HA WLC Pair

We purchased a pair of WLCs with a layer 2 link between the two. As it has turned out, this link won't be
available anytime soon. The problem we have is that the primary site has the HA WLC installed, with no
intrinsic AP = 0 support, and the WLC with the 500 licenses is in the secondary. Is there any magic
that can be worked to swap the license over remotely so we don't have to physically swap the hardware
over?
AIR-CT5508-500-K9
AIR-CT5508-HA-K9

No, in fact I'm about to do a blog post on this subject ..
Here is a recent TAC case I opened ..
Regarding your questions:
Problem Details: I have a question specific to the 5508 and WISM HA SKU part number.
AIR-CT5508-HA-K9  - If purchased can it be converted back to a licensable WLC. In other words, can i make this a regular WLC.
Can I convert an HA SKU to a primary by adding licenses?
No. This migration is not supported. The exception is if someone converted a controller with licenses to HA in the first place and now intends to revert back. The WLC retains the licenses.
If I have a licensable WLC today, what minimum license requirement is needed to turn a WLC into HA?
The controller needs to have at least 50 access point licenses in order to be able to convert the controller to the standby controller for the wireless LAN.

Similar Messages

  • WLC in HA Keep Rebooting

    Hey guys, I have a WLC HA issue and thought I'd check if anyone has been through the same and can share the solution to it. I have a WLC pair set up in HA SSO mode and the primary controller keeps rebooting while the HA WLC takes over and becomes the Active WLC.
    I configured the WLCs as an HA pair and it was all working fine before. The main WLC would be the active. I tested that the failover works with both WLCs. Now the main WLC went down, the HA WLC took over, and the main WLC doesn't come back up but keeps rebooting. In the CLI it shows the below:
    Starting VPN Services: ok
    Starting Licensing Services: ok
    Starting Redundancy: Starting Peer Search Timer of 120 seconds
    Found the Peer. Starting Role Determination...
    Restarting system ..
    Updating license storage ...  Done.
    Restarting system.
    It just keeps going through the same thing over and over. It doesn't even get to the XML configuration stage. The last resort will be to reset the main WLC to the default config and rebuild the config and HA pair. I am trying to avoid that as the WLCs are in a live environment.
    Thanks in advance!

    Thanks Leo, Power off/on and disconnect the SFP didn't work. I can't upgrade the FUS code because it never gets to a prompt unless I break the HA pair.
    I ended up logging a TAC case and it turned out to be a bug: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuc34199
    Will be fixed in the upcoming release.

  • Initial AP rollout on 5508 HA-SKU and N+1 redundancy

    Hi Board,
    I have a 7.4 WLC pair - one as primary and one as secondary WLC. They are not doing AP-SSO.
    I'm aware of all the design and configuration guides, but there are still some questions.
    Primary WLC: 50 AP count / Secondary WLC: 500 AP count (due to HA-SKU).
    Both WLCs are in one Mobility group.
    A factory default AP will discover the WLCs (for example using DHCP option 43). Even if the secondary WLC is not discovered in the hunting phase, the primary WLC will tell the AP about its secondary buddy (mobility group).
    The tie breaker is the WLC capacity - in this case all the APs will join the secondary WLC, because of the 500 AP count.
    As soon as this happens, the 90 day "nagging" timer is started, right?
    So here's the question:
    - Will the 90 day timer stop if the APs are migrated to the primary WLC using primary, secondary per AP config?
    - When will the 90 day timer be reset?
    How did you guys solve this issue?
    One solution would be to place WLC1 and WLC2 in different mobility groups and only propagate WLC1 (primary) in the hunting phase.
    In this case a brand new AP could not join the network if the primary WLC is unavailable...
    Regards,
    Johannes

    Hi,
    Here is the whole process:
    One WLC has a valid AP Count license and the other WLC has an HA SKU UDI.
    1. HA SKU is a new SKU with a Zero AP Count License.
    2. The device with HA SKU becomes Standby the first time it pairs up.
    3. AP-count license info will be pushed from Active to Standby.
    4. On event of Active failure, HA SKU will let APs join with the AP-count obtained and will start a 90-day countdown. The granularity of this is in days.
    5. After 90 days, it starts nagging messages. It will not disconnect connected APs.
    6. With a new WLC coming up, HA SKU at the time of pairing will get the AP Count:
       - If the new WLC has a higher AP count than the previous, the 90-day counter is reset.
       - If the new WLC has a lower AP count than the previous, the 90-day counter is not reset.
       - In order to lower AP count after switchover, the WLC offset timer will continue and nagging messages will be displayed after time expiry.
    7. Elapsed time and AP-count will be remembered on reboot.
    8. The factory default HA-SKU controller should not allow any APs to join.
    Regards
    Don't forget to rate helpful posts
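The licence-counter rules in the reply above, encoded as a small Python model so the reset and no-reset cases can be exercised. This is an added illustration, not Cisco code and not the poster's; the class and method names are invented for it, and the treatment of an equal AP count (no reset) is an assumption, since the reply only covers higher and lower.

```python
from dataclasses import dataclass, asdict

GRACE_DAYS = 90  # the 90-day countdown from the reply; granularity is whole days


@dataclass
class HaSkuController:
    """State an HA-SKU unit keeps about its inherited AP-count licence.

    Hypothetical model for illustration, not Cisco code.
    """
    inherited_ap_count: int = 0   # factory default: zero AP-count licence
    elapsed_days: int = 0         # days used from the 90-day grace period
    counting: bool = False        # True once the unit has served APs as Active

    def pair_with(self, active_ap_count: int) -> None:
        """Pairing pushes the Active's AP count to this unit.

        A higher count than the one previously inherited resets the 90-day
        counter; a lower one leaves the elapsed time untouched. The reply does
        not say what an equal count does; this model treats it like 'lower'.
        """
        if active_ap_count > self.inherited_ap_count:
            self.elapsed_days = 0
        self.inherited_ap_count = active_ap_count

    def become_active(self) -> int:
        """Active failure: admit APs up to the inherited count and start (or
        continue) the countdown. A factory-default unit admits none and so
        never starts counting."""
        if self.inherited_ap_count > 0:
            self.counting = True
        return self.inherited_ap_count

    def advance_days(self, days: int) -> None:
        """Time passes; only counts while the grace period is running."""
        if self.counting:
            self.elapsed_days += days

    def nagging(self) -> bool:
        """After 90 days the unit nags; it does not disconnect joined APs."""
        return self.counting and self.elapsed_days >= GRACE_DAYS

    def persist(self) -> dict:
        """Elapsed time and AP count are remembered across a reboot."""
        return asdict(self)

    @classmethod
    def restore(cls, saved: dict) -> "HaSkuController":
        return cls(**saved)


if __name__ == "__main__":
    unit = HaSkuController()            # factory default HA SKU
    unit.pair_with(500)                 # pairs with a 500-AP Active
    unit.become_active()                # Active dies: 500 APs allowed, clock starts
    unit.advance_days(95)
    print("nagging after 95 days:", unit.nagging())
    unit.pair_with(50)                  # replacement WLC with fewer licences
    print("still nagging:", unit.nagging())
    unit.pair_with(1000)                # replacement with more licences
    print("after bigger peer:", unit.nagging())
```

The point of the model is the asymmetry in rule 6: a replacement Active with fewer licences than the one that failed does not buy the HA SKU a fresh 90 days, so the nagging continues until a unit with a higher count is paired.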

  • WLC 5508 in HA pair (7.4.121.0) sudden reload

    I have a pair of WLC 5508 in HA pair running version 7.4.121.0, last week I have two sudden reload on my active WLC. Here's the error from my syslog server on the first sudden reload. The second reload has almost the same logs.
    10.x.x.234 - active
    10.x.x.237 - standby
    2014-01-30 17:52:20 Local0.Error 10.x.x.237 WLC-HA01: *rmgrMain: Jan 30 17:52:24.498: #RMGR-3-RED_HEARTBEAT_TMOUT: rmgr_main.c:242 rmgrTmoHeartbeat: Recved GW ping count 6 phyMgr ping count 0.
    2014-01-30 17:52:20 Local0.Emerg 10.x.x.237 WLC-HA01: *rmgrMain: Jan 30 17:52:24.555: #RMGR-0-RED_HA_RELOAD: rmgr_utils.c:198 System reboot: reason: category Sanity check object Self
    2014-01-30 17:52:21 Local0.Emerg 10.x.x.234 WLC-HA01: *rmgrMain: Jan 30 17:52:24.989: #RMGR-0-RED_HA_RELOAD: rmgr_utils.c:188 System reboot: reason: category Peer reload req object Peer
    2014-01-30 17:52:21 Local0.Alert 10.x.x.234 WLC-HA01: *dtlArpTask: Jan 30 17:52:25.106: #DTL-1-IP_CONFLICT_DETECTED: dtl_net.c:4857 Network device with mac addr 7c:ad:74:8d:6b:0f using IP address of local interface
    Cisco TAC recommends to disable monitoring the default gateway.
    --> config redundancy management-gateway-failover disable
    I was wondering if someone has the issue with what I have.
    Second issue I have is when it fails over to the standby WLC, I do get a web-auth certificate error from the WLC when clients login. This only happens after a sudden reload. If I do a redundancy force-switchover during maintenance window, the certificate error doesn't show up. To fix the certificate error I have to bounce both WLCs one after the other.
    Thanks in advance.

    Hi,
    I experienced a reload problem on the standby WLC, with HA, in release 7.6.100.0.
    I use a dedicated VLAN to transport the redundancy sync and info, because the two WLCs are in different buildings.
    The standby WLC reloads continuously because it doesn't find the default gateway.
    (Cisco Controller-Standby) >show redundancy summary
                Redundancy Mode = SSO ENABLED
                    Local State = STANDBY HOT
                     Peer State = ACTIVE
                           Unit = Secondary - HA SKU (Inherited AP License Count = 500)
                        Unit ID = 00:06:F6:DB:E3:E0
               Redundancy State = SSO (Both AP and Client SSO)
                   Mobility MAC = 58:8D:09:CD:81:C0
    Management Gateway Failover = ENABLED (Management GW failover would be operational in few moments)
    Average Redundancy Peer Reachability Latency = 621 usecs
    Average Management Gateway Reachability Latency = 0 usecs
    Redundancy Management IP Address................. 40.231.36.6
    Peer Redundancy Management IP Address............ 40.231.36.5
    Redundancy Port IP Address....................... 169.254.36.6
    Peer Redundancy Port IP Address.................. 169.254.36.5
    Rebooting as default GW is not reachable from Standby Controller
    Restarting system. Reason: Default Gateway is not reachable ..
    The problem is that the WLC tries to ping the DGW using the primary management IP address belonging to the active WLC, so we have a duplicate IP problem, an ARP problem and so on.
    The standby WLC should use the redundancy management address to ping the default gateway, instead of the primary management IP address!
    So the workaround is the CLI command:
    config redundancy management-gateway-failover disable
    on the primary WLC, via console or SSH.
    When the standby reloads it will inherit the config from the active primary WLC:
    (Cisco Controller-Standby) >show redundancy summary   
                Redundancy Mode = SSO ENABLED
                    Local State = STANDBY HOT
                     Peer State = ACTIVE
                           Unit = Secondary - HA SKU (Inherited AP License Count = 500)
                        Unit ID = 00:06:F6:DB:E3:E0
               Redundancy State = SSO (Both AP and Client SSO)
                   Mobility MAC = 58:8D:09:CD:81:C0
    Management Gateway Failover = ENABLED (Management GW failover is disabled as it is DISABLED on the Peer)
    Average Redundancy Peer Reachability Latency = 666 usecs
    Average Management Gateway Reachability Latency = 0 usecs
    Redundancy Management IP Address................. 40.231.36.6
    Peer Redundancy Management IP Address............ 40.231.36.5
    Redundancy Port IP Address....................... 169.254.36.6
    Peer Redundancy Port IP Address.................. 169.254.36.5
    The workaround works in my experience.
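A detection pass over the syslog lines quoted in the two posts above, as an added example that is not from the posters or from Cisco: it parses the WLC syslog format and then correlates RED_HEARTBEAT_TMOUT, RED_HA_RELOAD and DTL-1-IP_CONFLICT_DETECTED on the same unit within a short window, which is the sequence the first post shows and the second post explains (standby probing the gateway with the active's management IP). The sample log is the four lines from the first post; the finding names and the 30-second window are choices made for this example.

```python
import re
from datetime import datetime

# Shape of the Cisco WLC syslog lines quoted in the thread: receiver timestamp,
# facility.severity, source IP, hostname, task, device timestamp, mnemonic,
# source-file location, free text.
LINE_RE = re.compile(
    r"^(?P<recv>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<facsev>\S+) (?P<src>\S+) (?P<host>\S+): "
    r"\*(?P<task>\w+): (?P<dev_ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"#(?P<mnemonic>[A-Z]+-\d-[A-Z_]+): (?P<loc>\S+) (?P<msg>.*)$"
)

# Sample input: the four lines quoted in the first post above.
SAMPLE_LOG = """\
2014-01-30 17:52:20 Local0.Error 10.x.x.237 WLC-HA01: *rmgrMain: Jan 30 17:52:24.498: #RMGR-3-RED_HEARTBEAT_TMOUT: rmgr_main.c:242 rmgrTmoHeartbeat: Recved GW ping count 6 phyMgr ping count 0.
2014-01-30 17:52:20 Local0.Emerg 10.x.x.237 WLC-HA01: *rmgrMain: Jan 30 17:52:24.555: #RMGR-0-RED_HA_RELOAD: rmgr_utils.c:198 System reboot: reason: category Sanity check object Self
2014-01-30 17:52:21 Local0.Emerg 10.x.x.234 WLC-HA01: *rmgrMain: Jan 30 17:52:24.989: #RMGR-0-RED_HA_RELOAD: rmgr_utils.c:188 System reboot: reason: category Peer reload req object Peer
2014-01-30 17:52:21 Local0.Alert 10.x.x.234 WLC-HA01: *dtlArpTask: Jan 30 17:52:25.106: #DTL-1-IP_CONFLICT_DETECTED: dtl_net.c:4857 Network device with mac addr 7c:ad:74:8d:6b:0f using IP address of local interface
"""

HEARTBEAT_TMOUT = "RMGR-3-RED_HEARTBEAT_TMOUT"
HA_RELOAD = "RMGR-0-RED_HA_RELOAD"
IP_CONFLICT = "DTL-1-IP_CONFLICT_DETECTED"


def parse_line(line):
    """Return a dict of fields for a WLC syslog line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # The device timestamp carries no year, so order events by the receiver's clock.
    ev["recv"] = datetime.strptime(ev["recv"], "%Y-%m-%d %H:%M:%S")
    return ev


def analyse(log_text, window_s=30):
    """Correlate each HA reload with what happened on the same unit around it.

    Finding kinds (names chosen for this example):
      self_reload_after_heartbeat_timeout  unit rebooted itself after RED_HEARTBEAT_TMOUT
      peer_requested_reload                unit rebooted because its peer told it to
      ha_reload                            RED_HA_RELOAD with neither context present
      ip_conflict_near_reload              DTL-1-IP_CONFLICT_DETECTED on that unit in the window
      pair_wide_reload                     both units reloaded within the window (pair down)
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    reloads = [e for e in events if e["mnemonic"] == HA_RELOAD]
    findings = []

    def within(ref, e):
        return abs((e["recv"] - ref["recv"]).total_seconds()) <= window_s

    for r in reloads:
        ctx = [e for e in events if e["src"] == r["src"] and within(r, e)]
        if "object Self" in r["msg"] and any(e["mnemonic"] == HEARTBEAT_TMOUT for e in ctx):
            kind = "self_reload_after_heartbeat_timeout"
        elif "object Peer" in r["msg"]:
            kind = "peer_requested_reload"
        else:
            kind = "ha_reload"
        findings.append({"src": r["src"], "kind": kind, "at": r["recv"], "detail": r["msg"]})
        if any(e["mnemonic"] == IP_CONFLICT for e in ctx):
            findings.append({"src": r["src"], "kind": "ip_conflict_near_reload", "at": r["recv"],
                             "detail": "duplicate IP seen on this unit around the reload"})

    if len({r["src"] for r in reloads}) > 1:
        first = min(r["recv"] for r in reloads)
        last = max(r["recv"] for r in reloads)
        if (last - first).total_seconds() <= window_s:
            findings.append({"src": "*", "kind": "pair_wide_reload", "at": first,
                             "detail": f"{len(reloads)} reloads across both units within {window_s}s"})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["at"], f["src"], f["kind"], "-", f["detail"])
```

On the quoted lines this yields one self-reload after a heartbeat timeout on .237, a peer-requested reload on .234 with an IP conflict beside it, and a pair-wide reload: exactly the "both controllers unreachable" outcome an SSO pair is supposed to prevent, which is why the reload alone is worth alerting on rather than only the failover.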

  • Upgrade WLC HA pair 7.4.110.0 to 7.6.130.0

    Hi
    I'll be upgrading an HA pair of 5508s from 7.4.110.0 to 7.6.130.0. The documentation suggests that I just need to upgrade the active and this code is copied to the standby. Then simply reboot. After this verify that the active is not the standby HA WLC. Verify all APs have rejoined and upgraded.
    I also want to upgrade the FUS image after this.
    Has anyone had any issues with upgrading HA pairs?
    Or would it be better to break HA and upgrade each of them separately, then recreate the HA pair (not something I really want to have to do)?
    Any other suggestions/precautions to reduce the risk of issues?
    I plan to create backups before and after.
    I'll also use "show ap cdp nei all" to get a list of APs and where they are connected, to verify they all rejoin the WLC and upgrade.
    Thanks in advance

    Thanks Leo,
    But according to this document it's not required to break HA to do the FUS upgrade?
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-5/High_Availability_DG.html#pgfId-43571
    "The FUS image can be upgraded while the controllers have HA enabled. The secondary controller will get upgraded just like it does when upgrading the regular code. However, when you initiate the reboot on the primary controller both controllers will be unreachable until the FUS upgrade completes on both the active and the standby in the HA pair. This process will take around 30 to 40 minutes to complete just like in a non-HA FUS upgrade."
    I have a maintenance window for the activity, so having both down during the FUS upgrade is not an issue. My only concern is that if something goes wrong to both WLCs during the FUS upgrade I might have 2 dead WLCs and no backup plan!
    Thanks

  • 5508 WLC HA pair - change management interface settings

    Hi,
    We have a pair of 5508 WLCs in an HA configuration that is working well at the moment; however, I have noticed that the management interface is configured as untagged. I would like to change this to tagged and change the attached switch to trunk for these devices, but if I try to edit the management interface through the GUI the VLAN and IP address section is greyed out and cannot be changed. While I could attempt it through the CLI and am comfortable doing that, the fact that it cannot be changed through the GUI implies that this should not be changed, and so I am after further information. I don't have any lab equipment other than the HA pair in production, so I cannot try changing it through the CLI at the moment.
    The WLCs are in LAG mode if that makes any difference. I realise there may be downtime required for making this change, but I am trying to work out the steps to get this done without having to drastically reconfigure things.
    Any assistance would be appreciated. 

    Introduction of New Interfaces for HA Interaction
    Redundancy Management Interface
    The IP address on this interface should be configured in the same subnet as the management interface. This interface will check the health of the Active WLC via network infrastructure once the Active WLC does not respond to Keepalive messages on the Redundant Port. This provides an additional health check of the network and Active WLC, and confirms if switchover should or should not be executed. Also, the Standby WLC uses this interface in order to source ICMP ping packets to check gateway reachability. This interface is also used in order to send notifications from the Active WLC to the Standby WLC in the event of Box failure or Manual Reset. The Standby WLC will use this interface in order to communicate to Syslog, the NTP server, and the TFTP server for any configuration upload.
    Redundancy Port
    This interface has a very important role in the new HA architecture. Bulk configuration during boot up and incremental configuration are synced from the Active WLC to the Standby WLC using the Redundant Port. WLCs in a HA setup will use this port to perform HA role negotiation. The Redundancy Port is also used in order to check peer reachability sending UDP keep-alive messages every 100 msec (default timer) from the Standby WLC to the Active WLC. Also, in the event of a box failure, the Active WLC will send notification to the Standby WLC via the Redundant Port. If the NTP server is not configured, a manual time sync is performed from the Active WLC to the Standby WLC on the Redundant Port. This port in case of standalone controller and redundancy VLAN in case of WISM-2 will be assigned an auto generated IP Address where last 2 octets are picked from the last 2 octets of Redundancy Management Interface (the first 2 octets are always 169.254).

  • 5508 WLC HA pair and layer 3 roaming

    Hey,
    We have a pair of 5508 WLCs configured in HA (primary/standby). We have a single SSID that we're broadcasting across each floor of our head office. The APs are in FlexConnect mode, so users pick up an IP address from the DHCP range for that building level, and that's all working well.
    The problem I have is that users cannot roam between floors without losing access to the network. They roam to the APs on the different floors and maintain wireless connection throughout the building, but they cannot connect to anything on the network when outside of the floor that contains an IP range that matches the client's IP. I was told by a number of technical consultants that this sort of layer 3 roaming should work in this configuration. When users go to a different floor, they retain their original IP and the traffic is tunneled (EoIP) back to the controller to maintain network connectivity; however, this does not appear to be happening.
    Firstly I'm wondering if this is possible with an HA pair configured in active/standby. All of the documentation around layer 3 roaming seems to involve at least 2 controllers, the foreign and the anchor. In this case, as they're an HA pair, there is technically only a single controller.
    If it is possible to do layer 3 roaming on a single controller (intra-controller), if anyone can provide some guidance on things I should be checking or looking out for, that would be appreciated.
    Thanks. 

    Still though, I had a number of technical consultants from a very large system integrator design this setup and despite my asking a number of times how this roaming could work I was simply told it would.
    ROFL!
    We contracted a consulting company/implementors to do a wireless job (back in 2011) for a particular project (politics dictate I stay away from it). They had one "wireless expert".
    Then one day, I got a call from the "wireless expert" and the phone conversation went like this: "It's me. I am doing another wireless project for another agency. But I would like to know, how do you convert an autonomous AP to controller-based IOS?" <FACEPALM>
    Long story short: they won't know. Not all of them know. Their main concern is YOUR MONEY in their hands. That's all. But I can tell you this: I am the end user. I configure stuff. Roaming works if you get the basics correct. Roaming works if you know what you want and you get it done right. Scott Fella and Steve Rodriguez, two regulars in this forum (who work for CDW), are good. There's another "mad Texan" by the name of George Stefanick. An Aussie by the name of Rasika is also around.
    The most basic item in roaming is how you space your APs. Unless you've got wireless antennas coming out of your ears, you need to organize a wireless site survey. And when you want to do a "good" wireless site survey, you "future proof" your requirements. Right now, my wireless site survey is aimed at a "wireless VoIP" requirement.

  • HA-SSO pairing possible between LDPE and non LDPE wlc?

    Hi all.
    Today I was to finalise the migration of a customer network to HA-SSO enabled central controllers.
    However on one site this failed. Unfortunately the ordering or delivery had been mismatched in a recent additional controller ordered with HA-SSO option.
    The primary original controller is a non-LDPE standard controller. For some unknown reason the new controller is LDPE enabled.
    In the documentation it is stated: HA Pairing is possible only between same type of hardware and software version. Mismatch may result in Controllers entering Maintenance mode.
    My question is very simple: will HA-SSO fail or not with these different codes and licensed functionality types?
    If so - how can we correct the LDPE issue; can TAC relicense or somehow "fix" this error?
    Thankful for anything that can help me in the right direction.
    Sincere Regards
    Mats

    Thanks Scott....
    ...Nothing mentioned in the guidelines about Controllers becoming unresponsive/dead after installing the license and rebooting!
    - Are you aware of any pitfalls?
    Unit has been unresponsive for 15 minutes.
    Current image is AIR-CT5500-LDPE-K9-7-3-112-0.aes and ER image AIR-CT5500-LDPE-K9-1-7-0-0-FUS.aes.
    What now - RMA?
    Thanks in advance.

  • LACP configuration between a pair of WLC 5760s and VSSed 4500Xs

    Hello, I'm trying to set up an LACP port-channel between a stacked pair of 5760s and VSSed 4500Xs. I see that the 5760s can group all 12 ports in 1 port-channel using LACP, but I could not find a configuration example for the 4500Xs. All docs for the 4500Xs state that you can only have up to 8 ports in a port-channel. Has anyone created a successful port-channel using all 12 ports on the 5760s? Do I have to separate the port-channels into 2 and have the second one as a backup port-channel?
    Thanks,
    Yosef

    You cannot bundle more than 8 ports on this switch platform.
    http://www.cisco.com/c/en/us/support/docs/lan-switching/etherchannel/12025-49.html
    Why do you require such 120Gbps connectivity from your 5760 to the rest of the network? If you work it out, your traffic requirement may be much less than this max capacity.
    HTH
    Rasika
    **** Pls rate all useful responses. Each time you rate a response Cisco will donate $1 to Kiva ****

  • WLC, ISE certificate authentication issue

    Hi Folks,
    This is the setup:
    Redundant pair of WLC 5508 (version 7.5.102.0)
    Redundant Pair of ISE (Version 1.2.0.899)
         The ISE servers are connected to the corporate Active Directory (the AD servers are configured as external identity sources)
         There is a rule based authentication profile which queries the AD identity source when it receives wireless 802.1x authentication requests.
    A corporate WLAN is configured on the WLC:
    L2 security WPA+WPA2 (AES Encryption), ISE server 1 and 2 configured as the AAA Authentication servers.
    This is all working correctly - I associate to the Corp WLAN (Authentication WPA2 enterprise, encryption AES CCMP, 802.1x auth MS-CHAPv2 using AD credentials) ... I can see the authentication request being processed correctly by the ISE, and I get access to the network.
    The client I am working for wants to restrict access to the WLAN to users who have been allocated a certificate from the corporate CA, and this is where I am having issues.
    I took a test laptop, and requested a new certificate (mmc, add snapin, certificates, current user, personal, request new cert).   
    The cert that was issued was signed only by a Corporate AD server with CA services (there is nothing in the certification path above the cert I was issued, apart from the issuing server itself).   I changed the security settings of my connection to the corp wlan (using TLS instead of mschapv2, and pointing to the certificate I requested)
    Initially authentication failed because the ISE did not trust the CA that provided my certificate (the ISE RADIUS authentication troubleshooting tool had this entry: '12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain').
    I exported the issuing CA's root certificate (followed this process http://support.microsoft.com/kb/555252), and imported the cert into ISE (administration, system, certificates, certificate store, import) - status of the cert is enabled, and it is trusted for client auth.
    After I did this, I could no longer associate to the Corp WLAN.  
    My laptop's wireless management software logs were filled with messages saying that the authentication server did not respond.   
    The ISE troubleshooting tool reported no new failed or successful authentication attempts.   
    Strangely though, the WLC log had a lot of entries like this: 'AAA Authentication Failure for UserName:host/laptop_asset_tag.corp.com User Type: WLAN USER'.
    It looks like the WLC is trying to locally authenticate my session when I use TLS, rather than hand off the authentication request to the ISE.    Other users who authenticate using their AD credentials only (as I described above) can still authenticate ok.
    Anyone able to shed some light on where I have gone wrong or what additional troubleshooting I can do?
    Thanks in advance,
    Darragh

    Hi,
    I had the same issue with a Microsoft CA, running ISE 1.1.4. The CA file was "corrupted", but you didn't see it at first glance. You can verify if the client CA matches the root CA via openssl.
    Try to export the root CA and the issuing CA in a different format (Base64), import both root and issuing into ise and check if that works. Also check if "Trust for client authentication or Secure Syslog services" in the Certificate Store -> CA -> Edit, is set.
    If this does not work, try to import the CA into another system and export it, then import into ISE.
    Regards,

  • How can I apply existing WCS "WLAN Config" templates to a new WLC?

    We've been running a pair of WLC 4402s managed by WCS, thus we are still on the older 7.0.235.0 (WCS) / 7.0.235.3 (WLC) release. I'm trying to add an additional WLC 4402-50 as a hot spare. I first ran the manual setup steps to give it an IP in our range, and used the WLC's web page to set our SNMP communities and such to the values used by our existing WLCs, then I added the new WLC in WCS.
    At this point I could apply most of the "Controller Templates" from our existing configuration to the new unit. However, I can not get it to take our existing interfaces nor our WLAN Configurations. How do I avoid needing to recreate these from scratch on the new WLC?
    We only have four dynamic interfaces, and each WLC needs its own IP address for each interface, so I did manually add these via the WLC's web page. However, now when I go to the WCS "Configure > Controller Template Launch Pad" page, then select "WLANs > WLAN Configuration", I see my usual list of WLANs, but can't figure out how to push them to the new WLC.
    For all of the other templates on the launch pad, I can select a template, click the "Apply to Controllers..." button, and I get a list that has my existing two and also the new controller. I can select the new controller, and apply the template, and it succeeds.
    Yet if I select a specific WLAN config and press "Apply to Controllers...", the list that appears has only my existing two WLCs, not the new one.
    In small green type at the top it says, "Controllers configured with Interface/Interface Group - 'w-restricted'  and selected RADIUS server(s), LDAP servers, ACL Name with rules and  Ingress interface are shown."
    I have already manually added the interface "w-restricted" to the new controller, and have added the RADIUS servers via the template used by our other two WLCs. Not sure what to do about "LDAP servers, ACL Name with rules and  Ingress interface", as we don't have any ACL rules, nor use LDAP directly from the WLCs (as all user ID stuff is via RADIUS).
    Any hints on what manual setup I should add to get the new WLC in the list for these WLAN Configs?
    Thanks,
    Steve

    To be honest, if you're only adding another WLC, you're better off creating the interfaces and WLANs manually. I don't like pushing out templates to create new WLANs. I would use it to adjust an existing WLAN, but that would be it. To me it's safer. Also, is your new WLC on the same code? If you really want to figure it out, I would manually add the interfaces first, then refresh the config from the new WLC and then push out the WLAN SSID and see if it takes. If not, don't waste your time anymore and create it manually.
    Sent from Cisco Technical Support iPhone App

  • ISE 1.2 rejects RADIUS messages from 5508 WLC

    The setup in ref is:
    WLC 5508 HA pair running 7.6 talking to ISE 1.2 patch 7 (was 6).
    Wireless users are authenticated fine, so the 5508 is a valid NAD in ISE, but...
    When I setup active RADIUS fallback, so that the WLC can poll the ISE servers I get the message:
    "The RADIUS request from a non-wireless device was dropped because the installed license is for wireless devices only"
    Why would ISE drop a RADIUS message from a WLC which is a wireless device?  Surely this is a mistake?

    Hi Nicholas,
    This is a known defect.
    CSCug34679    ISE drop keep alive coming from WLC. 
    Symptom:
    ISE drops keep alive authentications coming from the WLC, with message 11054 Request from a non-wireless device due to installed wireless license.
    Conditions:
    When only a wireless license is installed on the ISE and using active keep alive on the WLC.
    Workaround:
    Use passive keep alive on the WLC and not active.
    Regards,
    Jatin Katyal
    *Do rate helpful posts*

  • WLC, FlexConnect, ISE: Dynamic VLAN not working

    Hi,
    Not sure if this is a WLC or ISE problem, but since I am unsure of the WLC config I will try here first.
    Equipment:
    WiSM2 7.2.111.3
    ISE 1.1.1.268
    AP 3502 in FlexConnect
    What I want to achieve:
    One SSID, multiple VLANs
    Devices get profiled in ISE and, based on the type of device, get assigned to a VLAN
    Problem:
    When the device connects the first time it ends up in the native VLAN and is not switched to the right VLAN, but when I reconnect it is added to the right VLAN.
    WLC config (I know you like images so here you go ):
    I must be missing something but I can't figure out what. I will be attaching a debug aaa event enable for when the client connect the first time.
    In ISE I have an Authorization Profile that just says VLAN ID/Tag 158 (the VLAN that the device should go to), and it is added to the Authorization rule of the profiled device. CoA is set to Reauth.
    When the client connects I get three events in ISE:
    1.
    Authentication failed :
    22056 Subject not found in the applicable identity store(s)
    2. Authentication Success. With the results:
    UserName=00:18:DE:A2:BC:3A
    User-Name=00-18-DE-A2-BC-3A
    State=ReauthSession:c20e8b2f0000027e50ed27f8
    Class=CACS:c20e8b2f0000027e50ed27f8:ISE01/144259326/671335
    Termination-Action=RADIUS-Request
    Tunnel-Type=(tag=1) VLAN
    Tunnel-Medium-Type=(tag=1) 802
    Tunnel-Private-Group-ID=(tag=1) 158
    cisco-av-pair=profile-name=AX-Intel-Device
    3.
    Dynamic Authorization failed :
    11213 No response received from Network Access Device
    Has anyone got this to work? Do I need to add FlexConnect groups? If so then why?
    Regards,
    Philip

    I think you're hitting CSCua58554
    The bugtoolkit description is horrible.... From what I recall when I ran into it, I believe that FlexConnect is having a problem with MAC-filtering based AAA override on open WLANs (and/or CWA based). In general, AAA override works fine when it is from something like an EAP authentication.
    We had to use a 7.3 ES to resolve it.....
    Looks like it is implemented in 7.4 though.....     If you dont want to join the 7.4 bandwagon quite yet, you might could ask TAC for an ES of 7.3,  don't think they have a 7.2 build.

  • ISE Airespace ACL WLC problem

    Hello,
    I've configured ISE and the WLC to use the guest portal with CWA, but there is a problem with CoA: it doesn't want to apply the Airespace ACL after auth at the guest portal.
    1. On the authC page I've configured wireless MAB to continue if the user is not found and to use Internal Users as the identity store.
    2. On the authZ page I've configured WEBAUTH as the default rule with the following:
    Access Type = ACCESS_ACCEPT
    cisco-av-pair = url-redirect-acl=ACL-WEBAUTH-REDIRECT
    cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa
    3. I've also configured this ACL at WLC to permit
    permit dns and icmp any-any
    permit any-to-ise-8443
    permit ise-to-any
    This part works fine because I am able to redirect to the guest portal and use my guest login and password to authorize myself. The guest account was previously generated through the sponsor portal and it's working too.
    4. On the authC page I've set wireless dot1x to use Internal Users.
    5. On the authZ page I use an "if Internal Users:Guest then GUEST permission" rule.
    6. GUEST rule looks like the following:
    Access Type = ACCESS_ACCEPT
    Airespace-ACL-Name = GUEST_INTERNET_ONLY
    7. This ACL is configured on the WLC permitting any except private networks (ISE is also permitted)
    After guest portal auth I see a success message and I am able to ping the internet, but I have no web access to it. It looks like CoA and the Airespace ACL aren't working and I keep using my ACL-WEBAUTH-REDIRECT access-list, and I see strange error messages in the WLC logs:
    *apfReceiveTask: Nov 12 17:32:27.317: %ACL-3-ENTRY_DONOT_EXIST: acl.c:369 Unable to find an ACL by name "".
    I swear my ACL name spelling is correct and both ACL-WEBAUTH-REDIRECT and GUEST_INTERNET_ONLY are on the WLC with their counters growing!
    I have no idea what issue it could be...
    Any ideas?
    P.S. see attach for Live authentication log

    Thank you guys for your responses, it's working now!
    The first problem was here:
    Changing IPv4 ACL 'none' (ACL ID 255) ===> 'GUEST_INTERNET_ONLY' (ACL ID 5)
    There are only 3 ACLs on my WLC, so ACL ID 5 is kinda suspicious. After a WLC reload it became ACL ID 1, but the problem was unresolved.
    After that I changed my authZ matching rule to use another authZ profile:
    Access Type = ACCESS_ACCEPT
    Airespace-ACL-Name = PERMIT_ALL_TRAFFIC
    cisco-av-pair = Airespace:Airespace-ACL-Name
    Then I created the ACL PERMIT_ALL_TRAFFIC on my WLC with one ACE, "permit any any". I also denied access to my private networks on the ASA where the guest VLAN's gateway resides.
    I think the problem was in the WLC's GUEST_INTERNET_ONLY ACEs, which denied traffic to my private networks.
    Thanks for the help!
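    The thread above turns on two checks: whether every ACL that an ISE authorization profile references (the Airespace-ACL-Name attribute and the url-redirect-acl cisco-av-pair) exists by exact name on the WLC, and whether the %ACL-3-ENTRY_DONOT_EXIST log line names an ACL at all. The following Python is an added example, not code from the thread or from Cisco; it assumes the WLC matches ACL names exactly (so whitespace and case differences count as misses), the profile values and log lines are copied from the thread, and the WLC ACL list is a constructed sample.

```python
import re

# Constructed from the thread: the WEBAUTH and GUEST authorization profiles
# as (attribute, value) pairs; cisco-av-pair can repeat, so a dict won't do.
WEBAUTH_PROFILE = [
    ("Access Type", "ACCESS_ACCEPT"),
    ("cisco-av-pair", "url-redirect-acl=ACL-WEBAUTH-REDIRECT"),
    ("cisco-av-pair", "url-redirect=https://ip:port/guestportal/gateway"
                      "?sessionId=SessionIdValue&action=cwa"),
]
GUEST_PROFILE = [
    ("Access Type", "ACCESS_ACCEPT"),
    ("Airespace-ACL-Name", "GUEST_INTERNET_ONLY"),
]
# Assumed sample of the ACL names configured on the WLC (matched exactly).
WLC_ACLS = {"ACL-WEBAUTH-REDIRECT", "GUEST_INTERNET_ONLY", "PERMIT_ALL_TRAFFIC"}
# Constructed WLC syslog lines, copied from the thread.
WLC_LOG = [
    '*apfReceiveTask: Nov 12 17:32:27.317: %ACL-3-ENTRY_DONOT_EXIST: '
    'acl.c:369 Unable to find an ACL by name "".',
    "Changing IPv4 ACL 'none' (ACL ID 255) ===> 'GUEST_INTERNET_ONLY' (ACL ID 5)",
]

def referenced_acls(profile):
    """ACL names the profile asks the WLC to apply: Airespace-ACL-Name and
    the url-redirect-acl= cisco-av-pair (the CWA redirect ACL)."""
    names = []
    for attr, value in profile:
        if attr == "Airespace-ACL-Name":
            names.append(value)
        elif attr == "cisco-av-pair":
            key, _, val = value.partition("=")
            if key.strip() == "url-redirect-acl":
                names.append(val)
    return names

def check_profile(profile, wlc_acls):
    """Problems the WLC would hit applying this profile: an empty name, or a
    name with no exact match (with a hint when only whitespace/case differ)."""
    problems = []
    lowered = {a.lower() for a in wlc_acls}
    for name in referenced_acls(profile):
        if name == "":
            problems.append("empty ACL name in profile")
        elif name not in wlc_acls:
            hint = (" (whitespace)" if name.strip() in wlc_acls
                    else " (case)" if name.lower() in lowered else "")
            problems.append(f"ACL {name!r} not on WLC{hint}")
    return problems

ACL_MISSING_RE = re.compile(
    r'%ACL-3-ENTRY_DONOT_EXIST:.*Unable to find an ACL by name "(?P<name>[^"]*)"')

def missing_acls_from_log(lines):
    """ACL names the WLC logged as not found; '' means the RADIUS attribute
    arrived empty (the symptom in the thread), not a spelling mistake."""
    return [m.group("name") for m in map(ACL_MISSING_RE.search, lines) if m]
```

An empty name from the log points at the attribute the WLC received, so the next place to look is the authorization profile ISE actually sent in the CoA, not the ACL spelling on the WLC.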

  • Can't get 1532i to associate to 5508 WLC running 7.6.130.0

    Greetings,
    I've got 20 or so APs on a 5508 WLC. Most of the APs are 1242s, one is a 3602. I'm now trying to get a 1532i to associate to the 5508 and it's not happening. This is the first 1532 on this controller.
    Also, I got this 1532 AP from a sister site and they had it configured as Autonomous in WGB mode, so I had to do the Autonomous to Unified conversion. This conversion appeared to go successfully. But now the AP won't associate to my controller.
    Thanks
    Following is what happens from the AP's console:
    AP78da.6e59.e58a#reload
    Proceed with reload? [confirm]
    Writing out the event log to flash:/event.log ...
    Write of event.log done
    *Oct 28 20:27:37.151: %SYS-5-RELOAD: Reload requested by Cisco on console. Reload Reason: Reload.
    *Oct 28 20:27:37.155: %LWAPP-5-CHANGED: CAPWAP changed state to DOWN
    *Oct 28 20:27:39.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.132.249.5:5246
    *Oct 28 20:27:40.039: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
    System Bootstrap, Version U-Boot 1.1.4-gf5ee82b1-dirty Corfu , RELEASE SOFTWARE
    Build Date: Oct 17 2013 - 18:08:55
    corfu - Scorpion 1.0
    DRAM:  256 MB
    Now running in RAM - U-Boot at: 8ffbc000
    Flash Manuf Id 0xc2, DeviceId0 0x20, DeviceId1 0x14
    flash size 1MB, sector count = 256
    Atheros on-chip NAND FLash Controller Driver, Version 0.1 (c) 2010 Atheros Communications, Ltd.
    Ath Nand ID[8ffee17c]: 2c:f1:80:95:02
    ONFI MICRON      MT29F1G08ABADAWP
    Micron NAND 128MiB 3,3V 8-bit [128MB]
    size = 128MB
    Hit any key to stop autoboot:  0
    boot_method is set to IOS_BOOT, boot IOS bootloader in NOR flash
    Loading .text @ 0x84000000 (207840 bytes)
    Loading .rodata @ 0x84032be0 (39008 bytes)
    Loading .data @ 0x8403c440 (3264 bytes)
    Loading .data.rel.local @ 0x8403d100 (1084 bytes)
    Loading .data.rel @ 0x8403d53c (124 bytes)
    Loading .data.rel.ro @ 0x8403d5b8 (960 bytes)
    Clearing .bss @ 0x8403d980 (161116 bytes)
    Clearing .scommon @ 0x84064edc (56 bytes)
    ## Starting application at 0x84000000 ...
    IOS Secondary Bootloader - Starting system.HW Test Status(0)
    Ath Nand ID: 95:80:f1:2c:00
    Using driver version 1 for media type 2
    Valid buffers 146
    total146  146
    success found all blocks
    start end 65 85
    found in range
    high low end 2728 2089 85
    Xmodem file system is available.
    mifs[0]: 15 files, 5 directories
    mifs[0]: Total bytes     :  131334144
    mifs[0]: Bytes used      :    7966720
    mifs[0]: Bytes available :  123367424
    mifs[0]: mifs fsck took 0 seconds.
    Base Ethernet MAC address: 78:da:6e:59:e5:8a
    Setup MAC....
    Waiting for PHY auto negotiation to complete...Port 0 Negogiation success.
    Ethernet speed is 100 Mb - FULL duplex
    Scorpion  ----> F1 PHY *
    : cfg1 0xf cfg2 0x7115
    Loading "flash:/ap1g3-k9w8-mx.152-4.JB6/ap1g3-k9w8-mx.152-4.JB6"...##########################################################################################################################################################################################################################################################################################################################################################################
    File "flash:/ap1g3-k9w8-mx.152-4.JB6/ap1g3-k9w8-mx.152-4.JB6" uncompressed and installed, entry point: 0x60080000
    executing...
    Stop MAC.
    Starting IOS...
    cp0 timer begin value is set as 1000
    prid= 19750
    Starts main.
                  Restricted Rights Legend
    Use, duplication, or disclosure by the Government is
    subject to restrictions as set forth in subparagraph
    (c) of the Commercial Computer Software - Restricted
    Rights clause at FAR sec. 52.227-19 and subparagraph
    (c) (1) (ii) of the Rights in Technical Data and Computer
    Software clause at DFARS sec. 252.227-7013.
               cisco Systems, Inc.
               170 West Tasman Drive
               San Jose, California 95134-1706
    Cisco IOS Software, C1530 Software (ap1g3-K9W8-M), Version 15.2(4)JB6, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2014 by Cisco Systems, Inc.
    Compiled Fri 22-Aug-14 11:03 by prod_rel_team
    Initializing flashfs...
    Ath Nand ID: 95:80:F1:2C:00
    Using driver version 1 for media type 2
    Valid buffers 146
    total146  146
    success found all blocks
    start end 65 85
    found in range
    high low end 2728 2089 85
    mifs[4]: 15 files, 5 directories
    mifs[4]: Total bytes     : 131334144
    mifs[4]: Bytes used      : 7966720
    mifs[4]: Bytes available : 123367424
    mifs[4]: mifs fsck took 2 seconds.
    mifs[4]: Initialization complete.
    ...done Initializing flashfs.
    :pci_init_board:521 *** Warning *** : PCIe1 WLAN Module not found !!!
    pci_rc2_init_board:570 PCIE Controller Init Bus Master Enable
    :pci_rc2_init_board:593 PCIe2 WLAN Module Found !!!
    soap_pci_subsys_init:706 Bus Master/Mem Enable on pci_write side
    soap_pci_subsys_init(713): PCI vendor ID: 0x168C ret:0
    soap_pci_subsys_init(715): PCI device ID: 0x33 ret:0
    Scorpion  ----> F1 PHY *
    Waiting for PHY auto negotiation to complete...Port 0 Negogiation success.
    Disabling 802.3az feature on port 0
    sgmii cal value = 0xE
    Disabling 802.3az feature on port 1.
    SGMII setup done, status is 0x2
    Radio0  present 9550 9000 0 0 0 0
    Rate table has 282 entries (12 legacy/96 11n/174 11ac)
    Radio1  present 9590 9000 0 0 B2000000 1
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    cisco AIR-CAP1532I-A-K9 (MIPS74k) processor (revision 27) with 204800K/57344K bytes of memory.
    Processor board ID FTX1813201L
    MIPS74k CPU at 700MHz, revision number 0x0000
    Last reset from power-on
    LWAPP image version 7.6.100.0
    2 Gigabit Ethernet interfaces
    2 802.11 Radios
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 78:DA:6E:59:E5:8A
    Part Number                          : 74-11942-01
    PCA Assembly Number                  : 000-00000-00
    PCA Revision Number                  :
    PCB Serial Number                    : FOC180951ZR
    Top Assembly Part Number             : 000-00000-00
    Top Assembly Serial Number           : FTX1813201L
    Top Revision Number                  : 23
    Product/Model Number                 : AIR-CAP1532I-A-K9
    % Please define a domain-name first.
    Press RETURN to get started!
    *Mar  1 00:00:09.895: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed (11)mips74k_config_radio_pci(302): PCI CMD write: 0x356
    *Mar  1 00:00:14.391: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to upEnterprise mode: 0x44000000
    *Mar  1 00:00:14.895: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0 (2)
    *Mar  1 00:00:14.971: ath_load_ctl_pwr_tbl() dot11radio 2G loading CTL binary flash:/ap1g3-k9w8-mx.152-4.JB6/CO2.bin version# 3.0
    *Mar  1 00:00:15.419: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1 (2)
    *Mar  1 00:00:15.419: ath_load_ctl_pwr_tbl() dot11radio 5G loading CTL binary flash:/ap1g3-k9w8-mx.152-4.JB6/CO5.bin version# 3.4
    *Mar  1 00:00:15.699: CDP_PD: Power Source: 4-pair Power Injector
    *Mar  1 00:00:15.723: AP Mesh platform identified (backhaul config:0x2, access:0xF)
    *Mar  1 00:00:15.735: Starting Ethernet promiscuous mode
    *Mar  1 00:00:15.735: Skipping Ethernet bridge initializaion
    *Mar  1 00:00:16.431: %LINK-6-UPDOWN: Interface GigabitEthernet1, changed state to up
    *Mar  1 00:00:18.363: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, C1530 Software (ap1g3-K9W8-M), Version 15.2(4)JB6, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2014 by Cisco Systems, Inc.
    Compiled Fri 22-Aug-14 11:03 by prod_rel_team
    *Mar  1 00:00:18.363: %SNMP-5-COLDSTART: SNMP agent on host AP78da.6e59.e58a is undergoing a cold start
    *Mar  1 00:00:18.399: %MESH-6-BVI_CREATED: Mesh BVI1 interface created
    *Mar  1 00:00:18.399: ath_ACIF_set_distance: Retrieved existing timeout value: 25us for distance: 0km
    *Mar  1 00:00:18.399: ath_ACIF_set_distance: Setting new timeout value: 45us for distance: 3km
    *Mar  1 00:00:18.399: %CDP_PD-4-POWER_OK: Full power - HIGH_POWER inline power source
    *Mar  1 00:00:18.619: %SSH-5-ENABLED: SSH 2.0 has been enabled
    *Mar  1 00:00:18.619: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar  1 00:00:18.619: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to uplwapp_crypto_init: MIC Present and Parsed Successfully
    *Mar  1 00:00:18.811: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
    *Mar  1 00:00:20.399: %LINK-6-UPDOWN: Interface BVI1, changed state to down
    *Mar  1 00:00:37.015: Logging LWAPP message to 255.255.255.255.
    *Mar  1 00:00:37.027: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Mar  1 00:00:38.027: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar  1 00:00:38.035: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Mar  1 00:00:39.027: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Mar  1 00:00:39.067: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
    *Mar  1 00:00:40.023: %MESH-6-ADJACENCY_STATE_MACHINE_STARTED: Mesh adjacency state machine started
    *Mar  1 00:00:40.067: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    *Mar  1 00:01:13.531:  Mesh setting the ethernet port 0 state to 2
    *Mar  1 00:01:13.531: %MESH-6-CAPWAP_RESTART: Mesh Capwap re-started
    *Mar  1 00:01:15.531: %LINK-6-UPDOWN: Interface BVI1, changed state to up
    *Mar  1 00:01:16.531: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
    *Mar  1 00:01:18.639: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Mar  1 00:01:18.651: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Mar  1 00:01:19.639: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar  1 00:01:19.671: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar  1 00:01:20.671: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Mar  1 00:01:28.643: %MESH-6-CAPWAP_RESTART: Mesh Capwap re-started
    *Mar  1 00:01:28.759: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.132.120.85, mask 255.255.255.0, hostname AP78da.6e59.e58a
    *Mar  1 00:01:28.759: %MESH-6-CAPWAP_RESTART: Mesh Capwap re-started
    *Mar  1 00:01:33.791: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
    *Mar  1 00:01:33.855: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    Translating "CISCO-CAPWAP-CONTROLLER.americas.mittalco.com"...domain server (10.132.250.250) [OK]
    *Mar  1 00:01:33.867: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Mar  1 00:01:34.855: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
    *Mar  1 00:01:34.855: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar  1 00:01:34.915: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar  1 00:01:35.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Mar  1 00:01:44.855: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Oct 28 20:29:44.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.132.249.5 peer_port: 5246
    *Oct 28 20:29:44.495: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.132.249.5 peer_port: 5246
    *Oct 28 20:29:44.495: %CAPWAP-5-SENDJOIN: sending Join Request to 10.132.249.5
    *Oct 28 20:29:44.499: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
    *Oct 28 20:29:44.499: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
    *Oct 28 20:29:44.499: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Oct 28 20:29:44.499: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 10.132.249.5
    *Oct 28 20:29:49.495: %CAPWAP-5-SENDJOIN: sending Join Request to 10.132.249.5
    *Oct 28 20:30:43.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.132.249.5:5246
    *Oct 28 20:30:44.031: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
    *Oct 28 20:30:44.095: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Oct 28 20:30:44.135: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Oct 28 20:30:45.095: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Oct 28 20:30:45.155: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Oct 28 20:30:46.155: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Oct 28 20:30:54.095: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Oct 28 20:30:52.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.132.249.5 peer_port: 5246
    *Oct 28 20:30:52.499: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.132.249.5 peer_port: 5246
    *Oct 28 20:30:52.499: %CAPWAP-5-SENDJOIN: sending Join Request to 10.132.249.5
    *Oct 28 20:30:52.499: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
    *Oct 28 20:30:52.503: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
    *Oct 28 20:30:52.503: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Oct 28 20:30:52.503: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 10.132.249.5
    *Oct 28 20:30:57.499: %CAPWAP-5-SENDJOIN: sending Join Request to 10.132.249.5

    You have to add the MAC address of the 1530 to the WLC MAC filter list before the AP will join. Here is a link that explains it.
    http://www.cisco.com/c/en/us/td/docs/wireless/access_point/1530/quick/guide/ap1532qsg.html#pgfId-45801
    Scott
