
Central Wireless RADIUS: Roaming Clients between APX320 and APX530 lose connection when on APX530

Hi,

We have noticed a strange issue for a while now when WiFi clients are connected to an 802.1X RADIUS WiFi that contains APX320 and APX530 APs that are managed in Sophos Central. Occasionally, when they move around the office and roam between the two models, they lose network connectivity and the new AP does not authenticate the roamed client against the RADIUS server. At the RADIUS server we see no authentication happening, neither failed nor successful.

We have the feeling that it is only related to the APX530 - the clients have no connection when they are connected to an APX530 on 5 GHz. Central still shows an IP address for the client device, but the device actually has no IP on its network adapter. When we reboot the APX, it usually works again. Fast roaming is enabled.
The users help themselves by turning their WiFi adapter off and on when they face the issue. The workaround does not work immediately; they usually need several attempts until it may fix the issue. When it finally works, they are still connected to the APX530, as it is the nearest AP then. On the RADIUS server we then also see that authentication happened and was successful.

The WiFi APs have Central firmware v2.3.4-5.

There are only a few clients connected. No real load for the machines.

I'd like to know if there are known issues with that or if you have a hot idea how to debug this.



Added TAGs
[edited by: Erick Jan at 5:02 AM (GMT -8) on 12 Jan 2024]
  • It was worth a try. I opened a support case and hope they can figure it out: 06845353

    We noticed it also happens when roaming between APX320.

  • I spent some time digging into the debug files and dumps I provided to Sophos.

    A continuous ping was running from the client 192.168.1.68 to 193.99.144.80. Malformed Packet is probably a Wireshark issue.

    This, in the APX packet capture, is the point where the problem is happening - the client roaming from one APX to another:
    30051   2023-07-20 21:53:25,682674      IntelCor_27:eb:5b          Sophos_3c:7c:15 802.11 46771   37008   313            Reassociation Request, SN=8, FN=0, Flags=........, SSID="mySSID"[Malformed Packet]

    That is then the last communication in the client tcp dump:
    80        2023-07-20 21:53:22,027795      192.168.1.68     193.99.144.80   ICMP                            74         Echo (ping) request  id=0x0001, seq=6505/26905, ttl=128 (no response found!)
    Then here the client decided to fail over to the APIPA address for the first time:
    343       2023-07-20 21:54:02,161397      169.254.186.89 224.0.0.22         IGMPv3                        54         Membership Report / Leave group 224.0.0.251

    The times do not match 100% but are near enough to see what happens.

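The timestamp correlation described in the last post above, as an added example that is not part of the original thread: it parses Wireshark text-export rows (the three rows quoted in that post, whitespace-normalised) and reports how long after a Reassociation Request the client first sent from a 169.254.0.0/16 address. The function names and the 120-second search window are assumptions.

```python
import ipaddress
from datetime import datetime

APIPA = ipaddress.ip_network("169.254.0.0/16")

# Sample input: the rows quoted in the post, whitespace-normalised.
AP_CAPTURE = [
    '30051 2023-07-20 21:53:25,682674 IntelCor_27:eb:5b Sophos_3c:7c:15 802.11 46771 37008 313 '
    'Reassociation Request, SN=8, FN=0, Flags=........, SSID="mySSID"[Malformed Packet]',
]
CLIENT_CAPTURE = [
    '80 2023-07-20 21:53:22,027795 192.168.1.68 193.99.144.80 ICMP 74 '
    'Echo (ping) request id=0x0001, seq=6505/26905, ttl=128 (no response found!)',
    '343 2023-07-20 21:54:02,161397 169.254.186.89 224.0.0.22 IGMPv3 54 '
    'Membership Report / Leave group 224.0.0.251',
]

def parse_row(row):
    """Split one export row into (timestamp, source, destination, protocol, info)."""
    _no, date, clock, src, dst, proto, info = row.split(None, 6)
    return datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S,%f"), src, dst, proto, info

def is_apipa(addr):
    try:
        return ipaddress.ip_address(addr) in APIPA
    except ValueError:  # 802.11 rows carry MAC-style names, not IP addresses
        return False

def roam_failures(ap_rows, client_rows, window_s=120):
    """Pair each Reassociation Request with the first APIPA-sourced client packet after it."""
    client = sorted(parse_row(r) for r in client_rows)
    findings = []
    for ts, station, ap, _proto, info in map(parse_row, ap_rows):
        if "Reassociation Request" not in info:
            continue
        apipa = next((c for c in client if is_apipa(c[1])
                      and 0 <= (c[0] - ts).total_seconds() <= window_s), None)
        if apipa is None:
            continue  # roam completed without a link-local fallback in the window
        lost = [c for c in client if c[0] < apipa[0] and "no response found" in c[4]]
        findings.append({
            "station": station, "ap": ap, "apipa_addr": apipa[1],
            "reassoc_to_apipa_s": (apipa[0] - ts).total_seconds(),
            # negative: the two captures' clocks are not synchronised exactly
            "last_unanswered_ping_s": (lost[-1][0] - ts).total_seconds() if lost else None,
        })
    return findings

if __name__ == "__main__":
    for finding in roam_failures(AP_CAPTURE, CLIENT_CAPTURE):
        print(finding)
```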