Wiser over Cisco AnyConnect VPN on iPad

Discussion in 'C-Bus Wiser 1 Controller' started by Charlie Crackle, Mar 2, 2012.

  1. Charlie Crackle

    Charlie Crackle

    Joined:
    Aug 3, 2004
    Messages:
    815
    Likes Received:
    8
    Location:
    Melbourne
    Wireshark

    This is a follow-on from the previous post as I could not attach more than 5 attachments.

    Below is what Laptop B gets on the screen.

    Laptop B can ping Laptop A and the Wiser and the CNI.

    Attached are the Wireshark traces from Laptop A that works and Laptop B that does not work. (Add a filter "ip.addr == 10.57.1.90" to filter out the other network traffic.)

    From what I can see the Wiser resets the TCP connection to Laptop B. (see next post)
    Laptop B keeps trying and the Wiser just keeps resetting the connection.

    Can anyone pinpoint the problem?
     

    Last edited by a moderator: Apr 25, 2012
    Charlie Crackle, Apr 25, 2012
    #21
  2. Charlie Crackle

    Charlie Crackle

    Follow on from last 3 posts.
     

    Charlie Crackle, Apr 25, 2012
    #22
  3. Charlie Crackle

    Charlie Crackle

    Case 21863

    I am getting very frustrated with the official support system. I am being told by our account managers that we need to log faults on the official support number, otherwise there is no visibility of problems and engineering resources cannot be allocated. This all makes good sense. I tried to log this case today via the official channels as I have not had a response on the forum. This turned out to be difficult. I was told if it is already on the forum then the engineers already know about it and there is no point logging the case. It took a lot of explaining that I want to get this issue in the internal system so some resources can be allocated to it, as the engineers are very good at helping on the forum but I am sure have other projects and pressures and timelines. This problem has been logged via official channels: CASE 21863.
     
    Charlie Crackle, May 3, 2012
    #23
  4. Charlie Crackle

    qun

    Joined:
    Sep 27, 2004
    Messages:
    16
    Likes Received:
    0
    Hi Charles,
    A case number 21863 has been created on our database (Salesforce).

    From reading the conversation on the C-Bus Forums, it was suggested that you configure port forwarding on the Router and link the LAN to WAN on the Wiser unit.

    I understand that the site isn't connected to the Internet, but Laptop B connects to the Router WAN and Laptop A connects to the Router LAN; the difference between Laptop B and Laptop A is that Laptop B is accessing the Wiser UI remotely and Laptop A locally.

    To let Laptop B access the Wiser, I have two suggestions for you to test.

    1. Keep the Wiser connection as Option B and configure port forwarding on the Router; it is required if using the Option B connection.
    Note: the Wiser LAN port is 80, so ensure no other devices use port 80 on the same subnetwork.

    2. Change the Wiser connection to Option C and configure the Router to bridge mode; then you don’t need to configure port forwarding on the Router.
     
    qun, May 3, 2012
    #24
  5. Charlie Crackle

    Charlie Crackle

    I have just had an update on the problem.

    I have been told that WISER does not support 10.x.x.x addresses on the LAN PORT.

    There are bugs when using this subnet and I should be using 192.168.x.x addresses.

    I have also been told not to use a static address with a number over 100 as there are also known bugs with static addresses over 100.

    I almost fell off my chair. These are MAJOR flaws in the product.

    When I asked if the issue would be fixed I was told no. They have been there for more than 2 years. They are working on the "WISER 2" product and faults in old products are not having engineering resources spent on them.

    When I asked if I could get a refund on this faulty product I was told "would you get a refund from Microsoft for bugs".

    Well, actually you can get a refund from Microsoft. Since Jan 2011 Microsoft have had to change their licence agreement when they sell in Australia so that they cannot waive consumer law rights.

    http://www.accc.gov.au/content/index.phtml/itemId/1023610


    Can someone please confirm what I am hearing...
     
    Charlie Crackle, May 3, 2012
    #25
  6. Charlie Crackle

    tobex

    Joined:
    Nov 3, 2006
    Messages:
    728
    Likes Received:
    0
    Location:
    Sydney, Australia
    There is a reason why you never let engineers answer emails. As clearly demonstrated above. The nett result of this exchange is to undo millions of dollars of marketing, image and brand development. It works along the same logic as a few dozen rivets popping out and sinking the Titanic.

    Though I am totally pleased with the discoveries of the members here. That idea that numbers above 100 are lethal is one that would never have come up in normal troubleshooting.

    Though it is clear that the product limitations are
    - poorly documented
    - undefined

    The >100 problem is not a basis for return unless you can show that the site already had IP numbers allocated and the only available number was 101 and higher.

    The 10.-.-.- problem is also one that needs to be explained in the manual. There are many routers which have this problem. This is not unique. But in the other cases the information is indicated.

    Perhaps if you can show that you are the department of health, who only uses 10.-.-.- then it would seem to be a case.

    You can't imagine Cisco or Motorola having this problem.
     
    Last edited by a moderator: May 4, 2012
    tobex, May 4, 2012
    #26
  7. Charlie Crackle

    Charlie Crackle

    Thanks tobex, are you confirming these limitations? I think they are major limitations that would warrant a "Field notice" or a note so you would be aware before you bought the product if it affected you.

    I agree only if it was noted in the manual or in a Field notice when you bought the product. Any person would not be expected to know this limitation. In my case I am using an address <100 so it is not an issue. I don't know why it was even mentioned in relation to my case. I was just annoyed that I can spend hours troubleshooting issues at my cost when they have been known for years and they are not going to be fixed anyway and not publicly documented.

    Can you imagine this: "We know the brakes in your car can fail if you are traveling 150km/h but you should never be going that fast so no point warning you about the issue. We are fixing this in the next model but not the current model."

    It may not be unique but I do not expect it from "CLIPSAL"; this is high quality, high cost equipment. If it is known then it should be clearly documented.


    Yes, but I need to know beforehand so I can allow for it in the install quote.
    Customer would love seeing a line in their bill for 5 hours spent readdressing their existing 40 network devices. (Telstra modems come standard using 10.0.0.0)



    In the 15 years I have been working with Cisco I have not seen it.


    If I change the Wiser to 192.168.0.x, will my configuration work? Is the Laptop B network 172.16 address range going to have issues?
     
    Last edited by a moderator: May 4, 2012
    Charlie Crackle, May 4, 2012
    #27
  8. Charlie Crackle

    Ingo

    Joined:
    Dec 2, 2006
    Messages:
    290
    Likes Received:
    1
    Location:
    South Africa
    This is getting interesting, I am following this with great interest and being in the Network game myself I don't know of any Cisco, or any other major vendor, device exhibiting these limitations. Bottom line, if you play in the Network game then your product must at least do the basics right.

    Ingo
     
    Ingo, May 4, 2012
    #28
  9. Charlie Crackle

    kjayakumar

    Joined:
    Oct 27, 2008
    Messages:
    448
    Likes Received:
    0
    Hi Charlie,

    Sorry to hear that you're running into problems. Here is what I understand about your setup so far:
    Wiser LAN IP = 10.57.1.90
    Wiser WAN = unconnected
    Laptop A = 10.57.1.50
    Laptop B = 172.16.57.131 (via router 10.57.1.1)


    Laptop A is on the LAN. Laptop B is NOT on the LAN. Can you check by going to the Wiser UI from Laptop A, to Tools->Remote Access (wait 1 minute or so), then check that Projector Control Enabled has a green light. If my understanding is correct, your Wiser will be showing Projector Control in red, ie: remote access to the projector ( port 8888 ) disabled. That is why I believe Laptop B cannot connect to C-Bus because when Laptop B (172.16.57.131), goes through your router's (10.57.1.1) dynamic NAT, its remote IP remains as 172.16.57.131 which means it is NOT on the LAN. You can see this from the wireshark trace you posted which shows the RST packet being sent to 172.16.57.131.

    Hope that helps.
     
    kjayakumar, May 4, 2012
    #29
  10. Charlie Crackle

    DavidS

    Joined:
    Aug 21, 2004
    Messages:
    12
    Likes Received:
    0
    Location:
    Sydney
    Hi Charlie

    Had a similar problem with a 10. IP address. For 6 months or more, same answers, hasn't been fixed. After reading a few items and a lot of time-wasting playing around, I found that if I changed the subnet on my laptop from 255.255.255.0 to 255.0.0.0 everything worked fine and the problem went away. Not good, but it solved my problem. Might fix yours.
     
    DavidS, May 5, 2012
    #30
  11. Charlie Crackle

    kjayakumar

    I think the big problem here is that it is hard to identify what the root cause of a problem is without describing the network setup of each device that is involved. For example, in the above, if a change of subnet on your laptop fixed an issue, then that would indicate that the problem was for the laptop to connect to the Wiser rather than the problem Charlie is describing. In Charlie's case, the laptop is able to connect to the Wiser but the Wiser subsequently rejects the connection to the C-Bus Projector Control/XML port (8888) (correctly so, since the Wireshark capture Charlie provided shows that Laptop B is coming in as a NOT-on-LAN IP address).
     
    Last edited by a moderator: May 5, 2012
    kjayakumar, May 5, 2012
    #31
  12. Charlie Crackle

    Charlie Crackle

    Definitions

    Thanks for the help. The router is NOT doing any DYNAMIC NAT. It is a simple plain jane ROUTER ONLY not a NAT device or a FIREWALL.

    Projector control is not enabled.

    There seems to be some confusion over LAN and WAN mode.

    My understanding in the WISER CONTEXT:

    WAN (wide area network) is connected to the WAN physical port (regardless of subnet)

    LAN (local area network) is connected to the LAN physical port (regardless of subnet)



    LAN does not mean one subnet. A building may have multiple subnets one for each floor and these are all considered LAN


    The wiser is in LAN mode (OPTION B in the manual)
    In this mode the Physical WAN port is not connected.

    In the PICED project there is a special TAB LAN "Use WISER as a LAN device"
    to enter the default gateway for the LAN and the DNS servers with a tick box that says "allow access from wiser LAN Ports."

    Why is this TAB there if not to support exactly my configuration?


    I have gone through the manual re the Projector control.

    I have turned Projector Control on and rebooted.

    Hey Presto all works for this example Laptop B can now connect.

    Thank you

    It is clear that the documentation is lacking in the LAN mode application.
    The documentation for projector mode needs to include the LAN mode with multiple subnets.



    But unfortunately this does not fix the initial problem.

    It still hangs at the "Network OK" when using it over a Cisco AnyConnect VPN.



    In this case the IP addressing is all 10.x.x.x and maybe I am now hitting the 10 address problem.

    Could someone please explain TECHNICALLY what the 10.x.x.x and the IP address over 100 problem actually is? Can a TECH NOTE please be written?
    I think us installers need to be aware of such things.

    Charles
     

    Last edited by a moderator: May 5, 2012
    Charlie Crackle, May 5, 2012
    #32
  13. Charlie Crackle

    kjayakumar

    My pleasure, glad to hear that Laptop B now works.

    For the 2nd part, I'm not familiar with anyconnect vpn. Is the "Network OK" a message from the Wiser or something else?
     
    kjayakumar, May 5, 2012
    #33
  14. Charlie Crackle

    Charlie Crackle

    10 addresses

    The "Network OK" is from the Wiser. The problem is the same as before: initial connection, authentication, then it stops.

    The only difference now is that the client is a 10 address, not a 172.16 address.

    Can someone who knows please chime in on what the actual issue is with Wiser and 10 addresses?

    Or do I need to get Wireshark out again?

    Charles
     
    Charlie Crackle, May 5, 2012
    #34
  15. Charlie Crackle

    Charlie Crackle

    LAN and WAN IPAD/IPHONE application

    After taking another Wireshark trace I got it working.

    On the iPhone/iPad I needed to put the same IP address in the WAN and LAN settings. I only had an entry in the LAN section.

    So all working with the 10 address range?

    Can a tech note please be written on what the actual issue is with 10 addresses and static IP over 100 so we don't have to learn by trial and error?

    I noticed that with the iPad VPN connected (VPN icon) near the wifi icon it said connecting over WAN.

    Can someone please explain how the iPad network selection works?

    When VPN is on on the iPad/iPhone, is WAN selected?

    It cannot be as simple as wifi LAN IP and 3G WAN IP.

    Does it look at the IP address of the network and compare with the LAN address, and if same subnet then LAN, otherwise WAN?

    Does it try LAN first and if that fails then do WAN?

    When does the "Warn over 3g" come up?

    I also think a document needs to be written which clearly explains WAN and LAN as Wiser defines them and not us networking people.

    Happy it is working just wish the ride was smoother...

    Charles
     
    Charlie Crackle, May 6, 2012
    #35
  16. Charlie Crackle

    kjayakumar

    Glad to hear that it is working now. What was the IP address of the iPad and what IP address did you put into the LAN and WAN on the iPad/iPhone's Wiser client config? If I base things on your picture, it is:
    iPad = 10.57.11.50/255.255.255.0 = 10.57.11.x segment
    Wiser = 10.57.1.90/255.255.255.0 = 10.57.1.x segment

    Based on above, the Wiser is not on the iPad's LAN segment. That would explain why you needed to put the IP address into the WAN field of the iPad/iPhone client config.

    Yes, it looks like you have it working properly with the 10.x.x.x address range. On the tech note question, I suspect the person who talked to you misunderstood the recommendation that Wiser is typically used only with Class C/24 networks, ie (max 255 nodes). I'm worried if that person is also expounding on vapourware products. It sounds like they gave you poor/incorrect advice and that this person hasn't taken the time to understand your setup. (By the way, nice diagrams and wireshark trace, if more people provided that level of detail, it'd be a lot easier to get things working).

    I'm not that familiar with the iPhone/iPad, but here's what I believe it does:
    - determine its own IP address and subnet mask
    - check if Wiser's LAN IP (in iPad/iPhone apps config) is on same LAN segment as the iPhone/iPad
    - if so, then connect to that IP
    - if fails, then connect to WAN IP (if provided)
    - if not on same LAN segment, then connect to WAN IP (if provided)

    Ok, glad it is working.
     
    kjayakumar, May 8, 2012
    #36
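
    Added example, not from any poster or from Clipsal: a Python model of the same-segment test that posts #29 and #36 describe, run on the addresses quoted in the thread. The function names, the `lan_reachable` flag and the 255.0.0.0 case applied to the iPad address are assumptions for illustration; this is not the Wiser's or the app's actual code.

```python
import ipaddress


def same_segment(local_ip, netmask, remote_ip):
    """True if remote_ip lies inside the subnet defined by local_ip/netmask."""
    network = ipaddress.ip_interface(f"{local_ip}/{netmask}").network
    return ipaddress.ip_address(remote_ip) in network


def choose_target(client_ip, client_mask, lan_ip, wan_ip=None, lan_reachable=True):
    """Client-side choice as outlined in post #36 (a model, not the app's code).

    Use the LAN entry only when it is on the client's own segment and answers;
    otherwise fall back to the WAN entry if one was configured.
    """
    if same_segment(client_ip, client_mask, lan_ip) and lan_reachable:
        return ("LAN", lan_ip)
    if wan_ip:
        return ("WAN", wan_ip)
    return (None, None)  # nothing usable configured: the client has no target


def wiser_accepts_8888(wiser_ip, wiser_mask, src_ip, remote_access_enabled):
    """Device-side gate as described in post #29 (a model, not firmware code).

    Port 8888 is accepted from sources on the Wiser's own segment, or from
    anywhere once Projector Control remote access is enabled.
    """
    return remote_access_enabled or same_segment(wiser_ip, wiser_mask, src_ip)


# Addresses quoted in the thread.
WISER_IP, WISER_MASK = "10.57.1.90", "255.255.255.0"
LAPTOP_A = "10.57.1.50"
LAPTOP_B = "172.16.57.131"
IPAD = "10.57.11.50"

if __name__ == "__main__":
    # Laptop A is on the Wiser's /24; Laptop B arrives with a routed source IP.
    for name, src in (("Laptop A", LAPTOP_A), ("Laptop B", LAPTOP_B)):
        for enabled in (False, True):
            ok = wiser_accepts_8888(WISER_IP, WISER_MASK, src, enabled)
            print(f"{name} -> 8888, remote access {enabled}: "
                  f"{'accepted' if ok else 'reset'}")

    # iPad behind the VPN: LAN entry only, then the same IP also in WAN.
    print(choose_target(IPAD, "255.255.255.0", WISER_IP))
    print(choose_target(IPAD, "255.255.255.0", WISER_IP, wan_ip=WISER_IP))

    # Constructed case: a 255.0.0.0 mask on the client (the workaround from
    # post #30) makes every 10.x.x.x host count as "same segment".
    print(choose_target(IPAD, "255.0.0.0", WISER_IP))
```

    The last case shows why a wider mask changes the outcome: with 255.0.0.0 the whole 10.0.0.0/8 range is classified as local, which is a much larger set of hosts than the /24 the device is configured for.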
  17. Charlie Crackle

    tobex

    I have been working closely with Mercedes products for almost 10 years and I know that the same issue affected 700,000 E-Class vehicles. The issue was ultimately found to be that people were making short-cuts in both workshop procedures and material costs because they didn't know and didn't have the diagnostic tools. Hence the hydraulic SBC brakes pump unit failed. I don't know if you are referring to that car but I recall that it took Mercedes a long time to figure out that it was human intervention that caused the issue.


    With regards to Telstra and the default 10.0.0.0 standard, I had much joy in trying to figure out what I could do on my own. In the end I used "Cisco" based thinking and determined that I could add and delete whatever I needed to in order to bring the system back to 192.xxx.xxx.xxx. In one post I made in this forum I indicated that you have to disable DHCP in order to manipulate the parameters. Therefore you have to work off fixed IP addressing in order to maintain the laptop connection.

    A really neat trick is to have the WIFI and LAN connected at the same time and have one port on the old IP addressing and one port set on the new IP addressing so that you can keep the admin screen active before and after you change all the main parameters. Just a little time saving trick.
     
    Last edited by a moderator: May 8, 2012
    tobex, May 8, 2012
    #37
  18. Charlie Crackle

    kjayakumar

    On the Mercedes analogy, I'm sorry if anyone from Clipsal/Schneider gave you such an impression, it upsets me too. On the other stuff you wrote, sorry, but I couldn't follow it. Is it related to Charlie's issue? I think based on what I understood so far, Charlie's issue had to do with a difference in understanding of what the LAN field in the iPhone/iPad app config page meant.
     
    kjayakumar, May 8, 2012
    #38
  19. Charlie Crackle

    tobex

    Yeah Charlie was annoyed that Telstra bundles 10.0.0.0 as the default for all routers. It takes a few tips and tricks to change it because Telstra won't tell you how to do it. I think I mentioned that in the past.

    Because it is the default, many installers don't want to re-invent the wheel and deal with Telstra non-support. Therefore we hit a brick wall and find that the Telstra supported default doesn't work for Wiser under certain conditions. Which is an undocumented issue.
     
    Last edited by a moderator: May 8, 2012
    tobex, May 8, 2012
    #39
  20. Charlie Crackle

    Charlie Crackle

    Yes, you are correct, and yes, it all makes perfect sense when LAN means "subnet on the LAN physical port" and not coming in on the "LAN physical port".

    I am glad you cleared this up. This again makes perfect sense and has nothing to do with 10 addresses, just subnet masks. I noticed the UI only had /24 mask options. You are making me happy and bringing back the "Clipsal quality". I wish people who don't know would realise they don't. (It can do a bit of damage.) I suppose this takes years of experience. Once again thanks for your help. The Wiser to date has been a reliable device.

    Are IP addresses over 100 really an issue then? (This is easy to work around, just need to know it is an issue.)

    Charles
     
    Last edited by a moderator: May 8, 2012
    Charlie Crackle, May 8, 2012
    #40