2 x 5520 (SSO) 8.10.121 = Foreign WLC (using 9100 series AP's)
2 x 3505 (HA) 8.10.121= Anchor WLC
Solution Requirement- Guest WLAN anchored to 3505's in DMZ (Over WAN link).
Firewall rules are correct, mobility tunnel up (EoIP) and tested with eping and mping. WLANs are identical with interface settings differing accordingly (management interface and guest subnet interface).
ISSUE: Client associates to foreign WLC and is tunnelled to the WLC in the DMZ.
The DMZ WLC (3505) shows client associated and offers IP from internal DHCP server, client doesn't receive offer?
Have tried moving DHCP service to a Cisco switch in the DMZ and see exactly the same issue, switch binds MAC to IP offer but client doesn't receive offer?
Tried a static IP on the wireless client, DMZ WLC sees the IP address but unable to ping DFG or WLAN interface?
No drops on the firewall (only see UDP 16666 and EoIP tunnel creation).
Tried a 2504 WLC locally (local test subnet-SVI on a switch stack) using the Foreign WLC and this works perfectly (As it should) with no issues, EoIP tunnel up and clients are issued IP addresses and can ping the SVI on the local switch. This eliminates the foreign 5520 and 9100 AP's from the issue and points to the WAN/FW's. I can only assume the FW is blocking/dropping something?
Any suggestions would be most welcome.
I would suggest try 3504 with a different AireOS version. When you tried 2504, assume it was running 8.5.x, I would go with that version and see.
If that works, you know it is an issue with 184.108.40.206.
If that does not work probably I would pay more attention to 3504 configs
*** Pls rate all useful responses ***
Try with single 3504, if that is possible and check. In that way, you can narrow it down to SSO related or not.
if possible attach your 2504 and 3504 configs (removing sensitive info), if you would like us to have a quick look. I believe you use same wlan-id on both anchor & foreign.
In these cases, I always like to register an AP directly to the anchor controller to validate that part of the system. It doesn't sound like a problem in the DMZ, but it's a good way to rule that out.
I assume also that you are familiar with the mobility group configuration on each controller. Make sure your mobility tunnels are up. Occasionally, I can solve an issue by tearing the tunnel down and bringing it back up.
Forgot to mention that the Foreign WLC is part of a CTS domain, the anchor is not configured for CTS and has minimum radius configuration for MAC filtering via Cisco ISE.
Got the solution working, turned out to be SGT settings relating to trust on the WAN links. Remote site to DC/DMZ trusted over the WAN link, however, return traffic (even over the EoIP tunnel) was not permitted.
Changed ISE matrix and resolved/added SGT for unknown traffic to and from the WAN link to DC/DMZ