cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6152
Views
1
Helpful
6
Replies

Unable To access WLC management GUI from another WLC Dynamic interface.

Eugene Ng
Level 1
Level 1

I have two WLC 5508 running 8.0x firmware, and they are in the same mobility group.The second WLC was only installed recently.

the management IP is in 192.168.x.x/24 for both WLC. Both have Mgmt via Wireless turned on.

 when i try accessing the first  WLC GUI is it is ok,and i am  associated with a AP that joins to First WLC.

Then i noticed i could not access the second WLC GUI, not even SSH but i can ping.

The problem also occurs vice versa. Eg: Connected to AP thats joins to Second WLC, can access Second WLC GUI, cannot access first WLC GUI.

For both cases, i am connected to an SSID that is from a dynamic interface. Eg: 10.10.x.x/16 .

Any idea if i am missing out  any extra configuration?

6 Replies 6

Eugene Ng
Level 1
Level 1

I got this from cisco 4400 Controller, however does this applies in the 5508 controller?

http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/69561-wlc-faq.html

Q. With the Management via Wireless feature enabled on wireless LAN controllers (WLCs) in a mobility group, I can only access one WLC from that mobility group, but not all. Why?

A. This is an expected behavior. When enabled, the Management via Wireless feature allows a wireless client to reach or manage only the WLC to which its associated access point is registered. The client cannot manage other WLCs, even though these WLCs are in same mobility groups. This is implemented for security, and recently was tightened down to just the one WLC in order to limit exposure.

The Cisco WLAN Solution Management over Wireless feature allows Cisco WLAN Solution operators to monitor and configure local WLCs using a wireless client. This feature is supported for all management tasks, except uploads to and downloads from (transfers to and from) the WLC.

This can be enabled through the WLC CLI with the config network mgmt-via-wireless enable command.

On the GUI, click Management; from the left-hand side click Mgmt Via Wireless, and check the box Enable Controller Management to be accessible from Wireless Clients.

Note: When you enable this option, you can expose the data. Ensure that you have enabled a proper authentication and encryption scheme.

Guy's, I don't think this is still the case and honestly I can't remember that being the case, but could have been? Am leaving for vacation as we speak, so a short answer will have to do.

Management via Wireless is not a feature that's updated with as part of Mobility Messaging, and it's best practice to use ACL's, to prevent users from accessing any network management interface due to this feature only working if clients are associated to an AP, managed by the WLC, with this feature enabled.

So in your scenario really you should be able to manage WLC2 from a client on WLC1 even if mgmt via wireless is not enabled on WLC2, because that feature is controller dependent. This is why it's best practice to use ACL's to prevent untrusted users from accessing management networks.

Be sure to check any Wired/Wireless ACL's, that's a large subnet /16 you have identified, maybe something is blocking part of it? When the mgmt via wireless feature is disabled it's common to be able to ping, but not SSH, or HTTPS so check your association is the correct WLC and feature is enabled. Remember wireless ACLs can be applied at several locations, WLAN level, Interface level, Pre-Auth (if web auth), CPU ACL (where you want to apply to prevent users accessing the box), and AAA Override, etc.

Also What if you associate to AP on WLC2, can you access WLC2 via management?

Hope this helps.

Nope No ACL, i took it all out on the dynamic interface and management interface, both sides.

Yes AP associate to WLC2, i can access WLC2 via mgmt.

I even bring down the mobility group to test if i can manage both, and i still can't.

Disabling/enabling the Management via Wireless does not help.

the reason why i am accessing the management via a dynamic interface is for convenience, i just want to check if anyone face the same issue as me.The  8.0.121.0 release notes does not mention anything about this.

Sandeep Choudhary
VIP Alumni
VIP Alumni

As per my experience.. you can only access the WLC from which your AP(Client connected AP) is connected.

Regards

Don't forget to rate helpful posts

I know this is an old post, but I wanted to share what I recently found while troubleshooting management from wireless issues.  The behavior I was seeing was this.  I have several controllers with management interfaces all on the same vlan, say vlan100. I have wireless user vlans configured on several controllers, say vlan200,201,202, etc. All controllers are configured to allow management from wireless.  There is a firewall between the wlan controllers and the rest of the LAN, and the firewall is the default gateway for all controller vlan interfaces. The WLAN controllers are running 8.5.135.0 code.

 

When associated to an AP on Controller 1, on vlan201, I can access controller 1 management interface via HTTPS and ssh, no problem.  However, I could not access Controller 2 management interface via HTTPS or ssh, but I could ping it. I don't believe the reason is that Cisco "locked down" the ability to manage a different controller from wireless other than the one the wireless client is associated to.

 

What I found is that when my client machine sent packets to controller 2 mgmt interface, the path was from wifi adapter thru AP thru Controller 1 to FW on vlan201, then out FW on vlan100 to controller 2 mgmt.  The return path from controller 2 to client was from controller vlan201 dynamic interface directly to controller vlan201 dynamic interface to the AP and to the client.

 

For ping (ICMP) echo and echo reply traffic, this will work just fine even though the forward path was thru the firewall and the reverse was not.  For TCP traffic however, the behavior of the firewall caused the communication to fail.  In this case, the firewall used TCP randomization to change the sequence numbers on the client and server sides as the packets passed thru it. This is a security feature that protects against attackers trying to predict future sequence and acknowledgement numbers and intercept/hijack communications. The FW was a Cisco ASA running 9.3 code.

 

The result was a TCP connection attempt where the client sent SYN with seq "abc", the FW changed it to seq "jki", and forwarded on to controller. The controller sent ACK with seq"pqr" and ack "jki" (acknowledging the SYN packet) directly to client via the common vlan201 path between the controllers, bypassing the firewall. The client received the ACK with ack "jki", when it was expecting and acknowlegement for "abc", and immediately sent a RST back to the controller.

 

The same behavior was seen with both ssh and HTTPS management traffic as they both use TCP.  The reason the asymmetric path was taken, is for the return path, controller 2 broadcast an ARP request for the mac address for my client machine, on vlan201. The arp request is directed to my client by the wireless infrastructure (the controller or the AP, I have not confimed which yet) and my client replies with it's mac back to controller 2. So before controller 2 sent the SYN ACK, it inserted the client MAC into the frame and forwarded it out the vlan201 dynamic interface, directly through controller 1 and up to the AP, instead of inserting the FW mac address for the mgmt vlan100 gateway and sending the packet out vlan100.

 

I believe this issue would still exist even if the firewall did not use TCP randomization, as long as the firewall tracked state in the flows. Without TCP randomization, my client would have accepted the SYN ACK instead of sending a RST, and sent the final ACK in the handshake, thru the firewall, but the firewall would have blocked the ACK since it never saw the SYN ACK, and the RST would likely have come from the firewall as it killed the invalid connection.  If there were no firewall, or if the "firewall" was really just ACL=based and not stateful, then I do not think this asymmetry would prevent the management the same way.

 

I am still trying to think of a scenario where this behavior might break communication other than Administration of the controllers from wireless vlans, which is more of a nuisance than an issue for us, as we can either connect via ethernet or remote into another machine when trying to manage a different controller than the one you are associated to.  It seems this might cause issues if one roams from an AP on one controller to an AP on another controller if the controllers share the same dynamic vlans, and if there is TCP traffic traversing a firewall between clients on either controller.  However, in well-designed wireless networks, I don't think this would commonly occur. In our case, we are preparing to migrate from three 5508 controllers to an HA pair of 5520's, so that is why we have shared dynamic vlans between the controllers. Once migrated, we will not have the old 5508's to manage and this will not be an issue any more.

Maybe this is the solution? Connect to the closest IP address of the WLC.

Configuring Management using Dynamic Interfaces (CLI) Dynamic interface is disabled by default and can be enabled if needed to be also accessible for most or all of management functions. Once enabled, all dynamic interfaces are available for management accessto controller. You can use access control lists (ACLs) to limit this access as required. 

Enable or disable management using dynamic interfaces by entering this command:

config network mgmt-via-dynamic-interface {enable | disable}

Review Cisco Networking for a $25 gift card