
Sophos APX causes network loop

Hello everyone, 

Unfortunately I have to open a thread. See the old one: Sophos APX causes network loop
It has worked fine for a few months, but the problem shows up again.

One of the APXs is inactive
and no PC or notebook gets an IP address from the DHCP server.

The solution is to disconnect the access points from the network. After that it works fine again.
I deleted the entire WLAN configuration, reset the Access Points and reconfigured it, but nothing helped.

Does anyone have an idea?
If not, I will open a ticket.

Thanks a lot :)
 


  • Are you controlling the APX from the XGS? When you say "the DHCP server" do you mean on the XGS or are you running a DHCP server on the APX? When you say "one APX is inactive" and "no PC or notebook ..." do you mean that all WiFi devices have problems even though one APX is still apparently working?

    You're not running the two APXs on the same channels are you? (Or allowing them to run on automatically-chosen channels?) If they have the same SSID, they must be on different channels so as not to interfere with each other.

  • Are you controlling the APX from the XGS? When you say "the DHCP server" do you mean on the XGS or are you running a DHCP server on the APX?

    - Yes, it is controlled via XGS. We have a DHCP server running on the XGS for the clients. The APXs are also using it and getting an IP from it.

    When you say "one APX is inactive" and "no PC or notebook ..." do you mean that all WiFi devices have problems even though one APX is still apparently working?

    - All devices have problems getting an IP from the DHCP. Not only WiFi devices.

    You're not running the two APXs on the same channels are you? (Or allowing them to run on automatically-chosen channels?) If they have the same SSID, they must be on different channels so as not to interfere with each other.

    - Different channels. Automatic mode.

    Maybe the APs are trying to get the same IP address? Should I try to make a fixed reservation for the APs?

    Thanks

  • I'm not positive how the APX's work in automatic channel mode, but I'm not aware that there's any "don't choose the same channel" restriction of the algorithm. I would fix them to two different channels. The two APX's have different MAC addresses and you should be able to see two different IP addresses in your XGS' DHCP table. Does this change when the one APX is inactive? (And does it go inactive at the DHCP lease renewal time?)

    Are you bridging your SSID into your LAN, or are you using VLANs for the WiFi devices? (In the case of XGS control, you'd be using VXLANs, actually.) That is, is there one DHCP server entry on the XGS and you have one big subnet (WiFi and non-WiFi) or do you have multiple subnets and therefore multiple DHCP server entries? If it's the latter, do all subnets go out, or just the one on which the APX resides?

    When you say that disconnecting the APXs and then reconnecting them fixes the problem, how are they connected (directly into the XGS' ports, via a switch, etc) and have you tried only disconnecting the one that goes inactive rather than both? Also, is it the same one each time or is each APX likely to go inactive? Also, I think you mentioned PoE, so when you say "disconnect" that really amounts to rebooting them, right?

    Have you checked any logs for error messages? (I can't remember the details of XGS control, but I think there are options to connect directly to the APX to see its logs, too.) Are you using DOS-prevention on the XGS and is it triggering around the problem time? (I.e. the APX or some other device having dropped packets because DOS thresholds were exceeded?)

    In a prior thread, you seemingly had the same problem before with an XG and AP's that you replaced with the XGS and APX's, which suggests things like:

    • Another device on your network that floods your network (or just your DHCP server) or has a rogue DHCP server, or is connected on both APXs or is both wired and WiFi and it's forwarding packets. And perhaps when you disconnect your APX you are cutting that device off and it resets or settles down.
    • Something wonky in your configuration that you carried over to the new hardware when you reloaded your saved configuration. Which, since you manage your AP's from there might be reflected in their configuration as well. Could be something that interferes with DHCP renewals, which I believe have a different handshake than the initial DHCP request. (This sounds strangely familiar, like there's been a thread on it or I experienced it... something about how DHCP renewals work that was being blocked.)
    • Another device on your network is adopting the same IP address as your APX. If you disconnect your PoE APX, it'll reboot and might come up with a new IP address, moving away from the conflict for a while?

    Have you checked the network for other strange behavior -- packet floods, lots of errors or drops, etc? Or is this purely DHCP and perhaps one of your APXs not being able to renew its DHCP lease, or perhaps a device (maybe an APX) with a self-assigned IP address that conflicts with the AP? Right now, you're describing just a DHCP issue but if there's other wonky stuff going on, the DHCP issue could just be a symptom.
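
Two of the hypotheses raised in the reply above (a rogue DHCP server, and a second device holding the same IP address) can be checked from captured DHCP server replies. The following Python is an added example, not part of the original thread or any Sophos tooling; the function names, the 192.0.2.x addresses and the sample packets are constructed for illustration.

```python
import socket, struct
from collections import defaultdict

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie at offset 236 (RFC 2131)
OFFER, ACK = 2, 5             # option 53 message types

def parse_dhcp(payload):
    """Return (msg_type, server_id, yiaddr, client_mac) or None if not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    yiaddr = socket.inet_ntoa(payload[16:20])
    mac = payload[28:28 + min(payload[2], 16)].hex(":")
    msg_type = server_id = None
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                             # pad option, no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]           # short slice if truncated
        if code == 53 and len(value) == 1:              # DHCP message type
            msg_type = value[0]
        elif code == 54 and len(value) == 4:            # server identifier
            server_id = socket.inet_ntoa(value)
        i += 2 + length
    return msg_type, server_id, yiaddr, mac

def audit(payloads, authorized_servers):
    """Flag replies from unexpected servers and one IP ACKed to several MACs."""
    rogue, owners = set(), defaultdict(set)
    for msg_type, server_id, yiaddr, mac in filter(None, map(parse_dhcp, payloads)):
        if msg_type in (OFFER, ACK) and server_id and server_id not in authorized_servers:
            rogue.add(server_id)
        if msg_type == ACK:
            owners[yiaddr].add(mac)
    conflicts = {ip: sorted(m) for ip, m in owners.items() if len(m) > 1}
    return sorted(rogue), conflicts

def build(msg_type, server, yiaddr, mac):
    """Constructed sample server reply (not captured traffic)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0) + bytes(4)
    hdr += socket.inet_aton(yiaddr) + bytes(8)
    hdr += bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0") + bytes(192)
    return hdr + MAGIC + bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server) + b"\xff"

SAMPLES = [  # constructed: 192.0.2.1 stands in for the firewall's DHCP server
    build(ACK, "192.0.2.1", "192.0.2.50", "02:00:00:00:00:01"),
    build(ACK, "192.0.2.1", "192.0.2.50", "02:00:00:00:00:02"),
    build(OFFER, "192.0.2.99", "192.0.2.60", "02:00:00:00:00:03"),
]
```

`audit(SAMPLES, {"192.0.2.1"})` reports the unexpected server 192.0.2.99 and the address 192.0.2.50 acknowledged to two MACs. An address legitimately moves between MACs after a lease expires, so treat a reported conflict as a lead to compare against the lease table, not as proof.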