Question

AP-7522 Client Bridging Isn't Working

  • 9 November 2018
  • 45 replies
  • 1599 views


Show first post

45 replies

Full config:

!
! Configuration of AP7522 version 5.9.1.4-004R
!
!
version 2.5
!
!
client-identity-group default
load default-fingerprints
!
ip access-list BROADCAST-MULTICAST-CONTROL
permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
mac access-list PERMIT-ARP-AND-IPv4
permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"
permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"
!
ip snmp-access-list default
permit any
!
firewall-policy default
no ip dos tcp-sequence-past-window
no stateful-packet-inspection-l2
ip tcp adjust-mss 1400
!
!
mint-policy global-default
!
meshpoint-qos-policy default
!
wlan-qos-policy default
qos trust dscp
qos trust wmm
!
radio-qos-policy default
!
!
management-policy default
telnet
no http server
https server
ssh
user admin password 1 role superuser access all
snmp-server community 0 private rw
snmp-server community 0 public ro
snmp-server user snmptrap v3 encrypted des auth md5 0
snmp-server user snmpmanager v3 encrypted des auth md5 0
!
nsight-policy default
!
profile ap7522 default-ap7522
autoinstall configuration
autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface radio1
shutdown
interface radio2
rf-mode bridge
bridge ssid myWireless
bridge encryption-type ccmp
bridge wpa-wpa2 psk 0 myWirelessKey
interface ge1
interface vlan1
ip address dhcp
ip address zeroconf secondary
ip dhcp client request options all
interface pppoe1
use firewall-policy default
use client-identity-group default
logging on
service pm sys-restart
router ospf
adoption-mode controller
!
rf-domain default
country-code us
use nsight-policy default
!
ap7522 B8-50-01-A8-19-50
use profile default-ap7522
use rf-domain default
hostname ap7522-A81950
interface vlan1
ip address 192.168.111.102/24
no virtual-controller
rf-domain-manager capable
no adoption-mode
!
!
end
I'm going to start working on a firmware upgrade now.
Userlevel 5
This all looks correct, Aaron. Hoping that the firmware upgrade gets things going at this point.
Apparently I have to be approved before I can download the latest firmware. Do you know if anyone is monitoring that over the weekend? I don't want to sit and watch my Inbox if nobody is going to get to it until Monday.
Userlevel 5
yes, there is weekend support. Someone should be able to help you with that.
Userlevel 2
Hey Aaron,

Can you test two things:
1. Can the host AP broadcast wlan whereby wireless client like mobile phone is able to scan?
2. Are these internal antenna or external antenna AP, if external, do make sure you have the antenna installed
Hey Aaron,

Can you test two things:
1. Can the host AP broadcast wlan whereby wireless client like mobile phone is able to scan?
2. Are these internal antenna or external antenna AP, if external, do make sure you have the antenna installed
1 - Yes, AP#1 is acting as an access point. I was able to use a laptop to successfully connect to the SSID myWireless and access the network/internet. I have not attempted the same thing with AP#2. I have only attempted client bridging with AP#2.

2 - The 7522 devices have external antennas. I do not currently have the external antennas installed on either AP#1 or AP#2. Are the external antennas required for client bridging?
Userlevel 5
Hey Aaron,

Can you test two things:
1. Can the host AP broadcast wlan whereby wireless client like mobile phone is able to scan?
2. Are these internal antenna or external antenna AP, if external, do make sure you have the antenna installed
Good catch by Madeline! Aaron, not a guarantee, but this could very likely explain what you're seeing. The lack of antennas may be causing the client-bridge AP to not be able to 'hear' any of the candidates APs. Easy to test though, right?
Hey Aaron,

Can you test two things:
1. Can the host AP broadcast wlan whereby wireless client like mobile phone is able to scan?
2. Are these internal antenna or external antenna AP, if external, do make sure you have the antenna installed
Currently I only have 2 antennas, the other 2 are delayed in shipping.

Should I install them on AP#2? Or put 1 antenna on each AP?
Userlevel 5
Hey Aaron,

Can you test two things:
1. Can the host AP broadcast wlan whereby wireless client like mobile phone is able to scan?
2. Are these internal antenna or external antenna AP, if external, do make sure you have the antenna installed
At the very least, you need them installed on the client-bridge AP.
Besides AP#1, are there any close-by APs that have that SSID setup on them that the AP#2 might be able to see and connect to?

If not, then I'd just try installing 1 antenna on AP#1 and AP#2.
I received a response to my request to access the most recent firmware version. I was told I have to first purchase a support contract. Is that really the case? Client bridging is supposed to be a supported feature, and we have to purchase a support contract to access the latest firmware that might fix an existing bug in the firmware that shipped with the AP? If that is the case I think we will have to return these 7522 access points and never purchase Extreme products again. I have not found the process of troubleshooting this issue to be frustrating, especially with the great help you and Madeline have provided, but I find that very frustrating.
I attached the 2 antennas to AP#2, then I reconfigured it to use other existing and known working wireless networks in our office. Neither worked, candidate-ap still is 0 in both cases.

I changed the following:
  • en
  • config t
  • profile ap7522 default-ap7522
  • interface radio 2
  • rf-mode bridge
  • bridge ssid NEWmyWireless
  • bridge wpa-wpa2 psk 0 NEWmyWirelessKey
  • comm wr
Then:
  • en
  • config t
  • profile ap7522 default-ap7522
  • interface radio 2
  • rf-mode bridge
  • bridge ssid NEW2myWireless
  • bridge wpa-wpa2 psk 0 NEW2myWirelessKey
  • comm wr
Any other ideas?
Userlevel 5
Aaron, I'll load up a 7532 (shouldn't be different than a 7522) with the same code you're running and configure it the same way. I'll see if I replicate the issue your seeing. That should tell us if this is a bug or not.
Userlevel 5
Aaron, I've configured a 7532 with the same firmware code and with the exact config setup that I recommended earlier. The bridge sees candidate APs and connects w/o issue.

Wondering if there's a hardware issue now. Can you (if you haven't already) try configuring the other AP as a client bridge AP. The likelihood that you have two bad APs is next to nill. These APs have an extremely low failure rate.
Thanks Chris, I will try that tomorrow morning

Should I change the configuration of AP#2 to be the "host" AP instead, broadcasting the "myWireless" SSID? If AP#2 does have a hardware problem, will that also affect its ability to act as the host to the client bridge AP?

If that is a possibility then I can try other wireless networks available in our office. My worry there is that I'm introducing other variables that are causing problems, such as a mismatch in encryption settings or something like that.
Userlevel 5
You could try that...since we're dealing with an unknown issue here though, I can't say how exactly it will behave...even if it IS a hardware issue. Won't hurt to try though.

When you make the switch though, setup the PSK and SSID to match that of existing APs on other *working* network where you're at though. If the AP isn't currently close enough to those other APs to be able to see them and connect, then go ahead and implement the configurations on the AP and then carry it to where it needs to be...along with your laptop and console cable so you can run those queries to see if it now sees candidate host APs.
Ok I've made some progress. #3 is what I need the most help on right now.

1 - The client bridge is partially successful right now. I switched the roles so now AP#2 is the "host" AP that is connected to the wired LAN, and AP#1 is the client bridge. I updated to firmware version 5.9.3 on both APs. I also have 1 antenna plugged into each AP. The client bridge reports that there is 1 candidate AP, and the "host" AP reports the client bridge AP as a wireless client. I introduced several variables here. If I get a chance later I'll factory reset both APs, remove all the antennas and try to set up the client bridge again with their original roles and report back. I know others might like to know if the firmware upgrade is what fixed the problem or not.

2 - Lesson learned: For a while I had both APs connected to the wired network so I could ssh into them instead of using the console port for terminal access. But once I got the client bridge successfully configured, that created a network loop / broadcast storm and brought down the network until I unplugged the client bridge AP from the wired network. The client bridge AP is connected to the 5 port unmanaged switch again, and the only other device connected to that is the Windows 10 workstation that needs internet access.

3 - The desktop on the "client bridge" side can't reach the rest of the 192.168.111.0/24 network or the internet. It is a Windows 10 workstation with a static IP address of 192.168.111.10. When I plug it directly into the wired network (not the 5 port unmanaged switch) everything works correctly. However when I re-attach it to the unmanaged 5 port switch that the client bridge AP is connected to, it self assigns a 169.254.x.y address instead of keeping its 192.168.111.10 address. There are errors in the Windows 10 event log "The system detected an address conflict for IP address 192.168.111.10 with the system having network hardware address B8-50-01-EC-D8-B0. Network operations on this system may be disrupted as a result." B8-50-01-EC-D8-B0 is the same MAC address I was seeing in packet captures during the network loop problem. I don't know where that's coming from because it doesn't match any of the 2 MAC addresses that AP#1 reports or the 2 MAC addresses that AP#2 reports when I run "show interface brief". But "B8-50-01" is registered to Extreme Networks.

Thoughts?
Some more information: I had a packet capture running on the Windows 10 workstation for a while. I see an ARP response from that B8-50-01-EC-D8-B0 MAC address stating that it belonged to 192.168.111.10.

I figured that the arp entry for the 192.168.111.10 address was still cached from when I had the workstation directly connected to the wired network and not though the 5 port switch / wireless client bridge. So I'm restarting both APs to clear their arp tables.
Userlevel 5
Aaron, good to hear that there's at least connectivity at this point using the client-bridge. Based on your information, I'm still not sure if the AP has a hardware problem or not, but the fact that it has established a connection while operating as the host AP seems to make that unlikely.
It would be interesting to default things again and re-setup the APs again in their original positions, with the only change being the WiNG code. If it works...then that seems to implicate the WiNG code...but then I'm at a loss because in my lab, using the original same firmware, it worked. The *only* difference being that I used a 7532 and you're using a 7522.

Regarding #3 though:
Win10 apparently thinks there's an IP conflict. Guessing that's the reason it's throwing away its static address.
Need to clear out the ARP cache and try again. I think you're almost there.

Reply