We have 30 AP 1532E units as WGBs and other 1532 APs as root in the WLC; the bridge looks fine and the AP is reachable all the time.
Under the WGB we have some unmanaged Moxa switches, and connected to the switches are a few other devices (cameras, GPS, etc.). The issue is that the clients under the WGB are sometimes reachable and other times not. Locally on the WGB they are always reachable, but beyond the WGB (LAN on the root side) they are not.
Here is the configuration of the AP:
Current configuration : 4672 bytes
!
! Last configuration change at 11:09:03 MEXICO Mon Dec 18 2017 by Cisco
version 15.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname WGB-Apcliente-21
!
!
logging rate-limit console 9
enable secret
!
no aaa new-model
clock timezone MEXICO -6 0
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
clock save interval 8
no ip source-route
no ip cef
no ip domain lookup
!
!
!
!
dot11 pause-time 100
dot11 syslog
!
dot11 ssid
 authentication open eap PEAP
 authentication network-eap PEAP
 authentication key-management wpa version 2 cckm
 dot1x credentials PEAP
 dot1x eap profile PEAP
 infrastructure-ssid
!
!
!
eap profile PEAP
 method peap
!
no ipv6 cef
!
crypto pki trustpoint
 enrollment terminal
 subject-name CN=Wireless-CA
 revocation-check none
 rsakeypair manual-keys 1024
!
!
crypto pki certificate chain WGB-PEAP
 certificate ca
dot1x credentials PEAP
 username
 password
 pki-trustpoint
!
username password 7
username privilege 15 password 7
!
!
lldp run
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 antenna gain 0
 packet retries 64 drop-packet
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 encryption mode ciphers aes-ccm
 !
 ssid TERNET
 !
 antenna gain 0
 peakdetect
 packet retries 64 drop-packet
 station-role workgroup-bridge
 mobile station period 10 threshold 85
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet1
 no ip address
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 mac-address 2c5a.0fa0.9824
 ip address 255.255.255.0
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
!
ip default-gateway
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
bridge 1 address accc.8e84.ea99 forward GigabitEthernet0
bridge 1 address 0003.2d38.0b72 forward GigabitEthernet1
!
!
!
line con 0
 logging synchronous
line vty 0 4
 login local
 transport input all
line vty 5 15
 login local
 transport input all
!
sntp server
end
I highly recommend removing the username and password information from your initial post and removing the default Cisco username from your production configuration.
Since the end-point information no longer seems to exist on at least one side of the bridge, you should look into the bridge aging-time configuration. You can verify whether this is indeed the issue by comparing the output of the "show bridge" command on both the root and the WGB when the issue occurs. In case there is a mismatch, the entry has been removed due to inactivity in traffic sent by the end-point. You can safely configure a higher aging-time with the "bridge bridge-group-number aging-time seconds" command; you should do that on both sides.
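With 30 WGBs, the "show bridge" comparison suggested above is easier to script than to eyeball. The following is an added example, not part of the original thread: the two captured tables are constructed, reuse the two MAC addresses from the posted configuration, and their column layout and interface names are assumptions that may differ between releases.

```python
import re

# Constructed sample output (not from the thread); the column layout is an
# assumption modelled on a "show bridge" table and may differ by release.
WGB_OUTPUT = """\
Bridge Group 1:

    Address       Action   Interface       Age   RX count   TX count
accc.8e84.ea99   forward   Gi0               0       1520        980
0003.2d38.0b72   forward   Gi1               4        311        207
"""

ROOT_OUTPUT = """\
Bridge Group 1:

    Address       Action   Interface       Age   RX count   TX count
accc.8e84.ea99   forward   Do1               2       1498        975
"""

# One table row: dotted MAC, action, interface, age (counters are ignored).
ENTRY = re.compile(
    r"^\s*(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<action>\S+)\s+(?P<intf>\S+)\s+(?P<age>\S+)",
    re.I | re.M,
)


def parse_show_bridge(text):
    """Return {mac: (action, interface, age)} for every table row."""
    return {m["mac"].lower(): (m["action"], m["intf"], m["age"])
            for m in ENTRY.finditer(text)}


def compare_tables(wgb_text, root_text):
    """List MACs known on only one side of the bridge."""
    wgb, root = parse_show_bridge(wgb_text), parse_show_bridge(root_text)
    return {
        "missing_on_root": sorted(set(wgb) - set(root)),
        "missing_on_wgb": sorted(set(root) - set(wgb)),
    }


if __name__ == "__main__":
    # Capture both outputs while the clients are unreachable, then compare.
    for side, macs in compare_tables(WGB_OUTPUT, ROOT_OUTPUT).items():
        for mac in macs:
            print(f"{side}: {mac}")
```

An address reported as missing on one side while the client is unreachable matches the aged-out entry described in the reply.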