WiFi devices not getting IP, WiFi Interface "unplugged", vxlan interfaces missing

We updated the WiFi AP firmware 3 days ago. At one location with some AP55c, clients connecting to a WiFi will not get IP addresses. I cannot even see the DHCP requests with packet capture.

I noticed the WiFi interface is shown as unplugged. When I noticed the issue, the Interface did not even have a MAC address (00:00:00:00:00:00).

So I edited, disabled, enabled the SSID and the interface. It remains in unplugged status. No luck, at least it got MAC address again by those changes.

Unplugged and no MAC Address:

After changing and re-applying settings back to original values:


XXX_Guests Link encap:Ethernet  HWaddr F2:EE:67:B9:E3:EA
          inet addr:172.xxx.xxx.1  Bcast:172.xxx.252.255  Mask:255.255.255.0
          inet6 addr: fe80::a86d:xxxxxxxxxxxxxx:1bb1/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:6326211 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6022720 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5041929744 (4.6 GiB)  TX bytes:4307225067 (4.0 GiB)

any help on this please?

update 7.7.2021: noticed missing vxlan adapters on the HA nodes that came up after reboot of the nodes. See comments below.



  • The wireless is actually connected to an AP or does no Access Point broadcast this wireless? Can you redo the link between SSID and AP?

  • we've some APs broadcasting this.

    I deleted this WiFi in particular and recreated it. Stays in status unplugged. Tried another name, stays unplugged.

    After recreation, I created another dummy WiFi network and it comes up as a new interface, also unplugged.

    The initial problem we have, is that clients are not getting IP address from DHCP on XG. I did a packet capture on the WiFi interface during client connects but no packets have been captured.

    Is it even possible to capture packet of those special WiFi interfaces?

  • from my experience, it's better to keep things simple with Sophos. So why not use the separate zone isolation function. Until Saturday it worked smoothly and required way less work on our infrastructure. For large WiFis we use VLAN bridge. For small locations Zone Isolation did a good job in the past.

    Hope Support will honor the "simple" Setup by quickly fixing it.

  • my boss noticed in the daily reports of the XG (HA Cluster) that there are some networks (SSID) and APs that are shown as managed on the secondary node.

    Maybe that is the reason - the traffic is pushed to the secondary by the APs... will need more time to analyse this.

    Primary node:

    Secondary node:

    Strange, today the WiFi interface shows as connected again, issue remains.

  • I guess it's an HA + Linux + VXLAN issue. That seems not to be a simple setup? You have 30 Access Points? I would rather move to VLAN anyway, if you have VLAN available.

  • And I forgot to mention:

    You are actually stressing the Linux "a lot".

    Go to the advanced shell, do an ifconfig.

    You should notice a VXLAN interface per Access Point and per SSID: This means you have 30x8 interfaces, resulting in 240 interfaces on a system. This is quite a lot. (PS: UTM did the same).

    That's the reason to go VLAN, as VLAN will decrease this setup to 8 interfaces (per SSID one VLAN).

  • Thanks for your tips!

    I counted the managed and active APs that are shown in GUI: currently 37

    So there are some missing compared to the reports and I'm quite sure I will find those on the secondary node.

  • so, we have vxlans:

    vxlan19.116 is one of the interfaces, we have issues with. There the Hotspot portal isn't working.

    on the primary:

      new 1 (12 hits)
        Line 802: vxlan19   Link encap:Ethernet  HWaddr 0E:B5:F4:54:36:6B
        Line 810: vxlan19.116 Link encap:Ethernet  HWaddr F2:A5:26:30:94:7B
        Line 818: vxlan29   Link encap:Ethernet  HWaddr 9A:6A:4D:3F:8E:7C
        Line 826: vxlan29.116 Link encap:Ethernet  HWaddr F2:A5:26:30:94:7B
        Line 834: vxlan33   Link encap:Ethernet  HWaddr 3E:0A:FE:A6:99:5A
        Line 842: vxlan33.116 Link encap:Ethernet  HWaddr F2:A5:26:30:94:7B
        Line 850: vxlan41   Link encap:Ethernet  HWaddr D2:B4:02:11:11:A8
        Line 858: vxlan41.109 Link encap:Ethernet  HWaddr F2:EE:67:B9:E3:EA
        Line 866: vxlan42   Link encap:Ethernet  HWaddr CE:D2:8B:BC:25:53
        Line 874: vxlan42.109 Link encap:Ethernet  HWaddr F2:EE:67:B9:E3:EA
        Line 882: vxlan43   Link encap:Ethernet  HWaddr 56:FB:A8:8B:85:54
        Line 890: vxlan43.109 Link encap:Ethernet  HWaddr F2:EE:67:B9:E3:EA

    on the secondary:

      new 3 (10 hits)
        Line 421: vxlan29   Link encap:Ethernet  HWaddr D6:24:0B:DB:71:B2
        Line 429: vxlan29.116 Link encap:Ethernet  HWaddr F2:A5:26:30:94:7B
        Line 437: vxlan38   Link encap:Ethernet  HWaddr 32:46:E5:B2:E5:C1
        Line 445: vxlan38.116 Link encap:Ethernet  HWaddr F2:A5:26:30:94:7B
        Line 453: vxlan41   Link encap:Ethernet  HWaddr 16:4E:F9:C1:13:2A
        Line 461: vxlan41.109 Link encap:Ethernet  HWaddr F2:39:FF:CE:62:08
        Line 469: vxlan42   Link encap:Ethernet  HWaddr 0A:10:CD:2F:8F:14
        Line 477: vxlan42.109 Link encap:Ethernet  HWaddr F2:39:FF:CE:62:08
        Line 485: vxlan43   Link encap:Ethernet  HWaddr C2:0A:03:DF:EC:2A
        Line 493: vxlan43.109 Link encap:Ethernet  HWaddr F2:39:FF:CE:62:08

    I wrote it somewhere above, that we use isolation only for small usage SSIDs. Our larger SSIDs with some dozen APs have bridge to VLAN settings.

  • So if you already have VLAN, why even mix this? I mean, there is no real use case of using separate zone anymore. It only complicates things in your network. 

    It will not remove this issue, but it is something to fix in the future, as you can easily deploy both VLANs to the switch and use bridge to VLAN instead. 

  • after reboot of the secondary node it's still not working. Devices not getting IP or it takes 5-10 minutes until it gets an IP and then it will not get any answer to DNS requests because the XG cannot ARP the WiFi client.

    I found that after reboot of the secondary node, this node now has 20 vxlan interfaces. Before the reboot it was only 10.

    Maybe the issue is "resolved" by restarting also the primary node. But I will not do that during working hours.

    secondary node after reboot now with 20 interfaces:

    vxlan19   Link encap:Ethernet  HWaddr FA:4A:B6:9A:DA:83
    vxlan19.116 Link encap:Ethernet  HWaddr F2:A5:26:30:94:7B
    vxlan20   Link encap:Ethernet  HWaddr 02:56:86:E6:B2:64
    vxlan20.116 Link encap:Ethernet  HWaddr F2:A5:26:30:94:7B
    vxlan27   Link encap:Ethernet  HWaddr 66:9B:49:5C:4F:4F
    vxlan27.116 Link encap:Ethernet  HWaddr F2:A5:26:30:94:7B
    vxlan29   Link encap:Ethernet  HWaddr A2:9F:CF:95:60:18
    vxlan29.116 Link encap:Ethernet  HWaddr F2:A5:26:30:94:7B
    vxlan31   Link encap:Ethernet  HWaddr 32:95:A2:7F:46:BE
    vxlan31.116 Link encap:Ethernet  HWaddr F2:A5:26:30:94:7B
    vxlan33   Link encap:Ethernet  HWaddr E2:3B:F6:EC:6A:06
    vxlan33.116 Link encap:Ethernet  HWaddr F2:A5:26:30:94:7B
    vxlan38   Link encap:Ethernet  HWaddr 82:71:8C:FA:15:CB
    vxlan38.116 Link encap:Ethernet  HWaddr F2:A5:26:30:94:7B
    vxlan41   Link encap:Ethernet  HWaddr 66:85:8D:F7:DE:A5
    vxlan41.109 Link encap:Ethernet  HWaddr F2:EE:67:B9:E3:EA
    vxlan42   Link encap:Ethernet  HWaddr 42:38:AE:BB:93:BD
    vxlan42.109 Link encap:Ethernet  HWaddr F2:EE:67:B9:E3:EA
    vxlan43   Link encap:Ethernet  HWaddr AE:A9:62:7A:B3:20
    vxlan43.109 Link encap:Ethernet  HWaddr F2:EE:67:B9:E3:EA

    Btw: the other SSIDs broadcasted by the same APs are working. Only those with Hotspot and or Isolation enabled are causing trouble.

  • I counted: we have 10 APs that are broadcasting a WiFi with setting "Client traffic ->Separate Zone".

    So I guess we need and want 20 vxlan Interfaces on each Cluster HA node.

    Wonder why they started to disappear. Just another XG weirdness.

  • Seems like the APX is still talking to the Aux instead of switching to the primary. That should be investigated by support, what is going on. Personally I moved most customers to Central wireless and VLAN for different matters.

  • I found a workaround for the issue without booting both HA appliances finally:

    remove it from the AP group, then add again. From CLI output below you can see that the missing 8 vxlan adapters were only added after this change. Same would have happened when rebooting the primary HA node.

    XG430_WP02_SFOS 18.0.5 MR-5-Build586# ifconfig | grep vxlan

    status before unassigning the SSID from the AP group:
    12 vxlan's

    vxlan19   Link encap:Ethernet  HWaddr 0E:B5:F4:54:36:6B
    vxlan19.116 Link encap:Ethernet  HWaddr F2:A5:26:30:94:7B
    vxlan29   Link encap:Ethernet  HWaddr 9A:6A:4D:3F:8E:7C
    vxlan29.116 Link encap:Ethernet  HWaddr F2:A5:26:30:94:7B
    vxlan33   Link encap:Ethernet  HWaddr 3E:0A:FE:A6:99:5A
    vxlan33.116 Link encap:Ethernet  HWaddr F2:A5:26:30:94:7B
    vxlan41   Link encap:Ethernet  HWaddr D2:B4:02:11:11:A8
    vxlan41.109 Link encap:Ethernet  HWaddr F2:EE:67:B9:E3:EA
    vxlan42   Link encap:Ethernet  HWaddr CE:D2:8B:BC:25:53
    vxlan42.109 Link encap:Ethernet  HWaddr F2:EE:67:B9:E3:EA
    vxlan43   Link encap:Ethernet  HWaddr 56:FB:A8:8B:85:54
    vxlan43.109 Link encap:Ethernet  HWaddr F2:EE:67:B9:E3:EA



    status after unassigning and reassigning the SSID to the AP group:
    20 vxlan's

    vxlan19   Link encap:Ethernet  HWaddr 5A:D6:26:B2:BC:9C
    vxlan19.116 Link encap:Ethernet  HWaddr F2:A5:26:30:94:7B
    vxlan20   Link encap:Ethernet  HWaddr DE:F9:EB:F6:D4:51
    vxlan20.116 Link encap:Ethernet  HWaddr F2:A5:26:30:94:7B
    vxlan27   Link encap:Ethernet  HWaddr 66:60:D8:1D:D1:35
    vxlan27.116 Link encap:Ethernet  HWaddr F2:A5:26:30:94:7B
    vxlan29   Link encap:Ethernet  HWaddr 6E:64:6F:92:8F:94
    vxlan29.116 Link encap:Ethernet  HWaddr F2:A5:26:30:94:7B
    vxlan31   Link encap:Ethernet  HWaddr AA:FD:60:52:79:99
    vxlan31.116 Link encap:Ethernet  HWaddr F2:A5:26:30:94:7B
    vxlan33   Link encap:Ethernet  HWaddr 56:48:90:FA:6A:36
    vxlan33.116 Link encap:Ethernet  HWaddr F2:A5:26:30:94:7B
    vxlan38   Link encap:Ethernet  HWaddr 9E:A5:10:1E:F5:88
    vxlan38.116 Link encap:Ethernet  HWaddr F2:A5:26:30:94:7B
    vxlan41   Link encap:Ethernet  HWaddr D2:B4:02:11:11:A8
    vxlan41.109 Link encap:Ethernet  HWaddr F2:EE:67:B9:E3:EA
    vxlan42   Link encap:Ethernet  HWaddr CE:D2:8B:BC:25:53
    vxlan42.109 Link encap:Ethernet  HWaddr F2:EE:67:B9:E3:EA
    vxlan43   Link encap:Ethernet  HWaddr 56:FB:A8:8B:85:54
    vxlan43.109 Link encap:Ethernet  HWaddr F2:EE:67:B9:E3:EA

  • Both SSIDs that were not working are working again now. Clients get DHCP and Hotspot will appear. Web surfing is working as well.
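
Added example, not part of the thread and not Sophos code: a small Python script that automates the comparison done by hand above, parsing saved `ifconfig | grep vxlan` output from two captures (two HA nodes, or before and after a change) and listing interfaces that are missing, extra, or whose sub-interface MAC differs. The function names and the sample captures are assumptions made for illustration; the MAC addresses in the samples are constructed.

```python
import re
from collections import Counter

# Matches lines of `ifconfig | grep vxlan` output in the format shown in the thread;
# any prefix such as "Line 802: " from an editor search is ignored.
IFACE_RE = re.compile(
    r"(vxlan\d+(?:\.\d+)?)\s+Link encap:\S+\s+HWaddr\s+"
    r"((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")

def parse_ifaces(text):
    """Return {interface name: MAC} for every vxlan line in the captured text."""
    return {m.group(1): m.group(2).upper() for m in IFACE_RE.finditer(text)}

def compare_nodes(reference, node):
    """Diff two parsed captures (two HA nodes, or before/after a change)."""
    ref, cur = set(reference), set(node)
    return {
        "missing": sorted(ref - cur),
        "extra": sorted(cur - ref),
        # Only vxlanN.V sub-interfaces are compared by MAC: in the thread's output
        # the base vxlanN MACs differ between nodes and across reboots.
        "mac_differs": sorted(n for n in ref & cur
                              if "." in n and reference[n] != node[n]),
    }

def subifs_per_vlan(ifaces):
    """Count vxlanN.V sub-interfaces per VLAN id V."""
    return Counter(n.split(".")[1] for n in ifaces if "." in n)

# Constructed sample captures (MACs are made up, not taken from the thread).
REFERENCE = """\
vxlan19   Link encap:Ethernet  HWaddr 02:00:00:00:00:19
vxlan19.116 Link encap:Ethernet  HWaddr 02:00:00:00:01:16
vxlan20   Link encap:Ethernet  HWaddr 02:00:00:00:00:20
vxlan20.116 Link encap:Ethernet  HWaddr 02:00:00:00:01:16
vxlan41   Link encap:Ethernet  HWaddr 02:00:00:00:00:41
vxlan41.109 Link encap:Ethernet  HWaddr 02:00:00:00:01:09
"""
NODE = """\
  Line 802: vxlan19   Link encap:Ethernet  HWaddr 02:00:00:00:aa:19
  Line 810: vxlan19.116 Link encap:Ethernet  HWaddr 02:00:00:00:01:16
  Line 818: vxlan41   Link encap:Ethernet  HWaddr 02:00:00:00:aa:41
  Line 826: vxlan41.109 Link encap:Ethernet  HWaddr 02:00:00:00:02:09
"""

if __name__ == "__main__":
    report = compare_nodes(parse_ifaces(REFERENCE), parse_ifaces(NODE))
    for key, names in report.items():
        print(f"{key}: {', '.join(names) or '-'}")
    print("sub-interfaces per VLAN on node:", dict(subifs_per_vlan(parse_ifaces(NODE))))
```

Run against captures saved from each node, the "missing" list shows at a glance which tunnels a node lacks relative to the reference capture.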