We have a FlexConnect & OEAP WLC 5508 installed in our DMZ (LAG configured together with a DMZ switch). Our firewall is a Palo Alto device.
Now I get the following problem:
Everything works without problems. I get a connection over the internet with my OEAP600 AP, get an IP, and can also use my Cisco phone,
which is connected to the Remote LAN port on the OEAP. The strange thing is this: if I do a reconnect on my laptop for testing
(disconnect from the OEAP SSID and reconnect), the tunnel is interrupted and rebuilt. In most cases the tunnel then comes back and everything works again (phone & WLAN), but sometimes only a reboot of the OEAP will fix the problem.
I checked whether I see any blocking on the Palo Alto, but I don't see anything that is blocked.
So you have LAG enabled on the WLC in the DMZ and you have an EtherChannel set up to the same DMZ switch? So when you are using the Remote LAN, you're dumping the traffic onto a segment in the DMZ? Remote LAN doesn't allow anchoring back to the inside/foreign WLC. The SSID that users connect to on the OEAP is anchored back to the WLC on the inside, correct? I have had issues with Palo Alto and the DMZ WLC and the foreign WLC mobility flapping, and it was a rule that was in the config somewhere that was dropping the mobility ports.
Thanks for the answer, see below for more clarifications:
So you have LAG enabled on the WLC in the DMZ and you have an EtherChannel set up to the same DMZ switch --> yes
So when you are using the Remote LAN, you're dumping the traffic onto a segment in the DMZ --> yes. All our controllers are placed in the DMZ. We use one controller as the FlexConnect and OEAP termination point. We have a second controller which is used only for guest access and works fine. I also entered the command network ap-discovery nat-ip-only disable. I opened the ports UDP 5246 and UDP 5247 from outside to the DMZ. When I did a test and removed the rules from the PA, it works. But I don't see any blocking when the rules are activated again. This is the strange thing for me, and I don't know why the tunnel goes down. I also thought this could be a problem with my DHCP configuration, because I'm using DHCP proxy on the WLC for my OEAP interfaces.
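Added example, not part of the original thread and not Cisco or Palo Alto code: a small first-match rule-base audit that lists which of the flows an OEAP/FlexConnect WLC in a DMZ depends on would fall through to the implicit deny. The CAPWAP ports (UDP 5246 control, UDP 5247 data) are the ones named above; the mobility ports (UDP 16666 control, UDP 16667 secure mobility data, IP protocol 97 EoIP for the legacy mobility data tunnel) are assumed Cisco defaults for the scenario the reply describes, since the thread does not list them. The addresses and the two rule bases are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# From the thread: CAPWAP control and data ports.
CAPWAP_CTRL, CAPWAP_DATA = 5246, 5247
# Assumed Cisco defaults (not stated in the thread): mobility control, secure
# mobility data, and the legacy EoIP mobility data tunnel (IP protocol 97, no ports).
MOBILITY_CTRL, MOBILITY_DATA = 16666, 16667
EOIP = "ip97"


@dataclass(frozen=True)
class Flow:
    name: str
    src: str             # single host address
    dst: str
    proto: str           # "udp", "tcp" or "ip97"
    dport: Optional[int] # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # CIDR
    dst: str             # CIDR
    proto: str           # "any" or the same names as Flow.proto
    dport: Optional[int] # None means any port
    action: str          # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst)
                and self.proto in ("any", flow.proto)
                and self.dport in (None, flow.dport))


def first_match(rules: list[Rule], flow: Flow) -> Optional[Rule]:
    """Top-down, first-match evaluation; None means the implicit deny at the end."""
    for rule in rules:
        if rule.matches(flow):
            return rule
    return None


def required_flows(ap_public_ip: str, wlc_dmz_ip: str,
                   peer_wlc_ip: Optional[str] = None) -> list[Flow]:
    """Flows the OEAP setup needs; peer_wlc_ip adds the mobility flows between two WLCs."""
    flows = [
        Flow("CAPWAP control, OEAP -> DMZ WLC", ap_public_ip, wlc_dmz_ip, "udp", CAPWAP_CTRL),
        Flow("CAPWAP data, OEAP -> DMZ WLC", ap_public_ip, wlc_dmz_ip, "udp", CAPWAP_DATA),
    ]
    if peer_wlc_ip:
        for a, b in ((wlc_dmz_ip, peer_wlc_ip), (peer_wlc_ip, wlc_dmz_ip)):
            flows.append(Flow(f"mobility control, {a} -> {b}", a, b, "udp", MOBILITY_CTRL))
            flows.append(Flow(f"mobility data (secure), {a} -> {b}", a, b, "udp", MOBILITY_DATA))
            flows.append(Flow(f"mobility data (EoIP), {a} -> {b}", a, b, EOIP, None))
    return flows


def audit(rules: list[Rule], flows: list[Flow]) -> dict[str, tuple[bool, str]]:
    """Map each required flow to (allowed?, name of the rule that decided it)."""
    result = {}
    for flow in flows:
        rule = first_match(rules, flow)
        result[flow.name] = (False, "implicit deny") if rule is None \
            else (rule.action == "allow", rule.name)
    return result


def missing(rules: list[Rule], flows: list[Flow]) -> list[str]:
    """Names of required flows that are not allowed, sorted for stable output."""
    return sorted(name for name, (ok, _) in audit(rules, flows).items() if not ok)


# Constructed rule base: CAPWAP control is open but CAPWAP data (UDP 5247) and the
# mobility data ports are not, so the AP joins while the tunnels carry nothing.
EXAMPLE_RULES = [
    Rule("outside-to-dmz-capwap-ctrl", "0.0.0.0/0", "192.0.2.0/24", "udp", CAPWAP_CTRL, "allow"),
    Rule("dmz-to-inside-mobility-ctrl", "192.0.2.0/24", "198.51.100.0/24", "udp", MOBILITY_CTRL, "allow"),
    Rule("inside-to-dmz-any", "198.51.100.0/24", "192.0.2.0/24", "any", None, "allow"),
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),
]

# Same rule base with the missing flows added.
FIXED_RULES = [
    Rule("outside-to-dmz-capwap-ctrl", "0.0.0.0/0", "192.0.2.0/24", "udp", CAPWAP_CTRL, "allow"),
    Rule("outside-to-dmz-capwap-data", "0.0.0.0/0", "192.0.2.0/24", "udp", CAPWAP_DATA, "allow"),
    Rule("dmz-to-inside-mobility-ctrl", "192.0.2.0/24", "198.51.100.0/24", "udp", MOBILITY_CTRL, "allow"),
    Rule("dmz-to-inside-mobility-data", "192.0.2.0/24", "198.51.100.0/24", "udp", MOBILITY_DATA, "allow"),
    Rule("dmz-to-inside-eoip", "192.0.2.0/24", "198.51.100.0/24", EOIP, None, "allow"),
    Rule("inside-to-dmz-any", "198.51.100.0/24", "192.0.2.0/24", "any", None, "allow"),
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),
]

if __name__ == "__main__":
    flows = required_flows("203.0.113.10", "192.0.2.5", "198.51.100.5")
    for name in missing(EXAMPLE_RULES, flows):
        print("blocked:", name)
```

Run it as-is to see which flows the constructed rule base drops, then swap in your own rule base. One caveat that matters for the "I don't see anything blocked" observation: traffic that falls through to a firewall's final or default deny rule only shows up in the traffic log if logging is enabled on that rule, so an empty deny log is not by itself evidence that the flow was permitted.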