Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

OEAP & PaloAlto & Tunnel Interruption

Hello,

I´m testing right now following solution :

We have a Flexconnect & OEAP WLC5508 installed in our DMZ ( LAG configured together with a DMZ switch  )  . Our Firewall is a PaloAlo device.

Now I get following problems:

All working without problems . I get a connection over the internet with my OEAP600 AP and get an  IP and can also use my Cisco Phone

which is connected to the RemoteLAN on the OEAP. Strange thing is now If I do for testing a reconnect on my Laptop

( disconnect OEAP SSID and reconnect ) the Tunnel interrups and rebuild. In the most cases then the tunnel come back and everything works ( Phone & WLAN )  again and sometimes only a reboot from the OEAP will fix the problem.

I checked if I see any blocking on the PaloAlto but I don´t see anything what is blocked.

Regards

Alex

2 REPLIES
Hall of Fame Super Silver

Re: OEAP & PaloAlto & Tunnel Interruption

So you have lag enabled on the WLC in the DMZ and you have an etherchannel setup to the same DMZ switch? So when you are using the remote LAN, your dumping the traffic to a segment in the DMZ? Remote LAN doesn't allow anchoring back to the inside/foreign WLC. The ssid that users connect to on the OEAP is anchored back to the WLC on the inside correct? I have had issues with Palo Alto and the DMZ WLC and the foreign WLC mobility flapping and it was a rule that was in the config somewhere that was dripping the mobility ports.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

OEAP & PaloAlto & Tunnel Interruption

Hi,

Thnaks for the nanswer , see below more clarifications:

So you have lag enabled on the WLC in the DMZ and you have an etherchannel setup to the same DMZ switch  --> yes

So when you are using the remote LAN, your dumping the traffic to a segment in the DMZ -> yes
All our controllers are placed into the DMZ . We used one controller as Flexconnect termination and OEAP termination point. We have a second controller which is used only for Guest Access and works fine .
I also inserted the command network ap-discovery nat-ip-only disable.
I opened the ports UDP 5246 and UDP 5247 outside to DMZ.  If I done a test and removed the rules from the PA it works. But I don´t see any blocking if activated the rules again. This is the strange thing for me and I not know why the tunnel goes down. I thought also if this could be a problem with my DHCP configuration because I´m using DHCP proxy on the WLC for my  OEAP interfaces.

Thanks

207
Views
0
Helpful
2
Replies
CreatePlease to create content