Solved

users connected to the VX9000 and AP7522 cannot connect to the internet

  • 24 September 2019
  • 18 replies
  • 407 views

Hi All,

For the last 362 days, users can connect to the wireless and everything is fine. My hardware is the VX9000 and the AP7522. They are getting IP addresses, but cannot connect out. The wireless APs are connected through VLAN16. The switch port is tagged VLAN16. I plug my laptop into the switch port, and I get internet traffic. It's the APs that cannot communicate out.

Best answer by boy141 27 September 2019, 22:08

Folks, updating you on the case. We found that 1 of the APs was faulty and decided to reserve the IP addresses. I factory reset it, hung it back up, let the controller control it and it happened again. Will DOA it now.

18 replies

Userlevel 6
So obviously something changed.
Have you made any configuration changes on the controller that coincide with this new behavior?
If not, something changed somewhere else then.

Are the WLANs tunneled or locally bridged?
Do wireless clients have a default gateway as part of their DHCP lease?
Can the wireless clients see (PING) other systems internally?
Can they PING their default gateway?
Do they have DNS resolution?
Userlevel 4
In addition, I would also ensure that you have the best practice default firewall policy configured.
The AP can potentially drop traffic if the policy is too strict.

How to apply the best practices firewall policy to WiNG APs and controllers from CLI?

Hey Chris,

The WLANs are tunneled to the datacenter where the VX9000 resides.
The wireless clients have "no connection" and cannot ping the gateway and cannot ping other internal servers. The VX9000 does not have a DNS entry. The Palo Alto is the firewall and has DNS.
Userlevel 5
Hi,

Don't you want to have the WLAN bridged locally instead of tunneled to the VX, which is officially a no-go? Or is it tunneled to another endpoint device?
If your traffic is tunneled, the switch the controller/gateway is plugged into has to comply with the VLAN settings. Hypervisor virtual switch VLAN settings, and the DC switch underneath.
If you go for bridging mode local then it will make sense to test Internet connection from VLAN 16 on the AP-plugged switch.
Isn't that something you might want to adjust?

Hope that helps,
Tomasz

Edit: I see you wrote clients are getting IP address though, sorry for maybe introducing some confusion.
Userlevel 6
Okay...so if you do an ipconfig /all on one of the wireless clients when they connect, what is the output?

I've applied the firewall rules. I used the wrong terminology. The VX9000 and APs are bridged. No tunneling. Use case #01425990
Userlevel 6
So you've opened a ticket with GTAC at this point?

How can you tell if the APs are tunneled to the controller?

I'm working on this same issue. VLAN 16 is tagged on the AP switchport as well as on the SSID. This was working fine and just stopped. The APs are not forwarding DHCP to the clients. They end up getting a self-assigned IP.

DHCP is handed out by the firewall, which is connected to the switch in a "router on a stick" setup with subinterfaces for each VLAN. Each sub-interface has its own DHCP server and intrazone traffic is not being blocked.

I assigned a switchport to VLAN 16 and had the client plug in a laptop and he was able to get an IP and Internet access, no problem. So this does not indicate a DHCP issue or DNS issue. It's only when trying to connect on the same VLAN over wireless.

The WLC is set up in an offsite DC connected with a VPN tunnel. As far as I can tell from this setup, the APs are not tunneled back to the WLC. They merely sit on a trunk port with tagged VLANs.
I tried to open a ticket but the person is not under maintenance (even though I/we are partners). We were going to redo the maint contract after getting this customer back online.
Userlevel 6
j-crockett - The bridging mode is configured as part of the WLAN configuration. It's either Tunneled or Local.

Bridging Mode is set to Local
Userlevel 6
If bridging mode is Local, then user traffic is bridged directly at the AP to the VLAN assigned to the WLAN.
As a test, try statically assigning an IP to a client device and see if the device can then use the network as expected. If so, then it would seem to be a DHCP related issue.

Hi Chris. I assigned a static IP address to a device (MC9200). They are connected to the WIFI, but still cannot reach the internet or the Telnet server.
Userlevel 6
Can the MC9200 PING *anything* on the network?
If not, then it would seem that the VLAN's traffic either isn't making it off the AP or past the switch.
Userlevel 6
Also, to rule out any issues with the current Fusion drivers on the MCs, can you try taking some other non-MC device and try associating it to the same WLAN and see if you get the same behavior?

Folks, updating you on the case. We found that 1 of the APs was faulty and decided to reserve the IP addresses. I factory reset it, hung it back up, let the controller control it and it happened again. Will DOA it now.
Userlevel 6
Very strange failure mode, but glad you got it figured out.

In addition, I would also ensure that you have the best practice default firewall policy configured.
The AP can potentially drop traffic if the policy is too strict.

How to apply the best practices firewall policy to WiNG APs and controllers from CLI?

Hello,

Thanks for your help and for sharing this link. This is really helpful or informative for me; this helps me to solve my issue.

Thanks and regards