Flexconnect over Internet, possible?

Dave Anthony David · ‎09-15-2012

I can't use Officeextend because i'm using vWLC.

vWLC is sitting at DMZ, CAPWAP Data + Control Port allowed in FW.

vWLC is configured with NATted public ip address

3500 AP at other side of internet is associated to vWLC

Flexconnect with Local Switching is doing fine.

I'm having problem with Central Switching, wireless client can see the SSID (open auth) but can't connect.

No logs seen vWLC GUI Monitor > Clients

So I'm thinking if this is possible?

Dave

Dave Anthony David · ‎09-15-2012

Just to add, latency is 23ms (min) and 90ms (max) from AP to vWLC

Scott Fella · ‎09-15-2012

Well never tried it with the vWLC, but I have tested APs connecting in local mode, FlexConnect and OfficeExtend with no issues using local or centrally switched. What does the client show in the monitor tab? Are they in the run state and in the correct vlan?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Dave Anthony David · ‎09-15-2012

No client. Not even attempt.

Scott Fella · ‎09-15-2012

Have you tried it locally with an ap joined with the vWLC instead of over the Internet.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Dave Anthony David · ‎09-15-2012

within my local network via Flexconnect mode, yes and its woking properly.

Scott Fella · ‎09-15-2012

Try to issues this command, but your APs does join just an issue with your clients. Have you tested with more than one FlexConnect ap or just one.

config network ap-discovery nat-ip-only disable

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Dave Anthony David · ‎09-15-2012

Already tried that command.. Enabling and disabling.. Still doesn't work.

I have 3500/3600 AP over the net.

Sent from Cisco Technical Support iPhone App

Scott Fella · ‎09-15-2012

Are you anchoring the SSID to another vWLC or a WLC? You mentioned that the vWLC is in the dmz, so the question is, where is the vlan the centrally switched SSID is mapped to, is it in the dmz.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Dave Anthony David · ‎09-15-2012

I have two vWLC, 1 is foreign and the other one is anchor.

But this specific SSID is not anchored.

SSID settings is mapped to VLAN 120 which reside at my core switch. I can ping the gateway of the VLAN120 from my anchor vWLC.

I have another 1131 AP terminated locally (within my network) and joined to this anchor vWLC.

Wireless client can connect to this SSID without any problem (whether Centrally or Locally Switched)

Sent from Cisco Technical Support iPhone App

Scott Fella · ‎09-15-2012

I'm just trying to understand your setup. The only difference from local located APs and over the internet is the up the ap joins. so the FlexConnect ap joins a vWLC in the dmz and the SSID that is centrally switched is allowed through the firewall to the inside network. This ssid is not anchored to the other foreign wlc. So on the vWLC in the dmz you can't see any client info from that SSID. I would do a debug mac address of the client. Can you make sure that there is nothing specified in the mobility anchor of the SSID and also if your using ap groups verify the setting there.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Peter Nugent · ‎09-16-2012

vWLC does not support anchor controller. Its in the release notes as unsupported.

http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn73.html#wp973325

Dave Anthony David · ‎09-17-2012

Hi Scott, you understand my setup correctly. By the way, is there a change if you can try this with your LAB?

Still I can't make it work. I'm just curious if this will work in your LAB.

vWLC (inside) <-> ASA outside <-> internet <-> any home based internet router <-> AP (could be 1131, 3500, 3600.. etc)