Cisco 1130 AP devices – From Ecstacy to Agony

February 11, 2010 · 2 comments

1 Star2 Stars3 Stars4 Stars5 Stars (3 votes, average: 3.67 out of 5)

We have gone through a few Cisco wireless devices which originated from their acquisition of Aironet.  The first AP-350 devices had a simple GUI for configuration  and were extremely reliable.  Unfortunately, they were only using 802.11b and had problems with some of the early 3rd party WLAN cards.  The move to Cisco IOS later in it’s life was OK, but we had to move on.

We upgraded to a Cisco 1200 which lasted for a year or two, but it just did not work in our environment.  I don’t really know why, since I knew a number of users that were successful with that device.

The next stop was the Cisco 1130.  We were ready to use 802.11G and really liked the ceiling mount kits, PoE (Power over Ethernet) support, security and authentication features.  The device was easy to set up and we mounted two of them to cover our facility.  We had to use the AIR-PWRINJ3 devices since the PoE cards in our 6500 switches were old and did not provide sufficient power to meet the new standards for 802.3af.

In our environment, we use mostly Centrino notebooks and have a few Cisco wireless VoIP  telephones.  We placed these on separate SSIDs and VLANs with QoS (Quality of Service).  The configuration was easy to build and it seemed to work at first.

The first problems occurred with the phones as they became impossible to use.  Calls would get dropped and the phones would constantly lose their association with the 1130’s.  Even if the phone was within 100′ and line-of-sight of the 1130, it would drop out.  We worked with Cisco TAC until it became clear that this was just not going to work and we abandoned the wireless phones all together.

The 1130’s ran flawlessly as WAPs (Wireless Access Points) for our notebooks and smartphones for over two years without a problem.  It was a true set-it-and-forget-it environment with little to no management required.

Then, one day out of the blue, we started having problems with one device not authenticating our users and the clients were indicating that they were not getting a DHCP address.  We use PEAP authentication to a Cisco ACS (Access Control Server) for RADIUS.  We immediately checked the RADIUS logs and saw no attempts at authorization.  Setting some debug commands in the 1130 showed that it thought it was attempting to authenticate users, but a sniffer confirmed that no RADIUS traffic was being generated.  A call to Cisco TAC resulted in them telling us that with two devices and PEAP, we should use WDS (Wireless Domain Services) and the engineer proceeded to configure it on our units.  Things looked good after that and we dropped the case.  However, the good feeling did not last very long and within a couple weeks we were back to where we started.

I realized that I did not have sufficient tools to debug the situation  and decided that I needed a wireless network analyzer to really understand what I was facing.  We knew that a number of new companies had entered our building and perhaps there was some interference or congestion or other issues.  So, we purchased an AirMagnet WiFi Analyzer from Fluke.  Not a cheap purchase, but one that we were confident could better our understanding.  As soon as the system was up and running, we could see immediate problems.  The SSIDs that we had configured were getting corrupted as random 8-bit characters were being appended to them.  We would see something like “SSID1” which would have been correct, but we would also see “SSID1õ♣¬” and other variations.  So, another priority call to Cisco TAC.  After explaining our results, we had the engineer get on the console of the AirMagnet system and after seeing the data, he asked if we had better tools available like Wireshark.  I could not believe what I heard and asked him to repeat it.  I asked him if he was seriously asking me to replace a multi-thousand dollar commercial product with a free open-source product.  Now, don’t get me wrong, I use Wireshark all the time and have used it for years when it was Ethereal.  It is a good product.  However, we needed focused detailed information and we had everything we needed to debug the situation.  He insisted that we didn’t have the right tools and I asked for another engineer.  After a few hours of detailed dialog, the engineer disabled WDS despite what we had been told.  Then, they tried to blame the drivers on the PC’s that we owned and then blamed the ACS server.  We reiterated all the data we had collected and how we pinpointed the 1130 as the problem.  We even had three other network detectors identify the corrupted SSID’s as well as the PC’s.  The AirMagnet showed that these SSID’s were coming from one of the 1130’s.  Cisco refused to consider them a problem.

We had no choice at this point, since it was a production day and nothing was working.  Since WDS was disabled now, I decided to turn off the 1130 that AirMagnet identified as the problem device.  That immediately cleared up the problem and users were associating with the one remaining device.  I asked for an RMA, but they refused.  I had another spare unit and told Cisco that if I replace the defective one with that and it solves the problem, then I want one year of free SMARTnet (Cisco support) for my company.  They refused, of course, and I subsequently refused to try my spare unit.

Well, things went along for about a week and sure enough, I come in one day to find irate users unable to get on our wireless network.  Debugging the 1130 showed that it was not sending RADIUS packets to the ACS.  Further debugging showed that the AAA (Authentication, Authorization and Accounting) module was getting a malloc (memory allocation) error.  Cisco TAC could not assist, so I simply did a power reset on the device to clear it.  Again, we were up and running, but getting very skeptical that we could proceed with this product.  It was just too flakey and support was non-existent.

At this point, I was thinking; hey, I bought a couple of $40 Netgear wireless routers for my daughters when they went to college and they have worked perfectly fine for them and their roommates for years.  What about going to  Fry’s and fixing this for less than $100.  Seems possible, but we need the additional security capabilities of an enterprise device.  But, it might work in a pinch.

The final straw came about a week later.  Users complained and I had the CEO and CFO telling me to get this fixed now!  We powered up the AirMagnet and sure enough, the corrupted SSID’s were back and plaguing the network.  A power reset did not fix it this time.  A frantic call to Cisco TAC and they immediately started asking about the device drivers on the PC’s and the configuration of the ACS.  My tech continued to talk with them and I walked away in disgust.  Needing an immediate short-term answer, I powered up the old 1130 and turned off the production one.  Usersr started to authenticate and executive meetings went on without an error.

I know this will only last for another few days before it breaks again and Cisco wireless is doomed at the company.  It has proven to be incredibly difficult to maintain and manage and the lack of knowledgeable support is unacceptable.  New devices are on their way, so stay tuned as we try to find an enterprise solution that works.

Reblog this post [with Zemanta]

Article by Steve Van Domelen

Steve has written 47 awesome articles.

2 Pingbacks/Trackbacks

Previous post:

Next post: