3850 as MC and 5508 as Anchor Guest

Can I use a 5508 WLC with release 7.4.121.0 as anchor guest for a 3850 configured as Mobility Controller?
Converged access (new mobility) is supported only in 7.3.112 or 7.5 and later releases, but I don't need to configure the 3850 as Mobility Agent.
I need to configure the 3850 to connect to my anchor guest controller 5508 in DMZ.

Hi
You need to run 7.6.110.0 on your 5508 & enable "New Mobility" feature on your 5508 if you want to have Anchor-Foreign setup between 3850 & 5508.
 NB: 7.3.x & 7.5.x codes are differed & 7.4.x code does not support this "new mobility"
HTH
Rasika
**** Pls rate all useful responses *****

Similar Messages

  • 3850's using WLC 2504 as a guest anchor

    Hi,
    Does anyone know if it's possible to use a WLC2504 as a guest anchor when we have deployed 3850's for regular corporate WLAN?
    The corporate stuff is all up and running OK using 3850's but I've now come to look at the guest provisioning and I'd like it to terminate on a guest anchor in the DMZ if possible, just wondering if it's possible to do this with that setup?
    Thanks,
    Ian.

    Do you know if it's possible to keep the 3850's as MC and MA's and deploy a 5760/5508/WiSM2 as just a guest anchor.
    Yes, this is possible & what I have done in my production network (5760 as MC & Guest Anchor where 3850 as MA). In your case you can have 3850 MC/MA while 5508 as Guest Anchor.
    Good to see my blog helps you & thanks for the comment.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Clients unable to connect and get DHCP - LAP1142N AP and 5508 WLC

    Hi,
    I have 19 locations, each with 1 or more LAP1142N APs in FlexConnect mode. The APs are primed using CAPWAP to my 5508 WLC at the datacenter. The APs join the WLC without issue every time. I have two WLANs, one guest and one staff. The guest network is open and obtains DHCP from a WatchGuard XTM33 firewall at each of the remote locations. The staff side is WPA2/RADIUS and DHCP is assigned from the WLC. Each AP is assigned a static IP that is not in the DHCP scope. For example: the DHCP scope on the branch firewall is 192.168.1.10-250 and the AP will be assigned a static IP of 192.168.1.1. The APs are connected to an HP ProCurve switch that has an untagged VLAN; the firewall is using the native VLAN 1 and so is the AP.
    I have been running this network for over a year and it has not had a single issue until the last two weeks. Nothing on the network has changed or has been upgraded.
    Now for the issue: The issue I am seeing is that clients are no longer able to connect to the AP and do not get DHCP assigned to them. I am able to get it working, if I remove the static IP from the AP, the AP will reboot, join the controller, then begin working, users can connect and DHCP is assigned from the firewall as it should. However, If the AP then reboots, the AP will join back to the controller but no clients can connect nor do they get a DHCP address. So, I then reassign a static IP to the AP again and it reboots, connects to the controller and clients then can connect and get DHCP.
    Attached is a running config from one of the APs
    I've found several posts on this topic, in fact the patch of unassigning or reassigning static IP is one that I found. However, I wanted to post this to see if there is any further assistance I can get on this. I am also waiting on my SmartNet to start up and will be contacting Cisco support as well.
    Thanks for any help.

    Alright, so I finally figured out the issue with this. I had a Mobility Anchor set on the guest WLAN and once I removed that all started working again.
    What is Mobility Anchor?
    A. Mobility Anchor, also referred to as Guest tunneling or Auto Anchor Mobility, is a feature where all the client traffic that belongs to a WLAN (Specially Guest WLAN) is tunneled to a predefined WLC or set of controllers that are configured as Anchor for that specific WLAN. This feature helps to restrict clients to a specific subnet and have more control over the user traffic. Refer to the Configuring Auto-Anchor Mobility section of Cisco Wireless LAN Controller Configuration Guide, Release 7.0 for more information on this feature.

  • Ask the Expert: NGWC (3850/5760): Architecture and Deployment

    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about NGWC (3850/5760): Architecture and Deployment.
    Ask questions from Monday, April 13th, 2015 to Friday, April 24th, 2015
    This Ask the Expert Session will cover questions spanning NGWC products (3850/5760) on Implementation and Deployment from the Wired and Wireless perspective. This will be more specific to Customer’s and Partners questions covering 3850/5760 configuration, Implementation and deployment.
    Dhiresh Yadav is a customer support engineer in High-Touch Technical Services (HTTS)  handling supporting Wireless and Network Management based Cisco products and is based in Bangalore. His areas of expertise include Cisco Wireless CUWN and NGWC Product line. He has over 7 years of industry experience working with large enterprise and service provider networks. He also holds CCNP (RS) and CCIE (DC-Written) and CCIE Wireless certification.
    Naveen Venkateshaiah is working as a Customer support engineer in High-Touch Technical Services (HTTS) handling  and supporting Lan-switching and Data center Products. His areas of expertise include Catalyst 3k,4k , 6500 , Nexus 7k Platform  He has over 7 years of industry experience working with large Enterprise and Service Provider networks. He also holds CCNA, CCNP (RS) and  CCDP-ARCH,CCIE-R&S Written, AWLANFE, LCSAWLAN Certification.
    Find other  https://supportforums.cisco.com/expert-corner/events.
    **Ratings Encourage Participation! **
    Please be sure to rate the Answers to Questions

    Hi Dhiyadav,
    Thank you for your reply; it cleared up some doubts I had, but I need more of your support to guide me through a converged access deployment which I am going to deploy within a few days.
    I have
    2x5508 in HA as MC
    30x3850 switches, and all will be used as MA(s) with multiple SPGs
    2X5508  1:1 as an anchor controller
    1xISE 1.3 for guest access
    1xCPI for wireless mgmt and monitoring purpose
    1xMSE3355 with wips and context aware licenses
    200x cisco 3702i WAP
    50x WSSI module for monitoring the channels
    Can you please shed light on the design and guide me as to which are the best possible solutions to get this job done smoothly?
    I will also let you know about my proposed design scenario, but for sure I need your recommendations as well :)
    So,
    I will use 2x5508 WLCs in HA as an MC, which are AP-Count and HA licensed.
    3850 switches will be MAs and I'll configure SPGs per floor switch stack.
    WAPs will join these 3850 MAs based on each floor.
    I would have 2 SSIDs, like employee and guest.
    I will configure them on each 3850 stack MA along with their SVIs for user access (employee and guest SSID).
    Here my question is about the guest SSID and its VLAN: do I configure it here or on the anchor controller?
    I want ISE to be integrated with wireless for employee 802.1x and for guest web auth. So how will I integrate ISE with wireless? I mean, will I integrate it with the anchor controller or with each 3850 MA?
    Between the foreign and anchor controller I will use new mobility instead of old EoIP!
    Where shall I place ISE in my network, in the DMZ or with the core switch?
    My target is for guest users to not have access to any corporate network resources.
    MSE:
    Can I use both wIPS and context aware on the single MSE box?
    If yes, then what is the best practice for configuring them?
    Will each 3850 MA be added in MSE?
    The WSSI module will be used for monitoring purposes for wIPS and context aware profiles.
    All access points will work in local mode for serving user access.
    Thank you

  • WLC+Anchor+Guest NAC

    Hello all
    I have a few basic clarifications on these components. I have a network with LWAPPs and a WLC on one site, say Site A. Let's consider only the guest SSID access as of now. The Anchor guest controller is positioned on a DMZ segment on Site B. Site A & B are connected through a routed network. I also have a NAC guest server on Site C. Now, I want to integrate all these components. As per my knowledge, the following is the traffic flow:
    1) When guest users access their SSID, they are mapped to the anchor controller in the DMZ through mobility groups. The WLC then initiates an EoIP tunnel to the DMZ controller. Firewall rules allow all required ports (IP 97, 16666 UDP etc), and end-to-end IP communication happens.
    2) Upon the request, the Anchor controller provides an IP address from DHCP configured locally. In this case, will the default gateway of the PCs be the Anchor DMZ controller's WLAN IP or will it be local to Site A (say L3 switch)?
    3) Then when the user tries to access any site, he is given a web authentication portal, which is linked to the RADIUS server/NAC guest server. During authentication, the DMZ controller again tries speaking to the NAC guest server in Site C. Hence the firewall has to allow the UDP 1812/1813 RADIUS ports.
    4) After authentication, the user browses the internet. Now, what will be the IP packet flow in this instance? Will all traffic be first tunneled across LWAPP to the controller, and from there EoIP'ed to the Anchor? Does the Anchor then forward it to the internet gateway, through the DMZ? As asked before, will the default gateway of the PCs be the WLAN IP of the anchor? If there are too many users, will I create many WLAN SSIDs for guests, for Site A?
    Sorry for the long post..
    Raj

    Greg
    Thanks again, that was useful too. One last query, and this was grilling my head:
    1) How does the guest VLAN egress work? I have a WLC on a new DMZ of the PIX, with a /27 subnet. This WLAN is used only for EoIP communication. Now, when the guest user gets a DHCP IP, what IP pool should I define here? Since the default route is going to be towards the PIX, it should be one among the 4 interfaces, right now? Or should I have another interface or VLAN DMZ for the egress traffic from the WLC? The SRND says something about dynamic interfaces, but it is not explained at all :(
    2) Will the foreign WLC talk to Anchor controllers 1 & 2 in load balancing mode? Why I'm asking is, if the DHCP is defined on Anchor 1 and the request goes to Anchor 2, then it will be an issue. Otherwise, is it advisable to split up DHCP scopes between the two Anchors, say 1-127 on one anchor and 128-254 on the other?
    3) Lastly, about guest NAC servers: I have 2 of them in place. Will the guest database be replicated between them, like what ACS does? If so, is the replication bidirectional? If the lobby admin creates an account, it will be good if he just creates it in one box and the other box replicates it.
    Thanks for all your answers. It has been really useful to me, and I think it will be useful for anyone who works on Anchor+guest+foreign WLC designs :)
    Raj
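Added example, not part of the original thread: a small Python audit of a firewall rule base against the flows the post above names (IP protocol 97 and UDP 16666 between the foreign WLC and the DMZ anchor, UDP 1812/1813 from the anchor to the guest RADIUS server). All addresses, rule names and the rule format are constructed; treating the tunnel flows as needed in both directions on a stateless, first-match rule base is an assumption.

```python
import ipaddress

# Constructed addresses for illustration only.
FOREIGN_WLC = "10.10.0.5"     # Site A controller
ANCHOR_WLC = "192.0.2.10"     # DMZ anchor controller
GUEST_RADIUS = "10.30.0.20"   # NAC guest server (RADIUS)

# Constructed rule base, evaluated top-down, first match wins.
# proto "ip" means any protocol; port None means any port / not applicable.
RULES = [
    {"name": "R1", "action": "permit", "proto": "97",
     "src": "10.10.0.5/32", "dst": "192.0.2.10/32", "port": None},
    {"name": "R2", "action": "permit", "proto": "97",
     "src": "192.0.2.10/32", "dst": "10.10.0.5/32", "port": None},
    {"name": "R3", "action": "permit", "proto": "udp",
     "src": "10.10.0.5/32", "dst": "192.0.2.10/32", "port": 16666},
    {"name": "R4", "action": "permit", "proto": "udp",
     "src": "192.0.2.10/32", "dst": "10.30.0.0/16", "port": 1812},
    {"name": "R5", "action": "deny", "proto": "ip",
     "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": None},
]


def required_flows(foreign, anchor, radius):
    """Flows from the post, as (src, dst, proto, port) tuples."""
    flows = []
    for src, dst in ((foreign, anchor), (anchor, foreign)):
        flows.append((src, dst, "97", None))     # EoIP tunnel
        flows.append((src, dst, "udp", 16666))   # mobility control
    flows.append((anchor, radius, "udp", 1812))  # RADIUS authentication
    flows.append((anchor, radius, "udp", 1813))  # RADIUS accounting
    return flows


def rule_matches(rule, flow):
    src, dst, proto, port = flow
    if rule["proto"] not in ("ip", proto):
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule["src"]):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule["dst"]):
        return False
    return rule["port"] is None or rule["port"] == port


def decision(rules, flow):
    """Return (action, rule name) of the first matching rule."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule["action"], rule["name"]
    return "deny", "implicit"


def is_broad(rule):
    """A permit wider than one host pair, one protocol and one port."""
    wide_net = any(ipaddress.ip_network(rule[k]).prefixlen < 32
                   for k in ("src", "dst"))
    any_proto = rule["proto"] == "ip"
    any_port = rule["proto"] in ("udp", "tcp") and rule["port"] is None
    return wide_net or any_proto or any_port


def audit(rules, foreign, anchor, radius):
    """Return (required flows that are not permitted, overly broad permits)."""
    missing = [f for f in required_flows(foreign, anchor, radius)
               if decision(rules, f)[0] != "permit"]
    broad = [r["name"] for r in rules
             if r["action"] == "permit" and is_broad(r)]
    return missing, broad


if __name__ == "__main__":
    missing, broad = audit(RULES, FOREIGN_WLC, ANCHOR_WLC, GUEST_RADIUS)
    for flow in missing:
        print("not permitted:", flow)
    print("broader than needed:", broad)
```

On the constructed rule base this reports the return direction of UDP 16666 and RADIUS accounting as blocked, and flags R4 for opening a /16 where a single RADIUS host is needed.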

  • A MacBook Air was reported stolen From a room at my hotel that belong to a guest. I request a apple Id and password from the guest in order to track it though iCloud, when I login into the account the MacBook was not their, however I saw other device. A f

    A MacBook Air was reported stolen
    from a room at my hotel; it belonged to a guest. I requested an Apple ID and password from the guest in order to track it through iCloud. When I logged into the account the MacBook was not there; however, I saw other devices. A few days passed, then the MacBook appeared. How did that happen, please explain?

    For a stolen Macbook to appear in iCloud - the person who stole it must turn it on.
    You can't track something that's turned off.

  • Cannot access to any site with ssl connection and fail to open safari and keychain, unless restart computer and login in with Guest account.

    After updating to 10.7.2, I cannot access any site with an SSL connection and fail to open Safari and Keychain, unless I restart the computer and log in with the Guest account.
    OS:10.7.2
    Macbook Pro 2010-mid 13inch

    I also have the same problem, however if I use Firefox or Opera sites with ssl connection work fine. Still, I can't use Google Chrome (ssl), Safari (ssl), the Mac app store (generally), or the iTunes store (generally). Both the iTunes store, Safari and the app store won't respond, and Chrome displays this error: (net::ERR_TIMED_OUT). The problem persists regardless of what network I'm using. Also, when trying to access the keychain or iCloud, the process will not start (will hang). I didn't have these problems at all before updating to 10.7.2.
    Sometimes rebooting helps, and sometimes not. If the problem disappears by rebooting, then it only lasts a few minutes before it reappears. It is very frustrating, especially since there doesn't seem to be any obvious or consistent way of which to fix it.
    I'm also using a Macbook Pro 13-inch mid 2010.

  • Best practices for network design on WLC 2504 and 5508

    Dear all:
    I'm looking for some recommendations on WLC 2504 and 5508 about the following:
    Maximum number of APs per port
    The scenario when to use all ports in both WLCs
    Maximum number of clients (users) per port
    Bandwidth consumption of management vs data in order to assign one port for management
    I've just found this:
    Cisco 5508 controllers have eight Gigabit Ethernet distribution system ports, through which the controller can manage multiple access points. The 5508-12, 5508-25, 5508-50, 5508-100, and 5508-250 models allow a total of 12, 25, 50, 100, or 250 access points to join the controller. Cisco 5508 controllers have no restrictions on the number of access points per port. However, Cisco recommends using link aggregation (LAG) or configuring dynamic AP-manager interfaces on each Gigabit Ethernet port to automatically balance the load. If more than 100 access points are connected to the 5500 series controller, make sure that more than one gigabit Ethernet interface is connected to the upstream switch.
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/6-0/configuration/guide/Controller60CG/c60mint.html
    Thanks for your help.

    The 5508-12, 5508-25, 5508-50, 5508-100, and 5508-250 models allow a total of 12, 25, 50, 100, or 250 access points to join the controller.
    This is an old document.  5508 can now support up to 500 APs if you run firmware 7.X.  2504 can support up to 75 APs if you run firmware 7.4.X.
    I'm looking for some recommendations on WLC 2504 and 5508 about the following:
    Best practice and recommendation is to LAG all ports so you will be able to form a link redundancy.  If one link goes down, you have other link to push traffic. 

  • WLC mobility group between 4404 and 5508 controllers

    Mobility 'Control and Data Path Down' between 4404 and 5508 WLC's.
    Hello, we have 5 x 4404 WLC's running 7.0.240.0 with mobility configured fine between them.
    We have installed a 5508 with HA running 7.4.110.0, and have tried to add it to the mobility group, however we see 'Control and Data Path Down' between the new 5508 and all the 4404 controllers.
    All controllers have:
    The same virtual address
    Management interfaces are in the same VLAN, and indeed all the controllers connect via the same pair of 3750X stacked switches.
    The default mobility domain name is the same
    4404 output when issuing the command 'show mobility summary'
    Symmetric Mobility Tunneling (current) .......... Enabled
    Symmetric Mobility Tunneling (after reboot) ..... Enabled
    Mobility Protocol Port........................... 16666
    Default Mobility Domain.......................... SGH-Mobility
    Multicast Mode .................................. Disabled
    Mobility Domain ID for 802.11r................... 0xe209
    Mobility Keepalive Interval...................... 10
    Mobility Keepalive Count......................... 3
    Mobility Group Members Configured................ 6
    Mobility Control Message DSCP Value.............. 0
    5508 output when issuing the command 'show mobility summary'
    Mobility Architecture ........................... Flat
    Mobility Protocol Port........................... 16666
    Default Mobility Domain.......................... SGH-Mobility
    Multicast Mode .................................. Disabled
    Mobility Domain ID for 802.11r................... 0xe209
    Mobility Keepalive Interval...................... 10
    Mobility Keepalive Count......................... 3
    Mobility Group Members Configured................ 6
    Mobility Control Message DSCP Value.............. 0
    I've spent quite some time double checking all the configurations to no avail.
    Has anybody seen this problem before?
    Kind regards
    Dave Bell

    Thanks Sandeep.
    I am well versed with WLC's and mobility, however trying to add a 5508 to a mobility group with 4404's has come up with a bit of a curve ball.
    All the 4404 controllers joined the mobility group fine, no problems at all - it's only the 5508 I am struggling with.
    In theory it's simple: populate the IP address and MAC address of the management interface of the remote WLC, and as long as the management interfaces are in the same VLAN and the Default Mobility Domain Names are the same, it should come up.
    Interestingly I have found the 5508 reports its own management interface MAC address incorrectly when viewing the Mobility Groups:
    For example:
    {Screen shot WLC1.jpg}
    5508 management address is 10.95.x.x and when viewing the Mobility Management screen it shows its own MAC address as bc:16:65:f9:37:60.
    however!
    From our router, if I do a sh arp | i 10.95.x.x (controller management address), I see: f872.eaee.becf.
    {Screen shot wlc2.jpg}
    Hence the WLC reports as: bc:16:65:f9:37:60
    and
    The network reports as: f872.eaee.becf for the same IP address.
    I have changed the other WLCs to the MAC address seen on the network for the new controller, aka changed from
    bc:16:65:f9:37:60
    to
    f8:72:ea:ee:be:cf
    I now see the controllers reporting the mobility with the new controller as 'Control Path Down', however I am at a loss as to what may be causing this?
    Kind regards
    Dave Bell
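Added example, not part of the original thread: a Python parser for the dotted-leader `show mobility summary` output quoted above, used to diff the 4404 and 5508 summaries, plus a MAC normalizer that puts the WLC's colon notation and the router's dotted notation into one form before comparing. The outputs and MAC addresses are copied from the post; the function names are hypothetical.

```python
import re

# Output as posted in the thread above.
SUMMARY_4404 = """\
Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... SGH-Mobility
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0xe209
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 6
Mobility Control Message DSCP Value.............. 0
"""

SUMMARY_5508 = """\
Mobility Architecture ........................... Flat
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... SGH-Mobility
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0xe209
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 6
Mobility Control Message DSCP Value.............. 0
"""

# key, a run of two or more dots, value. A single dot (as in "802.11r")
# stays part of the key.
LINE_RE = re.compile(r"^(.*?)\s*\.{2,}\s*(.*)$")


def parse_summary(text):
    """Turn 'Key ........ Value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            fields[match.group(1)] = match.group(2).strip()
    return fields


def diff_summaries(first, second):
    """Report keys present on one side only and keys whose values differ."""
    a, b = parse_summary(first), parse_summary(second)
    return {
        "only_first": sorted(set(a) - set(b)),
        "only_second": sorted(set(b) - set(a)),
        "changed": {k: (a[k], b[k]) for k in a if k in b and a[k] != b[k]},
    }


def normalize_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff or aa-bb-...; return colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def same_mac(one, other):
    return normalize_mac(one) == normalize_mac(other)


if __name__ == "__main__":
    print(diff_summaries(SUMMARY_4404, SUMMARY_5508))
    # MAC shown by the 5508 for itself vs. MAC seen in the router's ARP table.
    print(same_mac("bc:16:65:f9:37:60", "f872.eaee.becf"))
```

The shared fields match on both controllers; the only differences are the two Symmetric Mobility Tunneling lines on the 4404 and the Mobility Architecture line on the 5508, and the two MAC values remain different after normalization.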

  • I updated MUSE and now the anchors stop working after one click. Active state on the buttons are not working either. The vertical scroll also stops working. Is this a bug.

    I updated to Adobe Muse 2014 and now the anchors on my site stop working on the page after one click. Vertical scroll and active state on the buttons also do not work. Is this a bug?

    I am also dealing with an anchor that stopped working. I tried everything i can think of to make it work, but no luck so far. I hope to see a helpful response here. Thanks.

  • Need to understand WebAuth using 3850 MA, 5760 MC and 5508 GA

    All,
    I would appreciate if anyone could provide clarification on my current understanding of Converged Access mobility design for WebAuth and guest access. My setup is as follows:
    (WAP)---(MA)---(MC)---(Firewall)---(GA)
    Wireless Access Point (WAP) - 3500
    Mobility Agent (MA) - Cisco 3850 (running IPServices)
    Mobility Controller (MC) - WLC 5760
    DMZ Firewall
    Guest Anchor (GA) - WLC 5508 (running 7.5.110.0 and new mobility feature enabled)
    I have my mobility domain configured with an SPG and the 3850 MAs configured into the domain. All status indicators are up for MC to MA and MC to GA. The WAPs are connected to the 3850 MA and appear on the MA using the command 'show ap summary'. There are also a number of WAPs that associate directly to the 5760 MC.
    My configuration on the MC has a guest wireless service using WebAuth, which anchors over to the GA. Clients connecting to the WebAuth service on WAPs associated directly to the 5760 MC receive an IP address from the GA DMZ and are redirected to the GA WLC. This is as expected with the usual centralized wireless model.
    My initial thoughts with the Mobility Agents (MA) was that it was a simple case of pointing the 3850s to the MC and the wireless service (WLAN) configurations would automatically appear. Through configuration tests and converged access deployment guides, I now believe this to no longer be the case. Therefore, for MAs to advertise wireless services they have to be individually configured. Am I correct with my thoughts?
    This was proved with a Secure 802.1x WLAN on the MA and it was a simple case of replicating the 5760 Secure WLAN on the MA.
    For the deployment of WebAuth wireless services on the MA 3850 switches, I have not managed to find a guide that explains how an MA anchors wireless clients to the GA. I have found documents that describe combined MC/MA configurations to GA, but not when the 3850 is just an MA. Is it the case that:
    1. MA WebAuth wireless service is configured to anchor to the GA using the command 'mobility anchor <GA IP Address>'. This would require the DMZ firewall to allow mobility tunnels between the MA to GA and MC to GA, or;
    2. MA WebAuth wireless service is configured to anchor to the MC using the command 'mobility anchor <MC IP Address>'. This would mean the traffic from the MA for WebAuth is tunneled to MC and then onwards to GA.
    I suspect option 1 is the correct method, but would appreciate confirmation.
    Also, I have not configured a Mobility Oracle (MO) since I only have one MC and the GA. If it is advisable to do, then would it be best to enable the MO on the MC or GA?
    Thanks in advance
    Ian

    Hi Ian,
    It is a long post & many questions 
    I will try to answer as much as I can.
    "I have not configured a Mobility Oracle (MO) since I only have one MC and the GA. If it is advisable to do, then would it be best to enable the MO on the MC or GA?"
    No, you don't want MO unless your set-up is extremely large (it is similar to use of BGP route reflector to reduce complexity of having full mesh)
    "My initial thoughts with the Mobility Agents (MA) was that it was a simple case of pointing the 3850s to the MC and the wireless service (WLAN) configurations would automatically appear. Through configuration tests and converged access deployment guides, I now believe this to no longer be the case. Therefore, for MAs to advertise wireless services they have to be individually configured. Am I correct with my thoughts?"
    Yes, you have to configure your WLAN configuration in MC & MA, it won't automatically propagate to MA.
    "For the deployment of WebAuth wireless services on the MA 3850 switches, I have not managed to find a guide that explains how an MA anchors wireless clients to the GA. I have found documents that describe combined MC/MA configurations to GA, but not when the 3850 is just an MA"
    I have not configured this, but this is my understanding.  You would configure MA WLAN  pointing to GA as mobility anchor. Still traffic will transit through MC as it will manage MA & SPG (any thing outside SPG should go through MC)
    Here is some useful reference information I gathered over time. (The white paper is the one you should read to cover everything.)
    https://supportforums.cisco.com/discussion/11984726/converged-access-design-information
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • 5508 and 4402 Controller Anchoring?

    Hello,
    I am running 5508 wireless controllers. I pass along another agency's WLAN across my wireless network that is anchored to their older 4402 controller.
    I wish to run the new 3600 series APs and am planning on migrating to NCS and the new 7.2 code.
    I know that the older 4400 series controllers will not handle the newer 7.1 or 7.2 code. However, I still wish to maintain this anchor relationship with the older 4402 controller. I need to know if this will work or not.
    Surely someone else has encountered this?
    Thanks,
    Phill

    Sent this one to TAC... they said it should work fine.
    I am planning a large deployment that depends heavily on the 3600 series AP...
    Not anchoring with older controllers would be a show stopper..or at least bring the project to a crawl...
    I'm already trying to figure out a workaround for surveying with the 3600 AP when I can't even run it.
    (7.1 and 7.2 will not work with WCS... I already tried running it and it broke my ability to create guest accounts... I was impressed with the 3600 AP though...).
    I have to wait until I can get NCS purchased to migrate to the 7.2 code
    Not looking for anymore surprises....
    Phill

  • Anchor Guest controller and DHCP configuration

    I checked the Cisco documentation about the DHCP configuration but I'm not 100% sure which DHCP server address I must use.
    I used as an example the scope 10.240.97.0/24 for our Guest Users. In this range are the DHCP scope and the Guest interface configured. For the management I used as an example the range 10.240.96.0/24. Now I configured our Guest WLC and I inserted on the Guest interface as Primary DHCP address the Guest interface address. After I applied it, I got the message that I can't use this DHCP address. Now I checked the Cisco documentation and found the following description:
    "If DHCP services are to be implemented locally on the anchor controller, populate the primary DHCP server field with the management IP address of the controller"
    Does it mean I must now insert, as the IP for the Primary DHCP Server on the Guest interface, the IP from the management
    interface, and the controller will then forward the traffic to the internal DHCP scope on the Guest subnet and will send it back?
    (DHCP proxy is enabled on the Guest WLC.)
    Thanks
    Al

    For Anchor you can use either internal or external dhcp server.
    Does it mean I must now insert, as the IP for the Primary DHCP Server on the Guest interface, the IP from the management
    interface, and the controller will then forward the traffic to the internal DHCP scope on the Guest subnet and will send it back?
    Yes. WLC forwards the unicast dhcp req to management ip for guest interface. All cpu generated traffic by default uses management interface as source address i.e., snmp, radius, ping...
    Is your question whether you need routing between guest and management interface.
    No, routing is not required in this case bcoz the interface residing on WLC's management. Also for proxy it uses the virtual ip address for dhcp instead of actual dhcp ip. And only wireless client can get ip from WLC's internal dhcp server.
    If you're using dhcp proxy on wlc and having external dhcp server on different vlan then yes you need routing between the two vlans.

  • Total throughput and client limitations per guest anchor controller; 7,000 guest clients

    When I read the specs of a Cisco 5508WLC I read the following : 
    Cisco 5508 Wireless LAN Controller (WLC) – 8 Gbps and 7,000 guest clients
    What happens when client 7001 tries to connect ? Is this a hardcoded like the max 500AP's limit ? Or is this just a guideline ?

    7000 is the number of entries it can handle in its client database. So you cannot have more than 7000 clients in single 5508.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • OEAP and remote lan anchoring

    Hi all,
    can someone explain how to configure anchoring on a 'remote lan' wlan for the OE-solution?
    That's my setup:
    - DMZ:
    2504-CTR with code 7.3.101.0
    - Internal
    5508-CTR with code 7.3.101.0
    I've configured two WLANs and anchored them to the internal Controller => everything works fine
    I also want to use the Remote LAN port on the OEAP600. I've created a new WLAN on the DMZ-CTR and chose Remote LAN from the drop-down menu. On the internal CTR I've also created a new WLAN, chose Guest LAN from the menu and mapped the egress interface to an existing wired interface.
    When I now want to configure the anchor on the newly created remote LAN on the DMZ-CTR, the problem is that the menu is only showing 'remove'; there is nothing with 'mobility anchor' or something like that.
    So how can I create the EoIP-tunnel for the remote lan?
    Thanks, Florian

    They removed that feature starting on v7.2. I was told by TAC that it was broken and that it was decided to remove it. I have remote LANs configured on v7.3, but that is because they were in place when the WLCs were running v7.0.x. They told me not to do the reverse tunnel like what you're trying to do, but to open the FW to the internal WLC and have that WLC manage the OEAPs.
    I don't like the idea that they did this, because it does work but now I can't add, modify or delete the remote LAN.
