03-15-2013 04:06 AM - edited 07-03-2021 11:44 PM
Hi,
I have a problem with my WLC2504. My WLC is connected through two ports (1 and 2 of four) to my distro switch, where I have dot1q trunks configured. The WLC is configured with a Management interface (IP address 192.168.255.9/24), over which my LAPs are correctly joined. However, once I try to add an additional dynamic WLC interface, which has VLAN tag 10 and which I'd like to associate with my WLANs, my WLC stops responding through the GUI and SSH, but pings to the management and dynamic interface IP addresses are successful. Just as a note, dynamic AP management is not enabled on the mentioned dynamic interface. In the case when I enable dynamic AP management on the dynamic interface (it is also activated on the management interface), the GUI and SSH work, but I cannot associate a WLAN with the dynamic interface, only with the management one.
Thanks for a quick answer
palo73
Solved! Go to Solution.
03-22-2013 08:28 AM
Gentlemen,
Thank you all for your responses. Pavel and I are colleagues at the same department and I suggested to Pavel to ask here on CSC for ideas about this pesky problem after we were unable to solve it ourselves after several days of experimenting.
We have eventually solved this and we'd like to share the solution. The problem actually wasn't directly caused by the WLC but rather by a couple of unfortunate coincidences.
To reiterate on the problem, we were faced with a loss of all but ICMP connectivity with the WLC immediately after we configured a dynamic interface on the WLC and placed it into 192.168.10.0/24 network on VLAN 10. This network is our internal departmental network - our idea was to have an SSID for wireless department clients that would be bridged onto the wired VLAN 10 into a single department network, hence the same IP network space. As we were configuring the WLC, we were accessing it under its management IP 192.168.255.9/24 in VLAN 255 from a PC in our 192.168.10.0/24 network. Routing between the 192.168.10.0/24 and 192.168.255.0/24 is done by an ASA box sitting on both these networks (VLANs). The logical topology resembles the following diagram:
The cause of the problem probably now starts to be obvious. The PC 192.168.10.222 was accessing the WLC at 192.168.255.9 while the WLC was configured with both 192.168.255.9/24 and 192.168.10.9/24. The PC was communicating with the WLC via the ASA box as its default gateway while the WLC responded to the PC directly, as it indeed was on the same subnet with the PC. The ASA saw the first TCP SYN from the PC towards the WLC but never saw the TCP SYN/ACK from the WLC back to the PC. When the TCP ACK from the PC towards the WLC arrived at the ASA box, it dropped it, preventing the TCP 3-way handshake from ever completing.
If the ASA was replaced with a common router not performing stateful firewalling, this issue would not have occurred despite the asymmetrical routing. I have also verified that an IOS-based router running IP Inspect (CBAC) would cause the same connectivity issue.
It is interesting that if the WLC responds to ICMP ECHO messages in particular, it responds through the same interface through which the ICMP ECHO arrived, regardless of the source. In other words, pinging 192.168.255.9 from 192.168.10.9 worked because the WLC sent the reply via the ASA box 192.168.255.1 and not directly to 192.168.10.9. This fact was quite confusing during the troubleshooting, as it diverted our attention. Actually, we first started to suspect a problem in routing and reachability only after we moved the management PC from VLAN10 to VLAN255 and regained the IP connectivity with the WLC.
The easiest solution appears to be to simply bridge the wireless SSID onto a different VLAN than the one that will be (occasionally) used to manage the WLC, to force the WLC to always respond through the ASA when being managed.
I would like to sincerely thank everyone that has joined this thread. Your effort is very much appreciated! It's almost a shame that the problem was this silly.
Thank you!
Best regards,
Peter
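The failure Peter describes can be reproduced with a small model: a stateful firewall that only passes TCP segments matching the handshake state it has seen, and hosts that use a connected route in preference to their default gateway. The following is an added example written for this thread, not configuration or code from the poster, Cisco, or the ASA; the PC (192.168.10.222), the WLC management address (192.168.255.9/24), its dynamic address (192.168.10.9/24) and the ASA's VLAN 255 address (192.168.255.1) are taken from the thread, while the ASA's VLAN 10 address (192.168.10.1) and the alternative SSID subnet in the fixed scenario (192.168.20.0/24) are constructed assumptions.

```python
"""Constructed model of the asymmetric-routing failure from the thread:
a stateful firewall sits between the management PC's subnet and the WLC's
management subnet, while the WLC also owns an address on the PC's subnet.
The firewall logic is a simplification written for this example, not ASA code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface


@dataclass
class Host:
    name: str
    addrs: list       # ip_interface objects, one per VLAN the host sits in
    gateway: str      # default gateway (the firewall) for non-connected prefixes

    def next_hop(self, dst: str) -> str:
        """Connected route wins: a destination on one of our own subnets is
        reached directly, everything else goes to the default gateway."""
        d = ip_address(dst)
        for a in self.addrs:
            if d in a.network:
                return "direct"
        return self.gateway


class StatefulFirewall:
    """Minimal TCP state machine: a flow is created by a SYN and every later
    segment must be the one the firewall expects next.  An ACK for a flow
    whose SYN/ACK was never seen does not fit and is dropped, which is the
    behaviour the thread observed on the ASA."""
    NEXT = {"SYN_SEEN": "SYN/ACK", "SYNACK_SEEN": "ACK", "ESTABLISHED": "ACK"}
    AFTER = {"SYN/ACK": "SYNACK_SEEN", "ACK": "ESTABLISHED"}

    def __init__(self):
        self.flows = {}   # frozenset({client_ip, server_ip}) -> state
        self.log = []

    def forward(self, src: str, dst: str, seg: str) -> bool:
        key = frozenset((src, dst))
        if seg == "SYN":
            self.flows[key] = "SYN_SEEN"
            self.log.append(f"pass {seg} {src}->{dst}")
            return True
        state = self.flows.get(key)
        if state is None or self.NEXT[state] != seg:
            self.log.append(f"DROP {seg} {src}->{dst} (flow state {state})")
            return False
        self.flows[key] = self.AFTER[seg]
        self.log.append(f"pass {seg} {src}->{dst}")
        return True


def handshake(client, client_ip, server, server_ip, fw) -> bool:
    """Walk a TCP 3-way handshake, routing each segment the way its sender
    would: through the firewall if the destination is off-subnet, directly
    (so the firewall never sees it) if it is on a connected subnet."""
    def send(sender, src, dst, seg):
        if sender.next_hop(dst) == "direct":
            fw.log.append(f"bypass {seg} {src}->{dst} (connected route on {sender.name})")
            return True
        return fw.forward(src, dst, seg)

    return (send(client, client_ip, server_ip, "SYN")
            and send(server, server_ip, client_ip, "SYN/ACK")
            and send(client, client_ip, server_ip, "ACK"))


ASA_VLAN10 = "192.168.10.1"            # assumed ASA address on VLAN 10
ASA_VLAN255 = "192.168.255.1"          # WLC's gateway, from the show output
PC = Host("pc", [ip_interface("192.168.10.222/24")], ASA_VLAN10)
WLC_MGMT = "192.168.255.9"


def run_scenario(dynamic_iface: str):
    """Build the WLC with the given dynamic interface and attempt a management
    session from the PC.  Returns (handshake_completed, firewall_log)."""
    wlc = Host("wlc", [ip_interface("192.168.255.9/24"), ip_interface(dynamic_iface)], ASA_VLAN255)
    fw = StatefulFirewall()
    ok = handshake(PC, "192.168.10.222", wlc, WLC_MGMT, fw)
    return ok, fw.log


def broken_scenario():
    """Dynamic interface in the PC's own subnet: the WLC answers directly."""
    return run_scenario("192.168.10.9/24")


def fixed_scenario():
    """Thread's fix: SSID on a VLAN the management PC is not in (constructed subnet)."""
    return run_scenario("192.168.20.9/24")


if __name__ == "__main__":
    for label, fn in (("broken", broken_scenario), ("fixed", fixed_scenario)):
        ok, log = fn()
        print(f"{label}: handshake {'completed' if ok else 'FAILED'}")
        for line in log:
            print("  ", line)
```

Running the script shows the broken case passing the SYN, never seeing the SYN/ACK (it takes the connected route), and dropping the PC's ACK; the fixed case passes all three segments because both directions traverse the firewall. The same check is a quick way to reason about any dual-homed device placed behind a stateful inspection point.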
03-16-2013 01:29 AM
Where do you map the dynamic interface you create? to which physical port?
You have same issue with only one physical port connected?
What is the default vlan on the neighbor switch? what is the VLAN tag for the management interface on the WLC?
Rating useful replies is more useful than saying "Thank you"
03-16-2013 04:41 AM
Are you in VLAN 10?
The WLC by default does not respond on dynamic interfaces for management.
Steve
Sent from Cisco Technical Support iPhone App
03-20-2013 03:52 AM
Hi,
management is mapped to port 1 and dynamic to port 2 of the WLC
palo73
03-20-2013 10:23 AM
Amjad, I've just tried ports 1 and 2, no others. On the switch side the native VLAN is VLAN 1; on the WLC I do not know how to check this. I've assigned both interfaces to use the right VLAN tags, 255 for management and 10 for the dynamic interface respectively.
palo73
03-16-2013 11:03 AM
Can you post the switch config and the WLC show run-config
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
03-20-2013 05:34 AM
03-20-2013 06:06 AM
Palo73,
If you're running v7.4 on the 2504, you can enable LAG and configure the two switch ports in an EtherChannel. If you don't have v7.4 then you have to define the primary port and the backup port on the 2504. Then on the trunk port you have to allow only the VLANs you have for that port. So if you have your management using port 1 as primary and port 2 as backup, and then your dynamic interface has port 1 as backup and port 2 as primary, it should work. You have to define port 2 for something. Usually if you don't have v7.4 you only need one port connected to the switch. If you want to use more than one port, you need to define the primary and backup and only allow the VLANs.
Sent from Cisco Technical Support iPhone App
03-20-2013 07:23 AM
Scott,
I'm running 7.3. However... configuring a backup port is just an optional feature, right? It should be, but it also doesn't need to be used... anyway, I tried; see the show output below, and no answer.
>show interface detailed management
Interface Name................................... management
MAC Address...................................... 3c:ce:73:d8:40:80
IP Address....................................... 192.168.255.9
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 192.168.255.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. 255
Quarantine-vlan.................................. 0
Active Physical Port............................. 1
Primary Physical Port............................ 1
Backup Physical Port............................. 2
Primary DHCP Server.............................. 158.193.152.2
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... Yes
Guest Interface.................................. No
L2 Multicast..................................... Enabled
03-20-2013 07:25 AM
It is optional, but there is no need to connect port 2 of the WLC if you're not defining it to be used.
Sent from Cisco Technical Support iPhone App
03-20-2013 10:05 AM
Well, I've associated both interfaces, management and dynamic, with the same physical port; it did not work. I deleted the dynamic interface... web management became available :-(
When I create a new dynamic interface with Dynamic AP Management enabled, the GUI works, but I cannot associate a WLAN with the dynamic interface.
03-20-2013 10:13 AM
Post your show run-config... it's something either configured on the WLC or your switch.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
03-20-2013 10:20 AM
look above...there are text files with wlc and 3560 running configs
03-22-2013 09:06 AM
I would like to thank all too
palo73