
WLC 2504 access problem.

sn00p
Level 1

Hi.

I have two WLC2504 controllers working in HA N + 1.
There are several SSIDs and vlans on them.


A few days ago, after changing the addresses of the management interfaces (and VLANs) on both, I've lost access to the WebGUI from my current VLAN.

Now I cannot access the WebGUI address, which is in Vlan55.
My PC is in Vlan99 and I can successfully ping the WLCs' addresses.
Interestingly, I can access the WebGUI from other VLANs (e.g. Vlan2, Vlan100).

 

Any ideas?


balaji.bandi
Hall of Fame

This looks to me like 2 problems.

1. Either it could be a routing issue somewhere.

2. Or it could be an ACL on the WLC for VLAN 99.

"Interestingly, i can access WebGui from other vlans (ex. Vlan2, Vlan100)." (With the same device you are using in VLAN 99?)

Check and compare your path for VLAN 2/100 vs VLAN 99.

 

 

BB

***** Rate All Helpful Responses *****


Can it be a routing issue if ping works well?

 

Path is the same for all vlans:

host -> gateway -> WLC

 

I don't recall any ACLs on the WLC...

Where to check it?

As far as I know, the RMI, PRMI and management interface must all be in the same subnet for HA SSO.

 

Cisco 2504 WLCs don't support real full HA.

They can only be configured as PRIMARY and SECONDARY, so there's no such thing as RMI.

Both devices have their own mgmt addresses.

Or did I miss something?

The 2504 doesn't support SSO or have RMI, so don't worry about that. You changed the management IP, so what you should do is validate HTTPS in the same VLAN as the new management. If that is successful, then validate that you don't have any CPU ACL in place, or if you do, make sure it's not blocking any subnet. If that is verified and/or not enabled, try a few different subnets to see which have access and which don't. Like what was mentioned already, there can be an ACL somewhere that is blocking access to that subnet.

-Scott
*** Please rate helpful posts ***

joyaljp
Level 1

This seems to be a policy issue. Check if there is any policy configured for your VLAN99 and VLAN55 where your gateway is located. If the gateway is a firewall check if HTTPS is allowed and if it's in a switch, check the access lists for both VLANs.

sn00p
Level 1

Ok it's getting funnier.

I can't access my WLCs from VLAN99 via Ethernet cable (192.168.99.5), but I can from VLAN99 (192.168.99.6) via WiFi...

I guess that problem is caused by some rules on my FortiGate (gateway).

However, there's no ACL on WLC.


I'll hit you up guys with the solution.

By default, the controller will not allow access if the subnet is part of any of the interfaces. So, for example, if the subnet of the device trying to access the controller is on one of the dynamic interfaces, the controller will reject access. If you need access from your management or dynamic interfaces, then you need to allow that.

config network mgmt-via-dynamic-interface enable

-Scott

This command didn't resolve the problem.

Still can't access management.
