06-21-2013 03:10 AM - edited 07-04-2021 12:16 AM
Hi,
We have a setup whereby we have an internal WLC (Cisco 5508) and a Guest WLC (Cisco 4402) in the DMZ. The Guest SSID in the internal WLC is anchored back to the Guest WLC in the DMZ (the guest DMZ also serves as DHCP). We seem to have problems with this recently, with users complaining that they get limited access or are not able to get the redirection page (web page certificates - redirection to 1.1.1.1).
Does anyone know if the Cisco 5508 controllers / Cisco 4400 running DHCP have any problems with this?
Thanks
06-21-2013 03:37 AM
Hi,
When this problem occurs, you check the DNS server that serves the guest network to see if it's down. Also you need to clarify that it's not corporate users not reporting the problem, as the home page would default to your corporate page, and it's only when you open an external website that the web authentication page will show up.
Are you using the internal web authentication page or an external web server?
06-21-2013 04:00 AM
Just to add... Also look to see if your mobility happens to go down. If it does, then the anchoring breaks and the guest will be placed in the interface that you have specified on the internal WLC for the guest SSID
06-21-2013 04:15 AM
We are using internal web authentication. The DNS server is Google's IP. The users are trying to use an external website and not an internal one.
Regarding the mobility breaking, it's a good point, but I don't think it goes down that often, as users seem to get the error quite often and I can't see that there are that many mobility breaks in the logs - it does happen, but occasionally.
Any other thoughts? I read about this eap bcast-key-interval seconds - at the moment it's set to 3600 sec - will this help if I increase this?
Thanks
06-21-2013 04:17 AM
Can you post your show WLAN?
06-21-2013 04:44 AM
Attached. Also, does increasing the user timeout help?
06-21-2013 05:11 AM
I don't think it would... first off, the inside or foreign wlc should only anchor to the guest anchor wlc and the guest wlc should anchor to itself... Looks like the 5508 also is anchored to itself. I would also disable dhcp required for now and see if that helps.
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered"
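Added example, not part of any post in this thread and not Cisco code: a small Python check of the anchoring rule stated in the reply above (the foreign WLC anchors only to the guest anchor, the guest anchor anchors only to itself), run over the "Mobility Anchor List" section of `show wlan` output. The column spacing, the function names and the foreign controller address 192.0.2.10 are assumptions; the thread never gives the internal controller's IP.

```python
import re

# Anchor list as posted in the thread (spacing constructed), treated here as the
# guest anchor's own output; 192.168.50.250 is taken to be the guest anchor.
ANCHOR_WLC = """\
Mobility Anchor List
 WLAN ID     IP Address            Status
 -------     ---------------       ------
  4           192.168.50.250        Up
  4           192.168.60.250        Up
"""
# Constructed foreign-WLC output: 192.0.2.10 is a placeholder for its own address.
FOREIGN_WLC = ANCHOR_WLC.replace("192.168.60.250", "192.0.2.10")

ROW = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s*$")

def parse_anchors(text):
    """Return [(wlan_id, ip, status)] for the rows under 'Mobility Anchor List'."""
    rows, in_list = [], False
    for line in text.splitlines():
        if "Mobility Anchor List" in line:
            in_list = True
        elif in_list:
            m = ROW.match(line)
            if m:
                rows.append((int(m.group(1)), m.group(2), m.group(3)))
            elif rows:
                break  # first non-row line after the table ends it
    return rows

def audit(role, own_ip, text, guest_anchors):
    """role is 'foreign' or 'anchor'; returns a list of rule violations."""
    anchors, findings = parse_anchors(text), []
    for wlan, ip, status in anchors:
        if role == "foreign" and ip == own_ip:
            findings.append(f"WLAN {wlan}: foreign WLC anchored to itself ({ip})")
        elif role == "foreign" and ip not in guest_anchors:
            findings.append(f"WLAN {wlan}: {ip} is not a known guest anchor")
        elif role == "anchor" and ip != own_ip:
            findings.append(f"WLAN {wlan}: guest anchor points at another controller ({ip})")
        if status.lower() != "up":
            findings.append(f"WLAN {wlan}: anchor {ip} status is {status}")
    if role == "anchor" and own_ip not in {ip for _, ip, _ in anchors}:
        findings.append("guest anchor is not anchored to itself (local)")
    return findings
```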
06-21-2013 05:12 AM
With webauth, the client has to get an IP address prior to even getting a splash page. If the client device gets an IP address but doesn't get the splash page, then it's a DNS issue.
Thanks,
Scott
06-21-2013 05:20 AM
Thanks Scott, I had a look and can confirm that the inside WLC is anchored to the guest WLC and the guest WLC is anchored to itself (local).
I have tried disabling DHCP required and no joy.
06-21-2013 05:38 AM
The config shows it is anchored to itself.... I'm assuming that 50.250 is the 4400 and 60.250 is the 5508?
Mobility Anchor List
WLAN ID IP Address Status
------- --------------- ------
4 192.168.50.250 Up
4 192.168.60.250 Up
How big is the dhcp scope? since this is guest, you try to lower the lease to like 4 hours or 8 hours?
Thanks,
Scott
06-21-2013 05:40 AM
That's a different controller, Scott. The internal controller IP is different from 60.250. I have increased the DHCP scope to 4 hours already.
06-21-2013 05:48 AM
Okay, so what is 60.250? Why are you anchoring to that? If this is a redundant guest anchor setup, then make sure the dhcp scopes on the two wlc are split and not overlapping.
Thanks,
Scott
06-21-2013 07:27 AM
That is for the OfficeExtend controller, which is another WLC apart from the two in question.
We have only 1 DHCP scope, which is on 50.250.
What I have noticed is that if I connect to it and then disconnect and immediately connect to it, then I get limited access. But if I leave it for 60 sec or more and then try connecting to it, it seems to connect sometimes (I have a client exclusion timer of 60 sec, so not sure if this is causing this?).
I also noticed that the time is a bit different (the internal controller is running an hour and a few mins slower than the DMZ controller) - will this cause a problem?
Have you come across this unexpected behavior?
Thanks
06-21-2013 09:40 AM
Well, if you're connecting to another SSID and then trying to connect to the guest SSID or vice versa, you need to enable fast SSID change or else you have to wait 60 seconds. The time should be set properly no matter what..... NTP should be used if possible.
Thanks,
Scott
06-24-2013 03:15 AM
I have set it to NTP and the NTP server is running the correct time and serves all our devices, but just the internal WLC alone does not seem to pick up summer time (the time is correct but running an hour behind, though it gets time from the NTP server) - do I have to enable summer time from somewhere?
Fast SSID was enabled on the internal WLC and I have enabled it now on the DMZ WLC.
Thanks