Meraki MR WAPs running 28.X code are supposed to have Path MTU Discovery (PMTUD) running on the management interfaces. However, it was not working for me. (There are multiple reasons why PMTUD may not work in all circumstances.) I'm putting this information, and the steps to troubleshoot, out in hopes of saving someone else the time and aggravation.
This is what I was seeing for MR56 WAP connectivity to/from the Meraki cloud running 28.6.1 code. The 27.7.1 code did not show this behavior. The WAPs running 28.6.1 could not stay connected to the cloud for more than 5-10 minutes at a time.
From the Dashboard, this is what we were seeing:
So - What changed from 27.X to 28.X? This did:
- https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Meraki_Device_to_Clou...
- Relevant summary: Communication from the WAP to the Meraki cloud changed to SSL on TCP/443 in 28.X.
Hints at the problem:
- Upstream firewall was showing no long-lived SSL sessions from the WAPs to the Meraki cloud. Sessions were lasting less than 90s. Also, the SSL sessions were being reset by the client, which while legal, is unusual.
- Packet capture in the upstream firewall showed a lot of TCP retransmissions of larger packets with the DF (don't fragment) flag set between the WAPs and the Meraki cloud.
Finding and verifying the issue:
- Inserted a macOS laptop into the same VLAN/Subnet as the WAPs.
- Started doing Pings with a 1500 byte packet size to each L3 device upstream of the WAP, starting with the default gateway and ending at the Internet.
- ping -c 2 -D -s 1472 <insert destination here>
- Generates a 1500 byte packet - 28 bytes of ICMP overhead and 1472 bytes of payload.
- ping -c 2 -D -s 1472 <insert destination here>
- More help: https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Trouble...
The Fix:
- It turns out that our new Internet link had a configuration problem. The MTU was misconfigured to 1496 bytes. Configuration was corrected to 1500 bytes.
- Once the MTU was corrected, WAP connectivity issues were resolved.
In short, make sure you test your network's MTU size to make sure its 1500 bytes all the way from the WAPs to the Internet.
Related threads:
