Issues with tcp connections between VLANs on the same AP

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Re:Issues streaming cameras across VLANs
2022-06-07 19:35:07

  @treas 

 

Ok, perhaps it's an MTU/fragmentation problem.  Try setting your router's LAN MTU to 1492 or lower (default is 1500) to account for the extra headers used for 802.1q VLANs.  You will need to power cycle your router or reboot it after making this change.

<< Paying it forward, one juicy problem at a time... >>
  0  
#12
Re:Issues streaming cameras across VLANs
2022-06-07 23:12:45

  @d0ugmac1 I am 99% sure the issue is in the firmware of the EAP650s.  When I connect back to a client on the same AP I end up with tons of tcp retransmission errors after the initial connection starts off OK.

 

See this example of trying to SSH to another computer on a different VLAN on the same EAP

 

 

 

or this one trying to run IPERF between the same two PCs

 

 

 

The connection clearly works -- my router is routing the traffic appropriately, but the APs seem to be losing the packets.  I can see the server sending the packets in my router, but they never make it to the end device.

 

tcpdump of my router during ssh connection: 192.168.92.99 is the server

 

19:11:17.688227 IP (tos 0x0, ttl 128, id 28327, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.77.78.60855 > 192.168.92.99.ssh: Flags [S], cksum 0x3292 (correct), seq 1805499679, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
19:11:17.688799 IP (tos 0x0, ttl 127, id 28327, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.77.78.60855 > 192.168.92.99.ssh: Flags [S], cksum 0x3292 (correct), seq 1805499679, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
19:11:17.698097 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [S.], cksum 0x4d09 (correct), seq 2934780542, ack 1805499680, win 65535, options [mss 1460,nop,wscale 6,sackOK,eol], length 0
19:11:17.698389 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [S.], cksum 0x4d09 (correct), seq 2934780542, ack 1805499680, win 65535, options [mss 1460,nop,wscale 6,sackOK,eol], length 0
19:11:17.704006 IP (tos 0x0, ttl 128, id 28328, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.77.78.60855 > 192.168.92.99.ssh: Flags [.], cksum 0x8ad8 (correct), ack 1, win 513, length 0
19:11:17.704273 IP (tos 0x0, ttl 127, id 28328, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.77.78.60855 > 192.168.92.99.ssh: Flags [.], cksum 0x8ad8 (correct), ack 1, win 513, length 0
19:11:17.705072 IP (tos 0x0, ttl 128, id 28329, offset 0, flags [DF], proto TCP (6), length 73)
    192.168.77.78.60855 > 192.168.92.99.ssh: Flags [P.], cksum 0x4793 (correct), seq 1:34, ack 1, win 513, length 33
19:11:17.705181 IP (tos 0x0, ttl 127, id 28329, offset 0, flags [DF], proto TCP (6), length 73)
    192.168.77.78.60855 > 192.168.92.99.ssh: Flags [P.], cksum 0x4793 (correct), seq 1:34, ack 1, win 513, length 33
19:11:17.713030 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [.], cksum 0x7cb9 (correct), ack 34, win 4095, length 0
19:11:17.713152 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [.], cksum 0x7cb9 (correct), ack 34, win 4095, length 0
19:11:17.746037 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 61)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xb5f3 (correct), seq 1:22, ack 34, win 4095, length 21
19:11:17.746207 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 61)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xb5f3 (correct), seq 1:22, ack 34, win 4095, length 21
19:11:17.763290 IP (tos 0x0, ttl 128, id 28330, offset 0, flags [DF], proto TCP (6), length 1432)
    192.168.77.78.60855 > 192.168.92.99.ssh: Flags [P.], cksum 0x894b (correct), seq 34:1426, ack 22, win 513, length 1392
19:11:17.763782 IP (tos 0x0, ttl 127, id 28330, offset 0, flags [DF], proto TCP (6), length 1432)
    192.168.77.78.60855 > 192.168.92.99.ssh: Flags [P.], cksum 0x894b (correct), seq 34:1426, ack 22, win 513, length 1392
19:11:17.770099 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 1096)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0x0f17 (correct), seq 22:1078, ack 1426, win 4074, length 1056
19:11:17.770318 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 1096)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0x0f17 (correct), seq 22:1078, ack 1426, win 4074, length 1056
19:11:17.779013 IP (tos 0x0, ttl 128, id 28331, offset 0, flags [DF], proto TCP (6), length 88)
    192.168.77.78.60855 > 192.168.92.99.ssh: Flags [P.], cksum 0x5f46 (correct), seq 1426:1474, ack 1078, win 509, length 48
19:11:17.779171 IP (tos 0x0, ttl 127, id 28331, offset 0, flags [DF], proto TCP (6), length 88)
    192.168.77.78.60855 > 192.168.92.99.ssh: Flags [P.], cksum 0x5f46 (correct), seq 1426:1474, ack 1078, win 509, length 48
19:11:17.788007 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [.], cksum 0x72e4 (correct), ack 1474, win 4095, length 0
19:11:17.788070 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [.], cksum 0x72e4 (correct), ack 1474, win 4095, length 0
19:11:17.926059 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 596)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:17.926205 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 596)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:18.170173 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 596)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:18.170386 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 596)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:18.453150 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 596)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:18.453370 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 596)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:19.348159 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 596)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:19.348278 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 596)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:20.207375 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 596)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:20.207535 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 596)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:21.366199 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 596)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:21.366429 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 596)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:23.487444 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 596)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:23.487742 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 596)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556

 

  0  
#13
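The repeated server segment in the capture posted in #13 can be picked out mechanically. The following is an added example, not part of the original thread: it parses tcpdump -v output, pairs the ingress and egress copies the router records for each packet, and lists data segments that were sent more than once. The function name retransmissions and the rule "higher TTL = ingress copy, lower TTL = routed copy" are assumptions of this example.

```python
import re
from collections import defaultdict

# Records copied from the router capture in the post above (tcpdump -v format).
# The router logs each packet twice: on the ingress VLAN interface and, with
# the TTL decremented by one, on the egress interface after routing.
CAPTURE = """\
19:11:17.779013 IP (tos 0x0, ttl 128, id 28331, offset 0, flags [DF], proto TCP (6), length 88)
    192.168.77.78.60855 > 192.168.92.99.ssh: Flags [P.], cksum 0x5f46 (correct), seq 1426:1474, ack 1078, win 509, length 48
19:11:17.779171 IP (tos 0x0, ttl 127, id 28331, offset 0, flags [DF], proto TCP (6), length 88)
    192.168.77.78.60855 > 192.168.92.99.ssh: Flags [P.], cksum 0x5f46 (correct), seq 1426:1474, ack 1078, win 509, length 48
19:11:17.926059 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 596)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:17.926205 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 596)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:18.170173 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 596)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
19:11:18.170386 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 596)
    192.168.92.99.ssh > 192.168.77.78.60855: Flags [P.], cksum 0xf5f3 (correct), seq 1078:1634, ack 1474, win 4096, length 556
"""

RECORD = re.compile(
    r"^(\S+) IP \(.*?ttl (\d+),.*\)\n\s+(\S+) > (\S+): Flags \[[^\]]*\],(.*)$",
    re.MULTILINE)

def retransmissions(capture):
    """Return data segments that appear more than once on the ingress side."""
    seen = defaultdict(lambda: defaultdict(list))  # segment -> ttl -> timestamps
    for ts, ttl, src, dst, rest in RECORD.findall(capture):
        seq = re.search(r"seq (\d+:\d+)", rest)
        if seq:  # SYNs and pure ACKs carry no seq range and are skipped
            seen[(src, dst, seq.group(1))][int(ttl)].append(ts)
    report = {}
    for segment, by_ttl in seen.items():
        ingress, egress = max(by_ttl), min(by_ttl)
        if len(by_ttl[ingress]) > 1:
            report[segment] = {
                "sent": len(by_ttl[ingress]),
                "forwarded": len(by_ttl[egress]) if egress < ingress else 0,
                "times": by_ttl[ingress],
            }
    return report

if __name__ == "__main__":
    for (src, dst, seq), info in retransmissions(CAPTURE).items():
        print(f"{src} > {dst} seq {seq}: sent {info['sent']}x, "
              f"forwarded {info['forwarded']}x at {info['times']}")
```

On the records above it reports the server segment 1078:1634 as sent twice and forwarded twice, which means every copy left the router and the loss lies downstream of it.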
Re:Issues streaming cameras across VLANs
2022-06-07 23:44:56 - last edited 2022-06-09 19:35:14
I installed an old Netgear AP in the same location and it works fine. The issue is the TP-Link EAPs 100%.
  3  
#14
Re:Issues streaming cameras across VLANs
2022-06-08 03:40:38

Dear @treas,

 

treas wrote

I installed an old Netgear AP in the same location and it works fine. The issue is the TP-Link EAPs 100%.

 

Different brands may have different VLAN strategies. May I know the model number of your Router and Netgear AP?

 

To make the wireless VLAN work properly for Omada EAP including the EAP650, both the Router and the Switch should be VLAN capable.

If the network topology is like "Router (Port1) ----(Port2) Switch (Port3) ---- EAP )))((( SSID1 vlan10, SSID2 vlan20",

Then the Port1, Port2, and Port3 should all have VLAN10 & VLAN20 tagged.

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
#15
Re:Issues streaming cameras across VLANs
2022-06-08 04:09:05

  @Fae The model of my router is Firewalla Gold.  The Netgear AP I tested was the Orbi Pro AX6000 (SXK80).

 

My router supports 802.1q VLANs.  I'm using the TP-Link JetStream SG200P, which has the VLAN profiles correctly applied to each port.  The issue is exclusively regarding TCP connections which originate and are routed back to the same access point.  They get dropped by the AP.

  0  
#16
Re:Issues with tcp connections between VLANs on the same AP
2022-06-09 19:12:52 - last edited 2022-07-18 02:04:19

I purchased an EAP 660 HD to test whether it was specific to the EAP650.

 

I can confirm that everything works fine with the EAP660 HD instead of the EAP650s.  They are running firmware 1.0.5

 

The EAP650s CPU utilization hits about 70% when I try to access the stream, the EAP660 HD hits 3%.  I know the 660 is a high density AP but that's an extreme difference.  It would seem something about this connection is causing huge CPU usage on the 650 specifically.

 

It's disappointing because I much prefer the dimensions of the 650, but it simply does not work for this use case.

  2  
#17
Re:Issues with tcp connections between VLANs on the same AP
2022-06-09 19:34:27

  @treas 

 

I wouldn't have believed it, but ok, firmware it is!  Hopefully they issue a BUG ticket for you and get this resolved.

 

FWIW I just had my SG2008P beta firmware delivered last night, took about 2 weeks to deliver my fixes...testing now.

<< Paying it forward, one juicy problem at a time... >>
  0  
#18
Re:Issues with tcp connections between VLANs on the same AP
2022-06-09 19:35:55 - last edited 2022-07-18 02:04:25

  @d0ugmac1 Check out these CPU resource graphs between the 650 and 660 hd

 

 

650:

 

 

660 HD:

 

  1  
#19
Re:Issues with tcp connections between VLANs on the same AP
2022-06-11 20:35:00

  @treas I purchased a few more models

 

620 HD does not appear to have this issue

 

670 does have this issue, you can see the CPU gets pegged to the max:

 

  0  
#20
Re:Issues with tcp connections between VLANs on the same AP
2022-06-12 07:55:42

  @treas @Fae 

 

Fae, do you know if this issue is being tracked as a possible bug?

<< Paying it forward, one juicy problem at a time... >>
  1  
#21