topic Re: WLC2504 - Dynamic interface problem in Wireless

WLC2504 - Dynamic interface problem

Pavel Segec — Sun, 04 Jul 2021 06:44:11 GMT

Hi,

I have problem with my WLC2504. My WLC is connected through two ports (1 and 2 of four) to my distro switch, where I have dot1q trunks configured. WLC is configured with Management interface (IP address 192.168.255.9/24), over which my LAPs are correctly joined. However, once I'm trying to add additional Dynamic WLC interface, which has VLAN TAG 10 and which I'd like to associate with my WLANS, my WLC stop responding through GUI and SSH, but pings on the management and dynamic interface IP addresses are sucesfull. Just as a note, dynamic AP management is not enabled on mentioned dynamic interface. In a case when I enable dynamic AP management on the dynamic interface (activated also on management interface), GUI and SSH work, but I can not associated WLAN to the dynamic interface, only to the management one

Thanks for soon answer

palo73

Re: WLC2504 - Dynamic interface problem

Amjad Abdullah — Sat, 16 Mar 2013 08:29:27 GMT

Where do you map the dynamic interface you create? to which physical port?

You have same issue with only one physical port connected?

What is the default vlan on the neighbor switch? what is the VLAN tag for the management interface on the WLC?

Rating useful replies is more useful than saying "Thank you"

Re: WLC2504 - Dynamic interface problem

Stephen Rodriguez — Sat, 16 Mar 2013 11:41:34 GMT

Are you in VLAN 10?

The WLC by default does not respond on dynamic interfaces for management.

Steve

Sent from Cisco Technical Support iPhone App

Re: WLC2504 - Dynamic interface problem

George Stefanick — Sat, 16 Mar 2013 18:03:04 GMT

Can you post the switch config and the WLC show run-config

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

WLC2504 - Dynamic interface problem

Pavel Segec — Wed, 20 Mar 2013 10:52:16 GMT

Hi,

management is mapped to potr 1 and dynamic to port 2 of the WLC

palo73

Re: WLC2504 - Dynamic interface problem

Pavel Segec — Wed, 20 Mar 2013 12:34:33 GMT

Hi,

here are the files

palo73

Re: WLC2504 - Dynamic interface problem

Scott Fella — Wed, 20 Mar 2013 13:06:12 GMT

Palo73,

If your inning v7.4 in the 2504, you can enable LAG and configure the two switch ports in an etherchannel. If you don't have v7.4 then you have to define the primary port and the backup port on the 2504. Then on the trunk port you have to allow only the vlans you have for that port. So if you have your management using port 1 as primary and port 2 as backup and then your dynamic interface has port 1 as backup and port 2 as primary it should work. You have to define port 2 for something. Usually if you don't have v7.4 you only need one port connected to the switch. If you want to use more than one port, you need to define the primary and backup and only allow the vlans.

Sent from Cisco Technical Support iPhone App

WLC2504 - Dynamic interface problem

Pavel Segec — Wed, 20 Mar 2013 14:23:04 GMT

Scott,

I'm running 7.3. However...configuring backup port is just an optional feature, right? It should but also does need to be used...anyway, I tried, see show, and no answer

>show interface detailed management

Interface Name................................... management

MAC Address...................................... 3c:ce:73:d8:40:80

IP Address....................................... 192.168.255.9

IP Netmask....................................... 255.255.255.0

IP Gateway....................................... 192.168.255.1

External NAT IP State............................ Disabled

External NAT IP Address.......................... 0.0.0.0

VLAN............................................. 255

Quarantine-vlan.................................. 0

Active Physical Port............................. 1

Primary Physical Port............................ 1

Backup Physical Port............................. 2

Primary DHCP Server.............................. 158.193.152.2

Secondary DHCP Server............................ Unconfigured

DHCP Option 82................................... Disabled

ACL.............................................. Unconfigured

AP Manager....................................... Yes

Guest Interface.................................. No

L2 Multicast..................................... Enabled

Re: WLC2504 - Dynamic interface problem

Scott Fella — Wed, 20 Mar 2013 14:25:01 GMT

It is optional but there is no need to connect port 2 of the WLC if your not defining it to be used.

Sent from Cisco Technical Support iPhone App

Re: WLC2504 - Dynamic interface problem

Pavel Segec — Wed, 20 Mar 2013 17:05:39 GMT

Well, i've associate both interfaces, management and dynamic, to the same physical port, did not work. I was deleted dynamic interface...web management become available 😞

When I'll create a new dynamic interface with enabled Dynamic AP Management, GUI works, but I can not associate WLAN with the dynamic imterface.

Re: WLC2504 - Dynamic interface problem

Scott Fella — Wed, 20 Mar 2013 17:13:03 GMT

Post your show run-config... its something either configured on the WLC or your switch.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

Re: WLC2504 - Dynamic interface problem

Pavel Segec — Wed, 20 Mar 2013 17:20:58 GMT

look above...there are text files with wlc and 3560 running configs

Re: WLC2504 - Dynamic interface problem

Pavel Segec — Wed, 20 Mar 2013 17:23:38 GMT

Amjad, I've just tried port 1 and 2, no others. On the switch side as the native vlan is vlan 1, on the wlc I do not know how to check this. I've assigned both interface to use right vlan tags, 255 for management respectively 10 for dynamic port

palo73

WLC2504 - Dynamic interface problem

Peter Paluch — Fri, 22 Mar 2013 15:28:08 GMT

Gentlemen,

Thank you all for your responses. Pavel and I are colleagues at the same department and I suggested to Pavel to ask here on CSC for ideas about this pesky problem after we were unable to solve it ourselves after several days of experimenting.

We have eventually solved this and we'd like to share the solution. The problem actually wasn't directly caused by the WLC but rather by a couple of unfortunate coincidences.

To reiterate on the problem, we were faced with a loss of all but ICMP connectivity with the WLC immediately after we configured a dynamic interface on the WLC and placed it into 192.168.10.0/24 network on VLAN 10. This network is our internal departmental network - our idea was to have an SSID for wireless department clients that would be bridged onto the wired VLAN 10 into a single department network, hence the same IP network space. As we were configuring the WLC, we were accessing it under its management IP 192.168.255.9/24 in VLAN 255 from a PC in our 192.168.10.0/24 network. Routing between the 192.168.10.0/24 and 192.168.255.0/24 is done by an ASA box sitting on both these networks (VLANs). The logical topology resembles the following diagram:

The cause of the problem probably now starts to be obvious. The PC 192.168.10.222 was accessing the WLC at 192.168.255.9 while the WLC was configured with both 192.168.255.9/24 and 192.168.10.9/24. The PC was communicating with the WLC via the ASA box as its default gateway while the WLC responded to the PC directly, as it indeed was on the same subnet with the PC. The ASA saw the first TCP SYN from the PC towards the WLC but never saw the TCP SYN/ACK from the WLC back to the PC. When the TCP ACK from the PC towards the WLC arrived at the ASA box, it dropped it, preventing the TCP 3-way handshake from ever completing.

If the ASA was replaced with a common router not performing stateful firewalling, this issue would not have occured despite the asymmetrical routing. I have also verified that an IOS-based router running IP Inspect (CBAC) would cause the same connectivity issue.

It is interesting that if the WLC responds to ICMP ECHO messages in particular, it responds through the same interface through which the ICMP ECHO arrived, regardless of the source. In other words, pinging 192.168.255.9 from 192.168.10.9 worked because the WLC sent the reply via the ASA box 192.168.255.1 and not directly to 192.168.10.9. This fact was quite confusing during the troubleshooting, as it diverted our attention. Actually, we first started to suspect a problem in routing and reachability only after we moved the management PC from VLAN10 to VLAN255 and regained the IP connectivity with the WLC.

The easiest solution appears to be to simply bridge the wireless SSID onto a different VLAN than the one that will be (occassionally) used to manage the WLC, to force the WLC to always respond through the ASA when being managed.

I would like to sincerely thank to everyone that has joined this thread. Your effort is very much appreciated! It's almost a shame that the problem was this silly..

Thank you!

Best regards,

Peter

Re: WLC2504 - Dynamic interface problem

Pavel Segec — Fri, 22 Mar 2013 16:06:53 GMT

I would like thanks to all too

palo73

Re: WLC2504 - Dynamic interface problem

Abhishek Abhishek — Mon, 25 Mar 2013 11:30:24 GMT

The management interface is the default interface for in-band management of the controller and connectivity to enterprise services such as AAA servers. The management interface is also used for communications between the controller and APs. The management Interface is the only consistently "pingable" in-band interface IP address on the controller. The management interface will act like an AP manager interface by default.

The dynamic interface with the “Dynamic AP Management” option enabled on it is used as the tunnel source for packets from the controller to the AP, and as the destination for CAPWAP packets from the AP to the controller. The dynamic interfaces for AP manager must have a unique IP address. Typically, this is configured on the same subnet as the management interface, but this is not necessarily a requirement. In the case of the Cisco 2500 Series Wireless Controller, a single dynamic AP manager can support any number of APs. However, as a best practice, it is suggested to have 4 separate dynamic AP manager interfaces and associate them to the 4 Gigabit interfaces. By default, the management interface acts like an AP-manager interface as well and it is associated to one Gigabit interface. As a result, if you are using the management interface, you need to create only 3 more dynamic AP manager interfaces and associate them to the remaining 3 Gigabit interfaces.

The virtual interface is used to support mobility management, DHCP relay, and embedded layer 3 security like guest web authentication and VPN termination. The virtual interface must be configured with an unassigned and unused gateway IP address. A typical virtual interface is 1.1.1.1. The virtual interface address is not pingable and should not exist in any routing table in your network.

Dynamic interfaces are created by users and are designed to be analogous to VLANs for wireless LAN client device. The Cisco 2500 Series Wireless Controller will support up to 16 dynamic interfaces. Dynamic interfaces must be configured on a unique IP network and VLAN. Each dynamic interface acts as a DHCP relay for wireless clients associated to wireless LANs (WLANs) mapped to the interface. A WLAN associates an SSID to an interface and is configured with security, QoS, radio policies, and other wireless network parameters. There can be up to 16 WLANs configured per controller.
Guidelines for Deploying the Cisco 2500 Wireless Controller

Ethernet ports on Cisco 2500 Series Wireless Controllers do not work as Switch ports (that is, 2 machines directly connected to these ports will not be able to communicate with each other). You should not connect servers like DHCP, TFTP etc. on these ports and expect Wireless Clients and APs to receive an IP address from this DHCP server.
Ethernet ports on the Cisco 2500 Series Wireless Controller should only be used to connect/uplink to an infrastructure network configured as a data interface (management interface and dynamic interfaces) or an AP-managers interface.
If multiple Ethernet ports on a Cisco 2500 Series Wireless Controller are uplinked to an infrastructure switch, you should make sure data interfaces (management or dynamic interfaces) or AP-managers interfaces are configured for these uplinked physical ports. Physical Ethernet ports which are used as an uplink to an infra switch should not be left un-configured. This may result in unexpected behaviors.

Multicast unicast is not a supported configuration on Cisco 2500 Series Wireless Controller. As a result, HREAP APs are not able to receive multicast traffic because HREAP APs only work with multicast unicast.

For more information you can refer to the link -
http://www.cisco.com/en/US/products/ps11630/products_tech_note09186a0080b8450c.shtml