Troubleshooting network access (telnet/ssh/http/https) to Wireless LAN Controller

Document

Tue, 01/27/2015 - 06:30
Jun 4th, 2012

Introduction

There can be various issues why a client (wired or wireless) is unable to reach the controller management interface.

Access to the controller can be in the form of telnet, ssh, http or https. Through this document I have tried to list the things to check to troubleshoot such a problem.

Configuration

1) Wired Client for WLC Management Access:

a. Check the controller configuration for network access:

(Cisco Controller) >show network summary

Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Enable
Secure Web Mode Cipher-Option SSLv2......... Enable
Secure Shell (ssh).......................... Enable
Telnet...................................... Disable

Telnet is disabled by default. To enable it:

(Cisco Controller) >config network telnet enable

To enable https to the controller:

(Cisco Controller) >config network secureweb enable

You must reboot for the change to take effect.

b. Service port addressing issues.

"Note: If the service port is in use, the management interface must be on a different supernet from the service-port interface."

http://www.cisco.com/en/US/customer/docs/wireless/controller/7.0MR1/configuration/guide/cg_ports_interfaces.html

Move the service port to a class B or class C address instead of using the same supernet as the management interface (assuming the management interface is on a class A address).

c. Make sure there is no CPU ACL applied on the controller.

(Cisco Controller) >show acl cpu

CPU Acl Name................................ NOT CONFIGURED
Wireless Traffic............................ Disabled
Wired Traffic............................... Disabled

CPU ACLs regulate traffic to and from the controller and can therefore block access to the controller management interface.
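The checks in a. and c. above can be scripted against pasted CLI output. The following is an added example, not code from the original document: it parses the dotted-leader format of "show network summary" and "show acl cpu" and lists what on the controller side would stop a client from connecting. The two sample outputs are constructed from the lines shown on this page; the telnet and secureweb commands are the ones shown above, while the ssh and webmode commands are the matching WLC commands and are assumptions not taken from this page.

```python
"""Added example (not code from the original document): parse the
'show network summary' and 'show acl cpu' output quoted above and list what
would stop a client reaching the management interface.  The two sample
outputs below are constructed from the lines shown on this page."""
import re

# Constructed sample, matching the 'show network summary' lines above.
SHOW_NETWORK_SUMMARY = """\
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Enable
Secure Web Mode Cipher-Option SSLv2......... Enable
Secure Shell (ssh).......................... Enable
Telnet...................................... Disable
Mgmt Via Wireless Interface................. Disable
Mgmt Via Dynamic Interface.................. Disable
"""

# Constructed sample, matching the 'show acl cpu' output above.
SHOW_ACL_CPU = """\
CPU Acl Name................................ NOT CONFIGURED
Wireless Traffic............................ Disabled
Wired Traffic............................... Disabled
"""

# WLC CLI prints "<name>....... <value>"; capture both sides of the leader.
LEADER_RE = re.compile(r"^(?P<key>.+?)\.{2,}\s*(?P<value>\S.*)$")


def parse_leader_table(output: str) -> dict:
    """Turn dotted-leader CLI output into a {key: value} dict."""
    table = {}
    for line in output.splitlines():
        m = LEADER_RE.match(line.strip())
        if m:
            table[m.group("key").strip()] = m.group("value").strip()
    return table


# protocol -> (summary key, TCP port, command that enables it).
# telnet/secureweb commands are from this page; the ssh and webmode
# commands are the corresponding WLC commands (assumption, not on the page).
ACCESS_METHODS = {
    "telnet": ("Telnet", 23, "config network telnet enable"),
    "ssh": ("Secure Shell (ssh)", 22, "config network ssh enable"),
    "http": ("Web Mode", 80, "config network webmode enable"),
    "https": ("Secure Web Mode", 443,
              "config network secureweb enable (reboot required)"),
}


def check_management_access(network_summary: str, acl_cpu: str,
                            wireless_client: bool = False) -> list:
    """Return human-readable findings; an empty list means nothing in these
    two outputs explains a failure to connect."""
    summary = parse_leader_table(network_summary)
    acl = parse_leader_table(acl_cpu)
    findings = []
    for proto, (key, port, fix) in ACCESS_METHODS.items():
        state = summary.get(key, "not shown")
        if state.lower() != "enable":
            findings.append(f"{proto} (tcp/{port}) is {state}: '{fix}'")
    name = acl.get("CPU Acl Name", "NOT CONFIGURED")
    if name != "NOT CONFIGURED":
        findings.append(f"CPU ACL '{name}' is applied: verify it permits "
                        "management traffic from the client")
    if wireless_client and \
            summary.get("Mgmt Via Wireless Interface", "").lower() != "enable":
        findings.append("management via wireless is disabled: "
                        "'config network mgmt-via-wireless enable'")
    return findings


if __name__ == "__main__":
    found = check_management_access(SHOW_NETWORK_SUMMARY, SHOW_ACL_CPU)
    for line in found or ["no controller-side blocker found"]:
        print(line)
```

Run it with the real output pasted into the two strings; for a wireless client pass wireless_client=True so the "Mgmt Via Wireless Interface" state from section 2 is checked as well.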

d. Web Admin certificate issues.

If invalid site certificate errors are displayed when attempting to access a controller via https in a web browser, the local Web Admin certificate may need to be regenerated.

(Cisco Controller) >config certificate generate webadmin

Creating a certificate may take some time. Do you wish to continue? (y/n) y

Web Administration certificate has been generated

e. Verify basic IP connectivity.

Check basic IP connectivity from the client to the WLC management interface by pinging it. If that fails, check for any access control configured along the path between the client and the controller management interface that could be blocking this traffic:

  • Telnet: TCP port 23
  • ssh: TCP port 22
  • http: TCP port 80
  • https: TCP port 443

If the client is on a different VLAN than the WLC, check inter-VLAN routing.

Move the client to the same VLAN as the controller and then try to access the WLC to rule out inter-VLAN routing issues.
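The port list above is easier to act on when each port is probed and the failure mode is named. The following is an added example, not code from the original document: it tries a TCP connection to each management port from the client and classifies the result as open, closed (the controller answered with a reset, so IP connectivity is fine and the protocol is simply disabled, see a.), filtered (no answer at all, which is what an ACL or firewall on the path looks like) or unreachable (no route). The controller address 192.0.2.10 used in the main block is a placeholder, and the loopback self-test exists only so the classifier can be checked without a controller.

```python
"""Added example (not part of the original document): probe the WLC
management ports from the client side and classify each result."""
import platform
import socket
import subprocess
import sys

# Protocols and TCP ports listed in section e.
MGMT_PORTS = {"telnet": 23, "ssh": 22, "http": 80, "https": 443}


def tcp_port_state(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed', 'filtered' or 'unreachable' for host:port.

    closed      -> a RST came back: the controller is reachable, the service
                   is just not listening (protocol disabled, see a.)
    filtered    -> nothing came back: look for ACLs / firewalls on the path
    unreachable -> the client has no route: check inter-VLAN routing
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"


def check_mgmt_access(host: str, ports: dict = MGMT_PORTS,
                      timeout: float = 2.0) -> dict:
    """Probe every management port and return {protocol: state}."""
    return {name: tcp_port_state(host, port, timeout)
            for name, port in ports.items()}


def ping(host: str) -> bool:
    """Single ICMP echo via the OS ping command (section e's first step)."""
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    try:
        done = subprocess.run(["ping", count_flag, "1", host],
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=10)
        return done.returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def loopback_self_test() -> dict:
    """Check the classifier without a controller: a throwaway listener on
    127.0.0.1 must read 'open', and the same port must read 'closed' once
    the listener is gone."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {"listening": tcp_port_state("127.0.0.1", port)}
    listener.close()
    result["released"] = tcp_port_state("127.0.0.1", port)
    return result


if __name__ == "__main__":
    # 192.0.2.10 is a placeholder; pass the real WLC management IP as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    print("icmp reachable:", ping(target))
    for name, state in check_mgmt_access(target).items():
        print(f"{name:6} tcp/{MGMT_PORTS[name]:<3} {state}")
```

A mix of "closed" on telnet and "open" on ssh is the normal default state shown in a.; all four ports "filtered" while ping works points at an access control on the path rather than at the controller configuration.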

f. Capture a sniffer trace.

Assuming that the controller is attached to a switch, it will likely be necessary to configure a monitor (SPAN) session to capture a sniffer trace of the controller's traffic. This will tell us what packets are going to the controller and how (if at all) the controller responds.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml

g. Debug packet logging

This debug allows capturing packets coming to the controller:

debug packet logging acl ip 1 permit <WLC mgmt ip> any
debug packet logging acl ip 2 permit any <WLC mgmt ip>
debug packet logging enable all 1-65535

The resulting ASCII hexdump can be converted into a capture file with Wireshark's text2pcap utility (see http://www.wireshark.org for more information):

text2pcap [options] <input-filename> <output-filename>
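What text2pcap does with that dump, and what one then looks for in the capture, is shown by the following added example, which is not code from the original document or from Wireshark. It reads a text2pcap-style hexdump (an offset followed by hex bytes per line), writes a classic pcap file that Wireshark can open, and decodes each frame far enough to show which client talked to the management interface on which TCP port. SAMPLE_DUMP is a constructed dump of one TCP SYN from a client to the controller on tcp/22; its MAC and IP addresses are made up, and the dump format is assumed to be the one text2pcap accepts.

```python
"""Added example (not from the original document or Wireshark): turn a
'debug packet logging' hexdump into a pcap and summarise each frame."""
import ipaddress
import re
import struct

# Constructed sample: client 10.1.1.50 -> controller mgmt 10.1.1.10, SYN to tcp/22.
SAMPLE_DUMP = """\
000000 00 0b 85 11 22 33 00 1a 2b 3c 4d 5e 08 00 45 00
000010 00 28 00 01 00 00 40 06 64 92 0a 01 01 32 0a 01
000020 01 0a c0 00 00 16 00 00 00 01 00 00 00 00 50 02
000030 20 00 00 00 00 00
"""

DUMP_LINE = re.compile(r"^\s*([0-9A-Fa-f]{4,})((?:\s+[0-9A-Fa-f]{2})+)\s*$")
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def parse_hexdump(text: str) -> list:
    """Split an offset/hex dump into raw frames.  A line at offset 0 starts
    a new frame; every other line must continue exactly where the previous
    one stopped, otherwise the dump is corrupt and we refuse to guess."""
    frames, current = [], bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DUMP_LINE.match(line)
        if not m:
            continue                      # prompts, timestamps, blank lines
        offset = int(m.group(1), 16)
        if offset == 0 and current:
            frames.append(bytes(current))
            current = bytearray()
        if offset != len(current):
            raise ValueError(f"line {lineno}: offset {offset:#x} does not "
                             f"follow the {len(current)} bytes already read")
        current += bytes.fromhex(m.group(2))
    if current:
        frames.append(bytes(current))
    return frames


def to_pcap(frames: list, ts: int = 0) -> bytes:
    """Wrap frames in a libpcap file (global header + per-record header).
    The dump carries no timestamps, so every record gets the placeholder ts."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535,
                                LINKTYPE_ETHERNET))
    for frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return bytes(out)


def ip_header_checksum_ok(header: bytes) -> bool:
    """RFC 791: the one's-complement sum over the whole header, checksum
    field included, folds to 0xFFFF when the header is intact."""
    words = struct.unpack("!%dH" % (len(header) // 2),
                          header[: len(header) // 2 * 2])
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def summarize(frame: bytes) -> dict:
    """Ethernet -> IPv4 -> TCP, returning only the fields that matter here."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info = {"ethertype": int.from_bytes(frame[12:14], "big")}
    if info["ethertype"] != 0x0800 or len(frame) < 34:
        return info                       # not IPv4, or too short to decode
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    info.update(src=str(ipaddress.IPv4Address(ip[12:16])),
                dst=str(ipaddress.IPv4Address(ip[16:20])),
                proto=ip[9],
                ip_checksum_ok=ip_header_checksum_ok(ip[:ihl]))
    if ip[9] == 6 and len(ip) >= ihl + 14:   # TCP with the flags byte present
        tcp = ip[ihl:]
        info["sport"], info["dport"] = struct.unpack("!HH", tcp[:4])
        info["flags"] = [name for bit, name in TCP_FLAGS if tcp[13] & bit]
    return info


if __name__ == "__main__":
    frames = parse_hexdump(SAMPLE_DUMP)
    with open("wlc_debug.pcap", "wb") as f:   # open this file in Wireshark
        f.write(to_pcap(frames))
    for frame in frames:
        print(summarize(frame))
```

In a real dump taken with the two ACL lines above, a client SYN to tcp/22 (or 23, 80, 443) with no SYN/ACK from the management address in the following frames means the packet reached the controller and the controller did not answer, so the cause is on the controller (protocol disabled, CPU ACL, certificate problem) rather than on the path; no client SYN at all means the path is dropping it before the controller.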

h. Check the controller syslog and trap logs for any suspicious behaviour.

show msglog
show traplog

i. In some corner cases only https access was broken while ssh and http worked fine.

The following was seen in the bootup log:

-> "Starting portmap deamon"
Warning!!!: You don't seem to have internal USB storage for lic/cert
Please request for one and add to the system
-> "Starting "VPN-Services"
Unable to load system certificate!!! Contact your Cisco Systems Inc. technical support representativeok
-> "Starting Management Services:
   Web Server: ok
   CLI: ok
   Secure Web: Web Admin Certificate not found (error).
   License Agent: ok

This issue requires hardware replacement for resolution.

j. LAG and switch channel distribution method

If LAG is enabled on the controller, check the load balancing algorithm enabled on the controller.

Use only the ip-src or ip-src ip-dst load balancing options in the switch EtherChannel configuration. Some switch models might use an incompatible load balancing mechanism by default, so it is important to verify.

This is how to verify the EtherChannel load balancing mechanism:

switch#show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        src-dst-ip
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
  IPv4: Source XOR Destination IP address
  IPv6: Source XOR Destination IP address

This is how to change the switch configuration (IOS):

switch(config)#port-channel load-balance src-dst-ip

k. FIPS configuration

After FIPS is enabled on a controller, users are sometimes unable to https into the controller when using IE6 or IE7. Prior to enabling FIPS they did not experience any problems.

The issue is specific to IE6 and IE7; Firefox does not appear to have this issue.

l. Management access priority order configuration

If TACACS or RADIUS is the primary management authentication method, confirm that the management user credentials are present on the authentication server. If the TACACS or RADIUS server is unavailable or unreachable, the controller reverts to locally configured credentials.

(Cisco Controller) >show aaa auth

Management authentication server order:
    1............................................ radius
    2............................................ local

 

2) Wireless Client for WLC Management Access:

a. Access to the controller interface from a wireless client is disabled by default.

(Cisco Controller) >show network summary

Mgmt Via Wireless Interface................. Disable
Mgmt Via Dynamic Interface.................. Disable

To enable:

(Cisco Controller) >config network mgmt-via-wireless enable

b. Additionally, you can use the following command to allow access to the controller via the dynamic interface mapped to the SSID/WLAN the wireless client is connected to:

(Cisco Controller) >config network mgmt-via-dynamic-interface enable

(Cisco Controller) >show network summary

Mgmt Via Wireless Interface................. Disable
Mgmt Via Dynamic Interface.................. Enable

c. Verify basic IP connectivity

Ping the dynamic interface IP from the wireless client. Does that work? Check for any ACLs along the path.

d. Compare with a wired client on the same VLAN

Place a WIRED client on the same VLAN as the dynamic interface and have that wired client http and/or telnet to the controller via both the management and the dynamic interface.

This will show whether the problem affects wired clients too or only wireless clients.

 

Telnet/SSH to the WLC management interface fails if the client from which the session is started is in the same subnet as the service port.

This is documented in the Cisco WLC configuration guide as well:

Service Port

Cisco 4400 and Cisco 5500 Series Controllers also have a 10/100/1000 copper Ethernet service port. The service port is controlled by the service-port interface and is reserved for out-of-band management of the controller and system recovery and maintenance in the event of a network failure. It is also the only port that is active when the controller is in boot mode. Use of the service port is optional.

Caution: Do not configure wired clients in the same VLAN or subnet of the service port on the network. If you configure wired clients on the same subnet or VLAN as the service port, you will not be able to access the management interface.

Reference

Cisco Wireless LAN Controller Configuration Guide, Release 7.0 - Configuring Ports and Interfaces
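Both service-port rules on this page, the supernet note in 1b and the caution just above, reduce to address arithmetic that can be checked before touching the controller. The following is an added example, not code from the original document or the configuration guide: it takes the management and service-port interface addresses (and optionally the failing client's address) and reports whether the two interfaces share a classful supernet, which is the sense in which 1b tells you to move the service port from a class A to a class B or C address, and whether the client sits inside the service-port subnet. All addresses in it are constructed samples.

```python
"""Added example (not from the original document): check the service-port
addressing rules quoted above against constructed sample addresses."""
import ipaddress
from typing import List, Optional


def classful_supernet(addr) -> ipaddress.IPv4Network:
    """Classful network containing addr: class A /8, class B /16, class C /24.
    This is the 'supernet' meant by the note in 1b."""
    addr = ipaddress.IPv4Address(addr)
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError(f"{addr} is not a class A/B/C unicast address")
    return ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)


def check_service_port_addressing(mgmt: str, service_port: str,
                                  client: Optional[str] = None) -> List[str]:
    """mgmt and service_port are 'ip/prefix' interface addresses; client is
    the address of the wired client that cannot reach the management
    interface.  Returns findings; an empty list means addressing is fine."""
    mgmt_if = ipaddress.IPv4Interface(mgmt)
    svc_if = ipaddress.IPv4Interface(service_port)
    findings = []
    supernet = classful_supernet(svc_if.ip)
    if classful_supernet(mgmt_if.ip) == supernet:
        # Rule from 1b: the two interfaces must not share a supernet.
        findings.append(f"management {mgmt_if} and service port {svc_if} "
                        f"share supernet {supernet}: move the service port "
                        "to an address in a different class")
    if client is not None and ipaddress.IPv4Address(client) in svc_if.network:
        # Rule from the caution above: a client in the service-port subnet
        # cannot reach the management interface at all.
        findings.append(f"client {client} is inside the service-port subnet "
                        f"{svc_if.network}: telnet/ssh/http to the management "
                        "interface will fail from there")
    return findings


if __name__ == "__main__":
    # Constructed: management 10.10.20.5/24; service port first on 10.10.30.5/24
    # (same class A supernet), then moved to 192.168.1.5/24 as 1b suggests.
    for svc in ("10.10.30.5/24", "192.168.1.5/24"):
        print(svc, check_service_port_addressing("10.10.20.5/24", svc,
                                                 client="192.168.1.50"))
```

Note that moving the service port out of the management supernet fixes 1b but creates the second situation for any wired client already on that new subnet, which is why the tool takes the client address as well.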

 

Sharath Kattema... Mon, 08/13/2012 - 19:04

Very nicely documented.

Would like to add some information to the same.


