Issues with TCP connections between VLANs on the same AP
I'm having issues streaming some networked (WiFi) cameras across VLANs, but only when the client device is on the same AP as the camera. When my client device is connected to a different AP everything streams perfectly. But when they share an AP the stream dies before it can even start. I have 3 total APs, all EAP650. Two are directly connected to my switch, one is using wireless mesh. If the cameras are in the same VLAN as the client device it works perfectly. If the cameras are on a different VLAN AND a different AP it works perfectly. If the cameras are on a different VLAN but the SAME AP, it does not work.
I cannot figure out why this would be.
Update: This is caused because TCP connections will drop unexpectedly when connecting to the same AP from where they initiated, on a different SSID/VLAN.
I isolated it to the EAP 650 access points I was using. I replaced them with some Netgear access points set up with the same SSIDs and VLANs and it works 100% correctly.
Ok, perhaps it's an MTU/fragmentation problem. Try setting your router's LAN MTU to 1492 or lower (default is 1500) to account for the extra headers used for 802.1q VLANs. You will need to power cycle your router or reboot it after making this change.
@d0ugmac1 I am 99% sure the issue is in the firmware of the EAP650s. When I connect back to a client on the same AP I end up with tons of TCP retransmission errors after the initial connection starts off OK.
See this example of trying to SSH to another computer on a different VLAN on the same EAP
or this one trying to run IPERF between the same two PCs
The connection clearly works -- my router is routing the traffic appropriately, but the APs seem to be losing the packets. I can see the server sending the packets in my router but they never make it to the end device.
tcpdump of my router during ssh connection: 192.168.92.99 is the server
19:11:17.688227 IP (tos 0x0, ttl 128, id 28327, offset 0, flags [DF], proto TCP (6), length 52)
192.168.77.78.60855 > 192.168.92.99.ssh: Flags [S], cksum 0x3292 (correct), seq 1805499679, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
19:11:17.688799 IP (tos 0x0, ttl 127, id 28327, offset 0, flags [DF], proto TCP (6), length 52)
192.168.77.78.60855 > 192.168.92.99.ssh: Flags [S], cksum 0x3292 (correct), seq 1805499679, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
19:11:17.698097 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [S.], cksum 0x4d09 (correct), seq 2934780542, ack 1805499680, win 65535, options [mss 1460,nop,wscale 6,sackOK,eol], length 0
19:11:17.698389 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [S.], cksum 0x4d09 (correct), seq 2934780542, ack 1805499680, win 65535, options [mss 1460,nop,wscale 6,sackOK,eol], length 0
19:11:17.704006 IP (tos 0x0, ttl 128, id 28328, offset 0, flags [DF], proto TCP (6), length 40)
192.168.77.78.60855 > 192.168.92.99.ssh: Flags [.], cksum 0x8ad8 (correct), ack 1, win 513, length 0
19:11:17.704273 IP (tos 0x0, ttl 127, id 28328, offset 0, flags [DF], proto TCP (6), length 40)
192.168.77.78.60855 > 192.168.92.99.ssh: Flags [.], cksum 0x8ad8 (correct), ack 1, win 513, length 0
19:11:17.705072 IP (tos 0x0, ttl 128, id 28329, offset 0, flags [DF], proto TCP (6), length 73)
192.168.77.78.60855 > 192.168.92.99.ssh: Flags [P.], cksum 0x4793 (correct), seq 1:34, ack 1, win 513, length 33
19:11:17.705181 IP (tos 0x0, ttl 127, id 28329, offset 0, flags [DF], proto TCP (6), length 73)
192.168.77.78.60855 > 192.168.92.99.ssh: Flags [P.], cksum 0x4793 (correct), seq 1:34, ack 1, win 513, length 33
19:11:17.713030 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [.], cksum 0x7cb9 (correct), ack 34, win 4095, length 0
19:11:17.713152 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [.], cksum 0x7cb9 (correct), ack 34, win 4095, length 0
19:11:17.746037 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 61)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xb5f3 (correct), seq 1:22, ack 34, win 4095, length 21
19:11:17.746207 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 61)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xb5f3 (correct), seq 1:22, ack 34, win 4095, length 21
19:11:17.763290 IP (tos 0x0, ttl 128, id 28330, offset 0, flags [DF], proto TCP (6), length 1432)
192.168.77.78.60855 > 192.168.92.99.ssh: Flags [P.], cksum 0x894b (correct), seq 34:1426, ack 22, win 513, length 1392
19:11:17.763782 IP (tos 0x0, ttl 127, id 28330, offset 0, flags [DF], proto TCP (6), length 1432)
192.168.77.78.60855 > 192.168.92.99.ssh: Flags [P.], cksum 0x894b (correct), seq 34:1426, ack 22, win 513, length 1392
19:11:17.770099 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 1096)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0x0f17 (correct), seq 22:1078, ack 1426, win 4074, length 1056
19:11:17.770318 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 1096)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0x0f17 (correct), seq 22:1078, ack 1426, win 4074, length 1056
19:11:17.779013 IP (tos 0x0, ttl 128, id 28331, offset 0, flags [DF], proto TCP (6), length 88)
192.168.77.78.60855 > 192.168.92.99.ssh: Flags [P.], cksum 0x5f46 (correct), seq 1426:1474, ack 1078, win 509, length 48
19:11:17.779171 IP (tos 0x0, ttl 127, id 28331, offset 0, flags [DF], proto TCP (6), length 88)
192.168.77.78.60855 > 192.168.92.99.ssh: Flags [P.], cksum 0x5f46 (correct), seq 1426:1474, ack 1078, win 509, length 48
19:11:17.788007 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [.], cksum 0x72e4 (correct), ack 1474, win 4095, length 0
19:11:17.788070 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [.], cksum 0x72e4 (correct), ack 1474, win 4095, length 0
19:11:17.926059 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 596)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:17.926205 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 596)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:18.170173 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 596)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:18.170386 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 596)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:18.453150 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 596)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:18.453370 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 596)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:19.348159 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 596)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:19.348278 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 596)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:20.207375 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 596)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:20.207535 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 596)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:21.366199 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 596)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:21.366429 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 596)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:23.487444 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 596)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:23.487742 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 596)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
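The retransmission pattern in the capture above can be pulled out mechanically. The following is an added example, not part of the original thread: it parses the two-line tcpdump records and reports data segments that were sent more than once, with the gaps between sends. It assumes the router logged each packet twice (once per interface, TTL n then n-1), which is how the duplicated lines in the capture read; the function name is hypothetical.

```python
import re
from collections import defaultdict

# Excerpt of the router capture quoted in the post above (two lines per packet).
SAMPLE = """\
19:11:17.779013 IP (tos 0x0, ttl 128, id 28331, offset 0, flags [DF], proto TCP (6), length 88)
192.168.77.78.60855 > 192.168.92.99.ssh: Flags [P.], cksum 0x5f46 (correct), seq 1426:1474, ack 1078, win 509, length 48
19:11:17.779171 IP (tos 0x0, ttl 127, id 28331, offset 0, flags [DF], proto TCP (6), length 88)
192.168.77.78.60855 > 192.168.92.99.ssh: Flags [P.], cksum 0x5f46 (correct), seq 1426:1474, ack 1078, win 509, length 48
19:11:17.926059 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 596)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:17.926205 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 596)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:18.170173 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 596)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:18.170386 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 596)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:18.453150 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 596)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:18.453370 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 596)
192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
"""

HDR = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP \(.*?ttl (\d+),")
SEG = re.compile(r"^(\S+) > (\S+): Flags \[[^\]]*\].*?seq (\d+:\d+),")

def retransmissions(text):
    """Map (src, dst, seq range) -> send count and gaps for data segments sent more than once."""
    seen = defaultdict(list)  # (src, dst, seq range, ttl) -> capture times in seconds
    hdr = None
    for line in text.splitlines():
        h = HDR.match(line.strip())
        if h:
            hdr = h
            continue
        s = SEG.match(line.strip())
        if hdr and s:  # SYNs and bare ACKs have no "seq a:b" range and are skipped
            t = int(hdr[1]) * 3600 + int(hdr[2]) * 60 + float(hdr[3])
            seen[(s[1], s[2], s[3], int(hdr[4]))].append(t)
        hdr = None
    report = {}
    for (src, dst, seq, ttl), times in seen.items():
        # Assumption: the routing host logs ingress (TTL n) and egress (TTL n-1);
        # skip the egress copy so a forwarded packet is not counted as a resend.
        if (src, dst, seq, ttl + 1) in seen or len(times) < 2:
            continue
        gaps = [round(b - a, 3) for a, b in zip(times, times[1:])]
        report[(src, dst, seq)] = {"sends": len(times), "gaps": gaps}
    return report
```

Run over the full capture, the same server segment (seq 1078:1634) shows up repeatedly with widening gaps and no ACK from the client, while the client's own segments are forwarded once and acknowledged.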
Dear @treas,
treas wrote
I installed an old Netgear AP in the same location and it works fine. The issue is the TP-Link EAPs 100%.
Different brands may have different VLAN strategies. May I know the model number of your Router and Netgear AP?
To make the wireless VLAN work properly for Omada EAP including the EAP650, both the Router and the Switch should be VLAN capable.
If the network topology is like "Router (Port1) ----(Port2) Switch (Port3) ---- EAP )))((( SSID1 vlan10, SSID2 vlan20",
Then the Port1, Port2, and Port3 should all have VLAN10 & VLAN20 tagged.
@Fae the model of my router is Firewalla Gold. The Netgear AP I tested was the Orbi Pro AX6000 (SXK80).
My router supports 802.1q VLANs. I'm using the TP-Link JetStream SG200P which has the VLAN profiles correctly applied to each port. The issue is exclusively regarding TCP connections which originate and are routed back to the same access point. They get dropped by the AP.
I purchased an EAP 660 HD to test whether it was specific to the EAP650.
I can confirm that everything works fine with the EAP660 HD instead of the EAP650s. They are running firmware 1.0.5
The EAP650s CPU utilization hits about 70% when I try to access the stream, the EAP660 HD hits 3%. I know the 660 is a high density AP but that's an extreme difference. It would seem something about this connection is causing huge CPU usage on the 650 specifically.
It's disappointing because I much prefer the dimensions of the 650 but it simply does not work for this use case.
I wouldn't have believed it, but ok, firmware it is! Hopefully they issue a BUG ticket for you and get this resolved.
FWIW I just had my SG2008P beta firmware delivered last night, took about 2 weeks to deliver my fixes...testing now.
@treas I purchased a few more models.
620 HD does not appear to have this issue.
670 does have this issue, you can see the CPU gets pegged to the max: