AP 1702i bug - I need a workaround...

Peter Ryznar
Level 1

Hi community,

I found out after one week of testing:

My AP 1702i (autonomous, latest SW) doesn't allow my wireless devices (iphone, notebook) to reach some SSL/TLS sites like

https://businesswebmail.a1.net
or
https://www.bawagpsk.com

for example. Sometimes such a site can be reached once or twice after a reboot of the AP, but then it becomes unreachable. It doesn't even work with open auth and no encryption config, just primitive standard via easy setup wizard (SSID open and no security). With another wlan ap (netgear) connected to my lan in parallel it works without any problem.

Could you please test to reach these websites (3x or 4x) and give me some feedback please... thx in advance

Peter

device:
CISCO AIR-CAP1702I-E-K9 (flashed to autonomous version)
System sw: ap3g2-k9w7-xx.153-3.JC2


12 Replies

Philip D'Ath
VIP Alumni

WiFi is a layer 2 protocol.  It has no knowledge of layer 3 (ip addresses) and above.

You may have an issue, but it won't be directly related to WiFi.

Perhaps you have an IP address conflict (perhaps with the other system)?  Perhaps the 1702 is developing a hardware issue?

Thx Philip,

I know wifi is layer 2, but there is also some routing happening in the AP (distribution of the packets from LAN to different wifi clients).

What I found out is the fact that the wireless device sends a packet (SYN) through the AP to the server and the server replies with a (SYN ACK) packet, which I can trace at the LAN port of the AP. But this packet is not transmitted to the wifi client in this case (mostly...). I tested the AP also on another LAN with other addresses and a fresh setup, but it's the same issue. I think it's a software bug in the IOS of the AP and it depends on the type of the replying server. You may test it also by trying to open a telnet session with the " telnet bsmtp.a1.net 587 " command. Please try it by yourself if you have some time left.

thx again

Peter
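The asymmetry described above (SYN-ACK present on the AP's wired port, absent on the wireless client) can be confirmed mechanically by cross-checking the two captures. The script below is an added example, not code from the thread; it assumes the TCP flags of both captures have already been exported into simple records (for instance from Wireshark), and the packets it contains are constructed sample data, not a real trace.

```python
"""Cross-check two packet captures for TCP handshakes whose SYN-ACK was seen on
the wired side of the AP but never reached the wireless client.

Added example, not code from the thread. The packet records are constructed
sample data standing in for the LAN-side and client-side captures described
in the post; real captures would be exported to this shape first.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK


# Constructed sample: capture taken on the AP's wired (LAN) port.
LAN_CAPTURE = [
    Pkt("192.0.2.10", 51000, "203.0.113.5", 443, "S"),
    Pkt("203.0.113.5", 443, "192.0.2.10", 51000, "SA"),  # server answers
    Pkt("192.0.2.10", 51000, "203.0.113.5", 443, "S"),   # client retries anyway
    Pkt("203.0.113.5", 443, "192.0.2.10", 51000, "SA"),
    Pkt("192.0.2.10", 51001, "203.0.113.7", 587, "S"),
    Pkt("203.0.113.7", 587, "192.0.2.10", 51001, "SA"),
    Pkt("192.0.2.10", 51001, "203.0.113.7", 587, "A"),
]

# Constructed sample: capture taken on the wireless client itself.
CLIENT_CAPTURE = [
    Pkt("192.0.2.10", 51000, "203.0.113.5", 443, "S"),
    Pkt("192.0.2.10", 51000, "203.0.113.5", 443, "S"),   # SYN-ACK never arrived
    Pkt("192.0.2.10", 51001, "203.0.113.7", 587, "S"),
    Pkt("203.0.113.7", 587, "192.0.2.10", 51001, "SA"),
    Pkt("192.0.2.10", 51001, "203.0.113.7", 587, "A"),
]


def handshakes(pkts):
    """Group packets by flow, keyed as (client, cport, server, sport).

    The client is whoever sent the SYN. Returns {flow: {"syn": n, "synack": m}}
    so both SYN retransmissions and SYN-ACK arrivals can be counted.
    """
    flows = {}
    for p in pkts:
        if p.flags == "S":
            flows.setdefault((p.src, p.sport, p.dst, p.dport), {"syn": 0, "synack": 0})
    for p in pkts:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S" and fwd in flows:
            flows[fwd]["syn"] += 1
        elif p.flags == "SA" and rev in flows:
            flows[rev]["synack"] += 1
    return flows


def dropped_synacks(lan_pkts, client_pkts):
    """Flows where the LAN side saw a SYN-ACK but the client side saw none."""
    lan = handshakes(lan_pkts)
    client = handshakes(client_pkts)
    return sorted(
        flow for flow, c in lan.items()
        if c["synack"] > 0 and client.get(flow, {"synack": 0})["synack"] == 0
    )


def syn_retransmissions(pkts):
    """Per flow, how many SYNs beyond the first the client had to send."""
    return {flow: c["syn"] - 1 for flow, c in handshakes(pkts).items() if c["syn"] > 1}


if __name__ == "__main__":
    for flow in dropped_synacks(LAN_CAPTURE, CLIENT_CAPTURE):
        print("SYN-ACK not forwarded to client:", flow)
    print("client SYN retransmissions:", syn_retransmissions(CLIENT_CAPTURE))
```

A flow listed by `dropped_synacks()` together with a non-zero entry in `syn_retransmissions()` for the same flow is exactly the symptom in the post: the server did answer, the AP received the answer, and the client kept re-sending its SYN because the answer was never bridged to the radio. Flows that complete on both sides (the port 587 flow in the sample) are not reported.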

The configuration of your AP could help.

In any case, you might have an MTU or Duplex issue between your AP and the device it is connected to, check if the speed is correct at 1 Gbps and that you have an MTU of 1500 on the next Layer 3 device.

Thx but first: are you able to reach these websites via cisco ap?

and

I checked both MTU and 1GBits + full duplex - and checked MTU by

"ping www.yahoo.com -f -l 1472" - works and therefore MTU = 1500.

The issue is nearly identical to Cisco Bug: CSCuc02149

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuc02149

where exactly this error shows up at the console and I sniffed the same SYN ACK packet not being transmitted to the wireless client. But I'm not sure what it has to do with ipv6...

my config (primitive standard for testing):

!
! Last configuration change at 15:47:16 UTC Thu Jul 21 2016
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
!
logging rate-limit console 9
enable secret 5 $1$Q7nI$rldmDg8kg9vCoRbrC5CRd/
!
no aaa new-model
no ip source-route
no ip cef
!
!
!
!
dot11 syslog
!
dot11 ssid MAR
   authentication open 
   guest-mode
!
!
!
no ipv6 cef
!
!
username Cisco password 7 047802150C2E
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 !
 ssid MAR
 !
 antenna gain 0
 stbc
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 shutdown
 antenna gain 0
 peakdetect
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface GigabitEthernet1
 no ip address
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 mac-address 00c1.64a4.5a3c
 ip address dhcp client-id GigabitEthernet0
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
 transport input all
!
end

I can reach both URLs over a controller based Cisco AP.

You do have IPv6 enabled on your BVI1, try to disable that, if you don't use it.

Also, you have your 5 GHz band disabled, I guess that is extra?

Also check this here: https://supportforums.cisco.com/document/61936/autonomous-ap-and-bridge-basic-configuration-template

They have configured a default gateway on the AP which you lack.

Only other thing left, try a different driver on the client side, I had very weird wireshark findings in the past with Intel drivers of the years 2014 and 2015, they were horrible.

thx again, very interesting that you can reach these sites. Would it be possible to get your config for comparison? There is maybe something additional when configured through a WLC...

Yes, I've tried all your hints but without success, always getting this issue and this error msg.

I tried also per iphone, android phone and per Lenovo laptop but always not reachable over cisco AP and always reachable over netgear wlan AP. I did sniffing with microsoft network analyser and with wireshark, all the same.

maybe you may send me the working config per email: p.ryznar@yopmail.com

thx so much

Peter

This is the config, please note that it completely lacks the SSID configuration as it's in local mode. Please note, it's a 3702i model.

3702AC-1011-1#sh run
Building configuration...
Current configuration : 21351 bytes
!
! Last configuration change at 11:11:59 UTC Fri Jul 22 2016
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 3702AC-1011-1
!
!
logging rate-limit console 9
enable secret 5 here_is_a_password
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
no ip routing
no ip cef
!
!
!
!
!
!
eap profile lwapp_eap_profile
 method fast
!
!
crypto pki trustpoint cisco-m2-root-cert
 revocation-check none
 rsakeypair Cisco_IOS_M2_MIC_Keys
!
crypto pki trustpoint Cisco_IOS_M2_MIC_cert
 revocation-check none
 rsakeypair Cisco_IOS_M2_MIC_Keys
!
crypto pki trustpoint airespace-old-root-cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
!
crypto pki trustpoint airespace-device-root-cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
!
crypto pki trustpoint Cisco_IOS_MIC_cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
!
!
crypto pki certificate chain cisco-m2-root-cert
 certificate ca 01
        quit
crypto pki certificate chain Cisco_IOS_M2_MIC_cert
        quit
 certificate ca 02
         quit
username apadmin secret 5 here_is_a_password
!
!
ip ssh version 2
lldp run
bridge irb
!
!
!
interface Dot11Radio0
 no ip route-cache
 antenna gain 0
 stbc
 ampdu transmit priority 1
 ampdu transmit priority 2
 ampdu transmit priority 3
 mbssid
 speed  6.0 9.0 12.0 basic-18.0 basic-24.0 basic-36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23.
 power local 4
 power client local
 packet retries 64 drop-packet
 fragment-threshold 2312
 station-role root
 no cdp enable
!
interface Dot11Radio1
 no ip route-cache
 antenna gain 0
 peakdetect
 stbc
 ampdu transmit priority 1
 ampdu transmit priority 2
 ampdu transmit priority 3
 mbssid
 speed  basic-18.0 basic-24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23. a1ss9 a2ss9 a3ss9
 power local 12
 power client local
 packet retries 64 drop-packet
 station-role root
 no cdp enable
!
interface GigabitEthernet0
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 mac-address 74a2.e63c.cd2c
 ip address dhcp client-id BVI1
 no ip route-cache
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
!
interface Virtual-WLAN0
 no ip route-cache
!
ip forward-protocol nd
no ip http server
!
!
logging trap emergencies
logging origin-id string AP:74a2.e63c.cd2c
logging facility kern
logging host 255.255.255.255
!
!
bridge 1 protocol ieee
bridge 1 route ip
parser view capwap-config-view
 secret 5 here_is_a_password
 commands configure include all capwap
 commands exec include all enable
 commands exec include configure terminal
 commands exec include configure
 commands exec include all show capwap
 commands exec include show running-config
 commands exec include show
!
!
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
end

Just found this bug while reading the release notes for the controller 8.2MR2 beta:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux92251

Description:

- AIR-CAP2702 with WLC 8.2 doesn't allow HTTPS client access
- 2702 AP using Flexconnect against a controller with 8.2.100 code, clients can't connect HTTPS sites, AP span port shows receiving GET/ACK packets, but on client capture we do not see ACK back, so client keeps on re-transmitting GETs
- Same setup with 1142 works


This might also affect your 1702 model, I think they run the same software.

Wow, I think this could be the bug affecting me...

But how to come to a workaround or a solution?

I've no service contract with Cisco...

Now that sadly is a problem. I can't help you with that, as I don't have any 1702i here, but you might want to try a much older image (yours is the most current one).

Try: ap3g2-k9w7-tar.153-3.JBB6.tar

MD5 Checksum: 935e389017645a1baf6062ce9f2d00db

I assume it should be fixed in the successor of the ap3g2-k9w7-xx.153-3.JC2 image, but it isn't out yet. I assume it might be out in the middle of August (when the 8.2MR2 is final).

You might want to get a Smartnet contract for 1 year, it's around 50€ (assuming you're from Austria). I'm not sure if you can also get download access by registering your serial number without a Smartnet. Here is the official download link:

https://software.cisco.com/download/release.html?mdfid=286281141&flowid=71622&softwareid=284180979&release=15.3.3-JC2&relind=AVAILABLE&rellifecycle=ED&reltype=latest
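Since the reply above gives an image name together with its MD5 checksum, the download should be checked against that checksum before it is flashed to the AP. The script below is an added example, not code from the thread or from Cisco; the image name and checksum are the ones quoted in the reply, while `verify_bytes()` and the sample bytes are constructed for the demonstration.

```python
"""Check a downloaded IOS AP image against the MD5 checksum published
alongside it before flashing the AP.

Added example, not code from the thread or from Cisco. IMAGE_NAME and
PUBLISHED_MD5 are the values quoted in the reply above; verify_bytes() and
the sample data are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile

IMAGE_NAME = "ap3g2-k9w7-tar.153-3.JBB6.tar"
PUBLISHED_MD5 = "935e389017645a1baf6062ce9f2d00db"  # as quoted in the thread
CHUNK_SIZE = 1 << 20  # read 1 MiB at a time; images are tens of MB


def md5_of_file(path):
    """Stream the file through MD5 so large images need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_matches(path, expected_hex):
    """True if the file's MD5 equals expected_hex (case-insensitive, constant-time)."""
    actual = md5_of_file(path).lower()
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def verify_bytes(data, expected_hex):
    """Constructed helper: write bytes to a temp file and verify them in place."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.tar")
        with open(path, "wb") as fh:
            fh.write(data)
        return image_matches(path, expected_hex)


if __name__ == "__main__":
    # Assumption: the image was saved in the current directory under its own name.
    if os.path.exists(IMAGE_NAME):
        ok = image_matches(IMAGE_NAME, PUBLISHED_MD5)
        print(f"{IMAGE_NAME}: {'MD5 OK' if ok else 'MD5 MISMATCH, do not flash'}")
    else:
        # Constructed sample so the script runs without the real image;
        # 900150983cd24fb0d6963f7d28e17f72 is the well-known MD5 of b"abc".
        print("sample bytes verify:",
              verify_bytes(b"abc", "900150983cd24fb0d6963f7d28e17f72"))
```

A matching MD5 confirms the file arrived intact (no truncated or corrupted transfer). It is not proof of origin: MD5 is not collision resistant and a checksum copied from a forum post carries no more trust than the post itself, so compare the value against the checksum shown on Cisco's own download page rather than relying on the one quoted here alone.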

thx, I'll try the older version (download is possible for a partner of mine)

...I'll post the result here...

downgrade to

ap3g2-k9w7-tar.153-3.JBB6.tar

was the solution!

This version is ok and solves my problem -

thx so much @patoberli
