Creating a certificate may take some time. Do you wish to continue? (y/n) y
Web Administration certificate has been generated
e. Verify Basic IP Connectivity
Check basic IP connectivity from the client to the WLC management interface: ping the WLC management interface. If that fails, check for any access control configured along the path between the client and the controller management interface that could be blocking this traffic. The management protocols and the ports they use are:
Telnet: TCP port 23
SSH: TCP port 22
HTTP: TCP port 80
HTTPS: TCP port 443
If the client is on a different VLAN than the WLC, check inter-VLAN routing.
Move the client to the same VLAN as the controller and then try to access the WLC again to rule out inter-VLAN routing issues.
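The connectivity check above (and the same check against the dynamic interface later in this document) can be scripted so that the result also tells you why a port failed. The following is an added example, not part of the Cisco document: a TCP connect is attempted on each of the four management ports, and the failure type is used as the hint the steps above describe. A timeout (no SYN-ACK, no RST) is what an ACL drop or a missing inter-VLAN route looks like; a refused connection means the IP path is fine and the WLC simply has that service disabled. The address 192.0.2.10 is a placeholder, and the `connect` parameter is injectable only so the classification logic can be exercised without a network.

```python
import errno
import socket
import sys

# Management services listed in the troubleshooting steps and their TCP ports.
MGMT_PORTS = {"telnet": 23, "ssh": 22, "http": 80, "https": 443}


def classify_error(exc):
    """Turn a failed TCP connect into a troubleshooting state.

    A timeout means neither SYN-ACK nor RST came back, which is what an ACL or
    firewall drop, a missing inter-VLAN route, or a dead host looks like.
    A refusal (RST) means the IP path works and the WLC has that service off.
    """
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered-or-unreachable"
    if isinstance(exc, ConnectionRefusedError):
        return "closed"
    if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "no-route"
    return "error:" + (exc.strerror or exc.__class__.__name__)


def probe_mgmt_ports(host, ports=MGMT_PORTS, timeout=3.0,
                     connect=socket.create_connection):
    """Attempt a TCP connection to each management port of `host`.

    `connect` is injectable so the logic can be tested without a network.
    Returns {service: state} with state in open / closed /
    filtered-or-unreachable / no-route / error:<text>.
    """
    results = {}
    for name, port in ports.items():
        try:
            sock = connect((host, port), timeout)
            sock.close()
            results[name] = "open"
        except OSError as exc:
            results[name] = classify_error(exc)
    return results


def summarize(results):
    """One-line diagnosis matching the decision steps in the text."""
    states = set(results.values())
    if states == {"open"}:
        return "all management services reachable"
    if "open" in states or "closed" in states:
        return "host reachable; some services do not answer (check WLC management settings)"
    return "nothing answers; check ACLs along the path and inter-VLAN routing"


if __name__ == "__main__":
    # 192.0.2.10 is a placeholder (TEST-NET-1), not a real controller address.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    report = probe_mgmt_ports(target)
    for service, state in report.items():
        print(f"{service:6s} tcp/{MGMT_PORTS[service]:<4d} {state}")
    print(summarize(report))
```

Run it as `python probe.py <WLC mgmt ip>` from the client that cannot reach the controller; if every port reports filtered-or-unreachable while a ping succeeds, the block is almost certainly an ACL on the path rather than a routing problem.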
f. Capture a Sniffer Trace.
Assuming that the controller is attached to a switch, it will likely be necessary to configure a monitor (span) session to capture a sniffer trace of the controller's traffic. This will tell us what packets are going to the controller and how (if at all) the controller responds.
This debug allows capturing packets coming to the controller:
debug packet logging acl ip 1 permit <WLC mgmt ip> any
debug packet logging acl ip 2 permit any <WLC mgmt ip>
debug packet logging enable all 1-65535
The hexdump this produces can be turned into a capture file with Wireshark's text2pcap utility:
C:\Program Files\Wireshark>text2pcap.exe
Must specify input and output filename
Text2pcap 1.0.99CAPWAP_0.0.1
Generate a capture file from an ASCII hexdump of packets.
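As an added example (not code from the Cisco document), the following does the same job as text2pcap for the "offset: bytes" hexdump style that the debug produces, and can be used where Wireshark is not installed on the machine that collected the debug output. It assumes each frame is preceded by an `rx`/`tx` header line (frames are also split whenever an offset of 0000 appears, so dumps without headers still work), that the dumped bytes are complete Ethernet frames, and that there is no ASCII column on the right. The two sample frames are constructed: a TCP SYN to port 443 of a placeholder WLC address and the matching SYN-ACK, with checksums left at zero.

```python
import re
import struct
import sys

# Constructed sample of the hexdump style produced by "debug packet logging":
# a direction/length header line followed by "offset: bytes" lines. The two
# frames are a made-up TCP SYN from 192.168.1.100 to the placeholder WLC
# management address 192.168.1.10 on port 443, and the WLC's SYN-ACK.
# IP/TCP checksums are left as zero; they are not needed for the conversion.
SAMPLE_DEBUG_OUTPUT = """\
rx len=54, encap=ip, port=1
0000: 00 1a 2b 3c 4d 5e 00 50 56 aa bb cc 08 00 45 00
0010: 00 28 12 34 40 00 40 06 00 00 c0 a8 01 64 c0 a8
0020: 01 0a c3 50 01 bb 00 00 00 01 00 00 00 00 50 02
0030: ff ff 00 00 00 00
tx len=54, encap=ip, port=1
0000: 00 50 56 aa bb cc 00 1a 2b 3c 4d 5e 08 00 45 00
0010: 00 28 00 01 40 00 40 06 00 00 c0 a8 01 0a c0 a8
0020: 01 64 01 bb c3 50 00 00 00 64 00 00 00 02 50 12
0030: ff ff 00 00 00 00
"""

HEADER_RE = re.compile(r"^\s*(rx|tx)\b")
HEXLINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{4,8}):((?:\s+[0-9A-Fa-f]{2})+)")

LINKTYPE_ETHERNET = 1


def parse_hexdump(text):
    """Return a list of (direction, frame_bytes) parsed from the debug output.

    A new frame starts at each rx/tx header line, and also at any line whose
    offset is 0000, so dumps without header lines still split correctly.
    Offsets are checked against the bytes collected so far, so a truncated or
    interleaved dump raises instead of silently producing a bogus frame.
    """
    frames = []
    direction, current = None, bytearray()

    def flush():
        if current:
            frames.append((direction or "?", bytes(current)))

    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            flush()
            direction, current = m.group(1), bytearray()
            continue
        m = HEXLINE_RE.match(line)
        if not m:
            continue  # ignore prompts, blank lines and other debug chatter
        offset = int(m.group(1), 16)
        if offset == 0 and current:
            flush()
            direction, current = None, bytearray()
        if offset != len(current):
            raise ValueError(f"offset {offset:#x} does not follow {len(current)} bytes")
        current.extend(bytes.fromhex(m.group(2)))
    flush()
    return frames


def build_pcap(frames, base_ts=0):
    """Serialise frames into a classic pcap (Ethernet link type) byte string.

    The debug output carries no timestamps, so frames are spaced one
    microsecond apart starting at base_ts, which keeps their order visible.
    """
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535,
                                LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        ts_sec, ts_usec = base_ts + i // 1_000_000, i % 1_000_000
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame))
        out += frame
    return bytes(out)


def convert(text, path):
    """Write the frames found in `text` to `path`; returns the frame count."""
    frames = parse_hexdump(text)
    with open(path, "wb") as fh:
        fh.write(build_pcap([data for _, data in frames]))
    return len(frames)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            count = convert(fh.read(), sys.argv[2])
    else:
        count = convert(SAMPLE_DEBUG_OUTPUT, "wlc-debug.pcap")
    print(f"wrote {count} frame(s)")
```

Usage: save the terminal output of the debug session to a text file and run `python wlc2pcap.py debug.txt out.pcap`; the resulting file opens in Wireshark like any other Ethernet capture. Because the script refuses to continue when an offset does not line up with the bytes already collected, a dump in which two frames were interleaved by terminal buffering is reported rather than decoded into garbage.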
h. Check the controller syslog and trap logs for any suspicious behaviour.
i. In some corner cases, we did spot only HTTPS access broken while SSH and HTTP worked fine.
We saw the following in the bootup log:
-> "Starting portmap deamon"
Warning!!!: You don't seem to have internal USB storage for lic/cert
Please request for one and add to the system
-> "Starting "VPN-Services"
Unable to load system certificate!!! Contact your Cisco Systems Inc. technical support representativeok
-> "Starting Management Services:
Web Server: ok
Secure Web: Web Admin Certificate not found (error).
License Agent: ok
This issue requires hardware replacement for resolution.
j. LAG and switch channel distribution method
If LAG is enabled on the controller, check the load-balancing algorithm configured on the switch side of the channel.
Use only the ip-src or ip-src ip-dst load-balancing options in the switch EtherChannel configuration. Some switch models use an incompatible load-balancing mechanism by default, so it is important to verify it.
This is how to verify the EtherChannel load balancing mechanism:
switch#show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        src-dst-ip
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
  IPv4: Source XOR Destination IP address
  IPv6: Source XOR Destination IP address
This is how to change the switch configuration (IOS):
After FIPS is enabled on a controller, users are sometimes unable to reach the controller over HTTPS when using IE6 or IE7.
Prior to enabling FIPS they did not experience any problems.
The issue is specific to IE7 and IE6+; Firefox does not appear to have this issue.
l. Management Access Priority Order configuration
If TACACS+ or RADIUS is the primary management access method, confirm that the management user credentials are present on the authentication server. If the TACACS+ or RADIUS server is unavailable or unreachable, the controller falls back to locally configured credentials.
Mgmt Via Wireless Interface................. Disable
Mgmt Via Dynamic Interface.................. Enable
c. Verify Basic IP Connectivity
Ping the dynamic interface IP from the wireless client. Does that work? If not, check for any ACLs along the path.
d. Compare with a Wired Client on the Same VLAN
Place a WIRED client on the same VLAN as the dynamic interface and have that wired client HTTP and/or Telnet to the controller via both the management and the dynamic interface.
This isolates whether the problem affects wired clients as well or only wireless clients.
Telnet/SSH to the WLC management interface fails if the client from which the session is started is in the same subnet as the service port.
This is documented in the Cisco WLC configuration guide as well:
Cisco 4400 and Cisco 5500 Series Controllers also have a 10/100/1000 copper Ethernet service port. The service port is controlled by the service-port interface and is reserved for out-of-band management of the controller and system recovery and maintenance in the event of a network failure. It is also the only port that is active when the controller is in boot mode. Use of the service port is optional.
Caution Do not configure wired clients in the same VLAN or subnet of the service port on the network. If you configure wired clients on the same subnet or VLAN as the service port, you will not be able to access the management interface.