no (limited) internet on guest wifi: how to troubleshoot?

Solved
cabricharme
Getting noticed


Is there a troubleshooting checklist for a WiFi network that has next to no internet connectivity? I.e. steps to run through to isolate or eliminate specific potential root causes, from bad DNS configuration, to misconfigured firewall or content filtering settings, to APs acting up, etc.?

 

run a trace route on a random web destination, see what it shows, where it takes me? 🙂 (Haven't tried that yet.)

 

Context:

  • 20 retail locations each with similarly configured Guest WiFi - yet only one location has the issue
  • 4 MR42 APs (v.30.6), MX64 (v.18.107.10) at this location (similar to others)
  • this is a Guest WiFi, isolated from the rest of the network, with mostly default settings (from what I could tell)
  • no red flags or warnings in "Wireless Health" or elsewhere (from what I could tell)
  • it does not appear to be any sort of a DHCP exhaustion issue (10.0.0.0/8 DHCP pool with one IPv4 client successfully connected at the time of testing)
  • when I say "next to no internet connectivity" for this specific Guest SSID, I mean:
    • no errors on this WiFi network like "no internet" on Android or iOS devices
    • Google.com shows up fine, with the usual search bar and the newsfeed
    • trying to run Chrome's built-in "speed test": "looks like the speed test is too busy" or something like that
    • some other random sites (e.g. Ookla speed test): "cannot be loaded", "connection reset" errors
    • seemingly most sites don't work
    • MS Outlook and MS Teams messages sometimes go through, sometimes hang for hours and days before getting through on a cellular network or a different SSID - i.e. there seems to be some connectivity, especially given that google.com comes up
    • there were a bunch of changes and activity on the wired network across all locations setting up site-to-site VPNs and static routes - possibly something went haywire there
      • (I managed to fix a "no internet" issue for a different SSID after tracking it down to an SSID-specific traffic "deny" rule blocking traffic to local DNS servers - which apparently was in place forever but only started blocking that traffic after some other change on the network. That "some other" change likely had to do with that flurry of S2S VPN and static route changes and updates.)

 

What I've tried:

  • checking all tabs in "Wireless Health", going through "connection log" with a fine-tooth comb hunting for any errors - seeing nothing.
    • "Overview" - all green
    • "Connection log" - a few association errors (wrong passphrase) - common for a fairly well trafficked location with random devices trying to connect w/o knowing the passphrase. But otherwise - nothing there.

 


 

Thanks!

1 Accepted Solution
cabricharme
Getting noticed

Turns out, "Blocked URL list" under "URL filtering" under "Content Filtering" had '*' for the entire network (not just this specific SSID, not any specific VLAN or device group). Not just on that network, either.

 

Removing it resolved the problem.

 

I'll have to dig around a little more to see why all the other SSIDs (4+) and wired devices across several VLANs worked, or why that particular SSID was working up until a few weeks ago, yet the root cause seems to be a bad case of misconfiguration with multiple rules and policies in different places stepping on each other where which rule takes precedence is unclear.

 

(While troubleshooting this, I was wishing for something like Active Directory's "resultant set of policy" tool that gives me a prioritized list of rules and policies applied to a specific entity or a set of them. Makes it much easier to troubleshoot issues, especially when multiple rules with overlapping scopes and restrictions are scattered across OUs. (In Meraki's case, it's firewall, group policies, SSID-specific policies and rules, content filtering, port configuration - which can all step on each other and where the result can be quite unclear - like in our case.) That, and better log aggregation and querying. Is this too much to wish for?)
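The post notes that the '*' entry was present on more than one network and that rules in different scopes can overlap. As an added example (not part of the original post and not Meraki tooling), the following sketch scans exported block lists from every network and scope and reports each catch-all entry. The data layout, scope names and the `is_catch_all` heuristic are assumptions made for illustration.

```python
import re

# Constructed sample: blocked URL patterns per network and per scope.
# The layout and scope names are hypothetical; adapt them to however you
# export content-filtering and group-policy settings.
SAMPLE_BLOCK_LISTS = {
    "store-03": {"network-wide": ["ads.example"], "group-policy:Guest": []},
    "store-07": {"network-wide": ["*"], "group-policy:Guest": ["ads.example"]},
    "store-12": {"network-wide": ["ads.example", " *.* "],
                 "group-policy:Guest": ["https://*"]},
}


def is_catch_all(pattern):
    """Heuristic (an assumption, not vendor matching logic): the pattern is
    a catch-all if, after dropping any scheme, it contains a wildcard and
    nothing but wildcards, dots and slashes."""
    body = re.sub(r"^[a-z]+://", "", pattern.strip().lower())
    return "*" in body and set(body) <= set("*./")


def find_catch_alls(block_lists):
    """Return (network, scope, pattern) for every catch-all block entry,
    ordered by network and scope so the report is stable between runs."""
    findings = []
    for network in sorted(block_lists):
        for scope in sorted(block_lists[network]):
            for pattern in block_lists[network][scope]:
                if is_catch_all(pattern):
                    findings.append((network, scope, pattern.strip()))
    return findings


if __name__ == "__main__":
    for network, scope, pattern in find_catch_alls(SAMPLE_BLOCK_LISTS):
        print(f"{network}: {scope} blocks {pattern!r}")
```

Running a check like this across all locations after bulk changes gives a single list of where a blanket block exists, which is the part of a "resultant set of policy" view that mattered in this case.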

rhbirkelund
Kind of a big deal

What DNS do the guest users use? What's being assigned by the DHCP server? Is this location by any chance in Europe, specifically France or Spain?

 

What L7 rules are being applied to the Guest Users?

LinkedIn ::: https://blog.rhbirkelund.dk/


All code examples are provided as is. Responsibility for Code execution lies solely your own.
cabricharme
Getting noticed

Thank you, appreciate the comment.

 

The DNS was internal servers (and working) via DHCP (i.e. no manually set DNS specific to this SSID), the location is in the US, no L7 rules.

 

Turns out it was content filtering ("blocked URLs") set to * for the entire network (not just WiFi, or a specific SSID. The entire network with lots of internet-accessing wired and wireless clients.)
