WCS alarm dashboard not flagging security issues

Jun 27th, 2007


Not sure if the topic title made much sense but basically what is happening is this:

I just finished getting installed on a fresh server with no backup restorations. My 4404 WLCs (x2) are on version

I have been receiving an influx of WPA MIC errors on both controllers, that were previously showing up on the alarm dashboard of WCS (on an older version), but ever since the upgrade, they are not appearing on the dashboard at all.

I have just added the controllers, some alarms are updating (rogue APs for one), and I have also tried refreshing the config through WCS.

I can't seem to find anything on the 4.1 WCS config guide, so if anyone could point me in the right direction it would be appreciated.

As a note: The controllers have both reported these WPA MIC errors since I added the controllers to WCS, but no info was updated on the alarm dashboard.



jpeterson6 Thu, 06/28/2007 - 06:28

Nobody has experienced this before or has input?

I've tried looking everywhere, there are no firewall issues as this has been working before the upgrade. No IP addresses have changed, and the server itself seems fine.

WCS is running on RHEL4.0. I ran WCSStatus and everything checks out OK. Are there any logs I should check? Where?

I tried refreshing the configs, rebooting the system twice, restarting the WCS daemon twice.

Anyone else have a suggestion? I really need to get this working.

ericgarnel Thu, 06/28/2007 - 09:27

Is the server dual-homed?

This used to be an issue with WCS. Although the install still asks about nic binding.

There are log settings under administration that allow you to set info, error or trace and then download them locally for viewing.

We no longer see clients since 4.1.171 WCS.

I tried a fresh install vs backup & there was no difference. I use Cacti to pull users/wlan per controller via snmp to get my user count now.

jpeterson6 Thu, 06/28/2007 - 11:04

Yes I see the logs and I looked through them.. though I have no idea what I'm really looking for as I have no direction in my troubleshooting.

What does the alarm panel use for its updating? tftp? snmp? ssh/telnet?

Also I don't believe I mentioned it, but both controllers are pointing to WCS as a 'trap receiver'.

I just don't see how an upgrade can suddenly prevent security logs from being updated on the WCS server. I have a feeling it might have to do with Linux itself as we upgraded that as well from RHEL3...

I also did not see any caveats mentioned.. maybe it's time to open a TAC.

Also; All I did to get WCS running once it was installed was add the two controllers, then refresh the config. Was there something else I was supposed to do other than that?

ericgarnel Fri, 06/29/2007 - 05:01

The alarms are pulled from WLC via snmp.

I believe that the WCS polls the WLCs via snmp, the WCS does not necessarily need to be a trap receiver itself, someone please correct me if I am wrong on that.

It is possible that the RHEL upgrade could have affected it. We ran WCS on RHEL 3 for some time without any issues, even with the 4.0x WCS even though it said that it was not supported on RHEL 3. Since moving to 4.1 on RHEL 4.x, I no longer can see client counts or locations. Perhaps I should roll back to RHEL 3.

jpeterson6 Fri, 06/29/2007 - 05:41

Now that you mention it I'm not seeing client counts either! I was so caught up in security alarms not being updated that I didn't even notice.

This is pretty strange considering this is the version of Linux that was 'tested' by Cisco yet there seem to be compatibility issues..

I'm definitely opening up a TAC on this - I'll let you know what is said about the issue when I get more information.

ericgarnel Fri, 06/29/2007 - 05:46

Under WCS | location | Location servers| location server|Administration|Advanced Parameters>location server

I did the following:

Run Java GC

Defragment Database

reboot hardware

This brought back the client count for a little bit, but now it no longer sees clients, even though there are 7+ 7920 phones active at the moment and my laptop as well.

ericgarnel Fri, 06/29/2007 - 09:13

Ok, I went thru the same steps as above, this time, though, I would check the status after each time. The client count came back only after the reboot.

jpeterson6 Tue, 07/03/2007 - 05:49

I'm sorry, I misunderstood what you meant regarding clients - I'm not actually running a location server. What I mean is that when I go to monitor->clients it lists the top 5 APs in use but the client count for a/b/g/n is 0 on all 5, even though there are clients associated.

ericgarnel Tue, 07/03/2007 - 08:12

Have you defragged the location server db? rebooted?

I am able to see clients in WCS just fine now.

jpeterson6 Tue, 07/03/2007 - 11:11


As I said, I do not run a location server, so that is not the issue.


I ran a tcpdump for the traffic between the WCS and the controllers, and there are a large amount of errors stating: "host [WCS IP] unreachable - admin prohibited for IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17, length: 129) [controller IP].32771 > [WCS IP].syslog".

Are you getting these as well? I'm wondering if that may have something to do with the client tables not updating.

Also, as an aside, I did manage to get the security alarms working. Turns out my snmpd and snmp-trap daemons were not starting on boot for the Linux server.

ericgarnel Thu, 07/05/2007 - 04:58

The proto 17 is udp. Do you have ACLs blocking udp? Are you allowing snmp & snmp traps through iptables on your Linux box?

jpeterson6 Thu, 07/05/2007 - 05:50

Good to know that proto 17 is udp - yes we do have an ACL that isn't allowing port 32771 (rather, it's just not explicitly permitted).

I just wanted to know if he was getting the same message that could be related to the client count issue - but after looking closer it seems pretty obvious that it's coming from the fact that I have the controllers pointing the syslog to the WCS, which I hear isn't necessary anyway, so I'll probably just shut that off.

ericgarnel Thu, 07/05/2007 - 05:58

LWAPP uses the following ports:

Port: 12222 (UDP) data; 12223 (UDP) control.

Are you running the controllers in L2 or L3 mode?

jpeterson6 Thu, 07/05/2007 - 07:10

L3 mode, but LWAPP isn't being blocked. WCS server is on the same subnet as the management interface on both controllers.

ericgarnel Thu, 07/05/2007 - 07:13

But what about iptables? Are you blocking snmp/snmp-trap via iptables?
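
Added example, not part of the original thread: the "unreachable - admin prohibited" reply in the tcpdump output quoted earlier is the ICMP message an iptables `REJECT --reject-with icmp-host-prohibited` rule sends, so one way to answer the iptables question is to walk the saved ruleset for each UDP port involved. The chain name `RH-Firewall-1-INPUT` and the sample rules are assumptions constructed for illustration; on the server, pipe real `iptables-save` output into `udp_verdict`.

```shell
#!/bin/sh
# Added example (not from the thread): read `iptables-save` text on stdin and
# report what a chain does with a NEW inbound UDP datagram to a given port.

# Constructed sample in the style of a stock RHEL 4 ruleset: SNMP polling
# (udp/161) is opened, but snmptrap (udp/162) and syslog (udp/514) are not.
sample_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# udp_verdict CHAIN PORT -> ACCEPT | REJECT | DROP | NO-MATCH
# Rules scoped by interface or source, negated matches, and state matches
# without NEW are skipped; review those by hand.
udp_verdict() {
    awk -v chain="$1" -v port="$2" '
    $1 == "-A" && $2 == chain {
        proto = ""; dport = ""; target = ""; skip = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "-i" || $i == "-s" || $i == "!") skip = 1
            else if ($i == "--state" && $(i + 1) !~ /NEW/) skip = 1
        }
        if (skip || (proto != "" && proto != "udp")) next
        if (dport != "") {                      # single port or lo:hi range
            n = split(dport, r, ":"); lo = r[1]; hi = (n > 1 ? r[2] : r[1])
            if (port + 0 < lo + 0 || port + 0 > hi + 0) next
        }
        if (target ~ /^(ACCEPT|REJECT|DROP)$/) { print target; found = 1; exit }
    }
    END { if (!found) print "NO-MATCH" }'
}
# snmp, snmptrap and syslog: the three UDP services discussed in the thread
for p in 161 162 514; do
    echo "udp/$p: $(sample_rules | udp_verdict RH-Firewall-1-INPUT "$p")"
done
```
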

