Corporate laptop associated to corporate tagged Vlan SSID cannot ping its gateway IP.

Zakir
Comes here often


Hi everyone, please, I need your help.

Customer's corporate laptop associated to the CORP SSID, with tagged VLAN, gets an IP address, gateway IP and DNS IP all good, but it is unable to ping the gateway IP, whereas when I connect my personal laptop to the same SSID, it works smoothly. Initially it was associated to AP4 and I saw DNS and DHCP failures, but after doing multiple reboots, I see it is now connected to AP2, still can't ping the gateway, and I don't see DNS and DHCP failures in the LAN tab of this AP2.

MilesMeraki
Head in the Cloud

So it's just the one client that is having trouble pinging its gateway? Are you sure that you are not fat fingering the default gateway IP? Are there any firewall rules which would block ICMP?

Have you tried taking a packet capture from the wireless AP it's associated with, on the wireless/wired interfaces, and looking to see if an ICMP reply is being provided?

Eliot F | Simplifying IT with Cloud Solutions

There is no firewall in between. The gateway is on the directly connected router, with a Meraki switch in between where the AP is connected. After spending too much time, I just removed all access points from the network and added them back again [not rebooted], and now it works fine for the corporate laptop, with the RADIUS authentication SSID and one more created for testing without RADIUS authentication [pre-shared key].

I suspect this is something to do with the firmware itself.

Uberseehandel
Kind of a big deal


@Zakir wrote:

I suspect this is something to do with firmware itself..


not to heap Pelion upon Ossa

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
PhilipDAth
Kind of a big deal

Is the machine running a firewall? Windows Firewall? Some antivirus firewall?

Zakir
Comes here often

The problem seems to be mostly related to the DHCP lease from the DHCP server. The site has two other SSIDs [Guest and BYOD], and the DHCP lease for them is on the firewall MX100, connected with a separate Internet link to isolate non-corporate traffic. This is achieved by using an MX84 as a VPN concentrator, a one-armed concentrator. For the CORP SSID, Internet flow is via the MPLS link and exits from the DC.

Now for the CORP SSID, the DHCP lease is from the customer's corp DHCP server. While troubleshooting I saw the issue was temporarily resolved when I had removed all the APs from the network and put them back [not rebooted]; it somewhat cleared whatever junk it had in its memory, and the same laptop with the "corp WIFI" SSID started working. But when the user moves from one AP to another in the same SSID/VLAN (roaming), it loses connectivity and gets a yellow triangle, and the test computer can't ping the subnet gateway.

This DHCP server and the AP are directly connected to the same switch, and the uplink connects to the MPLS router from that switch.

The customer is to do a firmware upgrade tonight; will see how it goes tomorrow.


Adam
Kind of a big deal

Also worth checking if your computer is whitelisted in the dashboard.  Many restrictions are not applied to whitelisted computers vs a standard policy machine.  

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
Zakir
Comes here often

I actually tried with four computers, two corporate and two personal. It's funny how the issue was occurring.

- Two personal laptops: no issue at all, works with corp-SSID [only pre-shared key].

- Corporate laptop: gives an issue connecting to CORP-SSID [RADIUS authentication] and CORP-SSID [PSK].

- Removed all 6 APs from the network and put them back after 5 minutes; the corporate laptop started to work. After 30 minutes, when the APs started moving the user from one AP to another, the issue came back.

- Deleted the IP lease from the DHCP server, cleared the IP from Windows [ipconfig /release]; I see the user machine is getting a dummy IP [169.254.XX.XX].

- Got Meraki support on the call; he started doing a packet capture on the uplink of the Meraki switch connecting to the WAN router. In less than a minute, the whole site's Internet access and phones went off the air, including connectivity of all Meraki devices from that main site to the dashboard.

- The DNS server, which was directly connected to the same Meraki switch, was dropping external DNS return packets, and the Internet wasn't working for all the users in the network, as that is the primary DNS server. Another strange thing: internal DNS was working.

- I proved to the customer that the Palo Alto, which is in the DC, and the MPLS Internet link are not dropping DNS packets; the DNS server in the DC itself was able to resolve external FQDNs from it.

- After one hour of troubleshooting, narrowed the problem down to nowhere else but the Meraki distribution switch. The customer agreed to reboot the distribution Meraki switch from which the Meraki support engineer did a packet capture. Service was restored as soon as the switch was power cycled.

- Now an old issue resurfaces: IP phones are locked out; when rebooted, they stop at 40%, waiting for the DHCP servers to assign an IP address.

- Last year around October, the Meraki engineering team found this to be a bug and applied a temporary fix; it seems they had informed the customer that rebooting may remove that fix from the switch.

- The customer increases the DHCP scope from 100-200 to 100-250; a couple of phones are immediately restored as they get the new IPs, but the DHCP statistics on the DHCP server instantly show 0% IP addresses available [somewhere these IPs are being assigned, or the switch is sucking up all the IP addresses from that phone VLAN and dropping them].

- Rang Meraki support; this engineer checks the switch and confirms the code is still in the rebooted switch, but says it is a good idea to upgrade the firmware and check if that fixes the problem.

===================

This was kind of the whole story yesterday...
