Can not reach the WLC using Flexconnect AP

pavel.mr4
Level 1

Hi,

 

I am trying to reach the WLC using GUI, SSH and telnet in a FlexConnect environment but I can't, though I can ping it.

 

Has anybody had a similar issue?

 

BR!


Francesco Molino
VIP Alumni
Hi

What do you mean you can't access the WLC? Are you connected over WiFi when accessing it?
Do you have a local AP from which you are able to access it?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

 

Yes, I am trying using WiFi. I have selected the checkbox on the WLC to do that.

 

When I am connected to a local AP I can access the WLC without a problem, but when I move to a branch office with a Flex AP I can't. I wanna know if that is normal behavior or if there is a misconfiguration.

 

BR!

OK, that means you have activated the mgmt-via-wireless capability.
When in FlexConnect, you said you can ping, right?
If so, are there any firewalls in the path?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Yup, mgmt-via-wireless capability activated.

 

There are no firewalls between offices; they communicate with the sw cores.

Just a dumb question: you're trying to access the management interface, right?
From the WLC, can you access remote branch devices (ping)?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I have never tried that. From the WLC I cannot ping the gw in the branch office.

 

Could be a routing issue?

Can you check any ACL and routing?

 

Can you share a traceroute from branch and from your central site?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Also, what you can do to validate that your issue is from your branch is to create a centrally switched SSID on this AP group and try to access the GUI or SSH. Normally it should work, because you said you can access your WLC when you're in your central site.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

This is the output.

192.168.2.11 is the wlc

192.168.2.2 is the sw core in central office

192.168.102.6 is the sw core in branch

 

 

From central to gw, WLC and branch:

 

SWACCESS13-MCS#ping 192.168.2.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/14 ms
SWACCESS13-MCS#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/6/14 ms
SWACCESS13-MCS#traceroute 192.168.2.2
Type escape sequence to abort.
Tracing the route to swcore (192.168.2.2)
VRF info: (vrf in name/id, vrf out name/id)
1 swcore (192.168.2.2) 4 msec * 3 msec


SWACCESS13-MCS#traceroute 192.168.2.11
Type escape sequence to abort.
Tracing the route to 192.168.2.11
VRF info: (vrf in name/id, vrf out name/id)
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *

 

Tracing the route to 192.168.102.6
VRF info: (vrf in name/id, vrf out name/id)
1 swcore (192.168.2.2) 3 msec 4 msec 3 msec
2 172-10-25-4.lightspeed.rlghnc.sbcglobal.net (172.10.25.4) 3 msec 4 msec 4 msec
3 192.168.102.6 3 msec * 7 msec

 

From branch to central core and WLC:

 

SWCORE-MCS-INFRA#traceroute 192.168.2.11

Type escape sequence to abort.
Tracing the route to 192.168.2.11

1 192.168.102.2 0 msec 0 msec 8 msec
2 172.10.25.1 9 msec 59 msec 17 msec
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

 

SWCORE-MCS-INFRA#traceroute 192.168.2.2

Type escape sequence to abort.
Tracing the route to 192.168.2.2

1 192.168.102.2 0 msec 0 msec 0 msec
2 172.10.25.1 8 msec 0 msec *

 

 

When I change the Flex AP to local mode, I can reach the WLC.

 

BR

 

OK, based on the outputs, you should have a firewall between branch and head office.
I guess there's a VPN built between those sites. After checking your firewalls, can you validate if there are some ACL filters that would filter your WLC GUI and SSH access?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I am probably responding late to this, but I can tell you I have the same issue.

 

Local mode: no issue. FlexConnect: cannot get to WLC MGMT.

 

I am not behind a firewall, as my WLCs are internal and so is my MGMT interface. My firewalls, along with most, are at the perimeter, so the request to reach the MGMT interface doesn't ever reach the firewall.

 

In short, this should NOT be a firewall issue, as clearly shown by the fact that simply moving the AP from FlexConnect mode to Local mode allows access, and the MGMT interface or the implementation doesn't change; in both cases we still need to access the same IP address. What happens in Local vs FlexConnect mode is what my mind is trying to solve, along with many others scratching their heads, wondering what the traffic is doing in both modes during the request to reach the MGMT.

When you're connected to a local or a FlexConnect AP, if you have enabled management access, you should be able to access your WLC.

The difference is that your traffic is being switched locally on the switch at the branch. Are you trying to access the management interface or a dynamic interface? Can you run Wireshark and try again, please? Share the Wireshark capture if you can, please.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Saravanan Lakshmanan
Cisco Employee
Don't think remote-client coming from flex-local switching enabled will have any effect on setting "network mgmt-via wireless", as it will be considered as wired and not a wireless client, and its data path/ACL are different from the local-mode AP implementation.

Yeah, you're right; however, I asked that to be sure, because he can have a FlexConnect AP with a centrally switched SSID. This is just to eliminate that part of the config.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question