Re: WGB attached devices are not reachable from root

pavel.mr4 · ‎09-19-2018

Hi everyone,

I have the following scenario, one 2602 AP as root with Version 15.2(2)JA, and two 1532 as WGB, all of the AP are autonomous. so, we have AP Hook, with Version 15.3(3)JH1 and AP Cab with Version 15.3(3)JD, both of the WGB have unmanaged moxa switches attached to its gigabitethernet 0, AP Hook has some cameras and an RFID reader, and AP Cab only has the cameras, please find attached a drawing.

The thing is some times the devices attached are not reachable even from the WGB, other times they are but i can not reach them from the Root and other times i can reach only one of the two devices (camera or rfid). I set the bridge 1 address h.h.h forward gi 0, static arp entries, bridge 1 aggin time maximum, and other things that always work for me with passive clients but not this time.

APHook#sh bridge

Total of 300 station blocks, 298 free
Codes: P - permanent, S - self

Bridge Group 1:

Address Action Interface Age RX count TX count
00d0.5502.3566 forward Gi0 P 20 19
accc.8e9b.85f1 forward Gi0 P 59 3

RootAP#sh bridge

Total of 300 station blocks, 295 free
Codes: P - permanent, S - self

Bridge Group 1:

Address Action Interface Age RX count TX count
500f.803b.3f1c forward Dot11Radio0 P 1039 999
00d0.5502.3566 forward Dot11Radio0 P 4 0
accc.8e9b.85f1 forward Dot11Radio0 P 34 2
500f.803b.41ee forward Dot11Radio0 P 23 25
7892.9cc3.b74c forward Dot11Radio0 P 19521 20471

trying to reach the cameras:

trying to reach the rfid:

here are the configs resumed:

AP Root#sh run
Building configuration...

Current configuration : 2386 bytes

dot11 ssid WMSNAVEMB2AP10
authentication open
guest-mode
infrastructure-ssid

crypto pki token default removal timeout 0

interface Dot11Radio0
no ip address
no ip route-cache
!
encryption key 1 size 40bit 7 xxxxxxxxxxxxxx transmit-key
encryption mode wep mandatory
!
ssid WMSNAVEMB2AP10
!
antenna gain 0
stbc
channel 2437
station-role root
payload-encapsulation dot1h
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
shutdown

interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface BVI1
ip address 10.197.154.136 255.255.254.0
no ip route-cache
!
ip default-gateway 10.197.154.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
bridge 1 aging-time 1000000
!
!
!
line con 0
line vty 0 4
exec-timeout 0 0
login local
transport input all
!
sntp server 10.190.2.50
end

APCab#sh run

dot11 ssid WMSNAVEMB2AP10
authentication open
guest-mode

interface Dot11Radio0
no ip address
no ip route-cache
!
encryption key 1 size 40bit 7 0E78330C1A84 transmit-key
encryption mode wep mandatory
!
ssid WMSNAVEMB2AP10
!
antenna gain 0
packet retries 64 drop-packet
station-role workgroup-bridge
payload-encapsulation dot1h
infrastructure-client
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
shutdown

interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
!
interface GigabitEthernet1
duplex auto
speed auto
!
interface BVI1
mac-address 500f.803b.41ee
ip address 10.197.154.137 255.255.254.0
no ip route-cache
!
ip default-gateway 10.197.154.1
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
arp 10.197.155.253 accc.8e98.4325 ARPA GigabitEthernet0
!

bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
transport input all
!
sntp server 10.190.2.50
end

APHook#sh run
Building configuration...

dot11 ssid WMSNAVEMB2AP10
authentication open
guest-mode

interface Dot11Radio0
no ip address
no ip route-cache
!
encryption key 1 size 40bit 7 xxxxxxxxxxxxx transmit-key
encryption mode wep mandatory
!
ssid WMSNAVEMB2AP10
!
antenna gain 32
packet retries 64 drop-packet
station-role workgroup-bridge
payload-encapsulation dot1h
infrastructure-client
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
shutdown

interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
!
interface GigabitEthernet1
duplex auto
speed auto
!
interface BVI1
mac-address 500f.803b.3f1c
ip address 10.197.155.210 255.255.254.0
no ip route-cache
!
ip default-gateway 10.197.154.1
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
arp 10.197.155.239 accc.8e9b.85f1 ARPA GigabitEthernet0
arp 10.197.155.225 00d0.5502.3566 ARPA GigabitEthernet0
!
bridge 1 route ip
bridge 1 address 00d0.5502.3566 forward
bridge 1 address accc.8e9b.85f1 forward
bridge 1 aging-time 1000000
!
!
!
line con 0
line vty 0 4
login local
transport input all
!
sntp server 10.190.2.50
end

Best Regards!

Rasika Nayanajith · ‎09-19-2018

Post "show dot11 association <root_ap_mac>" output from those two WGBs

Pls stay away from WEP encryption. Use AES-CCMP instead under radio interfaces

Also can we get all these 3 APs onto a same code (something like ap3g2-k9w7-tar.153-3.JD16.tar)

Remember below command added to both WGBs.

bridge 1 aging-time 86400

HTH

Rasika

*** Pls rate all useful responses ***

pavel.mr4 · ‎09-20-2018

Hi Rasika,

Here goes the outputs:

APHook#sh dot11 associations 580a.20ca.e130
Address : 580a.20ca.e130 Name : APRoot
IP Address : 10.197.154.136 IPv6 Address :
Gateway Address : 0.0.0.0
Netmask Address : 0.0.0.0 Interface : Dot11Radio 0
Bridge-group : 0
reap_flags_1 : 0x0 ip_learn_type : 0x0 transient_static_ip : 0x0
Device : ap3600-Parent Software Version : 15.2
CCX Version : 5 Client MFP : Off

State : Assoc Parent : -
SSID : WMSNAVEMB2AP10
VLAN : 0
Hops to Infra : 0 Association Id : 1
Tunnel Address : 0.0.0.0
Key Mgmt type : NONE Encryption : WEP
Current Rate : 54.0 Capability : WMM ShortHdr ShortSlot
Supported Rates : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates : disabled Bandwidth : 20 MHz
Signal Strength : -44 dBm Connected for : 4582 seconds
Signal to Noise : 53 dB Activity Timeout : 15 seconds
Power-save : Off Last Activity : 0 seconds ago
Apsd DE AC(s) : NONE

Packets Input : 69276 Packets Output : 606
Bytes Input : 9147488 Bytes Output : 94860
Duplicates Rcvd : 11 Data Retries : 50
Decrypt Failed : 0 RTS Retries : 0
MIC Failed : 0 MIC Missing : 0
Packets Redirected: 0 Redirect Filtered: 0
IP source guard failed : 0 PPPoE passthrough failed : 0
DAI failed : IP mismatch : 0 src MAC mismatch : 0 target MAC mismatch : 0
Existing IP failed : 0 New IP failed : 0
Client Vlan : 0
11w Status : Off
Client SGT : 0

APCab#sh dot11 associations 580a.20ca.e130
Address : 580a.20ca.e130 Name : APRoot
IP Address : 10.197.154.136 IPv6 Address : ::
Gateway Address : 0.0.0.0
Netmask Address : 0.0.0.0 Interface : Dot11Radio 0
Bridge-group : 0
reap_flags_1 : 0x0 ip_learn_type : 0x0 transient_static_ip : 0x0
Device : ap3600-Parent Software Version : 15.2
CCX Version : 5 Client MFP : Off

State : Assoc Parent : -
SSID : WMSNAVEMB2AP10
VLAN : 0
Hops to Infra : 0 Association Id : 1
Tunnel Address : 0.0.0.0
Key Mgmt type : NONE Encryption : WEP
Current Rate : 54.0 Capability : WMM ShortHdr ShortSlot
Supported Rates : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates : disabled Bandwidth : 20 MHz
Signal Strength : -45 dBm Connected for : 59022 seconds
Signal to Noise : 51 dB Activity Timeout : 15 seconds
Power-save : Off Last Activity : 0 seconds ago
Apsd DE AC(s) : NONE

Packets Input : 8808251 Packets Output : 10711757
Bytes Input : 851579393 Bytes Output : 2641640529
Duplicates Rcvd : 3638 Data Retries : 662074
Decrypt Failed : 0 RTS Retries : 0
MIC Failed : 0 MIC Missing : 0
Packets Redirected: 0 Redirect Filtered: 0
IP source guard failed : 0 PPPoE passthrough failed : 0
DAI failed : IP mismatch : 0 src MAC mismatch : 0 target MAC mismatch : 0
Existing IP failed : 0 New IP failed : 0
11w Status : Off

-Pls stay away from WEP encryption. Use AES-CCMP instead under radio interfaces

I was thinking the same, but i need a window because there are some other devices connected wirelessly to the root (tablet and pc). Probably i could do this tomorrow morning

-Also can we get all these 3 APs onto a same code (something like ap3g2-k9w7-tar.153-3.JD16.tar)

same for this

-Remember below command added to both WGBs.

bridge 1 aging-time 86400

Done

BR!

pavel.mr4 · ‎09-21-2018

There is a discrepancy in the sh version of the root

APRoot#sh ver
Cisco IOS Software, C3600 Software (AP3G2-K9W7-M), Version 15.2(2)JA, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Thu 23-Aug-12 02:59 by prod_rel_team

ROM: Bootstrap program is C3600 boot loader
BOOTLDR: C3600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(25e)JAY, RELEASE SOFTWARE (fc1)

cisco AIR-SAP2602E-A-K9 (PowerPC) processor (revision A0) with 180214K/81920K bytes of memory.
Processor board ID FTX1809J5UM
PowerPC CPU at 800Mhz, revision number 0x2151
Last reset from power-on
1 Gigabit Ethernet interface
2 802.11 Radios

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: B8:38:61:BA:83:7D
Part Number : 73-14511-03
PCA Assembly Number : 800-37898-01
PCA Revision Number : B0
PCB Serial Number : FOC18046640
Top Assembly Part Number : 800-38357-01
Top Assembly Serial Number : FTX1809J5UM
Top Revision Number : A0
Product/Model Number : AIR-SAP2602E-A-K9

Configuration register is 0xF

Could this missmatch cause the troubles?

BR!