If a Meraki gateway AP is having problems contacting the Meraki Cloud through your firewall, content filter, or proxy server, you will experience the following issues and alerts on your Meraki network and Dashboard:
- "This device has poor connectivity to the Meraki controller, possibly due to an asymmetric firewall or NAT issue." is reported on the AP details page in Dashboard.
- Yellow AP icon on the Monitor > Access Points page and AP detail page.
- Orange bars on the connectivity graph.
- "Gateway warning (bad connectivity to controller, possible firewall or NAT issue)" appears when you place your pointer over the connectivity graph on the AP detail page.
- You see your wireless network appended with "g-bad-gateway".
- The radio light on your AP is solid orange and the green signal lights are flashing on and off.
- Wireless clients cannot connect to your wireless network.
This is caused by an upstream firewall that is not performing stateful packet inspection. In this instance, the AP's TCP SYN packet reaches the Cloud. When the Cloud responds to the AP with a TCP SYN/ACK, the firewall drops it. The AP, waiting on the TCP SYN/ACK, never receives it, so the AP never sends the acknowledging TCP ACK back to the controller and the TCP connection is never established. This is called one-way traffic.
This issue can also be caused when you have two different routers connected to your LAN segment to route traffic to different networks. In this instance, traffic from a remote network enters the LAN through one router's interface and is sent to a LAN device. When the LAN device replies, it sends the reply to the other router's interface. The router receiving the frame discards the packet because it only sees half of the connection.
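To confirm the one-way pattern described above from a packet capture taken on the AP's LAN segment, the following Python example (added here, not Meraki's own code or tooling) flags connections where the AP sent repeated SYNs but no SYN/ACK ever came back. It assumes the capture has already been exported to (time, src, sport, dst, dport, flags) tuples; the addresses and ports in the sample are constructed placeholders.

```python
from collections import Counter

# Constructed sample of TCP packets captured on the AP's LAN segment.
# Each entry is (time_s, src, sport, dst, dport, flags). Addresses and ports
# are placeholders, not real Meraki cloud endpoints.
AP_ADDR = "192.0.2.10"
SAMPLE_PACKETS = [
    # AP tries to reach the cloud: SYN goes out, nothing ever comes back,
    # so the AP keeps retransmitting the SYN (one-way traffic).
    (0.00, AP_ADDR, 51000, "203.0.113.5", 4433, "S"),
    (1.00, AP_ADDR, 51000, "203.0.113.5", 4433, "S"),
    (3.00, AP_ADDR, 51000, "203.0.113.5", 4433, "S"),
    # A healthy three-way handshake to another host, for comparison.
    (0.50, AP_ADDR, 51001, "198.51.100.20", 443, "S"),
    (0.52, "198.51.100.20", 443, AP_ADDR, 51001, "SA"),
    (0.53, AP_ADDR, 51001, "198.51.100.20", 443, "A"),
]


def one_way_flows(packets, ap_addr, min_syns=2):
    """Return {(dst, dport, sport): syn_count} for connections the AP tried to
    open where no SYN/ACK was ever seen coming back to the AP.

    A flow listed here with repeated SYNs matches the symptom in the article:
    the SYN leaves, the SYN/ACK is dropped upstream (stateless firewall or
    asymmetric routing), so the AP never sends its final ACK.
    """
    syns = Counter()
    answered = set()
    for _, src, sport, dst, dport, flags in packets:
        if src == ap_addr and flags == "S":
            syns[(dst, dport, sport)] += 1
        elif dst == ap_addr and flags == "SA":
            # Key by the AP's view of the flow so it matches the SYN key.
            answered.add((src, sport, dport))
    return {flow: n for flow, n in syns.items()
            if flow not in answered and n >= min_syns}


if __name__ == "__main__":
    for (dst, dport, sport), n in one_way_flows(SAMPLE_PACKETS, AP_ADDR).items():
        print(f"{AP_ADDR}:{sport} -> {dst}:{dport}: {n} SYNs, no SYN/ACK seen "
              "(check for a stateless firewall or asymmetric routing)")
```

A flow that shows a SYN/ACK but no final ACK from the AP would point at a different problem than the one this article describes, so it is deliberately not reported.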
To isolate and potentially remedy these issues and alerts please try the following:
- Move your AP to a different network segment where other APs are working and then analyze the difference in the path to the internet.
- Verify that your firewall or any other security devices within your network are not modifying the AP traffic.
- Allow your AP to bypass your firewall, content filter, proxy server or any other security devices.
- Make sure your firewall is performing stateful packet inspection which allows incoming packets if they are part of an ESTABLISHED connection.
- Make sure you only have a single entry and exit interface on your LAN segment.
For more information on configuring your firewall to support the Meraki Cloud, please review this KB:
Firewall Rules for Cloud Connectivity