Cisco Wireless :: WLC 5508 - Ignoring Primary Discovery Request Received On Interface
Jan 13, 2013
I'm receiving this error on my syslog server:
capwap_ac_sm.c:1443 Ignoring Primary discovery request received on non-management interface (2) from AP
Already checked the configuration and everything seems OK. They are registered and with clients associated. What could be the cause?
We have two WLC's 5508. Following are its interfaces & details:
mgmt 10.49.5.251 on wlc1 & .252 on wlc2
access p 10.49.6.251 on wlc1 & .252 on wlc2
There is no AP manager interface seen on both wlc's nor configured. Both wlc1 & wlc2 are connected each to two switch ports, configured as normal trunk link each. LAG is enabled on both WLC's.
I have a Catalyst switch that is redistributing some static routes into OSPF. These are received on a Nexus 7K and appear in the database however the 7K does not add them to its routing table, one of the routes is ignored and not added. I haven't got a clue why this is happening.
The routes on the Catalyst are as follows with ID of 172.30.255.22:
ip route 172.24.59.0 255.255.255.0 10.56.7.46
ip route 192.168.168.0 255.255.255.0 10.56.7.62

sh ip ro 172.24.59.0/24
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]

172.24.59.0/24, ubest/mbest: 1/0
    *via 172.30.253.10, Po7, [110/20], 20w4d, ospf-NCC, type-2

sh ip ro 192.168.168.0/24
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]

Route not found
We are setting up a WLC 7500 for the first time and are having a hard time trying to connect an LAP to the WLC. We have 1042 Access Points. Reason for last unsuccessful attempt: too many concurrent ap image downloads
-Last Error Occurred: Lwapp discovery request rejected
-Last Error Occurred Reason: Too many concurrent AP image downloads
We only have 1 AP plugged in so far and it does receive an IP address from DHCP.
I am in the process of turning our autonomous wireless network into a centrally managed lwapp network. We have a new 5508 with 1140 series APs which will be distributed in three locations nationwide.
My manager saw a presentation that showed the AP just getting plugged in and all of its configurations were downloaded. Right now I am able to get basic global information to install on an AP in the local network but I feel I am missing something. If I have three locations using different IP schemes (eg: 10.0.1.0 for A, 10.0.2.0 for B and 10.0.3.0 for C), the remote locations are getting their DHCP info from the routers.
Is there a way based on location/IP that the APs associate themselves with the correct WLAN or AP group? How much can I automate once the AP discovers the controller? I am reading the manual and searching the web but information is a bit vague on this. My plan is if an AP fails in a remote location, all I need to do is ship a new AP out to be replaced and when the AP is added to the network the firmware and other information is downloaded and is then ready to be accessed with minimal configuration on the controller end.
I have a wireless network infrastructure that is controlled by two WLC 5508s, Prime NCS and ISE. I have two networks for my users, an employee network and a student network. I started publishing the information for these networks via a group policy and the settings are identical, with the exception to the SSID.
My employees can logon to the employee network with no problems. I can walk up to any laptop, regardless if I have logged on to it before or not, and logon with no issues. ISE correctly profiles my account and authorizes me for the right profile. My students however are another story. Laptops that are designated for student use have the wireless network in their network list, and at the logon it shows that it will attempt to connect to the STUDENTS network. When I enter in a student username and password, it begins to login but then gives an error that says:
'There are currently no logon servers available to process the logon request'
The students cannot login at all. I can use my domain admin or my account and login to one of the units with no problem, even if I haven't logged onto the unit before with that account.
I don't know if this is an ISE issue or some other type of issue. I'm leaning towards ISE being the issue, since it's what is passing authentication through to the domain. I have my students all in groups and I have those groups added to ISE, just like I have my employees added.
I am getting a little confused about the configuration of my second WLC. I have a project going on with a main office and 10 sites. I have placed my primary WLC 5508 with software 6.0, and in all the branches I deployed APs. I put all the APs in H-REAP mode and did VLAN mapping. I created groups based on the location and put these APs inside those groups. All the sites seem to be working perfectly. Now I have to place my second WLC in another branch. I did all the initial configuration of my 2nd WLC.
But I am worried: if my primary WLC fails, how can it be taken to the second WLC? And if I put the primary IP and secondary IP inside Wireless --> High Availability, do I again need to configure those WLANs, AP groups, everything in this WLC separately, or is there any option? If I need to create the groups, do I need to select the APs which are already added to the primary WLC groups?
I have newly deployed a Prime Infrastructure (PI) in my network, and I want to add my wireless controller in it. I get an SNMP time out error whenever I add my controller to PI through SNMP.
There are default SNMP configurations in the controller and I am simply adding them in PI with their private/public SNMP string.
WLC 5508 is connected to my core switch and PI is connected to another switch which is directly connected to core switch via Layer 3.
Is there any configuration required to be done on the switch side?
I just turned on 2 Wireless LAN Controllers 5508 and I am getting this message on both of them:
Loading primary image (Image not found)
** Unable to read "linux.pri.img" from ide 0:2 **
Loading backup image (Image not found)
** Unable to read "linux.bak.img" from ide 0:2 **
And it is taking me to the BootMenu. I selected option 4 to Clear Configuration and the controller seems to restart the system but I still get the same error. I checked the LEDs status and Sys is Amber and Alarm is OFF which according to the documentation is a System Crash.
I'm trying to add some 2800 series routers to our monitoring environment, but I can't get them discovered.
On the Mgmt Server I need to go through a "discovery" process to add the 2800 to the system. For this I target the internal interface ( i) but the discovery fails. I'm assuming the packets are getting dropped on the outside interface (e). I know SNMP is set up correctly and works as I had PRTG installed on a local box (p) for testing purposes.
The intention is to do the data gathering via a proxy agent (p), so enabling SNMP on the outside interface is not going to do me any good. What do I need to do to let those discovery packets pass through? At least temporarily?
Using a small network (WAN) with three 1921 routers (IOS 15.1(T)) connected via E1 links. One host (industrial PC - Core 2 Duo running Win XP Pro) connected to each router. The spare Gigabit Ethernet port on each router is bridged with the active one (so a portable management PC (laptop) can be plugged in there and communicate with the router and the industrial PC).
Multicast routing strategy between the routers is as per "Anycast - Static RP", with PIM sparse-mode enabled on all interfaces and sink RP defined on all three routers.
Problem occurs when a (IPV4) multicast application on one PC communicates with the others:
(a) IGMP V2 membership reports etc. work correctly at the sender and at the other two PCs receiving the multicast stream
(b) Multicast routing on the WAN is working correctly; running Wireshark on the receiving PCs shows that multicast data is received on the expected group.
(c) But, there is an error in the Ethernet packets
i. The first packet's Ethernet header contains the correct destination MAC address 01:00:5E:aa:bb:cc where aa:bb:cc match with the last three octets of the multicast group's address, and that packet is received OK by the listening multicast application
ii. However, subsequent packets' Ethernet headers have the wrong MAC address 01:00:5E:00:00:00 (the last three octets are all zeroes) and these packets are discarded by Windows on the receiving PC and not seen by the multicast application.
Problem is related to the presence of integrated routing & bridging; if I delete the bridge virtual interface, disable bridging and give the two Gigabit Ethernet ports their own IP addresses, the multicast reception works correctly; all received multicast packets have the expected value on the destination MAC address (matching the group address). I have used the same integrated routing/bridging configuration successfully on Cisco 2611 and 2811 routers and there was no such issue with the multicast packets. Have I overlooked some subtle aspect of configuration in the 1921 router or have I uncovered a bug...?
For reference - snippets from router configuration scripts: In the non-working configuration (with Integrated Routing & Bridging)
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
[code]....
In the working configuration all the bridging is gone and the two Gigabit Ethernet interfaces have a very plain & simple configuration in different subnets
interface GigabitEthernet0/0
 ip address 192.168.212.1 255.255.255.128
 no ip directed-broadcast
 ip pim sparse-mode
 duplex auto
I have an ASA5540 firewall set-up with an interface MTU of 1500.
I suspect that we are receiving packets with a larger MTU but have not found an easy way of confirming this. Any command that can be run on the firewall to display the MTU packet size being received on an interface?
We are also running Solar Winds so could query an OID if such a variable exists.
We are experiencing a lot of these RADIUS failed to respond messages on our WLC's leading to a lot of RADIUS server hopping within the WLC. We are using Cisco 5508's, 1142 AP's and a Microsoft NPS RADIUS backend. SSID is WPA2+802.1x. The first workaround to this problem was to disable aggressive failover on the WLC. But this is only a temporary fix, because in the end, there will be more than 3 consecutive clients, failing to authenticate to the WLAN network. As a result, the WLC will swap to the 2nd RADIUS server configured. When we dived into this a little bit more we saw the following messages being logged on the RADIUS backend at the time we saw the RADIUS messages on the WL: Event ID: 6274: Network Policy Server discarded the request for a user.
Management purchased a HA package from Cisco consisting of 2 5508's with pre installed 500 users license on the Primary WLC and none on the secondary WLC. We have 5508's already so I am familiar with setting them up and so forth. What I am not familiar with is setting them up using HA for failover and license sharing. I've looked and looked and can't find documentation online showing how to set this up. I have found some but nothing that is complete. I have spent 2 days spinning my wheels.
Here's my problem. I'm going to be using Cisco 1941 routers at a bunch of remote sites. All of these sites have 2 comm paths out. Some of them have 2 IP/VHF radios and some have 1 IP/VHF radio and a copper link using Patton ethernet extenders. From the VHF radios the data hit our MPLS network back to our HQ and the sites with copper go directly back to our HQ. Everything ends up at a Cisco 4948 switch. The problem I'm having is that I want the routers at the remote site to use one ethernet port (G0/0) as the primary and the other (G0/1) as the backup interface. I've tried the backup interface command but the problem is that depending on where an outage occurs the ethernet link to either the radio or Patton stays up so it never switches over. We're using OSPF as our routing protocol and I'm sure there's something that can be done with it but I'm not sure what.
I am in the process of upgrading our wireless infrastructure from a series of APs centrally managing the infrastructure centrally with the WLC 5508 and new APs (1142). All seems to be going well, the APs see the controller and are downloading the latest information/changes and I can connect to a test network. The current issue I am having is that I cannot connect to the AP via the web interface.
The config for the management interface of the 5508 is:
interface GigabitEthernet4/0/20
 description ** Connection to WLC-5508-01 **
Yesterday I was in one of our client premises configuring a WLC 5508 with software 7.2, went through the initial configuration wizard with no problem whatsoever, my issue began when trying to configure an ap-manager interface. In many WLC configuration guides Cisco states that for 5508 it is not required to configure an ap-manager interface because the management will suffice, but then they put a side note recommending its configuration for best practices and better performance. OK so I saw that in an earlier version document and now they do not make the recommendation but they still use the word required and for me that still is not a limitation. I can't create the ap manager interface because when I put the VLAN ID it says that it is being used by another interface.
I'm setting up a new 5508. I've used the config from a 4402, have successfully connected to the Service port to manage the device, but for some reason cannot connect to the Management interface. In this case, port 1.
The service port is connected to a Catalyst switch and grabbed an ip address (10.2.x.x subnet) no problem. I can access the 5508 via https using the SP. However, port 1 is connected to the same Catalyst switch, but on a different vlan (subnet 10.20.x.x). Both ends show that the interfaces are up, I can ping the interface from any other host on the network, but when I try to manage the device via https I cannot connect. We are using WCS and I cannot add the device from the WCS. About all I can do is ping that interface.
At the moment we are using as default the manager interface as ap-manager interface.
Now I have to change the IP. I would like to change that very smoothly with all our locations. My question: is it possible to add an ap-manager interface with a new VLAN and IP range, so that I can move the APs to the second interface as soon as it is planned with the location? Sometimes in special cases we have hard coded the WLC IP or we just need to change the DHCP option but this needs to be planned and I see a problem to do that in a hard cut.
After I've upgraded software to the v7.3 and applied AP-SSO it made it impossible to access the controller's GUI via Service-port. So we tried to access it by management-port, but there is some problem too. It is not working from other subnets. But default gateway on management VLAN is set correctly and I even tried to turn off all ACLs on the switch. WLC is only accessible from the same network. But at the same time the WLC is replying to ping fine. All other protocols cannot connect to the controller.
I am wondering if anyone has seen this before. We have about 50 AIR-LAP1242AG-E-K9 access points connected to a WLC5508 running 7.4.100.0. These were all being used as autonomous APs previously and were converted when the controller was installed. About 12 of these have a lovely feature where their radio interface goes down at random. The radio is still in enable mode but the operational status is DOWN. It seems to happen particularly when there has been a power outage and the AP rejoins the controller. All of the other 1242s are fine and never see this problem. The APs are all on power injectors.
Once the radio is down, the only way I can get them to come back online is by doing the following:
1. Set the radio admin status to "disable" and apply
2. Turn off CDP
3. Reboot the AP. Wait until the AP is back online and registered on the controller
4. Enable the radio admin status and CDP.
If I do not remove the CDP setting I cannot bring the radio back to "UP". I know we had previous issues with autonomous 1242 APs that did not like CDP being enabled. Have I perhaps got a bunch that are like that? Despite these having operated as autonomous APs they are AIR-LAP1242 from the factory.
I have 2 x 5508 Wireless Controllers, 1 mgmt port on each as standard. I noticed something different between these controllers running the same code. I can bind a physical port to the mgmt interface on one controller but not the other (both interfaces are untagged). See below, this config appears on one controller but not the other? Is this something to do with the initial setup? How can I add Physical information to the other controller mgmt interface, I cannot delete the mgmt interface.
Physical Information
Port Number
Backup Port
Active Port
Enable Dynamic AP Management?
I have got a wireless project with a WLC at the main office and 10 sites where APs are located, and the APs are getting registered. We need the same 4 SSIDs in all branches.
ssid guest
ssid scanner
ssid user
vlan 600 main office for scanner 192.168.1.0
in branch vlan 600 for scanner but ip is 172.16.1.0
And BGP is running. The customer is asking me not to edit the IP range or VLAN or create a new VLAN, but in the WLC I am not able to create a branch network 172.16.1.0 range interface and VLAN 600, as I already created VLAN 600 for the scanner main office 192.168.1.0. So is there a way to do that?
Temporarily, at one site, I created VLAN 610 in the branch with no IP, and in the main office gave interface VLAN 610 another IP range, and I created the interface in the WLC. From the branch I can connect to the SSID and get an IP. But they don't want to create any additional VLAN or another network. The customer doesn't have a SmartNet contract. They recently bought 2 WLC 5508 and 40 AP 1142.
Since the WLC5508 MGMT interface is configured as AP-Mgr at the same time, can I set a Backup Port to the WLC5508 MGMT interface? Refer to WLC configuration Guide:
In the Backup Port text box, enter the number of the backup port assigned to the management interface. If the primary port for the management interface fails, the interface automatically moves to the backup port.
Note Do not define a backup port for an AP-manager interface. Port redundancy is not supported for AP-manager interfaces. If the AP-manager interface fails, all of the access points connected to the controller through that interface are evenly distributed among the other configured AP-manager interfaces
If I need to configure the backup port for the MGMT interface, do I need to remove the AP-manager on the MGMT interface and create a network dynamic interface for AP-Manager?
We have a Windows XP machine on our network that is giving us a strange problem. We have it statically configured with an IP and a default gateway address which points to a router on our network. This is the same router that nearly all of our machines point to and none of the other machines have this issue. If we open up CMD and make a ping request from an outside server (public or internal servers on other subnets) we get a 'destination host unreachable' error. We can ping the IP address of the router that is assigned as the default gateway. We can circumvent this IP address by adding a static route ('route add' from CMD) directing all traffic on the network interface to the IP of the router. Once this is done we can ping and get a response from any server both internal and external. We also tried doing a tracert (without having the static route added) to an external site by IP address. The tracert does not even show a hop for the router so it seems as if the request is never making it past the interface on the XP machine. We simply get an error saying it is unable to find the host. Interestingly though, it does provide us with a domain name for the IP address. So somehow it is able to resolve DNS. (We have a local DNS server on the same subnet)
It's been a while since I configured a Cisco firewall (PIX 6.0, SDM) - I've now been thrown in the deep end with a pair of 5525-X's (Latest Software) and I need to achieve the below:
Websense integration (Got this working)
AAA Authentication for various outbound traffic routes.
I'm using ASDM as I'm more comfortable with the GUI than CLI (I'm the other way round with switches!!!), I have AD Agent configured but the ASA isn't doing anything based on User Name but I have a few other things to try. What I'm trying to achieve now is ignoring certain user names from being matched to IP Addresses as I believe that this may have something to do with it. We use Sophos AV and each PC requires a Service Account to run Sophos under. Each update that Sophos attempts is seen as a login and that is the user attached to the IP Address of the machine. Within Websense, it can be told to ignore certain users for purposes of filtering and reporting etc., but I don't seem to be able to do this with the AD Agent.
I made the unpleasant discovery recently that all my corporate laptops are using the wifi network even when sitting on their docks or otherwise connected to the wired network. Most of them have Intel wifi cards, and the PROSet software allowed me to disable-by-policy wifi if a LAN connection is detected. Some, however, have a more generic wifi card that doesn't have fancy management software, leaving me with the default Windows stuff. In an attempt to correct the problem I
a) Put Local Area Connections at the top of the Adapters and Bindings list
b) manually assigned cost metrics to the connections in the tcp/ip settings
I face a strange behavior with my rv220w router: I set up access rules to deny all outbound traffic for a particular IP range. It seems to work fine ... but when I enable content filtering, HTTP access on port 80 works again (and other ports are denied). It seems that activating content filtering makes the router ignore the firewall rule.