Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2065
Views
0
Helpful
15
Replies

Cisco WLC 5508 WebGui and SSH not available in routed network

markus.bock
Level 1
Level 1

‎01-08-2020 02:43 AM - edited ‎07-05-2021 11:30 AM

Hello,

we have moved internal vlan routing from core switch to cisco asa. 

Since the routing is moved I cannot access the web gui and ssh of our wireless controller 5508 over the management interface which is placed in another vlan where my client is.

I can ping it and in the internal firewall (ASA5545X) in the log a SSL or SSH session has been created successfully. But in my webbrowser is shown that the webinterface is not reachable.

When I put my client in the management VLAN where the wlan controller is pleaced in, I can access the controller via web or ssh.

 

Does anybody know a solution for this?

Labels:
0 Helpful
15 Replies 15

marce1000
VIP
VIP

‎01-08-2020 03:59 AM

 

 - Well clearly you need to review the ASA policy so that the client can get access to the management VLAN and or the controller-only if you want to narrow things down. All routing tables should be correct too.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Jaderson Pessoa
VIP Alumni
VIP Alumni

‎01-08-2020 04:06 AM

Well,

If just trough ASA it doesnt work.. certainly it is a policy that need be reviewed.
Jaderson Pessoa
*** Rate All Helpful Responses ***
0 Helpful

markus.bock
Level 1
Level 1
In response to Jaderson Pessoa

‎01-08-2020 04:30 AM

I have tried it with an ANY rule but it still does not work.

In the management vlan i have several switches and the access is working via https and ssh.

Routing should be ok because I got response via icmp and the gateway is correctly configured on the wlc.

I have configured the service ports on the wlc cluster and I can access the service ports, which are configured in other vlans too, without problem. But I need webGUI access on the management interface

 

 

 

 

0 Helpful

Jaderson Pessoa
VIP Alumni
VIP Alumni
In response to markus.bock

‎01-08-2020 04:35 AM

please, share here the configuration of wlc.
Jaderson Pessoa
*** Rate All Helpful Responses ***
0 Helpful

markus.bock
Level 1
Level 1
In response to Jaderson Pessoa

‎01-08-2020 04:54 AM

Here is the config

Thanks and kind regards

Preview file
18 KB
0 Helpful

Jaderson Pessoa
VIP Alumni
VIP Alumni
In response to markus.bock

‎01-08-2020 05:13 AM

config interface address management 192.168.0.120 255.255.0.0 192.168.0.1 this is the management network used to access your controller.

if you is connected directly to this network, works.. right? but when you want access it trough an other network using your ASA, it doesn't work, right?

share asa configuration here... please.
Jaderson Pessoa
*** Rate All Helpful Responses ***
0 Helpful

markus.bock
Level 1
Level 1
In response to Jaderson Pessoa

‎01-08-2020 05:18 AM

Yes, 192.168.0.120 is the management IP Address

 

It could not be a problem or config missmatch on the asa because all Switches in 192.168.0.0 network using the same gateway and access via https and ssh is working. 

The problem must be by the controller because I have enabled telnet and it does not work too.

0 Helpful

Jaderson Pessoa
VIP Alumni
VIP Alumni
In response to markus.bock

‎01-08-2020 05:37 AM

well.. i cant see any problem in your wlc configuration.. if you can post asa configuration.. certainly it will help us.

from controller, please... ping it own gateway 192.168.0.1 and trace route to a device from where you are trying accesst web gui.
Jaderson Pessoa
*** Rate All Helpful Responses ***
0 Helpful

markus.bock
Level 1
Level 1
In response to Jaderson Pessoa

‎01-08-2020 05:41 AM

In the screenshot attached you can see from asa log the successful https connection to the controller

Ping and traceroute are shown correctly. Same like a traceroute to a switch

Preview file
47 KB
0 Helpful

markus.bock
Level 1
Level 1
In response to markus.bock

‎01-08-2020 05:44 AM

I can ping the gateway from controller cli. 

But when I do a ping to another network, the controller uses his service ports ip address

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to markus.bock

‎01-08-2020 07:07 AM

The service port should not be connected to the network. If it is connected to the network, then there should be no routing between the service port and the management interface of the controller. It does seem like the issue is with the asa as that was the only change.
-Scott
*** Please rate helpful posts ***
0 Helpful

Jaderson Pessoa
VIP Alumni
VIP Alumni
In response to markus.bock

‎01-08-2020 08:06 AM

you need put your service port in other network "non routeable" or different network from your corporate network. as our friend said @Scott Fella
Jaderson Pessoa
*** Rate All Helpful Responses ***
0 Helpful

patoberli
VIP Alumni
VIP Alumni
In response to Jaderson Pessoa

‎01-10-2020 07:12 AM

If all of this doesn't help, you don't do any NAT on the ASA, right?
0 Helpful

markus.bock
Level 1
Level 1
In response to Jaderson Pessoa

‎01-11-2020 11:45 AM

As far as I know it is not possible to put the service port into the same network as the management port.

My service port is in a different network and I do no NAT between the networks

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card