New Member

Guest Access issue

I am trying to configure Guest Access. I have a 5508 WLC inside the LAN (wlc01) and a dedicated 5508 guest access WLC (wlc02) behind the firewall in the DMZ. My Mobility group status is showing as control path down, data path down. I have therefore performed some tests to confirm IP connectivity between controllers. IP connectivity fails in one direction. It is here where I am seeing strange results. Below is the IP configuration of the controllers and the results:

wlc01 ip 10.106.1.90

mgmt interface 10.106.1.90, 255.255.255.0, gateway 10.106.1.5

wlc02 ip 192.168.1.250

mgmt interface 192.168.1.250, 255.255.255.0, gateway 192.168.1.254

firewall 10.106.4.10

1) I can ping wlc02 to wlc01 (dmz to lan)

2) I can ping wlc01 to firewall (lan to fw)

3) I cannot ping wlc01 to wlc02 (lan to dmz), however see (4) below

4) I have configured a client with IP 10.106.1.94, 255.255.255.0, gateway 10.106.1.5. I can ping wlc02 from this client (lan to dmz).

So in a nutshell I cannot ping the dmz controller from the LAN controller, but I can ping the DMZ controller from a client on the same subnet as the LAN controller.

Before I can confirm that protocol 97 and UDP 16666, 16667 are flowing between controllers I wanted to confirm basic IP connectivity.

Any suggestions welcome!

18 REPLIES
Hall of Fame Super Silver

Re: Guest Access issue

Do you see the FW dropping packets? Try to open up everything from wlc01 and wlc02 first, or do an eping or mping.

Make sure that the DMZ and local WLC in the wired network are reachable. Use mobility pings (eping and mping) to test.

  • Mobility ping over UDP—This test runs over mobility UDP port 16666 and tests whether the mobility control packet can be reached over the management interface: mping mobility_peer_IP_address
  • Mobility ping over EoIP—This test runs over EoIP - IP port 97 and tests the mobility data traffic over the management interface: eping mobility_peer_IP_address

Note: Only one mobility ping test per controller can be run at a given time.

  • If there is a firewall present, make sure that the UDP port 16666 and IP port 97 are opened for communication between the WLCs.
-Scott
*** Please rate helpful posts ***
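As an added example (not from the thread, Scott's post, or any Cisco tool), a Python check that walks the mobility flows listed above (UDP 16666/16667 for control, IP protocol 97 EoIP for data, both directions) against a simple firewall policy and reports which ones no rule allows. The rule format and the policy entries are constructed; the controller addresses are the ones from the question.

```python
# Added example: does a simple firewall policy permit WLC mobility traffic
# between two controller management IPs? Needs UDP 16666/16667 (control)
# and IP protocol 97, EoIP (data), in both directions. Policy is constructed.
import ipaddress
from dataclasses import dataclass

UDP, EOIP = 17, 97   # IP protocol numbers

@dataclass(frozen=True)
class Rule:
    src: str            # source CIDR
    dst: str            # destination CIDR
    proto: int          # IP protocol number
    ports: tuple = ()   # allowed UDP destination ports; () = any

def required_flows(wlc_a, wlc_b):
    """Flows a mobility peering needs, each as (src, dst, proto, port)."""
    flows = []
    for s, d in ((wlc_a, wlc_b), (wlc_b, wlc_a)):
        flows.append((s, d, UDP, 16666))
        flows.append((s, d, UDP, 16667))
        flows.append((s, d, EOIP, None))   # EoIP has no port
    return flows

def permits(rule, src, dst, proto, port):
    """True if this single rule allows the flow."""
    if proto != rule.proto:
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
        return False
    if proto == UDP and rule.ports and port not in rule.ports:
        return False
    return True

def missing_flows(rules, wlc_a, wlc_b):
    """Required flows that no rule in the policy allows."""
    return [f for f in required_flows(wlc_a, wlc_b)
            if not any(permits(r, *f) for r in rules)]

# Constructed policy: control ports open LAN->DMZ, only 16666 back, no EoIP.
POLICY = [
    Rule("10.106.1.0/24", "192.168.1.0/24", UDP, (16666, 16667)),
    Rule("192.168.1.250/32", "10.106.1.90/32", UDP, (16666,)),
]

if __name__ == "__main__":
    for src, dst, proto, port in missing_flows(POLICY, "10.106.1.90", "192.168.1.250"):
        print(f"missing: {src} -> {dst} proto {proto} port {port}")
```

With the constructed policy the check reports three gaps: UDP 16667 from the DMZ controller back to the LAN controller, and EoIP in both directions.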
New Member

Re: Guest Access issue

Hi

Thanks for the reply.

No, when I ping from wlc01 to wlc02 the packets do not reach the FW. I cannot see where the packets are dropped. Nor can I understand why I can ping wlc02 from a client on the same subnet as wlc01.

Hall of Fame Super Silver

Re: Guest Access issue

Check your management interface configuration again and also your switchport configuration.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Re: Guest Access issue

You can ping wlc01 from any other subnet in your internal LAN?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: Guest Access issue

Yes, wlc1 is pingable from anywhere inside the LAN and from guest wlc2 (DMZ). wlc1 can ping the FW but not guest wlc2 behind the firewall. Is it not possible to traceroute from wlc1? The mgmt interface is configured OK (I can ping this from anywhere inside the LAN and from guest wlc2 in the DMZ). To confirm: no packets are reaching the FW from wlc1, but packets are reaching the FW from a client (same gateway as the mgmt interface) on the same subnet as wlc1. Mobility group created (DMZ guest wlc2 anchored to itself, wlc1 anchored to guest wlc2 in the DMZ). Control path down, data path down on the mobility group.

Hall of Fame Super Silver

Re: Guest Access issue

So your mping and eping fail then. You can't traceroute from the WLC. You don't have any ACLs in place that might be blocking? And have you tried to open the FW up between the two WLCs?

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
New Member

Re: Guest Access issue

eping & mping fail.

No ACLs in place.

FW has been opened up.

In WCS there is an option when configuring a controller to run a ping. I have just run this ping repeatedly from wlc1 (LAN) to the guest wlc2 (DMZ), and at the same time I rebooted guest wlc2. My ping was successful before, during and after rebooting guest wlc2. How can this be?

wlc1 is plugged directly into the core router. From this core router I cannot ping guest wlc2. So why is it that I can ping guest wlc2 from within WCS but from nowhere on the LAN, including the core?

Hall of Fame Super Silver

Re: Guest Access issue

Did you reboot wlc1?

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
New Member

Re: Guest Access issue

Yes, just after. The FW guys are adamant that this issue is due to the config on wlc1, because I can ping guest wlc2 from a client configured with the same mask/gateway as wlc1. I am stumped!

Hall of Fame Super Silver

Re: Guest Access issue

If you take wlc2 off the network and you can still ping the IP, then you have a duplicate address somewhere. The same goes for wlc1.

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Re: Guest Access issue

You must have a duplicate IP address.

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
New Member

Re: Guest Access issue

I have looked at the static routes on the core and there is nothing resembling the guest wlc2 address.

Hall of Fame Super Silver

Re: Guest Access issue

It can be a device. What about your DHCP pool, did you exclude the WLC IP? If you look at your switch log, you would see duplicate address errors.

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
Silver

Re: Guest Access issue

If you don't want to take wild stabs at what the problem could be, just go get a wired port SPAN of the switchport the WLC connects to. Same for the DMZ. Just go track down where your packets are or are not making it. This beats the hell out of guessing what your problem is, if you can go prove where your packet is and isn't making it.

If you want to capture "debug mobility keepalive enable" (from both WLCs) and attach it here, we can at least determine who is or is not hearing who. You'd likely still need wired captures to track it down, but at least it lets you know which direction your problem lies.

Honestly, in almost every case I've worked where a firewall was involved, the packets would hit the FW and not go out the other end, even though the security team was adamant it wasn't their issue. If you can prove the packets hit the FW and don't come out, that's something the FW will have to explain the reason for.

New Member

Re: Guest Access issue

Hi fella5,

Please can you confirm what interfaces and IPs are required on the LAN & guest controllers based on the below?

mgmt interface - do the IP settings have to be unique to each controller?
guest interface - do the IP settings have to be unique to each controller?

LAN controller - 10.106.1.90, 255.255.255.0, 10.106.1.5, vlan101
mgmt interface - ??
guest interface - ??

Guest controller - 192.168.1.5, 255.255.255.0, 192.168.1.254, vlan666
mgmt interface - ??
guest interface - ??

Hall of Fame Super Silver

Re: Guest Access issue

All IP addresses have to be unique between each WLC. Only the Virtual IP Address can be the same.

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
New Member

Re: Guest Access issue

Thanks for all your help.

New Member

Re: Guest Access issue

Found a duplicate IP in the routing table. Have removed it and now have IP connectivity.

Protocol 97, ports 16666, 16667 open. Identical WLANs. Mobility group created on each controller, anchor created on guest controller, foreign controller points to anchor, guest controller points to itself for anchor. epings & mpings fail, control & data path showing as down. Any ideas?
