CISCO-LWAPP-CONTROLLER

Network Pro

Hello,

I am trying to get this OfficeExtend working.

I connected the AP, checked the H-REAP box and then OfficeExtend, and gave it a public IP. This public IP is NAT'd to the DMZ controller on the firewall. (The DMZ controller is a 5508 running code 6.0.199.4.)

I have connected this OfficeExtend 1132 AP to a broadband connection and it gets an IP of 192.168.1.23 on its fa0 interface. All good till now.

When I console onto the OfficeExtend 1132 AP, I get an error message: could not resolve Cisco-LWAPP-Controller.abc.uk... domain server (192.168.1.254) and Cisco-CAPWAP-Controller.home.uk... I think it needs DNS set to the public IP on the local ADSL box, is it?

If this is the case, I am not sure if I can do this as this is controlled by the ISP.

33 Replies

I can't ping that address, probably because ICMP is not allowed. When I look at the perimeter firewall I can see untranslated NAT as 1000 packets (and increasing as the AP is trying on port 5246), and on port 5247 it's 0. I have allowed an ACL for 5246 and 5247 to reach the inside firewall but can't see any packets hitting the inside firewall at all.

Should the source and dest port be 5246 and 5247 on the firewall (or just source as 5246 and 5247 and dest as any port)?

You will not see UDP 5247 until the connection is made. So if you see an entry from the broadband connection trying to connect on UDP 5246, then you need to see how that connection is hitting your other FW. That traffic needs to pass to your internal FW, then to the WLC. You're doing a NAT translation on your outside FW, but how is the traffic being allowed back in? Can you see if the FW is dropping the packet?

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Basically I am doing a NAT translation on the perimeter firewall, and on the internal firewall I am NATting that address back to the WLC DMZ controller. Also on the DMZ controller I have the public IP on the management interface.

If I do sh nat on the perimeter firewall I can see untranslated hits as 10000 but translated as 0, and the access list that allows port 5246 and 5247 shows 0 packets allowed. So something is wrong here. I have allowed 5246 and 5247 on the inside firewall as well but can't see any traffic on 5246 and 5247 hitting it. So I think it's the perimeter firewall NAT that's stopping it.

Should the source and dest port be 5246 and 5247 (or only 5246 and 5247 as the source and dest any)?

Okay... If you are consoled into the AP and you enter the public IP address, do you see in the log that the AP is trying to connect to your public IP address?

Thanks,

Scott Fella

Nope, not really. It just says:

Translating "CISCO-CAPWAP-CONTROLLER.Aeronet.uk"...domain server (192.168.1.254)
*Apr  8 18:59:39.476: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.

Translating "CISCO-LWAPP-CONTROLLER.Aeronet.uk"...domain server (192.168.1.254)
*Apr  8 18:59:41.568: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.Aeronet.uk

*Apr  8 18:59:43.655: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-LWAPP-CONTROLLER.Aeronet.uk
*Apr  8 19:00:23.659: %CAPWAP-5-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.

I have added capwap ap controller ip xxx and capwap ap primary-base (controller name).

But on the perimeter firewall I can see untranslated hits on port 5246.

That doesn't look right. What I see on my 1131 is that it does a broadcast to my public IP and then the internal one if the public fails. Do you have another AP to try?

Thanks,

Scott Fella

Yes, will try this tomorrow. But the fact I can see hits on 5246 puzzles me.

I have pasted the config above. Can you have a look and let me know if the public IP is in the correct location of the config?

This is the output, and I don't think it looks like it's trying to connect to the public IP:

Translating "CISCO-CAPWAP-CONTROLLER.abc.uk"...domain server (192.168.1.254)
*Apr  8 19:29:03.040: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.

Translating "CISCO-LWAPP-CONTROLLER.abc.uk"...domain server (192.168.1.254)
*Apr  8 19:29:05.945: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.abc.uk

*Apr  8 19:29:08.040: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-LWAPP-CONTROLLER.abc.uk
*Apr  8 19:29:48.044: %CAPWAP-5-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
Not in Bound state.
*Apr  8 19:29:57.550: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination.
*Apr  8 19:29:57.550: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address 10.151.63.116, mask 255.255.255.0, hostname AP6400.f14d.b6ba

Translating "CISCO-CAPWAP-CONTROLLER.abc.uk"...domain server (192.168.1.254)
*Apr  8 19:30:04.549: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.

Translating "CISCO-LWAPP-CONTROLLER.abc.uk"...domain server (192.168.1.254)
*Apr  8 19:30:06.644: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.abc.uk

Yeah... The thing is, you should see this getting passed to your other FW, then to the WLC.

Thanks,

Scott Fella

Hi Scott,

Sorted this one out, as apparently on the perimeter firewall the permit for 5246 and 5247 was after the deny statements, silly me, and hence it was not allowing.

But now I can see packets hitting the firewall on 5246 and being allowed to the inside firewall, but I can't see the AP on the DMZ WLC. Also I can't see the return traffic from the inside firewall.

On the perimeter firewall I can see packets on 12223 hitting the firewall from the AP. Should that be allowed as well?

Any debug commands on the WLC to see what's happening?
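The root cause found in the post above is rule ordering: a firewall ACL is evaluated first-match, so a permit placed after a broad deny is dead and its hit counter stays at zero. The script below is an added example, not from this thread or from Cisco, that models that first-match behaviour over a few constructed flows and shows the hit counters for the broken and the corrected ordering. The addresses (203.0.113.10 for the WLC's public NAT address, 198.51.100.23 for the AP's ISP address) and the rule set are assumptions for illustration. The rules match on destination port only and leave the source port unconstrained; that is a choice for this example, not a statement about which source port the AP uses.

```python
"""Added example (not from the thread): first-match ACL evaluation, which is why a
'permit udp any host <wlc-public> eq 5246' placed after a catch-all deny never gets
a hit.  Addresses and rules are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WLC_PUBLIC = "203.0.113.10"        # assumed: public NAT address of the DMZ WLC
AP_SRC = "198.51.100.23"           # assumed: the OfficeExtend AP as seen at the perimeter
CAPWAP_PORTS = frozenset({5246, 5247})   # CAPWAP control and data (RFC 5415)
LWAPP_PORTS = frozenset({12222, 12223})  # legacy LWAPP data and control


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "udp", "tcp" or "ip" (ip matches any protocol)
    src: str = "0.0.0.0/0"            # CIDR; 0.0.0.0/0 means "any"
    dst: str = "0.0.0.0/0"
    dports: frozenset = frozenset()   # empty set = any destination port

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if ip_address(f.src) not in ip_network(self.src):
            return False
        if ip_address(f.dst) not in ip_network(self.dst):
            return False
        return not self.dports or f.dport in self.dports


def evaluate(acl, flow):
    """First-match semantics: the first matching rule decides.
    Returns (action, rule_index); rule_index is None for the implicit deny."""
    for i, rule in enumerate(acl):
        if rule.matches(flow):
            return rule.action, i
    return "deny", None


def hit_counts(acl, flows):
    """Per-rule hit counters, like the packet counts a 'show access-list' prints."""
    counts = [0] * len(acl)
    for f in flows:
        _, idx = evaluate(acl, f)
        if idx is not None:
            counts[idx] += 1
    return counts


PERMIT_CAPWAP = Rule("permit", "udp", dst=f"{WLC_PUBLIC}/32", dports=CAPWAP_PORTS)
PERMIT_LWAPP = Rule("permit", "udp", dst=f"{WLC_PUBLIC}/32", dports=LWAPP_PORTS)
DENY_ALL = Rule("deny", "ip")

# The situation described in the thread: permits placed after the deny never match.
BROKEN_ACL = [DENY_ALL, PERMIT_CAPWAP, PERMIT_LWAPP]
# Corrected order: specific permits first, catch-all deny last.
FIXED_ACL = [PERMIT_CAPWAP, PERMIT_LWAPP, DENY_ALL]

# Constructed sample traffic: a CAPWAP control attempt, a data-plane packet,
# a legacy LWAPP probe, and an unrelated scan that must stay blocked.
SAMPLE_FLOWS = [
    Flow("udp", AP_SRC, 5246, WLC_PUBLIC, 5246),
    Flow("udp", AP_SRC, 5247, WLC_PUBLIC, 5247),
    Flow("udp", AP_SRC, 12223, WLC_PUBLIC, 12223),
    Flow("tcp", "192.0.2.77", 40000, WLC_PUBLIC, 22),
]

if __name__ == "__main__":
    for name, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        print(name, hit_counts(acl, SAMPLE_FLOWS),
              [evaluate(acl, f)[0] for f in SAMPLE_FLOWS])
```

With the broken ordering every flow lands on the deny and both permits show 0 hits, which is exactly the symptom of an access list that "allows 5246 and 5247" yet reports 0 packets; with the permits moved ahead of the deny the CAPWAP and LWAPP flows are permitted and only the unrelated SSH probe is dropped.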

You can try that... Also allow UDP 12222 and 12223.

Thanks,

Scott Fella

Looks like packets are hitting the WLC on 5246, but the WLC is not responding to them (as per a packet capture on the firewall interface the WLC is connected to).

Is there any setting that needs to be enabled on the WLC? The WLC is using the firewall as its gateway. I have added the public address in the NAT field of the management interface.

That is really all you need. Do you see anything in the WLC log? What do you see on the AP?

Thanks,

Scott Fella

The AP still comes up with the same message, trying to find a controller (I think that happens if it can't speak to the controller on the public address, as it's happening to another AP (not used) as well).

Strangely enough I can't ping the default gateway (firewall); sometimes it works and sometimes it doesn't?

Where can I see the logs for the WLC?

On the monitor page, on the lower right, is the log. There is a link to open up the log page too. You can also try to do some debugging on the AP MAC address, but if it's not hitting the WLC you will not see anything.

Thanks,

Scott Fella

Are your inside FW rules set up okay? Do you see hits on those ports?

Thanks,

Scott Fella