2014 Views | 0 Helpful | 18 Replies

Guest Access issue

mrshabbs (Level 1)

I am trying to configure Guest Access. I have a 5508 WLC inside the LAN (wlc01) and a dedicated 5508 guest access WLC (wlc02) behind the firewall in the DMZ. My Mobility group status is showing as control path down, data down. I have therefore performed some tests to confirm IP connectivity between controllers. IP connectivity fails in one direction. It is here where I am seeing strange results. Below is the ipconfig of the controllers and the results:

wlc01 ip 10.106.1.90
  mgmt interface 10.106.1.90, 255.255.255.0, gateway 10.106.1.5

wlc02 ip 192.168.1.250
  mgmt interface 192.168.1.250, 255.255.255.0, gateway 192.168.1.254

firewall 10.106.4.10

1) I can ping wlc02 to wlc01 (DMZ to LAN)

2) I can ping wlc01 to firewall (LAN to FW)

3) I cannot ping wlc01 to wlc02 (LAN to DMZ), however see (4) below

4) I have configured a client with IP 10.106.1.94, 255.255.255.0, gateway 10.106.1.5. I can ping wlc02 from this client (LAN to DMZ).

So in a nutshell I cannot ping the dmz controller from the LAN controller, but I can ping the DMZ controller from a client on the same subnet as the LAN controller.

Before I can confirm that protocol 97 and UDP 16666, 16667 are flowing between controllers I wanted to confirm basic IP connectivity.

Any suggestions welcome!

18 Replies

Scott Fella (Hall of Fame)

Do you see the FW dropping packets? Try to open up everything from wlc01 and wlc02 first, or do an eping or mping.

Make sure that the DMZ and local WLC in the wired network are reachable. Use mobility pings (eping and mping) to test.

  • Mobility ping over UDP: this test runs over mobility UDP port 16666 and tests whether the mobility control packet can be reached over the management interface. Command: mping mobility_peer_IP_address
  • Mobility ping over EoIP: this test runs over EoIP (IP protocol 97) and tests the mobility data traffic over the management interface. Command: eping mobility_peer_IP_address

Note: Only one mobility ping test per controller can be run at a given time.

  • If there is a firewall present, make sure that UDP port 16666 and IP protocol 97 are opened for communication between the WLCs.
-Scott
*** Please rate helpful posts ***
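The firewall requirement above (UDP 16666, and 16667 as listed in the original post, plus IP protocol 97) has to hold in both directions, because each controller originates its own keepalives. The following is an added example, not code from the thread or from Cisco: a small rule evaluator that takes a constructed first-match firewall policy between the two management addresses in the thread and reports which mobility flows are not permitted. The `Rule` model, the `CONSTRUCTED_POLICY` rules and the function names are assumptions made for the illustration.

```python
"""Added example (not from the thread): check that a firewall policy permits the
WLC mobility flows named in the thread (UDP 16666/16667 and IP protocol 97, EoIP)
in BOTH directions between two controller management addresses.
The policy model and the sample rules below are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

UDP = 17    # IP protocol number for UDP (mobility control path)
EOIP = 97   # IP protocol number for Ethernet-over-IP (mobility data path)


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: Optional[int]   # IP protocol number, None = any protocol
    dport: Optional[int]   # destination port for UDP/TCP, None = any port


def first_match(rules: List[Rule], src_ip: str, dst_ip: str,
                proto: int, dport: Optional[int] = None) -> str:
    """Return the action of the first rule matching the flow; implicit deny otherwise."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if s not in ipaddress.ip_network(r.src) or d not in ipaddress.ip_network(r.dst):
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


# Flows a mobility peering needs, as listed in the thread: (label, protocol, dst port).
REQUIRED_FLOWS: List[Tuple[str, int, Optional[int]]] = [
    ("udp", UDP, 16666),
    ("udp", UDP, 16667),
    ("eoip", EOIP, None),
]


def missing_mobility_flows(rules: List[Rule], wlc_a: str, wlc_b: str):
    """List (src, dst, flow) tuples the policy does not permit.
    Keepalives are initiated by each controller, so every flow is checked both ways."""
    missing = []
    for src, dst in ((wlc_a, wlc_b), (wlc_b, wlc_a)):
        for label, proto, port in REQUIRED_FLOWS:
            if first_match(rules, src, dst, proto, port) != "permit":
                missing.append((src, dst, label if port is None else f"{label}/{port}"))
    return missing


# Constructed sample policy using the thread's management addresses: the LAN->DMZ
# direction is only half opened and the DMZ->LAN control path is not opened at all.
CONSTRUCTED_POLICY = [
    Rule("permit", "10.106.1.90/32", "192.168.1.250/32", UDP, 16666),
    Rule("permit", "10.106.1.90/32", "192.168.1.250/32", EOIP, None),
    Rule("permit", "192.168.1.250/32", "10.106.1.90/32", EOIP, None),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None, None),   # explicit catch-all deny
]

if __name__ == "__main__":
    for src, dst, flow in missing_mobility_flows(CONSTRUCTED_POLICY,
                                                 "10.106.1.90", "192.168.1.250"):
        print(f"not permitted: {src} -> {dst} {flow}")
```

Read the output alongside the mobility pings: mping exercises the UDP 16666 control path and eping the protocol 97 data path, so a policy gap in either row above shows up as exactly the "control path down" or "data down" state the original post reports.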

Hi

Thanks for the reply.

No, when I ping from wlc01 to wlc02 the packets do not reach the FW. I cannot see where the packets are dropped. Neither can I understand why I can ping wlc02 from a client on the same subnet as wlc01.

Date: Fri, 2 Dec 2011 15:33:05 -0700
Re: Guest Access issue created by Scott Fella in Other Wireless - Mobility Subjects

Scott Fella (Hall of Fame)

Check your management interface configuration again and also your switchport configuration.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Scott Fella (Hall of Fame)

You can ping wlc01 from any other subnet in your internal LAN?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Yes, wlc1 is pingable from anywhere inside the LAN and from guest wlc2 (DMZ). wlc1 can ping the FW but not guest wlc2 behind the firewall. Is it not possible to traceroute from wlc1? Mgmt interface configured OK (I can ping this from anywhere inside the LAN and from guest wlc2 in the DMZ). To confirm: no packets reaching the FW from wlc1, but packets reaching the FW from a client (same gateway as the mgmt interface) on the same subnet as wlc1. Mobility Group created (DMZ guest wlc2 anchored to itself, wlc1 anchored to guest wlc2 in the DMZ). Control path down, data path down on the mobility group.


So your mping and eping fail then. You can't traceroute from the WLC. You don't have any ACLs in place that might be blocking, and have you tried to open the FW up between the two WLCs?

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

eping & mping fail.

No ACLs in place.

FW has been opened up.

In WCS there is an option when configuring a controller to run a ping. I have just run this ping repeatedly from wlc1 (LAN) to the guest wlc2 (DMZ), and at the same time I rebooted guest wlc2. My ping was successful before, during and after rebooting guest wlc2. How can this be?

wlc1 is plugged directly into the core router. From this core router I cannot ping guest wlc2. So why is it that I can ping guest wlc2 from within WCS but from nowhere on the LAN, including the core?


Did you reboot wlc1?

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Yes, just after. The FW guys are adamant that this issue is due to the config on wlc1 because I can ping guest wlc2 from a client configured with the same mask/gateway as wlc1. I am stumped!


If you take wlc2 off the network and you can still ping the IP, then you have a duplicate address somewhere. The same goes for wlc1.

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

You must have a duplicate IP address.

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Have looked at the static routes on the core and nothing resembling the guest wlc2 address.


It can be a device. What about your DHCP pool, did you exclude the WLC IP? If you look at your switch log, you would see duplicate address errors.

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
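The duplicate-address theory above can be confirmed from two independent sources rather than by pulling a controller off the network: the switch log (Cisco IOS reports a conflicting claimant with a `%IP-4-DUPADDR` syslog message naming the IP, the interface and the other MAC) and successive ARP-table snapshots, where one IP resolving to more than one MAC over time is the same symptom. The following is an added example and not code from the thread or from Cisco; the log lines, the ARP snapshots and every MAC address in it are constructed, and only the two IPs come from the thread.

```python
"""Added example (not from the thread): flag a duplicate IP address from
(1) Cisco IOS %IP-4-DUPADDR syslog messages and (2) successive ARP-table
snapshots in which one IP maps to more than one MAC. The log lines, MACs and
snapshots are constructed; only the IP addresses come from the thread."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# IOS message form: %IP-4-DUPADDR: Duplicate address <ip> on <intf>, sourced by <mac>
DUPADDR_RE = re.compile(
    r"%IP-4-DUPADDR: Duplicate address (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"on (?P<intf>\S+), sourced by (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
)


def duplicates_from_syslog(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each IP the switch reported as duplicated to the sorted MACs it blamed."""
    hits = defaultdict(set)
    for line in lines:
        m = DUPADDR_RE.search(line)
        if m:
            hits[m["ip"]].add(m["mac"])
    return {ip: sorted(macs) for ip, macs in hits.items()}


def duplicates_from_arp(snapshots: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Given ARP snapshots (ip -> mac) taken over time, return IPs seen with >1 MAC.
    An IP that flips between MACs as a host reboots is the classic duplicate sign."""
    seen = defaultdict(set)
    for snap in snapshots:
        for ip, mac in snap.items():
            seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


# Constructed switch log: two DUPADDR hits for the guest WLC's address, one unrelated line.
CONSTRUCTED_SYSLOG = [
    "Dec  3 12:04:56.311: %IP-4-DUPADDR: Duplicate address 192.168.1.250 on Vlan100, sourced by 0011.2233.4455",
    "Dec  3 12:05:10.002: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up",
    "Dec  3 12:06:44.120: %IP-4-DUPADDR: Duplicate address 192.168.1.250 on Vlan100, sourced by 0011.2233.4455",
]

# Constructed ARP snapshots: before and after the guest WLC reboot, the same IP
# answers from a different (hypothetical) MAC, while the gateway entry is stable.
CONSTRUCTED_ARP_SNAPSHOTS = [
    {"192.168.1.250": "00aa.bbcc.dd01", "192.168.1.254": "00aa.bbcc.ddff"},
    {"192.168.1.250": "0011.2233.4455", "192.168.1.254": "00aa.bbcc.ddff"},
]

if __name__ == "__main__":
    print("syslog:", duplicates_from_syslog(CONSTRUCTED_SYSLOG))
    print("arp:   ", duplicates_from_arp(CONSTRUCTED_ARP_SNAPSHOTS))
```

The syslog view only names the device the switch considered the intruder; the ARP view shows both claimants, which is what you need to track the offending MAC back to a switchport. A DHCP pool that does not exclude the controller address is one way the second claimant appears, as the reply above notes.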

If you don't want to take wild stabs at what the problem could be, just go get a wired port SPAN of the switchport the WLC connects to. Same for the DMZ. Just go track down where your packets are or are not making it. This beats the hell out of guessing what your problem is, if you can go prove where your packet is and isn't making it.

If you want to capture "debug mobility keepalive enable" (from both WLCs) and attach it here, we can at least determine who is or is not hearing whom. You'd likely still need wired captures to track it down, but at least it lets you know which direction your problem lies.

Honestly, almost every case I've worked where a firewall was involved, the packets would hit the FW and not go out the other end, even though the security team was adamant it wasn't their issue. If you can prove the packets hit the FW and don't come out, that's something the FW will have to explain the reason for.
