
WLC 2504 - Can't access CLI or GUI from a different subnet

G3000LEE
Level 1

Hi All,

I have read a few posts with the same issue, but none really had a solution.
I can only access WLC when connected to the same VLAN (103)


This is in a test environment and I didn't have this issue on the 2100, vWLC and other WLCs. I have noticed there isn't a Route option to configure the WLC to reach other subnets like on other models. I was thinking this is a routing issue where the WLC doesn't know a route back.

 

I would like to access the WLC from the LAB LAN MGMT subnet. Basically, I want the 172.16.100/24 subnet to access/manage the WLC via GUI/CLI

 

WLC mgmt IP = 172.16.103.100 (VLAN 103)
WLC Gateway/3850 switch = 172.16.103.253
LAN MGMT = 172.16.100.0/24

 

(Cisco Controller) >show interface summary
Number of Interfaces.......................... 3
Interface Name Port Vlan Id IP Address Type Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
management 1 103 172.16.103.100 Static Yes No
virtual N/A N/A 192.1.2.3 Static No No
vlan104 1 104 172.16.104.100 Dynamic No No


APPLIED THE BELOW:
(Cisco Controller) >config network mgmt-via-dynamic-interface enable
(Cisco Controller) >config network mgmt-via-wireless enable
(Cisco Controller) >save config
Are you sure you want to save? (y/n) y


THE CORE SWITCH CAN PING WLC:
LAB-CORE#ping 172.16.103.100 source vlan 100
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
LAB-CORE#ping 172.16.104.100 source vlan 100
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms


LAPTOP ON LAN MGMT SUBNET CAN NOT PING WLC:
MacBook-Pro ~ % ifconfig | grep 172.16.
inet 172.16.100.163 netmask 0xffffff00 broadcast 172.16.100.255

MacBook-Pro ~ % ping 172.16.103.100
PING 172.16.103.100 (172.16.103.100): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2

 

MacBook-Pro ~ % ping 172.16.104.100
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2


TRACEROUTE FAILS FROM CORE SWITCH:
LAB-CORE#traceroute 172.16.103.100
1 * * *
2 * * *


leemac18@LeeMac18s-MacBook-Pro ~ % ifconfig | grep 172.16.
inet 172.16.100.163 netmask 0xffffff00 broadcast 172.16.100.255
leemac18@LeeMac18s-MacBook-Pro ~ %
leemac18@LeeMac18s-MacBook-Pro ~ % ping 172.16.103.100
PING 172.16.103.100 (172.16.103.100): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C
--- 172.16.103.100 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
leemac18@LeeMac18s-MacBook-Pro ~ % ping 172.16.104.100
PING 172.16.104.100 (172.16.104.100): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2

 

I CAN PING THE GATEWAY OF THE WLC AND THE LAN MGMT FROM MACBOOK

MacBook-Pro ~ % ping 172.16.103.253
64 bytes from 172.16.103.253: icmp_seq=0 ttl=255 time=2.520 ms
64 bytes from 172.16.103.253: icmp_seq=1 ttl=255 time=2.730 ms

MacBook-Pro ~ % ping 172.16.100.253
64 bytes from 172.16.100.253: icmp_seq=0 ttl=255 time=2.925 ms
64 bytes from 172.16.100.253: icmp_seq=1 ttl=255 time=3.072 ms

22 Replies

To summarise:

From the MacBook, you are able to ping the gateway; from the WLC, you are able to ping the gateway.

From the MacBook, you are able to ping the gateway of the WLC (I hope that SVI is on the same LAN core switch).

MacBook to WLC: no reachability.

Lab core switch.

Can you provide the below information:

 

show ip arp

show ip interface brief

show ip route

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Just to mention, I am OK when it comes to route and switching, but Wireless isn't my day-to-day job.

That's why I have this lab testing the 2504.

 

I have set up vWLC, 2106 and even 9800 WLC, and this is the only one I have had issues with.

 

LAB-CORE#show ip int brie
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES NVRAM administratively down down
Vlan100 172.16.100.253 YES NVRAM up up
Vlan103 172.16.103.253 YES manual up up

 

LAB-CORE#show ip arp vlan 100
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.16.100.253 - c07b.bcd8.d4d1 ARPA Vlan100
Internet 172.16.100.6 226 00e0.8626.31e6 ARPA Vlan100
Internet 172.16.100.1 69 c4c6.0353.5142 ARPA Vlan100
Internet 172.16.100.2 64 f09e.63f6.8e41 ARPA Vlan100
Internet 172.16.100.163 3 00e0.4c69.d1ad ARPA Vlan100


LAB-CORE#show ip arp vlan 103
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.16.103.253 - c07b.bcd8.d4dd ARPA Vlan103
Internet 172.16.103.100 22 d0c2.82de.9220 ARPA Vlan103
Internet 172.16.103.30 24 00e0.4c69.d1ad ARPA Vlan103
Internet 172.16.103.48 0 7872.5df7.030e ARPA Vlan103
Internet 172.16.103.62 0 0042.68fc.0220 ARPA Vlan103


LAB-CORE#show ip route 172.16.103.100
Routing entry for 172.16.103.0/24
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via Vlan103
Route metric is 0, traffic share count is 1


LAB-CORE#show ip route
171.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 171.17.109.0/24 is directly connected, Vlan901
L 171.17.109.253/32 is directly connected, Vlan901
172.16.0.0/16 is variably subnetted, 17 subnets, 2 masks
C 172.16.1.1/32 is directly connected, Loopback1
C 172.16.100.0/24 is directly connected, Vlan100
L 172.16.100.253/32 is directly connected, Vlan100
C 172.16.103.0/24 is directly connected, Vlan103
L 172.16.103.253/32 is directly connected, Vlan103
C 172.16.104.0/24 is directly connected, Vlan104
L 172.16.104.253/32 is directly connected, Vlan104
C 172.16.105.0/24 is directly connected, Vlan105
L 172.16.105.253/32 is directly connected, Vlan105
C 172.16.110.0/24 is directly connected, Vlan110
L 172.16.110.253/32 is directly connected, Vlan110
C 172.16.112.0/24 is directly connected, Vlan112
L 172.16.112.253/32 is directly connected, Vlan112
C 172.16.120.0/24 is directly connected, Vlan120
L 172.16.120.253/32 is directly connected, Vlan120
C 172.16.121.0/24 is directly connected, Vlan121
L 172.16.121.253/32 is directly connected, Vlan121
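
One check the ARP tables posted above invite, as an added example that is not part of any poster's reply: the script parses IOS `show ip arp` rows and reports any hardware address learned on more than one VLAN interface. The rows are copied from the two tables in the thread; the function names are illustrative.

```python
import re
from collections import defaultdict

# Rows copied from the two "show ip arp" tables posted in the thread.
ARP_OUTPUT = """\
Internet 172.16.100.253 - c07b.bcd8.d4d1 ARPA Vlan100
Internet 172.16.100.6 226 00e0.8626.31e6 ARPA Vlan100
Internet 172.16.100.1 69 c4c6.0353.5142 ARPA Vlan100
Internet 172.16.100.2 64 f09e.63f6.8e41 ARPA Vlan100
Internet 172.16.100.163 3 00e0.4c69.d1ad ARPA Vlan100
Internet 172.16.103.253 - c07b.bcd8.d4dd ARPA Vlan103
Internet 172.16.103.100 22 d0c2.82de.9220 ARPA Vlan103
Internet 172.16.103.30 24 00e0.4c69.d1ad ARPA Vlan103
Internet 172.16.103.48 0 7872.5df7.030e ARPA Vlan103
Internet 172.16.103.62 0 0042.68fc.0220 ARPA Vlan103
"""

# Protocol, address, age in minutes ("-" for the switch's own SVI), MAC, type, interface.
ROW = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<intf>\S+)$",
    re.IGNORECASE,
)

def parse_arp(text):
    """Yield (ip, age, mac, interface); age is None for the switch's own entries."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            age = None if m["age"] == "-" else int(m["age"])
            yield m["ip"], age, m["mac"].lower(), m["intf"]

def macs_on_multiple_interfaces(text):
    """Return {mac: [(interface, ip, age), ...]} for MACs learned on more than one interface."""
    seen = defaultdict(list)
    for ip, age, mac, intf in parse_arp(text):
        if age is not None:  # skip the SVI's own addresses
            seen[mac].append((intf, ip, age))
    return {mac: rows for mac, rows in seen.items()
            if len({intf for intf, _, _ in rows}) > 1}

if __name__ == "__main__":
    for mac, rows in macs_on_multiple_interfaces(ARP_OUTPUT).items():
        print(mac)
        for intf, ip, age in rows:
            print(f"  {intf:8} {ip:16} age {age} min")
```

On the posted tables it reports 00e0.4c69.d1ad, learned as 172.16.100.163 on Vlan100 and as 172.16.103.30 on Vlan103, so the adapter used for the failing pings has recently been seen in both subnets.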

thank you for the information.

 

By the way, what core switch is this? Post the below information:

show version

show ip route (again, without editing; as below, I am more interested to see the bold one below)

 

#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is XXXXXXXXXX to network 0.0.0.0

 

 

You also mentioned in the OP "LAN MGMT = 192.178.100.0/24". What VLAN is this?

Then we can suggest what is to be done.

BB


This is a lab environment so no access to the outside

 

LAB-CORE#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

171.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 171.17.109.0/24 is directly connected, Vlan901
L 171.17.109.253/32 is directly connected, Vlan901
172.16.0.0/16 is variably subnetted, 17 subnets, 2 masks
C 172.16.1.1/32 is directly connected, Loopback1
C 172.16.100.0/24 is directly connected, Vlan100
L 172.16.100.253/32 is directly connected, Vlan100
C 172.16.103.0/24 is directly connected, Vlan103
L 172.16.103.253/32 is directly connected, Vlan103
C 172.16.104.0/24 is directly connected, Vlan104
L 172.16.104.253/32 is directly connected, Vlan104
C 172.16.105.0/24 is directly connected, Vlan105
L 172.16.105.253/32 is directly connected, Vlan105
C 172.16.110.0/24 is directly connected, Vlan110
L 172.16.110.253/32 is directly connected, Vlan110
C 172.16.112.0/24 is directly connected, Vlan112
L 172.16.112.253/32 is directly connected, Vlan112
C 172.16.120.0/24 is directly connected, Vlan120
L 172.16.120.253/32 is directly connected, Vlan120
C 172.16.121.0/24 is directly connected, Vlan121
L 172.16.121.253/32 is directly connected, Vlan121

 

 

Regarding: You also mentioned OP "LAN MGMT = 192.178.100.0/24"  what VLAN is this ?

This was a typo. I have corrected this in the post now. Lan mgmt is 172.16.100.0/24

show version (you missed this information)

Another quick question here: are you able to ping any other VLAN devices (any VLAN) from the MacBook, for clarity (except the WLC)?

 

BB


At the moment there aren't any other devices apart from a couple of switches which can be pinged.

 

 

cisco WS-C3850-48T (MIPS) processor with 4194304K bytes of physical memory.
Processor board ID FOC1744U188
10 Virtual Ethernet interfaces
52 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
250456K bytes of Crash Files at crashinfo:.
1609272K bytes of Flash at flash:.
0K bytes of Dummy USB Flash at usbflash0:.
0K bytes of at webui:.

Base Ethernet MAC Address : c0:7b:bc:d8:d4:80
Motherboard Assembly Number : 73-14444-05
Motherboard Serial Number : FOC1XX37XXX
Model Revision Number : L0
Motherboard Revision Number : C0
Model Number : WS-C3850-48T
System Serial Number : FOC1744XXXX


Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 56 WS-C3850-48T 03.06.03E cat3k_caa-universalk9 INSTALL

This is weird behavior. If you can ping the gateway, then you should ping the WLC and access it. When it comes to this point, I'd start to think about sniffing ports. You could enable a port SPAN on the WLC trunk port and put a Wireshark on it just to see if the ping comes and goes or not.

If you see the ping coming to the WLC port and not being replied to, I'd start to think about upgrading it to a newer version or maybe starting from zero again.

 

The WLC is on the latest software.
