08-03-2020 11:14 AM - edited 07-05-2021 12:21 PM
Last Thursday (7/30/2020), our tier 1 Internet provider went offline due to severed fiber. After access was restored, we began receiving reports of users not being able to connect to the Internet via our corporate WiFi network; however, they could connect through our guest network. This is completely random and is affecting Windows, Mac OS, and iOS clients. Multiple WiFi adapter makes and models are affected, as well, so we are unable to narrow the problem down to a single product line or set of drivers. Not all clients are affected. In fact, most of them connect just fine.
We have seven Cisco WAP371 access points running firmware version 1.3.0.7, all of which connect through a Juniper switch stack to a Palo Alto PA-500 network appliance. We run both 2.4 GHz and 5 GHz networks, and each is configured with two SSIDs, one for guests and the other for corporate. Guest network runs through VLAN 1, corporate runs through VLAN 6. The latter is the problem. When certain clients try to connect, they get a "No internet access" error and are unable to ping the default gateway; however, they are receiving an IP address from the DHCP server and the default gateway appears in ipconfig. DNS settings are correct. Network shows up in Windows network settings as "Unidentified."
We made no changes to any of our network layers before or after the outage, implemented no new firewall rules, etc. Everything was exactly the same after service was restored. All clients who connect to the guest network are able to access the Internet, and there doesn't appear to be any difference between the network settings, apart from the guest network being on a different VLAN and having fewer permissions for internal assets. We've tried disabling security software temporarily on the affected clients, to no avail. The Palo Alto firewall does not show any network activity for those clients who cannot connect over the corporate (VLAN 6) network. It does show their DHCP leases.
I can provide logs from the access points and other sources, if needed. We have never encountered this problem before, so we are unsure how to approach it.
08-03-2020 12:13 PM
08-04-2020 05:00 AM
Not sure why that didn't occur to us. Professional myopia. Anyway, we tested a known good client and a known bad client on wired Ethernet for that VLAN, and the bad client never linked up, so it looks like a layer 2 problem. We're investigating the switches. Thanks for the boost.