WLC 5508 not working with Small Business security Appliance SA 520

zeeshan iqbal
Level 1

Cisco 5508 is a new Wireless LAN Controller supporting the new 802.11ac Gigabit wireless. This has been plugged into the LAN port (trunk) of a Small Business Security Appliance SA 520. The default VLAN 1, which is for management, works fine, but the data VLAN does not work.

 

However, I can ping from the WLC to the SA 520 on the data VLAN, but there is no ping from the SA 520. Also, wireless clients connected to the AP 2702 cannot connect to the SA 520 on the data VLAN as their gateway.

 

Both have the latest firmware. Are these devices compatible?

 

Any suggestion?

 

 


LJ Gabrillo
Level 5

Hi

I am assuming that your DATA VLAN is another VLAN that you have configured on the WLC.

Please make sure of the following:
1. You have configured the correct WLAN interface
2. You have assigned the correct WLAN interface on your SSID
3. The DHCP of your users (Where is it located btw?) if on the WLC, verify if it's on the correct subnet and is enabled
 

Also, considering that it is a security appliance, verify the following:
1. You have configured the necessary policies to and fro the AP and WLC
     - Note that CAPWAP traffic should be allowed. To avoid any issues, just allow to-and-fro communication between WLC and AP, e.g., two policies: one WLC->AP and another AP->WLC

2. Of course, the necessary policies to allow traffic

PS: Compatibility is not an issue. Note that your SMB appliance serves as a connection of the WLC. You should have no issues integrating the two.

If it's not much, kindly rate helpful posts :)
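The two-way CAPWAP policy described in the post above, as an added example that is not part of the original thread: a first-match evaluation of a rule table that reports which CAPWAP flows between an AP and the WLC would be dropped. CAPWAP uses UDP 5246 (control) and 5247 (data) on the controller per RFC 5415; the addresses, rule tables and function names are constructed for illustration, and the firewall is modelled as stateless.

```python
from ipaddress import ip_address, ip_network

CAPWAP_PORTS = {5246: "control", 5247: "data"}  # UDP ports on the controller (RFC 5415)
AP_SRC_PORT = 49152  # constructed: the AP picks its own source port

# Constructed rule tables, first match wins: (action, proto, src, dst, sport, dport).
# None means "any". All addresses are made up for the example.
RULES_BROKEN = [  # only the control channel is allowed
    ("allow", "udp", "10.0.1.0/24", "10.0.1.10/32", None, 5246),
    ("allow", "udp", "10.0.1.10/32", "10.0.1.0/24", 5246, None),
    ("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None, None),
]
RULES_FIXED = [  # control and data channels, both directions
    ("allow", "udp", "10.0.1.0/24", "10.0.1.10/32", None, 5246),
    ("allow", "udp", "10.0.1.0/24", "10.0.1.10/32", None, 5247),
    ("allow", "udp", "10.0.1.10/32", "10.0.1.0/24", 5246, None),
    ("allow", "udp", "10.0.1.10/32", "10.0.1.0/24", 5247, None),
    ("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None, None),
]

def decide(rules, proto, src, dst, sport, dport):
    """Action of the first rule matching the packet; implicit deny otherwise."""
    for action, r_proto, r_src, r_dst, r_sport, r_dport in rules:
        if (r_proto in ("any", proto)
                and ip_address(src) in ip_network(r_src)
                and ip_address(dst) in ip_network(r_dst)
                and r_sport in (None, sport)
                and r_dport in (None, dport)):
            return action
    return "deny"

def capwap_gaps(rules, wlc, ap):
    """Return the CAPWAP flows between one AP and the WLC that would be dropped."""
    gaps = []
    for port, role in CAPWAP_PORTS.items():
        # AP -> WLC: destination is the controller's fixed CAPWAP port.
        if decide(rules, "udp", ap, wlc, AP_SRC_PORT, port) != "allow":
            gaps.append(f"AP->WLC udp dport {port} ({role})")
        # WLC -> AP: the controller answers from that same port.
        if decide(rules, "udp", wlc, ap, port, AP_SRC_PORT) != "allow":
            gaps.append(f"WLC->AP udp sport {port} ({role})")
    return gaps

if __name__ == "__main__":
    for name, rules in (("broken", RULES_BROKEN), ("fixed", RULES_FIXED)):
        print(name, capwap_gaps(rules, "10.0.1.10", "10.0.1.21") or "no gaps")
```
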

Hi Gabrillo, 

Thanks for your reply.

Yes, DATA VLAN is another VLAN that you have configured on the WLC. However, DHCP is sitting on the Small Business SA 520 for this data VLAN. Where should this DHCP ideally be sitting?

 

Also, an interesting point is that the WLC can ping the firewall on the data VLAN but the firewall cannot ping back to the WLC. Please be informed that the firewall is the gateway for both VLANs, untagged and tagged. All devices (WLC, APs, firewall) are connected to an SMB switch ESW-520.

I have no firewall policy for WLC -> AP and AP->WLC, but clients connected to the AP can ping the WLC on the data VLAN (temporarily assigning the client a static data VLAN IP address).

Another hint: this setup works fine for standalone APs Cisco 541 (where the data VLAN with tag 20 is individually defined on each access point and there is no WLC). We are just upgrading it to .11ac WLC 5508 and .11ac APs 2702i.

Best Regards,

 

For your queries:

1. Where this DHCP should be sitting ideally?
     -It really does not matter, but make sure you have set your WLAN interface DHCP option to this IP
     ->Verify if your WLAN interface has the correct DHCP pointer AT: Controller->Interfaces-><Go to the created interface>->DHCP Servers  ---Make sure the IP of your DHCP server e.g., your SMB is pointed, also make sure WLC reaches the SMB

2. For isolation's sake, I would recommend disabling DHCP on your SMB, and create the DHCP on the WLC; it is still in the AT: Controller->Internal DHCP Server. Again, make sure your WLAN interface is now pointing to the mgmt. IP of the WLC since, well, the WLC is now the DHCP server

If the WLC can ping the appliance but not vice-versa then something must be blocking it. Additionally, have you set the gateway IP of the WLC? Please verify

We cannot compare the standalone deployment to the WLC deployment, since again, traffic is centrally switched, while autonomous/standalone is locally switched

Thank you again for your suggestion. Makes sense to me. I am working on it but no joy.

Could it be something to do with data VLAN encryption, as this is a WLC 5508 and the APs are 2702i?

Also, you mentioned to allow CAPWAP traffic through the firewall. I really don't understand this bit; is there any port to allow inbound and outbound on its LAN interface, or allow the data VLAN subnet?

It all works fine on the management VLAN, which is the default untagged VLAN.

Cheers and thanks for your time

At the very least you should be able to get an IP address since your DHCP is now the WLC. Kindly verify your WLC settings; there must be something missing

1. Have you assigned the correct WLAN interface? AT: Controllers->Interfaces
2. Have you updated the DHCP server setting on the WLAN interface? Make sure to manually enable DHCP Proxy; instead of the 'Global setting', set it to 'enable' for isolation
3. Have you assigned that WLAN interface to the SSID? ->Most people miss this AT: WLAN->WLANs
 

Hi Gabrillo,

I reset WLC, switch and Firewall to factory default and re-configured. All seems fine.

Thanks for your replies. I marked your reply as the correct answer because you were right from the start; there are no compatibility issues. Also, your replies were to the point, helpful and technically very strong.

Best Regards,

 

No Problem
Glad to be of assistance
