Mobile devices won't connect to internet, will connect to intranet

  • Question
  • Updated 4 years ago
  • Answered
Ruckus ZD1106
9.6.1.0 build 15
APs (2): zf7363

Client has two locations, VPN between both locations.
One AP is on the 192.168.1.x subnet, one AP is on the 192.168.10.x subnet.
Issue is with the 192.168.10 AP. Laptops and mobile devices connect fine and are able to access the internal network. Laptops are also able to access the internet without restriction, meaning they behave in the way you would expect devices would on a typical wireless network.

Mobile devices (iOS and Android) can access the internal network just fine but cannot access the internet. There is no ACL, no subnet restriction (they're not connecting through guest access anyway), no web filtering, etc.

Mobile devices connect and have internal and internet access from the 192.168.1 AP, and work as you would expect. Both APs are in the same group, same WLAN, no VLANs or other custom settings.

DHCP is from the network, not the ZD, and there's no problem with obtaining IP addresses and the scope options (DNS servers, etc.).

Odder still, you can ping out from a 192.168.10 mobile device to the internet but cannot access HTTP, etc. (routing = okay). I would assume there might be a restriction somewhere in a network not allowing internet access, but that's not the case. Laptops have no issue.

Rebooting of the ZD, mobile devices, APs has no effect.

Does anyone know of a specific issue with mobile devices that might cause this behavior?
Chris Weis


Posted 4 years ago

Keith - Pack Leader

This sounds like maybe an MTU/Fragmentation (or rather Do Not Fragment) issue. The fact a VPN is involved lends credence. Web servers try to use the biggest packet possible and they generally set the DNF (Do Not Fragment) bit (instead they expect to negotiate MTU via ICMP PMTU discovery).

So, it's likely something in your network is preventing PMTU from reaching the source web servers. They are sending too-large packets which are getting dropped at the tunnel.
Keith - Pack Leader

I was afraid you were going to ask that :) Nothing I can think of, but the symptoms are classic PMTU blackhole.

But I wonder if the PC operating systems are maybe doing some PMTU probing of their own and adjusting accordingly.
Chris Weis

Genius! It was the MTU. Well done Keith.
Keith - Pack Leader

Very old and near-dead brain cells at work... Glad to hear it!
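
Added example, not part of the thread: a small Python model of the PMTU black hole diagnosed above. It shows why small pings pass while full-size Do Not Fragment packets stall once the ICMP "fragmentation needed" reply is filtered, and how ICMP-independent probing (RFC 4821 style) would still find the path MTU. The 1500/1400 MTU values, the `Hop` class and all function names are assumptions made for illustration, not data from this network.

```python
# Constructed model of a path-MTU black hole; all MTU values are assumptions,
# not measurements from the thread's network.
from dataclasses import dataclass

@dataclass
class Hop:
    mtu: int                   # largest IP packet this link carries
    icmp_reaches_sender: bool  # does "fragmentation needed" get back to the sender?

def send(path, size, df=True):
    """Return ('delivered', None), ('icmp', next_hop_mtu) or ('dropped', None)."""
    for hop in path:
        if size > hop.mtu:
            if not df:
                continue  # router fragments the packet; it still arrives
            if hop.icmp_reaches_sender:
                return ("icmp", hop.mtu)
            return ("dropped", None)  # silent loss: the black hole
    return ("delivered", None)

def classic_pmtud(path, size, max_tries=5):
    """RFC 1191 style: shrink only when an ICMP error says so."""
    for _ in range(max_tries):
        result, mtu = send(path, size)
        if result == "delivered":
            return size
        if result == "icmp":
            size = mtu  # a silent drop leaves size unchanged, so it is resent as-is
    return None  # every retransmission was lost: the connection stalls

def probing_pmtud(path, low=576, high=1500):
    """RFC 4821 style: binary-search the size using delivery alone, no ICMP."""
    while low < high:
        mid = (low + high + 1) // 2
        if send(path, mid)[0] == "delivered":
            low = mid
        else:
            high = mid - 1
    return low

def clamp_mss(path_mtu, ip_header=20, tcp_header=20):
    """TCP MSS that keeps full-size IPv4 segments within the path MTU."""
    return path_mtu - ip_header - tcp_header

GOOD_PATH = [Hop(1500, True), Hop(1400, True)]        # LAN, then tunnel; ICMP returns
BLACKHOLE_PATH = [Hop(1500, True), Hop(1400, False)]  # same path, ICMP filtered

if __name__ == "__main__":
    print(send(BLACKHOLE_PATH, 84), classic_pmtud(BLACKHOLE_PATH, 1500))
```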