OEAP & PaloAlto & Tunnel Interruption

Unanswered Question
Sep 18th, 2013
Hello,


I'm testing the following solution right now:

We have a FlexConnect & OEAP WLC5508 installed in our DMZ (LAG configured together with a DMZ switch). Our firewall is a Palo Alto device.

Now I get the following problems:

Everything is working without problems. I get a connection over the internet with my OEAP600 AP, get an IP, and can also use my Cisco Phone, which is connected to the RemoteLAN on the OEAP. The strange thing is: if, for testing, I do a reconnect on my laptop (disconnect the OEAP SSID and reconnect), the tunnel interrupts and rebuilds. In most cases the tunnel then comes back and everything (phone & WLAN) works again, and sometimes only a reboot of the OEAP will fix the problem.

I checked whether I see anything being blocked on the Palo Alto, but I don't see anything that is blocked.


Regards

Alex

Scott Fella Wed, 09/18/2013 - 05:12
So you have LAG enabled on the WLC in the DMZ and you have an EtherChannel set up to the same DMZ switch? So when you are using the remote LAN, you're dumping the traffic to a segment in the DMZ? Remote LAN doesn't allow anchoring back to the inside/foreign WLC. The SSID that users connect to on the OEAP is anchored back to the WLC on the inside, correct? I have had issues with Palo Alto and the DMZ WLC and the foreign WLC mobility flapping, and it was a rule that was in the config somewhere that was dropping the mobility ports.

Sent from Cisco Technical Support iPhone App

alex.roth Wed, 09/18/2013 - 07:49
Hi,


Thanks for the answer; see below for more clarifications:

So you have LAG enabled on the WLC in the DMZ and you have an EtherChannel set up to the same DMZ switch --> yes

So when you are using the remote LAN, you're dumping the traffic to a segment in the DMZ --> yes

All our controllers are placed in the DMZ. We use one controller as the FlexConnect termination and OEAP termination point. We have a second controller which is used only for guest access, and it works fine.

I also entered the command network ap-discovery nat-ip-only disable.

I opened the ports UDP 5246 and UDP 5247 from outside to the DMZ. If I do a test and remove the rules from the PA, it works. But I don't see anything being blocked once the rules are activated again. This is the strange thing for me, and I don't know why the tunnel goes down. I also thought this could be a problem with my DHCP configuration, because I'm using DHCP proxy on the WLC for my OEAP interfaces.


Thanks
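The two posts above disagree on what the firewall is dropping: the CAPWAP rules (UDP 5246 control, UDP 5247 data) are open, but the earlier reply points at the WLC-to-WLC mobility traffic instead. The script below is an added example, not code from the thread or from Cisco/Palo Alto: it runs over a constructed, simplified traffic-log export and flags any non-allowed flow on a port or protocol the OEAP tunnel depends on. The CAPWAP ports come from the thread; the mobility ports (UDP 16666 for mobility control and IP protocol 97, EoIP, for the mobility data tunnel) are AireOS defaults assumed here and not stated in the thread, as is the log column layout.

```python
"""Flag dropped CAPWAP / WLC-mobility flows in a firewall traffic log.

Added example for the thread above; not the thread's own code.
Assumptions (not stated in the thread):
  - Mobility control is UDP 16666 and mobility data is EoIP (IP protocol 97),
    the AireOS defaults.
  - The log is a CSV with columns time,src,dst,proto,dport,action,rule;
    a real PAN-OS export has many more columns, so map them first.
"""
import csv
import io

# From the thread: the CAPWAP ports the poster opened outside -> DMZ.
CAPWAP_PORTS = {5246: "CAPWAP control", 5247: "CAPWAP data"}
# Assumed AireOS defaults for the DMZ<->inside mobility tunnel.
MOBILITY_UDP_PORTS = {16666: "mobility control (UDP 16666)"}
MOBILITY_IP_PROTOS = {97: "mobility data (EoIP, IP protocol 97)"}

# Constructed sample log (RFC 5737 documentation addresses, invented rule names).
SAMPLE_LOG = """\
time,src,dst,proto,dport,action,rule
2013-09-18T07:40:01,203.0.113.25,198.51.100.10,17,5246,allow,Inet-to-DMZ-CAPWAP
2013-09-18T07:40:01,203.0.113.25,198.51.100.10,17,5247,allow,Inet-to-DMZ-CAPWAP
2013-09-18T07:40:05,198.51.100.10,10.1.1.10,17,16666,deny,DMZ-to-Inside-Default
2013-09-18T07:40:05,10.1.1.10,198.51.100.10,97,0,drop,Inside-to-DMZ-Default
2013-09-18T07:40:09,203.0.113.25,198.51.100.10,17,53,allow,Inet-to-DMZ-DNS
"""


def classify(proto, dport):
    """Label a flow the WLC tunnels depend on; return None for anything else."""
    if proto == 17 and dport in CAPWAP_PORTS:
        return CAPWAP_PORTS[dport]
    if proto == 17 and dport in MOBILITY_UDP_PORTS:
        return MOBILITY_UDP_PORTS[dport]
    if proto in MOBILITY_IP_PROTOS:
        # EoIP has no port; the dport column is ignored for it.
        return MOBILITY_IP_PROTOS[proto]
    return None


def find_tunnel_drops(log_text):
    """Return every non-allowed CAPWAP or mobility flow, with the rule that hit it."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        label = classify(int(row["proto"]), int(row["dport"]))
        if label is None or row["action"] == "allow":
            continue
        hits.append({
            "time": row["time"],
            "flow": f'{row["src"]} -> {row["dst"]}',
            "what": label,
            "action": row["action"],
            "rule": row["rule"],
        })
    return hits


if __name__ == "__main__":
    for hit in find_tunnel_drops(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["flow"]} {hit["what"]}: '
              f'{hit["action"]} by rule {hit["rule"]}')
```

On the constructed input both CAPWAP flows pass and the two mobility flows are the ones hit by the default interzone rules, which is the pattern the earlier reply describes. The same check can be done before looking at logs by asking the firewall directly: PAN-OS has a `test security-policy-match` CLI command that takes source/destination zone and address, protocol number and destination port, so the DMZ-to-inside pair can be tested for UDP 16666 and for protocol 97 without waiting for the tunnel to flap.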
