Hi Francesco,

Yes, i am trying using WIFI, I have selected the checkbox on the wlc to do that.

When I am connected to a local AP I can access the wlc without problem, but when i move to a branch office with Flex AP I cant. I wanna know if that is a normal behavior or is there any misconfiguration.

BR!

Yup, mgmt-via-wireless capability activated.

There are no Firewalls between offices, they communicate with the sw cores

I have never tried that, from the wlc i can not ping the gw in the branch office.

Could be a routing issue ?

Cab you check any acl and routing ?

Can you share a traceroute from branch and from your central site?

this is the output.

192.168.2.11 is the wlc

192.168.2.2 is the sw core in central office

192.168.102.6 is the sw core in branch

from central to gw, wlc and branch

SWACCESS13-MCS#ping 192.168.2.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/14 ms
SWACCESS13-MCS#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/6/14 ms
SWACCESS13-MCS#traceroute 192.168.2.2
Type escape sequence to abort.
Tracing the route to swcore (192.168.2.2)
VRF info: (vrf in name/id, vrf out name/id)
1 swcore (192.168.2.2) 4 msec * 3 msec

SWACCESS13-MCS#traceroute 192.168.2.11
Type escape sequence to abort.
Tracing the route to 192.168.2.11
VRF info: (vrf in name/id, vrf out name/id)
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *

Tracing the route to 192.168.102.6
VRF info: (vrf in name/id, vrf out name/id)
1 swcore (192.168.2.2) 3 msec 4 msec 3 msec
2 172-10-25-4.lightspeed.rlghnc.sbcglobal.net (172.10.25.4) 3 msec 4 msec 4 msec
3 192.168.102.6 3 msec * 7 msec

from branch to cetral core and wlc

SWCORE-MCS-INFRA#traceroute 192.168.2.11

Type escape sequence to abort.
Tracing the route to 192.168.2.11

1 192.168.102.2 0 msec 0 msec 8 msec
2 172.10.25.1 9 msec 59 msec 17 msec
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

SWCORE-MCS-INFRA#traceroute 192.168.2.2

Type escape sequence to abort.
Tracing the route to 192.168.2.2

1 192.168.102.2 0 msec 0 msec 0 msec
2 172.10.25.1 8 msec 0 msec *

When i change Flex AP to local mode, then I can reach the WLC.

BR

I am probably responding late to this but I an tell you I have the same issue

Local Mode no issue, Flexconnect cannot get to WLC Mgmt

I am not behind a firewall as my WLCs are internal and so is my MGMT interface, My firewalls along with most are at the parimeter so the request to reach the MGMT interface doesn't ever reach the Firewall

in short, this should NOT be a firewall issue clearly stated by the fact that simply moving the AP from Flexconnect mode to Local mode allows access and the MGMT interface or the implementation doesn't change, in both cases we still need to access the Same IP Address. What happens in Local vs Flexconnect mode is where my mind is trying to solve along with many others scratching heads wondering what's the traffic doing in both modes during the request to reach the MGMT

When you're connect to a local or a flexconnect AP, if you have enabled management access, you should be able to access your WLC.

The difference is your traffic is being switched locally on the switch at the branch. Are you trying to access the management interface or a dynamic interface? Can you run a wireshark and try again please? share the wireshark capture if you can please.