Here is the design.
4402 internal controller in data center
4402 DMZ Guest controller in data center
1242AP behind firewall at remote sites
I had this working, and then all of a sudden DHCP stops working for the clients.
The DHCP scope is defined on the DMZ controller. The DMZ controller is the anchor for the WLAN that the clients are connecting to. When this first started working, I assumed the DHCP requests from the internal controller were being sent across the EoIP tunnel between the two controllers. When the clients stopped getting DHCP IP assignments, I tracked it down to the initial request from the client now being sent outside the EoIP tunnel. I opened up the DMZ firewall to allow the UDP 67 traffic from the internal controller and I see the packets arrive at the DMZ controller, but they are dropped with the following message.
Jul 13 12:31:06.399 dhcpd.c:167 DHCP-6-SCOPE_NOT_FOUND: Dropping packet from 172.18.140.210 (unable to match to a dhcp scope)
I am not sure how I changed anything to have the DHCP/Bootps request to stop traversing the EoIP tunnel, but I think that is the root of my problem.
Anyone ever seen this, or have insight as to how to fix?
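Added example, not from the original post: a small Python script that parses the DHCP-6-SCOPE_NOT_FOUND line quoted above and checks the address the anchor WLC complains about against a scope table. The scope definition (192.0.2.0/24 standing in for the DMZ dynamic-interface range) and the second log line are constructed; the thread only says that the scope covers the dmz3 range and that the packet arrived from 172.18.140.210.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample: the WLC syslog line quoted in the post, plus a second
# line of the same shape whose address falls inside the hypothetical scope.
SAMPLE_LOG = """\
Jul 13 12:31:06.399 dhcpd.c:167 DHCP-6-SCOPE_NOT_FOUND: Dropping packet from 172.18.140.210 (unable to match to a dhcp scope)
Jul 13 12:31:07.120 dhcpd.c:167 DHCP-6-SCOPE_NOT_FOUND: Dropping packet from 192.0.2.77 (unable to match to a dhcp scope)
"""

# Hypothetical scope table for the anchor WLC. 192.0.2.0/24 is a documentation
# prefix standing in for the DMZ dynamic-interface (dmz3) client range.
ANCHOR_SCOPES = {
    "dmz3-guest": ipaddress.ip_network("192.0.2.0/24"),
}

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<src>\S+) DHCP-6-SCOPE_NOT_FOUND: Dropping packet from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(unable to match to a dhcp scope\)$"
)


def parse_scope_not_found(line: str) -> Optional[dict]:
    """Return timestamp and the reported source address, or None if not a match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "relay_ip": ipaddress.ip_address(m["ip"])}


def matching_scope(relay_ip, scopes=ANCHOR_SCOPES) -> Optional[str]:
    """Name of the first scope whose network contains relay_ip, else None."""
    for name, net in scopes.items():
        if relay_ip in net:
            return name
    return None


def diagnose(log_text: str, scopes=ANCHOR_SCOPES) -> list:
    """For each dropped packet, report whether its source lies in any configured scope."""
    results = []
    for line in log_text.splitlines():
        rec = parse_scope_not_found(line)
        if rec is None:
            continue
        scope = matching_scope(rec["relay_ip"], scopes)
        results.append({
            "ts": rec["ts"],
            "relay_ip": str(rec["relay_ip"]),
            "scope": scope,
            "verdict": ("source address is outside every configured scope; "
                        "the anchor has no scope it can answer from"
                        if scope is None
                        else f"source address falls in scope {scope}"),
        })
    return results


if __name__ == "__main__":
    for r in diagnose(SAMPLE_LOG):
        print(r)
```

Run against the quoted line, the script confirms the point the poster is making: 172.18.140.210 (the address the request now arrives from) is in none of the anchor's scopes, so the anchor's DHCP server drops it regardless of whether the firewall lets UDP 67 through.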
What else do you see in the FW logs as being dropped? Open UDP port 97 also and make sure UDP port 16666 is open between the foreign WLC and the Guest WLC.
-UDP 16666 for tunnel control traffic
-UDP 16667 for encrypted traffic
-IP Protocol 97 for user data traffic
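Added example, not part of the reply above: a Python check that reads firewall deny lines and reports which of the three mobility channels listed (UDP 16666, UDP 16667, IP protocol 97) are being dropped between the foreign and anchor controllers, and separately flags any other drops between the pair such as the UDP 67 traffic the original post mentions. The log format, the anchor address 198.51.100.10 and the deny lines are constructed; 172.18.140.210 is the address from the original post.

```python
import re
from typing import Dict, List, Tuple

# Controller addresses. The foreign (internal) WLC address comes from the
# original post; the anchor address is a constructed documentation address.
FOREIGN_WLC = "172.18.140.210"
ANCHOR_WLC = "198.51.100.10"

# Mobility traffic that must pass between the two controllers, per the reply.
MOBILITY_REQUIRED: Dict[Tuple[str, int], str] = {
    ("udp", 16666): "mobility tunnel control",
    ("udp", 16667): "mobility encrypted traffic",
    ("ip", 97): "EoIP user data",
}

# Constructed deny lines in a generic "DENY proto src dst dport" shape.
# IP-protocol drops carry the protocol number on the proto field and no port.
SAMPLE_FW_LOG = """\
Jul 13 12:30:58 fw1 DENY udp 172.18.140.210 198.51.100.10 67
Jul 13 12:30:59 fw1 DENY udp 172.18.140.210 198.51.100.10 16667
Jul 13 12:31:00 fw1 DENY ip97 172.18.140.210 198.51.100.10 -
Jul 13 12:31:01 fw1 DENY tcp 203.0.113.5 198.51.100.10 443
"""

DENY_RE = re.compile(
    r"DENY (?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\S+)$"
)


def parse_deny(line: str):
    """Return (channel, src, dst) for a deny line, where channel is
    ('udp', port), ('tcp', port) or ('ip', protocol_number); None otherwise."""
    m = DENY_RE.search(line.strip())
    if not m:
        return None
    proto, port = m["proto"], m["port"]
    if proto.startswith("ip") and proto[2:].isdigit():
        channel = ("ip", int(proto[2:]))
    elif port.isdigit():
        channel = (proto, int(port))
    else:
        return None
    return channel, m["src"], m["dst"]


def audit_controller_path(log_text: str, wlc_a: str, wlc_b: str):
    """Split drops between the two controllers (either direction) into
    blocked mobility channels and everything else."""
    blocked: Dict[Tuple[str, int], str] = {}
    other: List[Tuple[str, int]] = []
    pair = {wlc_a, wlc_b}
    for line in log_text.splitlines():
        rec = parse_deny(line)
        if rec is None:
            continue
        channel, src, dst = rec
        if {src, dst} != pair:
            continue  # not between the two controllers
        if channel in MOBILITY_REQUIRED:
            blocked[channel] = MOBILITY_REQUIRED[channel]
        else:
            other.append(channel)
    return blocked, other


if __name__ == "__main__":
    blocked, other = audit_controller_path(SAMPLE_FW_LOG, FOREIGN_WLC, ANCHOR_WLC)
    for ch, why in blocked.items():
        print(f"mobility channel blocked: {ch[0]}/{ch[1]} ({why})")
    for ch in other:
        print(f"other drop between controllers: {ch[0]}/{ch[1]}")
```

In the constructed sample the script reports UDP 16667 and IP protocol 97 as blocked mobility channels and lists the UDP 67 drop separately, which is the distinction the reply is asking the poster to make: a DHCP packet showing up at the firewall between the two controllers is itself a sign it is not inside the EoIP tunnel.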
I have confirmed that 16666 and 97 are in place and taking hits on the ACL. Plus I have performed eping, mping and ping from the command line and verified the mobility group membership on both controllers.
The version of code on the controllers is 22.214.171.124
Debugging the client on the internal controller, I see the DHCP request cycle through, but no packet is ever returned from the DMZ controller due to the error message in the original post.
I have clients running 4.2.130 also and have no issues. Delete the scope from the DMZ wlc and recreate it. I assume you have the guest ssid on all controllers configured exactly the same and using the management interface?
I do have the same WLAN defined on both wlc.
I have no scope defined on the internal wlc.
On the internal wlc for the wlan I have dhcp defined as the management interface of the DMZ wlc (anchor).
On the internal wlc I have the wlan interface defined as the management interface.
On the DMZ wlc the dhcp server is defined as the management interface.
On the DMZ wlc the wlan is defined as the dynamic lan terminating in the actual dmz for clients.
On the DMZ wlc the dhcp scope is defined for the range of the dynamic interface dmz ip range.
Q. Do I need to use the virtual ip address anywhere in this configuration? 126.96.36.199?
The virtual ip needs to be the same for all members in the mobility group. Do you have both port from the guest wlc connected to the dmz or do you have one port connected to the internal network and the other to the dmz?
The guest wlc is configured like this
dynamic interface --> vlan3=dmz3
management/ap-mgnt interface --> vlan4=dmz4
Clients tunnel to the guest wlc via dmz4 and exit to dmz3 as nodes on the vlan.
The virtual interface has the same default IP on all controllers.
I did delete the scope and recreate it on the guest wlc.
I usually don't create a dynamic interface on the guest wlc. I map the guest ssid to the management since it is already in the dmz. So the only interface I have is the management, ap manager, virtual and service port. I have tried to create a dynamic interface just like you did, but never got it to work that way. Try mapping the guest ssid to the management and create a scope to see if that works for you. I haven't had time to play around with creating and using dynamic interfaces in the dmz....
Q. This is on the DMZ Anchor wlc, under the WLAN/Edit/Advanced/DHCP Server = 188.8.131.52
Does this make sense? Or should I have it assigned to the management interface?
On the internal wlc, I have the DMZ wlc management interface defined for the same wlan.
Does that make sense also?
DHCP should be the management ip of the guest anchor. DHCP address on the management interface on the foreign controllers is usually set to your internal dhcp server. Once you change that on the wlan on the guest anchor, it should work. Again, I haven't been able to get this working with dynamic interfaces configured.
I will have to get Cisco back in on Monday. They had it working and somehow I managed to hose up the DMZ guest WLC providing dhcp addresses from the internal wlc DHCP server.
I will post the resolution when I get this resolved.
Thanks for your help!