9 Replies Latest reply on Apr 29, 2010 6:25 PM by JGurnett

    SG580 Slows to a stop with Guest VLAN

      We lately installed a Wireless Access Point for customer use in our office. I enabled Port-based VLANs on our device and configured port A2 in the guest firewall class. The SG580 acts as the DHCP server on the network, while the Access point just allows wireless access. The WAP is directly connected to port A2, no switches in between. What we've noticed is that when the WAP is connected our internet traffic slows down and then eventually stops. Disconnecting the WAP instantly resolves this problem. Visual observation of the activity lights doesn't seem to indicate that the wireless is flooding the connection. During the last issue, I managed to take some packet captures and it looks like packets sent to the firewall aren't arriving, as they show up leaving my laptop in Wireshark, but a tcpdump on the LAN connection doesn't show the corresponding packet arriving. The only thing between my laptop and the LAN connection is a Cisco switch.

       

      At first, I thought it was due to the WAP, but I've been able to recreate the problem using both a DLink and Cisco device. While it could be a switching issue, I'm not entirely convinced of that as it only occurs when the WAP is plugged in. The Port-Based VLAN should stop the Guest Port from affecting traffic through the LAN.

       

      Has anyone seen this issue before or know how to resolve it? I'm currently getting a grant number to raise a case with McAfee but thought I should ask here as well.

        • 1. Re: SG580 Slows to a stop with Guest VLAN

          Sounds like an Ethernet issue.

          If you navigate to system -> diagnostics -> system tab you will find a section titled "Interface Configuration".

          Does this show any errors?

          Post the details here if you want me to check them.

          • 2. Re: SG580 Slows to a stop with Guest VLAN

            Thanks, here's what's on the page. I'm not seeing any errors there besides some routes not being accessible because the other party's end of an IPSec tunnel is down. The VPN VLAN was an experiment to see if the problem was with the other two ports in the switch being undefined. There's nothing connected to it at the moment.

             

             

            Internet

            Gateway: 203.49.144.113

            DNS: 203.49.144.113

            Connections
            Name      Port     Details                             IP Address       Speed   State
            LAN       A1       LAN, Static, 192.168.24.1           192.168.24.1     N/A     up
            Port A2   A2       Guest, Static, 192.168.23.1         192.168.23.1     N/A     up
            VPN       A3, A4   LAN, Static, 192.168.30.1           192.168.30.1     N/A     up
            Port B    B        Internet, Static, 203.49.144.115    203.49.144.115   N/A     up
            High Availability

            High Availability: Disabled

            Interface Configuration
            eth0      Link encap:Ethernet  HWaddr 00:D0:CF:04:A9:52  
                      inet6 addr: fe80::2d0:cfff:fe04:a952/64 Scope:Link
                      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                      RX packets:5563346 errors:0 dropped:0 overruns:0 frame:0
                      TX packets:6187396 errors:0 dropped:0 overruns:0 carrier:0
                      collisions:0 txqueuelen:256 
                      
            eth0.2    Link encap:Ethernet  HWaddr 00:D0:CF:04:A9:52  
                      inet addr:192.168.24.1  Bcast:192.168.24.255  Mask:255.255.255.0
                      inet6 addr: fe80::2d0:cfff:fe04:a952/64 Scope:Link
                      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                      RX packets:5486025 errors:0 dropped:0 overruns:0 frame:0
                      TX packets:6125045 errors:0 dropped:0 overruns:0 carrier:0
                      collisions:0 txqueuelen:0 
                      
            eth0.3    Link encap:Ethernet  HWaddr 00:D0:CF:F2:6D:BB  
                      inet addr:192.168.23.1  Bcast:192.168.23.255  Mask:255.255.255.0
                      inet6 addr: fe80::2d0:cfff:fef2:6dbb/64 Scope:Link
                      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                      RX packets:77322 errors:0 dropped:0 overruns:0 frame:0
                      TX packets:62352 errors:0 dropped:0 overruns:0 carrier:0
                      collisions:0 txqueuelen:0 
                      
            eth0.15   Link encap:Ethernet  HWaddr 00:D0:CF:F2:6D:BC  
                      inet addr:192.168.30.1  Bcast:192.168.30.255  Mask:255.255.255.0
                      inet6 addr: fe80::2d0:cfff:fef2:6dbc/64 Scope:Link
                      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
                      TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
                      collisions:0 txqueuelen:0 
                      
            eth1      Link encap:Ethernet  HWaddr 00:D0:CF:04:A9:53  
                      inet addr:203.49.144.115  Bcast:203.49.144.119  Mask:255.255.255.248
                      inet6 addr: fe80::2d0:cfff:fe04:a953/64 Scope:Link
                      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                      RX packets:3431958 errors:0 dropped:0 overruns:0 frame:0
                      TX packets:2575248 errors:0 dropped:0 overruns:0 carrier:0
                      collisions:0 txqueuelen:256 
                      
            eth1:0    Link encap:Ethernet  HWaddr 00:D0:CF:04:A9:53  
                      inet addr:203.49.144.116  Bcast:203.49.144.119  Mask:255.255.255.248
                      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            
            eth1:1    Link encap:Ethernet  HWaddr 00:D0:CF:04:A9:53  
                      inet addr:203.49.144.117  Bcast:203.49.144.119  Mask:255.255.255.248
                      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            
            eth1:2    Link encap:Ethernet  HWaddr 00:D0:CF:04:A9:53  
                      inet addr:203.49.144.118  Bcast:203.49.144.119  Mask:255.255.255.248
                      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            
            ipsec0    Link encap:Ethernet  HWaddr 00:D0:CF:04:A9:53  
                      inet addr:203.49.144.115  Mask:255.255.255.255
                      inet6 addr: fe80::2d0:cfff:fe04:a953/64 Scope:Link
                      UP RUNNING NOARP  MTU:16260  Metric:1
                      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
                      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
                      collisions:0 txqueuelen:10 
                      
            lo        Link encap:Local Loopback  
                      inet addr:127.0.0.1  Mask:255.0.0.0
                      inet6 addr: ::1/128 Scope:Host
                      UP LOOPBACK RUNNING  MTU:16436  Metric:1
                      RX packets:265 errors:0 dropped:0 overruns:0 frame:0
                      TX packets:265 errors:0 dropped:0 overruns:0 carrier:0
                      collisions:0 txqueuelen:0 
                      
            
            Ethernet Speed
            A1: using the specified MII index 0.
            eth0: negotiated 100baseTx-FD, link ok
            
            A2: using the specified MII index 1.
            eth0: no link
            
            A3: using the specified MII index 2.
            eth0: no link
            
            A4: using the specified MII index 3.
            eth0: no link
            
            B: eth1: negotiated 100baseTx-FD, link ok
            
            • 3. Re: SG580 Slows to a stop with Guest VLAN

              No errors.

              I assume this was taken at a time when the issue was occurring or had occurred and no reboot had then taken place?

              • 4. Re: SG580 Slows to a stop with Guest VLAN

                This was taken shortly after the issue occurred this morning and was resolved by unplugging the WAP. We had another incident with the same symptoms yesterday that left the unit requiring a reboot, as the Squid SMBMount wasn't working and users connected to the PPTP VPN had no connectivity. I also managed to collect a Technical Support Report at that time.

                • 5. Re: SG580 Slows to a stop with Guest VLAN

                  The further symptoms you describe again indicate an Ethernet issue.

                  How many Ethernet cables are plugged into the wireless bridge in total (wireless access point)?

                  It sounds like there is a network loop, which is affecting the ability to get ARP resolutions, hence the Squid issue.

                  • 6. Re: SG580 Slows to a stop with Guest VLAN

                    The TSR will have a section headed

                    /proc/net/arp

                    Can you post that section and tell me the relevance of the IP addresses listed in this section?

                    • 7. Re: SG580 Slows to a stop with Guest VLAN

                      The network loop issue is what I've been thinking as well, but I'm at a bit of a loss to explain it. Our switches are configured with RSTP, though I haven't been able to add the SG580 into that mix. There is a single cable running into the WAP, which plugs directly into port A2 on the SG580. Most

                       

                      Here's the /proc/net/arp section:

                       

                      /proc/net/arp Information
                      FILE:/proc/net/arp
                      IP address       HW type     Flags       HW address            Mask     Device
                      192.168.23.165   0x1         0x2         00:1a:92:9b:0d:5e     *        eth0.3
                      192.168.24.85    0x1         0x2         00:11:25:9c:0f:da     *        eth0.2
                      192.168.24.231   0x1         0x2         00:11:25:9c:56:02     *        eth0.2
                      192.168.24.118   0x1         0x2         00:0c:29:27:a1:3c     *        eth0.2
                      192.168.24.35    0x1         0x2         00:1f:d0:24:5d:c1     *        eth0.2
                      192.168.24.157   0x1         0x2         00:16:76:c7:d8:df     *        eth0.2
                      192.168.24.133   0x1         0x2         00:22:68:12:7d:eb     *        eth0.2
                      192.168.24.132   0x1         0x2         00:11:11:0a:2c:34     *        eth0.2
                      192.168.23.163   0x1         0x2         00:1b:fc:d2:c1:7e     *        eth0.3
                      192.168.24.36    0x1         0x2         00:1c:c0:e2:3b:a5     *        eth0.2
                      192.168.24.184   0x1         0x2         00:03:47:32:3d:37     *        eth0.2
                      192.168.24.30    0x1         0x2         00:03:22:01:3b:cb     *        eth0.2
                      192.168.24.82    0x1         0x2         00:11:25:9c:20:a1     *        eth0.2
                      192.168.24.60    0x1         0x2         aa:aa:bb:bb:cc:cc     *        eth0.2
                      192.168.24.57    0x1         0x2         00:1c:c0:e2:3b:a8     *        eth0.2
                      192.168.24.161   0x1         0x2         00:11:11:25:1a:aa     *        eth0.2
                      192.168.24.178   0x1         0x2         00:0c:29:2d:b0:b5     *        eth0.2
                      192.168.24.108   0x1         0x2         00:1f:d0:24:fa:ec     *        eth0.2
                      192.168.24.146   0x1         0x2         00:1f:d0:24:5d:b4     *        eth0.2
                      192.168.24.45    0x1         0x2         00:07:e9:23:6d:fc     *        eth0.2
                      192.168.24.232   0x1         0x2         00:11:25:9c:56:03     *        eth0.2
                      192.168.24.38    0x1         0x2         00:1c:c0:e2:3c:32     *        eth0.2
                      203.49.144.114   0x1         0x2         00:07:e9:23:6d:12     *        eth1
                      192.168.24.59    0x1         0x2         00:1b:38:fa:c7:c0     *        eth0.2
                      192.168.24.200   0x1         0x2         00:16:76:d1:65:8e     *        eth0.2
                      203.49.144.113   0x1         0x2         00:04:ed:1e:3f:6e     *        eth1
                      192.168.24.150   0x1         0x2         00:03:47:be:fa:39     *        eth0.2
                      192.168.24.79    0x1         0x2         00:11:25:9c:56:02     *        eth0.2
                      192.168.24.10    0x1         0x0         00:00:00:00:00:00     *        eth0.2
                      192.168.24.68    0x1         0x2         00:13:20:50:65:39     *        eth0.2
                      192.168.24.63    0x1         0x2         00:04:23:bb:ee:fa     *        eth0.2
                      192.168.24.84    0x1         0x2         00:11:25:9c:54:fb     *        eth0.2
                      192.168.24.140   0x1         0x2         00:1c:23:1e:56:6c     *        eth0.2
                      192.168.24.37    0x1         0x2         00:22:68:12:81:a4     *        eth0.2
                      192.168.24.71    0x1         0x2         00:11:25:9c:20:a0     *        eth0.2
                      192.168.24.61    0x1         0x2         00:1f:d0:22:4e:88     *        eth0.2
                      192.168.24.124   0x1         0x2         00:04:23:af:03:1a     *        eth0.2
                      192.168.24.113   0x1         0x2         00:0e:0c:4e:37:b4     *        eth0.2
                      192.168.24.141   0x1         0x2         00:1b:21:56:18:41     *        eth0.2
                      192.168.24.39    0x1         0x2         00:04:0d:6e:6a:17     *        eth0.2
                      192.168.24.155   0x1         0x2         00:0e:0c:4f:0e:ee     *        eth0.2
                      192.168.24.147   0x1         0x2         00:1c:c0:e2:3c:1a     *        eth0.2
                      192.168.24.189   0x1         0x2         00:19:d1:5e:e3:2c     *        eth0.2
                      192.168.24.72    0x1         0x2         00:11:25:9c:54:fa     *        eth0.2
                      192.168.24.74    0x1         0x2         00:11:25:9c:57:87     *        eth0.2
                      192.168.24.114   0x1         0x2         00:11:11:0a:2c:32     *        eth0.2
                      192.168.24.70    0x1         0x2         00:04:23:b8:a2:42     *        eth0.2
                      192.168.24.254   0x1         0x2         00:1d:a2:b6:53:bd     *        eth0.2
                      192.168.24.117   0x1         0x2         00:0e:0c:4f:0d:7b     *        eth0.2
                      192.168.24.87    0x1         0x2         00:11:25:9c:57:86     *        eth0.2
                      192.168.24.81    0x1         0x2         00:11:25:9c:20:a0     *        eth0.2
                      192.168.24.96    0x1         0x2         00:0e:0c:30:9c:72     *        eth0.2
                      192.168.23.164   0x1         0x2         00:21:5c:7d:ab:7d     *        eth0.3
                      192.168.24.156   0x1         0x2         00:11:11:0a:2c:38     *        eth0.2
                      192.168.24.148   0x1         0x2         00:13:20:50:66:09     *        eth0.2
                      192.168.24.191   0x1         0x2         00:16:76:c2:4f:97     *        eth0.2
                      192.168.24.115   0x1         0x2         00:1c:c0:e2:3d:4a     *        eth0.2
                      192.168.23.139   0x1         0x2         00:1e:65:c5:d4:16     *        eth0.3
                      192.168.24.109   0x1         0x2         00:22:68:12:7e:b7     *        eth0.2
                      192.168.24.88    0x1         0x2         00:11:25:9c:57:87     *        eth0.2

                       

                      192.168.24.0/24 is our LAN, there are a few small segments inside this:

                       

                      192.168.24.10-192.168.24.19 is for PPTP VPN Clients

                      192.168.24.20-192.168.24.30 is for L2TP VPN Clients

                      192.168.24.70-192.168.24.80 are statically assigned to our Blade Servers (Dual Broadcom NICs, teamed)

                      192.168.24.80-192.168.24.88 are statically assigned to the individual NICs for the Broadcom teaming LiveLink (Each NIC polls the router to determine which NIC in the team is connected to the network)

                      192.168.24.90-192.168.24.99 are statically assigned to internal servers (90,91,92,95 & 96 are the same server)

                      192.168.24.211-192.168.24.254 are statically assigned to some devices that don't work well with DHCP (Security system, Routers to customer sites, etc)

                       

                      192.168.23.0/24 is the wireless network

                      The SG580 assigns DHCP addresses in the 192.168.23.100 - 192.168.23.200 range.

                       

                      203.49.144.113 is our ADSL Modem/Router, which doesn't NAT

                      203.49.144.114 is the router into our managed service, an ISA 2000 server
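
Added example, not part of the original thread: a Python check over `/proc/net/arp` output like the section posted above. It flags entries lacking the complete flag (0x2), MACs answering for several IPs (expected for teamed NICs), and MACs learned on more than one VLAN device. The sample rows are constructed (some copied from the posted table, the 192.168.24.99 row invented to show the cross-VLAN case) and the function names are hypothetical.

```python
from collections import defaultdict

ATF_COM = 0x02  # Linux ARP flag: entry is complete (MAC address resolved)

# Constructed sample in /proc/net/arp layout. The first four rows appear in
# the posted table; the last row is invented to show a MAC on two VLANs.
SAMPLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.23.165   0x1         0x2         00:1a:92:9b:0d:5e     *        eth0.3
192.168.24.231   0x1         0x2         00:11:25:9c:56:02     *        eth0.2
192.168.24.79    0x1         0x2         00:11:25:9c:56:02     *        eth0.2
192.168.24.10    0x1         0x0         00:00:00:00:00:00     *        eth0.2
192.168.24.99    0x1         0x2         00:1a:92:9b:0d:5e     *        eth0.2
"""


def parse_arp(text):
    """Yield (ip, flags, mac, device) per data row; header lines are skipped."""
    for line in text.splitlines():
        cols = line.split()
        # Data rows have exactly six columns and a hex flags field.
        if len(cols) != 6 or not cols[2].startswith("0x"):
            continue
        ip, _hw_type, flags, mac, _mask, dev = cols
        yield ip, int(flags, 16), mac.lower(), dev


def audit_arp(text):
    """Return incomplete entries, MACs with several IPs, MACs on several devices."""
    incomplete = []
    ips_by_mac = defaultdict(set)
    devs_by_mac = defaultdict(set)
    for ip, flags, mac, dev in parse_arp(text):
        if not flags & ATF_COM:
            incomplete.append(ip)  # no MAC learned for this IP
            continue
        ips_by_mac[mac].add(ip)
        devs_by_mac[mac].add(dev)
    return {
        "incomplete": incomplete,
        "shared_mac": {m: sorted(i) for m, i in ips_by_mac.items() if len(i) > 1},
        "cross_device": {m: sorted(d) for m, d in devs_by_mac.items() if len(d) > 1},
    }


if __name__ == "__main__":
    for name, findings in audit_arp(SAMPLE).items():
        print(name, findings)
```

A MAC under `cross_device` that spans `eth0.2` and `eth0.3` would mean the same host is being learned on both the LAN and Guest VLANs, which port-based VLAN separation should prevent.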

                      • 8. Re: SG580 Slows to a stop with Guest VLAN

                        No unresolved entries there.

                        If you remove the RSTP controlled network, and simply have the UTM device and the wireless bridge and a single laptop connected, do you get the issue?

                        • 9. Re: SG580 Slows to a stop with Guest VLAN

                          Hmmm, that's a good idea. I'll have to do it sometime outside hours as it will take the company offline. I'll let you know how it goes.