Extreme Networks

For illustriative purposes, here's the switch logs that showed what we saw during the second event when APs were online but they dissapeared from the left panel. AP25 the device we started troubleshooting:

Controller ssh history from yesterday during the outage:
show adoption status

Adopted Devices:
---------------------------------------------------------------------------------------------------------------
DEVICE-NAME VERSION CFG-STAT MSGS ADOPTED-BY LAST-ADOPTION UPTIME
---------------------------------------------------------------------------------------------------------------
AP24 5.5.5.0-018R configured No RFS-SW01 0 days 00:48:51 0 days 00:51:45
AP20 5.5.5.0-018R configured No RFS-SW01 1 days 20:45:03 9 days 03:24:36
AP21 5.5.5.0-018R configured No RFS-SW01 1 days 20:45:04 2 days 02:32:49
AP23 5.5.5.0-018R configured No RFS-SW01 0 days 00:48:51 0 days 00:51:45
AP25 5.5.5.0-018R configured No RFS-SW01 0 days 00:48:50 0 days 00:51:45
AP10 5.5.5.0-018R configured No RFS-SW01 1 days 20:45:05 13 days 09:30:21
AP04 5.5.5.0-018R configured No RFS-SW01 1 days 20:45:04 13 days 08:06:49
AP02 5.5.5.0-018R configured No RFS-SW01 1 days 20:45:03 13 days 10:58:02
AP05 5.5.5.0-018R configured No RFS-SW01 1 days 20:45:03 13 days 10:58:27
AP06 5.5.5.0-018R configured No RFS-SW01 0 days 01:13:54 13 days 09:04:14
AP14 5.5.5.0-018R configured No RFS-SW01 1 days 20:45:04 13 days 10:04:16
AP11 5.5.5.0-018R configured No RFS-SW01 1 days 20:45:04 13 days 09:33:47
AP15 5.5.5.0-018R *configured No RFS-SW01 0 days 00:48:50 0 days 00:51:45
AP16 5.5.5.0-018R configured No RFS-SW01 0 days 00:48:50 0 days 00:51:45
AP07 5.5.5.0-018R configured No RFS-SW01 1 days 20:45:04 20 days 04:31:37
AP08 5.5.5.0-018R configured No RFS-SW01 1 days 20:45:04 20 days 04:31:38
----------------------------------------------------------------------------------------------------------------
Total number of devices displayed: 16

RFS-SW01#mint ping 4D.81.9D.AC
MiNT ping 4D.81.9D.AC with 64 bytes of data.
Ping request 1 timed out. No response from 4D.81.9D.AC
Ping request 2 timed out. No response from 4D.81.9D.AC
Ping request 3 timed out. No response from 4D.81.9D.AC

--- 4D.81.9D.AC ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
RFS-SW01#ping 10.200.17.35
PING 10.200.17.35 (10.200.17.35) 100(128) bytes of data.
108 bytes from 10.200.17.35: icmp_seq=1 ttl=64 time=6.74 ms
108 bytes from 10.200.17.35: icmp_seq=2 ttl=64 time=0.314 ms


AP25 Today
AP25#show mint id
Mint ID: 4D.81.9D.AC
AP25#show mint info
Mint ID: 4D.81.9D.AC
16 Level-1 neighbors
Level-1 LSP DB size 17 LSPs (3 KB)
0 Level-2 neighbors
Level-2 LSP DB size 0 LSPs (0 KB)
Level-2 gateway is unreachable
Reachable adopters: 19.6D.B7.76
Max level-1 path cost: 30 (to 19.6D.B7.76)
AP25#show mint lsp-db
17 LSPs in LSP-db of 4D.81.9D.AC:
LSP 19.6D.B7.76 at level 1, hostname "RFS-SW01", 16 adjacencies, seqnum 285509
LSP 1A.4C.44.B0 at level 1, hostname "AP10", 11 adjacencies, seqnum 280965
LSP 1A.4C.44.D8 at level 1, hostname "AP04", 11 adjacencies, seqnum 280135
LSP 1A.4C.45.2C at level 1, hostname "AP02", 11 adjacencies, seqnum 279898
LSP 1A.4C.45.A4 at level 1, hostname "AP05", 11 adjacencies, seqnum 294789
LSP 1A.4C.46.30 at level 1, hostname "AP06", 11 adjacencies, seqnum 273896
LSP 1A.7C.51.30 at level 1, hostname "AP14", 11 adjacencies, seqnum 280856
LSP 1A.7C.53.5C at level 1, hostname "AP11", 11 adjacencies, seqnum 280674
LSP 1A.7C.53.A4 at level 1, hostname "AP15", 6 adjacencies, seqnum 276869
LSP 1A.7C.53.BC at level 1, hostname "AP16", 7 adjacencies, seqnum 697568
LSP 1A.7C.71.98 at level 1, hostname "AP07", 11 adjacencies, seqnum 280219
LSP 1A.7C.71.D8 at level 1, hostname "AP08", 11 adjacencies, seqnum 280893
LSP 4D.18.47.28 at level 1, hostname "AP24", 7 adjacencies, seqnum 249678
LSP 4D.80.BD.B8 at level 1, hostname "AP20", 11 adjacencies, seqnum 223532
LSP 4D.80.BE.70 at level 1, hostname "AP21", 11 adjacencies, seqnum 547615
LSP 4D.81.9C.88 at level 1, hostname "AP23", 7 adjacencies, seqnum 247070
LSP 4D.81.9D.AC at level 1, hostname "AP25", 5 adjacencies, seqnum 354676
AP25#show mint route
Destination : Next-Hop(s)
4D.80.BE.70 : 4D.81.9C.88 via vlan-1
4D.81.9C.88 : 4D.81.9C.88 via vlan-1
1A.7C.53.A4 : 1A.7C.53.A4 via vlan-1
19.6D.B7.76 : 1A.7C.53.BC via vlan-1, 4D.18.47.28 via vlan-1
1A.7C.53.BC : 1A.7C.53.BC via vlan-1
1A.7C.71.D8 : 1A.7C.53.BC via vlan-1, 4D.18.47.28 via vlan-1
1A.4C.45.A4 : 1A.7C.53.BC via vlan-1, 4D.18.47.28 via vlan-1
1A.7C.53.5C : 4D.18.47.28 via vlan-1
1A.4C.45.2C : 1A.7C.53.A4 via vlan-1
4D.81.9D.AC : 4D.81.9D.AC via self
1A.4C.44.D8 : 1A.7C.53.BC via vlan-1
1A.7C.51.30 : 4D.18.47.28 via vlan-1, 1A.7C.53.BC via vlan-1
1A.4C.44.B0 : 4D.18.47.28 via vlan-1, 1A.7C.53.BC via vlan-1
4D.18.47.28 : 4D.18.47.28 via vlan-1
4D.80.BD.B8 : 1A.7C.53.BC via vlan-1
1A.7C.71.98 : 4D.18.47.28 via vlan-1
1A.4C.46.30 : 4D.81.9C.88 via vlan-1
AP25#

This is an important point here to expand on:
"With this more recent event (where same APs stopped communicating), is that adoption is fine, but whatever fundamental issue with the mint traffic is occurring still is occurring and blocking traffic despite the fact that they're still adopted."

Just to be clear, MINT is not normally responsible for carrying user traffic, but in your setup this comment just set off a big red flag for me. I checked your config listing and sure enough.... (I should've noticed this earlier!)



The bridging mode you have configured in this WLAN profile is set to tunnel. What this does is this encapsulates the client traffic within the MINT tunnels that are formed between the APs and the controller. Once the traffic reaches the controller, the controller then strips out the user traffic from the tunnel and drops the user traffic onto the LAN. MOST of the deployments we have are not using this mode, except for special cases, like a Guest WLAN or something like that.

I'd highly recommend changing this setting over to "local". What this does is the AP takes the client traffic and simply bridges it over to the assigned VLAN (in the WLAN Profile) and it goes straight out the AP interface tagged...to the switch. It's just treated like any other traffic. In your case though, the config is indicating that the WLAN is assigned to VLAN 1...which I'm assuming is the untagged native VLAN? If so, no big deal...the same applies.

The point to understand here though is that in "tunnel" mode, since the user traffic is placed inside a MINT tunnel and brought BACK to the controller inside the MINT tunnel, if there's any issues with MINT between the AP and controller, it means that the user traffic is ALSO affected, right? So using local bridging is a much more resilient mode of operation.

"What was interesting was in the second incedent, even though the same AP's were not communicating, it still showed all 17 online. But I noticed that the 5 in question had disappeared from the left panel."

This comment is contradictory. What you see in the tree on the left panel will only be APs that are in fact adopted/online. So WHERE in the UI were you seeing that all 17 were still online while 5 have disapeared from the tree? I'm guessing that you were simply looking in the Devices tab and seeing all the APs listed. If that's the case, seeing the APs listed there is not an indicator of their adoption status. That's just a listing of what APs the controller knows about...whether they're adopted currently or not.

And yes, if MINT traffic can't get through, that will prevent adoption and the AP icons should disappear from the tree on the left. The Dashboard widget with the pie chart will also show you the number of devices online/offline....as well as other widgets.
And....since you have the WLAN setup in tunnel mode...losing MINT comms would then also affect the user traffic from making it back to the controller and being dropped onto the LAN.

With the APs setup in 'local' mode, you can have APs lose adoption but the user traffic is completely unaffected! The APs are just simply un-managed from the controller at that point. They're operating like fat APs and just keep chugging along. 🙂

Interesting that you still have layer-3 access to the APs when this happens and can SSH in. If this ever happens again, SSH in and you can start doing some interesting diagnostics directly from the AP to determine what's wrong. It has a pretty powerful CLI toolset.

I think the magic bullet here may very likely be in switching the WLAN over to 'local' bridge mode. Unless there' s a specific reason for it being setup this way, I'd change this immediately and then sit back and see how the system operates.

For why, our first theory as to how to induce the storm was to pull the DHCP server offline and let the level of DHCP broadcast traffic increase. That didn't work for an hour and a half, but we said we were going to solve this issue tonight, so we just started trying stuff. We started DDoSing the DHCP server, and the wifi controller, and finally a device (might be a few other things in there). Sending all that traffic to a device had the effect we wanted for whatever reason, and from there we got a pretty good sense of the source and started honing in on it. Eventually found a RJ45 that was bridging two switches that also had fiber uplinks to the fiber switch. The next morning we noticed that there was a port in one of the switches that spanning tree had shut down. Thinking we had removed the loop we enabled that port and everything went down. So we knew that that port also was looped. So we figured out where that went and removed it as well. Switches were not really 'reacting' They just had loops which amplified the broadcast traffic until they were removed.

So here's my understanding (which could be wrong... But my understanding from above comments was that adoption can happen on the mint level or on 'layer 3'/ tcp/ip level. The prior event where we noticed that these devices were not adopted, the fix we came up with was to change the profile so that adoption would happen over tcp/ip instead, and reboot. This made adoption happen and communication resumed. With this more recent event (where same APs stopped communicating), adoption was fine, but whatever fundamental issue with the mint traffic is occurring still is occurring and blocking traffic despite the fact that they're still adopted. In the first incident, the dashboard showed on it's online offline graph, that 12 APs were online when there should be 17. Changing adoption setting and resetting APs brought it back up to 17 and the devices in question repopulated the left panel when you expand the RF domain. What was interesting was in the second incedent, even though the same AP's were not communicating, it still showed all 17 online. But I noticed that the 5 in question had disappeared from the left panel. So this made me think that the online/offline dashboard widget just shows devices that are adopted, but if the mint traffic can't get through, it won't show in the left panel and for whatever reason if that's the case, wifi traffic will not pass. This made me wonder if the TCP/IP traffic from the wifi clients ends up being sent to the controller via the mint protocol? I wouldn't think so. But whatever reason, if the mint ping is not able to get through, then traffic will not pass even if TCP/IP traffic has no issues (I realize this seems logically impossible). With the second event, all we did to get traffic moving on those AP's again was power cycle them individually and mint pings started working and they popped back into the left panel on the controller interface...

To address your more direct questions, we don't think there is a broadcast storm occuring now, and there wouldn't have been one before absent the loops we found. I think spanning tree protocol should have arrested those even, but the firmware on those switches with the loops is ancient and mint is proprietary so . Since we have removed the loops, and as I alluded to above, in neither case was TCP/IP communication down. We were able to SSH into them without issue at all times whether they were adopted or not and whether mint traffic was passing or not.

It definitely crossed my mind that there might be a software bug of some sort that could be causing this strange behavior. I guess I thought you had said mint traffic was normally tagged and seperated from the TCP/IP traffic. I must have misinterpreted something.

I have updated the customer on where everything stands and suggested that they get the support established so that we can get the firmware. I'm not a fan of the idea that I need support to get updates to the software that could include bug fixes, but the other stuff that goes along with it is worth it especially with the replacement plan. It wouldn't be an easy thing to just replace the controller, so I think they'd be well served to maintain that as long as they keep the controller and it's supportable, especially at the reasonable price you all are offering that service.

We're not familiar with this system, I'm just continuing the conversation so we both maybe can learn something. I certainly may be be misinterpreting the behavior of the system or your comments somewhere. You've been more than helpful in responding here and pointing us in the right direction.

~Robert