stealthmode
Cisco Employee

Wireless endpoint cannot communicate with default gateway

Hardware used: 

Cisco WLC 5508
Cisco LWAP AIR-CAP3502I-K-K9

Windows Laptop

 

This is what the topology looks like.

 

 

 

This is a complicated scenario involving ISE with the wireless services. The client can connect with the SSID, but no meaningful traffic is being sent. The client, being in the same broadcast domain, cannot even ping its default gateway. There is NO ACL blocking this. The IP addresses are properly configured. NOTE: STATIC ADDRESSES ARE BEING DEFINED. THERE IS NO DHCP.

 

In the WLC GUI, we can even see the client as listed, connected to the LWAP.

 

 

As you can see from the topology, the WLC is connected to the AP via the switch. The WLC is configured with the appropriate VLANs and as you can see there is a trunk link that allows the traffic to flow to and from the WLC to the AP.

 

There is also an ISE box. Let me save a massive amount of time by simply stating that the ISE box is properly configured, and the WLC and the AP are also configured according to the numerous guides, and even cross-checked against the BYOD book from Aaron W. An ACL which literally allows all traffic is being pushed. Let me assure you that the ACL isn’t an issue here.

The configs are double- and triple-checked. Authentication and Authorization are NOT an issue, since the ISE box is able to properly profile and authorize the endpoint (DOT1X, MAB, etc.) and allow access. But the client cannot even ping the default gateway, which is an SVI on the switch. VLANs aren’t an issue. The security side of things isn’t an issue either.

 

This is a problem with the wireless side of things.

Here is a wireshark capture when the client is continuously trying to ping the default gateway. This traffic is captured FOR the port connected from the switch to the AP (in other words, the AP's traffic).

http://1drv.ms/1mQNCw5

 

 

 

 

25 Replies
Leo Laohoo
VIP Community Legend

Why is the link to your AP a dot1q trunk?

 

That should only be an access port.

There are multiple SSIDs. Each SSID is assigned a VLAN. Hence, a trunk. 

Leo Laohoo
VIP Community Legend

No it's not.  :P

 

Maybe you need to read the WLC deployment guide.  This could be your problem.  

 

Your AP should be an access port in its own VLAN.  A VLAN and DHCP scope for APs alone.  This acts as a "management" IP address range.  

 

You can have 16 SSIDs, as an example and not as a recommendation, but your switchport to your AP is an access port.  

Okay, I just made the switchport connected to the AP as an access port, and tested, but I still don't get any replies to my pings to the default gateway. 

 

Just read that the AP encapsulates the packets from the clients in Lightweight AP Protocol (LWAPP)/CAPWAP, and then passes the packets on to the WLC.

Leo Laohoo
VIP Community Legend

From the switch, post the output to the command "sh cdp n AP_interface det". 

I want to see the interface VLAN configuration of the access port VLAN of the AP.  Did you create a VLAN database instance for the AP?

POD2-Core-SW#sh cdp neighbors fa 1/0/33 detail 
-------------------------
Device ID: AP0006.f6ee.51d0
Entry address(es): 
  IP address: 192.168.1.50
Platform: cisco AIR-CAP3502I-K-K9   ,  Capabilities: Trans-Bridge 
Interface: FastEthernet1/0/33,  Port ID (outgoing port): GigabitEthernet0
Holdtime : 135 sec

Version :
Cisco IOS Software, C3500 Software (AP3G1-K9W8-M), Version 12.4(25e)JA, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Fri 27-Jan-12 21:51 by prod_rel_team

advertisement version: 2
Duplex: full
Power drawn: 15.400 Watts
Power request id: 21017, Power management id: 1
Power request levels are:0 0 0 0 0 
Power Available TLV:

    Power request id: 0, Power management id: 0, Power available: 0, Power management level: 0
Management address(es): 

POD2-Core-SW#

 

EDIT1:

 

The management interface is in the 192.168.1.X range. The default gateway is an SVI, with the IP 192.168.1.10. This is the show run int AP_interface output:

interface FastEthernet1/0/33
 switchport mode access
 switchport access vlan 910
end

 

The VLAN is in the database. Otherwise I wouldn't have a trunk. :-)

 

Just an FYI, the SSID I'm trying to connect to is on another VLAN altogether (192.168.3.X range). Hence it also has an SVI on the same switch, 192.168.3.10. 

 

 

EDIT2:

So, let's get a few things sorted out. 

The AP-Manager Interface IP is 192.168.1.1 (where I access the web GUI from)

The AP acquires a 192.168.1.50 IP via DHCP. 

The client SSID is in the VLAN that has an SVI as the default gateway on the switch as 192.168.3.10

The client itself is statically configured with the IP 192.168.3.55.

 

EDIT3:

ALSO, FORGOT TO ADD, the AP WAS ALWAYS ABLE TO COMMUNICATE WITH THE DEFAULT GW IN QUESTION. EVEN BEFORE I CHANGED IT TO AN ACCESS PORT.

 

It was only the wireless clients connected to the AP that couldn't communicate. I believe that the AP is communicating with the default gw via the 192.168.1.50 IP, but the SSID in question is in the broadcast domain of 192.168.3.X; therefore, the client is statically assigned a 192.168.3.55 IP, and I try to ping the default gateway 192.168.3.10, which fails. 
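As an added example (not code from this thread or from Cisco), a small Python audit that applies the "access port in the AP's own VLAN" model from the replies above to the two outputs the poster shared: it parses the AP-facing switchport config and the CDP neighbor detail and reports any mismatch. The AP VLAN (910) and AP management subnet (192.168.1.0/24) are taken from the posted outputs; the sample inputs are constructed copies of them.

```python
import ipaddress
import re

# Constructed samples, modelled on the switch output posted in this thread.
SHOW_RUN_INT = """interface FastEthernet1/0/33
 switchport mode access
 switchport access vlan 910
end
"""
SHOW_CDP_DETAIL = """Device ID: AP0006.f6ee.51d0
Entry address(es):
  IP address: 192.168.1.50
Platform: cisco AIR-CAP3502I-K-K9   ,  Capabilities: Trans-Bridge
Interface: FastEthernet1/0/33,  Port ID (outgoing port): GigabitEthernet0
"""

def parse_switchport(config):
    """Return (mode, access_vlan) from 'show run interface' output."""
    mode = re.search(r"^\s*switchport mode (\S+)", config, re.M)
    vlan = re.search(r"^\s*switchport access vlan (\d+)", config, re.M)
    return (mode.group(1) if mode else None, int(vlan.group(1)) if vlan else None)

def parse_cdp_neighbor(output):
    """Return the CDP neighbor's IP, platform string and capability list."""
    ip = re.search(r"IP address:\s*(\S+)", output)
    plat = re.search(r"Platform:\s*(.+?)\s*,\s*Capabilities:\s*(.+)", output)
    return {"ip": ip.group(1) if ip else None,
            "platform": plat.group(1) if plat else "",
            "capabilities": plat.group(2).split() if plat else []}

def audit_ap_port(config, cdp_output, ap_vlan, ap_subnet):
    """Check an AP-facing port against the 'access port in the AP management
    VLAN' model; client VLANs ride the CAPWAP tunnel to the WLC, not this port."""
    findings = []
    mode, vlan = parse_switchport(config)
    if mode != "access":
        findings.append(f"switchport mode {mode!r}, expected 'access'")
    if vlan != ap_vlan:
        findings.append(f"access vlan {vlan}, expected AP VLAN {ap_vlan}")
    nb = parse_cdp_neighbor(cdp_output)
    if "AIR-CAP" not in nb["platform"]:  # lightweight AP platform string
        findings.append(f"neighbor platform {nb['platform']!r} is not an AP")
    if "Trans-Bridge" not in nb["capabilities"]:
        findings.append("neighbor does not advertise Trans-Bridge capability")
    ok = (nb["ip"] is not None and
          ipaddress.ip_address(nb["ip"]) in ipaddress.ip_network(ap_subnet))
    if not ok:
        findings.append(f"AP address {nb['ip']} outside AP subnet {ap_subnet}")
    return findings
```

An empty list means the port matches the model; the client subnet (192.168.3.0/24) is deliberately not expected on this port, because it only needs to exist on the trunk toward the WLC.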

 

 

Leo Laohoo
VIP Community Legend

It was only the wireless clients connected to the AP that couldn't communicate. I believe that the AP is communicating with the default gw via the 192.168.1.50 IP, but the SSID in question is in the broadcast domain of 192.168.3.X; therefore, the client is statically assigned a 192.168.3.55 IP, and I try to ping the default gateway 192.168.3.10, which fails. 

What happens if your SSID is OPEN authentication?  If your client can authenticate with this setup, put your authentication mechanisms back.  Then run this debug command, "debug client <WIRELESS client MAC address>".  Run this debug when the client attempts to authenticate with their credentials and post/attach the output.

Here's a pastebin of the debug command you asked.

 

http://pastebin.com/f4UVCqGi

 

 

The client MAC is 00:24:d7:f0:dc:b8

Please let me know how you fixed this issue. Thanks!

Leo Laohoo
VIP Community Legend

I don't see your wireless client getting an IP address. 

That's because, like I've stated numerous times, I'm assigning the IP address statically. :-) :P I've assigned 192.168.3.55 to the client in question.

Okay, since you've asked for the DHCP, I've configured the DHCP scope on the WLC according to the VLAN broadcast domain, and turned the debugging on for another client. 

 

Here's another paste of the debug. Not getting IP from the internal DHCP server.

 

http://pastebin.com/NY19njpD

okay. Just sorted DHCP out. Got a DHCP IP address. 

 

Entered the WLAN interface to use 192.168.1.1 as the DHCP server, and enabled DHCP Proxy. Got an IP.

 

EDIT1: 

 

Here's a DHCP paste of getting an IP address successfully. 

 

http://pastebin.com/VBrGmkCW

 

Very weirdly, I still can't ping my default gateway. 

 

EDIT2:

 

Here's a capture of the switchport that the AP is connected to. The client is continuously pinging 192.168.3.10, the default gw. And, the 192.168.3.42 was the DHCP assigned IP.

 

http://1drv.ms/1gipq7w

Leo Laohoo
VIP Community Legend

Ok.  Now your clients get a valid IP Address.  What's the status?
