SNMP problems on NM-WLC

Unanswered Question
Apr 7th, 2009


I have a NM-WLC installed on a 2811 router.

I seem to have full ip connectivity between my LAN, and the WLC management interface.

I also have a couple of wlans running without any problems on the WLC.

My only problem at this point, is that I cannot get responses to SNMP packets that I send to the WLC.

I do get responses from the 2811 router housing my WLC, but not from the WLC itself.

The strange thing is that I DO get SNMP responses, when I connect from another subnet, which is over an IPSec VPN.

This may sound like a NAT / routing / ACL issue and I agree.

However, I have tried and eliminated every possibility of there being a ACL that blocks responses, or a NAT translation.

I can ssh to the management IP address, and since I can hit SNMP from another subnet, I know that SNMP is setup correctly.

Any suggestions would be highly appriciated.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
shahedvoicerite Tue, 04/07/2009 - 10:05

The 2811 housing the WLC has 2 FastEthernet interfaces.

I attached a PC to one of them, (the other is connected to the LAN), and I could get SNMP packets to/from the WLC.

So I guess its a combination of BVI / IRB / Sub-Interfaces that I have on the FastEthernet and the WLC, that may be causing some sort of issue.

shahedvoicerite Tue, 04/07/2009 - 13:59

I was able to send/recieve SNMP packets from a PC on a VLAN that did not have a BVI interface on the router housing the WLC.

Another router was routing the packets between the PC and the 2811 housing the WLC.

The reason I need to have the BVI interfaces is to allow the WLANS to connect to the VLANS on the wired side.

I am sure that if I had a 4402 or a 2106, then I would not be facing all these problems.

Its the backplane integration of the NM that seems to causes all these headaches :-(

Leo Laohoo Tue, 04/07/2009 - 15:33

Make sure the SNMP communities are correct. Try to use alpha-numeric characters for testing purposes. Is your target SNMP Read or Read-Write? Try targeting the Read-Write.

shahedvoicerite Wed, 04/08/2009 - 04:31


I dont think that is the problem, as I am able to communicate via SNMP from another subnet, suing the same snmp config.

My topology is as follows

R1 (fa0/0.1) on VLAN 1

VLAN 1 has the following hosts (via a switch)

...........R2 fa 0/0 on trunk switchport

...................fa 0/0.1 + BVI 1

...................fa 0/0.20 + BVI 20

...........PC1 on access switchport

R1 (fa 0/0.7) <------VLAN 7-----> PC on vlan 7 can send / recv SNMP to WLC

R1 :

Main router on a stick for all subnets.

Also does NAT for internet access.

DHCP for (VLAN1) and VLAN20.

Has a static router to WLC via R2 (

R2 :

Hosts the WLC in a NM.

Uses BVI to bridge wireless and wired vlans together.

From subnet, I can ssh / browser into the WLC.

Also a WLAN on the WLC for VLAN 1 ( works fine, and hands out DHCP address via R1 in the subnet.

In short, everything SEEMS TO WORK JUST FINE !!

Now, when I try and send SNMP packets to my WLC, I only get replies, if I send them from a VLAN, other than VLAN 1 or 20.

I have another VLAN (7), which can get to the WLC via R1 and then on to R2. SNMP from a host in this VLAN gets responses FINE !!!!!.

Relavant config for R2 is as below.

I cant seem to understand why, when ssh / telnet / web access works from hosts on VLAN 1 to the WLC, why SNMP seems to create a problem ..

The SNMP packets do reach the WLC. (A debug on the WLC confirms that). Its only the RETURN packets that never make it through.

bridge irb





interface FastEthernet0/0

no ip address

duplex auto

speed auto

no cdp enable


! Sub interfaces for VLAN 1 and 20

interface FastEthernet0/0.1

encapsulation dot1Q 1 native

ip helper-address

ip virtual-reassembly

bridge-group 1

interface FastEthernet0/0.20

description guestvlan

encapsulation dot1Q 20

bridge-group 20


! WIRELESS Side Config



interface wlan-controller1/0

no ip address

! wlan-controller sub interfaces for VLANS 1 , 20

interface wlan-controller1/0.1

encapsulation dot1Q 1

bridge-group 1

interface wlan-controller1/0.20

encapsulation dot1Q 20

bridge-group 20

! NATIVE 802.1q TRUNK TO WLC management interface with IP address

interface wlan-controller1/0.11

encapsulation dot1Q 11 native

ip address

ip directed-broadcast

ip virtual-reassembly


! BVI Interfaces to enable wlan dynamic interfaces (VLANS) to communicate with

! Wired side VLANS


! BVI are for VLANS 1 and 20 ONLY


interface BVI1

ip address

ip helper-address

ip helper-address

no ip redirects

interface BVI20

ip address


ip forward-protocol nd

ip forward-protocol udp 12222

ip forward-protocol udp 12223

ip forward-protocol udp snmp

! DEFAULT ROUTER ON A STICK for all routes

ip route

shahedvoicerite Thu, 04/09/2009 - 09:54

Ok, after doing a packet level debug on the WLC, and running it through ethereal, it seems that the WLC keeps sending ARP requests to resolve the address of the SNMP sender.

However, it does not seem to get a reply.

Perhaps I will have to setup some sort of arp forwarding ?

A debug arp on the router housing the WLC shows :-

IP ARP req filtered src 0015.2ce9.6a40, dst 0000.0000.0000 wrong cable, interface wlan-controller1/0.11

In this case, my SNMP software is on

shahedvoicerite Wed, 04/15/2009 - 06:28

I think my problem is SOLVED as per the doc snippit below.

I had my WCS in the same vlan as a dynamic interface and when I changed the WCS to another vlan it worked.

What I would really like to know is what is the cause of these "asymetric" wouting issues, and WHO drops the packets.. (WLC internally, Router hosting WLC... ??)

I suppose everyone either keeps the Dynamic interfaces separate from the Management VLANS anyway as a best practice


This issue of asymetric routing occurs only with NM-WLC.

Per design, most of the CPU initiated traffic is sent from the management address in the controller. For example, SNMP traps, RADIUS authentication requests, multicast forwarding, and so forth.

The exception to this rule is DHCP related traffic, which is sent from the interface related to the WLAN settings, for controller software version 4.0 and later. For example, if a WLAN uses a dynamic interface, the DHCP request is forwarded using this Layer 3 address.

This is important to take into account when you configure firewall policies or design the network topology. It is important to avoid configuring a dynamic interface in the same sub network as a server that has to be reachable by the controller CPU, for example a RADIUS server, as it might cause asymmetric routing issues.


This Discussion