Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5107
Views
35
Helpful
15
Replies

WLC2504 - Dynamic interface problem

Go to solution
Pavel Segec
Level 1
Level 1

‎03-15-2013 04:06 AM - edited ‎07-03-2021 11:44 PM

Hi,

I have problem with my WLC2504. My WLC is  connected through two ports (1 and 2 of four) to my distro switch, where  I have dot1q trunks configured. WLC is configured with Management interface  (IP address 192.168.255.9/24), over which my  LAPs are correctly joined.  However, once I'm trying to add additional Dynamic WLC interface, which  has VLAN TAG 10 and which I'd like to associate with my WLANS, my WLC  stop responding through GUI and SSH, but pings on the management and dynamic interface IP addresses are sucesfull. Just as a note, dynamic AP management is not enabled on mentioned dynamic interface. In a case when I enable dynamic AP management on the dynamic interface (activated also on management interface), GUI and SSH work, but I can not associated WLAN to the dynamic interface, only to the management one

Thanks for soon answer

palo73

1 person had this problem
Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎03-22-2013 08:28 AM

Gentlemen,

Thank you all for your responses. Pavel and I are colleagues at the same department and I suggested to Pavel to ask here on CSC for ideas about this pesky problem after we were unable to solve it ourselves after several days of experimenting.

We have eventually solved this and we'd like to share the solution. The problem actually wasn't directly caused by the WLC but rather by a couple of unfortunate coincidences.

To reiterate on the problem, we were faced with a loss of all but ICMP connectivity with the WLC immediately after we configured a dynamic interface on the WLC and placed it into 192.168.10.0/24 network on VLAN 10. This network is our internal departmental network - our idea was to have an SSID for wireless department clients that would be bridged onto the wired VLAN 10 into a single department network, hence the same IP network space. As we were configuring the WLC, we were accessing it under its management IP 192.168.255.9/24 in VLAN 255 from a PC in our 192.168.10.0/24 network. Routing between the 192.168.10.0/24 and 192.168.255.0/24 is done by an ASA box sitting on both these networks (VLANs). The logical topology resembles the following diagram:

The cause of the problem probably now starts to be obvious. The PC 192.168.10.222 was accessing the WLC at 192.168.255.9 while the WLC was configured with both 192.168.255.9/24 and 192.168.10.9/24. The PC was communicating with the WLC via the ASA box as its default gateway while the WLC responded to the PC directly, as it indeed was on the same subnet with the PC. The ASA saw the first TCP SYN from the PC towards the WLC but never saw the TCP SYN/ACK from the WLC back to the PC. When the TCP ACK from the PC towards the WLC arrived at the ASA box, it dropped it, preventing the TCP 3-way handshake from ever completing.

If the ASA was replaced with a common router not performing stateful firewalling, this issue would not have occured despite the asymmetrical routing. I have also verified that an IOS-based router running IP Inspect (CBAC) would cause the same connectivity issue.

It is interesting that if the WLC responds to ICMP ECHO messages in particular, it responds through the same interface through which the ICMP ECHO arrived, regardless of the source. In other words, pinging 192.168.255.9 from 192.168.10.9 worked because the WLC sent the reply via the ASA box 192.168.255.1 and not directly to 192.168.10.9. This fact was quite confusing during the troubleshooting, as it diverted our attention. Actually, we first started to suspect a problem in routing and reachability only after we moved the management PC from VLAN10 to VLAN255 and regained the IP connectivity with the WLC.

The easiest solution appears to be to simply bridge the wireless SSID onto a different VLAN than the one that will be (occassionally) used to manage the WLC, to force the WLC to always respond through the ASA when being managed.

I would like to sincerely thank to everyone that has joined this thread. Your effort is very much appreciated! It's almost a shame that the problem was this silly..

Thank you!

Best regards,

Peter

View solution in original post

0 Helpful
15 Replies 15

Go to solution
Amjad Abdullah
VIP Alumni
VIP Alumni

‎03-16-2013 01:29 AM

Where do you map the dynamic interface you create? to which physical port?

You have same issue with only one physical port connected?

What is the default vlan on the neighbor switch? what is the VLAN tag for the management interface on the WLC?

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"

Go to solution
Stephen Rodriguez
Cisco Employee
Cisco Employee
In response to Amjad Abdullah

‎03-16-2013 04:41 AM

Are you in VLAN 10?

The WLC by default does not respond on dynamic interfaces for management.

Steve

Sent from Cisco Technical Support iPhone App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Go to solution
Pavel Segec
Level 1
Level 1
In response to Amjad Abdullah

‎03-20-2013 03:52 AM

Hi,

management is mapped to potr 1 and dynamic to port 2 of the WLC

palo73

0 Helpful

Go to solution
Pavel Segec
Level 1
Level 1
In response to Amjad Abdullah

‎03-20-2013 10:23 AM

Amjad, I've just tried port 1 and 2, no others. On the switch side as the native vlan is vlan 1, on the wlc I do not know how to check this. I've assigned both interface to use right vlan tags, 255 for management respectively 10 for dynamic port

palo73

0 Helpful

Go to solution
George Stefanick
VIP Alumni
VIP Alumni

‎03-16-2013 11:03 AM

Can you post the switch config and the WLC show run-config

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Go to solution
Pavel Segec
Level 1
Level 1
In response to George Stefanick

‎03-20-2013 05:34 AM

Hi,

here are the files

palo73

15356741-core-b-kis-confg.txt.zip
0 Helpful

Go to solution
Scott Fella
Hall of Fame
Hall of Fame

‎03-20-2013 06:06 AM

Palo73,

If your inning v7.4 in the 2504, you can enable LAG and configure the two switch ports in an etherchannel. If you don't have v7.4 then you have to define the primary port and the backup port on the 2504. Then on the trunk port you have to allow only the vlans you have for that port. So if you have your management using port 1 as primary and port 2 as backup and then your dynamic interface has port 1 as backup and port 2 as primary it should work. You have to define port 2 for something. Usually if you don't have v7.4 you only need one port connected to the switch. If you want to use more than one port, you need to define the primary and backup and only allow the vlans.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Go to solution
Pavel Segec
Level 1
Level 1
In response to Scott Fella

‎03-20-2013 07:23 AM

Scott,

I'm running 7.3. However...configuring backup port is just an optional feature, right? It should but also does need to be used...anyway, I tried, see show, and no answer

>show interface detailed management

Interface Name................................... management

MAC Address...................................... 3c:ce:73:d8:40:80

IP Address....................................... 192.168.255.9

IP Netmask....................................... 255.255.255.0

IP Gateway....................................... 192.168.255.1

External NAT IP State............................ Disabled

External NAT IP Address.......................... 0.0.0.0

VLAN............................................. 255

Quarantine-vlan.................................. 0

Active Physical Port............................. 1

Primary Physical Port............................ 1

Backup Physical Port............................. 2

Primary DHCP Server.............................. 158.193.152.2

Secondary DHCP Server............................ Unconfigured

DHCP Option 82................................... Disabled

ACL.............................................. Unconfigured

AP Manager....................................... Yes

Guest Interface.................................. No

L2 Multicast..................................... Enabled

0 Helpful

Go to solution
Scott Fella
Hall of Fame
Hall of Fame

‎03-20-2013 07:25 AM

It is optional but there is no need to connect port 2 of the WLC if your not defining it to be used.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Go to solution
Pavel Segec
Level 1
Level 1
In response to Scott Fella

‎03-20-2013 10:05 AM

Well, i've associate both interfaces, management and dynamic, to the same physical port, did not work. I was deleted dynamic interface...web management become available :-(

When I'll create a new dynamic interface with enabled  Dynamic AP Management, GUI works, but I can not associate WLAN with the dynamic imterface.

0 Helpful

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to Pavel Segec

‎03-20-2013 10:13 AM

Post your show run-config... its something either configured on the WLC or your switch.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Go to solution
Pavel Segec
Level 1
Level 1
In response to Scott Fella

‎03-20-2013 10:20 AM

look above...there are text files with wlc and 3560 running configs

0 Helpful

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎03-22-2013 08:28 AM

Gentlemen,

Thank you all for your responses. Pavel and I are colleagues at the same department and I suggested to Pavel to ask here on CSC for ideas about this pesky problem after we were unable to solve it ourselves after several days of experimenting.

We have eventually solved this and we'd like to share the solution. The problem actually wasn't directly caused by the WLC but rather by a couple of unfortunate coincidences.

To reiterate on the problem, we were faced with a loss of all but ICMP connectivity with the WLC immediately after we configured a dynamic interface on the WLC and placed it into 192.168.10.0/24 network on VLAN 10. This network is our internal departmental network - our idea was to have an SSID for wireless department clients that would be bridged onto the wired VLAN 10 into a single department network, hence the same IP network space. As we were configuring the WLC, we were accessing it under its management IP 192.168.255.9/24 in VLAN 255 from a PC in our 192.168.10.0/24 network. Routing between the 192.168.10.0/24 and 192.168.255.0/24 is done by an ASA box sitting on both these networks (VLANs). The logical topology resembles the following diagram:

The cause of the problem probably now starts to be obvious. The PC 192.168.10.222 was accessing the WLC at 192.168.255.9 while the WLC was configured with both 192.168.255.9/24 and 192.168.10.9/24. The PC was communicating with the WLC via the ASA box as its default gateway while the WLC responded to the PC directly, as it indeed was on the same subnet with the PC. The ASA saw the first TCP SYN from the PC towards the WLC but never saw the TCP SYN/ACK from the WLC back to the PC. When the TCP ACK from the PC towards the WLC arrived at the ASA box, it dropped it, preventing the TCP 3-way handshake from ever completing.

If the ASA was replaced with a common router not performing stateful firewalling, this issue would not have occured despite the asymmetrical routing. I have also verified that an IOS-based router running IP Inspect (CBAC) would cause the same connectivity issue.

It is interesting that if the WLC responds to ICMP ECHO messages in particular, it responds through the same interface through which the ICMP ECHO arrived, regardless of the source. In other words, pinging 192.168.255.9 from 192.168.10.9 worked because the WLC sent the reply via the ASA box 192.168.255.1 and not directly to 192.168.10.9. This fact was quite confusing during the troubleshooting, as it diverted our attention. Actually, we first started to suspect a problem in routing and reachability only after we moved the management PC from VLAN10 to VLAN255 and regained the IP connectivity with the WLC.

The easiest solution appears to be to simply bridge the wireless SSID onto a different VLAN than the one that will be (occassionally) used to manage the WLC, to force the WLC to always respond through the ASA when being managed.

I would like to sincerely thank to everyone that has joined this thread. Your effort is very much appreciated! It's almost a shame that the problem was this silly..

Thank you!

Best regards,

Peter

0 Helpful

Go to solution
Pavel Segec
Level 1
Level 1

‎03-22-2013 09:06 AM

I would like thanks to all too

palo73

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card