Monday, October 21, 2019

Meraki Secure Wifi Clients "Filtered" by 10.128.128.128

Hi,

I've just deployed a network infrastructure whose access layer and wifi are running on Meraki devices. I'm seeing a really weird effect that doesn't make networking sense to me. On my secure wireless SSID, most clients are able to function normally, both traversing VLANs to access local resources (such as office printers) and accessing the Internet. About 10% of them, however, are not able to ping the wireless gateway or access any local resources; yet they're able to route out to the Internet.

This is the message I see when the problem occurs. I think this IP is a dynamic Meraki internal device. (10.X.X.X here is a local VLAN gateway IP.)

Pinging 10.X.X.X with 32 bytes of data:
Reply from 10.128.128.128: Destination net unreachable.
Reply from 10.128.128.128: Destination net unreachable.

I'm told by our managed services provider that there are no firewall rules or traffic-shaping policies that would produce this effect. I do think there are some QA problems with the deployment; for example, DNS resolver IPs handed out by our firewalls for the SSID VLANs might differ from the configs on the WAPs themselves. (Investigating that.)

NB: This is not a guest SSID I'm talking about. If experienced across the board by all clients, then what I described would be expected behavior on an insecure wireless network.

Does anyone have any leads I can explore? This is maddening. Thanks!


