Flapping port between firewall MAC-address and access point?
02-22-2024 02:21 AM - edited 02-22-2024 03:15 AM
Hi team,
We have a strange issue.
We have noticed that when a specific client connects to an access point and stays connected for some time, the AP and uplink start flapping, making the AP unusable. The only way to resolve this is to restart the access point.
What's strange about this, however, is that the MAC address that is flapping is the MAC address of the firewall. For example, see below:
Feb 22 11:41:13.036: %SW_MATM-4-MACFLAP_NOTIF: Host dc0b.09d7.6649 in vlan 20 is flapping between port Gi1/0/24 and port Gi1/0/7.
The access point is connected to port 7, while the switch uplink is port 24. The MAC address dc0b.09d7.6649 is the firewall's MAC address on SVI 1.2, the interface connected to the switch:
Interface Ethernet1/2 "", is up, line protocol is up
Hardware is EtherSVI, BW 1000 Mbps, DLY 10 usec
Full-Duplex(fullDuplex), 1000 Mbps(1gbps)
Available but not configured via nameif
MAC address dc0b.09d7.6649, MTU not set
IP address unassigned
3286840218 packets input, 3071697766043 bytes, 0 no buffer
Received 502601348 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
2572997387 packets output, 14995922512835 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
The flapping happens every 10 seconds once it starts, and it's hard to troubleshoot since it's the MAC address of the firewall.
Any idea what could be causing this issue?
Edit, clarification:
Topology:
AP connected to trunk port on switch port 7.
Switch connected via trunk port 24 (uplink) to the firewall.
Client (Windows PC) connects to AP, and causes the flapping as described earlier.
Labels: LAN Switching
02-22-2024 02:50 AM
- It's a bit unclear what the network topology is here: note that APs should always be terminated on switches, not on the firewall (?)
M.
-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '
02-22-2024 03:12 AM - edited 02-22-2024 03:13 AM
Yes of course.
Sorry for the confusion. The topology is simple:
AP connected to trunk port on switch port 7.
Switch connected via trunk port 24 to the firewall.
Client (Windows PC) connects to AP, and causes the flapping as described earlier.
02-22-2024 03:31 AM
- Check AP and firewall logs (too); or even better, configure a common syslog server on AP, switch and firewall, and examine the logging arriving on the syslog server; better insights may be obtained.
Some aside questions: what is the AP model, and how is it used: controller or standalone (e.g.)?
M.
02-22-2024 06:17 AM
There is no reason we should see the AP move from one port to another port (we are aware that with client roaming you see these logs, but not for the AP).
Make sure there are no other loops in the network where the MAC is being learned from different sources?
02-22-2024 07:27 AM
I made sure several times. I also created a new SSID on the AP with only one AP broadcasting the SSID with the only client connecting to the SSID is the one causing the issue.
02-22-2024 06:22 AM
Is this FW in transparent mode?
MHM
02-22-2024 07:26 AM - edited 02-22-2024 08:20 AM
No, it's in routed mode, but configured with SVIs, which is not shown in the description.
02-23-2024 12:38 AM
In routed mode, are you configuring BDI in the FW?
The MAC is passed only in case of bridging; in routing the MAC changes from hop to hop.
MHM
02-22-2024 06:45 AM - edited 02-22-2024 06:56 AM
It's possible that the specific WiFi client is spoofing the MAC address of the default gateway (or causing a loop over the air?). Take a look at the client's drivers, OS, non-physical network adapters (such as for VPNs or virtual machines), antivirus, installed software, do a malware scan, etc.
Is the client also hardwired, and if so, is the hardwire VLAN the same VLAN the client is in when in WiFi?
This is assuming the AP is in FlexConnect mode and clients are terminated at the switch since you mentioned the switch port to the AP is a trunk.
02-22-2024 07:29 AM
Yes, that's possible, but I cannot find any traces of the MAC address at all besides in the switch. When the issue is happening, I can't see the MAC address in the AP or at the client. I only see it flapping in the switch. Makes no sense at all.
There is a VPN installed on the client, but no references to the MAC address.
02-22-2024 09:15 AM
I was also going to suggest the hard-wired possibility.
Presume you are using flexconnect local switching for this SSID?
Make sure nothing (particularly the firewall) has proxy ARP enabled?
Make sure your WLC software is up to date (as per TAC recommended link below) just to eliminate known bugs that might have been fixed. Although this could just as easily be a firewall bug.
Make sure the WiFi driver and OS on the Windows PC are fully up to date and that it doesn't have any kind of bridging enabled, or software that might replay network traffic (some security/hacker tools). Also consider the possibility that the PC has been compromised and is running some kind of malware which is trying (for example) to do a box-in-the-middle attack with the firewall.
------------------------------
TAC recommended codes for AireOS WLCs and TAC recommended codes for 9800 WLCs
Best Practices for AireOS WLCs, Best Practices for 9800 WLCs and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
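The thread's diagnosis hinges on one thing: a gateway MAC (here the firewall's) being learned on an access port instead of the uplink, at a regular interval. The following is an added example, not code from the thread or from Cisco, that parses `%SW_MATM-4-MACFLAP_NOTIF` lines in the format quoted above and raises an alert only when a known gateway MAC flaps onto a port other than its expected uplink, reporting the rogue port(s) and the interval between notifications. The log lines and the gateway inventory are constructed for the example; the real firewall MAC from the post is reused as the sample gateway.

```python
import re
from datetime import datetime

# Constructed sample syslog lines in the format quoted in the thread (not real captured logs).
SAMPLE_LOG = """\
Feb 22 11:41:13.036: %SW_MATM-4-MACFLAP_NOTIF: Host dc0b.09d7.6649 in vlan 20 is flapping between port Gi1/0/24 and port Gi1/0/7.
Feb 22 11:41:23.041: %SW_MATM-4-MACFLAP_NOTIF: Host dc0b.09d7.6649 in vlan 20 is flapping between port Gi1/0/24 and port Gi1/0/7.
Feb 22 11:41:33.050: %SW_MATM-4-MACFLAP_NOTIF: Host dc0b.09d7.6649 in vlan 20 is flapping between port Gi1/0/24 and port Gi1/0/7.
Feb 22 11:42:01.210: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 20 is flapping between port Gi1/0/7 and port Gi1/0/8.
"""

# Assumed inventory (constructed): gateway MAC per VLAN and the port it is legitimately learned on.
GATEWAY_MACS = {
    "dc0b.09d7.6649": {"vlan": 20, "expected_port": "Gi1/0/24", "role": "firewall SVI"},
}

FLAP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)(?:\.\d+)?: %SW_MATM-4-MACFLAP_NOTIF: "
    r"Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)\.$"
)

def parse_flaps(text, year=2024):
    """Parse MACFLAP_NOTIF lines; syslog timestamps carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = FLAP_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "mac": m["mac"], "vlan": int(m["vlan"]),
                           "ports": {m["p1"], m["p2"]}})
    return events

def gateway_alerts(events):
    """One alert per gateway MAC seen on a port other than its expected uplink in its VLAN,
    with the unexpected port(s), the notification count and the median interval in seconds."""
    by_mac = {}
    for ev in events:
        gw = GATEWAY_MACS.get(ev["mac"])
        if gw and ev["vlan"] == gw["vlan"] and ev["ports"] - {gw["expected_port"]}:
            by_mac.setdefault(ev["mac"], []).append(ev)
    alerts = []
    for mac, evs in by_mac.items():
        rogue = sorted(set().union(*(e["ports"] for e in evs)) - {GATEWAY_MACS[mac]["expected_port"]})
        times = sorted(e["ts"] for e in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        interval = round(sorted(gaps)[len(gaps) // 2]) if gaps else None
        alerts.append({"mac": mac, "role": GATEWAY_MACS[mac]["role"], "rogue_ports": rogue,
                       "count": len(evs), "interval_s": interval})
    return alerts
```

Running `gateway_alerts(parse_flaps(SAMPLE_LOG))` on the sample flags only the firewall MAC on Gi1/0/7 (the AP port) at a 10-second cadence; the ordinary client flap between two access ports produces no alert.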
