This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Setup Wireless Separate Zone when AP`s behind routing switch

Hey together,

can someone help me regarding the proper setup of the wireless protection.

Here`s our network:

AP`s [192.168.22.XXX (DHCP)]------------------ [192.168.22.1]Core Routing Switch[192.168.33.1] ---------------[192.168.33.33]Sophos UTM

 

The access points are connected to the POE CoreSwitch. They receive a DHCP address in the 192.168.22.0 network. Option 234 was set to point to 192.168.33.33, the interface of the Sophos UTM.

On the UTM I configured the following:

192.168.33.33 is entered under Access Control -> Allowed Interfaces

The wireless networks are set to "separate zone"as we want different networks for every single WLAN.

Is this the proper configuration for our constellation? Does this separate zone configuration work when APs are behind the routing switch?

We have several problems. Access points are becoming inactive over and over again. The data stream to our other internal networks (behind the rounting switch) collapses after a shot time. After that the AP`s become inactive and later active again.

Maybe you have some suggestions for me. :)

 

Thanks and best Regards,

Chris



This thread was automatically locked due to age.
Parents
  • Does your switch Route 1.2.3.4 to the UTM.?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    we did not enter a route on the switch to route 1.2.3.4 to the UTM.

    We only added DHCP option 234 to point to 192.168.33.33, the UTM`s internal ip-adress (https://community.sophos.com/kb/de-de/119131 ).
    I checked dhcp logs to find out if the AP´s got this option but unfortunately I can`t see anything there. I only see that the access points keep reregistering and rerequesting dhcp settings over and over again. 

    Edit:

    I just checked this. A tracert to 1.2.3.4 is successfully routed over 192.168.33.33 to the internet (it seems to be normal that the tracet doesn`t stop at the 192.168.33.33 but is moving on to the internet).

    I just connected one AP directly to a physical port of the UTM and after that everything is working fine. There seems to be some issue between the connection of the AP`s behind the routing switch and the UTM.

    Pings and access to shares etc. are working fine. The problem occurs when I start copying files (small files are no problem) or create load (traffic) on the wireless connection. As soon as there is load on it, the access points start becoming inactive and then reregister and so one. 

    Best Regards,
    Chris

  • Chris, it's starting to sound like your switch is the problem.  I think you should have Sophos Support look at your Wireless Protection log to confirm that the APs are having their communication with the UTM somehow slowed.  If you think you can find a section less than 100 lines that should show the problem, we can try to work on it here.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    first of all: Thanks for your help.

    Sophos support already checked a tcpdump taken on the UTM. They found out that packets are highly fragmented and fragmentation takes a long time. They advised me to check MTU`s on the UTM and the switches.

    The MTU`s for the UTM interfaces are 1500
    The MTU`s on the switch are 1500 for Ethernet 2 packets and 1492 for snap packets. 

    Switch admin is checking the switch configuration at the moment. I hope that he can find something.

    Best Regards,
    Chris

  • Hi guys,

    just wanted to let you know what the problem was.

    The access points, powered over ethernet (POE) had been wrongly classified by the POE switch. Due to that, too much power was delivered when lots of data was transferred, which led to a restart of the access points.

    The AP`s were classified correctly on the POE switch now, so that the power fits the needs of the AP´s. Since that, no more restarts occured. 

    Best Regards,
    Chris

Reply
  • Hi guys,

    just wanted to let you know what the problem was.

    The access points, powered over ethernet (POE) had been wrongly classified by the POE switch. Due to that, too much power was delivered when lots of data was transferred, which led to a restart of the access points.

    The AP`s were classified correctly on the POE switch now, so that the power fits the needs of the AP´s. Since that, no more restarts occured. 

    Best Regards,
    Chris

Children
No Data