06-04-2012 07:09 AM - edited 11-18-2020 02:58 AM
There can be various issues why a client (wired or wireless) is unable to reach the controller management interface.
Access to the controller can be in the form of telnet, ssh, http or https. Through this document I have tried to list the things to check to troubleshoot such a problem.
1) Wired Client for WLC Management Access:
a. Check controller configuration for network access-
(Cisco Controller) >show network summary
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Enable
Secure Web Mode Cipher-Option SSLv2......... Enable
Secure Shell (ssh).......................... Enable
Telnet...................................... Disable
Telnet is disabled by default. To enable:
(Cisco Controller) > config network telnet enable
To enable https to the controller:
(Cisco Controller) >config network secureweb enable
You must reboot for the change to take effect.
b. Service Port addressing issues.
"Note: If the service port is in use, the management interface must be on a different supernet from the service-port interface."
Move the service port to a class B or class C address instead of using the same supernet as the management interface (assuming the management interface is on a class A address).
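As an added example (not code from the original document) that applies the addressing rules in 1.b and the config-guide caution quoted at the end of the page: given the management, service-port and client addresses, it flags the overlaps that break management access. It reads "supernet" as the classful A/B/C block, which is this page's interpretation rather than a Cisco definition, and every address in it is constructed.

```python
"""Flag the WLC addressing overlaps this page describes (added example, not from
the original document; all addresses used here are constructed, IPv4 only)."""
import ipaddress

def classful_supernet(addr):
    """Classful network the address belongs to. The page's 'supernet' is read as
    the class A/B/C block (an assumption, not a Cisco definition)."""
    ip = ipaddress.ip_interface(addr).ip
    if ip.version != 4:
        raise ValueError("classful supernets only apply to IPv4")
    first_octet = int(ip) >> 24
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def check_mgmt_access(mgmt, service_port, client):
    """Return findings (strings) for a client trying to reach the management
    interface. Arguments are 'address/prefix'; service_port may be None."""
    findings = []
    mgmt_if, client_if = ipaddress.ip_interface(mgmt), ipaddress.ip_interface(client)
    if service_port:
        sp_if = ipaddress.ip_interface(service_port)
        if classful_supernet(mgmt) == classful_supernet(service_port):
            findings.append("service port shares the management supernet (see 1.b)")
        if client_if.ip in sp_if.network:
            findings.append("client is in the service-port subnet; management access fails (config guide caution)")
    if client_if.ip not in mgmt_if.network:
        findings.append("client is on another subnet; verify inter-VLAN routing and path ACLs (see 1.e)")
    return findings

if __name__ == "__main__":
    # Constructed case: management 10.10.20.5/24, service port on the same class A block.
    for finding in check_mgmt_access("10.10.20.5/24", "10.10.30.5/24", "10.10.20.50/24"):
        print(finding)
```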
c. Make sure there is no CPU acl applied on the controller.
(Cisco Controller) >show acl cpu
CPU Acl Name................................ NOT CONFIGURED
Wireless Traffic............................ Disabled
Wired Traffic............................... Disabled
CPU ACLs regulate traffic to and from the controller itself, so a CPU ACL can block access to the controller management interface.
d. Web Admin Certificate issues.
If invalid site certificate errors are displayed when attempting to access a controller via web browser https, the local Web Admin certificate may need to be regenerated.
(Cisco Controller) >config certificate generate webadmin
Creating a certificate may take some time. Do you wish to continue? (y/n) y
Web Administration certificate has been generated
e. Verify Basic IP Connectivity
Check basic IP connectivity from the client to the WLC mgmt interface. Ping the WLC mgmt interface. If that fails, check for any access control configured along the path between the client and the controller mgmt interface that could be blocking this traffic.
If the client is on a different vlan than the wlc, check for inter vlan routing.
Move the client to the same vlan as the controller and then try to access the WLC to rule out inter vlan routing issues.
f. Capture a Sniffer Trace.
Assuming that the controller is attached to a switch, it will likely be necessary to configure a monitor (span) session to capture a sniffer trace of the controller's traffic. This will tell us what packets are going to the controller and how (if at all) the controller responds.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml
g. Debug Packet Logging
This debug allows capturing packets coming to the controller:
debug packet logging acl ip 1 permit <WLC mgmt ip> any
debug packet logging acl ip 2 permit any <WLC mgmt ip>
debug packet logging enable all 1-65535
The hexdump this debug produces can be converted into a capture file with Wireshark's text2pcap; running it without arguments prints its usage:
C:\Program Files\Wireshark>text2pcap.exe
Must specify input and output filename
Text2pcap 1.0.99CAPWAP_0.0.1
Generate a capture file from an ASCII hexdump of packets.
See http://www.wireshark.org for more information.
Usage: text2pcap [options] <input-filename> <output-filename>
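For steps f and g, the question a capture has to answer is which management protocol's packets reach the controller and whether it replies. The following added example (not code from the original document) parses debug packet logging output and counts TCP SYNs toward the WLC and SYN-ACKs from it per management port. The output layout it assumes (an "rx"/"tx" header line followed by offset-prefixed hex lines in the form text2pcap reads) and the three sample frames are constructed, not a real controller capture.

```python
"""Summarise WLC 'debug packet logging' output per management protocol (added
example; the hexdump layout and the sample packets below are constructed)."""
import re
import struct
from collections import Counter

MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}

def parse_packets(text):
    """Yield (direction, frame bytes) for each 'rx'/'tx' block of the debug output."""
    blocks = re.split(r"^\s*(rx|tx) len=\d+.*$", text, flags=re.M)  # [pre, dir, body, ...]
    for direction, body in zip(blocks[1::2], blocks[2::2]):
        hexlines = re.findall(r"^\s*[0-9a-fA-F]{8}\s+([0-9a-fA-F ]+)$", body, flags=re.M)
        yield direction, bytes.fromhex(" ".join(hexlines))

def mgmt_summary(text):
    """Count TCP SYNs toward the WLC and SYN-ACKs from it, keyed by protocol."""
    counts = Counter()
    for direction, frame in parse_packets(text):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                   # not IPv4/TCP over Ethernet
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]      # skip Ethernet + IP header (IHL)
        if len(tcp) < 14:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        port = dport if direction == "rx" else sport   # rx: toward WLC, tx: from WLC
        flags = tcp[13] & 0x12                         # keep only the SYN and ACK bits
        if port in MGMT_PORTS and flags in (0x02, 0x12):
            counts[(MGMT_PORTS[port], "syn" if flags == 0x02 else "syn-ack")] += 1
    return counts

# Constructed sample: HTTPS SYN answered with SYN-ACK, SSH SYN left unanswered.
SAMPLE = """\
rx len=54
00000000 00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00
00000010 00 28 00 01 00 00 40 06 00 00 0a 0a 14 32 0a 0a
00000020 14 05 c0 00 01 bb 00 00 00 01 00 00 00 00 50 02
00000030 20 00 00 00 00 00
tx len=54
00000000 66 77 88 99 aa bb 00 11 22 33 44 55 08 00 45 00
00000010 00 28 00 02 00 00 40 06 00 00 0a 0a 14 05 0a 0a
00000020 14 32 01 bb c0 00 00 00 00 64 00 00 00 02 50 12
00000030 20 00 00 00 00 00
rx len=54
00000000 00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00
00000010 00 28 00 03 00 00 40 06 00 00 0a 0a 14 32 0a 0a
00000020 14 05 c0 01 00 16 00 00 00 01 00 00 00 00 50 02
00000030 20 00 00 00 00 00
"""
```

A protocol with SYNs but no SYN-ACKs in the summary (SSH in the sample) is the one to chase with the CPU ACL, service-port and certificate checks above.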
h. Check the controller syslog and trap logs for any suspicious behaviour.
show msglog
show traplog
i. In some corner cases only https access was broken while ssh and http worked fine.
The following appeared in the bootup log:
-> "Starting portmap deamon"
Warning!!!: You don't seem to have internal USB storage for lic/cert
Please request for one and add to the system
-> "Starting "VPN-Services"
Unable to load system certificate!!! Contact your Cisco Systems Inc. technical support representativeok
-> "Starting Management Services:
Web Server: ok
CLI: ok
Secure Web: Web Admin Certificate not found (error).
License Agent: ok
This issue requires hardware replacement for resolution.
j. LAG and switch channel distribution method
If LAG is enabled on the controller, check the load balancing algorithm enabled on the controller.
Use only ip-src or ip-src ip-dst load balancing options in the switch EtherChannel configuration. Some switch models might use incompatible load balancing mechanisms by default, so it is important to verify.
This is how to verify the EtherChannel load balancing mechanism:
switch#show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        src-dst-ip
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
  IPv4: Source XOR Destination IP address
  IPv6: Source XOR Destination IP address
This is how to change the switch configuration (IOS):
switch(config)#port-channel load-balance src-dst-ip
k. FIPS configuration
After FIPS is enabled on a controller, sometimes users are unable to https into the controller when using IE6 or IE7.
Prior to enabling FIPS they did not experience any problems.
The issue is specific to IE7 and IE6+; Firefox does not appear to have this issue.
l. Management Access Priority Order configuration
If TACACS+ or RADIUS is the primary management access method, confirm that the management user credentials are present on the authentication server. If the TACACS+ or RADIUS server is unavailable or unreachable, the controller will revert to locally configured credentials.
(Cisco Controller) >show aaa auth
Management authentication server order:
1............................................ radius
2............................................ local
2) Wireless Client for WLC Management Access:
a. Access to the controller interface from a wireless client is disabled by default.
(Cisco Controller) >show network summary
Mgmt Via Wireless Interface................. Disable
Mgmt Via Dynamic Interface.................. Disable
To enable:
(Cisco Controller) >config network mgmt-via-wireless enable
b. Additionally, you can use the following command to access the controller via the dynamic interface mapped to the ssid/wlan the wireless client is connecting on:
(Cisco Controller) > config network mgmt-via-dynamic-interface enable
(Cisco Controller) >show network summary
Mgmt Via Wireless Interface................. Disable
Mgmt Via Dynamic Interface.................. Enable
c. Verify Basic IP Connectivity
Ping the dynamic interface ip from the wireless client. Does that work? Check for any acls along the path.
d. Compare with same Vlan Wired Client
Place a WIRED client on the same vlan as the dynamic interface and have that wired client http and/or telnet to the controller via both the management and the dynamic interface.
This will isolate whether the problem affects wired clients as well or only wireless clients.
Telnet/SSH to the WLC management interface fails if the client from which we are starting the session is in the same subnet as the service port.
This is documented in the Cisco WLC config guide as well.
Cisco 4400 and Cisco 5500 Series Controllers also have a 10/100/1000 copper Ethernet service port. The service port is controlled by the service-port interface and is reserved for out-of-band management of the controller and system recovery and maintenance in the event of a network failure. It is also the only port that is active when the controller is in boot mode. Use of the service port is optional.
Caution: Do not configure wired clients in the same VLAN or subnet of the service port on the network. If you configure wired clients on the same subnet or VLAN as the service port, you will not be able to access the management interface.
Cisco Wireless LAN Controller Configuration Guide, Release 7.0 - Configuring Ports and Interfaces
Very Nicely documented .
Would like to add some information to the same .