It looks like a Mac problem, but...

Kelly

This is a weird one. Yesterday I switched over our gateway hardware by changing the IP addresses on them, so [old gateway] is now X.X.X.254 and [new gateway] is X.X.X.1. Today, about 75% of our Macs cannot connect. They are running from OS X 10.9.X through current versions, nothing consistent there. We have some connecting via TB2 to ethernet dongles, some through Thunderbolt displays, both ones that work and ones that do not. 100% of the tested 2016/2017 MBPs work. 100% of the Windows and Linux machines work. Reboots do not seem to fix the issue. I haven't tried clearing the ARP table, but that is next.

Any thoughts?

dafyre

I would definitely start with clearing the arp tables.

scottalanmiller

Can they ping locally? Can they ping the gateway?

Kelly

@scottalanmiller said in It looks like a Mac problem, but...:

Can they ping locally? Can they ping the gateway?

Yes to both. Changing gateway to x.x.x.254 works (so old gateway).

JaredBusch

@kelly said in It looks like a Mac problem, but...:

@scottalanmiller said in It looks like a Mac problem, but...:

Can they ping locally? Can they ping the gateway?

Yes to both. Changing gateway to x.x.x.254 works (so old gateway).

Are they properly getting the updated DHCP? I have had major issues with my MBP on an older OS version with it not accepting new DHCP info when setting up a new router.

Did you set one up static and does it fail?

Kelly

@jaredbusch said in It looks like a Mac problem, but...:

@kelly said in It looks like a Mac problem, but...:

@scottalanmiller said in It looks like a Mac problem, but...:

Can they ping locally? Can they ping the gateway?

Yes to both. Changing gateway to x.x.x.254 works (so old gateway).

Are they properly getting the updated DHCP?

Did you set one up static and does it fail?

So the gateway address did not change, just the device that has that address. DHCP release/renew makes no difference. Changing to static address with x.x.x.1 as the gateway does not work.

Dashrender

OK if the IP didn't change, but the MAC address did, sounds like an ARP cache issue.

JaredBusch

@kelly said in It looks like a Mac problem, but...:

@jaredbusch said in It looks like a Mac problem, but...:

@kelly said in It looks like a Mac problem, but...:

@scottalanmiller said in It looks like a Mac problem, but...:

Can they ping locally? Can they ping the gateway?

Yes to both. Changing gateway to x.x.x.254 works (so old gateway).

Are they properly getting the updated DHCP?

Did you set one up static and does it fail?

So the gateway address did not change, just the device that has that address. DHCP release/renew makes no difference. Changing to static address with x.x.x.1 as the gateway does not work.

No clue then. I have never had a problem when setting one statically.

My problems always occurred when setting up a new ERL or such and the MBP kept refusing to come online with the new IP from the ERL's DHCP server.

Dashrender

Is the new firewall blocking those machines for some reason? i.e. the new firewall see them as an attack? Anything in the logs?

Kelly

@dashrender said in It looks like a Mac problem, but...:

OK if the IP didn't change, but the MAC address did, sounds like an ARP cache issue.

Clearing the cache didn't fix it.

Kelly

@dashrender said in It looks like a Mac problem, but...:

Is the new firewall blocking those machines for some reason? i.e. the new firewall see them as an attack? Anything in the logs?

I'll take a look.

Dashrender

@kelly said in It looks like a Mac problem, but...:

@dashrender said in It looks like a Mac problem, but...:

OK if the IP didn't change, but the MAC address did, sounds like an ARP cache issue.

Clearing the cache didn't fix it.

after clearing it, did you look at the cache to see if the IP matched the desired MAC address?

Kelly

Well, the solution was no less peculiar. In my firewall config I had specified authenticated users for LAN to WAN in my work to set up VPN. This setting affects all outbound traffic. The Macs that were affected are the ones that have not yet been joined to Active Directory. This is a really cool setting that I'll be turning back on when we're actually ready for it.

Dashrender

@kelly said in It looks like a Mac problem, but...:

Well, the solution was no less peculiar. In my firewall config I had specified authenticated users for LAN to WAN in my work to

What firewall?

Kelly

@dashrender said in It looks like a Mac problem, but...:

@kelly said in It looks like a Mac problem, but...:

Well, the solution was no less peculiar. In my firewall config I had specified authenticated users for LAN to WAN in my work to 

What firewall?

Juniper SRX.

dafyre

Nice to know it was working as intended, right? lol.

Dashrender

@kelly said in It looks like a Mac problem, but...:

@dashrender said in It looks like a Mac problem, but...:

@kelly said in It looks like a Mac problem, but...:

Well, the solution was no less peculiar. In my firewall config I had specified authenticated users for LAN to WAN in my work to 

What firewall?

Juniper SRX.

I'm guessing some big money for that UTM.

Kelly

@dashrender said in It looks like a Mac problem, but...:

@kelly said in It looks like a Mac problem, but...:

@dashrender said in It looks like a Mac problem, but...:

@kelly said in It looks like a Mac problem, but...:

Well, the solution was no less peculiar. In my firewall config I had specified authenticated users for LAN to WAN in my work to 

What firewall?

Juniper SRX.

I'm guessing some big money for that UTM.

About $2k for each node. We have an HA pair.

Dashrender

@kelly said in It looks like a Mac problem, but...:

@dashrender said in It looks like a Mac problem, but...:

@kelly said in It looks like a Mac problem, but...:

@dashrender said in It looks like a Mac problem, but...:

@kelly said in It looks like a Mac problem, but...:

Well, the solution was no less peculiar. In my firewall config I had specified authenticated users for LAN to WAN in my work to 

What firewall?

Juniper SRX.

I'm guessing some big money for that UTM.

About $2k for each node. We have an HA pair.

What was the reasoning behind the purchase?

Kelly

@dashrender said in It looks like a Mac problem, but...:

@kelly said in It looks like a Mac problem, but...:

@dashrender said in It looks like a Mac problem, but...:

@kelly said in It looks like a Mac problem, but...:

@dashrender said in It looks like a Mac problem, but...:

@kelly said in It looks like a Mac problem, but...:

Well, the solution was no less peculiar. In my firewall config I had specified authenticated users for LAN to WAN in my work to 

What firewall?

Juniper SRX.

I'm guessing some big money for that UTM.

About $2k for each node. We have an HA pair.

What was the reasoning behind the purchase?

I'm not sure what you're getting at.