AP cannot join vWLC over VPN

Jamesits
Level 1

I'm using vWLC 8.5.140.0 in a Hyper-V VM. The simplified network setup is:

[Network diagram image: Snipaste_2019-01-12_15-14-47.png]

I've configured DNS and DHCP discovery for the AP. I can ping both 192.168.3.2 and 192.168.4.2 from 192.168.100.2. The vWLC can ping other hosts in the 192.168.200.x range. All firewall rules are disabled. However:


1. AP discovery packets can reach the WLC (the AP will show on the WLC with status REG for a while, then disappear after a timeout), but the WLC's reply seems to be lost on the way.

2. When I try to open http://192.168.4.2, the website loads but the TCP connection randomly stalls. http://192.168.3.2 does not have this problem. I also found that the vWLC's service port has no outbound packets, which probably means it is sending all packets from the management port.


Is this a bug, or have I configured something wrong?


Related system log:


0 Sat Jan 12 07:22:32 2019 AP Disassociated. Base Radio MAC:c8:f9:f9:xx:xx:xx ApName - ap-rack-top
1 Sat Jan 12 07:22:32 2019 AP's Interface:1(802.11a) Operation State Down: Base Radio MAC:c8:f9:f9:xx:xx:xx Cause=AP_IF_TRAP_ECHO_TIMEOUT: Radio reset due to (112) Heartbeat Timeout Status:NA
2 Sat Jan 12 07:22:32 2019 AP's Interface:0(802.11b) Operation State Down: Base Radio MAC:c8:f9:f9:xx:xx:xx Cause=AP_IF_TRAP_ECHO_TIMEOUT: Radio reset due to (112) Heartbeat Timeout Status:NA
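As an added example (not part of the original thread), a small Python parser for WLC trap-log lines in the format quoted above: it counts disassociations and heartbeat timeouts per base radio MAC, so an AP that keeps showing up as REG and then dropping, as described in this post, stands out. The sample lines, MACs and AP names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the trap-log lines quoted in the post (MACs, names and times made up).
SAMPLE_LOG = """\
0 Sat Jan 12 07:22:32 2019 AP Disassociated. Base Radio MAC:c8:f9:f9:aa:bb:cc ApName - ap-rack-top
1 Sat Jan 12 07:22:32 2019 AP's Interface:1(802.11a) Operation State Down: Base Radio MAC:c8:f9:f9:aa:bb:cc Cause=AP_IF_TRAP_ECHO_TIMEOUT: Radio reset due to (112) Heartbeat Timeout Status:NA
2 Sat Jan 12 07:22:32 2019 AP's Interface:0(802.11b) Operation State Down: Base Radio MAC:c8:f9:f9:aa:bb:cc Cause=AP_IF_TRAP_ECHO_TIMEOUT: Radio reset due to (112) Heartbeat Timeout Status:NA
3 Sat Jan 12 07:24:02 2019 AP Disassociated. Base Radio MAC:c8:f9:f9:aa:bb:cc ApName - ap-rack-top
4 Sat Jan 12 07:30:00 2019 AP Disassociated. Base Radio MAC:00:11:22:33:44:55 ApName - ap-lobby
"""

LINE_RE = re.compile(r"^(\d+)\s+(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\s+(.*)$")
MAC_RE = re.compile(r"Base Radio MAC:((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")
CAUSE_RE = re.compile(r"Cause=(\w+)")
NAME_RE = re.compile(r"ApName - (\S+)")

def parse_line(line):
    """Parse one trap-log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    idx, ts, msg = m.groups()
    mac, cause, name = MAC_RE.search(msg), CAUSE_RE.search(msg), NAME_RE.search(msg)
    return {
        "time": datetime.strptime(ts, "%a %b %d %H:%M:%S %Y"),
        "mac": mac.group(1).lower() if mac else None,
        "cause": cause.group(1) if cause else None,
        "ap_name": name.group(1) if name else None,
        "disassociated": msg.startswith("AP Disassociated"),
    }

def summarize(log_text, min_disassoc=2):
    """Per radio MAC, count disassociations and heartbeat timeouts; flag APs that
    join and drop repeatedly (the REG-then-disappear symptom described in the post)."""
    stats = defaultdict(lambda: {"ap_name": None, "disassociated": 0, "echo_timeout": 0})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or not ev["mac"]:
            continue
        s = stats[ev["mac"]]
        s["ap_name"] = ev["ap_name"] or s["ap_name"]
        s["disassociated"] += ev["disassociated"]
        s["echo_timeout"] += ev["cause"] == "AP_IF_TRAP_ECHO_TIMEOUT"
    flagged = sorted(mac for mac, s in stats.items()
                     if s["disassociated"] >= min_disassoc and s["echo_timeout"] > 0)
    return dict(stats), flagged
```

Run `summarize(SAMPLE_LOG)` to get the per-MAC counts and the list of flagged radios; feed it the output of the WLC trap log to check a real controller.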


8 Replies

balaji.bandi
Hall of Fame

As per the description, for now I can think of routing and ACLs; make sure both are reachable from each network and the required ports are open in the ACL, if any.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Jamesits
Level 1

Sir, can you please read the description? I've disabled all firewalls and ACLs and verified that everything can ping everything.

I may have overlooked that. If the ping is working, the ACL is not applied or is disabled.

Then you need to use Wireshark to capture the packets and see where the packets are lost in the path.

Apart from the above test, is there any AP joined to this vWLC? (vWLC is generally installed over VMware; what kind of ESXi environment, and what switch do you have under ESXi, vSwitch or dSwitch?)
BB

Jamesits
Level 1

I got this working. It seems the AP has joined a different WLC and hasn't been cleared, so the discovery process works but the DTLS connection fails due to some authentication issues.

Good job, you got this working.

But...

Cisco documentation on the service port (physical device) says:

The service port can obtain an IPv4 address using DHCP, or it can be assigned a static IPv4 address, but a default gateway cannot be assigned to the service-port interface

and also:

You must not use the service-port for continuous SNMP polling and management functions except when the management interface of the controller is unreachable

=> Traffic to the service port IP address will most likely be routed via the management port address.

+ You had better place the service port interface in a VLAN that is not accessible from other VLANs, and use the management interface for day-to-day management.

Only if the management port is not reachable do you connect a device in the service-port VLAN to access the service-port IP address.

I don't have any physical device, but the virtual one seems to be a little different. The service port can be set to use DHCP, but it never gets a lease; a static IP address works.

Yes, the traffic to the service port IP will be routed via the management port unless a static route is set up, and this problem confused my stateful firewall.

I acknowledge that Cisco made the assumption that every network has a dedicated Layer 2 accessible service (or management, whatever) LAN; but in the case of a virtualized appliance, it is sometimes hard to get direct L2 connectivity into a VM. Another problem is if I add a virtual port to the WLC, all computers on the same L2 of the port will be unable to access WLC (even with mgmt-via-dynamic-interface enabled).

In your virtual environment, did you create two different virtual switches?

As per the Virtual Wireless LAN Controller Deployment Guide:

Never mind the version (8.2 here); the switch setup will be the same for all vWLC versions.

Virtual Controller Virtual Interfaces

• Management Interface
• Virtual Interface
• Dynamic Interface
• AP Manager Interface

Yes, I did create 2 switches. It's just:

1. The service port switch is not very easy to access from wired clients
2. The wired clients are originally wired to a VLAN which some wireless clients would also be in, so I created a dynamic interface and assigned it an IP, and my wired desktop is unable to access it :(