10.128.128.128 is a meraki AP ip.  any fw rules configured?

Hello Ww/Everyone

Yes theirs fw rules configured on meraki (wireless environment) is there any specific rules we need to allow or deny?

it was also working before and the issue started to occur recently. 

by the way Addressing and traffic settings is set to bridge mode and no change was made on the meraki

Hi  Coesione_srl

All of the AP's were able to connect to the internet via ping and traceroute.

and we have 10 acl rules in place but i can only show the last 2 acl rules. please see below

the 1st 8 acl rules is just to allow traffic from our ISE servers.

thank you

RJAC

Put them all on allow  and see if it works. (To check if its a fw issue)

The ise  does not push  any rules?

Hi WW/Everyone

ISE is only for authentication, we checked the logs on ISE and users are authenticated its just that once they are associated with the guest wifi theres no internet access

thank you

RJAC

Hi @RJAC 

When on the guest network can you ping your DNS servers?

Have you done a PING from your core switch from the Guest SSID VLAN SVI out to the Internet?

Do you get the same result when wired?

Hi Uccer/Everyone

ping from core router sourcing svi of guest wifi can reach the internet

wired connection can reach the internet as well

when we connect to other ssid we can reach the internet as well

the issue is just happening on guest wifi ssid. (1st hop is 10.128.128.128)

thank you

RJAC

Hi @RJAC 

Have you cHacked your firewall settings for the ssid

Wireless > Configure > Firewalling and Traffic Shaping

Theres a setting there that blocks access to the wired LAN.  This could be stopping DNS lookups and therefore internet access

Hi UCcert /Everyone

further troubleshooting results that its an issue on our ISE.

when we change the splash page settings to None (direct access), users were able to browse the internet and the 10.128.128.128 ip was cleared. 1st hop was the ISP public ip.

thank you for all of the suggestions and help

RJAC

Well done @RJAC for sticking with it and resolving the issue.

Hi @RJAC - I seem to running into a similar issue on my end as well today. We also have an ISE splash page for our guest net. 

Would you be willing to post what version of ISE you’re running? We’re at 2.3 patch 7. 

Whoa @MinnesotaKid, time to upgrade quite quickly then, 2.3 is in End of Support state since last month:

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-741...

@CptnCrnchi appreciate the note, but we’re all too familiar with that date :). Budgets, approvals, yada yada. 

On the issue at hand though, I’m curious to see if this is and issue on the ISE or meraki side. This 10.128.128.128 IP also shows up in the NAT mode documentation. 

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/NAT_Mode_with_Meraki_DHCP

Hi  @MinnesotaKid 

the problematic version of ISE on our end is version 2.6.0.156 patch 2,6 and we end up rolling it back to version 2.6.0.156 patch 2. that seems to resolve the issue for us 🙂

Cheers

RJAC