Cisco Support Community
New Member

Wireless endpoint cannot communicate with default gateway

Hardware used: 

Cisco WLC 5508
Cisco LWAP AIR-CAP3502I-K-K9

Windows Laptop

This is what the topology looks like.

This is a complicated scenario involving ISE with the wireless services. The client can connect with the SSID, but no meaningful traffic is being sent. The client, being in the same broadcast domain, cannot even ping its default gateway. There is NO ACL blocking this. The IP addresses are properly configured. NOTE: STATIC ADDRESSES ARE BEING DEFINED. THERE IS NO DHCP.

 

In the WLC GUI, we can even see the client listed, connected to the LWAP.

As you can see from the topology, the WLC is connected to the AP via the switch. The WLC is configured with the appropriate VLANs and, as you can see, there is a trunk link that allows traffic to flow to and from the WLC and the AP.

 

There is also an ISE box. Let me save a massive amount of time by simply stating that the ISE box is properly configured, and the WLC and the AP are also configured according to the numerous guides, and even cross-checked against the BYOD book from Aaron W. An ACL which literally allows all traffic is being pushed. Let me assure you that the ACL isn't an issue here.

The configs are double and triple checked. Authentication and authorization are NOT an issue, since the ISE box is able to properly profile and authorize the endpoint (DOT1X, MAB, etc.) and allow access. But the client cannot even ping the default gateway, which is an SVI on the switch. VLANs aren't an issue. The security side of things isn't an issue either.

This is a problem with the wireless side of things.

Here is a wireshark capture when the client is continuously trying to ping the default gateway. This traffic is captured FOR the port connected from the switch to the AP (in other words, the AP's traffic).

http://1drv.ms/1mQNCw5

24 REPLIES
Hall of Fame Super Gold

Why is the link to your AP a dot1q trunk?

That should only be an access port.

New Member

There are multiple SSIDs. Each SSID is assigned a VLAN. Hence, a trunk.

Hall of Fame Super Gold

No it's not.  :P

Maybe you need to read the WLC deployment guide.  This could be your problem.

Your AP should be on an access port in its own VLAN.  A VLAN and DHCP scope for APs alone.  This acts as a "management" IP address range.

You can have 16 SSIDs, as an example and not as a recommendation, but your switchport to your AP is an access port.

New Member

Okay, I just made the switchport connected to the AP an access port, and tested, but I still don't get any replies to my pings to the default gateway.

Just read that the AP encapsulates the packets from the clients in Lightweight AP Protocol (LWAPP)/CAPWAP, and then passes the packets on to the WLC.

Hall of Fame Super Gold

From the switch, post the output of the command "sh cdp n AP_interface det".

I want to see the interface VLAN configuration of the access port VLAN of the AP.  Did you create a VLAN database instance for the AP?

New Member

POD2-Core-SW#sh cdp neighbors fa 1/0/33 detail 
-------------------------
Device ID: AP0006.f6ee.51d0
Entry address(es): 
  IP address: 192.168.1.50
Platform: cisco AIR-CAP3502I-K-K9   ,  Capabilities: Trans-Bridge 
Interface: FastEthernet1/0/33,  Port ID (outgoing port): GigabitEthernet0
Holdtime : 135 sec

Version :
Cisco IOS Software, C3500 Software (AP3G1-K9W8-M), Version 12.4(25e)JA, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Fri 27-Jan-12 21:51 by prod_rel_team

advertisement version: 2
Duplex: full
Power drawn: 15.400 Watts
Power request id: 21017, Power management id: 1
Power request levels are:0 0 0 0 0 
Power Available TLV:

    Power request id: 0, Power management id: 0, Power available: 0, Power management level: 0
Management address(es): 

POD2-Core-SW#

 

EDIT1:

The management interface is in the 192.168.1.X range. The default gateway is an SVI with the IP 192.168.1.10. This is the show run int AP_interface:

interface FastEthernet1/0/33
 switchport mode access
 switchport access vlan 910
end

 

The VLAN is in the database. I wouldn't have a trunk otherwise. :-)

Just an FYI, the SSID I'm trying to connect to is on another VLAN altogether (192.168.3.X range). Hence it also has an SVI on the same switch, 192.168.3.10.

EDIT2:

So, let's get a few things sorted out. 

The AP-Manager Interface IP is 192.168.1.1 (where I access the web GUI from)

The AP acquires a 192.168.1.50 IP via DHCP. 

The client SSID is in the VLAN that has an SVI as the default gateway on the switch as 192.168.3.10

The client itself is statically configured with the IP 192.168.3.55.

 

EDIT3:

ALSO, FORGOT TO ADD, the AP WAS ALWAYS ABLE TO COMMUNICATE WITH THE DEFAULT GW IN QUESTION. EVEN BEFORE I CHANGED IT TO AN ACCESS PORT.

 

It was only the wireless clients connected to the AP that couldn't communicate. I believe that the AP is communicating with the default gw via the 192.168.1.50 IP, but the SSID in question are in the broadcast domain of 192.168.3.X, therefore, the client is statically assigned a 192.168.3.55 IP, and I try to ping the default gateway 192.168.3.10, which fails. 
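
Added example (not from the thread or from Cisco): a small parser for the `show cdp neighbors detail` output posted above, with a sanity check of the kind the reply was asking for, namely that the neighbour on the AP port really is a lightweight AP and that it sits on the AP/management subnet (192.168.1.0/24 in this thread) behind the expected switchport. The input is the posted output copied verbatim (minus the power TLV block); the function and parameter names are my own.

```python
import ipaddress
import re

# Input: the "sh cdp neighbors fa 1/0/33 detail" output posted in the thread,
# copied verbatim apart from the trailing power TLV lines.
CDP_DETAIL = """\
-------------------------
Device ID: AP0006.f6ee.51d0
Entry address(es):
  IP address: 192.168.1.50
Platform: cisco AIR-CAP3502I-K-K9   ,  Capabilities: Trans-Bridge
Interface: FastEthernet1/0/33,  Port ID (outgoing port): GigabitEthernet0
Holdtime : 135 sec

Version :
Cisco IOS Software, C3500 Software (AP3G1-K9W8-M), Version 12.4(25e)JA, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Fri 27-Jan-12 21:51 by prod_rel_team

advertisement version: 2
Duplex: full
Power drawn: 15.400 Watts
"""

FIELDS = {
    "device_id": re.compile(r"^Device ID:\s*(\S+)", re.M),
    "ip": re.compile(r"^\s*IP address:\s*(\S+)", re.M),
    "platform": re.compile(r"^Platform:\s*(.*?)\s*,\s*Capabilities:\s*(.*?)\s*$", re.M),
    "ports": re.compile(r"^Interface:\s*(\S+?),\s*Port ID \(outgoing port\):\s*(\S+)", re.M),
    "version": re.compile(r"\bVersion (\S+),"),   # skips the bare "Version :" header line
}


def _field(pattern, chunk, group=1):
    m = pattern.search(chunk)
    return m.group(group).strip() if m else None


def parse_cdp_detail(text):
    """Split CDP detail output on its dashed separators and pull out the fields
    that matter for an AP uplink check. Missing fields become None."""
    entries = []
    for chunk in re.split(r"^-{5,}\s*$", text, flags=re.M):
        if "Device ID:" not in chunk:
            continue
        entries.append({
            "device_id": _field(FIELDS["device_id"], chunk),
            "ip": _field(FIELDS["ip"], chunk),
            "platform": _field(FIELDS["platform"], chunk, 1),
            "capabilities": _field(FIELDS["platform"], chunk, 2),
            "local_if": _field(FIELDS["ports"], chunk, 1),
            "remote_if": _field(FIELDS["ports"], chunk, 2),
            "version": _field(FIELDS["version"], chunk),
        })
    return entries


def check_ap_neighbor(entry, ap_subnet, expected_local_if=None, platform_prefix="cisco AIR-"):
    """Return findings for a neighbour that is supposed to be a lightweight AP on
    the AP/management subnet. An empty list means the uplink looks sane."""
    findings = []
    who = entry["device_id"]
    if not (entry["platform"] or "").startswith(platform_prefix):
        findings.append(f"{who}: platform {entry['platform']!r} does not look like an AP")
    if "Trans-Bridge" not in (entry["capabilities"] or ""):   # what the posted AP advertises
        findings.append(f"{who}: capabilities {entry['capabilities']!r} lack Trans-Bridge")
    if entry["ip"] is None:
        findings.append(f"{who}: no IP address advertised (AP may not have a lease yet)")
    elif ipaddress.ip_address(entry["ip"]) not in ipaddress.ip_network(ap_subnet):
        findings.append(f"{who}: {entry['ip']} is outside the AP subnet {ap_subnet}")
    if expected_local_if and entry["local_if"] != expected_local_if:
        findings.append(f"{who}: seen on {entry['local_if']}, expected {expected_local_if}")
    return findings


if __name__ == "__main__":
    for e in parse_cdp_detail(CDP_DETAIL):
        print(e["device_id"], e["ip"], e["platform"], e["local_if"], "->", e["remote_if"])
        for f in check_ap_neighbor(e, "192.168.1.0/24", expected_local_if="FastEthernet1/0/33"):
            print("  !", f)
```

One caveat: CDP is unauthenticated, so this confirms cabling and addressing, not the identity of whatever is plugged into the port. Treat a clean result as "the switchport and AP VLAN are set up as intended"; trust in the AP itself comes from its CAPWAP join to the controller, not from CDP.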

 

 

Hall of Fame Super Gold

It was only the wireless clients connected to the AP that couldn't communicate. I believe that the AP is communicating with the default gw via the 192.168.1.50 IP, but the SSID in question are in the broadcast domain of 192.168.3.X, therefore, the client is statically assigned a 192.168.3.55 IP, and I try to ping the default gateway 192.168.3.10, which fails. 

What happens if your SSID is OPEN authentication?  If your client can authenticate with this setup, put your authentication mechanisms back.  Then run this debug command, "debug client <WIRELESS client MAC address>".  Run this debug when the client attempts to authenticate with their credentials and post /attach the output.

New Member

Here's a pastebin of the debug command you asked for.

http://pastebin.com/f4UVCqGi

 

 

The client MAC is 00:24:d7:f0:dc:b8

New Member

Please let me know how you fixed this issue? Thanks!

Hall of Fame Super Gold

I don't see your wireless client getting an IP address.

New Member

That's because, like I've stated numerous times, I'm assigning the IP address statically. :-) :P I've assigned 192.168.3.55 to the client in question.

New Member

Okay, since you've asked for DHCP, I've configured the DHCP scope on the WLC according to the VLAN broadcast domain, and turned debugging on for another client.

Here's another paste of the debug. Not getting an IP from the internal DHCP server.

 

http://pastebin.com/NY19njpD

New Member

Okay. Just sorted DHCP out. Got a DHCP IP address.

Entered the WLAN interface to use 192.168.1.1 as the DHCP server, and enabled DHCP Proxy. Got an IP.

 

EDIT1:

Here's a DHCP paste of getting an IP address successfully.

http://pastebin.com/VBrGmkCW

Very weirdly, I still can't ping my default gateway.

EDIT2:

Here's a capture of the switchport that the AP is connected to. The client is continuously pinging 192.168.3.10, the default gw. And 192.168.3.42 was the DHCP-assigned IP.

http://1drv.ms/1gipq7w

Hall of Fame Super Gold

Ok.  Now your clients get a valid IP address.  What's the status?

New Member

Like I said, I still can't ping my default gateway, which is an SVI on the switch, and I've uploaded a packet capture.

New Member

Any help here, Leo?

 

Hall of Fame Super Gold

Any help here, Leo?

Dude, gimme a break!  I gotta sleep!

The default gateway is an SVI, with the IP 192.168.1.10.

May I see the configuration of the VLAN?  So the wireless client can't ping this IP address.

Question though, why would you want the wireless client to ping the default gateway for the APs?  Normally, I would ping the default gateway of the IP address of the wireless client.

What do you get when you run a traceroute?

New Member

Sorry, didn't mean to be a pain. Thanks for helping me out. :-)

 

The sh run for the VLAN in question is:

vlan 910
 name POD4-WLC-MGMT

 

POD2-Core-SW#sh vlan id 910     

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
910  POD4-WLC-MGMT                    active    Fa1/0/33, Fa1/0/46, Gi1/0/4

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
910  enet  100910     1500  -      -      -        -    -        0      0   

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

 

Let me make it more clear. The mgmt VLAN for the WLC is on this VLAN - 910. The SSID is in VLAN 930. VLAN 910 and 930 have SVIs (default gw) on the switch.

VLAN 910 SVI IP - 192.168.1.10

VLAN 930 SVI IP - 192.168.3.10

Client has received the IP - 192.168.3.40

I'm trying to ping 192.168.3.10, which is the default gw of its broadcast domain.

traceroute fails.

 

Hall of Fame Super Gold

Sorry, didn't mean to be a pain.

I'm just joking.

VLAN 930 SVI IP - 192.168.3.10
Client has received the IP  - 192.168.3.40
I'm trying to ping 192.168.3.10. Which is the default gw of its broadcast domain.
traceroute fails.

Stupid question, but any other subnet can ping  192.168.3.10?    Can the WLC ping 192.168.3.10?  Can the WLC ping 192.168.3.40?

New Member

Yup, other subnets can ping. Like I said, the AP itself has a 192.168.1.X IP, and it can ping 192.168.3.10.

 

WLC canNOT ping 192.168.3.10. WLC can ping 192.168.1.10 (mgmt).

WLC canNOT ping 192.168.3.40.

New Member

Bump.

New Member

Bump 2.

Hall of Fame Super Gold

Another stupid question ... Say you put a wired laptop into the same VLAN and subnet as the WLC, can you replicate the behaviour of the WLC from the laptop?

New Member

Problem solved.

I had assigned different PORTS for all of the interfaces. Changed it to the management port and everything worked like a charm. Such a trivial issue.
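
Added example (not from the thread or from Cisco): a checker for the mistake that closed the thread, a dynamic (client) interface bound to a different physical port than the management interface, so client frames never reached the one cabled, trunked port. It works on a constructed table in the shape of the WLC `show interface summary` output; the column layout is approximated from memory and should be checked against a real controller. Addresses follow the thread (management on VLAN 910 in 192.168.1.0/24, the client WLAN on VLAN 930 in 192.168.3.0/24); the dynamic interface name `pod2-clients` and its address 192.168.3.2 are assumptions. It also checks two related ways the same symptom arises: the interface's VLAN not being carried on the switch trunk, and the interface address sitting outside the subnet of the SVI the thread's client was pinging.

```python
import ipaddress

# Constructed sample shaped like the WLC "show interface summary" table
# (layout approximated from memory; verify against your own controller).
# "Before" reproduces the thread's fault: the dynamic interface is bound to
# physical port 2 while management sits on port 1. The name "pod2-clients"
# and its address 192.168.3.2 are assumptions, not values from the thread.
WLC_IFACES_BEFORE = """\
Interface Name   Port Vlan Id  IP Address      Type    Ap Mgr  Guest
---------------- ---- -------- --------------- ------- ------- -----
management       1    910      192.168.1.1     Static  Yes     No
virtual          N/A  N/A      1.1.1.1         Static  No      No
pod2-clients     2    930      192.168.3.2     Dynamic No      No
"""

# "After" state: the same table with every interface on the management port.
WLC_IFACES_AFTER = WLC_IFACES_BEFORE.replace("pod2-clients     2 ", "pod2-clients     1 ")

# Switch-side facts from the thread: the SVI for each VLAN, and the VLANs the
# WLC-facing trunk carries.
GATEWAYS = {910: "192.168.1.10/24", 930: "192.168.3.10/24"}
TRUNK_ALLOWED = {910, 930}


def parse_interface_summary(text):
    """Turn the summary table into dicts; N/A ports and VLANs become None."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 7 or cols[0] == "Interface" or cols[0].startswith("-"):
            continue
        name, port, vlan, ip, itype, ap_mgr = cols[:6]
        rows.append({
            "name": name,
            "port": None if port == "N/A" else int(port),
            "vlan": None if vlan == "N/A" else int(vlan),
            "ip": ip,
            "type": itype,
            "ap_mgr": ap_mgr == "Yes",
        })
    return rows


def audit_wlc_interfaces(text, gateways, trunk_allowed):
    """Findings that explain 'client associates but cannot reach its gateway':
    interface on the wrong physical port, VLAN missing from the trunk, or the
    interface address outside the gateway's subnet. Empty list means clean."""
    rows = parse_interface_summary(text)
    mgmt = next(r for r in rows if r["name"] == "management")
    findings = []
    for r in rows:
        if r["vlan"] is None:          # the virtual interface has no wire behind it
            continue
        if r["port"] != mgmt["port"]:  # single-port deployment: everything rides the mgmt port
            findings.append(
                f"{r['name']}: bound to port {r['port']} but management uses port "
                f"{mgmt['port']}; client frames would leave a different physical port")
        if r["vlan"] not in trunk_allowed:
            findings.append(f"{r['name']}: VLAN {r['vlan']} is not carried on the switch trunk")
        gw = gateways.get(r["vlan"])
        if gw is None:
            findings.append(f"{r['name']}: no SVI known for VLAN {r['vlan']}")
        elif ipaddress.ip_address(r["ip"]) not in ipaddress.ip_interface(gw).network:
            findings.append(f"{r['name']}: {r['ip']} is outside the gateway subnet {gw}")
    return findings


if __name__ == "__main__":
    for label, table in (("before", WLC_IFACES_BEFORE), ("after", WLC_IFACES_AFTER)):
        print(label, audit_wlc_interfaces(table, GATEWAYS, TRUNK_ALLOWED) or "clean")
```

The "same port as management" rule is the right one for a single-uplink controller like the one in this thread; on a controller with a LAG or several cabled ports the check should instead be that the interface's port is up and that its switchport carries the interface's VLAN.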
