394 Views, 0 Helpful, 7 Replies

Using Cisco WLC 3505 Anchor with 5520 as Foreign

Hi All,

Setup:

2 x 5520 (SSO) 8.10.121 = Foreign WLC (using 9100 series APs)

2 x 3505 (HA) 8.10.121 = Anchor WLC

Solution requirement: guest WLAN anchored to the 3505s in the DMZ (over a WAN link).

Firewall rules are correct, the mobility tunnel is up (EoIP) and tested with eping and mping. The WLANs are identical, with interface settings differing accordingly (management interface and guest subnet interface).

ISSUE: The client associates to the foreign WLC and is tunnelled to the WLC in the DMZ.

The DMZ WLC (3505) shows the client associated and an IP offered from the internal DHCP server, but the client doesn't receive the offer.

I have tried moving the DHCP service to a Cisco switch in the DMZ and see exactly the same issue: the switch binds the MAC to an IP offer, but the client doesn't receive the offer.

I tried a static IP on the wireless client; the DMZ WLC sees the IP address, but the client is unable to ping the DFG or the WLAN interface.

No drops on the firewall (only see UDP 16666 and EoIP tunnel creation).

I tried a 2504 WLC locally (local test subnet, SVI on a switch stack) using the foreign WLC and this works perfectly (as it should) with no issues: the EoIP tunnel comes up, clients are issued IP addresses and can ping the SVI on the local switch. This eliminates the foreign 5520 and 9100 APs from the issue and points to the WAN/FWs. I can only assume the FW is blocking/dropping something?

Any suggestions would be most welcome.  

 


I would suggest trying the 3504 with a different AireOS version. When you tried the 2504, I assume it was running 8.5.x; I would go with that version and see.

If that works, you know it is an issue with 8.10.121.0.

If that does not work, I would probably pay more attention to the 3504 configs.

 

HTH

Rasika

*** Pls rate all useful responses ***

 

Hi Rasika,
Great recommendation. I have just downgraded the anchor to AIR-CT3504-K9-8-5-161-0.aes (the code running on the 2504) and still get the same issue.
Minimal config on the 3505; I have wiped/reset the config several times. Not sure what else to check. May need to call TAC!

Try with a single 3504, if that is possible, and check. That way you can narrow it down to whether it is SSO related or not.

If possible, attach your 2504 and 3504 configs (removing sensitive info) if you would like us to have a quick look. I believe you use the same wlan-id on both anchor and foreign.

 

HTH

Rasika

 

Hi Rasika,
The 3505s are not in SSO; they are utilising HA so the foreign WLC can round-robin client connections.


In these cases, I always like to register an AP directly to the anchor controller to validate that part of the system.  It doesn't sound like a problem in the DMZ, but it's a good way to rule that out. 

 

I assume also that you are familiar with the mobility group configuration on each controller.  Make sure your mobility tunnels are up.  Occasionally, I can solve an issue by tearing the tunnel down and bringing it back up.

 

 

All,

Forgot to mention that the foreign WLC is part of a CTS domain; the anchor is not configured for CTS and has a minimal RADIUS configuration for MAC filtering via Cisco ISE.

 

Cheers,  

 

Hi All,

Got the solution working; it turned out to be SGT settings relating to trust on the WAN links. Remote site to DC/DMZ was trusted over the WAN link; however, return traffic (even over the EoIP tunnel) was not permitted.

Changed the ISE matrix and resolved it by adding an SGT entry for unknown traffic to and from the WAN link to the DC/DMZ.
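The root cause in the final post is one-way trust in the TrustSec matrix: the tagged request from the remote site is permitted, but the reply from the non-CTS DMZ side carries the Unknown SGT and falls into a deny cell. The following is an added, constructed model of that matrix lookup, not Cisco or ISE code and not the poster's configuration; the SGT values 10 and 20, the cell contents, the default-deny behaviour and the flows are all assumptions chosen to reproduce the symptom (DHCP offer and ICMP reply never reach the client) and then the fix.

```python
# Added example: toy model of a TrustSec SGACL matrix lookup, used to show why
# one-way SGT trust breaks a guest anchor across a WAN. Not Cisco/ISE code.
# Tags 10 and 20, the matrix cells and the flows are constructed assumptions.
from dataclasses import dataclass

SGT_UNKNOWN = 0        # TrustSec reserves SGT 0 for "Unknown"; real value
SGT_REMOTE_SITE = 10   # assumed tag applied at the remote-site WAN edge
SGT_DC_DMZ = 20        # assumed tag for the DC/DMZ side

PERMIT, DENY = "permit", "deny"


@dataclass(frozen=True)
class Flow:
    desc: str
    src_sgt: int
    dst_sgt: int


def evaluate(matrix: dict, default: str, flow: Flow) -> str:
    """Verdict for a flow: the (source SGT, destination SGT) cell, else the default."""
    return matrix.get((flow.src_sgt, flow.dst_sgt), default)


def guest_anchor_exchanges() -> list:
    """Constructed (request, reply) pairs for a guest client anchored in the DMZ.

    The request leaves the remote site tagged. The reply comes back from the
    anchor/DMZ, which is not CTS-aware, so the WAN edge sees its source tag as
    Unknown (SGT 0) rather than the DC/DMZ tag.
    """
    return [
        (Flow("DHCP Discover: client at remote site -> DMZ anchor", SGT_REMOTE_SITE, SGT_DC_DMZ),
         Flow("DHCP Offer: DMZ anchor -> client at remote site", SGT_UNKNOWN, SGT_REMOTE_SITE)),
        (Flow("ICMP echo: client -> DMZ default gateway", SGT_REMOTE_SITE, SGT_DC_DMZ),
         Flow("ICMP echo reply: DMZ default gateway -> client", SGT_UNKNOWN, SGT_REMOTE_SITE)),
    ]


def half_open_exchanges(matrix: dict, default: str = DENY) -> list:
    """Requests that are permitted while their reply is denied (the symptom in the thread)."""
    return [
        req.desc
        for req, rep in guest_anchor_exchanges()
        if evaluate(matrix, default, req) == PERMIT and evaluate(matrix, default, rep) == DENY
    ]


# Assumed starting state: only the remote site -> DC/DMZ cell is permitted;
# every other cell, including anything sourced from Unknown, hits the default deny.
MATRIX_BEFORE = {(SGT_REMOTE_SITE, SGT_DC_DMZ): PERMIT}

# Assumed fixed state, mirroring the thread's resolution: traffic from Unknown
# (the untagged DMZ side) to the remote site, and the reverse, is permitted.
MATRIX_AFTER = {
    **MATRIX_BEFORE,
    (SGT_UNKNOWN, SGT_REMOTE_SITE): PERMIT,
    (SGT_REMOTE_SITE, SGT_UNKNOWN): PERMIT,
}


if __name__ == "__main__":
    for name, matrix in (("before", MATRIX_BEFORE), ("after", MATRIX_AFTER)):
        print(f"{name}: half-open exchanges = {half_open_exchanges(matrix)}")
        for req, rep in guest_anchor_exchanges():
            print(f"  {req.desc}: {evaluate(matrix, DENY, req)}")
            print(f"  {rep.desc}: {evaluate(matrix, DENY, rep)}")
```

Running it prints the two half-open exchanges for the "before" matrix and none for the "after" matrix, which is the same asymmetry the poster found: the firewall shows no drops because the policy decision is made by the SGACL at the WAN edge, not by the firewall. The check worth keeping from this is `half_open_exchanges`: for any request cell you permit, confirm the cell the reply will actually land in (Unknown, if the far side does not tag) is also permitted.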