topic Re: DMZ Anchor Controller in Wireless

DMZ Anchor Controller

sbeauton — Sat, 03 Jul 2021 22:27:35 GMT

I'm having trouble setting up an Anchor Controller on my DMZ. I have setup everything up and tested it out on my inside network and the Anchor Controller comes up with no problem. When I put the Anchor Controller on the DMZ the data path is up but the control path is down. I can do EPING's but MPINGS fail everytime. The DMZ is secured by a checkpoint firewall. I've made sure ports UDP 16666, 16667 and TCP 97 are open on the firewall. It looks like the traffic is going out to the Anchor controller on the DMZ but not coming back in to establish the tunnel. I've contacted Checkpoint but there support is not the best and I'm wondering if anyone has suppport for a checkpointfirewall. Thanks in advance

Re: DMZ Anchor Controller

sungy — Tue, 26 Feb 2008 21:13:08 GMT

Are you NATing inside controller management ip address?

Re: DMZ Anchor Controller

john.preves — Wed, 27 Feb 2008 05:23:00 GMT

From Chapter 10 of the Enterprise Mobility 4.1 Design Guide -

http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidance09186a00808d9330.html

The following verifications and troubleshooting tasks assume the following: â€¢The solution is using the web authentication functionality resident in the anchor controller(s). â€¢User credentials are created and stored locally on the anchor controller(s).

Before attempting to troubleshoot the various symptoms below, at the very least you should be able to ping from the campus (foreign) controller to the anchor controller(s). If not, verify routing.

Next, you should be able to perform the following advanced pings. These can only be performed via the serial console interfaces of the controllers: â€¢mping neighbor WLC ip

This pings the neighbor controller through the LWAPP control channel. â€¢eping neighbor WLC ip

This pings the neighbor controller through the LWAPP data channel.

If a standard ICMP ping goes through, but mpings do not, ensure that the default mobility group name of each WLC is the same, and ensure that the IP, MAC, and mobility group name of each WLC is entered in the mobility members list of every WLC.

If pings and mpings are successful, but epings are not, check the network to make sure that IP protocol 97 (Ethernet-over-IP) is not being blocked.

Please make sure that the mobility group names are on each other's controller.

Hope this helps

Re: DMZ Anchor Controller

jeff_groesbeck — Tue, 09 Dec 2008 22:18:18 GMT

Hello.

I am wondering if you ever got this resolved. I am running into the exact same problem you described here. I've got the local Checkpoint admins looking into it, but if you happen to have the fix for this, I'd be much appreciative!

Thank you,

Jeff

Re: DMZ Anchor Controller

sbeauton — Tue, 09 Dec 2008 23:46:28 GMT

Jeff

Yes we got this working. The problem was a NAT statement on the CheckPoint Firewall. Make sure you have nat statments for the outside Anchor Controller and also NATS for the inside networks. Hopefully you'll be able to get this issue fixed.