External Web auth conversation exiting wrong interface

pematthe (Level 1)

All, I have two very similar configurations; one works, the other doesn't.

As the title says, I am dealing with WLC web auth to an external server. I have a guest network and a management network on different VLANs (100 and 88 respectively) in the WLC and to the router, an ASA. The ASA is the default router for both.

The client connects and a redirection attempt takes place, but the web page is not served.

The WLC has a virtual interface of 1.1.1.1 and a name with an associated DNS entry. Certificates are not the issue. All I can currently debug is the connection status from the ASA, and I see an attempted connection between the client and the external web server via the interface connected to VLAN100, and then I see an error saying no connection between the client and the external web server from the ASA management interface (VLAN88). There should be no interaction with VLAN88! I know there is an intercept and redirection with https://1.1.1.1/login.html, but that should be handled by the WLC.

ASA log output

6    Feb 20 2017    19:45:13    302013    172.16.100.28    62477    155.56.x.x    443    Built outbound TCP connection 296160 for outside:155.56.210.43/443 (155.56.x.x/443) to INSIDE_VLAN100:172.16.100.28/62477 (192.168.50.56/62477)

Followed by.....

6    Feb 20 2017    19:45:13    106015    172.16.100.28    62477    155.56.x.x    443    Deny TCP (no connection) from 172.16.100.28/62477 to 155.56.x.x/443 flags RST  on interface INSIDE_VLAN88

As I said, I have an almost identical set-up on another controller.

Not working - WLC 2504 with 8.2.110.0

Working - WLC 5508 with 8.3.102.0

ASA is also mostly identical with same OS and minor variations in the config.  I have tried making the VLANs the same security level but it makes no difference.  I'm not convinced it is an ASA problem as the errors are seen referring to the VLAN88 - management interface of the WLC.

Ideas and debug options?

rgds

1 Reply

pematthe (Level 1)

I'll answer my own question as I fixed it. It might help someone else who stumbles with similar symptoms.

I should have known this as I've done the config many times.  I didn't add the pre-auth ACLs incorrectly.

The ACLs need to be added in both directions even though the config has its own switch to state "direction = any".

Adding a second set of ACLs with the source and destination reversed made all the difference and, by jingo, it worked.
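The symmetrical pre-auth ACL the reply describes, written out as an added example in WLC 8.x CLI syntax; this is not the poster's configuration. The ACL name GUEST-PREAUTH, WLAN id 2 and the guest subnet 172.16.100.0/24 are assumptions, the external server address is a placeholder because the page masks it, and the lines starting with "!" are annotations rather than WLC commands.

```cisco
! Pre-auth ACL for the guest WLAN: permit the captive-portal exchange to the
! external web-auth server in BOTH directions before the client authenticates.
config acl create GUEST-PREAUTH

! Rule 1: guest client subnet (VLAN100) -> external web-auth server, HTTPS
config acl rule add GUEST-PREAUTH 1
config acl rule action GUEST-PREAUTH 1 permit
config acl rule source address GUEST-PREAUTH 1 172.16.100.0 255.255.255.0
config acl rule destination address GUEST-PREAUTH 1 <EXT-WEBAUTH-IP> 255.255.255.255
config acl rule protocol GUEST-PREAUTH 1 6
config acl rule destination port range GUEST-PREAUTH 1 443 443
config acl rule direction GUEST-PREAUTH 1 any

! Rule 2: the same flow with source and destination reversed (server -> client).
! Even with direction "any", the return traffic needs its own permit entry.
config acl rule add GUEST-PREAUTH 2
config acl rule action GUEST-PREAUTH 2 permit
config acl rule source address GUEST-PREAUTH 2 <EXT-WEBAUTH-IP> 255.255.255.255
config acl rule destination address GUEST-PREAUTH 2 172.16.100.0 255.255.255.0
config acl rule protocol GUEST-PREAUTH 2 6
config acl rule source port range GUEST-PREAUTH 2 443 443
config acl rule direction GUEST-PREAUTH 2 any

! Commit the ACL and bind it as the web-auth pre-authentication ACL of the guest WLAN
! (the WLAN must be disabled while its security settings change)
config acl apply GUEST-PREAUTH
config wlan disable 2
config wlan security web-auth acl 2 GUEST-PREAUTH
config wlan enable 2

! Verify both rules exist and watch their hit counters while a client is being redirected
show acl detailed GUEST-PREAUTH
```

If the portal is reached by name, the guest resolver's DNS traffic needs the same pair of permit rules; that is omitted here because the post does not report DNS as part of the fault.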
