OEAP & PaloAlto & Tunnel Interruption

alex.roth
Level 1

Hello,

I'm testing the following solution right now:

We have a FlexConnect & OEAP WLC5508 installed in our DMZ (LAG configured together with a DMZ switch). Our firewall is a Palo Alto device.

Now I get the following problems:

Everything works without problems. I get a connection over the internet with my OEAP600 AP, get an IP, and can also use my Cisco phone, which is connected to the RemoteLAN on the OEAP. The strange thing is that if I do a reconnect on my laptop for testing (disconnect the OEAP SSID and reconnect), the tunnel interrupts and rebuilds. In most cases the tunnel then comes back and everything works (phone & WLAN) again, and sometimes only a reboot of the OEAP will fix the problem.

I checked if I see any blocking on the Palo Alto but I don't see anything that is blocked.

Regards

Alex

2 Replies

Scott Fella
Hall of Fame

So you have LAG enabled on the WLC in the DMZ and you have an EtherChannel set up to the same DMZ switch? So when you are using the remote LAN, you're dumping the traffic to a segment in the DMZ? Remote LAN doesn't allow anchoring back to the inside/foreign WLC. The SSID that users connect to on the OEAP is anchored back to the WLC on the inside, correct? I have had issues with Palo Alto and the DMZ WLC and the foreign WLC mobility flapping, and it was a rule that was in the config somewhere that was dropping the mobility ports.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Hi,

Thanks for the answer, see below for more clarifications:

So you have LAG enabled on the WLC in the DMZ and you have an EtherChannel set up to the same DMZ switch --> yes

So when you are using the remote LAN, you're dumping the traffic to a segment in the DMZ --> yes

All our controllers are placed in the DMZ. We used one controller as the FlexConnect termination and OEAP termination point. We have a second controller which is used only for guest access and works fine.

I also inserted the command network ap-discovery nat-ip-only disable.

I opened the ports UDP 5246 and UDP 5247 from outside to the DMZ. If I do a test and remove the rules from the PA, it works. But I don't see any blocking when the rules are activated again. This is the strange thing for me and I don't know why the tunnel goes down. I also thought this could be a problem with my DHCP configuration because I'm using DHCP proxy on the WLC for my OEAP interfaces.

Thanks
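The reply above is looking at the Palo Alto for blocked traffic and not finding any, while the CAPWAP tunnel (UDP 5246 control, UDP 5247 data) still drops. A useful next check is to look at the firewall's session-end records rather than only at denies: a flapping tunnel shows up as repeated control-channel session ends for the same AP, and a session closed as idle can be just as disruptive as a block. The script below is an added example written for this thread, not code from the original post or from Cisco or Palo Alto. It assumes a constructed, simplified CSV log format (end time, source, destination, protocol, destination port, action, end reason); real PAN-OS traffic-log columns differ and would need their own field mapping. The sample lines and addresses are constructed.

```python
"""Spot CAPWAP tunnel churn in firewall session-end logs (added example).

Assumed, simplified log format per line (constructed for this example):
    end_time,src_ip,dst_ip,proto,dport,action,end_reason
Real PAN-OS traffic logs carry many more columns; adapt FIELDS accordingly.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# CAPWAP control and data channels between the AP (outside) and the WLC (DMZ).
CAPWAP_PORTS = {5246: "control", 5247: "data"}
FIELDS = ["end_time", "src_ip", "dst_ip", "proto", "dport", "action", "end_reason"]

# Constructed sample: AP .10 rebuilds its control session three times in a few
# minutes, AP .20 never shows an allowed data flow, AP .30 has its data flow
# denied, and the last line is unrelated HTTPS noise.
SAMPLE_LOG = """\
2024-01-10T08:00:00,203.0.113.10,198.51.100.5,udp,5246,allow,aged-out
2024-01-10T08:00:05,203.0.113.10,198.51.100.5,udp,5247,allow,aged-out
2024-01-10T08:04:00,203.0.113.10,198.51.100.5,udp,5246,allow,aged-out
2024-01-10T08:07:30,203.0.113.10,198.51.100.5,udp,5246,allow,aged-out
2024-01-10T08:02:00,203.0.113.20,198.51.100.5,udp,5246,allow,aged-out
2024-01-10T08:03:00,203.0.113.30,198.51.100.5,udp,5247,deny,policy-deny
2024-01-10T08:03:00,203.0.113.30,198.51.100.5,udp,5246,allow,aged-out
2024-01-10T08:06:00,203.0.113.40,198.51.100.5,tcp,443,allow,tcp-fin
"""


def parse_log(text):
    """Parse the assumed CSV format into dicts with typed time and port fields."""
    rows = []
    for row in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        row["end_time"] = datetime.fromisoformat(row["end_time"])
        row["dport"] = int(row["dport"])
        rows.append(row)
    return rows


def capwap_only(rows):
    """Keep only UDP flows to the CAPWAP control or data port."""
    return [r for r in rows if r["proto"] == "udp" and r["dport"] in CAPWAP_PORTS]


def denied_capwap(rows):
    """CAPWAP flows the firewall did not allow: an explicit policy problem."""
    return [(r["src_ip"], CAPWAP_PORTS[r["dport"]], r["action"])
            for r in capwap_only(rows) if r["action"] != "allow"]


def aps_missing_channel(rows):
    """APs for which only one of the two CAPWAP channels was ever allowed."""
    seen = defaultdict(set)
    for r in capwap_only(rows):
        if r["action"] == "allow":
            seen[r["src_ip"]].add(CAPWAP_PORTS[r["dport"]])
    return {ip: sorted(set(CAPWAP_PORTS.values()) - chans)
            for ip, chans in seen.items() if len(chans) < 2}


def control_churn(rows, window=timedelta(minutes=10), threshold=3):
    """Count control-channel session ends per AP inside a sliding window.

    A healthy AP keeps one long-lived control session, so several ends for
    the same AP in a short window means the tunnel is being torn down and
    rebuilt. Returns {ap_ip: max_ends_in_window} for APs at or above threshold.
    """
    ends = defaultdict(list)
    for r in capwap_only(rows):
        if r["dport"] == 5246 and r["action"] == "allow":
            ends[r["src_ip"]].append(r["end_time"])
    churn = {}
    for ip, times in ends.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            churn[ip] = best
    return churn


def end_reasons(rows):
    """Tally why CAPWAP sessions ended; many 'aged-out' entries point at an
    idle timeout closing the UDP session rather than at a deny rule."""
    tally = defaultdict(int)
    for r in capwap_only(rows):
        tally[r["end_reason"]] += 1
    return dict(tally)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("denied CAPWAP flows:", denied_capwap(records))
    print("APs missing a channel:", aps_missing_channel(records))
    print("control-channel churn:", control_churn(records))
    print("end reasons:", end_reasons(records))
```

Run against a real export, the interesting cases are APs that appear under control-channel churn while never appearing under denied flows: that pattern means the firewall is allowing the traffic but the session is being closed and re-created anyway, which is where a UDP session timeout or a NAT/mobility rule, rather than a plain block, deserves a look.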
