Google Issue and Access Points

Twitch
Building a reputation

Google Issue and Access Points

Is anyone else experiencing strange issues with their wifi this morning? We have been unable to get mobile devices connected to wifi this morning. Devices would receive a "Connected without internet" status.

 

What's bizarre, is we temporarily removed the block on Hong Kong, and now mobile devices can use wireless over our network just fine. We can (as expected without Hong Kong blocked) ping Google as well, but what in the Sam Hill does a geoblock on Hong Kong have to do with our access points being able to pass traffic to the rest of non-Google internet? 

 

The wired network is working just fine, and our wireless devices receive DHCP from the same server that the wired clients get addresses from, so DNS should work just as well as it currently is for wired clients.

 

How would a geoblock on Hong Kong prevent wireless clients from accessing the Internet? Is anyone experiencing this issue?????

 

 

16 REPLIES 16
AndyWettersten
Here to help

Google's geolocating accidentally identified Google as coming from Hong Kong.  We had the same issue here.  If your layer 7 rule was made at the access point level and not the security appliance level, it would only impact your wireless clients and not the wired clients.

Twitch
Building a reputation

Hey Andy, good morning - we have everything firewall-related at the MX level. I could understand the geolocation issue impacting wireless clients if they were trying to reach Google services. It doesn't make sense that they would not be able to connect to the internet as a whole while a block on Hong Kong was in place, unless the issue is specific to how it is impacting Meraki devices, including access points in particular. 

I suppose if you are using Google DNS for your resolution that would kill all Internet access for you.  When things were down, I was unable to ping 8.8.8.8.

bnorrell
New here

We have the same issue.  I allowed Hong Kong and everything came up normally.  @Twitch You may have a separate WLAN firewall rule blocking layer 7 traffic that is not on your layer 7 rules on your MX. 

 

@AndyWettersten It seems we are still having the issue and I dont feel comfortable enough to allow traffic from HK while Google fixes their problem. Thanks for the information though!

 

-Brad

Twitch
Building a reputation

@bnorrell  -Good morning. No separate layer 7 firewall rules for wireless clients. Everything firewall-related runs on the MX.

 

 

@bnorrell  Initially I removed the country block (we only allow about 10 countries and block all others) entirely and things came up.  Later when I found that it was Hong Kong, I allowed traffic to it and loaded our regular countries back and things continued to load correctly.  I figured the risk off allowing one more country was a more acceptable risk than allowing them all.

 

Would be nice if there was an event log for geoblocked events or to have a lookup tool, similar to what they have for content filtering.

If you don't mind me asking, where did you see the report that Google is reporting their services are coming from Hong Kong?  I cant seem to find that status page anywhere.

https://community.meraki.com/t5/Security-SD-WAN/Google-com-incorrectly-Geolocated/m-p/129810

 

"Please be aware that there seems to be an issue with the geolocalization of the Google.com IP address and it is now showing as moved to Hong Kong"

Paul421
Conversationalist

This had me going crazy all morning!  I'm in a school where we are exclusively Google Workspace.  Same issue- WiFi down, No google Services until the Hong Kong rule was deleted.  The only thing I can think of for the AP's was using Google DNS? Even though it's not my primary DNS?  Unsure how the HK rule impacted AP's

Do you use the umbrella protection service in your APs?

I do!  Here's what's even more peculiar.  The WiFi status on laptops, etc. Would have the standard, connected, no internet message, but...if you actually open a browser and type in any url that wasn't Google related, you could reach it.  Mobile phones would also have the connected, no internet but would only connect to the cellular network. 

 

I'm really unsure.

Twitch
Building a reputation

@Paul421- that's the exact issue we have been having as well. Our wireless clients get the same DHCP as the wired clients - same DNS as well - but the wireless mobile devices could not connect to wifi and reach the internet. Only mobile devices, though, which is even stranger. I could connect to wifi on my laptop and it worked okay. My cell phone, however, and other user's phones, and iPads - no joy. Connected without internet.

 

Truly bizarre.

Paul421
Conversationalist

@Twitch It was really bizarre!  Eventually I would like Hong Kong back as a rule, bit we really depend on Google to function.  Fingers crossed for now nothing malicious from HK comes out way!

Twitch
Building a reputation

@AndyWettersten- we are not using the umbrella protection.

This was a problem for a couple of our customers with MX's.  So not just an AP issue.

 

Boy wouldn't be nice if the country blocks would actually be logged. Novel idea, I know....

Paul421
Conversationalist

This would have saved so much time!  +1

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels