Hi everyone, I need your help, please.
The customer's corporate laptop associates to the CORP SSID, with a tagged VLAN, and gets an IP address, gateway IP and DNS IP, all good, but it is unable to ping the gateway IP. When I connect my personal laptop to the same SSID, it works smoothly. Initially it was associated to AP4 and I saw DNS and DHCP failures, but after doing multiple reboots, I see it is now connected to AP2. It still can't ping the gateway, and I don't see DNS and DHCP failures in the LAN tab of this AP2.
So it's just the one client that is having trouble pinging its gateway? Are you sure that you are not fat-fingering the default gateway IP? Are there any firewall rules which would block ICMP?
Have you tried taking a packet capture from the wireless AP it's associated with, on the wireless/wired interfaces, and looking to see if an ICMP reply is being provided?
There is no firewall in between. The gateway is on the directly connected router, with a Meraki switch in between where the AP is connected. After spending too much time, I just removed all the access points from the network and added them back again [not rebooted], and now it works fine for the corporate laptop, with the RADIUS authentication SSID and one more created for testing without RADIUS authentication [pre-shared key].
I suspect this is something to do with firmware itself..
@Zakir wrote:
I suspect this is something to do with firmware itself..
not to heap Pelion upon Ossa
Is the machine running a firewall? Windows Firewall? Some antivirus firewall?
The problem seems to be mostly related to the DHCP lease from the DHCP server. It has two other SSIDs [Guest and BYOD], and the DHCP lease for them is on the firewall MX100, connected with a separate Internet link to isolate non-corporate traffic. This is achieved by using the MX84 as a VPN concentrator, a one-armed concentrator. And for the CORP SSID, Internet flow is via the MPLS link and exits from the DC.
Now for the CORP SSID, the DHCP lease is from the customer's corp DHCP server. While troubleshooting I saw the issue was temporarily resolved when I removed all the APs from the network and put them back [not rebooted]; it somehow cleared whatever junk it had in its memory, and the same laptop with the "corp WIFI" SSID started working. But when the user moves from one AP to another in the same SSID/VLAN (roaming), it loses connectivity and gets a yellow triangle, and the test computer can't ping the subnet gateway.
This DHCP server and the AP are directly connected to the same switch, and the uplink connects to the MPLS router from that switch.
The customer is to do a firmware upgrade tonight; will see how it goes tomorrow.
Also worth checking if your computer is whitelisted in the dashboard. Many restrictions are not applied to whitelisted computers vs a standard policy machine.
I actually tried with four computers, two corporate and two personal. It's funny how the issue was occurring.
- Two personal laptops: no issue at all, they work with CORP-SSID [pre-shared key only].
- Corporate laptop: gives issues connecting to CORP-SSID [RADIUS authentication] and CORP-SSID [PSK].
- Removed all 6 APs from the network and put them back after 5 minutes; the corporate laptop started to work. After 30 minutes, when the APs started moving the user from one AP to another, the issue came back.
- Deleted the IP lease from the DHCP server and cleared the IP from Windows [ipconfig /release]; I see the user machine is getting a dummy IP [169.254.XX.XX].
- Got Meraki support on the call. He started doing a packet capture on the uplink of the Meraki switch connecting to the WAN router, and in less than a minute, the whole site's Internet access and phones went off the air, including connectivity of all Meraki devices from that main site to the dashboard.
- The DNS server, which was directly connected to the same Meraki switch, was dropping external DNS return packets, and Internet wasn't working for all the users in the network, as that is the primary DNS server. Another strange thing: internal DNS was working.
- I proved to the customer that the Palo Alto which is in the DC and the MPLS Internet link is not dropping DNS packets; the DNS server in the DC itself was able to resolve external FQDNs from it.
- After one hour of troubleshooting, narrowed the problem down to nowhere else but the Meraki distribution switch. The customer agreed to reboot the distribution Meraki switch from which the Meraki support engineer did the packet capture. Service was restored as soon as the switch was power cycled.
- Now an old issue resurfaces: IP phones locked out. When rebooted, a phone stops at 40% as it is waiting for the DHCP servers to assign an IP address.
- Last year around October, the Meraki engineering team found this to be a bug and applied a temporary fix. It seems they had informed the customer that rebooting may remove that fix from the switch.
- The customer increases the DHCP scope from 100-200 to 100-250, and a couple of phones are immediately restored as they get new IPs, but the DHCP statistics on the DHCP server instantly show 0% IP addresses available [somewhere this IP is being assigned, or the switch is sucking up all the IP addresses from that phone VLAN and dropping them].
- Rang Meraki support; this engineer checks the switch and confirms the code is still in the rebooted switch, but says it is a good idea to upgrade the firmware and check if that fixes the problem.
===================
This was kind of the whole story yesterday...