Reply
New Member
Posts: 28
Registered: ‎04-22-2017

Re: Everything is great - not so much - Blocked by access control is out of control

Do you have any blocked clients? - None (now - had one but it wasn't even in the country!)

 

Cache the firmware on the controller and upgrade after the firmware has been cached. - Yes but 4.0.21 does not show for my device.....there is no firmware for AP-LR.

New Member
Posts: 28
Registered: ‎04-22-2017

Re: Everything is great - not so much - Blocked by access control is out of control

Do you have any blocked clients?

 

None (now - had one but it wasn't even in the country as per my earlier post!)

 

Re firmware: Yes but 4.0.21 does not show for my device.....there is no firmware for AP-LR.

Senior Member
Posts: 16,465
Registered: ‎08-04-2017
Kudos: 3006
Solutions: 810

Re: Everything is great - not so much - Blocked by access control is out of control

Hello @richardjpalmer,

 

Could you for giggles unblock that client?

My bad 4.0.21 was skipped for GEN1 UAPs..

 

Check the UAP logs and see if clients are being blocked.

 

 

 

Regards,

Glenn R.

Cloud Hosted Controllers | Glenn R. | UniFi Installation/Easy Update Scripts | UniFi-VoIP Installation Scripts
USG-4-PRO • USG
USW-48-500W • USW-24-POE-250W 2x • USW-16-POE-150W 3x • USW-24 • USW-8-150W • USW-8
UAP XG • UAP-SHD • UAP-HD • UAP-NanoHD • UAP-AC-PRO 2x • UAP-AC-LITE • UAP-AC-IW • UAP-AC-M
UCK-G2-PLUS • UCK-G2 • UCK
New Member
Posts: 28
Registered: ‎04-22-2017

Re: Everything is great - not so much - Blocked by access control is out of control

I unblocked the client this morning.....numbers dropping since. No way it could have been connected hence I am sure it is a bug.

 

Also the difference between the app and controller is striking (0 v 90!)

Senior Member
Posts: 16,465
Registered: ‎08-04-2017
Kudos: 3006
Solutions: 810

Re: Everything is great - not so much - Blocked by access control is out of control

Hello @richardjpalmer,

 

So the IOS app reports 0 and the controller itself reports 90?

Could you PM me the controller logs?

 

 

Regards,

Glenn R.

Cloud Hosted Controllers | Glenn R. | UniFi Installation/Easy Update Scripts | UniFi-VoIP Installation Scripts
USG-4-PRO • USG
USW-48-500W • USW-24-POE-250W 2x • USW-16-POE-150W 3x • USW-24 • USW-8-150W • USW-8
UAP XG • UAP-SHD • UAP-HD • UAP-NanoHD • UAP-AC-PRO 2x • UAP-AC-LITE • UAP-AC-IW • UAP-AC-M
UCK-G2-PLUS • UCK-G2 • UCK
New Member
Posts: 28
Registered: ‎04-22-2017

Re: Everything is great - not so much - Blocked by access control is out of control

How do I do that?

Senior Member
Posts: 16,465
Registered: ‎08-04-2017
Kudos: 3006
Solutions: 810

Re: Everything is great - not so much - Blocked by access control is out of control

Hello @richardjpalmer,

 

Follow this article and set putty to log all the output.

Keep the tail running for a few minutes.

 

 

Regards,

Glenn R.

Cloud Hosted Controllers | Glenn R. | UniFi Installation/Easy Update Scripts | UniFi-VoIP Installation Scripts
USG-4-PRO • USG
USW-48-500W • USW-24-POE-250W 2x • USW-16-POE-150W 3x • USW-24 • USW-8-150W • USW-8
UAP XG • UAP-SHD • UAP-HD • UAP-NanoHD • UAP-AC-PRO 2x • UAP-AC-LITE • UAP-AC-IW • UAP-AC-M
UCK-G2-PLUS • UCK-G2 • UCK
New Member
Posts: 28
Registered: ‎04-22-2017

Re: Everything is great - not so much - Blocked by access control is out of control

Will do later when at home

New Member
Posts: 29
Registered: ‎10-19-2017

Re: Everything is great - not so much - Blocked by access control is out of control


@mathieuh wrote:

I have the same issue. Above 1 million "association failures" with most on the "Blocked by access control" category.

 

The "anomalies" event section seem to indicate only 2 of my APs are subject to those, they both have an IoT specific SSID enabled that whitelists a set of MAC. All the APs carry other SSIDs, none of which have any MAC filtering.

 

I disabled the MAC filter on the IoT SSID and the "anomalies" seems to have stopped.

 

I don't think there are actually association failures, but maybe the AP sees packets from devices on the other SSID and thinks those were not allowed?

Currently my other SSIDs and the IoT SSID are all on the same tagged VLAN. This will be changing soon once I finally setup MAC RADIUS dynamic VLAN assignment.


There must actually have been something the APs really didn't like with the MAC filtering on my IoT SSID. After disabling it I noticed that the CPU usage dropped from a steady 20-30% back to a normal 2%.

 

I went back into my history and I noticed this started on October 8th when I upgraded the firmware of my APs from "3.9.42.9152" to "3.9.54.9373". Interestingly this is also when the "Wifi experience" stat is starting to show.

 

If anyone at UBNT wants me to provide my DB for historical data, feel free to ping me.

 

Regular Member
Posts: 441
Registered: ‎09-28-2017
Kudos: 121
Solutions: 31

Re: Everything is great - not so much - Blocked by access control is out of control

@mathieuh White listing is tantamount to "blocking" every client (MAC) not on the list and will increase the "Blocked by access control" counter.  The log will show you which AP(s) performed the block and which MAC it blocked.

Emerging Member
Posts: 82
Registered: ‎12-12-2016
Kudos: 101
Solutions: 1

Re: Everything is great - not so much - Blocked by access control is out of control

[ Edited ]

Same here hundredes of thousends "Blocked by access control" errors on CK 5.10.12 with multiple HD and Pro APs all 4.0.21, guest portal on guest SSID enabled and MAC filter for "internal" SSID. 

 

But no single client found following the link to "known clients"....?!?!?Mad2

 

Would be very interessting where this rejects are comming from guest or internal SSID and what device. Btw the number is always in this range, sometimes it was even twice as high. Having this issue already since view releases back.

 

image.pngimage.png

New Member
Posts: 29
Registered: ‎10-19-2017

Re: Everything is great - not so much - Blocked by access control is out of control


@nc2kft wrote:

@mathieuh White listing is tantamount to "blocking" every client (MAC) not on the list and will increase the "Blocked by access control" counter.  The log will show you which AP(s) performed the block and which MAC it blocked.


Well obviously! But the Mac filtering is only enabled on the IoT SSID. It shouldn't impact other SSIDs on the same AP! That's what i was saying.

It used to be fine, and only started having an impact when upgrading the firmware back in October.

Senior Member
Posts: 16,465
Registered: ‎08-04-2017
Kudos: 3006
Solutions: 810

Re: Everything is great - not so much - Blocked by access control is out of control

Hello @marbl,

 

Can you send me the UAP logs?

 


Regards,

Glenn R.

Cloud Hosted Controllers | Glenn R. | UniFi Installation/Easy Update Scripts | UniFi-VoIP Installation Scripts
USG-4-PRO • USG
USW-48-500W • USW-24-POE-250W 2x • USW-16-POE-150W 3x • USW-24 • USW-8-150W • USW-8
UAP XG • UAP-SHD • UAP-HD • UAP-NanoHD • UAP-AC-PRO 2x • UAP-AC-LITE • UAP-AC-IW • UAP-AC-M
UCK-G2-PLUS • UCK-G2 • UCK
Emerging Member
Posts: 82
Registered: ‎12-12-2016
Kudos: 101
Solutions: 1

Re: Everything is great - not so much - Blocked by access control is out of control

Hello @AmazedMender16 

 

Just could follwo a client on the guest SSID which was not authenticating on the portal.

 

Found the following logs on the desired UAP:

Thu Feb  7 20:33:57 2019 daemon.info hostapd: ath0: STA b0:72:bf:ee:89:2a IEEE 802.11: sta_stats
Thu Feb  7 20:33:57 2019 daemon.info hostapd: ath0: STA b0:72:bf:ee:89:2a IEEE 802.11: disassociated
Thu Feb  7 20:33:57 2019 user.info libubnt[9209]: wevent.ubnt_custom_event(): EVENT_STA_LEAVE ath0: b0:72:bf:ee:89:2a /1

Thu Feb  7 20:34:07 2019 user.info libubnt[9209]: wevent.ubnt_handle_custom_alert_sta_assoc(): EVT_AP_STA_ASSOC_TRACKER_DBG: event_id: 1 event_type: failure vap: ath1 sta_mac: 02:c0:48:05:81:c5 auth_ts: 84127.827509 auth_delta: -1 assoc_delta: -1 wpa_auth_delta: -1 radius_auth_delta: -1 radius_auth_status: N/A ip_delta: -1 disassoc_count: 0 ip_assign_type: N/A auth_failures: 0 assoc_failures: 0 wpa_auth_failures: 0 ip_failures: 0 acl_status: blocked arp_status: N/A dns_status: N/A

Found also that the MAC in the los are relating to the guest client under CLIENTS page for the time it was connected on the SSID but still nothing to be found under INSIGHTS > Known Clients.... so the point seams to be that the know clients page does not show the relevant information for sone reason

Senior Member
Posts: 16,465
Registered: ‎08-04-2017
Kudos: 3006
Solutions: 810

Re: Everything is great - not so much - Blocked by access control is out of control

Hello @marbl,

 

That client is blocked...

Are you sure you filtered on ALL and blocked?

 

Have you tried restarting the UAP?

 

 

Regards,
Glenn R.

Cloud Hosted Controllers | Glenn R. | UniFi Installation/Easy Update Scripts | UniFi-VoIP Installation Scripts
USG-4-PRO • USG
USW-48-500W • USW-24-POE-250W 2x • USW-16-POE-150W 3x • USW-24 • USW-8-150W • USW-8
UAP XG • UAP-SHD • UAP-HD • UAP-NanoHD • UAP-AC-PRO 2x • UAP-AC-LITE • UAP-AC-IW • UAP-AC-M
UCK-G2-PLUS • UCK-G2 • UCK
Emerging Member
Posts: 82
Registered: ‎12-12-2016
Kudos: 101
Solutions: 1

Re: Everything is great - not so much - Blocked by access control is out of control

only internal SSID has MAC filter enabled guest SSID does not.

 

Could find the blocked guest by selecting filters under known clients by guest but not by locked so looks like the entries are somewhere in the database but may not flagged correctly as blocked or someting seams to be wrong with the blocked filter... Anyway I don't understand why this sort of clients should be tagged as blocked anyway.

 

image.pngimage.png

Senior Member
Posts: 16,465
Registered: ‎08-04-2017
Kudos: 3006
Solutions: 810

Re: Everything is great - not so much - Blocked by access control is out of control

Hello @UBNT-MikeD,

 

You might want to take a look at this..

 

 

Regards,

Glenn R.

Cloud Hosted Controllers | Glenn R. | UniFi Installation/Easy Update Scripts | UniFi-VoIP Installation Scripts
USG-4-PRO • USG
USW-48-500W • USW-24-POE-250W 2x • USW-16-POE-150W 3x • USW-24 • USW-8-150W • USW-8
UAP XG • UAP-SHD • UAP-HD • UAP-NanoHD • UAP-AC-PRO 2x • UAP-AC-LITE • UAP-AC-IW • UAP-AC-M
UCK-G2-PLUS • UCK-G2 • UCK
Emerging Member
Posts: 82
Registered: ‎12-12-2016
Kudos: 101
Solutions: 1

Re: Everything is great - not so much - Blocked by access control is out of control

Found plenty of such logs on the UAPs but non of the MAC addresses can be found as guests or internal devices:

 

 

Regular Member
Posts: 441
Registered: ‎09-28-2017
Kudos: 121
Solutions: 31

Re: Everything is great - not so much - Blocked by access control is out of control

[ Edited ]

"only internal SSID has MAC filter enabled guest SSID does not"

 

Any MAC being filtered will increase the counter every time it tries to connect to an SSID with the filtering enabled.

 

The Insights page only shows those clients which have been outright blocked on the controller.  Any other clients being "blocked" by MAC filtering will not show up there, only in the logs.  I think this is the way I prefer it too.  You are upset at seeing the count, I don't want a possible massive list of such (MAC) blocked clients.  

 

Maybe a seperate page of those clients being MAC filtered, but for those of us using Cloud Keys, I want to use as little storage as possible.  Remote syslog is where they belong.

 

Just my 2 cents.

New Member
Posts: 29
Registered: ‎10-19-2017

Re: Everything is great - not so much - Blocked by access control is out of control

[ Edited ]

@nc2kft I don't think this issue has anything to do with Guest control or blocked clients.

 

I think the issue is with MAC Filtering being enabled on one SSID and triggering association failures logs (but not actions) when a client connects to another SSID which has no MAC filtering.

 

While @marbl  has guest control enabled, he also has MAC filtering on his internal SSID, and I'm guessing it's a whitelist.

 

In my case, no stations besides a couple IoT devices attempt to connect to the IoT dedicated SSID. No association failures should occur, yet millions per day do if I have the Mac filtering enabled on the IoT SSID.

Reply