Cisco vWLC new WLAN issue

Igor Filatov
Level 1

Hi Community.

We faced a strange issue when doing a pretty straightforward config.

We have a vWLC v8.10.151.0 and the following topology for Guest WiFi with web/mac authentication:

1) Small sites without local WLC

[Client]--->[Remote Site WAP]--->[CAPWAP tunnel]--->[vWLC]--->[DC Catalyst 9200]--->[FW+DHCP]--->[Internet]

2) Big sites with local WLC

[Client]--->[Remote Site WAP]--->[Foreign WLC]--->[Anchor vWLC]--->[DC Catalyst 9200]--->[FW+DHCP]--->[Internet]

Everything works just fine.

The problem started when we deployed an additional WLAN to refresh laptops. The config is the same as for guest: same dynamic interface, same DHCP pool, same FW rules, but WPA3 instead of Web. Everything in the configuration is absolutely the same except for security.

Symptoms:

1) Users from small sites can connect and obtain DHCP lease, that means L2 works, but cannot reach or ping anything: dynamic interface of vWLC or FW (default GW).

We tried to configure the same security as for Guest (web/mac) but the web portal doesn't work (unreachable), only mac authentication works with the same result: L2 only.

2) Users from large sites (mobility anchor) can connect, but cannot obtain DHCP lease, L2 doesn't work.

3) The guest and new network configs are the same; the show client detail outputs are the same, including the same DHCP IP address.

No ACLs anywhere.

I suspect the problem might be because of mobility anchoring with shared WLC dynamic interface, however it is not prohibited.

I have a Cisco TAC case and they ask to collect SPANs of traffic from Core switch (vWLC and Firewall) without explaining what they want to find there if the client can't ping vWLC interface itself. 

7 Replies

Scott Fella
Hall of Fame

So if you revert back, everything works again, correct? So the only change is when you changed security from WPA2 to WPA3 only?

-Scott
*** Please rate helpful posts ***

Sorry if I didn't make it clear. We have two WLANs: old "Guest" which works fine and new "Refresh" which doesn't work despite the same settings. We didn't reconfigure Guest, but added Refresh.

Start simple.... with your new SSID, test with an open SSID, then PSK, then 802.1x if that is what you are using.  The issue can be with your WPA3, which I would test with a WPA2 not WPA2/WPA3 to see what happens. Anchoring to the same controller is fine, but why do you want to anchor your new SSID to the same interface on the anchor controller.  That would place clients on the same network.  Just make sure that your new test SSID is configured for open and it works.  If it doesn't, then you have to troubleshoot from there.

-Scott
*** Please rate helpful posts ***

Please read the problem description carefully.

1) I want to place my clients in the same network. I want to reuse VLAN, DHCP pool and firewall rules for new WLAN. 

2) Clients can connect and obtain a DHCP IP address. No, it doesn't work with open or any other kind of authentication (web portal/mac). The symptom is the same: no L3, can't ping WLC interface or FW (default GW).

Here is a piece of the show client detail output:

AP MAC Address................................... 4c:e1:76:18:00:00
AP Name.......................................... XXXX
AP radio slot Id................................. 1
Client State..................................... Associated
User Authenticated by ........................... Local Database
Client User Group................................
Client NAC OOB State............................. Access

Policy Manager State............................. RUN
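The thread turns on comparing "show client detail" for a working client (Guest) against a broken one (Refresh) and on reading Policy Manager State. The script below is an added example, not code from the original post, from Cisco or from TAC: it parses the dotted-leader listing quoted above into a dictionary, checks the fields the controller uses before it forwards client traffic (802.11 state, Policy Manager State, learned IP), and diffs two captures so that a field that silently differs stands out. The three captures are constructed to mimic the layout in the thread; MAC addresses, AP names, SSIDs and IPs are placeholders. The field names used are standard AireOS output fields, but the values are assumed.

```python
"""Parse and compare Cisco AireOS 'show client detail' output.

Added example for this thread; not code from the original post, from
Cisco, or from TAC. Captures below are constructed; MACs, AP names,
SSIDs and IPs are placeholders, not values from the poster's network.
"""
import re
from typing import Dict, List, Tuple

# One field per line: key text, a run of leader dots, then an optional value.
_FIELD_RE = re.compile(r"^(?P<key>.+?)\s*\.{3,}\s*(?P<value>.*)$")


def parse_client_detail(text: str) -> Dict[str, str]:
    """Turn the dotted-leader listing into {key: value}.

    Lines that do not match the key....value pattern (banners, blank lines,
    wrapped continuation text) are skipped, so a partial paste still parses.
    """
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        m = _FIELD_RE.match(raw.strip())
        if m:
            key = re.sub(r"\s+", " ", m.group("key")).strip()
            fields[key] = m.group("value").strip()
    return fields


def l3_ready(fields: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (ok, reasons) for the controller-side client state.

    A client the WLC has not moved to RUN (e.g. stuck in DHCP_REQD or
    WEBAUTH_REQD) is dropped at the controller even though 802.11
    association succeeded, which is the "L2 only" symptom in the thread.
    """
    reasons: List[str] = []
    state = fields.get("Client State", "<missing>")
    if state != "Associated":
        reasons.append(f"802.11 state is {state!r}, not Associated")
    pm_state = fields.get("Policy Manager State", "<missing>")
    if pm_state != "RUN":
        reasons.append(f"Policy Manager State is {pm_state!r}, not RUN")
    if fields.get("IP Address", "") in ("", "0.0.0.0", "Unknown"):
        reasons.append("controller has not learned a client IP address")
    return (not reasons, reasons)


# Per-client fields that are expected to differ between any two captures.
PER_CLIENT_FIELDS = ("Client MAC Address", "IP Address", "AP Name", "AP MAC Address")


def diff_client_detail(a: Dict[str, str], b: Dict[str, str],
                       ignore: Tuple[str, ...] = PER_CLIENT_FIELDS) -> Dict[str, Tuple[str, str]]:
    """Return {field: (value_in_a, value_in_b)} for every field that differs."""
    diffs: Dict[str, Tuple[str, str]] = {}
    for key in sorted(set(a) | set(b)):
        if key in ignore:
            continue
        va, vb = a.get(key, "<absent>"), b.get(key, "<absent>")
        if va != vb:
            diffs[key] = (va, vb)
    return diffs


# Constructed captures (placeholder values), in the thread's output layout.
GUEST_WORKING = """\
Client MAC Address............................... 00:11:22:33:44:01
Client Username ................................. N/A
AP MAC Address................................... 4c:e1:76:aa:bb:01
AP Name.......................................... SITE-A-AP01
Client State..................................... Associated
Wireless LAN Id.................................. 3
Wireless LAN Network Name (SSID)................. Guest
Mobility State................................... Export Anchor
IP Address....................................... 10.200.1.50
Policy Manager State............................. RUN
Security Policy Completed........................ Yes
"""

# Large-site case from the thread: anchored client never gets a DHCP lease.
REFRESH_ANCHORED = """\
Client MAC Address............................... 00:11:22:33:44:02
Client Username ................................. N/A
AP MAC Address................................... 4c:e1:76:aa:bb:02
AP Name.......................................... SITE-A-AP02
Client State..................................... Associated
Wireless LAN Id.................................. 4
Wireless LAN Network Name (SSID)................. Refresh
Mobility State................................... Export Anchor
IP Address....................................... Unknown
Policy Manager State............................. DHCP_REQD
Security Policy Completed........................ No
"""

if __name__ == "__main__":
    good, bad = parse_client_detail(GUEST_WORKING), parse_client_detail(REFRESH_ANCHORED)
    for name, f in (("Guest", good), ("Refresh", bad)):
        ok, why = l3_ready(f)
        print(f"{name}: {'forwarding' if ok else 'blocked'} {why}")
    for key, (va, vb) in diff_client_detail(good, bad).items():
        print(f"  {key}: {va!r} -> {vb!r}")
```

For the small-site case in the thread, where the client shows Associated, RUN and a learned IP yet still cannot ping the dynamic interface, `l3_ready` returns clean and the diff is empty apart from SSID and WLAN Id; that is the situation where the controller-side state no longer explains the failure and a packet capture on the wired side (what TAC asked for) is the next place to look.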

What I see.... your foreign controller is an appliance and your anchor is a vWLC.  Using a vWLC as an anchor is not supported which they will probably mention to you eventually.

[Client]--->[Remote Site WAP]--->[Foreign WLC]--->[Anchor vWLC]--->[DC Catalyst 9200]--->[FW+DHCP]--->[Internet]

https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn810mr11.html#wlc-vwlc

-Scott
*** Please rate helpful posts ***

That's great. No, they didn't pay attention to it.

And it is interesting how the old Guest works because vSwitch in ESXi doesn't support dynamic learning of MAC Addresses on vNICs according to the docs.

Thank you so much, I will accept it as a solution as soon as I have final confirmation from TAC.

Well... I didn't pay attention to it until I read your initial post again.  The problem is we tend to assume, which is bad:)

-Scott
*** Please rate helpful posts ***