Cisco Support Community

WLC management interface - unexpected traffic

Hello

I have a number of WLCs/WiSM2 running 7.0.230.0 (still using WCS for management). The management interfaces for the controllers are on a purely private subnet. While going through the internet edge ASA logs I noticed some traffic drops for the controllers on the Inside interface. I took a packet capture from the controllers and found that they were sending TCP traffic to a number of IP addresses (Microsoft, Hotmail and Google) - always with a src port 2028 (submitserver) with the ACK/FIN flags set.

Can anyone tell me why this traffic is coming from the management interfaces? The management interface is not used by any wireless clients and is not the default interface for any of the SSIDs.

Thanks

Andy

4 REPLIES

Re: WLC management interface - unexpected traffic

I remember a case I took years ago that had similar packets dropped on the firewall.

I bet what you are seeing is traffic from clients in a guest network that have not web-authed yet.

Steve

Sent from Cisco Technical Support iPhone App

HTH, Steve

Please remember to rate useful posts, and mark questions as answered

Re: WLC management interface - unexpected traffic

Thanks for the reply, Steve. We have a few web-auth SSIDs - one is a standard web-auth SSID using a custom login page (with a pre-auth ACL), the other is a "captive portal" (web-auth set to external site) with a pre-auth ACL.

Was there a resolution to the case you worked on? I've got an ACL on the management SVI which is filtering this traffic out so it doesn't reach the firewall, but I'm interested to find out why this traffic is coming from the management interface.

Thanks

Andy

Re: WLC management interface - unexpected traffic (accepted solution)

IIRC the customer started to ignore them as they weren't causing any issues. What we found were clients that hadn't authed were trying to connect to sites, and the WLC was sourcing the fin ack, to stop the establishment of the clients.

Steve


Re: WLC management interface - unexpected traffic

Thanks for the info. Makes sense - although the pre-auth ACLs seem to be blocking the clients OK prior to authentication. It's not causing any issues for us either (except for filling the ASA logs) - I'll continue to filter this traffic at source.

Thanks again

Andy

PS: Forgot to mention in the original post - when I first noticed this issue, the traffic was sourced from the WLC's service port IP addresses. When I removed the IP addresses from the service ports, the traffic started using the management IP addresses for the source.
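
An added example, not part of any post in this thread: a Python sketch for triaging firewall drops like the ones described above, separating the WLC-sourced FIN/ACK packets from source port 2028 from any other dropped traffic leaving the controllers. It assumes the drops are logged as ASA message 106015 ("Deny TCP (no connection)"), which the thread does not state; the WLC addresses and log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the ASA 106015 format (addresses are placeholders).
SAMPLE_LOG = """\
Mar 01 10:00:01 asa1 %ASA-6-106015: Deny TCP (no connection) from 10.10.10.11/2028 to 198.51.100.20/80 flags FIN ACK  on interface inside
Mar 01 10:00:04 asa1 %ASA-6-106015: Deny TCP (no connection) from 10.10.10.11/2028 to 198.51.100.20/80 flags FIN ACK  on interface inside
Mar 01 10:00:09 asa1 %ASA-6-106015: Deny TCP (no connection) from 10.10.10.12/2028 to 203.0.113.5/443 flags FIN ACK  on interface inside
Mar 01 10:01:30 asa1 %ASA-6-106015: Deny TCP (no connection) from 10.10.10.11/51514 to 192.0.2.9/22 flags RST  on interface inside
Mar 01 10:02:00 asa1 %ASA-6-106015: Deny TCP (no connection) from 10.20.0.7/2028 to 198.51.100.20/80 flags FIN ACK  on interface inside
Mar 01 10:02:05 asa1 %ASA-6-302013: Built outbound TCP connection 42 for outside:198.51.100.20/80 (198.51.100.20/80) to inside:10.20.0.7/40000 (10.20.0.7/40000)
"""

WLC_IPS = {"10.10.10.11", "10.10.10.12"}  # assumed management/service-port IPs
WLC_SRC_PORT = 2028                       # source port reported in the thread

LINE_RE = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<ifc>\S+)"
)


def summarize(log_text, wlc_ips=WLC_IPS):
    """Return (expected, other) for drops sourced from the controllers.

    expected: Counter of (src, dst, dport) for FIN/ACK from port 2028,
              the pattern the thread attributes to pre-auth web-auth clients.
    other:    raw lines for any other WLC-sourced drop, which that
              explanation does not cover and which deserves a closer look.
    """
    expected, other = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["src"] not in wlc_ips:
            continue  # not a 106015 drop, or not from a controller
        flags = set(m["flags"].split())
        if int(m["sport"]) == WLC_SRC_PORT and {"FIN", "ACK"} <= flags:
            expected[(m["src"], m["dst"], int(m["dport"]))] += 1
        else:
            other.append(line)
    return expected, other


if __name__ == "__main__":
    expected, other = summarize(SAMPLE_LOG)
    for (src, dst, dport), n in expected.most_common():
        print(f"{n:3d}  {src}:{WLC_SRC_PORT} -> {dst}:{dport}  FIN/ACK")
    print(f"{len(other)} WLC-sourced drop(s) outside the expected pattern")
```
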
