Review a Capture - Newbie Question
I would love your education and pointers on a situation. I noticed that all of the WAPs attached to one of my switches were not responding to a ping. Each WAP was configured to get its IP from DHCP. I have pfSense set up to give each of those WAPs a certain IP address based on the MAC. Everything works fine and then there is a time where the WAPs get like this. It then requires a power recycle of the WAPs and/or switch. When I hit this situation again, I turned on capture for 10.255.0.11 and then issued a ping. I got this in the capture:
07:55:31.548877 ARP, Request who-has 10.255.0.11 tell 10.255.0.1, length 28
07:55:32.565552 ARP, Request who-has 10.255.0.11 tell 10.255.0.1, length 28
07:55:33.567293 ARP, Request who-has 10.255.0.11 tell 10.255.0.1, length 28
That is it. After I did the brute force, power cycle of the switch and all WAPs (probably didn't need to do both) BUT nothing to the pfSense box or software, I did a ping and got this:
13:23:09.682124 IP 10.255.0.11.49718 > 18.104.22.168.1900: UDP, length 333
13:23:09.791562 IP 10.255.0.11.49718 > 22.214.171.124.1900: UDP, length 333
13:23:09.901625 IP 10.255.0.11.49718 > 126.96.36.199.1900: UDP, length 342
13:23:10.011565 IP 10.255.0.11.49718 > 188.8.131.52.1900: UDP, length 342
13:23:10.121631 IP 10.255.0.11.49718 > 184.108.40.206.1900: UDP, length 397
13:23:10.231572 IP 10.255.0.11.49718 > 220.127.116.11.1900: UDP, length 397
13:23:10.341885 IP 10.255.0.11.47110 > 18.104.22.168.1900: UDP, length 407
13:23:10.451572 IP 10.255.0.11.47110 > 22.214.171.124.1900: UDP, length 407
13:23:13.329904 IP 10.255.0.1 > 10.255.0.11: ICMP echo request, id 3210, seq 0, length 64
13:23:13.330132 IP 10.255.0.11 > 10.255.0.1: ICMP echo reply, id 3210, seq 0, length 64
13:23:14.331051 IP 10.255.0.1 > 10.255.0.11: ICMP echo request, id 3210, seq 1, length 64
13:23:14.331306 IP 10.255.0.11 > 10.255.0.1: ICMP echo reply, id 3210, seq 1, length 64
13:23:15.348359 IP 10.255.0.1 > 10.255.0.11: ICMP echo request, id 3210, seq 2, length 64
13:23:15.348620 IP 10.255.0.11 > 10.255.0.1: ICMP echo reply, id 3210, seq 2, length 64
Please educate me on what this implies and what you'd try the next time I hit this.
Thanks so much!
It's telling you that you're not getting ARP. You are asking, hey, what's the guy that has IP address 10.255.0.11, tell me your MAC address so I can talk to you. If you never get an answer to your ARP, then no, you're never going to be able to ping.
On the second section there are your pings and answers - are you asking what the 239 stuff is? That is multicast, and to port 1900 would suggest SSDP.
This is used to find UPnP devices - your machine 0.11 is looking for UPnP devices. That traffic has nothing to do with your failure to ARP in the first section.
It's quite possible that your lease expired on your DHCP. Check your DHCP server: is the lease still active? A DHCP client will try to renew its IP around the 50% mark in the lease time - if it does not renew, it will continue to try more and more often. When the time expires and it could not renew, then it will not have an IP and will not answer ARPs for its old IP, etc. So check if that is the problem - or did connectivity just go bad on the WAP NIC? Does this happen to all your APs or just 1 of them?
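The reading of the two captures given in this reply can be automated. The following is an added example, not part of the original thread: it parses `tcpdump -n` text output and reports, for every IP that was ARPed for, whether it answered, only transmitted, or stayed silent. The function name `arp_health` and the MAC address in the second sample are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Patterns for tcpdump -n text output, matching the line format in the thread.
ARP_REQ = re.compile(r"^\S+ ARP, Request who-has (\d+\.\d+\.\d+\.\d+)(?: \(\S+\))? tell ")
ARP_REP = re.compile(r"^\S+ ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ")
IP_SRC = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > ")  # optional source port

def arp_health(lines):
    """Classify each IP that was ARPed for: answering, sending-only or silent."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0, "ip_packets": 0})
    for raw in lines:
        line = raw.strip()
        for pattern, key in ((ARP_REQ, "requests"), (ARP_REP, "replies"),
                             (IP_SRC, "ip_packets")):
            m = pattern.match(line)
            if m:
                stats[m.group(1)][key] += 1
                break
    report = {}
    for ip, s in stats.items():
        if s["requests"] == 0:
            continue  # nobody asked for this address, nothing to judge
        if s["replies"]:
            verdict = "answering"
        elif s["ip_packets"]:
            verdict = "sending-only"  # host transmits, but no ARP reply was captured
        else:
            verdict = "silent"        # no ARP reply and no traffic from the host
        report[ip] = dict(s, verdict=verdict)
    return report

# ARP lines copied from the first capture in the thread (the failing state).
FAILING = """\
07:55:31.548877 ARP, Request who-has 10.255.0.11 tell 10.255.0.1, length 28
07:55:32.565552 ARP, Request who-has 10.255.0.11 tell 10.255.0.1, length 28
07:55:33.567293 ARP, Request who-has 10.255.0.11 tell 10.255.0.1, length 28
"""

# Constructed sample: an ARP exchange (placeholder MAC) followed by one ping
# and its reply taken from the second capture in the thread.
HEALTHY = """\
13:23:13.329101 ARP, Request who-has 10.255.0.11 tell 10.255.0.1, length 28
13:23:13.329640 ARP, Reply 10.255.0.11 is-at 02:00:00:00:00:11, length 46
13:23:13.329904 IP 10.255.0.1 > 10.255.0.11: ICMP echo request, id 3210, seq 0, length 64
13:23:13.330132 IP 10.255.0.11 > 10.255.0.1: ICMP echo reply, id 3210, seq 0, length 64
"""

if __name__ == "__main__":
    for name, capture in (("failing", FAILING), ("healthy", HEALTHY)):
        print(name, arp_health(capture.splitlines()))
```

A "silent" verdict matches the first capture: the host is neither answering ARP nor sending anything, which points at the device or its link rather than at the firewall.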
Dotdash, thanks so much for your explanation for this newbie. My private WAPs (separate switch but same make of WAP and switch) don't hit this. All WAPs tend to hit this on a regular basis (weekly but not under any load or repeatable pattern). All the WAPs spin for users that are trying to connect; if I try to ping any one of them, it never gets an ARP. All are configured as AP and to get IP from server (DHCP). A reboot (or power cycle) of pfSense doesn't resolve it. I have to power down all WAPs. I do have a static IP for each WAP MAC defined. Can I tell it to never expire?
Thanks for pointers on next steps I can take.
BTW, to date, I've replaced the cabling, the switch and now the actual server box with new cards. Having Captive Portal on causes it to happen more often but it still happens when I disable it.
The default lease time is 7200 seconds (2 hours). You can increase that on the DHCP server GUI page. But it sounds like the WAPs are going a lot longer than 2 hours at a time already. That means their firmware must be capable of renewing their lease.
It sounds like the WAPs are "going to sleep" on their ethernet port (since you say power-cycling the switch can help wake them up). Maybe unplugging and plugging the cable to a WAP will also wake it up?
If so, then there is some hardware/firmware issue with the WAPs - I would be looking for a new version of firmware that stays awake!
Is there a way to get pfSense to "keep it awake" :-) Like a msg, of some sort, within its default sleep period? Thanks so much for all the info, very educational for me.
You could try a real misuse of the gateway function in pfSense. System->Routing, Gateways tab. Add a gateway for each WAP. pfSense will ping it and keep a status of whether it is up or down.
That will let you know on the dashboard if a WAP stops responding. And who knows, the ping every second might keep its interface awake.