For the mbox hotspot gateway to work, a number of prerequisites and components are involved, so it is important to understand what they are; during troubleshooting we isolate them step by step to find the root cause of the problem.
For field installations, it is imperative that at the end of our configuration we verify that the hotspot service is working properly on the mbox itself before testing from the client/user side.
Common hotspot configuration mistakes are:
No firewall-snat configured. When the HSG is used as a gateway, it usually needs to hide (PAT) the internal private user IP addresses behind its public interface IP.
No radius-server configured. Most of the time the HSG's local built-in UAM/RADIUS server is used, so the local RADIUS server must be configured and enabled (security radius-server).
Wrong hotspot instance combination.
Wrong hotspot LAN interface: in "security hotspot <lanif>", make sure lanif is indeed the target VLAN/LAN user interface.
No WAN interface configured ("hotspot-wan <wanif>"; defaults to eth0 if not explicitly configured).
Landing page problems. These are usually due to the wrong template being used or mistakes in the landing page customization.
Below are the tests and troubleshooting steps for the mbox hotspot service:
check mbox is properly connected to the Internet, eg. WAN interface IP, default gateway
check local DNS resolution is working, eg. name-server
check the mbox local firewall rules (firewall-dnat and firewall-access rules)
check the upstream connectivity path is clear (in case there is a firewall in front of mbox)
check RADIUS working status
check hotspot instance status
check the portal name and the configured hotspot-portal URL
debug/tcpdump client DHCP requests and access requests
show mysql running logs and URL access logs
TESTING & TROUBLESHOOTING STEPS
mbox must have a good Internet connection, with the prerequisites below met:
Verify the WAN interface has an IP address (either through DHCP or static assignment, depending on the ISP configuration).
Verify the default route is available:
HSG-DEMO# show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, P - PIM, A - Babel, > - selected route, * - FIB route
If we do not explicitly configure a client name-server IP address, mbox will by default hand out Google's name-server IP address (8.8.8.8) to clients.
mbox#
mbox# configure
mbox(config)# ip name-server 203.211.152.66 210.193.2.66
mbox(config)# end
mbox# ping www.yahoo.com
PING fd-fp3.wg1.b.yahoo.com (106.10.138.240) 56(84) bytes of data.
64 bytes from 106.10.138.240: icmp_req=1 ttl=52 time=5.41 ms
64 bytes from 106.10.138.240: icmp_req=2 ttl=52 time=5.27 ms
64 bytes from 106.10.138.240: icmp_req=3 ttl=52 time=5.37 ms
64 bytes from 106.10.138.240: icmp_req=4 ttl=52 time=5.33 ms
64 bytes from 106.10.138.240: icmp_req=5 ttl=52 time=5.23 ms
--- fd-fp3.wg1.b.yahoo.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 5.233/5.326/5.415/0.104 ms
mbox#
mbox# ping www.yahoo.com
PING fd-fp3.wg1.b.yahoo.com (106.10.138.240) 56(84) bytes of data.
64 bytes from 106.10.138.240: icmp_req=1 ttl=52 time=3.88 ms
64 bytes from 106.10.138.240: icmp_req=2 ttl=52 time=3.22 ms
64 bytes from 106.10.138.240: icmp_req=3 ttl=52 time=2.83 ms
64 bytes from 106.10.138.240: icmp_req=4 ttl=52 time=4.01 ms
^C
--- fd-fp3.wg1.b.yahoo.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 2.832/3.489/4.018/0.486 ms
mbox#
HSG-DEMO# ping splash.ransnet.com
PING splash.ransnet.com (2.1.2.1) 56(84) bytes of data.
64 bytes from 2.1.2.1: icmp_req=1 ttl=64 time=0.096 ms
64 bytes from 2.1.2.1: icmp_req=2 ttl=64 time=0.062 ms
64 bytes from 2.1.2.1: icmp_req=3 ttl=64 time=0.053 ms
64 bytes from 2.1.2.1: icmp_req=4 ttl=64 time=0.061 ms
64 bytes from 2.1.2.1: icmp_req=5 ttl=64 time=0.053 ms
NOTE:
If no default gateway is available, we cannot go anywhere. Check:
If the WAN is using DHCP to obtain its IP (either from the ISP connection or an upstream firewall), the default gateway should be assigned automatically; otherwise check with the ISP or the upstream firewall.
If the WAN is using a static IP, we must manually configure the default gateway (eg. ip default-gateway 192.168.100.1).
If we can ping 8.8.8.8 but cannot ping by DNS name (www.yahoo.com), the name-server is not working. Check our DNS name-server setting (eg. ip name-server 203.211.152.66 210.193.2.66).
Check client source address translation (firewall-snat). In most cases users/clients are given private IP addresses, so when they browse the Internet their private source addresses must be hidden/translated to a public address. There are two possible scenarios:
mbox is deployed as the all-in-one gateway (router, firewall, hotspot gateway), so mbox must hide internal client source IP addresses by mapping them to the mbox external WAN interface address. This is done with firewall-snat rules.
There is another firewall or router in front of mbox, and the customer prefers (for whatever reason) that mbox not perform address translation (eg. the firewall needs to "see" the clients' real IP addresses). In that case, make sure the front router or firewall performs source address translation (PAT) and also has a static route for the client subnet pointing back to the mbox WAN IP as next hop.
Verify firewall-snat/PAT when mbox is deployed as the all-in-one gateway:
mbox#
mbox# show running-config include firewall-snat
firewall-snat 1 overload outbound eth0    <-- eth0 is the WAN interface
mbox# show firewall snat-list
Chain POSTROUTING (policy ACCEPT 189K packets, 16M bytes)
 pkts bytes target     prot opt in     out     source               destination
  29M 2150M MASQUERADE all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
mbox#
It is not always possible to access the customer's firewall or router; use the simple command below on mbox to check whether the upstream router/firewall is properly configured.
HSG-DEMO# show security hotspot
Authentication service: running
---------------------------------
HotSpot service: running
---------------------------------
LAN     TUN   Server IP     Client-Net                   Client-DHCP  DHCP Issued  Clients
-------------------------------------------------------------------------------------------------------------
vlan80  tun0  192.168.80.1  192.168.80.0/255.255.255.0   /            0            0
HSG-DEMO#
HSG-DEMO# traceroute 8.8.8.8 source 192.168.80.1
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  172.16.99.1  0.528 ms  0.497 ms  0.510 ms
......<intentionally hidden>
 7  203.211.159.108  5.168 ms  203.211.159.90  4.699 ms  203.211.159.108  4.626 ms
 8  203.211.158.77  4.768 ms  203.211.158.79  3.885 ms  203.211.158.77  5.299 ms
 9  210.193.4.254  3.724 ms  3.534 ms  3.789 ms
10  108.170.254.225  5.205 ms  108.170.240.225  5.294 ms  108.170.254.225  5.520 ms
11  209.85.242.121  4.734 ms  209.85.143.7  3.823 ms  108.170.237.227  3.713 ms
12  8.8.8.8  3.603 ms  3.515 ms  3.402 ms
HSG-DEMO#
NOTE:
The traceroute source (192.168.80.1) is the hotspot server IP address configured on mbox, eg. obtained from "show security hotspot".
If the traceroute above fails, the required configuration on the upstream router/firewall has not been done properly. Check the upstream firewall/router to make sure source address translation is configured and a static route has been added for the user/client subnets.
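When the all-in-one scenario applies, the two outputs shown above (the firewall-snat line from the running-config and the POSTROUTING listing from "show firewall snat-list") are what decide whether client traffic is being translated. The following Python checker is an added example, not mbox code; it assumes the snat-list output keeps the iptables-style column layout shown above (pkts, bytes, target, prot, opt, in, out, source, destination) and reports a missing rule, a rule bound to the wrong interface, or a rule that has never matched a packet. The sample outputs are constructed to match the page's format.

```python
import re

# Constructed samples shaped like the two mbox outputs on this page
# (not captured from a real device).
RUNNING_CONFIG = "firewall-snat 1 overload outbound eth0\n"
SNAT_LIST = """\
Chain POSTROUTING (policy ACCEPT 189K packets, 16M bytes)
 pkts bytes target     prot opt in     out     source               destination
  29M 2150M MASQUERADE all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
"""

_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}


def to_count(token):
    """Turn an iptables counter such as '29M' or '189K' into an int."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError(f"not a counter: {token!r}")
    return int(m.group(1)) * _SUFFIX.get(m.group(2), 1)


def parse_postrouting(text):
    """Parse rule rows of an iptables -t nat -L POSTROUTING -v -n style listing.

    Header and 'Chain ...' lines are skipped because their first column
    is not a packet counter.
    """
    rules = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 9 or not re.fullmatch(r"\d+[KMG]?", cols[0]):
            continue
        pkts, _bytes, target, _prot, _opt, in_if, out_if, src, dst = cols[:9]
        rules.append({
            "pkts": to_count(pkts), "target": target,
            "in": in_if, "out": out_if, "source": src, "destination": dst,
        })
    return rules


def snat_findings(running_config, snat_list, wan_if):
    """Return a list of problems; an empty list means source NAT looks correct."""
    findings = []
    cfg = re.search(r"^firewall-snat\s+\d+\s+overload\s+outbound\s+(\S+)",
                    running_config, re.M)
    if cfg is None:
        findings.append("no firewall-snat overload rule in running-config")
    elif cfg.group(1) != wan_if:
        findings.append(f"firewall-snat bound to {cfg.group(1)}, "
                        f"expected WAN interface {wan_if}")
    rules = [r for r in parse_postrouting(snat_list)
             if r["target"] in ("MASQUERADE", "SNAT") and r["out"] == wan_if]
    if not rules:
        findings.append(f"no MASQUERADE/SNAT rule in POSTROUTING with out={wan_if}")
    elif all(r["pkts"] == 0 for r in rules):
        # Rule is installed but nothing has hit it: clients are not being
        # translated yet, or their traffic is not reaching this box.
        findings.append(f"MASQUERADE rule on {wan_if} present but has matched no packets yet")
    return findings


if __name__ == "__main__":
    for finding in snat_findings(RUNNING_CONFIG, SNAT_LIST, "eth0") or ["source NAT OK"]:
        print(finding)
```

Paste the two real outputs into the two strings, set wan_if to the interface from "hotspot-wan", and an empty findings list means the all-in-one NAT prerequisite is satisfied.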
If there is a firewall in front of mbox, outbound DNS queries from mbox must be permitted, and outbound HTTP and HTTPS from mbox to common websites must be permitted. Check from mbox:
NOTE:
If any of the steps above fails, check the upstream firewall configuration and make sure the required access is permitted.
In most cases mbox is also configured as the RADIUS server for its own access-controller service (details). Double-check the RADIUS configuration: make sure mbox itself is added as a local client of the radius-server, make sure a test authentication works, and verify with the logs.
NOTE:
If any of the above fails, mbox will not be able to authenticate user clients, so user login will fail.
Follow the hotspot configuration guide closely, make sure at least all the base commands are configured, and verify that the hotspot access controller is running.
NOTE: one of the most common mistakes is configuring the wrong LAN and WAN interface. Each hotspot instance must match a correct pair of LAN and WAN interfaces, so make sure "security hotspot <lanif>" and "hotspot-wan <wanif>" are correctly configured.
Use "?" to view the minimum/base commands required to activate a hotspot service.
mbox#
mbox# configure
mbox(config)# security hotspot vlan10
(config-hotspot-eth1)# ?
  !                 Comments
  allowed-domain    (optional) default allowed domains, comma seperated.
  allowed-url       (optional) default allowed URL or networks, comma seperated.
  client-bandwidth  (optional) Per client maximum bandwidth.
  .........
HSG-DEMO# show running-config begin "security hotspot"
security hotspot vlan80
 client-dhcp-dns 203.211.152.66 210.193.2.66
 client-dhcp-helper 172.16.30.30,172.16.40.5
 client-static 192.168.80.2 255.255.255.0
 bypass-domain .facebook.com,.facebook.net,.akamaihd.net,fb.me,.fbcdn.net,.fbsbx.com,.twitter.com,.twimg.com,.linkedin.com,.static.licdn.com,.weibo.cn,.ransnet.com,.weibo.com
 bypass-dst portal.ransnet.com,splash.ransnet.com
 bypass-mac radius
 redirect-url http://status.ransnet.com
 radius-server localhost testing123
 hotspot-portal https://splash.ransnet.com/pid/ransnet/login.php
 start
!
NOTE:
The original IP address of each hotspot interface (lanif) is removed; a virtual interface (tun0, tun1, ...) is created and the respective tunnel interface takes over the original lanif IP address.
The portal URL must exactly match what is configured on the HSG (hotspot-portal), and make sure the user device is also able to resolve the portal URL (as in step #2).
HSG-DEMO# show running-config begin "security hotspot"
security hotspot vlan80
 client-dhcp-dns 203.211.152.66 210.193.2.66
 client-dhcp-helper 172.16.30.30,172.16.40.5
 client-static 192.168.80.2 255.255.255.0
 bypass-domain .facebook.com,.facebook.net,.akamaihd.net,fb.me,.fbcdn.net,.fbsbx.com,.twitter.com,.twimg.com,.linkedin.com,.static.licdn.com,.weibo.cn,.ransnet.com,.weibo.com
 bypass-dst portal.ransnet.com,splash.ransnet.com
 bypass-mac radius
 redirect-url http://status.ransnet.com
 radius-server localhost testing123
 hotspot-portal https://splash.ransnet.com/pid/vlan10/login.php
 start
!
Then check the portal itself (make sure the right template is used and the settings match the customer's requirements, etc.).
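Several of the common mistakes listed at the top of this page (missing radius-server, missing hotspot-wan, instance not started, portal URL mismatch) are visible in the "security hotspot" block alone. The Python checker below is an added example, not mbox code; it parses a block in the format shown above and lists those problems. The sample block is constructed. One check is an assumption rather than something the page states: that the hotspot-portal host should be covered by bypass-dst or bypass-domain so an unauthenticated client can reach the landing page (the page's own configuration does list splash.ransnet.com under bypass-dst). The "defaults to eth0" wording comes from the page.

```python
import re
from urllib.parse import urlsplit

# Constructed sample shaped like the page's
# 'show running-config begin "security hotspot"' output.
HOTSPOT_CONFIG = """\
security hotspot vlan80
 client-dhcp-dns 203.211.152.66 210.193.2.66
 client-static 192.168.80.2 255.255.255.0
 bypass-domain .facebook.com,.facebook.net,.ransnet.com
 bypass-dst portal.ransnet.com,splash.ransnet.com
 radius-server localhost testing123
 hotspot-portal https://splash.ransnet.com/pid/vlan10/login.php
 start
!
"""


def parse_hotspot_block(text):
    """Return {'lanif': <interface>, 'opts': {keyword: [value, ...]}} for one instance."""
    lanif, opts = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("security hotspot "):
            lanif = line.split()[2]
        elif line and line != "!":
            key, _, val = line.partition(" ")
            opts.setdefault(key, []).append(val.strip())
    return {"lanif": lanif, "opts": opts}


def host_matches(host, pattern):
    """A bypass entry with a leading dot covers the domain and all its subdomains;
    any other entry must match the host exactly."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def check_hotspot(text):
    """Return a list of findings; an empty list means the base commands are present."""
    cfg = parse_hotspot_block(text)
    opts = cfg["opts"]
    if cfg["lanif"] is None:
        return ["no 'security hotspot <lanif>' line found"]
    findings = []
    if "hotspot-wan" not in opts:
        findings.append("hotspot-wan not set, instance defaults to eth0")
    if "radius-server" not in opts:
        findings.append("no radius-server configured")
    if "start" not in opts:
        findings.append("instance has no 'start', hotspot service will not run")
    portal = opts.get("hotspot-portal", [""])[0]
    if not portal:
        findings.append("no hotspot-portal URL configured")
    else:
        host = (urlsplit(portal).hostname or "").lower()
        bypass = [h for v in opts.get("bypass-dst", []) for h in v.split(",")]
        bypass += [d for v in opts.get("bypass-domain", []) for d in v.split(",")]
        # Assumption (not stated on the page): the portal host must be reachable
        # before login, so it should appear in bypass-dst or bypass-domain.
        if not any(host_matches(host, p) for p in bypass if p):
            findings.append(f"portal host {host} is not in bypass-dst/bypass-domain")
    return findings


if __name__ == "__main__":
    for finding in check_hotspot(HOTSPOT_CONFIG) or ["base hotspot config OK"]:
        print(finding)
```

On the constructed block the only finding is the missing hotspot-wan, which matches the page's note that the WAN interface defaults to eth0 when not configured.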
8. Use TCPDUMP
If all the previous tests are successful, we are ready to test from a client device. Many times we still run into the embarrassment of users complaining that it is not working. There can be many reasons why clients cannot access the Internet, eg. a user device problem, wireless signal, the LAN switch, etc.; especially in a very large environment, many problems can occur on the WLAN/LAN side.
At minimum, to isolate whether the problem is due to mbox or not, use tcpdump to check whether user DHCP requests reach mbox on the mbox LAN interface where client traffic comes in.
Then, from the RADIUS log, check whether authentication requests are coming in.
Once a user is logged in, use "show security hotspot clients" to verify the final status.
NOTE:
vlan10 is the user LAN interface used in the hotspot configuration, eg. "security hotspot vlan10" (if there is only one network behind mbox, it should be a physical interface, eg. eth1).
If we do not see any DHCP requests at all, investigate the mbox connection to the LAN switch and also the internal wireless controller configuration; make sure it is relaying DHCP requests to mbox.
If we see some "Request" packets but, after observing for a few seconds or longer, no "Reply", mbox is not responding to DHCP requests. Check whether the hotspot service is running (go back to the previous hotspot service troubleshooting steps).
If we see both requests and replies, mbox DHCP is working fine, yet some users may still complain about not getting IP addresses. With tcpdump we can filter down to a specific client MAC address (eg. tcpdump interface vlan80 port 67 filter 60:f1:89:51:35:fe); if we do not see any requests from this client MAC, the client is not even connected to the WLAN, or the wireless controller is too busy (not relaying requests fast enough to mbox).
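The three notes above form a small decision tree over the DHCP capture: no requests, requests without replies, or replies present but a particular client MAC never seen. The Python script below is an added example (not mbox code) that applies that decision tree to tcpdump text. It assumes the capture is in standard tcpdump form for port 67 traffic ("BOOTP/DHCP, Request from <mac>" and "BOOTP/DHCP, Reply"), and the sample lines are constructed; the MAC 60:f1:89:51:35:fe is the one used in the page's filter example.

```python
import re
from collections import Counter

# Constructed capture in the shape tcpdump prints DHCP traffic on the
# hotspot LAN interface (not from a real mbox).
SAMPLE_CAPTURE = """\
10:01:02.100 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 60:f1:89:51:35:fe, length 300
10:01:02.150 IP 192.168.80.1.67 > 192.168.80.23.68: BOOTP/DHCP, Reply, length 300
10:01:03.200 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from a4:5e:60:11:22:33, length 300
10:01:04.300 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from a4:5e:60:11:22:33, length 300
"""

DHCP_LINE = re.compile(
    r"BOOTP/DHCP, (?:Request from (?P<mac>[0-9a-fA-F:]{17})|Reply)"
)


def parse_dhcp_capture(text):
    """Return (requests_per_client_mac, reply_count) from tcpdump output."""
    requests = Counter()
    replies = 0
    for line in text.splitlines():
        m = DHCP_LINE.search(line)
        if not m:
            continue  # non-DHCP noise on the interface
        if m.group("mac"):
            requests[m.group("mac").lower()] += 1
        else:
            replies += 1
    return requests, replies


def diagnose(text, client_mac=None):
    """Apply the page's DHCP isolation steps to a capture.

    Returns one of:
      no-dhcp-requests  - nothing reaches mbox: check LAN switch / controller relay
      no-dhcp-replies   - mbox sees requests but is silent: check hotspot service
      dhcp-ok           - requests and replies both present on the LAN interface
      client-not-seen   - this MAC never reached mbox: not on WLAN, or relay too busy
      client-seen       - this MAC's requests do reach mbox, so the LAN path is fine
    """
    requests, replies = parse_dhcp_capture(text)
    if not requests:
        return "no-dhcp-requests"
    if replies == 0:
        return "no-dhcp-replies"
    if client_mac is None:
        return "dhcp-ok"
    if requests.get(client_mac.lower(), 0) == 0:
        return "client-not-seen"
    return "client-seen"


if __name__ == "__main__":
    print(diagnose(SAMPLE_CAPTURE))
    print(diagnose(SAMPLE_CAPTURE, "60:f1:89:51:35:fe"))
    print(diagnose(SAMPLE_CAPTURE, "00:11:22:33:44:55"))
```

Feed it the saved output of the tcpdump command from the note above; a "client-seen" result tells you the problem is not on the switch/controller path to mbox and the remaining steps (hotspot service, RADIUS) apply.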