Palo Alto FW - DMZ Anchor

craiglebutt
Level 4

Have an Anchor WLC 5520 running 8.5.0.140 and a Foreign WLC running 8.0.152.

Running a 1-legged solution; the Anchor is in a DMZ on a Palo Alto, and the mobility anchor is up and working.

Traffic is breaking out on a layer 2 connection to a 3rd party web filtering solution.

A client PC will get the 172.16.*.* address from the DHCP server running on the 3rd party servers, so all DNS and DHCP are working.

Windows devices seem to work; the issue is with Android and Apple devices.

I’ve put an AP on the anchor WLC and tested; all traffic flows as it should, and Android and Apple devices open a web portal which is on the 3rd party devices.

I reconfigured this to a 2-legged solution: removed the LAG, port 2 to the DMZ switch and port 1 to distribution.

Created the anchors again and tested.

This was the same for Prime: policies to allow Prime to talk to the WLC and a return policy, with all services and apps available just to get it to work, didn't work. As soon as it was on a 2-legged build, it worked with no issue.

No issues; Android and Apple worked as they should, so the issue seemed to be with the Palo Alto.

The issue is that the customer doesn’t want a 2-legged solution; they want it all behind the Palo Alto.

The CAPWAP tunnel was up; it seemed to be a timeout issue for Android and Apple.

Has anyone seen this before? I can’t see it being a WLC issue.


patoberli
VIP Alumni
Can the clients ping the primary gateway? Can they ping the NAT device?
Can they ping each other?
Do the phones get the same policy as the working Windows clients?