Cisco Wireless Access point having trouble contacting RADIUS server over VPN tunnel


We have a Cisco 1602i access point that is in a geographically remote office from the home office and network where the RADIUS server exists that we wish to use to authenticate to.  

The offices are joined by a VPN tunnel between an ASA 5510 (home office) where the RADIUS server lives and an ASA5505 in the remote office where the AP lives.

However, the AP cannot contact the RADIUS server even though the tunnel is wide open, with no port restrictions.  We also cannot connect to the remote AP's GUI or SSH to it from the network where the RADIUS server lives.

The AP is up and we can manage it by using a computer on the same network as it.  SSH, GUI, Telnet all work.  It doesn't even respond to pings, even though other devices do on the same network.

So my basic question is, can a Cisco AP only contact devices on the same subnet? That would seem like a silly limitation for an enterprise device that would be deployed in a remote setting.

We have a Cisco SmartNet on the access point, but not on the firewalls. Cisco has commented that it could be a VPN tunnel issue and that we should contact their VPN support group, but we do not have paid Cisco SmartNet support for that.


Soulja53 6F 75 6C 6A 61 Commented:
Does the AP have a default gateway configured on it? From the AP, can you ping the gateway? Can you ping outside of its subnet?

paradigm_IS (Author) Commented:
I've figured it out.

We had an ip route command pointing to the wrong IP.
paradigm_IS (Author) Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for paradigm_IS's comment #a39487735

for the following reason:

The ip route command in the AP was pointing to a nonexistent address.

Soulja53 6F 75 6C 6A 61 Commented:
My comment was in regard to checking the gateway, which in turn is a route. Per the author's comment: "pointed to wrong ip".
paradigm_IS (Author) Commented:
I see your point in contesting the solution.  However,  the AP did have the correct default-gateway configured for the BVI1 interface, using the following command, but it still wasn't working:

interface BVI1
 ip address
ip default-gateway

However, someone else brought it to my attention that the IP ROUTE command was incorrectly pointing to a different IP than the default-gateway, and I didn't realize that the IP ROUTE needed to be the same as the default-gateway.

Not sure why Cisco has this configured in 2 places. Nor do I know what the IP ROUTE command does, versus the DEFAULT-GATEWAY command.
Soulja53 6F 75 6C 6A 61 Commented:
You proved my point. Default gateway and the default route you changed are one and the same, but I will not harp on it.
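
Added example, not part of the original thread and not Cisco tooling: a Python check for the condition the author describes, a static default route whose next hop differs from the ip default-gateway (it also flags a next hop or gateway outside the BVI1 subnet). The function name audit_default_path and every address in the sample are assumptions constructed for illustration; whether an address actually exists on the network cannot be judged from the config alone.

```python
import ipaddress
import re

# Constructed sample (RFC 5737 documentation addresses, not values from the thread).
SAMPLE_CONFIG = """\
interface BVI1
 ip address 192.0.2.10 255.255.255.0
!
ip default-gateway 192.0.2.1
ip route 0.0.0.0 0.0.0.0 192.0.2.254
"""
QUAD = r"(\d+\.\d+\.\d+\.\d+)"

def audit_default_path(config, mgmt_if="BVI1"):
    """Return findings about the default gateway and default route in an IOS config."""
    network = gateway = current_if = None
    hops = []
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # any top-level line closes an interface block
            current_if = None
        if m := re.match(r"interface\s+(\S+)", line):
            current_if = m.group(1)
        elif current_if == mgmt_if and (m := re.match(rf"ip address {QUAD} {QUAD}$", line)):
            network = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif m := re.match(rf"ip default-gateway {QUAD}$", line):
            gateway = ipaddress.ip_address(m.group(1))
        elif m := re.match(rf"ip route 0\.0\.0\.0 0\.0\.0\.0 {QUAD}", line):
            hops.append(ipaddress.ip_address(m.group(1)))
    findings = []
    if network is None:
        findings.append(f"{mgmt_if} has no static ip address")
    if gateway is None:
        findings.append("no ip default-gateway configured")
    elif network is not None and gateway not in network:
        findings.append(f"default-gateway {gateway} is outside {network}")
    for hop in hops:
        if network is not None and hop not in network:
            findings.append(f"default route next hop {hop} is outside {network}")
        if gateway is not None and hop != gateway:
            findings.append(f"default route next hop {hop} differs from default-gateway {gateway}")
    return findings

if __name__ == "__main__":
    for finding in audit_default_path(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against a saved copy of the AP's running configuration, an empty result means the default route and default gateway agree and both sit inside the management subnet.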