Got a curious one here I can't seem to resolve.
We have lots of wireless laptops connecting using Dlink APs and WPA/TKIP/PEAP to authenticate using a Radius server.
This works fine, the laptop authenticates as the machine name, then the user authenticates and has a normal login and network environment.
However, I've noticed that I can't ping/manage/VNC/etc any of these laptops - UNTIL that laptop makes a connection to my PC (or whatever one I'm using), then I can ping/VNC/etc OK until a reboot/logout.
This is a bit frustrating and I've tried everything I can think of! Disabling the firewall makes no difference (XP SP2)
It's a bit bizarre that PC A cannot ping Laptop A until Laptop A has pinged PC A - then they will communicate fully!
For a quick test I reset the AP/laptop back to simple WEP and everything worked, so it must be tied into the Radius/WPA security?
Do the DLink APs have any firewall features enabled?
Nope, they're pretty basic (DWL-7000AP) models that only have security options on for authentication (WEP/WPA etc)
Hi There,
Have you checked the filters section (In advanced tab) of the appropriate radio i.e. G. Then go into the filters tab and check the WLAN Partition and make sure the settings are correct.
Make sure you are editing/viewing the correct band's settings in the partition i.e. IEEE 802.11g
we have the following settings as:
Internal Station Connection Enabled
Ethernet to WLAN Access Enabled
HTH,
Ash.
Cheers for the info guys but I'm still stuck!
The APs are set up OK - pretty much as ashok has described. We don't have MAC filtering enabled - there's not enough room in the tables!
What seems bizarre is that the laptop has to establish the connection (on a one to one basis) before two way communication works.
It seems to be at a lower level, ARP requests not being answered etc?
For example, if laptop pings PC then PC can ping laptop - if I then clear the ARP cache on the PC (arp -d) then the PC can no longer ping the laptop (until the laptop pings the PC again)!!
Edit: forgot to mention - tried on a different laptop connecting to a Zyxel AP and get the same problem.
Last edited by GoldenWonder; 18th March 2008 at 12:22 PM.
Just done another little test.
Running a packet sniffer shows that the laptop is receiving the ping requests from the RADIUS server, and sending the Echo (ping) reply back to the RADIUS server, even though the ping originated from my admin PC. This may be correct - I'm not sure how this works right down at the packet level!
Is there a way I have to route these packets in the same way as I had to route DHCP requests using RRAS on the RADIUS server?
Another test - manually added the laptop NIC's MAC address into the PC's ARP table using arp -s, and I then get full connectivity!
Now, I am really confused.
Last edited by GoldenWonder; 18th March 2008 at 04:59 PM.
Me too - although it working when you manually add the arp entry to your admin box makes sense..I am really confused.
..and that strongly implies everything is on the same subnet. So I don't get the RRAS DHCP routing part. Why do you need that?

Sounds like the AP or one of the switches is killing off broadcast packets (ARP) going outbound onto the wireless network. I think that the AP software may be blocking this by default. Are the APs running the latest firmware and is there an option to block broadcasts or cache MAC addresses?
Here's some extra info on ARP.

It does sound like an AP behaviour I have to agree. If you open up a command prompt and type:
Code:
tracert workstationname
or
Code:
tracert workstationIP
Is it successful or not?
Sorry for the delay in replying - busy week!
In answer to suggestions:
- tracert fails with 'timed out' error
- rras dhcp is used because the radius server needs to pass the laptops' dhcp requests to our dhcp server (separate from the radius server)
- the APs don't seem to have anything to block arp requests etc (I've tested both types, DLink DWL7000 and Zyxel G1000)
Bizarre!
I have a dwl (something, forget the exact model) and have issues with remote management not working, no pings and various other issues. Mostly it seems to forget its routes and ignore the default gateway. Just have the one as it's a pile of junk imo :P
Goes missing for hours at a time, wireless clients work fine still. It's just a very temporary box at least
Must be the APs - I dug out an old Dlink DWL2000AP and set this up and I could fully manage/ping the laptop connected to it without any problems!
Funny how both the DWL7000 and the Zyxels (which are a lot newer) cause the same problem, but the DWL2000 (which is as old as the DWL7000) seems to work OK, even though they are a 'basic' model!
We have a DWL7000 kicking around that we can't use because, when you change the settings and save them, they go right back to defaults!
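The ARP hypothesis raised in this thread (broadcast ARP requests from the wired side never reaching the wireless client, while laptop-initiated traffic works) can be checked by comparing a capture taken at the admin PC with one taken at the laptop. This is an added example, not part of the original thread; the frames, MAC and IP addresses are constructed, and the function names are hypothetical.

```python
import socket
import struct

BROADCAST = b"\xff" * 6

def arp_frame(op, src_mac, src_ip, dst_mac, dst_ip):
    """Build an Ethernet II + ARP frame (op 1 = request, 2 = reply)."""
    eth_dst = BROADCAST if op == 1 else dst_mac       # requests are broadcast
    target_mac = b"\x00" * 6 if op == 1 else dst_mac  # unknown in a request
    header = eth_dst + src_mac + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return (header + arp + src_mac + socket.inet_aton(src_ip)
            + target_mac + socket.inet_aton(dst_ip))

def parse_arp(frame):
    """Return (op, sender_ip, target_ip, is_broadcast), or None if not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender, target = socket.inet_ntoa(frame[28:32]), socket.inet_ntoa(frame[38:42])
    return op, sender, target, frame[0:6] == BROADCAST

def broadcast_requests(capture):
    """Set of (sender_ip, target_ip) for broadcast ARP requests in a capture."""
    found = set()
    for frame in capture:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == 1 and parsed[3]:
            found.add(parsed[1:3])
    return found

def dropped_requests(wired, wireless):
    """Requests seen on the wired side that never appeared on the wireless side."""
    return sorted(broadcast_requests(wired) - broadcast_requests(wireless))

# Constructed sample data: addresses and MACs are made up for illustration.
PC_MAC, PC_IP = bytes.fromhex("020000000010"), "192.168.0.10"
LAP_MAC, LAP_IP = bytes.fromhex("020000000050"), "192.168.0.50"
pc_asks = arp_frame(1, PC_MAC, PC_IP, None, LAP_IP)
lap_asks = arp_frame(1, LAP_MAC, LAP_IP, None, PC_IP)
pc_replies = arp_frame(2, PC_MAC, PC_IP, LAP_MAC, LAP_IP)

wired_capture = [pc_asks, lap_asks, pc_replies]   # sniffed at the admin PC
wireless_capture = [lap_asks, pc_replies]         # sniffed at the laptop

if __name__ == "__main__":
    for sender, target in dropped_requests(wired_capture, wireless_capture):
        print(f"who-has {target} from {sender}: sent on wire, never seen on WLAN")
```

A non-empty result for requests originating on the wired side, alongside laptop-originated requests that appear in both captures, matches the one-way behaviour described in the thread.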