Clients behind WGB not reachable

pavel.mr4
Level 1

Hi Everyone,

We have 30 AP 1532E units as WGBs and other 1532 APs as root in the WLC. The bridge looks fine and the AP is reachable all the time.

Under the WGB we have some unmanaged Moxa switches, and connected to the switches are a few other devices (cameras, GPS, etc.). The issue is that the clients under the WGB are sometimes reachable and other times not. Locally on the WGB they are always reachable, but beyond the WGB (LAN on the root side) they are not.

Here is the configuration of the AP:


Building configuration...

Current configuration : 4672 bytes
!
! Last configuration change at 11:09:03 MEXICO Mon Dec 18 2017 by Cisco
version 15.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname WGB-Apcliente-21
!
!
logging rate-limit console 9
enable secret 
!
no aaa new-model
clock timezone MEXICO -6 0
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
clock save interval 8
no ip source-route
no ip cef
no ip domain lookup
!
!
!
!
dot11 pause-time 100
dot11 syslog
!
dot11 ssid 
authentication open eap PEAP
authentication network-eap PEAP
authentication key-management wpa version 2 cckm
dot1x credentials PEAP
dot1x eap profile PEAP
infrastructure-ssid
!
!
!
eap profile PEAP
method peap
!
no ipv6 cef
!
crypto pki trustpoint 
enrollment terminal
subject-name CN=Wireless-CA
revocation-check none
rsakeypair manual-keys 1024
!
!
crypto pki certificate chain WGB-PEAP
certificate ca

dot1x credentials PEAP
username
password 
pki-trustpoint 
!
username password 7
username privilege 15 password 7
!
!
lldp run
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
antenna gain 0
packet retries 64 drop-packet
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
!
encryption mode ciphers aes-ccm
!
ssid TERNET
!
antenna gain 0
peakdetect
packet retries 64 drop-packet
station-role workgroup-bridge
mobile station period 10 threshold 85
bridge-group 1
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
!
interface GigabitEthernet1
no ip address
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
mac-address 2c5a.0fa0.9824
ip address 255.255.255.0
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
!
ip default-gateway 
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
bridge 1 address accc.8e84.ea99 forward GigabitEthernet0
bridge 1 address 0003.2d38.0b72 forward GigabitEthernet1
!
!
!
line con 0
logging synchronous
line vty 0 4
login local
transport input all
line vty 5 15
login local
transport input all
!
sntp server 
end

Please Help!!!

1 Reply

Freerk Terpstra
Level 7

I highly recommend removing the username and password information from your initial post and removing the default Cisco username from your production configuration.

Since the end-point information no longer seems to exist on at least one side of the bridge, you should look into the bridge aging-time configuration. You can verify if this is indeed the issue by comparing the output of the "show bridge" command on both the root and the WGB when the issue occurs. In case there is a mismatch, the entry has been removed due to inactivity in traffic sent by the end-point. You can safely configure a higher aging-time with the "bridge bridge-group-number aging-time seconds" command; you should do that on both sides.

Please rate useful posts... :-)
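
The "show bridge" comparison suggested in the reply above, as an added example that is not part of the original thread: a Python helper that pulls every Cisco-notation MAC address out of a pasted capture from each side and reports which end-points one side has dropped. The capture layout, the hostname `root-ap` and the MAC `0000.5e00.5301` are constructed assumptions; the other two MACs are the static bridge entries from the posted configuration.

```python
import re

# Cisco dotted-hex MAC notation, as in "bridge 1 address accc.8e84.ea99 ..."
MAC_RE = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b", re.IGNORECASE)

def macs_in(capture):
    """Every MAC address found in a pasted CLI capture, lower-cased."""
    return {m.lower() for m in MAC_RE.findall(capture)}

def compare_bridge_tables(wgb_capture, root_capture, expected=()):
    """Diff the MACs seen on each side and flag expected end-points seen nowhere."""
    wgb, root = macs_in(wgb_capture), macs_in(root_capture)
    expected = {m.lower() for m in expected}
    return {
        "missing_on_root": sorted(wgb - root),
        "missing_on_wgb": sorted(root - wgb),
        "expected_absent_everywhere": sorted(expected - wgb - root),
    }

# Constructed captures: the line layout is simplified and is NOT real IOS output.
# accc.8e84.ea99 and 0003.2d38.0b72 are the static entries in the posted config;
# 0000.5e00.5301 is a documentation-range MAC standing in for a third end-point.
WGB_CAPTURE = """\
WGB-Apcliente-21#show bridge
accc.8e84.ea99  forward  GigabitEthernet0
0003.2d38.0b72  forward  GigabitEthernet1
"""
ROOT_CAPTURE = """\
root-ap#show bridge
ACCC.8E84.EA99  forward  Dot11Radio1
"""
EXPECTED = ["accc.8e84.ea99", "0003.2d38.0b72", "0000.5e00.5301"]

def demo():
    """Run the comparison on the constructed captures above."""
    return compare_bridge_tables(WGB_CAPTURE, ROOT_CAPTURE, EXPECTED)

if __name__ == "__main__":
    for bucket, macs in demo().items():
        print(f"{bucket}: {', '.join(macs) or '-'}")
```

Because the parser keys only on the MAC notation, it works on whatever column layout the device prints; take both captures while the clients are unreachable.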
