IdentiFi: wireless client can ping EWC, but can't ping gateway

  • 0
  • 1
  • Problem
  • Updated 2 weeks ago
  • Solved
  • (Edited)
Hello, everybody,

At last, I've configured my clients to get correct IPs from DHCP server using relay.

Everything looks fine, but I can't ping outside world from clients, (while could ping EWC).

From EWC I can ping outside networks and can ping wireless clients.

How could I allow wireless clients to reach their gateways?

Access mode for all Roles is "Containment VLAN", all WLAN Topologies are EWC.

Many thanks in advance,

Ilya
Photo of Ilya Semenov

Ilya Semenov

  • 4,384 Points 4k badge 2x thumb

Posted 11 months ago

  • 0
  • 1
Photo of Ronald Dvorak

Ronald Dvorak, Embassador

  • 45,004 Points 20k badge 2x thumb
Please provide a network diagram.
Photo of Ilya Semenov

Ilya Semenov

  • 4,384 Points 4k badge 2x thumb
Hi, Ronald,

is it OK?
(Edited)
Photo of Ronald Dvorak

Ronald Dvorak, Embassador

  • 45,004 Points 20k badge 2x thumb
Are you able to ping the core = 10.10.32.1 from the client 10.10.32.6 ?
Photo of Ilya Semenov

Ilya Semenov

  • 4,384 Points 4k badge 2x thumb
No, I am not able to ping a client from the Core.

Wireless clients ping EWC and each other only.

EWC could ping Core and wireless clients.

This is my controller configuration:
https://cloud.mail.ru/public/BYKk/4JdF7rZen
(Edited)
Photo of Ronald Dvorak

Ronald Dvorak, Embassador

  • 45,004 Points 20k badge 2x thumb
Check the MAC table on the X670, did the switch learn the client MAC on the port that is connected to ESA0 in VLAN38 or is the MAC learned in another VLAN?
Photo of Ilya Semenov

Ilya Semenov

  • 4,384 Points 4k badge 2x thumb
I did - these are MACs of esa0:

VR-Default    10.11.32.2       00:15:5d:0d:a6:1d   11      NO  Vlan39        39    45
VR-Default    10.10.32.2       00:15:5d:0d:a6:1d    0      NO  Vlan38        38    45


esa000:15:5D:0D:A6:1D  V22(u), V38, V39 (this is copypaste from EWC)
(Edited)
Photo of Ronald Dvorak

Ronald Dvorak, Embassador

  • 45,004 Points 20k badge 2x thumb
Ok,so the switch doesn't learn the client MAC.

Could you post a screenshot of the role settings for VLAN38 and also the rule config for that role.
Photo of Ilya Semenov

Ilya Semenov

  • 4,384 Points 4k badge 2x thumb
Yes, it doesn't.

Please, see the attached screenshots below.

There are no Policy Rules configured for any Roles.



Photo of Ronald Dvorak

Ronald Dvorak, Embassador

  • 45,004 Points 20k badge 2x thumb
I think there it's a configuration issue on the HyperV.

The thing is from the above posts it's not clear what IPs you ping = what is working.

Could you please run the following and let me know the result..
- from the X670 ping 10.10.32.2 and 10.11.32.2
- from the controller, in the GUI with the ping utility checkmark the advanced option and select topology VLAN 38 as the ping source interface and ping 10.10.32.1 (the IP of the X670 in VLAN38).
Photo of Ostrovsky, Yury

Ostrovsky, Yury, Employee

  • 3,050 Points 3k badge 2x thumb
I believe the VM environment was the issue in Ilia's case . Vince - what topology you are using - is that tunneling back to controller or bridging to AP? And second question (in case the firs answer will be : tunneling) - what controller do you use - hardware or VM . If VM - what type of VM - VmWare or HyperV. 
Photo of Vince Hoon

Vince Hoon

  • 160 Points 100 badge 2x thumb
I'm using VM ESXi ver5.5

There is a problem while configuring AP and Virtual Controller, here’s model details:

Controller: Virtual Controller V2110

AP: WS-AP3935i-ROW


Scenario:

-admin port: 192.168.18.X/24

-physical port: 10.0.0.X/24, vlan 101

-test_topology: 10.10.10.X/24,

  Gateway: 10.10.10.251
  vlan 10 [Mode: Bridge traffic at EWC]

 

Problem:

-AP is detected on controller.

-Client connected to AP, but unable to access internet.

 

Action Taken:

-Verified on network, no issue.

-Trace route from client to internet was timeout at controller.
Photo of Ronald Dvorak

Ronald Dvorak, Embassador

  • 45,004 Points 20k badge 2x thumb
Is promiscuous mode enabled as instructed in the V2110 Installation guide.
Photo of Ronald Dvorak

Ronald Dvorak, Embassador

  • 45,004 Points 20k badge 2x thumb
Are you able to ping the controller IP 10.10.10.x to the default GW
Photo of Vince Hoon

Vince Hoon

  • 160 Points 100 badge 2x thumb
Hi Ronald,

The issue resolved. I found that not only promiscuous mode need to be enable, the rest of security need to be enabled and accept also.
Thanks for your help.