Get with it Cisco. You obviously have a big problem with Mobility Express. I have another two deployments of these 1832i systems that are going wrong. Each has a different issue, but the latest one is the EXACT problem I mentioned as this thread's OP in 2017. Now running 188.8.131.52 - absolutely CANNOT get 2 SSIDs with 2 VLANs to work. With the WLC uplink switchport configured 1U, 222T and with one SSID set to VLAN 222 (Native VLAN 1) I get DHCP from VLAN 1 rather than VLAN 222. As one poster mentioned, I tried the config dhcp proxy-mode thing, but that command was rejected by the WLC. So I tried what another poster suggested - TAGGING both VLANs (VLAN 1 for the corp SSID and VLAN 222 for the Guest SSID) even though that makes absolutely no sense to me - how can that work if you leave the uplink switchport as 1U and 222T? Well, after rebooting the WLC/AP, I found that it didn't work. But then I found that the blasted thing set the native VLAN to 222 for both WLANs. I know I had them set to VLAN 1. So I changed them both back to VLAN 1 and rebooted again. My Phone (my test client) actually connected to the Guest WLAN and got the right address via DHCP! (VLAN 222). I then tried connecting to the corp SSID and no go. No IP via DHCP. A look back at the WLAN settings on the WLC showed that it changed the native VLAN back to 222 for both WLANs. I can't see how this is still an issue. Cisco responding back with "unable to reproduce" is pretty useless. How many posters now have the SAME issue? Obviously not an isolated incident. I will say that I have been successful in deploying ME systems, and every time it works, I end up having the corporate WLAN untagged (native VLAN is 1) and the guest VLAN tagged with the proper VLAN ID and a native VLAN set to 1. My switch/trunk configuration is always the same, and I most often use either Cisco Catalyst or Cisco SMB switches like the SG200/300/250/350. Some work and some do not - with IDENTICAL configurations.
I think the real problem is potentially the issue of this native VLAN that seems to bounce back and forth. What is the native VLAN configuration even for (in the context of WLAN configuration)? Why would the native VLAN ever change between WLANs?
So you bought $20k worth of switches and didn't bother to cover the investment with a SMARTnet contract? Doesn't seem very smart to me... In truth you probably spent $400 on eBay and CAN'T cover them.
Hi Rajat, I didn't actually open a TAC case on this one, since I was coming off the other failed deployment a few days before with similar issues. My configuration is pretty much identical to what you have above. Let's face it, this is not a very complicated setup. Interestingly, I was able to get this working recently, and without any configuration changes. All I did was configure another port on the 2960 as a trunk with identical configuration as the former, same as yours. I connected the 1832i to the new port and waited for it to fully boot. Tried connecting a wireless client to both WLANs as before and ran into the same problem. I reconnected the WAP321 to the first switch port and tried connecting - it worked fine as before for both WLANs. Then I swapped the 1832i back over to the first port again, and found that I could suddenly connect to both WLANs properly. It has been running a couple of days now without a hiccup. I really wish I had done packet captures throughout all of this to get a sense of what was not working, but I figured it would be a waste of time since I was planning on doing another RMA for this unit as well. I am very much in the trenches with this stuff, and don't have a lot of time to spend trying to fix things that should just work in the first place. I also have a couple of deployments using these APs that were very successful, so I know the product can work well and does have potential. Perhaps I got a few APs from a bad batch, maybe it's an issue with 8.4.100, I will probably never know. The TAC engineer I had on the previous deployment issue was going to report the problem I had as a bug when she could find nothing wrong with the configuration of any of the devices or CLI output from the WLC/AP. She told me later that Cisco's "BU team does not support 8.4.100" so I guess that means they know that version to be flaky for this or other reasons. The proposed solution was to downgrade the WLC and AP software.
But I had to cut my losses on time and opted for a more reliable product, at least out of the box. I have been using these 1832s as a relatively low cost solution to replace aging SOHO-style autonomous APs with customers who won't pay the price for a proper controller-based lightweight AP deployment. For now I'm rolling out Ubiquiti UniFi systems for this segment. They have their issues, but they do seem to work with less fuss out of the box. But I'm a real fan of the 2504 and the 2700/2800 series APs for more serious implementations.
Hello all, I've had a second deployment failure with Cisco AIR-AP-1832i WLC/APs running Mobility Express. The issue is that I can't seem to get off VLAN1, or I suppose it would be more accurate to say the native VLAN. Scenario is that I have two WLANs as follows:

WLAN1: SSID: Corporate, VLAN: 1
WLAN2: SSID: Corporate-Guest, VLAN: 100

I can connect to either WLAN/SSID successfully with a client. But only the Corporate WLAN gets me to the proper DHCP server and gives me the ability to pass traffic successfully. Connecting to Guest fails to locate a DHCP server, so I get an APIPA address and nothing works. Configuring a static IP on the proper subnet does not allow traffic to pass. In this deployment, I am using a Cisco Catalyst 2960 switch with the WLC/AP port being a trunk with dot1q. Here's the best part: I replaced a Cisco WAP321 (yeah, small business) AP with the same WLAN/VLAN/SSID configuration that was connected to the very same switch port. The WAP321 handled the two SSIDs and VLANs perfectly. No issues whatsoever connecting, getting IP addresses on either network or passing traffic. I made no changes to the switch configuration. The previous failed deployment I had was a bit different in symptoms: The VLAN configuration was the same, a corporate network and guest network, corporate was on VLAN1 and Guest was VLAN 10. This time, I could connect to either SSID, but I would always get an IP address from the DHCP server on VLAN 1. It's like the VLAN 10 tag was completely ignored. I had a TAC case on that one that became a nightmare when Cisco could find nothing wrong with my configuration of the WLC/AP, switch, or ASA (DHCP server for VLAN 10). They could offer no explanation, even though I provided a pcap from the WLC's switchport (mirrored to my laptop running Wireshark) to TAC. I opted to RMA the 1832s in that case after TAC failed to resolve the situation. I haven't deployed the new APs (different vendor) yet.
Anyway, my question to anyone familiar with these 1832i series units is, what am I missing, or is there a known problem with these things? I don't have these issues with real Cisco WLCs (2504 for example) or even the small business line, although Cisco's new crop is terrible and I won't buy them. By the way, these last 1832i's shipped with 8.4.100. Thanks
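An added example (mine, not from any poster in this thread) of the check that the mirrored-port capture mentioned above makes possible: given raw Ethernet frames from the WLC/AP switchport, it reports which 802.1Q VLAN each DHCP frame actually carried, so a Corporate-Guest Discover arriving untagged shows the AP put it on the native VLAN rather than VLAN 100. The frames here are constructed inline; with a real capture, the raw frame bytes from any pcap reader go into dhcp_vlan_summary.

```python
import struct
from collections import Counter

TPID_8021Q, ETHERTYPE_IPV4, UDP = 0x8100, 0x0800, 17
DHCP_PORTS = {67, 68}

def parse_frame(frame: bytes):
    """Return (vlan_id or None if untagged, is_dhcp) for one raw Ethernet frame."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset, vlan = 14, None
    if ethertype == TPID_8021Q:
        vlan = struct.unpack_from("!H", frame, 14)[0] & 0x0FFF  # VID = low 12 bits of TCI
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        offset = 18
    if ethertype != ETHERTYPE_IPV4:
        return vlan, False
    ihl = (frame[offset] & 0x0F) * 4
    if frame[offset + 9] != UDP:
        return vlan, False
    sport, dport = struct.unpack_from("!HH", frame, offset + ihl)
    return vlan, sport in DHCP_PORTS or dport in DHCP_PORTS

def dhcp_vlan_summary(frames):
    """Count DHCP frames per VLAN; 'untagged' means they rode the trunk's native VLAN."""
    counts = Counter()
    for frame in frames:
        vlan, is_dhcp = parse_frame(frame)
        if is_dhcp:
            counts["untagged" if vlan is None else vlan] += 1
    return dict(counts)

def build_frame(vlan, sport=68, dport=67):
    """Constructed sample frame (headers only): Ethernet [+ 802.1Q] / IPv4 / UDP."""
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55"
    if vlan is not None:
        eth += struct.pack("!HH", TPID_8021Q, vlan)  # PCP/DEI zero, VID = vlan
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH", 28, 0, 0, 64, UDP, 0)
    ip += bytes(4) + b"\xff" * 4  # src 0.0.0.0, dst 255.255.255.255 (DHCP Discover)
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip + struct.pack("!HHHH", sport, dport, 8, 0)

# Constructed capture from the AP's trunk port (1 native, 100 tagged); two frames are non-DHCP noise.
SAMPLE_FRAMES = [
    build_frame(None),                          # Corporate client on native VLAN 1, as expected
    build_frame(100),                           # Corporate-Guest client correctly tagged 100
    build_frame(None),                          # Corporate-Guest client leaking onto the native VLAN
    build_frame(100, sport=5353, dport=5353),   # mDNS on VLAN 100, not DHCP
    b"\xff" * 12 + struct.pack("!H", 0x0806) + bytes(28),  # ARP, not IPv4
]

if __name__ == "__main__":
    print(dhcp_vlan_summary(SAMPLE_FRAMES))  # {'untagged': 2, 100: 1}
```

Seeing more untagged Discovers than Corporate clients, as in this sample, means the guest SSID traffic is leaving the AP without its VLAN 100 tag, which points at the WLC rather than the switch trunk.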
Apologies if I placed this in the wrong forum - this is more of a FirePOWER general inquiry. I have implemented TAMC on an ASA 5506 and I'm managing FirePOWER services on the ASA itself via ASDM. I have the balanced IPS policy in place, as well as a couple manual URL filtering rules and AMP running. While I can see that the system is doing its job for the most part, I find the reporting to be woefully inadequate. A couple examples:
If I look at the Reporting dashboard - Network Overview, under applications I see the protocols using the most bandwidth. For instance, I see BitTorrent listed and I want more info, so I click on that link and am taken to those details where I can see the list of users and their transaction and data usage (I do have LDAP AD integration and the agent installed on a machine on my network). But the vast majority of transactions fall under the user NotAvailable(0). Some of this I understand, as not everyone on my LAN is a domain member and thus not authenticating with AD credentials. Where I have a problem is that I can't see even rudimentary information concerning this traffic - such as the IP address of the offending hosts. Even when I do see a user associated with certain interesting traffic, I cannot identify the machine on the network that the user might be operating from. This leads me to the next example:
Apparently AMP is blocking some malicious traffic from a PC on my network as it has identified a threat and states that it is outbound traffic ("MALWARE-CNC Win.Trojan.Gh0stRAT variant outbound connection"), but that seems to be as far as the reporting goes. I cannot determine for instance the source or destination hostname or IP address. This is obviously not very helpful information. I can see that there are threats on or to my network, but I'm flying blind when it comes to mitigating them.
So this brings me to my questions. What am I missing? I realize that the logging necessary and thus the memory required to store detailed reports is asking a lot from a 5506, and I assume that is the problem, but what are my options? I am aware of the separate VM-based Defense Center and/or FireSIGHT box and/or FirePOWER Management Center, but I must say the subject is incredibly murky. Even Cisco TAC seems confused with all the different terms, products, and options. I assume I would need to buy a license for it, which is no problem, but my Cisco partner/reseller tells me that Cisco is actually going to in-box management even on the larger ASAs (I asked about the 5515/5516 specifically).
Will DC/FireSIGHT give me the intelligence/visibility I'm seeking, assuming it will not be discontinued shortly? Or is there an in-box tool that I have overlooked?
I really love the concept of FirePOWER on an ASA, and coupled with AMP for Endpoints which I'm trying to learn more about seems to make for a very powerful solution. However, so far the reporting has been so lacking that I don't know if I should continue investing resources and time with the product.
Thanks for your time and any insight you may be able to provide.