Problem accessing Wireless Access Point from Remote Subnet

sstepun
Level 1

This is driving me nuts! I recently installed a couple of Cisco Aironet 3600 Series Wireless Access Points at a remote site. While I was at the site everything seemed OK. The clients were able to get connected to the access points, the guest network worked fine, I could SSH into the access points, and I could ping them. The problem is when I went back to my home site I tried to SSH into the access points through an ASA IPSec VPN Tunnel and it couldn’t find it. When I try to ping the access points they “time out”. I can ping and connect to all other addresses (via RDP, HTTP, etc.) on the same subnet, which should rule out an access list problem. A couple of notes to be aware of:

  • The WAPs have the Autonomous IOS installed (Version 15.2(2)JB)

  • The WAPs are connected to Dell PowerConnect 5724 switches (Not by choice. We are a Cisco shop; these were already there and we have plans this year to replace them)

  • I can ping and SSH with PuTTY to the WAPs from the local subnet

  • I cannot ping or SSH from a remote subnet to the WAPs. I can access all other IPs and computers from a remote subnet.

Let me know if you need to look at any configs and I would be more than happy to supply them.

Thanks in advance!


Gregory Snipes
Level 4

Do all your ASAs have proper routes pointing the subnets down the correct tunnels/interfaces? This definitely seems to be a routing issue.

A routing issue was my first thought, but I am able to access everything else on the same subnet:

10.10.40.31 => 10.10.90.6  -  OK  (Laptop at Remote Site 1 to DC at Remote Site 2)

10.10.90.6 => 10.10.40.31  -  OK  (DC at Remote Site 2 to Laptop at Remote Site 1)

10.10.40.31 => 10.10.90.220  -  OK  (Laptop at Remote Site 1 to Switch at Remote Site 2)

10.10.90.220 => 10.10.40.31  -  OK  (Switch at Remote Site 2 to Laptop at Remote Site 1)

10.10.40.31 => 10.10.90.240  -  Time Out  (Laptop at Remote Site 1 to WAP at Remote Site 2)

10.10.90.240 => 10.10.40.31  -  Time Out  (WAP at Remote Site 2 to Laptop at Remote Site 1)

10.10.90.6 => 10.10.90.240  -  OK  (DC at Remote Site 2 to WAP at Remote Site 2)

10.10.90.240 => 10.10.90.6  -  OK  (WAP at Remote Site 2 to DC at Remote Site 2)

I am starting to wonder if this has something to do with the config on the WAPs. It's confusing...

So is there only one subnet at remote site 2? If so, I assume that when you are at remote site 2 you are in that subnet as well. Is this correct?

Additionally, are these autonomous or lightweight APs? How are they getting their IPs, static or DHCP? Would it be possible to post up a scrubbed config from one of them?

Forgive me for asking, but when you say "scrubbed", does that mean removing anything revealing the company name, public IPs, etc.?

The APs were reloaded with the IOS that is not dependent on an access controller.

They have static IPs.

There is only one subnet at the remote site with the exception of a VLAN created for the Guest network that is connected directly to the ASA on eth 0/2. When I am physically at the remote site (Remote Site 2), I have no problems connecting to it. When I am at my home site (Remote Site 1), I cannot connect.

Yes, by scrubbed I just mean with any personal details, password etc removed.

BTW, I clicked Answered somehow... doh

Current configuration : 6161 bytes
!
! Last configuration change at 13:40:06 UTC Sat Mar 6 1993 by Cisco
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname companyname-AP2
!
!
logging rate-limit console 9
enable secret 5 *****
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.10.90.6 auth-port 1812 acct-port 1813
!
aaa group server radius rad_acct
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
ip cef
ip domain name companyname.com
!
!
!
dot11 syslog
dot11 vlan-name companyname vlan 1
dot11 vlan-name companyname-Guest vlan 16
!
dot11 ssid companyname
   vlan 1
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2
   mbssid guest-mode
!
dot11 ssid companyname-Guest
   vlan 16
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 *****
!
!
dot11 network-map
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-****
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-****
revocation-check none
rsakeypair TP-self-signed-****
!
!
crypto pki certificate chain TP-self-signed-****
certificate self-signed 01
 
*****

        quit
username companyname privilege 15 password 7 *****
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
!
encryption vlan 16 mode ciphers aes-ccm
!
encryption vlan 1 mode ciphers aes-ccm
!
ssid companyname
!
ssid companyname-Guest
!
antenna gain 0
stbc
mbssid
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.16
encapsulation dot1Q 16
bridge-group 16
bridge-group 16 subscriber-loop-control
bridge-group 16 spanning-disabled
bridge-group 16 port-protected
bridge-group 16 block-unknown-source
no bridge-group 16 source-learning
no bridge-group 16 unicast-flooding
!
interface Dot11Radio1
no ip address
!
encryption vlan 16 mode ciphers aes-ccm
!
encryption vlan 1 mode ciphers aes-ccm
!
ssid companyname
!
ssid companyname-Guest
!
antenna gain 0
dfs band 3 block
stbc
mbssid
channel dfs
station-role root
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.16
encapsulation dot1Q 16
bridge-group 16
bridge-group 16 subscriber-loop-control
bridge-group 16 spanning-disabled
bridge-group 16 port-protected
bridge-group 16 block-unknown-source
no bridge-group 16 source-learning
no bridge-group 16 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.16
encapsulation dot1Q 16
no ip route-cache
bridge-group 16
bridge-group 16 spanning-disabled
no bridge-group 16 source-learning
!
interface BVI1
ip address 10.10.90.241 255.255.255.0
!
ip default-gateway 10.10.90.1
ip forward-protocol nd
no ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
snmp-server community **** RO
snmp-server community **** RW
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps entity
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps cpu threshold
snmp-server enable traps aaa_server
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.10.90.6 auth-port 1812 acct-port 1813 key 7 ****
radius-server deadtime 2
radius-server vsa send accounting
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
!
end

All of the symptoms here point to a default gateway problem on the AP. However, the gateway configuration looks good in the config you posted.

Is 10.10.90.1 the address of the firewall?

Yes, 10.10.90.1 is the firewall address. It's the inside interface of the Cisco ASA.

Hi,

Can you do this on the AP:

logging buffered debug

do debug ip icmp

do ping 8.8.8.8 repeat 2

do sh log

Then post the output here.

Regards

Alain

Don't forget to rate helpful posts.

After running the first 3 commands, I do sh log and there is nothing in the output. I am running this within Putty via an SSH session. Does this matter?

sh logging
Syslog logging: enabled (0 messages dropped, 4 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.


    Console logging: level debugging, 1097 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 2 messages logged, xml disabled,
                     filtering disabled
        Logging to: vty1(2)
    Buffer logging:  level debugging, 1 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled
    Trap logging: level informational, 538 message lines logged
        Logging Source-Interface:       VRF Name:

Log Buffer (1048576 bytes):

*Mar  6 16:57:31.458: %SYS-5-CONFIG_I: Configured from console by Cisco on vty0 (10.10.90.6)

Hi,

No, it doesn't matter here as you are looking at the buffer.

Let's try this then:

do u all

access-list 199 permit icmp any any

do debug  ip pack detail 199

do ping 8.8.8.8 repeat 2

do sh log

Regards

Alain

Don't forget to rate helpful posts.

I think the Mar 29 19:56 entries are what you're looking for. Thanks for your help!

do sh log
Syslog logging: enabled (0 messages dropped, 4 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.


    Console logging: level debugging, 1134 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 4 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 38 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled
    Trap logging: level informational, 540 message lines logged
        Logging Source-Interface:       VRF Name:

Log Buffer (1048576 bytes):

*Mar  6 16:57:31.458: %SYS-5-CONFIG_I: Configured from console by Cisco on vty0 (10.10.90.6)
*Mar  6 17:17:49.409: %SYS-5-CONFIG_I: Configured from http by ergotron on 10.10.90.3
*Mar  6 17:17:49.409: %SYS-5-CONFIG_I: Configured from http by ergotron on 10.10.90.3
Mar 29 19:49:58.842: ICMP: dst (10.10.90.241) port unreachable sent to 10.10.90.6
Mar 29 19:52:41.632: ICMP: echo reply rcvd, src 10.10.90.1, dst 10.10.90.241, topology BASE, dscp 0 topoid 0
Mar 29 19:52:41.632: ICMP: echo reply rcvd, src 10.10.90.1, dst 10.10.90.241, topology BASE, dscp 0 topoid 0
Mar 29 19:52:41.632: ICMP: echo reply rcvd, src 10.10.90.1, dst 10.10.90.241, topology BASE, dscp 0 topoid 0
Mar 29 19:52:41.632: ICMP: echo reply rcvd, src 10.10.90.1, dst 10.10.90.241, topology BASE, dscp 0 topoid 0
Mar 29 19:52:41.632: ICMP: echo reply rcvd, src 10.10.90.1, dst 10.10.90.241, topology BASE, dscp 0 topoid 0
Mar 29 19:56:11.700: FIBipv4-packet-proc: route packet from (local) src 10.10.90.241 dst 8.8.8.8
Mar 29 19:56:11.700: FIBfwd-proc: Default:0.0.0.0/0 process level forwarding
Mar 29 19:56:11.700: FIBfwd-proc: depth 0 first_idx 0 paths 1 long 0(0)
Mar 29 19:56:11.700: FIBfwd-proc: try path 0 (of 1) v4-sp first short ext 0(-1)
Mar 29 19:56:11.700: FIBfwd-proc: v4-sp valid
Mar 29 19:56:11.700: FIBfwd-proc:  no nh type 8  - deag
Mar 29 19:56:11.700: FIBfwd-proc: ip_pak_table 0 ip_nh_table 65535 if none nh none deag 1 chg_if 0 via fib 0 path type special prefix
Mar 29 19:56:11.700: FIBfwd-proc: Default:0.0.0.0/0 not enough info to forward via fib (none none)
Mar 29 19:56:11.700: FIBipv4-packet-proc: packet routing failed
Mar 29 19:56:11.700: IP: s=10.10.90.241 (local), d=8.8.8.8, len 100, unroutable
Mar 29 19:56:11.700:     ICMP type=8, code=0
Mar 29 19:56:13.699: FIBipv4-packet-proc: route packet from (local) src 10.10.90.241 dst 8.8.8.8
Mar 29 19:56:13.699: FIBfwd-proc: Default:0.0.0.0/0 process level forwarding
Mar 29 19:56:13.699: FIBfwd-proc: depth 0 first_idx 0 paths 1 long 0(0)
Mar 29 19:56:13.699: FIBfwd-proc: try path 0 (of 1) v4-sp first short ext 0(-1)
Mar 29 19:56:13.699: FIBfwd-proc: v4-sp valid
Mar 29 19:56:13.699: FIBfwd-proc:  no nh type 8  - deag
Mar 29 19:56:13.699: FIBfwd-proc: ip_pak_table 0 ip_nh_table 65535 if none nh none deag 1 chg_if 0 via fib 0 path type special prefix
Mar 29 19:56:13.699: FIBfwd-proc: Default:0.0.0.0/0 not enough info to forward via fib (none none)
Mar 29 19:56:13.699: FIBipv4-packet-proc: packet routing failed
Mar 29 19:56:13.699: IP: s=10.10.90.241 (local), d=8.8.8.8, len 100, unroutable
Mar 29 19:56:13.699:     ICMP type=8, code=0
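As an added example (not part of the thread and not written by any of the posters), the Python script below parses the `debug ip icmp` and `debug ip packet detail` lines from the `do sh log` output above and separates what worked from what failed. The sample lines are copied from that output; the gateway address 10.10.90.1 is the one the poster gave for the ASA inside interface. The function names, the verdict constants and the decision rule are this example's own. The point it makes visible is that the AP receives echo replies from 10.10.90.1 on its own subnet, yet every packet to 8.8.8.8 is dropped as unroutable with `Default:0.0.0.0/0 not enough info to forward via fib`, which is a forwarding-table problem on the AP itself rather than an ACL or VPN tunnel problem.

```python
import re
from collections import defaultdict

# Log lines reproduced from the "do sh log" output posted in this thread
# (debug ip icmp plus debug ip packet detail on the AP, 10.10.90.241).
SAMPLE_LOG = """\
Mar 29 19:49:58.842: ICMP: dst (10.10.90.241) port unreachable sent to 10.10.90.6
Mar 29 19:52:41.632: ICMP: echo reply rcvd, src 10.10.90.1, dst 10.10.90.241, topology BASE, dscp 0 topoid 0
Mar 29 19:52:41.632: ICMP: echo reply rcvd, src 10.10.90.1, dst 10.10.90.241, topology BASE, dscp 0 topoid 0
Mar 29 19:52:41.632: ICMP: echo reply rcvd, src 10.10.90.1, dst 10.10.90.241, topology BASE, dscp 0 topoid 0
Mar 29 19:52:41.632: ICMP: echo reply rcvd, src 10.10.90.1, dst 10.10.90.241, topology BASE, dscp 0 topoid 0
Mar 29 19:52:41.632: ICMP: echo reply rcvd, src 10.10.90.1, dst 10.10.90.241, topology BASE, dscp 0 topoid 0
Mar 29 19:56:11.700: FIBipv4-packet-proc: route packet from (local) src 10.10.90.241 dst 8.8.8.8
Mar 29 19:56:11.700: FIBfwd-proc: Default:0.0.0.0/0 process level forwarding
Mar 29 19:56:11.700: FIBfwd-proc: Default:0.0.0.0/0 not enough info to forward via fib (none none)
Mar 29 19:56:11.700: FIBipv4-packet-proc: packet routing failed
Mar 29 19:56:11.700: IP: s=10.10.90.241 (local), d=8.8.8.8, len 100, unroutable
Mar 29 19:56:11.700:     ICMP type=8, code=0
Mar 29 19:56:13.699: FIBipv4-packet-proc: route packet from (local) src 10.10.90.241 dst 8.8.8.8
Mar 29 19:56:13.699: FIBfwd-proc: Default:0.0.0.0/0 process level forwarding
Mar 29 19:56:13.699: FIBfwd-proc: Default:0.0.0.0/0 not enough info to forward via fib (none none)
Mar 29 19:56:13.699: FIBipv4-packet-proc: packet routing failed
Mar 29 19:56:13.699: IP: s=10.10.90.241 (local), d=8.8.8.8, len 100, unroutable
Mar 29 19:56:13.699:     ICMP type=8, code=0
"""

# Patterns for the three message kinds the triage cares about. Addresses are
# followed by a comma in the log, so the address class excludes commas.
ECHO_REPLY = re.compile(r"ICMP: echo reply rcvd, src ([^,\s]+), dst ([^,\s]+)")
UNROUTABLE = re.compile(r"IP: s=([^,\s]+) \(local\), d=([^,\s]+), len \d+, unroutable")
FIB_FAIL = re.compile(r"FIBfwd-proc: (\S+) not enough info to forward via fib")

# Verdict keys (this example's own naming, not IOS terminology).
NO_DEFAULT_ROUTE = "NO_DEFAULT_ROUTE"    # gateway answers, default prefix unusable
GATEWAY_SILENT = "GATEWAY_SILENT"        # default prefix unusable and gateway never replied
OTHER_UNROUTABLE = "OTHER_UNROUTABLE"    # drops without a default-prefix FIB failure
CLEAN = "CLEAN"                          # no unroutable packets in the log


def summarize(log_text):
    """Count echo replies per source, unroutable packets per destination,
    and FIB lookup failures per prefix. Lines of other kinds are ignored."""
    replies = defaultdict(int)
    unroutable = defaultdict(int)
    fib_failures = defaultdict(int)
    for line in log_text.splitlines():
        m = ECHO_REPLY.search(line)
        if m:
            replies[m.group(1)] += 1
            continue
        m = UNROUTABLE.search(line)
        if m:
            unroutable[m.group(2)] += 1
            continue
        m = FIB_FAIL.search(line)
        if m:
            fib_failures[m.group(1)] += 1
    return {"replies": dict(replies),
            "unroutable": dict(unroutable),
            "fib_failures": dict(fib_failures)}


def diagnose(summary, gateway):
    """Reduce the counts to one verdict, given the gateway the AP is configured with."""
    gateway_answers = summary["replies"].get(gateway, 0) > 0
    default_lookup_failed = summary["fib_failures"].get("Default:0.0.0.0/0", 0) > 0
    if summary["unroutable"] and default_lookup_failed:
        return NO_DEFAULT_ROUTE if gateway_answers else GATEWAY_SILENT
    if summary["unroutable"]:
        return OTHER_UNROUTABLE
    return CLEAN


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    print(counts)
    print(diagnose(counts, "10.10.90.1"))  # NO_DEFAULT_ROUTE for the thread's log
```

On the thread's log the verdict is NO_DEFAULT_ROUTE: five replies from 10.10.90.1, two packets to 8.8.8.8 dropped, two failed lookups of the default prefix. One fact worth knowing when reading that verdict: on IOS, `ip default-gateway` is honoured only while IP routing is disabled; a device that is routing needs an explicit default route (`ip route 0.0.0.0 0.0.0.0 <gateway>`) for the FIB lookup to succeed, so the running configuration's routing state is the first thing to check after a result like this.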
