Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Troubleshooting Cable Modem Directly Connected to Controller

  • 1.  Troubleshooting Cable Modem Directly Connected to Controller

    Posted Apr 30, 2013 03:16 PM

    I've got two different sites that are experiencing the same problem. At both sites we have a 620 controller running 6.1.3 which is directly connected to a Cox cable modem. The port is configured access VLAN 1 and interface VLAN 1 is a static public IP address. That same IP address works fine if configured on a laptop directly connected to the modem, but doesn't communicate from the controller. Am I missing something simple here? Cox says that they do not see any MAC addresses coming from our router. I configured a Cisco router using the same config & it was able to communicate through the cable modem. The only difference was the Cisco had a L3 interface rather than a switchport. Thanks in advance.



  • 2.  RE: Troubleshooting Cable Modem Directly Connected to Controller

    Posted May 01, 2013 08:04 AM

    The most obvious thing I can think of is that the controller had no reason to send traffic out of the link?

     

    Is the controller routing user traffic out that way? If so, can you post on here the following info...

     

    Controller IP routing table.

    Controller IP interface info.

    VLAN info.

    Physical interface configs.

    Config that shows the controller is the router for the user, by way of NAT, DHCP or however you're doing it?

     

    The whole config would be ideal?!?



  • 3.  RE: Troubleshooting Cable Modem Directly Connected to Controller

    Posted May 01, 2013 01:08 PM

    Is the controller acting as the default gateway for your connected devices?  If so, you'll need a default route in place.



  • 4.  RE: Troubleshooting Cable Modem Directly Connected to Controller

    Posted Aug 12, 2013 02:20 PM

    Guys, sorry for not getting back to you on this. The issue was resolved by the provider, but we have actually encountered the same issue twice since then. The provider pretty much blames our equipment every time, but I can't argue with the fact that they do not see any MAC addresses coming from the controller to the modem.

     

    The controller is configured with a default route. It is a local controller and has an IPSEC tunnel back to the master at another site. The local controller is the default gateway for all wired & wireless clients. I'm going to be onsite later today to troubleshoot some more.

     

    Is there anything else on the controller side that could be causing this? I'll watch this thread closely going forward. Thanks in advance.



  • 5.  RE: Troubleshooting Cable Modem Directly Connected to Controller

    EMPLOYEE
    Posted Aug 12, 2013 05:41 PM

    @Clayman wrote:

    Guys, sorry for not getting back to you on this. The issue was resolved by the provider, but we have actually encountered the same issue twice since then. The provider pretty much blames our equipment every time, but I can't argue with the fact that they do not see any MAC addresses coming from the controller to the modem.

     

    The controller is configured with a default route. It is a local controller and has an IPSEC tunnel back to the master at another site. The local controller is the default gateway for all wired & wireless clients. I'm going to be onsite later today to troubleshoot some more.

     

    Is there anything else on the controller side that could be causing this? I'll watch this thread closely going forward. Thanks in advance.


    Clayman,

     

    If you are trying to do a site-to-site VPN, between a controller at a local site and a headend site, there are a few requirements to make  it work properly:

     

    #1  The Remote Controller's switchip VLAN must be one that is fully routable within your organization.  For example, if your company's internal network is 172.16.0.0 and the VLAN at that site is 172.16.2.x, the controller's management ip address must be something like 172.16.2.1.  It cannot be the garden-variety 192.168.1.x, otherwise it will not work.  Make sure that you have the "controller-ip" command point to this ip address or VLAN.  This is so that source traffic, like the controller's ip address will easily be answerable by resources on the corporate side when pings, radius and SNMP are put into place.

    #1a You can also need to have a VLAN 999 that has the ip address of the local subnet (THAT can be 192.168.1.x) which could either be a public ip address or a private ip address that connects to the SOHO router.  Your default gateway on that remote controller will be the hop beyond that public ip address or the SOHO router that is doing the routing.

    #2,  There must be a route on that remote controller, pointing for your corporate networks for the ipsec MAP that is created between the controllers so that local clients can access corporate resources.  The ipsec statements will automatically create a route to a network on the far side.   Any other networks that need to be reached across that tunnel need to be accessed via a static route that points to the route map.

    #3,  There must be a static route in your infrastructure on your  corporate side router pointing to the controller that has the corporate side of the ipsec tunnel, in order to find that subnet (ip route 172.16.2.x 255.255.255.0 <ip address of corp controller>).

    #4,  There is usually a route automatically generated on the corporate side of the network in the corporate controller (172.16.2.X in our example) as a result of the ipsec map that is created.

     

    Use "show datapath session table <ip address>" when pinging to determine the source and destination addresses of traffic when troubleshooting passing traffic across the tunnel.

     



  • 6.  RE: Troubleshooting Cable Modem Directly Connected to Controller

    Posted Sep 14, 2015 12:03 PM

    Hi Guys, I'm resurrecting this old thread because I'm once again encountering the same problem with this controller. Here is a quick recap on the situation. I'm literally days away from pulling this 620 controller out & replacing it with another.

     

    1) 620 Controller has been in place for several years in a residence. The master is at another residence. Both locations have static IP's. Both are using the same provider.

     

    2) Over the years, periodically, internet connectivity will cease. The provider says that the modem is up & everything looks good however they do NOT see any MAC addresses being learned from the controller, but there is link. Over the years we have rebooted everything countless times. Usually the only way to resolve the issue was to reboot both the modem & controller & clear the arp cache on the modem.

     

    3) We have had the provider's technicians out numerous times to troubleshoot signal & wiring. The modem has literally been replaced 3 times. The controller is running the newest code that it can run & still use AirGroup (6.1.3.4-AirGroup).

     

    4) Approximately 1.5 years ago, on a whim I put a cheap 4-port Netgear switch between the modem & controller. From that point on, the connectivity was rock solid until the residence was remodeled and everything was pulled out. The Netgear was misplaced and I put in a cheap Linksys router/switch instead. Disabled routing, WIFI & firewall functionality. Only functioning as a switch at this point. Still having the same problem.

     

    Here are some config snippets for reference:

    interface gigabitethernet  1/8
    	description "PUBLIC"
    	trusted
    	trusted vlan 1-4094
    	ip access-group "pubprotect-hun" session
    	spanning-tree portfast
    !
    interface vlan 1
    	ip address <STATIC REMOVED> 255.255.255.224
    	operstate up
    	description "COX-PUBLIC"
    !
    interface vlan 41
    	ip address 192.168.77.7 255.255.255.0
    	ip nat inside
    	operstate up
    	description "PRIVATE-LAN"
    !
    interface vlan 42
    	ip address 192.168.42.1 255.255.255.0
    	no ip routing
    	ip nat inside
    	operstate up
    	description "GUEST-LAN"
    !
    ip default-gateway <DG REMOVED>
    no uplink wired vlan 1
    uplink disable
    ip route 72.89.131.122 255.255.255.255 ipsec default-local-master-ipsecmap
    ip route 192.168.0.0 255.255.255.0 ipsec default-local-master-ipsecmap
    ip route 192.168.21.0 255.255.255.0 ipsec default-local-master-ipsecmap
    ip route 192.168.31.0 255.255.255.0 ipsec default-local-master-ipsecmap
    ip route 192.168.51.0 255.255.255.0 ipsec default-local-master-ipsecmap
    !
    !
    (aructrl-hunt) #show ip route
    
    Codes: C - connected, O - OSPF, R - RIP, S - static
           M - mgmt, U - route usable, * - candidate default
    
    Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
    Gateway of last resort is <DG REMOVED> to network 0.0.0.0 at cost 1
    S*    0.0.0.0/0  [1/0] via <DG REMOVED>*
    S    72.89.131.122/32 [1/0] ipsec map default-local-master-ipsecmap
    S    192.168.0.0/24 [1/0] ipsec map default-local-master-ipsecmap
    S    192.168.21.0/24 [1/0] ipsec map default-local-master-ipsecmap
    S    192.168.31.0/24 [1/0] ipsec map default-local-master-ipsecmap
    S    192.168.51.0/24 [1/0] ipsec map default-local-master-ipsecmap
    C    184.189.107.160 is directly connected, VLAN1
    C    192.168.77.0 is directly connected, VLAN41
    C    192.168.42.0 is directly connected, VLAN42
    C    184.186.213.116 is an ipsec map default-local-master-ipsecmap
    !
    !
    ---------------------------------------------
    AFTER CLEARING COUNTERS:
    !
    GE 1/8 is up, line protocol is up
    Hardware is Gigabit Ethernet, address is 00:1A:1E:21:E7:B9 (bia 00:1A:1E:21:E7:B9)
    Description: PUBLIC (RJ45 Connector)
    Encapsulation ARPA, loopback not set
    Configured: Duplex ( AUTO ), speed ( AUTO )
    Negotiated: Duplex (Full), speed (1000 Mbps)
    MTU 1500 bytes, BW is 1000 Mbit
    Last clearing of "show interface" counters 0 day 0 hr 0 min 8 sec 
    link status last changed 0 day 0 hr 17 min 45 sec 
        33 packets input, 2164 bytes
        Received 33 broadcasts, 0 runts, 0 giants, 0 throttles
        0 input error bytes, 0 CRC, 0 frame
        2 multicast, 0 unicast
        12 packets output, 768 bytes
        0 output errors bytes, 0 deferred
        0 collisions, 0 late collisions, 0 throttles
    This port is TRUSTED 

    I've tried removing the ACL on G1/8, but that makes no difference. It's just a session ACL that allows inbound communication from the other controllers.

     

    So, basically the config hasn't really changed over the years, but the issue continues to occur. At first I was certain that it was a provider problem, but I'm at the point where I want to throw this controller out the window. Has anyone run into this before? Any thoughts before I swap out this 620? Thanks in advance!
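
Added example, not part of any post in this thread: a small Python parser for the "show interface" counter block posted above. It flags the pattern visible in those counters, a port that is up and transmitting but has received no unicast frames. The function names and classification labels are assumptions made for illustration.

```python
import re

# Counter lines copied from the "show interface" output posted in this thread.
SAMPLE = """\
GE 1/8 is up, line protocol is up
    33 packets input, 2164 bytes
    Received 33 broadcasts, 0 runts, 0 giants, 0 throttles
    0 input error bytes, 0 CRC, 0 frame
    2 multicast, 0 unicast
    12 packets output, 768 bytes
    0 output errors bytes, 0 deferred
    0 collisions, 0 late collisions, 0 throttles
"""

# Counter name -> regex capturing its integer value (names are illustrative).
PATTERNS = {
    "rx_packets": r"(\d+) packets input",
    "rx_broadcast": r"Received (\d+) broadcasts",
    "rx_unicast": r"(\d+) unicast",
    "rx_crc": r"(\d+) CRC",
    "tx_packets": r"(\d+) packets output",
    "tx_errors": r"(\d+) output errors",
    "collisions": r"(\d+) collisions",
}

def parse_counters(text):
    """Return a dict of the counters found; raise if one is missing."""
    counters = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"counter not found: {name}")
        counters[name] = int(m.group(1))
    return counters

def diagnose(text):
    """Classify the port from its link state and counters."""
    c = parse_counters(text)
    if "is up, line protocol is up" not in text:
        return "link-down"
    if c["rx_crc"] or c["tx_errors"] or c["collisions"]:
        return "physical-errors"
    # Frames leave the port but nothing addressed to it comes back.
    if c["tx_packets"] > 0 and c["rx_unicast"] == 0:
        return "tx-without-unicast-rx"
    return "bidirectional"

if __name__ == "__main__":
    print(parse_counters(SAMPLE), diagnose(SAMPLE))
```
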

     

     



  • 7.  RE: Troubleshooting Cable Modem Directly Connected to Controller

    Posted Sep 14, 2015 01:32 PM

    Clayman,

     

    If you are trying to do a site-to-site VPN, between a controller at a local site and a headend site, there are a few requirements to make  it work properly:

     


    Colin, to address your points, which were all good, I'm not having any issues routing traffic between sites WHEN the internet connectivity is working. When I have this issue, the IPSEC tunnel goes down & I've got no connectivity except LAN.



  • 8.  RE: Troubleshooting Cable Modem Directly Connected to Controller

    Posted Nov 09, 2016 09:17 PM

    I've got the exact same problem going on.  Cox is the internet service provider.  When you resolved this do you recall what they did to fix it?  I've tried everything but can't seem to get this working when connecting my controller to the cable modem.



  • 9.  RE: Troubleshooting Cable Modem Directly Connected to Controller

    Posted Nov 10, 2016 12:16 PM

    rpidcock@bankrcb.net wrote:

    I've got the exact same problem going on.  Cox is the internet service provider.  When you resolved this do you recall what they did to fix it?  I've tried everything but can't seem to get this working when connecting my controller to the cable modem.


    The "fix" is the same every single time. Cox has to clear the ARP cache on the modem & many times restart the modem. Sometimes they have to clear ARP cache twice. No changes are ever needed on the controller itself.



  • 10.  RE: Troubleshooting Cable Modem Directly Connected to Controller

    Posted Nov 10, 2016 12:44 PM

    I wish I could say that worked for me.  I can't tell you how many times I had Cox clear the arp cache yesterday; accompanied by me trying every variant of configuring an IP on my controller.  I've tried static and dhcp, on VLAN 1 vs. another vlan.  Nothing seems to work.  It works between my laptop and the cable modem, or my laptop and the controller, but not between the controller and the cable modem.



  • 11.  RE: Troubleshooting Cable Modem Directly Connected to Controller

    Posted Nov 10, 2016 03:17 PM

    The only other thing that I've had success with is putting a cheap, dumb switch in between the modem & router. For whatever reason the Cox service remained stable for all the time that switch was in place. No idea why.



  • 12.  RE: Troubleshooting Cable Modem Directly Connected to Controller

    Posted Nov 10, 2016 03:20 PM

    Thanks for the feedback.  I may very well give that a try.

     

    Thanks,



  • 13.  RE: Troubleshooting Cable Modem Directly Connected to Controller

    Posted Nov 10, 2016 03:24 PM

    Good luck! Let me know how it goes. Also, what kind of controller are you using? Mine was a 620. I have other locations using the same controller, running the same AOS and connected to Cox Business with no issues.



  • 14.  RE: Troubleshooting Cable Modem Directly Connected to Controller

    EMPLOYEE
    Posted Nov 10, 2016 09:40 PM

    rpidcock@bankrcb.net wrote:

    I wish I could say that worked for me.  I can't tell you how many times I had Cox clear the arp cache yesterday; accompanied by me trying every variant of configuring an IP on my controller.  I've tried static and dhcp, on VLAN 1 vs. another vlan.  Nothing seems to work.  It works between my laptop and the cable modem, or my laptop and the controller, but not between the controller and the cable modem.


    You should type "show arp" after you attempt to ping the default gateway to see if the mac address for that ip address is even installed in the ARP table.  You should also make sure that there are no ACLs on that port or that interface.  Also, do not plug the ethernet port into a GBIC on the controller, because it will not negotiate anything besides 1000/full...