WLC5508 & OEAP & Flexconnect

Hello,
Following question:
We installed a Cisco WLC 5508 with AIR OS 7.4.110.0 into our DMZ as termination point for our OEAP 600 series and
also for our Flexconnect APs. After we implemented this solution, from time to time some HREAP/Flex APs lost the
connection and rejoined 2-3 hours later or 2-3 days later, and we don't know why.
We checked the logfiles from the WLC and APs and also saw, every time, connection requests to the NAT IP from our WLC.
After we added the following command on the remote site's router
"ip route  WLC IP   Null0 name"
it seems the problem is solved.
The thing for me is that I never heard of adding this command in the context of the Cisco OEAP solution.
Could this be a software bug in the Cisco AIR OS 7.4.110?
Thanks

Hi,
Thanks for the information, but I added this command from the beginning. For me it seems this is the same issue as described in the following thread:
https://supportforums.cisco.com/thread/2220681
Cheers

Similar Messages

  • FlexConnect, EAP-TLS and dynamic VLAN assignments

    I need to integrate Cisco ISE and WLC5508 with FlexConnect (local switching) using EAP-TLS security for wireless clients across multiple floors (dynamic VLAN assignments based on floor level). The AP model used is 3602.
    I have some questions:
    - What RADIUS attribute can be used for dynamic VLAN assignments based on floor level? Is there an option where I can group all LWAPs on the same floor for getting a certain VLAN from ISE?
    - I intend to use WLC software version 7.2 since 7.3 is the latest version. Has someone used WLC software version 7.3 without any major bugs/issues pertaining to FlexConnect and EAP-TLS?
    - I read some documents saying L3 roaming is where the associated WLC has changed. However, if a user moves to a different subnet but is still associated to the same WLC, would this be considered L3 roaming too?
    Can someone assist to clear my confusion here? Any reference URL for layer 2 and layer 3 roaming details is appreciated. Thanks

    I'll give this a shot :)
    For RADIUS VLAN attributes, both ACS and ISE have the ability in the policies to just enter the VLAN ID in the profile. You can either do that or use the IETF attributes.
    The RADIUS attributes to configure for VLAN assignment are IETF RADIUS attributes 64, 65, and 81, which control VLAN assignment of users and groups. See RFC 2868 for more information.
    64 (Tunnel-Type) should be set to VLAN (Integer = 13)
    65 (Tunnel-Medium-Type) should be set to 802 (Integer = 6)
    81 (Tunnel-Private-Group-ID) should be set to the VLAN number. This can also be set to VLAN name if using a Cisco IOS device (excludes Aironet and Wireless Controllers however).
    You can find this by searching on Google... A lot of examples out there.
    v7.2 and v7.3 I have had no issues with, with any type of encryption used. With 7.0 and 7.2, I would use the latest due to the Windows 8 fix.
    Layer 3 roaming is what's going to happen if the AP's are in local mode. This means that the client will keep their IP address no matter what AP they are connected to and/or WLC, as long as the mobility group is the same. So a user who boots up on floor 1 will keep its IP address even if he or she roams to the 12th floor, as long as he or she didn't lose wireless connection.
    FlexConnect you can do that. The AP's are trunked and need to have the VLANs. So what you're trying to do will be disruptive to clients. When they roam to another floor AP that is FlexConnect locally switched, they will drop and have to re-associate in order to get a new IP address.
    Hope this helps.
    Sent from Cisco Technical Support iPhone App

  • Mesh and Flexconnect with WLC5508

    Hi Community.
    A customer has bad coverage in a corner of his branch office. He would like to add a mesh AP (MAP) near that corner.
    I already checked the documentation about Mesh but I'm not sure if Flexconnect and Mesh work together. This MAP is in a branch office and the WLC is in the headquarters, therefore he would like to use Flexconnect together with Mesh.
    Best regards Patrick

    Okay, and if the AP is set up as RAP, then other wireless clients can't connect to that AP anymore?
    I have to do Ethernet Bridging and give the Bridge Group a name, right? Set that on the MAP and the RAP.
    I have to set the port on the switch where the RAP is connected to a trunk port, so all 3 WLANs (VLANs) can reach the switch over wireless.
    But how do I forward these 3 WLANs (VLANs) from the MAP to the RAP and finally to the switch?

  • WLC5508 for only HREAP/FlexConnect?

    Having setup several WLC4402's in the past, I am posed with a new implementation that I have never tried before.  I will be setting up a new 5508 that will ONLY be used for remote access-points in H-REAP mode.  It is going into a datacenter and there will be no local LWAPP's.
    Is it still required to set up a dynamic interface on a network that will essentially only have the controller IP? Or can I serve all the AP's out of the single, untagged management interface (which I believe is also the old ap-manager interface now?)?

    You can simply use just the management, as no traffic will be locally terminated at the WLC.
    I however would create a 'dummy' interface with a bogus VLAN. Then link the WLANs to the dummy interface, so in case something messes up, you aren't accidentally putting clients on your management subnet.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • OEAP & PaloAlto & Tunnel Interruption

    Hello,
    I'm testing right now the following solution:
    We have a Flexconnect & OEAP WLC5508 installed in our DMZ (LAG configured together with a DMZ switch). Our firewall is a PaloAlto device.
    Now I get the following problems:
    All working without problems. I get a connection over the internet with my OEAP600 AP and get an IP and can also use my Cisco Phone
    which is connected to the RemoteLAN on the OEAP. The strange thing is now, if I do a reconnect on my laptop for testing
    (disconnect OEAP SSID and reconnect), the tunnel interrupts and rebuilds. In most cases the tunnel comes back and everything works (Phone & WLAN) again, and sometimes only a reboot of the OEAP will fix the problem.
    I checked if I see any blocking on the PaloAlto but I don't see anything that is blocked.
    Regards
    Alex

    Hi,
    Thanks for the answer, see below more clarifications:
    So you have LAG enabled on the WLC in the DMZ and you have an etherchannel set up to the same DMZ switch --> yes
    So when you are using the remote LAN, you're dumping the traffic to a segment in the DMZ -> yes
    All our controllers are placed in the DMZ. We use one controller as Flexconnect termination and OEAP termination point. We have a second controller which is used only for Guest Access and works fine.
    I also inserted the command network ap-discovery nat-ip-only disable.
    I opened the ports UDP 5246 and UDP 5247 from outside to DMZ. If I did a test and removed the rules from the PA it works. But I don't see any blocking if I activate the rules again. This is the strange thing for me and I don't know why the tunnel goes down. I also thought this could be a problem with my DHCP configuration because I'm using DHCP proxy on the WLC for my OEAP interfaces.
    Thanks

  • SSID on FlexConnect versus Local mode APs???

    Hello!
    A colleague of mine and I discussed the different ways we could deliver an SSID on a customer's APs on their geographically different sites...
    The customer has a WLC5508 (r7.6) and (mostly) AP1142.
    All of the APs are in FlexConnect mode
    Two SSIDs are centrally switched
    One SSID is FlexConnect on all the sites with a local VLAN
    Now we would like to deploy a new SSID which should be centrally switched on all the sites, except for one site... So the problem is that the SSID needs support for FlexConnect for one site but should be centrally switched on all the other sites. And on these sites the APs are also in FlexConnect mode...
    Is there a way to do this? We have been looking around the settings for WLAN, APs, FlexConnect groups etc. and cannot figure this out! :-)
    Best Regards
    Göran Blomqvist
    TDC
    Sweden

    How about creating two SSID profiles for the same SSID name. One with WLAN-ID > 16 & configure it for FlexConnect local switching. Then create an AP group for the particular branch & map that SSID (the one with local switching) to that.
    For the other SSID (without local switching) you can map to all other branch APs (if you have specific groups). If you have APs in default-apgroup then as long as you choose WLAN ID < 16, it should be available in all other branches.
    Give it a try & see.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Local Policies and FlexConnect

    Hello,
    My customer has a traditional guest access design with foreign and anchor WLC without an ISE.
    It works fine.
    Now he plans to install a new WLC5508 for remote offices.
    All APs in these remote offices will be in FlexConnect mode connected to the central WLC, which is also a foreign WLC.
    The guest traffic is central switched and corporate SSIDs will be local switched.
    Now our problem is, is it possible to limit the guest bandwidth on each remote office with different values?
    Example:
    Office 1: Guest Bandwidth should be 1000k
    Office 2: Guest Bandwidth should be 2000k
    and so on....
    All APs in remote office 1 will be in FlexConnect Group 1 and the APs in remote office 2 in FlexConnect 2.
    Further I will create AP Groups for each remote office and add the belonging APs to this AP Group.
    Then I will create "local policies" and map the decided policy in AP group to the Guest SSID.
    So my question is; is this supported and does it work?
    I've read the config guide for 8.0 and didn't find anything about FlexConnect and local policies, I mean there are no Restrictions for Local Policy Classification
    Or is there another option available?
    thanks
    Martin

    Thanks for your help Scott. I'm not in full agreement with all you say, but you have helped me figure it out.
    You said the article was related only to 802.1x, but the article states that "802.1X is used in the example, but other mechanisms are equally applicable.".
    The article you linked regarding FlexConnect groups also states that central switching is only valid in "connected mode", i.e., when the WAN is up.
    However, I have found the following, which kind of explains the purpose of a central switched FlexConnect deployment
    http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml#central
    Thanks again.

  • What is the advantages of using Flexconnect groups

    What are the advantages of using Flexconnect groups in WLC?
    Reg,
    Ezra.

    Pls refer this document for more detail about these features
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch7_HREA.html#wp1091114
    FlexConnect is one mode an AP can operate in, typically deployed in a branch setup where you do not have a controller at the branch site. Those APs can register to a controller at your HQ or main site. So traffic will terminate at your branch switch instead of being tunnelled back to the HQ WLC.
    If you want roaming within your branch FlexConnect APs then you have to put those APs into a FlexConnect Group. Only then is key information shared among those APs to facilitate fast roaming.
    Pls do not forget to rate our responses if you find them useful.
    HTH
    Rasika

  • Local vs flexconnect which is better for throughput

    We have 190 APs in two buildings on the same campus connected to 2 5508 controllers.  Would it be better to put these APs in flexconnect mode with local switching?  My thought is that traffic would be better to have traffic switched at either the access switches on each floor or the main switches for each building rather than traveling back to the core, through the controllers and then to its destination.

    I understand that's what the documentation says (and keep hearing repeated without any clarification) but surely it all depends on your situation.
    Take this example for instance:
    - A 500-seat campus broken into 4 buildings
    - AP's managed by a HA-pair of 5508's in two DC's (10Gbps ring < 5ms), one DC on the main campus, connected by 6 x 1Gbps EtherChannel
    - Less than 25 AP's per building
    Surely the only issue then if we used FlexConnect local switching for a WLAN for Corporate PC's would be roaming. That isn't really much of a problem for PC's - who really wanders around a campus with their laptop open wanting persistent connection between sitting down?
    If you have multiple 802.11ac clients connecting to 3702 AP's that 6Gbps bottleneck is going to be saturated fairly quickly.
    As far as I can see FlexConnect groups are limited to 25 AP's but again that's not a huge issue given the usage case.
    For mobile devices (tablets, phones) and guest access then you can still use central switching.

  • Understanding Flexconnect - Local vs Central Switching, and WLC failover scenario ??

    Hello Experts
    We have one WLC 5508 in Building1, a few 2700 Series APs in Building1, and one 1252AG in Building2. The LAN subnet is the same for both buildings, connected via a dark fiber.
    My requirement is to have Central Switching in Building1 since the WLC is located locally, and Local Switching in Building2 to avoid inter-building traffic; for both buildings we already have one VLAN/IP subnet. (Both buildings access resources from a central datacenter which hosts all the servers.)
    Questions:
    1. Is the above scenario possible using single SSID ? My understanding is that one WLAN+SSID can't have both Local and Central switching enabled.
    2. In Flexconnect Central Switching mode, during WLC failure, does the switching change to Local switching automatically ?
    3. When I choose Local Switching for a specific WLAN, does it Locally switch always , or does it Locally switch only when WLC is down ?
    4. We want to use Microsoft PEAP using AD User Authentication. When Local Authentication is enabled on WLC, I understand that when WLC fails (and RADIUS Server is still reachable), can we still have the AP directly contact RADIUS server as a direct client and provide 802.1X Microsoft PEAP authentication. Guess this is Primary Backup Radius Server configuration. Is this understanding correct ?
    Thanks.

    Hi
    The LAN subnet is same for both Buildings connected via a dark fiber.
    If this is the case there is no need for FlexConnect, as you have enough bandwidth & the same L2 extended in those two buildings. Typically FlexConnect is for branch deployments where WAN link bandwidth is a concern.
    Anyway, if you want to do this, here is the answer to your specific queries.
    1. Is the above scenario possible using single SSID ? My understanding is that one WLAN+SSID can't have both Local and Central switching enabled.
    You can have both local switching & central switching available for a given SSID. Only FlexConnect mode APs will do local switching & all local mode APs will do central switching, though both use the same SSID.
    2. In Flexconnect Central Switching mode, during WLC failure, does the switching change to Local switching automatically ?
    No, if it is a central switching SSID, when the WLC is not available clients won't be able to join this SSID. It does not fall back to local switching.
    3. When I choose Local Switching for a specific WLAN, does it Locally switch always , or does it Locally switch only when WLC is down ?
    This is applicable only to FlexConnect mode APs & it always does local switching if that is configured. If the WLC is not reachable the AP will go into "standalone mode" & still do local switching.
    4. We want to use Microsoft PEAP using AD User Authentication. When Local Authentication is enabled on WLC, I understand that when WLC fails (and RADIUS Server is still reachable), can we still have the AP directly contact RADIUS server as a direct client and provide 802.1X Microsoft PEAP authentication. Guess this is Primary Backup Radius Server configuration. Is this understanding correct ?
    Yes, when this option is configured & the WLC is not reachable (but RADIUS is reachable) then the AP will act as Authenticator & pass RADIUS messages to the Auth Server directly.
    This is a very good Cisco Live presentation you should see, as it describes lots of these features & which WLC codes they were introduced in.
    BRKEWN-2016 - Architecting Network for Branch Offices with Cisco Unified Wireless
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • WLC, FlexConnect, ISE: Dynamic VLAN not working

    Hi,
    Not sure if this is a WLC or ISE problem, but since I am unsure of the WLC config I will try here first.
    Equipment:
    WiSM2 7.2.111.3
    ISE 1.1.1.268
    AP 3502 in FlexConnect
    What I want to achieve:
    One SSID, multiple VLANs
    Devices get profiled in ISE and based on the type of device they get assigned to a VLAN
    Problem:
    When the device connects the first time it ends up in native VLAN and not switched to the right VLAN, but when I reconnect then it is added to the right VLAN.
    WLC config (I know you like images so here you go ):
    I must be missing something but I can't figure out what. I will be attaching a debug aaa event enable for when the client connect the first time.
    In ISE I have an Authorization Profile that just says VLAN ID/Tag 158 (the VLAN that the device should go to) and it is added to the Authorization rule of the profiled device. CoA is set to Reauth.
    When the client connects I get three events in ISE:
    1.
    Authentication failed :
    22056 Subject not found in the applicable identity store(s)
    2. Authentication Success. With the results:
    UserName=00:18:DE:A2:BC:3A
    User-Name=00-18-DE-A2-BC-3A
    State=ReauthSession:c20e8b2f0000027e50ed27f8
    Class=CACS:c20e8b2f0000027e50ed27f8:ISE01/144259326/671335
    Termination-Action=RADIUS-Request
    Tunnel-Type=(tag=1) VLAN
    Tunnel-Medium-Type=(tag=1) 802
    Tunnel-Private-Group-ID=(tag=1) 158
    cisco-av-pair=profile-name=AX-Intel-Device
    3.
    Dynamic Authorization failed :
    11213 No response received from Network Access Device
    Has anyone got this to work? Do I need to add FlexConnect groups? If so then why?
    Regards,
    Philip

    I think you're hitting CSCua58554
    The bugtoolkit description is horrible... From what I recall when I ran into it, I believe that FlexConnect is having a problem with MAC filtering based AAA override on open WLANs (and/or CWA based). In general, AAA override works fine when it is from e.g. an EAP authentication.
    We had to use a 7.3 ES to resolve it...
    Looks like it is implemented in 7.4 though... If you don't want to join the 7.4 bandwagon quite yet, you could ask TAC for an ES of 7.3; don't think they have a 7.2 build.
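    The attribute triple listed in the EAP-TLS answer above (64/65/81) and echoed in the Access-Accept quoted in this post, as an added example that is not from either thread: it encodes the three RFC 2868 AVPs the way a RADIUS server sends them and performs the validation a NAS has to do before acting on them. The sample bytes are constructed; the tag-grouping and range checks are my own reading of RFC 2868, not the WLC's implementation.

```python
from typing import Dict, List, Optional, Tuple

# RFC 2868 attribute numbers and the values listed in the EAP-TLS answer above.
TUNNEL_TYPE = 64              # Tunnel-Type: tag octet + 3-octet integer
TUNNEL_MEDIUM_TYPE = 65       # Tunnel-Medium-Type: tag octet + 3-octet integer
TUNNEL_PRIVATE_GROUP_ID = 81  # Tunnel-Private-Group-ID: tag octet + string
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6
VLAN_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def _avp(attr: int, body: bytes) -> bytes:
    """Wrap a value as a RADIUS AVP: Type (1 octet), Length (1 octet, header included), Value."""
    if len(body) + 2 > 255:
        raise ValueError("AVP value too long")
    return bytes([attr, len(body) + 2]) + body


def _tagged_int(attr: int, tag: int, value: int) -> bytes:
    """Tagged integer form used by attributes 64 and 65."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return _avp(attr, bytes([tag]) + value.to_bytes(3, "big"))


def encode_vlan_assignment(vlan: str, tag: int = 1) -> bytes:
    """Build the three AVPs an ISE/ACS authorization profile sends to assign a VLAN."""
    return (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode("ascii")))


def parse_avps(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a run of RADIUS AVPs into (type, value) pairs; reject truncated or malformed ones."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header")
        attr, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr}")
        avps.append((attr, data[i + 2:i + length]))
        i += length
    return avps


def _split_tag(attr: int, value: bytes) -> Tuple[int, bytes]:
    """Return (tag, payload); for attribute 81 a first octet above 0x1F is data, not a tag."""
    if not value:
        raise ValueError(f"empty value for attribute {attr}")
    if attr == TUNNEL_PRIVATE_GROUP_ID and value[0] > 0x1F:
        return 0, value
    return value[0], value[1:]


def vlan_from_avps(avps: List[Tuple[int, bytes]]) -> Optional[str]:
    """Return the VLAN id the AVPs assign, or None if the triple is incomplete or inconsistent.

    The checks a NAS (here the WLC) should make before honouring an AAA override: all three
    attributes present under one tag, Tunnel-Type == VLAN, Tunnel-Medium-Type == 802, and a
    numeric id in range (the answer above notes the WLC does not accept VLAN names).
    """
    by_tag: Dict[int, Dict[int, bytes]] = {}
    for attr, value in avps:
        if attr in VLAN_ATTRS:
            tag, payload = _split_tag(attr, value)
            by_tag.setdefault(tag, {})[attr] = payload
    for attrs in by_tag.values():
        if len(attrs) != 3:
            continue  # e.g. a profile that only sends Tunnel-Private-Group-ID
        ttype = int.from_bytes(attrs[TUNNEL_TYPE], "big")
        medium = int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big")
        group = attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", errors="replace")
        if ttype == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_802 \
                and group.isdecimal() and 1 <= int(group) <= 4094:
            return group
    return None


# Constructed sample, modelled on the Access-Accept attributes quoted in the post above
# (Tunnel-Type=(tag=1) VLAN, Tunnel-Medium-Type=(tag=1) 802, Tunnel-Private-Group-ID=(tag=1) 158).
SAMPLE_ACCEPT = bytes.fromhex("4006 0100 000d" "4106 0100 0006" "5106 0131 3538")
```

Dropping the last AVP from the sample (`SAMPLE_ACCEPT[:12]`) or giving attribute 81 a different tag makes `vlan_from_avps` return None, which is the situation in which a client stays on the WLAN's default VLAN rather than the one the profile intended.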

  • Best Practice for FlexConnect Wireless roaming in MediaNet environment?

    Hello!
    Current Cisco best practice recommendations for enterprise MediaNet design, specify that VLANs be local to a switch / switch stack (i.e., to limit the scope of spanning-tree). 
    In the wireless world, this causes problems if you want users while roaming to keep real-time applications up and running.  Every time they connect to a new AP on a different VLAN, then they will need to get a new IP address, which interrupts real-time apps. 
    So...best practice for LAN users causes real problems for wireless users.
    I thought I'd post here in case there's a best practice for implementing wireless roaming in a routed environment that we might have missed so far!
    We have a failover pair of FlexConnect 7510s, btw, configured for local switching for Internal users, and central switching with an anchor controller on the DMZ for Guest users.
    Thanks,
    Deb

    Thanks for your replies, Stephen and JSnyder.
    The situation here is that the original design engineer is no longer here, and the original design was not MediaNet-friendly, in that it had a very few /20 subnets bridged over entire large sites. 
    These several large sites (with a few hundred wireless users per site) are connected to an HQ location (where the 7510s in failover mode are installed) via 1G ethernet hand-offs (MPLS at the WAN provider). The 7510s are new, and are replacing older controllers at the HQ location.
    The internal employee wireless users use resources both local to their site, as well as centralized resources.  There are at least as many Guest wireless users per site as there are internal employee users, and the service to them consists of Internet traffic only.  (When moved to the 7510s, their traffic will continue to be centrally switched and carried to an anchor controller in the DMZ.) 
    (1) So, going local mode seems impractical due to the sheer number of users whose traffic bound for their local site would be traversing the WAN twice.  Too much bandwidth would be used.  So, that implies the need to use Flex / HREAP mode instead.
    (2) However, re-designing each site's IP environment for MediaNet would suggest to go routed to the closet.  However, this breaks seamless roaming for users....
    So, this conundrum is why I thought I'd post here, and see if there was some other cool / nifty solution I wasn't yet aware of. 
    The only other (possibly friendly to both needs) solution I'd thought of was to GRE tunnel a subnet from each closet to the collapsed Core / Disti switch at each site.  Unfortunately, GRE tunnels are not supported in the rev of IOS on the present equipment, and so it isn't possible to try this idea.
    Another "blue sky" idea I had (not for this customer, but possibly elsewhere in the future), is to use LAN switches such as 3850s that have WLC functionality built-in.  I haven't yet worked with the WLC s/w available on those, but I was thinking it looks like they could be put into a mobility group, and L3 user roaming between them might then work.  Do you happen to know if this might be a workable solution to the overall big-picture problem? 
    Thanks again for taking the time and trouble to reply!
    Deb

  • I would like a Question About Flexconnect HA N+1 After WLC 1 Down and AP go to Joint WLC 2

    Hi everyone
    I have a question about Flexconnect HA N+1: after WLC 1 goes down and the AP goes to join WLC 2.
    - Cisco WLC 8500 = 2 units, version 7.6.130.10
    - Mode Flexconnect, HA N+1
    - AP joins WLC 1 and 2, mode HA N+1
    I would like to know: after WLC 1 goes down and the AP goes to join WLC 2, can clients associated to the AP still pass data traffic during the AP failover?
    I think in Flexconnect mode clients can still pass data traffic if WLC 1 and 2 are down, because in Flex mode data traffic does not go to the WLC?
    Is this true?
    thank you

    Hello
    You should try a flexconnect deployment combined with locally switched SSIDs, which should comply with your requirements.
    fp

  • Cisco 2504 OEAP NAT directly connect AP's no ip

    I setup my 2504 to work with OEAP.  When I enabled NAT on the management interface the one AP I have directly connected to the WLC is no longer getting an IP address.  Any idea why this is?

    First, it is not recommended to have an AP directly connected to the WLC; you really need to connect it to an upstream switch and let it connect that way.
    My first thought would be that you need to take a look at the link below that talks about how the NAT IP commands work.
    http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/command/reference/cli70MR1commands.html#wp14087790
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • Can a Flexconnect (h-reap) survive reload while in standalone mode

    I have searched and asked around for this the last weeks. Can't find the answer.
    When a flexconnect is in standalone mode (WAN down) what happens if the AP is reloaded?
    Is it possible to make a setup with i.e. WPA/PSK where the AP keeps working after a reload in standalone mode ?
    Cheers
    Rasmus

    When a flexconnect is in standalone mode (WAN down) what happens if the AP is reloaded?
    When your WAN link(s) goes down and your FlexConnect (H-REAP) WAP reboots, it will not service anything/anyone.
