I'm having trouble setting up an Anchor Controller on my DMZ. I have setup everything up and tested it out on my inside network and the Anchor Controller comes up with no problem. When I put the Anchor Controller on the DMZ the data path is up but the control path is down. I can do EPING's but MPINGS fail everytime. The DMZ is secured by a checkpoint firewall. I've made sure ports UDP 16666, 16667 and TCP 97 are open on the firewall. It looks like the traffic is going out to the Anchor controller on the DMZ but not coming back in to establish the tunnel. I've contacted Checkpoint but there support is not the best and I'm wondering if anyone has suppport for a checkpointfirewall. Thanks in advance
The following verifications and troubleshooting tasks assume the following: â¢The solution is using the web authentication functionality resident in the anchor controller(s). â¢User credentials are created and stored locally on the anchor controller(s).
Before attempting to troubleshoot the various symptoms below, at the very least you should be able to ping from the campus (foreign) controller to the anchor controller(s). If not, verify routing.
Next, you should be able to perform the following advanced pings. These can only be performed via the serial console interfaces of the controllers: â¢mping neighbor WLC ip
This pings the neighbor controller through the LWAPP control channel. â¢eping neighbor WLC ip
This pings the neighbor controller through the LWAPP data channel.
If a standard ICMP ping goes through, but mpings do not, ensure that the default mobility group name of each WLC is the same, and ensure that the IP, MAC, and mobility group name of each WLC is entered in the mobility members list of every WLC.
If pings and mpings are successful, but epings are not, check the network to make sure that IP protocol 97 (Ethernet-over-IP) is not being blocked.
Please make sure that the mobility group names are on each other's controller.
I am wondering if you ever got this resolved. I am running into the exact same problem you described here. I've got the local Checkpoint admins looking into it, but if you happen to have the fix for this, I'd be much appreciative!
Yes we got this working. The problem was a NAT statement on the CheckPoint Firewall. Make sure you have nat statments for the outside Anchor Controller and also NATS for the inside networks. Hopefully you'll be able to get this issue fixed.