WLC 2504 sudden network instability

Hello,
we're running a WLC 2504 with two SSIDs on it. It is connected to a small PoE switch. Standard untagged VLAN. A handful of APs connected to it. No DHCP, the APs all have static IP addresses.
All of a sudden we're having a number of issues with the network connection:
APs restarting
The APs restart every now and then reporting that their IP is being used by another device. Looking through the logs there are two MAC addresses that are reported as using the AP's IP address. These two MAC addresses have unknown vendor IDs.
Warning: AP with Base Radio MAC f8:72:ea:7c:9d:e3 has found  its IP Address 0.2.146.0 being used by a machine with MAC Address  04:c6:f8:40:00:00
(The other MAC that is reported is 04:cc:90:40:00:00)
AP 'AP5', MAC: 0c:68:03:dd:1b:80 disassociated previously due to Link Failure.  Uptime: 4 days, 00 h 48 m 50 s . Reason: Capwap WTP Event request.
So: There are two MACs that use the IP addresses of 7 APs?!?! And there is no vendor to be found for these MACs?
Ping timeouts on the webGUI and CLI
I have a ping running on the IP for managing the device. This is running fine for ages. As soon as I connect via webGUI or CLI I lose packets. Get timeouts etc. some packets get through some don't. More of the latter. So ping is fine but any other traffic seems to be impacted heavily.
What we have done for troubleshooting
Checked duplex/speed settings of the interfaces. Everything ok.
Connected to another switchport. Same.
Changed the IP address of the management port. Same.
Swapped places with a laptop with the same IP address --> Worked fine.
Plugged in a completely new device, installed the latest firmware (7.6) and uploaded the config from the other one. Same.
Restarted the default gateway for the subnet the controller is on.
So now we're at the end of our knowledge. It seems to be a non-physical network issue, but we're a small team and no one has changed anything they say :-/
Any ideas what we could check next?
Kat

Hello,
thanks for your suggestions. It's hard to find those two MAC addresses. As they seem to be virtual I cannot get a hint from the vendor ID. A show mac-address table on the switch the WLC is connected to doesn't show those two.
I found an error in the WLC AP config. AP1 had the same IP as AP5 and a wrong netmask. I changed that. Unfortunately that doesn't solve our problem.
Here are some more messages from the WLC's log:
AP 'AP3', MAC: 0c:68:03:dd:34:00 disassociated previously due to Link Failure.  Uptime: 4 days, 15 h 04 m 15 s . Reason: Capwap WTP Event request.
AP Disassociated. Base Radio MAC:0c:68:03:dd:34:00
AP's Interface:1(802.11a) Operation State Down: Base Radio MAC:0c:68:03:dd:34:00  Cause=Heartbeat Timeout Status:NA
AP 'AP3', MAC: 0c:68:03:dd:34:00 disassociated previously due to Link Failure.  Uptime: 4 days, 15 h 00 m 45 s . Reason: Capwap WTP Event request.
RF Manager updated TxPower for Base Radio MAC: 0c:68:03:dd:34:00 and slotNo: 0.  New Tx Power is: 2
AP's Interface:0(802.11b) Operation State Down: Base Radio MAC:0c:68:03:dd:16:e0  Cause=Max Retransmission Status:NA
IDS Signature attack detected. Signature Type: Standard, Name: Deauth flood,  Description: Deauthentication flood, Track: per-signature, Detecting AP Name:  AP7, Radio Type: 802.11b/g, Preced: 9, Hits: 500, Channel: 6, srcMac:  C2:9F:DB:21:47:60
This is the sh run-config of our WLC including one AP:
>show run-config
System Inventory
NAME: "Chassis"    , DESCR: "Cisco 2500 Series Wireless LAN Controller"
PID: AIR-CT2504-K9,  VID: V01,  SN: PSZ17381EPZ
Burned-in MAC Address............................ 50:17:FF:27:12:80
Maximum number of APs supported.................. 15
System Information
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.4.110.0
Bootloader Version............................... 1.0.18
Field Recovery Image Version..................... 1.0.0
Firmware Version................................. PIC 16.0
Build Type....................................... DATA + WPS
System Name...................................... UK-BRI-WFAPC
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1279
IP Address....................................... 172.17.128.12
Last Reset....................................... Power on reset
System Up Time................................... 4 days 0 hrs 46 mins 6 secs
System Timezone Location.........................
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180
Configured Country............................... GB  - United Kingdom
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +20 C
External Temperature............................. +25 C
Fan Status....................................... 4000 rpm
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 3
Number of Active Clients......................... 6
Memory Current Usage............................. Unknown
Memory Average Usage............................. Unknown
CPU Current Usage................................ Unknown
CPU Average Usage................................ Unknown
Burned-in MAC Address............................ 50:17:FF:27:12:80
Maximum number of APs supported.................. 15
AP Bundle Information
Primary AP Image    Size
ap1g2            9568
ap3g1            11288
ap3g2            11196
ap801            7164
ap802            8568
c1130            5072
c1140            9416
c1250            6944
c1520            8044
c602i            3736
Secondary AP Image    Size
ap3g1            5792
ap801            5192
ap802            5232
c1100            3084
c1130            4964
c1140            4992
c1200            3364
c1240            4812
c1250            5504
c1310            3136
c1520            6404
c3201            4324
c602i            3716
Switch Configuration
802.3x Flow Control Mode......................... Disable
FIPS prerequisite features....................... Disabled
secret obfuscation............................... Enabled
Strong Password Check Features:
     case-check ...........Enabled
     consecutive-check ....Enabled
     default-check .......Enabled
     username-check ......Enabled
Network Information
RF-Network Name............................. RFGROUP
Web Mode.................................... Disable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
Secure Web Mode RC4 Cipher Preference....... Disable
OCSP........................................ Disabled
OCSP responder URL..........................
Secure Shell (ssh).......................... Enable
Telnet...................................... Disable
Ethernet Multicast Forwarding............... Disable
Ethernet Broadcast Forwarding............... Disable
AP Multicast/Broadcast Mode................. Multicast   Address : 0.0.0.0
IGMP snooping............................... Disabled
IGMP timeout................................ 60 seconds
IGMP Query Interval......................... 20 seconds
MLD snooping................................ Disabled
MLD timeout................................. 60 seconds
MLD query interval.......................... 20 seconds
User Idle Timeout........................... 300 seconds
ARP Idle Timeout............................ 300 seconds
Cisco AP Default Master..................... Disable
AP Join Priority............................ Disable
Mgmt Via Wireless Interface................. Disable
Mgmt Via Dynamic Interface.................. Disable
Bridge MAC filter Config.................... Enable
Bridge Security Mode........................ EAP
Mesh Full Sector DFS........................ Enable
AP Fallback ................................ Enable
Web Auth CMCC Support ...................... Disabled
Web Auth Redirect Ports .................... 80
Web Auth Proxy Redirect  ................... Disable
Web Auth Captive-Bypass   .................. Disable
Web Auth Secure Web  ....................... Enable
Fast SSID Change ........................... Disabled
AP Discovery - NAT IP Only ................. Enabled
IP/MAC Addr Binding Check .................. Enabled
CCX-lite status ............................ Disable
oeap-600 dual-rlan-ports ................... Disable
oeap-600 local-network ..................... Enable
mDNS snooping............................... Disabled
mDNS Query Interval......................... 15 minutes
Port Summary
           STP   Admin   Physical   Physical   Link   Link
Pr  Type   Stat   Mode     Mode      Status   Status  Trap     POE 
1  Normal  Forw Enable  Auto       1000 Full  Up     Enable  N/A    
2  Normal  Forw Enable  Auto       100 Full   Up     Enable  N/A    
3  Normal  Forw Enable  Auto       1000 Full  Up     Enable  Enable  (Power Off)
4  Normal  Disa Enable  Auto       Auto       Down   Enable  Enable  (Power Off)
AP Summary
Number of APs.................................... 7
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured
AP Name             Slots  AP Model              Ethernet MAC       Location          Port  Country  Priority
AP7                  2     AIR-CAP1602I-E-K9     f8:72:ea:e4:9a:81  default location  1        GB       1
AP1                  2     AIR-CAP1602I-E-K9     f8:72:ea:7c:9d:e3  default location  1        GB       1
AP3                  2     AIR-CAP1602I-E-K9     f8:72:ea:e4:9c:57  default location  1        GB       1
AP6                  2     AIR-CAP1602I-E-K9     f8:72:ea:e4:9a:90  default location  1        GB       1
AP2                  2     AIR-CAP1602I-E-K9     f8:72:ea:7c:9b:63  default location  1        GB       1
AP4                  2     AIR-CAP1602I-E-K9     f8:72:ea:e4:9a:9b  default location  1        GB       1
AP5                  2     AIR-CAP1602I-E-K9     f8:72:ea:e4:9a:cb  default location  1        GB       1
AP Tcp-Mss-Adjust Info
AP Name              TCP State  MSS Size
AP7                  disabled   -
AP1                  disabled   -
AP3                  disabled   -
AP6                  disabled   -
AP2                  disabled   -
AP4                  disabled   -
AP5                  disabled   -
AP Location
Total Number of AP Groups........................ 0   
Site Name........................................ default-group
Site Description.................................
NAS-identifier................................... UK-BRI-WFAPC
AP Operating Class............................... Not-configured
RF Profile
2.4 GHz band.....................................
5 GHz band.......................................
WLAN ID          Interface          Network Admission Control          Radio Policy
1               corporate            Disabled                          None
2               dirtynetwork         Disabled                          None
3               dirtynetwork         Disabled                          None
AP Name             Slots  AP Model             Ethernet MAC       Location          Port  Country  Priority
AP7                  2     AIR-CAP1602I-E-K9    f8:72:ea:e4:9a:81  default location  1     GB       1
AP1                  2     AIR-CAP1602I-E-K9    f8:72:ea:7c:9d:e3  default location  1     GB       1
AP3                  2     AIR-CAP1602I-E-K9    f8:72:ea:e4:9c:57  default location  1     GB       1
AP6                  2     AIR-CAP1602I-E-K9    f8:72:ea:e4:9a:90  default location  1     GB       1
AP2                  2     AIR-CAP1602I-E-K9    f8:72:ea:7c:9b:63  default location  1     GB       1
AP4                  2     AIR-CAP1602I-E-K9    f8:
RF Profile
Number of RF Profiles............................ 0
Out Of Box State................................. Disabled
RF Profile Name                    Band     Description                         11n-client-only
AP Config
Cisco AP Identifier.............................. 15
Cisco AP Name.................................... AP7
Country code..................................... GB  - United Kingdom
Regulatory Domain allowed by Country............. 802.11bg:-E     802.11a:-E
AP Country code.................................. GB  - United Kingdom
AP Regulatory Domain............................. -E
Switch Port Number .............................. 1
MAC Address...................................... f8:72:ea:e4:9a:81
IP Address Configuration......................... Static IP assigned
IP Address....................................... 172.17.128.24
IP NetMask....................................... 255.255.128.0
Gateway IP Addr.................................. 172.17.128.1
Domain...............
Name Server......................................
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
Telnet State..................................... Disabled
Ssh State........................................ Disabled
Cisco AP Location................................ default location
Cisco AP Floor Label............................. 0
Cisco AP Group Name.............................. default-group
Primary Cisco Switch Name........................
Primary Cisco Switch IP Address.................. Not Configured
Secondary Cisco Switch Name......................
Secondary Cisco Switch IP Address................ Not Configured
Tertiary Cisco Switch Name.......................
Tertiary Cisco Switch IP Address................. Not Configured
Administrative State ............................ ADMIN_ENABLED
Operation State ................................. REGISTERED
Mirroring Mode .................................. Disabled
AP Mode ......................................... Local
Public Safety ................................... Disabled
AP SubMode ...................................... Not Configured
Remote AP Debug ................................. Disabled
Logging trap severity level ..................... informational
Logging syslog facility ......................... kern
S/W  Version .................................... 7.4.110.0
Boot  Version ................................... 15.2.2.0
Mini IOS Version ................................ 7.4.1.37
Stats Reporting Period .......................... 180
Stats Collection Mode ........................... normal
LED State........................................ Enabled
PoE Pre-Standard Switch.......................... Disabled
PoE Power Injector MAC Addr...................... Disabled
Power Type/Mode.................................. Power injector / Normal mode
Number Of Slots.................................. 2
AP Model......................................... AIR-CAP1602I-E-K9  
AP Image......................................... C1600-K9W8-M
IOS Version...................................... 15.2(2)JB2$
Reset Button..................................... Enabled
AP Serial Number................................. FGL1725W7F7
AP Certificate Type.............................. Manufacture Installed
AP User Mode..................................... AUTOMATIC
AP User Name..................................... Not Configured
AP Dot1x User Mode............................... Not Configured
AP Dot1x User Name............................... Not Configured
Cisco AP system logging host..................... 255.255.255.255
AP Up Time....................................... 3 days, 23 h 26 m 50 s
AP LWAPP Up Time................................. 0 days, 00 h 14 m 12 s
Join Date and Time............................... Tue Jan 28 18:11:43 2014
Join Taken Time.................................. 0 days, 00 h 11 m 41 s
Attributes for Slot  0
    Radio Type................................... RADIO_TYPE_80211n-2.4
    Administrative State ........................ ADMIN_ENABLED
    Operation State ............................. UP
    Radio Role .................................. ACCESS
    Radio Mode .................................. Local
    CellId ...................................... 0
    Station Configuration
      Configuration ............................. AUTOMATIC
      Number Of WLANs ........................... 3
      Medium Occupancy Limit .................... 100
      CFP Period ................................ 4
      CFP MaxDuration ........................... 60
      BSSID ..................................... 0c:68:03:dd:16:e0
      Operation Rate Set
        1000 Kilo Bits........................... MANDATORY
        2000 Kilo Bits........................... MANDATORY
        5500 Kilo Bits........................... MANDATORY
        11000 Kilo Bits.......................... MANDATORY
        6000 Kilo Bits........................... SUPPORTED
        9000 Kilo Bits........................... SUPPORTED
        12000 Kilo Bits.......................... SUPPORTED
        18000 Kilo Bits.......................... SUPPORTED
        24000 Kilo Bits.......................... SUPPORTED
        36000 Kilo Bits.......................... SUPPORTED
        48000 Kilo Bits.......................... SUPPORTED
        54000 Kilo Bits.......................... SUPPORTED
      MCS Set
        MCS 0.................................... SUPPORTED
        MCS 1.................................... SUPPORTED
        MCS 2.................................... SUPPORTED
        MCS 3.................................... SUPPORTED
        MCS 4.................................... SUPPORTED
        MCS 5.................................... SUPPORTED
        MCS 6.................................... SUPPORTED
        MCS 7.................................... SUPPORTED
        MCS 8.................................... SUPPORTED
        MCS 9.................................... SUPPORTED
        MCS 10................................... SUPPORTED
        MCS 11................................... SUPPORTED
        MCS 12................................... SUPPORTED
        MCS 13................................... SUPPORTED
        MCS 14................................... SUPPORTED
        MCS 15................................... SUPPORTED
        MCS 16................................... DISABLED
        MCS 17................................... DISABLED
        MCS 18................................... DISABLED
        MCS 19................................... DISABLED
        MCS 20................................... DISABLED
        MCS 21................................... DISABLED
        MCS 22................................... DISABLED
        MCS 23................................... DISABLED
      Beacon Period ............................. 100
      Fragmentation Threshold ................... 2346
      Multi Domain Capability Implemented ....... TRUE
      Multi Domain Capability Enabled ........... TRUE
      Country String ............................ GB
    Multi Domain Capability
      Configuration ............................. AUTOMATIC
      First Chan Num ............................ 1
      Number Of Channels ........................ 13
    MAC Operation Parameters
      Configuration ............................. AUTOMATIC
      Fragmentation Threshold ................... 2346
      Packet Retry Limit ........................ 64
    Tx Power
      Num Of Supported Power Levels ............. 4
      Tx Power Level 1 .......................... 16 dBm
      Tx Power Level 2 .......................... 13 dBm
      Tx Power Level 3 .......................... 10 dBm
      Tx Power Level 4 .......................... 7 dBm
      Tx Power Configuration .................... AUTOMATIC
      Current Tx Power Level .................... 3
      Tx Power Assigned By ...................... DTPC
    Phy OFDM parameters
      Configuration ............................. AUTOMATIC
      Current Channel ........................... 6
      Channel Assigned By ....................... DCA
      Extension Channel ......................... NONE
      Channel Width.............................. 20 Mhz
      Allowed Channel List....................... 1,2,3,4,5,6,7,8,9,10,11,12,
        ......................................... 13
      TI Threshold .............................. -50
      Legacy Tx Beamforming Configuration ....... CUSTOMIZED
      Legacy Tx Beamforming ..................... ENABLED
      Antenna Type............................... INTERNAL_ANTENNA
      Internal Antenna Gain (in .5 dBi units).... 8
      Diversity.................................. DIVERSITY_ENABLED
      802.11n Antennas
         A....................................... ENABLED
         B....................................... ENABLED
         C....................................... ENABLED
    Performance Profile Parameters
      Configuration ............................. AUTOMATIC
      Interference threshold..................... 10 %
      Noise threshold............................  -70 dBm
      RF utilization threshold................... 80 %
      Data-rate threshold........................ 1000000 bps
      Client threshold........................... 12 clients
      Coverage SNR threshold..................... 12 dB
      Coverage exception level................... 25 %
      Client minimum exception level............. 3 clients
    Rogue Containment Information
    Containment Count............................
    CleanAir Management Information
        CleanAir Capable......................... No
    Radio Extended Configurations
      Beacon period.............................. 100 milliseconds
      Beacon range............................... AUTO
      Multicast buffer........................... AUTO
      Multicast data-rate........................ AUTO
      RX SOP threshold........................... AUTO
      CCA threshold.............................. AUTO
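
A triage pass over the WLC messages quoted in this thread, as an added example (not part of the original posts and not Cisco tooling). It parses the log lines, checks whether the IP in the duplicate-address warning lies inside the APs' configured subnet (taken from AP7's static settings in the output above), tests each reported MAC for the locally-administered bit, and counts link-loss events per AP radio; the function names and regular expressions are assumptions written for this page's message formats.

```python
import ipaddress
import re
from collections import Counter

# Log lines copied from the thread; the duplicate-IP warning is rejoined onto one line.
SAMPLE_LOG = """\
Warning: AP with Base Radio MAC f8:72:ea:7c:9d:e3 has found  its IP Address 0.2.146.0 being used by a machine with MAC Address  04:c6:f8:40:00:00
AP 'AP5', MAC: 0c:68:03:dd:1b:80 disassociated previously due to Link Failure.  Uptime: 4 days, 00 h 48 m 50 s . Reason: Capwap WTP Event request.
AP 'AP3', MAC: 0c:68:03:dd:34:00 disassociated previously due to Link Failure.  Uptime: 4 days, 15 h 04 m 15 s . Reason: Capwap WTP Event request.
AP's Interface:1(802.11a) Operation State Down: Base Radio MAC:0c:68:03:dd:34:00  Cause=Heartbeat Timeout Status:NA
IDS Signature attack detected. Signature Type: Standard, Name: Deauth flood,  Description: Deauthentication flood, Track: per-signature, Detecting AP Name:  AP7, Radio Type: 802.11b/g, Preced: 9, Hits: 500, Channel: 6, srcMac:  C2:9F:DB:21:47:60
"""

# AP7's static IP and netmask from the show run-config output in the thread.
MGMT_NET = ipaddress.ip_network("172.17.128.24/255.255.128.0", strict=False)

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
PATTERNS = {
    "dup_ip": re.compile(
        rf"Base Radio MAC\s+(?P<ap_mac>{MAC}) has found\s+its IP Address\s+(?P<ip>\S+)"
        rf" being used by a machine with MAC\s+Address\s+(?P<mac>{MAC})"),
    "disassoc": re.compile(
        rf"AP '(?P<ap>[^']+)', MAC:\s*(?P<ap_mac>{MAC}) disassociated previously"
        rf" due to (?P<cause>[^.]+)\."),
    "radio_down": re.compile(
        rf"Operation State Down: Base Radio MAC:\s*(?P<ap_mac>{MAC})\s+"
        rf"Cause=(?P<cause>.+?) Status:"),
    "ids": re.compile(
        rf"IDS Signature attack detected\..*?Name:\s*(?P<name>[^,]+),"
        rf".*?Detecting AP Name:\s*(?P<ap>[^,]+),.*?Hits:\s*(?P<hits>\d+),"
        rf" Channel:\s*(?P<channel>\d+), srcMac:\s*(?P<mac>{MAC})"),
}


def is_locally_administered(mac):
    """True when the U/L bit (0x02 in the first octet) is set, meaning the
    address does not come from a registered vendor OUI."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_events(text):
    """Turn raw WLC message lines into dicts; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                events.append({"kind": kind, **match.groupdict()})
                break
    return events


def triage(events, mgmt_net=MGMT_NET):
    """Annotate duplicate-IP and IDS events with the checks a responder needs."""
    findings = []
    for ev in events:
        if ev["kind"] == "dup_ip":
            findings.append({
                "kind": "dup_ip",
                "ap_mac": ev["ap_mac"].lower(),
                "ip": ev["ip"],
                "claimed_by": ev["mac"].lower(),
                # An address outside the subnet is not one of the APs' static IPs.
                "ip_in_mgmt_net": ipaddress.ip_address(ev["ip"]) in mgmt_net,
                "mac_locally_administered": is_locally_administered(ev["mac"]),
            })
        elif ev["kind"] == "ids":
            findings.append({
                "kind": "ids",
                "signature": ev["name"].strip(),
                "detecting_ap": ev["ap"].strip(),
                "channel": int(ev["channel"]),
                "hits": int(ev["hits"]),
                "src_mac": ev["mac"].lower(),
                "mac_locally_administered": is_locally_administered(ev["mac"]),
            })
    return findings


def link_loss_counts(events):
    """Count disassociation and radio-down events per AP radio MAC."""
    return Counter(ev["ap_mac"].lower() for ev in events
                   if ev["kind"] in ("disassoc", "radio_down"))


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_LOG)
    for finding in triage(parsed):
        print(finding)
    print(dict(link_loss_counts(parsed)))
```
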

Similar Messages

  • Sudden Network Instability

    Up until last week I had my home network configured in the way described below and it worked fine. Without any changes that I'm aware of, suddenly I'm having trouble staying connected to my ISP.
    I have a dual band network:
    A Time Capsule connected via ethernet to my ISP. I have it set to "create a wireless network" (n speed 5 GHz). I use DHCP and have it set to "share a public IP address". The network called "adibiase" is extended at the other end of the house by an Airport Extreme n with "Fast Ethernet".
    Connected to the Airport Extreme/Fast Ethernet that extends the n network is an older domed Airport Extreme. I use it to broadcast a network called "gdibiase" at g speed. It's set to "participate in a WDS network" and has its connection sharing set to "Off (Bridge Mode)".
    I access the n network with a MacBook Pro. My wife accesses the g network with an iBook G4.
    This all worked great until the n network started losing its connection to my ISP. Sometimes it works....but frequently now doesn't. At these times I could switch over to the g network which interestingly gave me a pretty fast connection. In fact, at times I've been finding it more efficient to work on the g network....it's more reliable (doesn't drop out as much) and actually at times seems faster than the n network.
    I'm sure my configurations are not the best. But for a few months they did seem to work flawlessly.
    Any suggestions will be appreciated,
    Allan

  • Acs 5.3 and wlc 2504 config with restricted network access

    Hello,
    I submit to you the following issue that I'm currently facing:
    I must configure a secured wireless network with access restriction based on SSID. The equipment is: Cisco WLC 2504 (soft 7.3), Cisco Secure ACS appliance 1121 (soft 5.4).
    The users that will connect to the network are grouped by identity groups, each identity group having its own SSID. Clearly each group of users must access only one SSID.
    i followed the procedure below to configure it:
    -- creating user identity groups;
    -- creating users and assigning them to the groups;
    --- creating authorization profiles for each SSID under policy element/ authorization and permission/network access/authorization profiles and putting the Airespace-Wlan-Id(the SSID number) in the radius tab.
    --- assigning the authorization profiles to the identity groups under access policies.
    After all this config the users can access the network using their configured userid/password. But the problem is every user can access every SSID; it seems the restriction is not configured correctly.
    I found some documentation on this kind of config but the version of ACS used seems older than the one that I use, so the menus are very different.
    Please can someone provide me with the right steps to follow to achieve this kind of config.
    tkx in advance

    Yes.. you only have to add the end filter like what I posted... as far as the calling station id in the WLC security tab, it doesn't matter because that is not used when using 802.1x.  I would also try to not enable everything that you have just to start from the basic and make sure it works first.  The WAP Authentication Method might or might not work for you.  Uncheck that for now and when you have a successful authentication, look at the monitor log and see what RADIUS attributes are being sent, because those attributes are what you can use to build your policies.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Two WLC 2504 in same Network

    I have two WLC 2504 controllers. These controllers are for two different buildings. But they share a VLAN, and network address range.
    How can I control the access points to the register selected only at a specific controller.
    Example:
    AP 1 -> WLC 1
    AP 2 -> WLC 2
    AP 3 -> WLC 1
    Since the buildings also broadcast in different SSID.
    The two controllers are in a mobility group.

    I also ran into an install similar to yours. My client had a flat network and each wlc had licenses for the amount of APs in a particular building. What I did to make sure the APs never join the other wlc, is to use a Mac list. This allowed me to enter the APs base Mac address on the wlc and I enabled under the ap policy to verify authorization using Mac list. You can also do what AA mentioned which is good practice, but you have a chance that APs might join the other wlc. If the other wlc has different configurations, it might cause issues until the ap falls back to its primary.
    Sent from Cisco Technical Support iPad App

  • Best practices for network design on WLC 2504 and 5508

    Dear all:
    I'm looking for some recommendations on WLC 2504 and 5508 about the following:
    Maximum amount of AP per port
    The scenario when to use all ports in both WLC
    Maximum number of clients(users) per port
    Bandwidth consumption of management vs data in order to assign one port for management
    I've just found this:
    Cisco 5508 controllers have eight Gigabit Ethernet distribution system ports, through which the controller can manage multiple access points. The 5508-12, 5508-25, 5508-50, 5508-100, and 5508-250 models allow a total of 12, 25, 50, 100, or 250 access points to join the controller. Cisco 5508 controllers have no restrictions on the number of access points per port. However, Cisco recommends using link aggregation (LAG) or configuring dynamic AP-manager interfaces on each Gigabit Ethernet port to automatically balance the load. If more than 100 access points are connected to the 5500 series controller, make sure that more than one gigabit Ethernet interface is connected to the upstream switch.
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/6-0/configuration/guide/Controller60CG/c60mint.html
    Thanks for your help.

    The 5508-12, 5508-25, 5508-50, 5508-100, and 5508-250 models allow a total of 12, 25, 50, 100, or 250 access points to join the controller.
    This is an old document.  5508 can now support up to 500 APs if you run firmware 7.X.  2504 can support up to 75 APs if you run firmware 7.4.X.
    I'm looking for some recommendations on WLC 2504 and 5508 about the following:
    Best practice and recommendation is to LAG all ports so you will be able to form a link redundancy.  If one link goes down, you have other link to push traffic. 

  • DHCP Error with WLC 2504 and Aironet 2600 setup across subnets

    Hey guys
    I have just setup a new WLC 2504 controller to manage a WiFi service that will span 6 geographic locations.  The local networks at each location are on different subnets (all 192.168.x.x) and are linked up via IPSEC VPN links, and there is Active Directory spanning the sites, with DNS and DHCP servers running at each location.
    I tested the WLC at our main office with a single AP, and it worked fine.  The AP set itself up, and wireless devices connect with no probs. Great!  Yesterday I headed out to one of our remote sites, and connected an AP to their network - and that seemed to work fine too.  Within a few minutes I was able to see the WiFi network I'd setup, and my smartphone connected to it straight away (as I'd previously connected at the main office), so I was pretty happy that all was working well.
    This morning however I've had notification that wifi performance at the remote site isn't great.  I've got someone to check their IP address, and I've found that their IP address and default gateway match the LAN at the main office where the WLC is based - NOT the LAN where the wireless client is.  Obviously this is not ideal!
    So I guess my question is, what have I done wrong?  (I guess I HAVE done something wrong!?).  And how can I get wireless clients at remote sites to pick up an IP from the DHCP server at THEIR site?
    Any help would be greatly appreciated! 
    Thanks!           

    Hello Tim,
    What mode your APs are in? Local mode? or FlexConnect mode?
    If local mode, then all the traffic will be tunnelled to the WLC and they'll be same as if you are connecting from the WLC location.
    If you use FlexConnect APs (which is recommended for remote sites) you can configure FlexConnect groups on the WLC and add each location in a specific group. In that group you can decide what VLAN the users should be in.
    Check this link for FlexConnect group configuration
    http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_flexconnect.html#wp1230080
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • WLC 2504 redundancy set up

    WLC: 2504
    Firmware: 7.6.100
    Hello,
    I'm getting very confused in how to set up redundancy with WLC 2504. Some sources talk about Client SSO, some about N+1.
    But it seems that although I should use Client SSO with firmware 7.6, the WLC 2504 doesn't support it.
    When I type config redundancy, I have no choice
    >config redundancy ?
    unit           Configure redundancy unit [primary | secondary]
    So I typed "config redundancy unit primary" on my 2504 and "config redundancy unit secondary" on my 2504-HA
    And when I issue this command I have very little information
    >show redundancy summary
    Type of the Unit = Primary
    Does someone have guidelines for redundancy with WLC 2504 on firmware 7.6?
    Thank you

    Hello,
    Thank you both for your answers.
    Something I didn't understand in the documentation is this.
    Is there a replication of configuration between the WLC primary and the HA ? I did read that they should have different network settings (IP addresses) so I understand that there is not a total replication, what about the rest of the configuration ?
    The only result I have when I issue a command on the WLC-HA is this
    >show redundancy summary
    Type of the Unit = Secondary
    It doesn't look exactly like what I see in the documentation.
    Thank you

  • WLC 2504 can't change WAP name or switch off CDP via WLC gui

    Hi All,
    Please can you assist? I have 1 x Cisco WLC 2504 & 2 x Cisco WAP AIR-CAP1602I-E-K9 running 7.4.100.60.
    All three devices are installed and working correctly within a corporate environment. However, there are a few tweaks that I would like to do, to tidy up the configuration and switch certain elements on or off. For example, my core networking hardware is Huawei and I would like to switch off 'CDP' on the WAP's as the associated error messages are filling up my logging buffer on my switch. So, I https to my WLC, locate the WAP in question, go to 'interfaces' and untick the box for 'CDP state', hit apply, then I get the following error message "controller name is mandatory when controller ip address is configured" and then the tick reappears!
    At present I have two WAP's. Both have static IP addresses and both are reachable on the network. The one WAP did allow me to change the name to something meaningful, but the other WAP would not let me and still has the default MAC address as its name. I have the same issue, when I try to change the name on the WAP it says "controller name is mandatory when controller ip address is configured"
    I have also tried to CLI directly in to the WAP to make these alterations, but as soon as I launch 'putty' it quits out. I guess this is locked down once the WAP's associate with the WLC.
    And around I go.... Someone must have been in this situation, what am I missing? Thanks in advance!

    Hi Andy,
    By default SSH & Telnet is disabled for WLC controlled APs. So you have to enable it first via WLC GUI in order to access the AP via telnet or SSH.
    Wireless -> Select your AP -> Advanced -> Tick Telnet/SSH boxes.
    If you could not change AP name via WLC GUI (it may be a bug), but as I said earlier try to change it via WLC CLI (not AP CLI itself). SSH to your WLC & then try the following. Old AP name is the one with its MAC address.
    (WLC) >config ap name
    (WLC) >save config      
    Are you sure you want to save? (y/n) y
    Configuration Saved
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

    I need to add guest (internet only) wireless to our existing internal wireless and am looking for advice as to the best practice configuration. Existing infrastructure as follows:
    WLC 2504
    1142 LAPs
    4510R+E
    ASA 5510
    Existing configuration as follows:
    WLC management interface and APs addressed on the 192.168.126.0 /25 network
    Internal WLAN mapped to the management interface
    Management interface VLAN ID 0 (untagged) and dynamic AP management enabled
    WLC port 1 (only) connected to 4510 via trunk with native VLAN set to 7 and allowed VLAN set to 7
    4510 connected to ASA inside interface (security level 100)
    Switchport on 4510 connected to ASA configured as switchport access VLAN 99 (our internet VLAN)
    ASA inside interface NOT configured for subinterfaces and is addressed on the 192.168.121.0 /25 network
    What is the best way to add guest wireless to our existing configuration?
    Note: I need the guest wireless to be filtered by Websense as our internal wireless is
    Any advice would be greatly appreciated!

    Thanks for the reply Scott. The configuration recommendations from Yahya did not work. I set up as he recommended and also added a dhcp scope on the wlc. Client gets dhcp but cannot even ping the wlc much less anything else. Yahya stated above to configure port 2 on the wlc to an access port on my 4510. Aren't all connections from the wlc supposed to be trunk links to the switch? Shouldn't I just leave the management interface on the wlc untagged and add a dynamic interface for each wlan and tag it with the appropriate vlan id? And then leave the (one) physical connection on the wlc (port 1) connected to a trunk link on the 4510 that allows the required vlans?
    Any input would be greatly appreciated...
    JW

  • Cisco WLC 2504 and ways to authenticate users

    Hi All,
    What are the ways to make users authenticate to the WLC 2504, what is the best and simplest way, and what are the differences between each method (I mean, for example, whether a RADIUS server or something else needs to exist)?
    And can anyone give me a case study for this issue?
    The system consists of Cisco 2504 and Cisco LAP 1140
    Thanks

    Implementing RADIUS-based authentication is the best practice for small and enterprise environments.
    Information About RADIUS
    Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol that provides centralized security for users attempting to gain management access to a network. It serves as a backend database similar to local and TACACS+ and provides authentication and accounting services:
    •Authentication—The process of verifying users when they attempt to log into the controller.
    Users must enter a valid username and password in order for the controller to authenticate users to the RADIUS server. If multiple databases are configured, you can specify the sequence in which the backend database must be tried.
    •Accounting—The process of recording user actions and changes.
    Whenever a user successfully executes an action, the RADIUS accounting server logs the changed attributes, the user ID of the person who made the change, the remote host where the user is logged in, the date and time when the command was executed, the authorization level of the user, and a description of the action performed and the values provided. If the RADIUS accounting server becomes unreachable, users are able to continue their sessions uninterrupted.
    RADIUS uses User Datagram Protocol (UDP) for its transport. It maintains a database and listens on UDP port 1812 for incoming authentication requests and UDP port 1813 for incoming accounting requests. The controller, which requires access control, acts as the client and requests AAA services from the server. The traffic between the controller and the server is encrypted by an algorithm defined in the protocol and a shared secret key configured on both devices.
    You can configure multiple RADIUS accounting and authentication servers. For example, you may want to have one central RADIUS authentication server but several RADIUS accounting servers in different regions. If you configure multiple servers of the same type and the first one fails or becomes unreachable, the controller automatically tries the second one, then the third one if necessary, and so on.
    For more Information : http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_security_sol.html#wp2149947
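
The shared-secret mechanics that answer refers to, as an added example that is not part of the original post or of Cisco's documentation: it implements the User-Password hiding and the Response Authenticator check specified in RFC 2865, which are the two places the shared secret is used. The user name, password and secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # attribute types from RFC 2865


def _xor_chain(secret, authenticator, data, decrypt):
    """XOR 16-byte blocks with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, pad))
        prev = block if decrypt else xored   # always chain on ciphertext
        out += xored
    return out


def hide_password(password, secret, authenticator):
    """Client side: pad with NULs to a multiple of 16 bytes, then hide."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(secret, authenticator, padded, decrypt=False)


def reveal_password(hidden, secret, authenticator):
    """Server side: undo the hiding and strip the NUL padding."""
    return _xor_chain(secret, authenticator, hidden, decrypt=True).rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, authenticator=None):
    """Minimal Access-Request; a real NAS also sends NAS-IP-Address or NAS-Identifier."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in ((USER_NAME, username),
                             (USER_PASSWORD, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    # User-Name travels in clear; only the User-Password value is hidden.
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def build_response(code, request, attrs, secret):
    """Server side: Response Authenticator = MD5(code+id+len+RequestAuth+attrs+secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response, request, secret):
    """Client side: accept a reply only if it is bound to our request and secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if int.from_bytes(response[2:4], "big") != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # constructed sample values
    req = build_access_request(7, b"alice", b"correct horse battery staple", secret)
    ok = build_response(ACCESS_ACCEPT, req, b"", secret)
    print(verify_response(ok, req, secret), verify_response(ok, req, b"wrong-secret"))
```

A reply computed with a different secret, or altered in transit, fails `verify_response`, which is why the secret must match on the controller and the server.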

  • Savant and WLC 2504

    The customer has 1x WLC 2504 and 7x AP 3502i.
    He is installing an automation system called Savant; this system uses the Bonjour protocol to discover the services on the network.
    I've configured the multicast group on the controller and switch (SG300) with IP 239.xxx.xxx.xxx, but the Savant (on iPad) doesn't find the service.
    Has anybody gone through a similar scenario?
    I've used this document: http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_tech_note09186a0080bb1d7c.shtml
    PS: The customer has no VLAN
    Best regards.

    # Disable mDNS/Bonjour on the WLC. Place the WLC management and AP VLAN on the same subnet. Keep the Savant server and iPhone on the same WLAN and try.
    # WLC 2500 supports only Multicast to Multicast for AP mode; be sure that wired side multicast is configured properly and working.
    # Try with any standard app to verify Bonjour and AP mode multicast works.
    # It is possible there may be a specific string that needs to be added to the Bonjour profile for Savant to work. Do debug mdns all enable and see what is missing.
    It is suggested to open a TAC case for troubleshooting.

  • Configure a second Wlan on WLC 2504

    Hello,
    I  created a topic about this problem on the learningnetwork cisco site too. You can find it here: https://learningnetwork.cisco.com/thread/73201.
    The problem is:
    We have the Cisco WLC 2504 with a couple of access points. On this WLC we have a network connection via a radius server for our employees. The DHCP server for this connection is the server you see on the drawing. The connection from the switch to the WLC is connected on port 1 of the WLC. This connection works like a charm.
    Now I want to create a second network (which is divorced from our internal network) for our guests, but it doesn’t work till now. What we have at the moment is:
    A connection from the firewall via the router to the internet
    A connected cable from the firewall to the WLC on port 2
    A configured interface (port 2) on the WLC
    A configured Wlan on the WLC (it is possible to connect to the guest Wlan with a static ip)
    The SSID of the guest network is broadcasted via the AP’s which also broadcast the internal network SSID
    The problem I have now is:
    I have no connection between the WLC Port 2 (192.168.10.2) and the firewall (192.168.10.1). When I try to ping the firewall (192.168.10.1) I get a no reply received message.
    How can I get this working? I hope someone can help me with this. Thanks in advance!
    Screenshots:
    Guest interface
    Network layout
    Show int sum
    Show wlan sum
    Wlan general
    Wlan advanced

    Frank,
    The issue is that the WLC will not route between VLANs.  In order for the scenario that Rasika recommended to work, the switch needs to be a layer 3 switch or needs a layer 3 device attached to it to route between the VLANs.
    In my WLC, I have a guest interface as well:
    The gateway listed in the VLAN 50 Interface on my L3 Switch:
    I then have a route established on my switch to send that traffic to my ASA:
    Due to that, I can ping the ASA from my WLC:
    Of course, my WLAN for guests only has access to the guest Interface Group:
    Try these changes on your switch (or other Layer 3 Device) and let us know if it worked for you.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • WLC 2112 and WLC 2504

    This might be a really stupid question but I need to ask just so that I get a definitive answer. I have a customer that is using a WLC 2112 and has maxed out the licenses for the WLC. I have suggested for him to purchase a 2504 with 30 or 40 licenses to replace the existing 2112. He doesn't want to purchase 30 to 40 licenses and doesn't want to remove the 2112 from the network environment. He would rather purchase a WLC 2504 with 15 licenses and just add that into the network.
    My question is, will there be a problem running a 2504 and a 2112 on the same network? Or can I just make one a primary and one a secondary?

    That should be fine. Just make sure the WLCs are running the same code version and everything should work fine. This is required for APs failover from one WLC to another. You don't want the APs upgrading or downgrading code versions every time the ap moves from the primary to the secondary WLC.

  • AP1121 can't join WLC 2504

    Hi there,
    It's me again... same devices which are making trouble.
    I have an already configured WLC 2504 running in the network. Every LAP I add to the network joins immediately to the Controller.
    But not the AP1121G AP.
    It fails the handshake every time and the Controller shows me a fail message at the statistics in the GUI.
    GUI Message:
    RADIUS authorization is pending for the AP
    CLI Debug:
    *spamApTask0: May 23 17:29:18.258: 00:11:20:6e:2b:14 Allocated index from main list, Index: 16
    *spamApTask0: May 23 17:29:18.259: 00:11:20:6e:2b:14 DTLS keys for Control Plane are plumbed successfully for AP 192.168.1.100. Index 17
    *spamApTask0: May 23 17:29:18.259: 00:11:20:6e:2b:14 DTLS Session established server (192.168.1.10:5246), client (192.168.1.100:1716)
    *spamApTask0: May 23 17:29:18.260: 00:11:20:6e:2b:14 Starting wait join timer for AP: 192.168.1.100:1716
    *spamApTask0: May 23 17:29:18.263: 00:11:20:6e:2b:14 Join Request from 192.168.1.100:1716
    *spamApTask0: May 23 17:29:18.264: 00:11:20:6e:2b:14 Deleting AP entry 192.168.1.100:1716 from temporary database.
    *spamApTask0: May 23 17:29:18.264: 00:11:20:6e:2b:14 AP with same name AP0011.206e.2b14 exist. Using default name AP0011.206e.2b14 for this AP.
    *spamApTask0: May 23 17:29:18.265: 00:11:20:6e:2b:14 In AAA state 'Idle' for AP 00:11:20:6e:2b:14
    *spamApTask0: May 23 17:29:18.266: 00:11:20:6e:2b:14 State machine handler: Failed to process  msg type = 3 state = 0 from 192.168.1.100:1716
    *spamApTask0: May 23 17:29:18.267: 00:11:20:6e:2b:14 Failed to parse CAPWAP packet from 192.168.1.100:1716
    *spamApTask0: May 23 17:29:18.267:
    *spamApTask0: May 23 17:29:18.267: 00:11:20:6e:2b:14 Finding DTLS connection to delete for AP (192.168.1.100/1716)
    *spamApTask0: May 23 17:29:18.268: 00:11:20:6e:2b:14 Disconnecting DTLS Capwap-Ctrl session 0x1458bd60 for AP (192.168.1.100/1716)
    *spamApTask0: May 23 17:29:18.268: 00:11:20:6e:2b:14 CAPWAP State: Dtls tear down
    *spamApTask0: May 23 17:29:18.268: 00:11:20:6e:2b:14 DTLS keys for Control Plane deleted successfully for AP 192.168.1.100
    *spamApTask0: May 23 17:29:18.270: 00:11:20:6e:2b:14 DTLS connection closed event receivedserver (172:16:58:250/5246) client (192.168.1.100/1716)
    *spamApTask0: May 23 17:29:18.270: 00:11:20:6e:2b:14 Entry exists for AP (192.168.1.100/1716)
    *spamApTask0: May 23 17:29:18.272: 00:11:20:6e:2b:14 No AP entry exist in temporary database for 192.168.1.100:1716
    *spamApTask0: May 23 17:29:18.272: 00:11:20:6e:2b:14 Discarding non-ClientHello Handshake OR DTLS encrypted packet from  192.168.1.100:1716)since DTLS session is not established
    *spamApTask0: May 23 17:29:18.277: 00:11:20:6e:2b:14 Received LWAPP JOIN REQUEST from AP 00:11:20:6e:2b:14 to 84:78:ac:b3:73:c0 on port '1'
    *spamApTask0: May 23 17:29:18.278: 00:11:20:6e:2b:14 incomingRadJoinPriority = 1

    Problem solved
    Hey guys, I solved the problem. It wasn't the firmware version. I downgraded the WLC and the problem still exists.
    Problem reason: The AP1121G series doesn't have a MIC - Manufactured Installed Certificate - which is compatible with / accepted by the WLC 2504 and its parameters for the RADIUS server. Maybe it has no MIC, I don't know.
    So you need the SSC - Self Signed Certificate - for the join authentication.
    Solution:
    1. Logon to GUI or CLI of the WLC.
    2. Enable "Accept Self Signed Certificate"
              GUI: Security > AP policy
              CLI: (Cisco Controller) >config auth-list ap-policy ssc enable
    3. Look for the SSC Hash of the AP:
              CLI: (Cisco Controller) >debug CAPWAP events enable
              There you'll find an event which is called e.g.:
         Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: SSC Key Hash is 9e4ddd8dfcdd8458ba7b273fc37284b31a384eb9
    4. Add the AP manually to the controller
              GUI: Security > AP policy > Add
              There you have to set the right parameters: AP MAC, Cert. type: "SSC" and the Key.
              CLI:
              (Cisco Controller) >config auth-list add ssc 00:0e:84:32:04:f0 9e4ddd8dfcdd8458ba7b273fc37284b31a384eb9
    5. Maybe you should reboot the AP.
    And it's done
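
Steps 3 and 4 above, as an added helper that is not part of the original post or of any Cisco tooling: it pulls the SSC key hash out of saved debug output, validates the AP MAC and the hash, and prints the `config auth-list add ssc` line in the form the post uses. The 40-hex-digit hash length is assumed from the post's example, and the sample capture is constructed from the post's single debug line.

```python
import re

HASH_LINE = re.compile(r"SSC Key Hash is\s+([0-9A-Fa-f]+)")
KEY_HASH = re.compile(r"[0-9a-f]{40}")     # assumption: 40 hex digits, as in the post


def extract_ssc_hashes(debug_text):
    """Unique, well-formed SSC key hashes in order of first appearance."""
    found = []
    for match in HASH_LINE.finditer(debug_text):
        key_hash = match.group(1).lower()
        if KEY_HASH.fullmatch(key_hash) and key_hash not in found:
            found.append(key_hash)
    return found


def normalize_mac(mac):
    """Accept colon, dash or dotted notation; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_ssc_args(arg_text):
    """Split the arguments of 'config auth-list add ssc' into (mac, key_hash).

    Also repairs the pasted form in which the 17-character MAC and the
    40-digit hash run together without a space.
    """
    parts = arg_text.split()
    if len(parts) == 1 and len(parts[0]) == 17 + 40:
        parts = [parts[0][:17], parts[0][17:]]
    if len(parts) != 2:
        raise ValueError(f"expected '<mac> <hash>', got {arg_text!r}")
    key_hash = parts[1].lower()
    if not KEY_HASH.fullmatch(key_hash):
        raise ValueError(f"not a 40-digit key hash: {parts[1]!r}")
    return normalize_mac(parts[0]), key_hash


def auth_list_commands(ap_mac, debug_text):
    """One CLI line per distinct hash seen; more than one needs a human look."""
    mac = normalize_mac(ap_mac)
    return [f"config auth-list add ssc {mac} {h}" for h in extract_ssc_hashes(debug_text)]


# Constructed capture: the post's debug line repeated (APs retry the join),
# plus one truncated line that must be rejected.
SAMPLE_DEBUG = """\
Mon May 22 06:34:14 2006: sshpmGetIssuerHandles: SSC Key Hash is 9e4ddd8dfcdd8458ba7b273fc37284b31a384eb9
Mon May 22 06:34:24 2006: sshpmGetIssuerHandles: SSC Key Hash is 9e4ddd8dfcdd8458ba7b273fc37284b31a384eb9
Mon May 22 06:34:34 2006: sshpmGetIssuerHandles: SSC Key Hash is 9e4ddd8dfcdd84
"""

if __name__ == "__main__":
    for line in auth_list_commands("00-0E-84-32-04-F0", SAMPLE_DEBUG):
        print(line)
```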

  • CME, WLC 2504, 3602i and 7926

    Hello,
    I have a wlc 2504, several indoor 3602i using Cisco 7926. The APs are in flexconnect mode, signal looks good from the 7926 site survey too. Good coverage anywhere from -50 to -65. I can be standing directly under an AP and the 7926 will lose network connectivity and connect again. A site survey was done before AP placements.
    Most of my system configuration on the WLC are defaults. Any idea why this is happening?
    Thanks
    Nki

    Duplicate post #2.
