STAs Cannot Communicate with Each Other

WLAN Troubleshooting Guide (V200)

About This Document
Using eDesk Pro for Network Inspection and Troubleshooting
Using Troubleshooting Insights
Risky Operations
- Hardware-Related Risky Operations
- Software-Related Risky Operations
Routine Maintenance
- Routine Maintenance Overview
- Before You Start
- Checking the Device Environment
  - Checking the Equipment Room Environment
  - Checking the Cable Status
- Checking Basic Device Information
  - Checking the Indicator Status
  - Checking for Critical or Major Alarms on an AC
- Checking the Device Running Status
- Checking Interface Information
- Checking Services
  - Checking the User Status
- Fault Information Collection and Feedback
Troubleshooting: Hardware
- Hardware Overview
- Troubleshooting Guidelines for Hardware
- Troubleshooting Cases for Hardware Faults
- Hardware FAQs
Troubleshooting: STA Experience Faults
- Troubleshooting Guidelines for STA Experience Faults
- Troubleshooting Cases for STA Experience Issues
- STA Experience FAQs
Troubleshooting: AP Joining Faults
- Troubleshooting Guidelines for AP Joining Faults
  - An AP Fails to Go Online on the AC
  - An AP Goes Offline Unexpectedly
- Troubleshooting Cases for AP Onboarding Issues
- AP Onboarding FAQs
Troubleshooting: STA Onboarding Faults
- Troubleshooting Guidelines for STA Onboarding Faults
- Troubleshooting Cases for STA Onboarding Issues
- STA Onboarding FAQs
Troubleshooting: Wireless Access Authentication Issues
- 802.1X Authentication Failures
- HTTP-based External Portal Authentication Failures
- Failures in External Portal Authentication Using the Portal Protocol
- Portal Redirection Failures
- Built-in Portal LDAP or AD Authentication Failures
- Failure to Access the Built-in Portal Page
  - Key Configuration Check
  - Common Built-in Portal Page Access Failures
- Troubleshooting Cases for STA Authentication Failures
- WLAN Authentication FAQs
Troubleshooting: Device Login Faults
- Troubleshooting Guidelines for Device Login Faults
- Device Login FAQs
Troubleshooting: Device Upgrade Faults
- Troubleshooting Guidelines for Device Upgrade Faults
- Troubleshooting Cases for Device Upgrade Failures
  - Case Study: Intelligent Upgrade Fails Because the CA Certificate on the AC Does Not Match That on the HOUP Server
  - Case Study: AP5030DN Upgrade and Mode Switching Are Abnormal Because the AP5030DN Enters the Assistant Package Mode
- Device Upgrade FAQs
Troubleshooting: Device Management Faults
- Troubleshooting Guidelines for Device Management Faults
- Device Management FAQs
Troubleshooting: Reliability Faults
- Troubleshooting Guidelines for Reliability Faults
- Troubleshooting Cases for Reliability Issues
- Reliability FAQs
Troubleshooting: Wireless Bridge Service Faults
- Troubleshooting Guidelines for Wireless Bridge Service Faults
- Wireless Bridge FAQs
Troubleshooting: Radio Management Service Faults
- Troubleshooting Guidelines for Radio Management Service Faults
  - Radio Calibration Does Not Take Effect
  - AI Roaming Does Not Take Effect
- Radio Management FAQs
Troubleshooting: Cloud Management Faults
- Troubleshooting Guidelines for Cloud Management Faults
- Troubleshooting Cases for Cloud Management Faults
  - Case Study: Fit APs Managed by a Cloud AC Fail to Go Online Due to Insufficient License Resources on the Cloud Management Platform
  - Case Study: In a VRRP Backup Scenario, a Loop Occurs on the Network When ACs Connect to the Cloud in PnP Auto-Negotiation Mode
Troubleshooting: CPE Service Faults
- Troubleshooting Guidelines for CPE Service Faults
- Troubleshooting Cases for CPE Service Faults
  - Case Study: When a CPE Roams Repeatedly, Terminals Connected to the CPE Are Intermittently Disconnected
  - Case Study: An Exception Occurs on a CPE Tunnel Due to EoGRE Configuration Changes
- CPE Service FAQs
  - How Can I Know the CPE Connected to a Wired Terminal and Its Uplink AP?
  - How Do I Collect CPE Fault Information by One Click?
Troubleshooting: Others
- Troubleshooting Guidelines for Other WLAN Service Faults
  - User Rate Limiting Does Not Take Effect
- Troubleshooting Cases for Other WLAN Service Issues
  - Case Study: Two STAs Connected to the Same SSID on the Same AP Cannot Communicate with Each Other Because the traffic-optimize bcmc deny all Command Is Executed on the Device
- FAQs About Other WLAN Services
TechNotes
- WLAN Network Optimization
- How an AP Joins an AC and Troubleshooting Any Join Failures
- How to Log In to WLAN ACs and APs
- Troubleshooting WLAN Password Issues
- AP Mode Switching - Overview, Configuration Examples, and Troubleshooting
- TechNotes: Mapping Between WACs and APs
- TechNotes: Wireless Packet Obtaining
- VLAN Deployment Guide for WLAN
- WLAN Performance Test Guide
- How to Configure Option 43 When Huawei APs Are Connected to DHCP Servers of Different Vendors
- Common WLAN Configuration Errors
Appendix: Common Information Collection and Fault Diagnostic Commands
- Information Collection
- Typical Fault Information Collection
- System Maintenance Methods
- Common Fault Diagnostic Commands
Appendix: Indicators
Contacting Huawei Technical Support

Rate and give feedback:

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

STAs Cannot Communicate with Each Other

Symptom

STAs cannot communicate with each other.

Possible Causes

The possible causes are as follows:

User isolation or port isolation is enabled.
The VLAN configuration on the interface is incorrect or a loop occurs on the network.
The security policy on the firewall of the STA prohibits mutual access between STAs.

Troubleshooting Procedure

Click to enlarge

Check whether user isolation is enabled.
- In V200R006 and later versions, check whether the user-isolate all or user-isolate l2 command is configured in the traffic profile bound to the VAP of current STAs. If such user isolation configuration exists, STAs cannot communicate with each other.
```
<Huawei> system-view 
[Huawei] wlan 
[Huawei-wlan-view] traffic-profile name default 
[Huawei-wlan-traffic-prof-default] display this 
#
  user-isolate all 
# 
```
  In this case, run the undo user-isolate command to disable user isolation.
```
[Huawei-wlan-traffic-prof-default] undo user-isolate
Warning: This action may cause service interruption. Continue?[Y/N]y
```
- In V200R005 and earlier versions, check whether the port-isolate enable command is configured in the WLAN-ESS interface and whether the user-isolate command is configured in the service set view. If user isolation is enabled, STAs cannot communicate with each other.
```
<Huawei> system-view
[Huawei] interface wlan-ess 1
[Huawei-Wlan-Ess1] display this 
# 
interface Wlan-Ess1
  port hybrid untagged vlan 100
  port-isolate enable
# 
retrun
[Huawei-Wlan-Ess1] quit
[Huawei] wlan 
[Huawei-wlan-view] service-set name test
[Huawei-wlan-service-set-test] display this
#
  forward-mode tunnel
  wlan-ess 1
  ssid test
  user-isolate
  traffic-profile id 1
  security-profile id 3
  service-vlan 100
#
retrun
```
  In this case, disable user isolation.
  1. Run the undo port-isolate enable command in the WLAN-ESS interface view to disable port isolation.
  2. Run the undo user-isolate command in the service set view to disable user isolation.
  3. Run the commit { all | ap ap-id } command in the WLAN view to commit the configurations.
In practice, to prevent transmission of broadcast packets in VLANs and improve network stability, it is recommended that user isolation be enabled.
Check whether port isolation is enabled.
Run the display port-isolate group all command on the AC or switch to check the configuration of port isolation groups. If port isolation is enabled, STAs may fail to communicate with each other.
```
<Huawei> display port-isolate group all
  The ports in isolate group 3:
GigabitEthernet0/0/1 
GigabitEthernet0/0/2
  The ports in isolate group 4:
GigabitEthernet0/0/3 
GigabitEthernet0/0/4
```
In this case, run the undo port-isolate enable [ group group-id ] command in the interface view to disable port isolation.

In practice, to prevent transmission of broadcast packets in VLANs and improve network stability, it is recommended that port isolation be enabled.

Check whether the intermediate network is faulty.

If user isolation and port isolation are both disabled but STAs still cannot communicate with each other, the intermediate network may be faulty, causing incorrect MAC address entries and ARP entries.

Run the display mac-address command on the device to check whether the learned MAC addresses, the interfaces on which the MAC addresses are learned, and the VLANs to which the MAC addresses belong are correct.

<Huawei> display mac-address 
------------------------------------------------------------------------------- 
MAC Address       VLAN/VSI                Learned-From               Type        
-------------------------------------------------------------------------------  
1047-80ac-cc60    120/-                   GE0/0/1                    dynamic     
60de-4474-9640    120/-                   GE0/0/1                    dynamic     
------------------------------------------------------------------------------- 
Total items displayed = 2

If a MAC address entry is incorrect, check whether the VLAN configuration on the interface is correct and whether a loop occurs.

<Huawei> system-view
[Huawei] interface GigabitEthernet 0/0/1
[Huawei-GigabitEthernet0/0/1] display this
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 120
#

If the VLAN configuration is incorrect, modify the VLAN configuration based on the actual service requirements.

If STAs communicate with each other at Layer 3, check whether ARP entries on the gateway are correct and whether incorrect static ARP entries are configured.

<Huawei> display arp                                                   
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE  
                                          VLAN/CEVLAN PVC         
------------------------------------------------------------------------------  
169.254.1.1     0200-0000-007a            I -         MEth0/0/1                 
192.168.111.1   0200-0000-007a            I -         Vlanif1                   
192.168.0.1     0200-0000-007a            I -         Vlanif10                  
192.168.1.254   9404-9ce1-59e0  7         D-0         GE0/0/20                  
                                            10/-                                
192.168.10.1    0200-0000-007a            I -         Vlanif100                 
192.168.2.24    0200-0000-007a            I -         Vlanif192                 
113.78.190.236  0200-0000-007a            I -         Vlanif1000                
------------------------------------------------------------------------------  
Total:7         Dynamic:1       Static:0     Interface:6

If the displayed ARP entries are incorrect, run the display arp static command to view all static ARP entries.

<Huawei> display arp static
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE  
                                          VLAN/CEVLAN PVC                        
------------------------------------------------------------------------------  
10.1.1.1        0200-0000-00e0            S--                                   
                                            10/-                                
10.102.0.1      0e00-fc01-0000            S--                                   
10.0.0.1        aa00-fcc0-1200            S--                                   
                                             3/-                                
------------------------------------------------------------------------------  
Total:3         Dynamic:0       Static:3    Interface:0

If static ARP entries are incorrectly configured, run the arp static command in the system view to configure static ARP entries correctly.
```
<Huawei> system-view
[Huawei] arp static 10.1.1.1 aaaa-fccc-1212
```

If ARP entries are correct, collect and check traffic statistics on interfaces to locate the fault.

Assume that 10.74.1.46 and 10.74.1.41 are the IP addresses of two STAs.

Configure an ACL.

[Huawei] acl 3000
[Huawei-acl-adv-3000] rule 5 permit icmp source 10.74.1.46 0 destination 10.74.1.41 0
[Huawei-acl-adv-3000] rule 10 permit icmp source 10.74.1.41 0 destination 10.74.1.46 0

Configure an ACL-based traffic classifier.

[Huawei] traffic classifier tc1
[Huawei-classifier-tc1] if-match acl 3000 
[Huawei-classifier-tc1] quit

Configure a traffic behavior.

[Huawei] traffic behavior tb1
[Huawei-behavior-tb1] statistic enable 
[Huawei-behavior-tb1] quit

Configure a traffic policy.

[Huawei] traffic policy tp1
[Huawei-trafficpolicy-tp1] classifier tc1 behavior tb1
[Huawei-trafficpolicy-tp1] quit

Apply the traffic policy.

[Huawei] interface gigabitethernet 0/0/2
[Huawei-GigabitEthernet0/0/2] traffic-policy tp1 inbound
[Huawei-GigabitEthernet0/0/2] quit

Check traffic statistics.

<Huawei> display traffic policy statistics interface gigabitethernet 0/0/2 inbound

 Interface: GigabitEthernet0/0/2
 Traffic policy inbound: tp1
 Rule number: 1
 Current status: OK!
Item                           Sum(Packets/Bytes)
-------------------------------------------------------
Matched                                       0/
                                              0 
  +--Passed                                   0/
                                              0 
  +--Dropped                                  0/
                                              0 
    +--Filter                                 0/
                                              0 
    +--CAR                                    0/
                                              0 
-------------------------------------------------------
  +--Car                                      0/
                                              0 
    +--Green packets                          0/
                                              0 
    +--Yellow packets                         0/
                                              0 
    +--Red packets                            0/
                                              0

In practice, collect traffic statistics on devices as required.

If the Passed value does not meet your requirement, contact technical support personnel.

From V200R019C10, you can also run the np-trace-pkt command to trace and collect packet statistics.

Currently, this command is available only for the AirEngine 9700-M, AC6805, AirEngine 9700-M1, AirEngine9700D-M, and AirEngineX760 series APs.
A maximum of eight filtering rules can be configured.
You can specify the parameter inner to filter packets encapsulated over the CAPWAP tunnel.
Common IP protocol values are TCP (6), UDP (17), and ICMP (1). For other protocol values, visit List of IP protocol numbers - Wikipedia.

Configure filtering conditions of np-trace-pkt.

[AirEngine9700-M-diagnose] np-trace-pkt 1 src-ip 192.168.1.2 protocol 1 //Filter out ICMP packets with the source IP address of 192.168.1.2.

Trigger the traffic that meets the filtering conditions, check packet statistics in the inbound and outbound directions of the device.

[AirEngine9700-M-diagnose] display np-trace-pkt 1 statistics
Index: 1
Configuration:
------------------------------------------------------------------------------------------
SIP             DIP             SMAC           DMAC           SPORT DPORT Protocol Inner
------------------------------------------------------------------------------------------
192.168.1.2     --              --             --             --    --    1        No
------------------------------------------------------------------------------------------

-------------------------------------------
CPU Statistics
-------------------------------------------
Inbound(from NP)  :                 0
Inbound(from CP)  :                 0
Outbound(to NP)   :                 0
Outbound(to CP)   :                 0
-------------------------------------------
NP Statistics
-------------------------------------------
Inbound(from Port):                 0
Inbound(from FWD) :                 0
Outbound(to Port) :                 0
Outbound(to FWD)  :                 0
-------------------------------------------

Check whether the fault is caused by other factors.
1. Check whether the firewall is disabled on the STAs.
2. Check whether a security device (such as an online behavior management device) exists between the STAs, and whether an ACL is configured on the intermediate device to restrict communication between the STAs.

Collect fault information.

Version information
```
[Huawei-diagnose] vrbd
```
Patch information
```
<Huawei> display patch-information
```

Configuration information
```
<Huawei> display current-configuration
```

Log information

[Huawei-diagnose] display logfile buffer
[Huawei-diagnose] display diag-logfile buffer
[Huawei-diagnose] display diagnostic-information

Symptom
Possible Causes
Troubleshooting Procedure

Translation

简体中文

Download

Updated: 2023-12-01

Document ID: EDOC1000060368

Downloads: 6032

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode

Enterprise

Huawei Cloud

Carrier

Consumer

Corporate

Symptom

Possible Causes

Troubleshooting Procedure

Related Version

Related Documents

Digital Signature File