Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

WiFi Calling on IAP-105

  • 1.  WiFi Calling on IAP-105

    Posted Sep 07, 2017 05:06 AM

    Dear All,

     

    We have a few IAP-105 installed and would like to use WiFi-Calling for our mobile phones. Current FW is 6.4.2.6-4.1.3.0_54915. I think FW must be at least 6.5. Is there anything else to be considered?

     

    Thank you  



  • 2.  RE: WiFi Calling on IAP-105

    MVP EXPERT
    Posted Sep 07, 2017 05:31 AM

    Hey, which implementation of Wifi Calling are you referring to? I can use the Apple Wifi Calling on my IAP105 running 6.4.4.8 without issues. You just need to allow UDP500 + UDP4500 on the assigned User Role.



  • 3.  RE: WiFi Calling on IAP-105

    Posted Sep 07, 2017 06:23 AM

    Thanks,

    I would like to use WiFi Calling on Apple devices. I have now created a rule "Allow any to server FW for WiFi Traffic" but "WiFi calling" still does not appear on my iPhone.

    At my home all is fine.

     

    Any help is appreciated.



  • 4.  RE: WiFi Calling on IAP-105

    MVP EXPERT
    Posted Sep 07, 2017 06:27 AM

    Hey, that should be it. The only other items which might be a problem are that an upstream device such as a firewall is blocking it, that Wifi Calling isn't enabled on the device, or that it is not enabled by the carrier.


    You can confirm if you receive a reply for the UDP4500/UDP500 packet by running the following on the CLI of the IAP. If you see a Y flag, then the 3-way handshake has not occurred correctly.

     

    #show datapath session | include XXXX (XXXX = IP of device)


  • 5.  RE: WiFi Calling on IAP-105

    Posted Sep 07, 2017 07:47 AM

    Thanks,

     

    WiFi Calling works fine at my home WiFi. It should be fine on the device and on carrier side.

     

    IP of device means IP of the iPhone?



  • 6.  RE: WiFi Calling on IAP-105

    MVP EXPERT
    Posted Sep 07, 2017 08:35 AM

    That's correct, the IP which is assigned to the device. Do you have any further information on your network? Is there a firewall sitting upstream from your IAPs?



  • 7.  RE: WiFi Calling on IAP-105

    Posted Sep 07, 2017 09:20 AM

    thanks,

     

    this is the "show datapath session output":

    # show datapath session | include 192.168.51.35
    192.168.51.35     17.252.92.30    6    49354 443   0    0    0   6   dev3        6744 SC
    192.168.51.35     62.157.140.73   6    49384 443   0    0    0   11  dev3        352  SC

     

    The IP address of the iPhone is 192.168.51.35.

     

    Traffic from the APs will be routed to a FW. On the FW IPSec is allowed for in- and outbound traffic.

     



  • 8.  RE: WiFi Calling on IAP-105

    MVP EXPERT
    Posted Sep 07, 2017 09:35 AM

    Hey, there is no UDP4500/UDP500 traffic in that output so it's not attempting to establish the Wifi Calling?



  • 9.  RE: WiFi Calling on IAP-105

    Posted Sep 07, 2017 09:49 AM

    Thanks,

     

    when my iPhone is connected to my WiFi at home I am getting an indication on the top of the screen "WiFi Calling".

     

    I do not get this indication at the office. I assume that "WiFi" Calling is not active at the office.



  • 10.  RE: WiFi Calling on IAP-105

    MVP EXPERT
    Posted Sep 07, 2017 10:14 AM

    If possible could you share the User Role which is assigned to the phone? We can then check the firewall rules. 


    Do you even see a UDP4500/UDP500 connection on your upstream firewall?



  • 11.  RE: WiFi Calling on IAP-105

    Posted Sep 07, 2017 10:24 AM

    Thanks

     

    Unbenannt.JPG

    10.110.31.222 is the upstream firewall.



  • 12.  RE: WiFi Calling on IAP-105

    MVP EXPERT
    Posted Sep 07, 2017 10:39 AM

    From the IAP perspective this should work, you're not blocking the traffic on the IAP. So all should work as expected. Essentially it is just a L3 connection going out. 

    Sorry to ask again but do you see the traffic on your upstream firewall?



  • 13.  RE: WiFi Calling on IAP-105

    Posted Sep 07, 2017 11:04 AM

    thanks,

     

    on the FW I cannot see any IPSec traffic.

     

    On the FW I have configured a customized service group IPsec:

    UDP SRC PORT 0-65535, DST PORT 4500-4500

    UDP SRC PORT 0-65535, DST PORT 500-500

     

    I have 2 rules:

     

    From Untrust to Trust

    Any -> Service Group IPsec -> All APs and WiFi Controller

     

    From Trust to Untrust

    All APs and WiFi Controller  -> Service Group IPsec -> Any

     

     

     



  • 14.  RE: WiFi Calling on IAP-105

    MVP EXPERT
    Posted Sep 07, 2017 11:17 AM

    On the firewall are you allowing the client VLANs? That firewall rule only shows the AP and controller(?). What do you see in the firewall logs?



  • 15.  RE: WiFi Calling on IAP-105

    Posted Sep 08, 2017 05:00 AM

    thanks,

     

    FW and WiFi equipment are in the same VLAN. Is anything else required?

     

    I think it should be sufficient to allow APs and the controller only access through the FW.

     

     



  • 16.  RE: WiFi Calling on IAP-105

    MVP EXPERT
    Posted Sep 08, 2017 05:05 AM

    You would need to allow the client VLAN access on the firewall to permit the UDP500/UDP4500 traffic. As a test, in your User Role rules on the IAP, set the traffic to be src-nat behind the IAP.



  • 17.  RE: WiFi Calling on IAP-105

    Posted Sep 08, 2017 05:57 AM

    Thanks, I have changed to "src-nat" but it will not be accepted and turns back to "allow".

    As all wireless clients can use HTTP/HTTPS the FW rules should be ok basically.

    I am afraid that this has something to do with IPsec and NAT. 



  • 18.  RE: WiFi Calling on IAP-105

    MVP EXPERT
    Posted Sep 08, 2017 06:07 AM

    Agreed but you still ideally need to confirm the following as this is what we know so far

     

    - Your show datapath session on the IAP does not show any UDP500/UDP4500 traffic from the client.

    - We do not know if your firewall logs show any UDP500/UDP4500 traffic from the client.

    - The below statement does not confirm if the firewall allows UDP500/UDP4500 traffic.

     

    "As all wireless clients can use HTTP/HTTPS the FW rules should be ok basically"

     

    I have replicated the same in my lab. My IAP rules allow UDP500/UDP4500, my FW rules allow UDP500/UDP4500, my firewall src-nats the traffic behind the public IP, and all works without issues :)

     



  • 19.  RE: WiFi Calling on IAP-105

    Posted Sep 08, 2017 06:20 AM

    I could change the user rule to "Source-NAT" now.

     

    Unbenannt.JPG

     

    "show datapath session" shows:

     


    DSS-AP-3-1# show datapath session | include 192.168.51.35
    192.168.51.35     17.173.254.222  17   16403 16384 0    0    0   1   dev3        7a   FSC
    192.168.51.35     17.173.254.223  17   16403 16386 0    0    0   1   dev3        7a   FSC
    192.168.51.35     17.173.254.222  17   16403 16385 0    0    0   1   dev3        7a   FSC
    192.168.51.35     17.252.92.82    6    52405 443   0    0    0   1   dev3        513  SC
    192.168.51.35     62.157.140.73   6    52417 443   0    0    0   7   dev3        262  SC
    192.168.51.35     8.8.8.8         17   52209 53    0    0    0   0   dev3        9    FSCI
    DSS-AP-3-1#

     

     

    BTW: thanks a lot for your continuing support and your patience



  • 20.  RE: WiFi Calling on IAP-105

    MVP EXPERT
    Posted Sep 08, 2017 06:30 AM

    Hey, glad to help! :) 

    You will need to change the rule which will match the UDP500/UDP4500 traffic, so from your previous screenshots this is your ANY ANY ANY rule. Set this one to source NAT the traffic. The reason for this is you mentioned previously that UDP500/UDP4500 traffic is only permitted from the IAP (not the client VLAN), so the traffic will now be presented with the src IP of the IAP.


    However in theory all of the above shouldn't be required if the upstream firewalls are still correct.

    There is still no UDP500/UDP4500 traffic in that datapath capture. Just a note, the command will only show the traffic at that given moment. So you may need to keep entering the datapath session command until you see the 500/4500 traffic.
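
An added example, not part of any post in this thread and not Aruba's code: a small Python check that scans saved `show datapath session` output for the UDP500/UDP4500 sessions discussed above and reports any that carry the Y flag. The column order (source, destination, protocol, source port, destination port, flags last) is an assumption read off the rows quoted in the thread, and the 203.0.113.10 row is constructed.

```python
import ipaddress

UDP = 17
IKE_PORTS = {500, 4500}  # UDP500 / UDP4500, the ports named in the thread

# Rows quoted in post 19 of the thread (abridged).
THREAD_OUTPUT = """\
DSS-AP-3-1# show datapath session | include 192.168.51.35
192.168.51.35     17.173.254.222  17   16403 16384 0    0    0   1   dev3        7a   FSC
192.168.51.35     17.252.92.82    6    52405 443   0    0    0   1   dev3        513  SC
192.168.51.35     8.8.8.8         17   52209 53    0    0    0   0   dev3        9    FSCI
DSS-AP-3-1#
"""
# Constructed row (203.0.113.10 is a documentation address): a UDP4500 flow
# carrying the Y flag that the thread says to look out for.
CONSTRUCTED_ROW = "192.168.51.35     203.0.113.10    17   4500  4500  0    0    0   1   dev3        5    FYC\n"


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_sessions(output):
    """Return session rows as dicts; CLI prompts and other lines are skipped."""
    rows = []
    for line in output.splitlines():
        f = line.split()
        if len(f) >= 6 and _is_ip(f[0]) and _is_ip(f[1]) and all(x.isdigit() for x in f[2:5]):
            rows.append({"src": f[0], "dst": f[1], "proto": int(f[2]),
                         "sport": int(f[3]), "dport": int(f[4]), "flags": f[-1]})
    return rows


def wifi_calling_flows(output, client_ip):
    """UDP sessions to or from client_ip that use port 500 or 4500."""
    return [r for r in parse_sessions(output)
            if client_ip in (r["src"], r["dst"]) and r["proto"] == UDP
            and IKE_PORTS & {r["sport"], r["dport"]}]


def summarize(output, client_ip):
    """Report whether the client attempted the tunnel and which flows show Y."""
    flows = wifi_calling_flows(output, client_ip)
    return {"attempted": bool(flows),
            "y_flagged": [r for r in flows if "Y" in r["flags"]]}
```

Because the command only shows sessions present at that moment, collect the output several times while toggling WiFi Calling on the phone and run `summarize` over the concatenated text.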



  • 21.  RE: WiFi Calling on IAP-105

    Posted Sep 08, 2017 08:20 AM

    Thanks

     

    These are the rules on the IAP:

     

    Unbenannt.JPG  

     

    This is the rule for traffic going to the FW:

     

    Unbenannt.JPG

    I think this rule covers any traffic (also UDP500/4500) going to the FW.

    It has been set to source NAT this traffic.

     

    I think the client IP address will be NATted twice. The client receives an IP through DHCP from the AP / Virtual Controller. In my case it is any address from 192.168.51.0/24. The AP / Virtual Controller will NAT the address to an address within 10.110.31.0/24. The FW will NAT the 10.110.31.0/24 address to our public IP address.

    Is my understanding correct so far?

     

     



  • 22.  RE: WiFi Calling on IAP-105

    MVP EXPERT
    Posted Sep 08, 2017 08:55 AM

    Remove the 10.110.31.222 rule and add the src-nat rule to the last rule (again this shouldn't be needed).

     

    You still need to check if this traffic is even arriving at your firewall. If it does, what does it say in the logs?

     

    Why don't you as a test remove all the rules from your IAP and just add an ANY ANY ANY, this way the IAP will not block the traffic.