09-18-2013 01:17 AM - edited 07-04-2021 12:52 AM
Hello,
I'm testing right now the following solution:
We have a FlexConnect & OEAP WLC5508 installed in our DMZ (LAG configured together with a DMZ switch). Our firewall is a Palo Alto device.
Now I get the following problems:
Everything is working without problems. I get a connection over the internet with my OEAP600 AP, get an IP and can also use my Cisco Phone
which is connected to the Remote LAN on the OEAP. The strange thing is now: if I do a reconnect on my laptop for testing
(disconnect the OEAP SSID and reconnect), the tunnel interrupts and rebuilds. In most cases the tunnel then comes back and everything works again (Phone & WLAN), and sometimes only a reboot of the OEAP will fix the problem.
I checked if I see any blocking on the Palo Alto, but I don't see anything that is blocked.
Regards
Alex
09-18-2013 05:12 AM
So you have LAG enabled on the WLC in the DMZ and you have an EtherChannel set up to the same DMZ switch? So when you are using the Remote LAN, you're dumping the traffic to a segment in the DMZ? Remote LAN doesn't allow anchoring back to the inside/foreign WLC. The SSID that users connect to on the OEAP is anchored back to the WLC on the inside, correct? I have had issues with Palo Alto and the DMZ WLC and the foreign WLC mobility flapping, and it was a rule that was in the config somewhere that was dropping the mobility ports.
Sent from Cisco Technical Support iPhone App
09-18-2013 07:49 AM
Hi,
Thanks for the answer, see below for more clarifications:
So you have LAG enabled on the WLC in the DMZ and you have an EtherChannel set up to the same DMZ switch --> yes
So when you are using the Remote LAN, you're dumping the traffic to a segment in the DMZ --> yes
All our controllers are placed in the DMZ. We use one controller as the FlexConnect termination and OEAP termination point. We have a second controller which is used only for Guest Access and works fine.
I also entered the command network ap-discovery nat-ip-only disable.
I opened the ports UDP 5246 and UDP 5247 from outside to the DMZ. If I do a test and remove the rules from the PA, it works. But I don't see any blocking when the rules are activated again. This is the strange thing for me, and I don't know why the tunnel goes down. I also thought this could be a problem with my DHCP configuration, because I'm using DHCP proxy on the WLC for my OEAP interfaces.
Thanks
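As an added illustration of the check the thread is circling (whether the firewall is actually interfering with the CAPWAP control/data flows on UDP 5246 and 5247, even though no explicit block is visible), here is a small Python script that summarises a session-log export per CAPWAP port and per AP source address. This is not code from the thread or from Cisco or Palo Alto; the CSV column layout (time,src,dst,proto,dport,action,reason) and the sample lines are constructed for the example and are deliberately simplified, not a real Palo Alto export format. The idea it demonstrates is that a tunnel can flap without a "deny" entry: a session that is aged out or otherwise ended by the firewall shows up only in the non-"allow" rows, so those are what to filter for.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# The two CAPWAP ports the original poster opened from outside to the DMZ.
CAPWAP_PORTS = {5246: "CAPWAP control", 5247: "CAPWAP data"}

# Constructed sample export (simplified, hypothetical columns; not a real
# firewall log format). One AP at 203.0.113.10 sees a data session aged out
# and a control packet denied, a second AP at 203.0.113.11 is clean.
SAMPLE_LOG = """\
time,src,dst,proto,dport,action,reason
2013-09-18T01:10:01,203.0.113.10,198.51.100.5,udp,5246,allow,
2013-09-18T01:10:02,203.0.113.10,198.51.100.5,udp,5247,allow,
2013-09-18T01:12:30,203.0.113.10,198.51.100.5,udp,5246,allow,
2013-09-18T01:12:31,203.0.113.10,198.51.100.5,udp,5247,drop,aged-out
2013-09-18T01:12:40,203.0.113.10,198.51.100.5,udp,5246,deny,policy-deny
2013-09-18T01:12:41,203.0.113.10,198.51.100.5,udp,5247,allow,
2013-09-18T01:13:00,203.0.113.11,198.51.100.5,udp,5246,allow,
"""


def parse_sessions(text):
    """Parse the CSV export into a list of dicts, with dport as an int."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["dport"] = int(row["dport"])
        rows.append(row)
    return rows


def is_capwap(row):
    """True for UDP rows whose destination port is a CAPWAP port."""
    return row["proto"] == "udp" and row["dport"] in CAPWAP_PORTS


def summarize_capwap(rows):
    """Count firewall actions per CAPWAP port: {port: Counter(action)}."""
    summary = defaultdict(Counter)
    for r in rows:
        if is_capwap(r):
            summary[r["dport"]][r["action"]] += 1
    return dict(summary)


def non_allowed_capwap(rows):
    """Return CAPWAP rows that did not end with 'allow' (drop, deny, aged-out...)."""
    return [r for r in rows if is_capwap(r) and r["action"] != "allow"]


def aps_with_interruptions(rows):
    """Set of AP source addresses that had at least one non-allowed CAPWAP row."""
    return {r["src"] for r in non_allowed_capwap(rows)}


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for port, actions in sorted(summarize_capwap(sessions).items()):
        print(f"UDP {port} ({CAPWAP_PORTS[port]}): {dict(actions)}")
    for r in non_allowed_capwap(sessions):
        print(f"{r['time']} {r['src']} -> {r['dst']} udp/{r['dport']} "
              f"{r['action']} {r['reason']}")
    print("APs with interrupted tunnels:", aps_with_interruptions(sessions))
```

Run against a real export, the useful signal is the rows returned by non_allowed_capwap(): a policy deny points at a rule, while an aged-out or session-end row on UDP 5247 with no matching deny points at session timeouts rather than at a blocking rule.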