30 Jan 2020

Poor Wifi Performance with Meraki and Zebra


Had a customer getting poor performance between a Meraki AP and a Zebra scanner. The new custom app would freeze and lock up.

I checked the Wifi installation and, apart from some AP mounting issues, the wireless was good.

Speed tests from the device to the WLAN Pi were showing 400 Mbps, and using Wifi scanners there were very few retransmissions.

Next was a Wifi capture using an AirCheck G2. Make sure you capture the connection to the network (the 4-way handshake) so you can decrypt the packets later in Wireshark.

Analysis in Wireshark showed a lot of TCP retransmissions, but why?

Pings from the network to the wireless device were rock solid and were < 1 ms, and this is where I should have realised something was wrong. It was too good for a wireless network, but I did not pick this up.

Meraki are great: you can do packet captures on the wireless and wired side of the AP.

A capture on the wireless side showed the same as the AirCheck G2 capture: a lot of TCP retransmissions and resets.

I do not know why but I did a capture on the WIRED side and I was glad I did.

This showed another MAC using the same IP address (a printer!)

Was the issue as simple as a duplicate IP? After checking the DHCP scope, the printer's static IP was exactly in the DHCP range!

Changing the printer to be a DHCP reservation and rebooting the wireless device, the device got a new IP and all was working fine.

This was good news, as the customer was going to get another scanner to test with; it would have worked perfectly and they might then have wrongly assumed that the other scanner was faulty.

After talking to the IT support dept, they had received calls about issues with the printer but thought they were resolved, as the scanner had not been used over the last 2 weeks (till I came in!)

Contributing to this was the LONG DHCP lease time, so the scanner kept getting the same IP address from DHCP.


So a wireless issue was a simple duplicate IP.

I should have picked this up at the PING stage: I was pinging the printer on the LAN, not the wireless device!

But I did resolve the AP install issues and optimised the wireless for these devices.
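
The two checks that expose this kind of fault, as an added example (not part of the original post): read the sender IP and MAC out of ARP payloads from a wired-side capture and flag any IP claimed by more than one MAC, then flag statically addressed hosts that sit inside the DHCP pool. The payloads, MACs, addresses and pool range are constructed sample values.

```python
import ipaddress
import struct
from collections import defaultdict

# Constructed ARP payloads (28 bytes each, hex) standing in for frames from a
# wired-side capture. MACs, IPs and the DHCP pool are sample values.
ARP_PAYLOADS = [
    "000108000604000100180a000001c0a80a01000000000000c0a80a39",  # gateway asks for .57
    "000108000604000294fb29000010c0a80a3900180a000001c0a80a01",  # scanner answers
    "000108000604000200074d000020c0a80a3900180a000001c0a80a01",  # printer answers too
]
DHCP_POOL = ("192.168.10.50", "192.168.10.150")
STATIC_HOSTS = {"printer": "192.168.10.57", "server": "192.168.10.200"}


def parse_arp(payload_hex):
    """Return (sender_ip, sender_mac) from an Ethernet/IPv4 ARP payload, else None."""
    raw = bytes.fromhex(payload_hex)
    if len(raw) < 28:
        return None
    htype, ptype, hlen, plen, _op, sha, spa, _tha, _tpa = struct.unpack("!HHBBH6s4s6s4s", raw[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return str(ipaddress.ip_address(spa)), sha.hex(":")


def find_duplicate_ips(payloads):
    """Map each sender IP claimed by more than one MAC to its sorted MAC list."""
    owners = defaultdict(set)
    for item in payloads:
        parsed = parse_arp(item)
        if parsed and parsed[0] != "0.0.0.0":  # skip ARP probes
            owners[parsed[0]].add(parsed[1])
    return {ip: sorted(macs) for ip, macs in owners.items() if len(macs) > 1}


def statics_inside_pool(static_hosts, pool):
    """Names of statically addressed hosts whose IP lies inside the DHCP pool."""
    first, last = (ipaddress.ip_address(a) for a in pool)
    return sorted(n for n, ip in static_hosts.items()
                  if first <= ipaddress.ip_address(ip) <= last)


if __name__ == "__main__":
    for ip, macs in find_duplicate_ips(ARP_PAYLOADS).items():
        print(f"DUPLICATE IP {ip}: {', '.join(macs)}")
    for name in statics_inside_pool(STATIC_HOSTS, DHCP_POOL):
        print(f"STATIC INSIDE DHCP POOL: {name} {STATIC_HOSTS[name]}")
```
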



26 Jan 2020

Disable 365 Azure Directory Windows Hello

Microsoft 365 Azure Directory is a great way to manage corporate machines.

By default Windows HELLO is enabled.


This is fine if there is ONLY 1 user on the PC and it is NOT shared.


To disable it you need to go to the Intune console

https://portal.azure.com/#blade/Microsoft_Intune_Enrollment/EnrollmentMenu/windowsEnrollment

now here...

https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesEnrollmentMenu/windowsEnrollment

then 


22 Jan 2020

New Cisco AP Fails to Join Controller


Field Notice: FN - 70479 - Out-Of-The-Box AP Fails to Join Controller or Joins with Single Radio Due to Country Mismatch - Replace on Failure



https://www.cisco.com/c/en/us/support/docs/field-notices/704/fn70479.html



A newly installed Access Point (AP) fails to join its controller or it joins the controller, but is only able to bring up one radio due to a manufacturing mismatch between the AP's domain and the radio's domain.

On a Mobility Express (ME) AP, the 2.4GHz radio will come up in Day 0 mode; however, after you configure the correct country code, the internal AP might fail to rejoin or might bring up only one radio.


AP28xx
AP38xx
AP48xx
AP18xx


You can use this URL to check the serials

http://serialnumbervalidation.com/70479/cgi-bin/index.cgi




NOTE: if using a BARCODE SCANNER to read the serial numbers off the BOX, Cisco prepends an "S" to the serial and the "S" needs to be removed.


20 Jan 2020

Meraki WiFi Cameras

Meraki WiFi Cameras Gen 2


They are 1x1 dual-band 802.11ac clients (2.4 GHz and 5 GHz).

They can have 3 SSIDs: primary, secondary and backup.

(I connect the backup to Phone Hot Spot for config)





The small patch antenna (in the MV32) has 2 antennas to pick from (remember it is a client). It is hard for a camera of this quality with an all-metal chassis to make wireless work, but they did.


Outdoor cameras have the antennas hidden under the plastic dome.


Another handy power accessory for the camera (or other POE device): you need this, or another POE adapter, to power the camera if it is wireless ONLY. It is good if there is existing 12 V power from an old camera.

Remember Meraki cameras record ONBOARD, so the wireless will have little use unless viewing footage.

The Meraki Device


AUTO Voltage and AUTO Polarity Sensing

12Vdc 2.75A    24V AC 2.2A

POE 54V 23W  (not quite POE Plus but more than POE.)



MA-PWR-MC-LV, also called the "Eyepatch" power supply


Active Directory, Azure Directory Sync


You Need


DirectorySyncClientCmd.exe


Force a SYNC to Office 365 NOW (if you don't want to wait 30 min for the sync)



From PowerShell (Admin)

Import-Module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1"


Start-ADSyncSyncCycle -PolicyType Delta      # what's changed

Or

Start-ADSyncSyncCycle -PolicyType Initial    # total resync




Enable ADSI Editor (if the registry is corrupt and it is not showing in MMC)


regsvr32 /u adsiedit.dll     (remove)

regsvr32 adsiedit.dll     (add)



Making missing fields visible 


http://activedirectoryfaq.com/2014/10/ad-attribute-editor-missing-make-search-visible/


List Domain Information


ldifde -f domaindump.ldf



Connecting PowerShell to an Office 365 account



Connect-MsolService

Get-MsolUser -UserPrincipalName joe@fred.onmicrosoft.com | fl

17 Jan 2020

ADSL 10/1 to NBN FTTC 50/20 Change over


Changed a customer over from ADSL 10/1 to NBN FTTC 50/20.

FTTC: Fibre to the Curb

Fibre to the PIT outside, and VDSL over copper to the modem inside.


Did you know that the customer modem supplies power to the PIT equipment !   (you are paying to power telco equipment !)




Certainly an improvement 


Latency to Google went from 60 ms to 20 ms, and so far the loss is 0%.



16 Jan 2020

Win10 Wifi SSID and Password you have saved


This is handy to see the PSK for Wifi networks you have already connected to.

Run a command prompt as ADMIN.

netsh wlan show profile

shows the profiles

 
netsh wlan export profile folder=c:\  key=clear

Saves the password in .xml files in c:\
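
Because the export leaves the PSK in clear text on disk, the following added example (not from the original post) finds exported profile files that still hold a clear key, reports the SSID and authentication type without showing the key, and deletes them. The sample profile, SSID, key and file name are constructed; the function names are this example's own.

```python
import pathlib
import tempfile
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed sample of an exported profile; the SSID and key are made up.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>ExampleCorp</name>
  <MSM><security>
    <authEncryption><authentication>WPA2PSK</authentication></authEncryption>
    <sharedKey><keyType>passPhrase</keyType><protected>false</protected>
      <keyMaterial>constructed-sample-key</keyMaterial></sharedKey>
  </security></MSM>
</WLANProfile>
"""


def find_cleartext_profiles(folder):
    """Return [(file name, SSID, authentication)] for exports holding a clear key."""
    hits = []
    for path in sorted(pathlib.Path(folder).glob("*.xml")):
        try:
            root = ET.parse(path).getroot()
        except ET.ParseError:
            continue  # not well-formed XML, so not a profile export
        protected = root.findtext(".//w:sharedKey/w:protected", namespaces=NS)
        key = root.findtext(".//w:sharedKey/w:keyMaterial", namespaces=NS)
        if key and (protected or "").strip().lower() == "false":
            ssid = root.findtext("w:name", default="?", namespaces=NS)
            auth = root.findtext(".//w:authentication", default="?", namespaces=NS)
            hits.append((path.name, ssid, auth))  # the key itself is never reported
    return hits


def remove_exports(folder):
    """Delete every export that holds a clear key; return the file names removed."""
    names = [name for name, _ssid, _auth in find_cleartext_profiles(folder)]
    for name in names:
        (pathlib.Path(folder) / name).unlink()
    return names


def demo():
    """Write the sample into a temp folder, audit it, clean up, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        (pathlib.Path(tmp) / "Wi-Fi-ExampleCorp.xml").write_text(SAMPLE_PROFILE)
        return find_cleartext_profiles(tmp), remove_exports(tmp), find_cleartext_profiles(tmp)
```
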

15 Jan 2020

DeBloat Fresh Windows 10 for Corporate



When you get Windows 10 pre-installed on a new PC there are a lot of unused apps.

This is a great tool

https://www.pcdecrapifier.com/

for 3rd party apps.

But for MS apps I use this script.

Open an ADMIN PowerShell

and paste in what is between the lines.


===================================================================

#   Description:
# This script removes unwanted Apps that come with Windows. If you  do not want
# to remove certain Apps comment out the corresponding lines below.

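# The original script loads take-own.psm1 and force-mkdir.psm1 relative to
# $PSScriptRoot. That variable is empty when the text is pasted into a console,
# so the imports fail and the Elevate-Privileges loop never ends. The one helper
# still used below is defined inline; the take-ownership privilege is not needed
# to remove Appx packages from an elevated session.
function force-mkdir($path) {
    if (!(Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
}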

Write-Output "Uninstalling default apps"
$apps = @(
    # default Windows 10 apps
    "Microsoft.3DBuilder"
    "Microsoft.Appconnector"
    "Microsoft.BingFinance"
    "Microsoft.BingNews"
    "Microsoft.BingSports"
    "Microsoft.BingWeather"
    #"Microsoft.FreshPaint"
    "Microsoft.Getstarted"
    "Microsoft.MicrosoftOfficeHub"
    "Microsoft.MicrosoftSolitaireCollection"
    #"Microsoft.MicrosoftStickyNotes"
    "Microsoft.Office.OneNote"
    #"Microsoft.OneConnect"
    "Microsoft.People"
    "Microsoft.SkypeApp"
    #"Microsoft.Windows.Photos"
    "Microsoft.WindowsAlarms"
    #"Microsoft.WindowsCalculator"
    "Microsoft.WindowsCamera"
    "Microsoft.WindowsMaps"
    "Microsoft.WindowsPhone"
    "Microsoft.WindowsSoundRecorder"
    #"Microsoft.WindowsStore"
    "Microsoft.XboxApp"
    "Microsoft.ZuneMusic"
    "Microsoft.ZuneVideo"
    "microsoft.windowscommunicationsapps"
    "Microsoft.MinecraftUWP"
    "Microsoft.MicrosoftPowerBIForWindows"
    "Microsoft.NetworkSpeedTest"
   
    # Threshold 2 apps
    "Microsoft.CommsPhone"
    "Microsoft.ConnectivityStore"
    "Microsoft.Messaging"
    "Microsoft.Office.Sway"
    "Microsoft.OneConnect"
    "Microsoft.WindowsFeedbackHub"


    #Redstone apps
    "Microsoft.BingFoodAndDrink"
    "Microsoft.BingTravel"
    "Microsoft.BingHealthAndFitness"
    "Microsoft.WindowsReadingList"

    # non-Microsoft
    "9E2F88E3.Twitter"
    "PandoraMediaInc.29680B314EFC2"
    "Flipboard.Flipboard"
    "ShazamEntertainmentLtd.Shazam"
    "king.com.CandyCrushSaga"
    "king.com.CandyCrushSodaSaga"
    "king.com.*"
    "ClearChannelRadioDigital.iHeartRadio"
    "4DF9E0F8.Netflix"
    "6Wunderkinder.Wunderlist"
    "Drawboard.DrawboardPDF"
    "2FE3CB00.PicsArt-PhotoStudio"
    "D52A8D61.FarmVille2CountryEscape"
    "TuneIn.TuneInRadio"
    "GAMELOFTSA.Asphalt8Airborne"
    "TheNewYorkTimes.NYTCrossword"
    "DB6EA5DB.CyberLinkMediaSuiteEssentials"
    "Facebook.Facebook"
    "flaregamesGmbH.RoyalRevolt2"
    "Playtika.CaesarsSlotsFreeCasino"
    "A278AB0D.MarchofEmpires"
    "KeeperSecurityInc.Keeper"
    "ThumbmunkeysLtd.PhototasticCollage"
    "XINGAG.XING"
    "89006A2E.AutodeskSketchBook"
    "D5EA27B7.Duolingo-LearnLanguagesforFree"
    "46928bounde.EclipseManager"
    "ActiproSoftwareLLC.562882FEEB491" # next one is for the Code Writer from Actipro Software LLC
    "DolbyLaboratories.DolbyAccess"
    "SpotifyAB.SpotifyMusic"
    "A278AB0D.DisneyMagicKingdoms"
    "WinZipComputing.WinZipUniversal"


    # apps which cannot be removed using Remove-AppxPackage
    #"Microsoft.BioEnrollment"
    #"Microsoft.MicrosoftEdge"
    #"Microsoft.Windows.Cortana"
    #"Microsoft.WindowsFeedback"
    #"Microsoft.XboxGameCallableUI"
    #"Microsoft.XboxIdentityProvider"
    #"Windows.ContactSupport"
)

foreach ($app in $apps) {
    Write-Output "Trying to remove $app"

    Get-AppxPackage -Name $app -AllUsers | Remove-AppxPackage -AllUsers

    # -Like instead of -EQ so wildcard entries such as "king.com.*" match here too
    Get-AppXProvisionedPackage -Online |
        Where-Object DisplayName -Like $app |
        Remove-AppxProvisionedPackage -Online
}

# Prevents "Suggested Applications" returning
# (the policy key is named CloudContent, without a space)
force-mkdir "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent"
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent" "DisableWindowsConsumerFeatures" 1

====================================================================

14 Jan 2020

Show Hidden Devices in Windows

When a device is NOT connected to a Windows computer you cannot see it in Device Manager.

This can be a pain when you want to remove old drivers for a device that is not working.

People also do not realise that installing the same device in a different USB port installs a new device instance.

This is why, when you have NO serial ports, a newly installed one sets up as COM9: you have 8 hidden COM ports in Device Manager.

To see hidden devices you need to set the environment variable "devmgr_show_nonpresent_devices" equal to 1.

You could do this at a command prompt (run as admin).

Type:

set devmgr_show_nonpresent_devices=1
devmgmt.msc



Or, if you want it permanent, add it as a system environment variable.





In Device Manager go to VIEW and select SHOW hidden devices.

You can then see them greyed out, and you can edit and remove them.




Also good for removing old devices when you upgrade a motherboard or graphic card

Meraki Client VPN (Windows 10)


Meraki Client VPN has always been tricky to set up on Windows 10.

To make matters worse, Microsoft introduced a BUG in the latest Windows 10 builds: the GUI stops the VPN connecting if you use the standard VPN connection method of clicking on the network icon in the bottom right.


To get around this bug you need to right click on the network icon, "Open Network and Internet Settings"

and select VPN here


Then select the VPN connection and press connect.   The advantage of doing it this way is you see the connection progress and errors.


Users find this particularly hard to remember.

Also, setting up the VPN requires going into the OLD GUI (as the new GUI does not have this setting) to turn on PAP authentication.


This is not easy to get to either, requiring over 6 menus and mouse clicks.


Windows 10 still has the old RASPHONE program. I have discovered this is a much better way to do the client VPN.


This always works from experience, and it is an easy way to check the VPN properties, by clicking the Properties button, to make sure the only protocol checked is "Unencrypted password (PAP)". You then always connect using the rasphone client.



You create a shortcut on the Desktop (or push one out with GPO) with target: C:\Windows\System32\rasphone.exe





Much easier!! (You can even change the ICON if you want to)




**NOTE** 

Also be aware that if the CLIENT gets an IPv6 address, due to a Meraki bug the VPN will not connect. This sometimes happens when clients are hotspotting with their phones. The fix here is to disable IPv6 on the interface that is connecting to the hotspot. The event log will log the message, "msg: unsupported ID type 5." If the identification field value is 5 in the identification payload, this means the payload is carrying the ID type 'ID_IPV6_ADDR.' Meraki does not currently support ID type 5, so an error will appear for these ISAKMP messages.




A question for you Group Policy experts out there.
I have been trying to put the Meraki L2TP VPN client config in Group Policy. I have done it all except the L2TP preshared key. If you know how to do this PLEASE let me know in the comments.








8 Jan 2020

All POE Splitters are not the same


There is a great device called the WLAN Pi; it is very useful in all aspects of WLAN testing.

https://www.wlanpi.com/

I will do another blog on this later......

This device has GIG Ethernet and can do IPERF speed testing. Sometimes the only hassle is powering the device (USB Micro).

POE is generally 48 V, way too much for the WLAN Pi's 5 V, but I saw a device that splits out the power and converts it to 5 V micro USB.


I bought one and it worked fine but could only get 100Meg. I then realised that the network cable ONLY had 2 pairs.

You need all 4 Pairs for GIG Ethernet.     Got another one  from


https://www.iot-store.com.au/products/gigabit-poe-splitter


and this one is GIG.


If you compare the 100Meg one and the 1000Meg one they look the same.

The only difference you can see is that there are ONLY 2 PAIRS in the 100 Meg one.









7 Jan 2020

Connectors in WIFI

Generally, if you use one vendor's access points and external antennas you may not notice that the plugs and sockets are special.


 I have been working with Cisco Access Points  for years and they use the Reverse Polarity TNC connector.






On your BBQ they have a special reverse thread so the general public cannot just use general plumbing parts to connect gas and need specialized parts.






The same was applied to WIFI, so users could not just plug in the biggest antenna they could get at the local shop: the connectors needed to be special so the vendor could try to control the MAX power output of their APs.


Most AP vendors use the Reverse Polarity connector approach 



Standard Connector



 


Reverse Polarity Connector





A reverse polarity coax connector is a variation of a standard polarized connector in which the gender of the interface has been reversed. The term “reverse polarity” refers to the gender of the center contact pin.




I got caught today. I was using a radio receiver and needed a 2.4 GHz antenna. I just grabbed one off an access point I had lying around and thought all was good.


What looked like a good connection was not.   No signal to antenna.


   

Looked tight  and good.





no center pin









You can get all sorts of adapters on EBAY !








one with 2 pins







Fixed....









6 Jan 2020

NBN


Love that CAT5E cables need to be compatible with the National Broadband Network! All Cat5e cables are compatible, even old ones. So many scams due to misinformation.



You MUST upgrade your PABX so it is NBN compatible. They don't tell you all PBXs can work on NBN; you just need the right converter box.
SPA8000  8 Line Converter box



Types Of NBN

  • Fibre to the premises (FTTP) 
  • Fibre to the node (FTTN)
  • Fibre to the basement (FTTB) 
  • Fibre to the curb (FTTC)
  • Hybrid Fibre-Coaxial (HFC) 
  • Fixed Wireless
  • Satellite (Sky Muster)
https://www.gizmodo.com.au/2017/02/giz-explains-every-nbn-technology-compared/


 Generally you can get 100/40 speeds on  FTTP, FTTB, FTTC and HFC

 But FTTN speed depends on cable length   (VDSL2)




 So you need to know how far your node is.

Nodes physically look like this (without the sign!)