mode (captive portal won't work in this mode). It's just a test; we can always make it work with split tunnel, but for now, as a test, do it in bridge mode.

    What bridge mode will do is that the AP will use the network on the remote site, which means that the L3 switch or router which is doing the routing takes the decisions.... Your firewall won't notice any difference from a desktop or a wireless client, and it might work.

    With bridge mode it won't build the tunnel and send all the traffic to the controller first; it will just bridge and send it to the default gateway on your remote site.

    Cheers

    Carlos



  • 3.  RE: Slow AP performance when connected over Juniper VPN

    Posted Jan 28, 2016 06:32 AM

    I'm having a similar issue. In my case the very poor performance only occurs when the SSID is encrypted, either with WPA Personal or WEP; open SSIDs or captive portal are fine.

    I have found that reducing the IPsec MSS size on the Juniper firewall improves the situation but does not completely resolve the issue. I have raised a TAC case and they also suggested bridge mode, which I have yet to try.



  • 4.  RE: Slow AP performance when connected over Juniper VPN

    EMPLOYEE
    Posted Jan 28, 2016 07:27 AM
    Decrypt tunnel would also be an option. 



  • 5.  RE: Slow AP performance when connected over Juniper VPN

    Posted Jan 28, 2016 09:58 AM

    I spent 15 mins or so in a remote session with an Aruba Networks engineer; he suggested dropping the AP system MSS to 1200 (the same as the default for RAP). This resolved the issue in my test location, enabling me to remove the Juniper firewall MSS configuration. I am awaiting confirmation from the live location.

    The issue appears to be the number of nested tunnels, i.e. there is a GRE tunnel between the AP and the WLC; this runs within an IPsec tunnel due to Control Plane Security, which in turn runs within an IPsec tunnel between the firewalls. Why Juniper VPN has a particular problem and Checkpoint VPN (in the original post) does not must be something to do with how the traffic is fragmented.
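    The nested-tunnel explanation in the reply above can be checked with a header-overhead calculation. The following Python script is an added example, not from this thread or from Aruba or Juniper; the per-layer sizes (basic GRE, tunnel-mode ESP with AES-CBC and HMAC-SHA1-96, no NAT-T, no IP options) are assumptions, and the real figures depend on the ciphers and options actually negotiated.

```python
import math

# Assumed header sizes in bytes (not from the thread; depend on the real config).
IPV4_HDR = 20
TCP_HDR = 20
GRE_HDR = 4       # basic GRE header, no key/sequence fields (assumption)
ESP_SPI_SEQ = 8   # SPI + sequence number
ESP_IV = 16       # AES-CBC IV (assumption)
ESP_TRAILER = 2   # pad length + next header
ESP_ICV = 12      # HMAC-SHA1-96 integrity check value (assumption)
ESP_BLOCK = 16    # AES block size: plaintext + trailer is padded to a multiple


def gre_tunnel(size):
    """Wrap an IP packet in GRE plus a new outer IPv4 header (AP <-> controller)."""
    return IPV4_HDR + GRE_HDR + size


def esp_tunnel(size):
    """Wrap an IP packet in tunnel-mode ESP plus a new outer IPv4 header."""
    padded = math.ceil((size + ESP_TRAILER) / ESP_BLOCK) * ESP_BLOCK
    return IPV4_HDR + ESP_SPI_SEQ + ESP_IV + padded + ESP_ICV


def wire_size(mss, layers):
    """Bytes on the wire for one full TCP segment after every encapsulation layer."""
    size = IPV4_HDR + TCP_HDR + mss
    for layer in layers:
        size = layer(size)
    return size


def max_mss(path_mtu, layers):
    """Largest MSS whose fully encapsulated segment still fits path_mtu unfragmented."""
    mss = path_mtu
    while mss > 0 and wire_size(mss, layers) > path_mtu:
        mss -= 1
    return mss


# The thread's topology: GRE (AP to controller) inside the CPSec IPsec tunnel,
# inside the site-to-site IPsec tunnel between the firewalls.
NESTED = [gre_tunnel, esp_tunnel, esp_tunnel]

if __name__ == "__main__":
    for mss in (1460, 1200):
        print(f"MSS {mss}: {wire_size(mss, NESTED)} bytes on the wire")
    print(f"largest MSS that fits a 1500-byte path: {max_mss(1500, NESTED)}")
```

    Under these assumptions the default 1460-byte MSS becomes a 1656-byte packet that has to be fragmented at two layers, while 1200 stays well under a 1500-byte path and leaves headroom for options the script ignores (NAT-T, GRE keys, IP options).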