Access point disconnected from WLC when ACL is applied

harrypandian
Level 1

Got into a strange situation yesterday. I was trying to lock down an access point to restrict access to our internal applications only, and it dropped off from the WLC in 5 secs. These are in FlexConnect mode; I used the FlexConnect ACL and applied it to one of the access points. The access point had a statically assigned IP, and when it dropped off, I could not ping it either. This is in a warehouse and I was working remotely, so I could not confirm the status of it.

 

I have an ACL to allow any and requested a reboot of the AP to see if it gets associated again. The AP is not in an easily accessible position; it will require a forklift to reach it. Is there any other option to remove the ACL from the AP? When I applied the rules from the WLC, are they saved within the AP, or does it always refer to the WLC for rules?

 

Can someone shed some light or direct me to the correct method to bring this AP up?

7 Replies

jmanzanera
Level 1

Hello

Can you confirm which WLC version you are running?

I understand you applied the ACL into the FlexConnect group and the AP is associated with that FlexConnect group.

 

Can you confirm whether you applied the ACL as ingress or egress? Did you try to remove the ACL from the FlexConnect group?

 

As your AP is not associated to your WLC, it seems you are blocking the CAPWAP traffic (strange if you have FlexConnect mode). Can you confirm whether you are able to see the AP from the switch perspective via CDP?

The ACL was applied at the AP level (VLAN) and not to the FlexConnect group. I can remove the ACL from the WLC, but that will not make any difference as the AP is not connected to it now.

 

I could not ping it, and it does not show in CDP. A person in that location confirmed there is a blue/green light blinking on the AP.

WLC 2504, software version 8.5.131.0

Hello,

 

Regarding CDP, maybe I was wrong, as it depends on whether you have CDP enabled or not. Can you double-check whether you see the MAC address of the AP on the switch port? Is the switch port on the correct VLAN?

 

For me it is strange that the AP is blinking green/blue, as I can't see that combination in the Cisco doc: https://www.cisco.com/c/en/us/td/docs/wireless/access_point/3600/quick/guide/ap3600getstart.html (see Table 1, LED Status Indications).

 

I think the color code is the same for all the APs, but maybe I'm wrong. According to your color code, it seems there is a problem with the boot of the AP.

If the ACL is why you cannot access the AP, and you had SSH enabled for the APs at the WLC, try opening an SSH session from the WAN router using the outside interface as source, as it should have a public IP.

If that's it, you can recover it from the AP SSH session either by factory-resetting the AP or by manually removing the ACL.

** Please rate helpful posts **

CCIE #58023

This is deployed in a remote location and it uses Meraki. So, that possibility is ruled out.

harrypandian
Level 1

Posting this as it might help someone with a similar situation.

 

I modified the FlexConnect ACL in the WLC to allow everything and then rebooted the AP. The AP re-joined the WLC when it came up. I think it automatically gets the update when it connects to the WLC.

 

Problem is solved now.

 

Thanks to everyone who replied to this post.
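The thread's root cause, as jmanzanera suspected, is an ACL that locks down the AP's client-facing traffic but also cuts the AP's own CAPWAP tunnel to the controller, so the AP drops and can no longer receive a corrected ACL until it is rebooted with a permissive one. A simple pre-flight check catches this before the ACL is pushed. The following is an added example, not code from the original thread or from Cisco: it models a one-direction, first-match ACL with implicit deny (the usual behaviour of a WLC ACL; direction handling is deliberately left out) and asks whether the flows the AP itself needs, CAPWAP control on UDP 5246 and CAPWAP data on UDP 5247, would still be permitted. The AP, WLC and application addresses are constructed documentation-range values, and the "lockout" ACL is an assumed reconstruction of the kind of rule set described in the thread, not the poster's actual configuration.

```python
"""Pre-flight check: would a FlexConnect-style ACL cut the AP off from its WLC?

Added example, not from the original thread. The ACL model is first-match
with an implicit deny at the end; only one direction (AP -> WLC) is modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "udp", "tcp", "icmp" or "any"
    src: str                       # CIDR of permitted/denied source
    dst: str                       # CIDR of permitted/denied destination
    dst_ports: Optional[Tuple[int, int]] = None  # inclusive range, None = any port


@dataclass(frozen=True)
class Flow:
    name: str
    proto: str
    src: str
    dst: str
    dst_port: Optional[int]


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True if the rule's protocol, addresses and port range all cover the flow."""
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if ip_address(flow.src) not in ip_network(rule.src):
        return False
    if ip_address(flow.dst) not in ip_network(rule.dst):
        return False
    if rule.dst_ports is not None:
        if flow.dst_port is None:
            return False
        lo, hi = rule.dst_ports
        if not lo <= flow.dst_port <= hi:
            return False
    return True


def evaluate(acl: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First-match evaluation; anything unmatched hits the implicit deny."""
    for rule in acl:
        if rule_matches(rule, flow):
            return rule.action
    return default


def preflight(acl: List[Rule], ap_ip: str, wlc_ip: str) -> List[str]:
    """Return the names of AP-to-WLC control-plane flows the ACL would deny.

    CAPWAP uses UDP 5246 (control) and UDP 5247 (data); if either is denied the
    AP loses its join to the controller, which is what happened in the thread.
    """
    required = [
        Flow("CAPWAP control", "udp", ap_ip, wlc_ip, 5246),
        Flow("CAPWAP data", "udp", ap_ip, wlc_ip, 5247),
    ]
    return [f.name for f in required if evaluate(acl, f) == "deny"]


# Constructed addresses (RFC 5737 documentation ranges); not from the thread.
AP_IP = "192.0.2.50"
WLC_IP = "198.51.100.10"
INTERNAL_APPS = "10.10.0.0/16"

# Assumed reconstruction of a "internal applications only" ACL that forgets
# the AP's own tunnel: HTTPS to the app subnet is allowed, everything else denied.
LOCKOUT_ACL = [
    Rule("permit", "tcp", "192.0.2.0/24", INTERNAL_APPS, (443, 443)),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0"),
]

# Same intent, but CAPWAP to the controller is permitted before the deny.
SAFE_ACL = [
    Rule("permit", "udp", "192.0.2.0/24", WLC_IP + "/32", (5246, 5247)),
] + LOCKOUT_ACL

# The permissive ACL the poster fell back to in order to recover the AP.
ALLOW_ANY_ACL = [Rule("permit", "any", "0.0.0.0/0", "0.0.0.0/0")]


if __name__ == "__main__":
    for label, acl in (("lockout", LOCKOUT_ACL), ("safe", SAFE_ACL), ("allow-any", ALLOW_ANY_ACL)):
        denied = preflight(acl, AP_IP, WLC_IP)
        status = "OK" if not denied else "WOULD LOCK OUT AP: " + ", ".join(denied)
        print(f"{label:10s} {status}")
```

Running the module prints one line per ACL; only the "lockout" set reports the two CAPWAP flows as denied. The same check extends naturally to DHCP, DNS and NTP flows for APs that do not use static addressing, and to the reverse direction if the ACL is applied as egress.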
