Happy almost Friday, SpiceHeads
We just put in a new UniFi AP-LR at one of our customers to replace SonicWall wireless (we plan on disabling the radio).
The AP powered up great, and we were able to provision it with the controller and everyone is happy and talking with one another. I can authenticate to the new SSID fine. I even get an IP from the DHCP server. But, I cannot access anything on the network or the internet. It’s as if AP isolation is enabled, but it really shouldn’t be.
I have done the following:
- Made sure the SSID isn’t in guest mode
- Forgotten and readopted the AP
- Forgotten the AP, reinstalled the controller, readopted the AP
- Pulled out hair, cussed a little
- Renamed SSID from “Joe” to “George”
@Ubiquiti_Inc
2 Spice ups
tim2649
(timthetortoise)
2
Are you using a VLAN separate from the one your controller resides on for your actual wireless clients? If so, did you make sure the SSID is tied to that VLAN, the port the AP connects to is tagged for it, and the ports leading back to your core are all tagged for it? Are you getting the correct DHCP address, or any address at all? Have you run any packet captures downstream to see if DHCP requests are making it past the AP?
1 Spice up
Everything is on the same LAN (no VLAN here). Same switch. I get a good DHCP on my laptop when I connect (in the correct range). The DHCP lease shows up on the SonicWall even.
tim2649
(timthetortoise)
4
What’s the result of traceroute -d w.x.y.z (your gateway)? If your network is that simple, it should work, pretty literally, without any intervention other than configuring the SSID, so that’s very odd that it’s not.
jim4232
(Jim4232)
5
Set it to a static IP and make sure the subnet, gateway, and DNS are correct. I have fat-fingered more than one.
OK, I did tracert to the gateway and got this:
1 192.168.132.71 reports: Destination host unreachable
It’s probably worth noting that when you connect with a Windows machine, Windows says it’s limited.
tim2649
(timthetortoise)
7
Apologies for the triple post, Spiceworks is going crazy right now.
Okay, please post the output of the following commands (with any sensitive domain info removed):
ipconfig /all
netstat -r -n
Also, what version of the Unifi software are you running? And are you using any authentication method (such as WEP) on the SSID? There was a bug I found a lot of versions back which would not let you do anything if you had a letter in the WEP key. Really, you should be on the newest beta if you’re not already - it’s rock solid.
jim4232
(Jim4232)
8
Just out of curiosity did you ever do a hard reset on it using the button on the unit?
1 Spice up
OK, here is the ipconfig
Windows IP Configuration
Host Name . . . . . . . . . . . . : PWZwin8LT
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : xxxx
Wireless LAN adapter Local Area Connection* 5:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
Physical Address. . . . . . . . . : 68-5D-43-8E-0D-10
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Local Area Connection* 2:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Hosted Network Virtual Adapter
Physical Address. . . . . . . . . : 6A-5D-43-8E-0D-0F
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . : [DOMAIN NAME]
Description . . . . . . . . . . . : Intel(R) Centrino(R) Wireless-N 2230
Physical Address. . . . . . . . . : 68-5D-43-8E-0D-0F
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::1170:cfb3:7bb2:5abd%21(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.132.71(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, October 2, 2014 11:14:32 AM
Lease Expires . . . . . . . . . . : Friday, October 3, 2014 11:14:32 AM
Default Gateway . . . . . . . . . : 192.168.132.1
DHCP Server . . . . . . . . . . . : 192.168.132.1
DHCPv6 IAID . . . . . . . . . . . : 409492803
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-46-FF-0C-68-5D-43-8E-0D-0F
DNS Servers . . . . . . . . . . . : 192.168.132.3
209.244.0.4
8.8.8.8
Primary WINS Server . . . . . . . : 192.168.132.3
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : 68-5D-43-8E-0D-13
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Ethernet:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : AC-16-2D-4D-54-27
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 25:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.domain.local:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : [DOMAIN NAME]
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #12
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Netstat
NETSTAT
===========================================================================
Interface List
23...68 5d 43 8e 0d 10 ......Microsoft Wi-Fi Direct Virtual Adapter
22...6a 5d 43 8e 0d 0f ......Microsoft Hosted Network Virtual Adapter
21...68 5d 43 8e 0d 0f ......Intel(R) Centrino(R) Wireless-N 2230
16...68 5d 43 8e 0d 13 ......Bluetooth Device (Personal Area Network)
3...ac 16 2d 4d 54 27 ......Realtek PCIe GBE Family Controller
1...........................Software Loopback Interface 1
5...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
66...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #12
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.132.1 192.168.132.71 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.132.0 255.255.255.0 On-link 192.168.132.71 281
192.168.132.71 255.255.255.255 On-link 192.168.132.71 281
192.168.132.255 255.255.255.255 On-link 192.168.132.71 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.132.71 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.132.71 281
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
21 281 fe80::/64 On-link
21 281 fe80::1170:cfb3:7bb2:5abd/128
On-link
1 306 ff00::/8 On-link
21 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
I also gave the AP a static address.
I did not hard reset with the button.
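An added example, not part of any poster's reply: one way to read the `tracert` and `netstat -r -n` output posted above. When the default gateway is on-link and the address reporting "Destination host unreachable" is the client's own, the client got no ARP reply for the gateway, so the fault is at layer 2 between client and gateway rather than in routing or DNS. The function names and result labels are hypothetical; the sample input is constructed from lines in this thread.

```python
import ipaddress
import re

# Constructed sample input: rows taken from the outputs posted in this thread.
ROUTES = """\
0.0.0.0 0.0.0.0 192.168.132.1 192.168.132.71 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
192.168.132.0 255.255.255.0 On-link 192.168.132.71 281
192.168.132.71 255.255.255.255 On-link 192.168.132.71 281
"""
TRACERT = "1 192.168.132.71 reports: Destination host unreachable"

def parse_routes(text):
    """Return (network, gateway, interface) for each IPv4 'Active Routes' row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header, separator or wrapped line
        dest, mask, gw, iface, _metric = parts
        try:
            rows.append((ipaddress.ip_network(f"{dest}/{mask}"), gw,
                         ipaddress.ip_address(iface)))
        except ValueError:
            continue
    return rows

def classify(routes_text, tracert_line):
    """Label where the first hop fails (labels are hypothetical)."""
    routes = parse_routes(routes_text)
    default = [r for r in routes if r[0].prefixlen == 0 and r[1] != "On-link"]
    if not default:
        return "no-default-route"
    _, gw_text, iface = default[0]
    gw = ipaddress.ip_address(gw_text)
    # The gateway must sit inside a subnet this interface reaches directly.
    on_link = any(g == "On-link" and i == iface and 0 < net.prefixlen < 32
                  and gw in net for net, g, i in routes)
    if not on_link:
        return "gateway-not-on-link"
    m = re.search(r"(\d+\.\d+\.\d+\.\d+) reports: Destination host unreachable",
                  tracert_line)
    if m and ipaddress.ip_address(m.group(1)) == iface:
        # The error was generated locally: ARP for the gateway went unanswered.
        return "layer2-arp-failure"
    return "layer3-or-beyond"

if __name__ == "__main__":
    print(classify(ROUTES, TRACERT))
```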
jim4232
(Jim4232)
11
Was just reading another post about not being able to connect if IPv6 was active on a Win8 machine. I would suggest turning off IPv6 on the machine and WINS on the DHCP server. That will at least cut down on the directions to look.
tim2649
(timthetortoise)
12
If you have the capability to do so, I’d highly suggest mirroring the port the AP is connecting to and sniffing the traffic going through while you’re running the ping. If DHCP requests are getting through, methinks it’s not completely the fault of the AP - but without knowing more about your topology it’s hard to guess where else the problem would be. I’m assuming you’re able to perform the same tests successfully while connected to the wired network. You say it’s the same LAN, but is it the same subnet? If not, make sure your firewall is actually allowing traffic from your wireless subnet to pass through.
Disabled IPv6 - no change 
Unifi controller is 3.2.1, WPA2 authentication on the SSID with AES only
Everything is on the same subnet. I’ll put a hub on the switchport and wireshark it to see what happens.
tim2649
(timthetortoise)
15
Last question before I’m out of ideas, you HAVE updated the firmware on the AP via the controller interface, right? If the AP is running old firmware with a newer controller version, that could cause some issues. I assume you did though, seems like you’ve tried most of the logical steps.
Yeah, did a firmware update on install.
jim4232
(Jim4232)
17
I would suggest the hard reset then re-adopt at this point.
Try the re-adopting from an ssh session.
Just curious but how far away from the WAP are you? I also recommend a factory reset.
1 Spice up
Sorry for the delay, getting dragged in 10 different directions. My boss actually had a spare AP-LR in his vehicle, so we installed that one, same symptom.
Here is the weird thing. My boss can now hook up his lappy to “George” no problem. But anyone else continues to get the same problem.
We’re about 20ft from the WAP.
jim4232
(Jim4232)
20
From here my guess would be an issue with the switch or the firewall. I don’t think the issue is with the AP if it happens with 2 of them.
One last thing, try hooking up both APs to different switches/hubs and see if it has the same issue. If you only have the one switch try different ports, after that move to the firewall.
1 Spice up