Traffic LWAPP Flow the WLC

Similar Questions

• The traffic load between the power of Cisco ASA and FireSight Management Center fire

  Hi all

  I have a stupid question to ask.

  Can I know what is the traffic load and the e/s flow between firepower Cisco ASA and FireSight Management Center?

  Currently working on a project, client require such information to adapt to their network. Tried to find in the document from Cisco, but no luck.

  Maybe you all have no idea to provide.

  It varies depending on the number of events reported from the module to the CSP. No event = only health controls and policy changes are exchanged. 10,000 events per second = much more traffic.

  Generally it is not a heavy load, however.

• Uplink on the WLC 2100 series

  Hello

  I missed something in the Cisco WLC 2100 series documentation. In fact, the plug technical it is mentioned that the WLC 2100 "provides eight 10/100 Ethernet ports to support a combination of access points and rising redundant LAN", while in the configuration guide noted that the WLC 2100 supports no LAG (aggregation of links). So how WLC 2100 can use a redundant network connection without aggregation of links?

  Thank you in advance.

  You can use a port for management and interface ap - manager and another for the vlan specific used for the ssid of your wlan with connection of access points to your WLC. This way you can say that port 1 is your management and ap-Manager, port 2 is for your internal ssid vlan x, port 3 is for your voice ssid vlan x, port 4 is for the traffic of comments, 5 & 6 port is used to connect the two access points.

• Upgrade for the WLC code questions

  We 6.0.132 (lastest) WCS and our controllers are on 4.2.130, we now to upgrade to deal with sometimes, but don't want to capwap yet.

  Question 1: what is the last exit LWAPP code?

  Question2:Whats the differences between 4.2.207 (support page for cisco said it's the latest version), but it has same releases with ie 6.0 how it works it is very confusing workout a way to upgrade to higher versions

  See you soon

  Hi Tyrone,

  I'm not an expert on the management of versions, but here are some basic in response details

  at your request

  4.2.207 is the last version on the Train of 4.2 and is without doubt an excellent choice

  If you are avoiding CAPWAP for now. You will see in the link below which

  There are several 'simultaneous' for the WLC Trains (and most of the Cisco product). People

  were not big fans of the first Trains 5.x (quite buggy) and was introduced to CAPWAP

  in 5.2 and the attacker thus is why 4.2.207 seems to be a good choice for you

  In the later version or 5.2 controller software version, Cisco lightweight access points use the IETF control and commissioning of Access Points (CAPWAP) standard protocol to communicate between the controller wireless and other points of light access on the network. Versions software controller before 5.2 use the Lightweight of Point access (LWAPP) Protocol to these communications.

  CAPWAP, which is based on LWAPP, is a standard and interoperable protocol that allows a controller manage a collection of wireless access points. CAPWAP is implemented in version 5.2 software controller for these reasons:

  *

  To provide a path for upgrade of Cisco products that use LWAPP generation Cisco products that use CAPWAP
  *

  To manage RFID readers and similar devices
  *

  To allow controllers to interoperate with third party access points in the future

  LWAPP compatible access points can discover and join a CAPWAP controller, and conversion to a controller of CAPWAP is transparent. For example, the process of discovery of controller and firmware download process when using CAPWAP are the same as when you are using LWAPP. The only exception is for layer 2 deployments, which are not supported by CAPWAP.

  You can deploy CAPWAP and LWAPP controllers on the same network. The CAPWAP compatible software allows access points join to be a controller running CAPWAP-LWAPP. The only exception is the Access Point Cisco Aironet 1140 series, which takes in charge only CAPWAP and joined so only controllers that run CAPWAP. For example, 1130 series access point can reach a controller running CAPWAP or LWAPP considering that access of series 1140 point can join only a controller running CAPWAP.

  http://www.Cisco.com/en/us/products/ps6366/products_qanda_item09186a008064a991.shtml

  4.2.207 was released on July 24, 2009 which makes the new second version available on any train.

  http://www.Cisco.com/en/us/products/ps6366/prod_release_notes_list.html

  See you soon!

  Rob

• VPN Cisco ASA 5540 L2L - one-way traffic only for the pair to a network

  Hello

  I'm a little confused as to which is the problem. This is the premise for the problem I have face.

  One of our big clients has a Cisco ASA5540 (8.2 (2)) failover (active / standby). Early last year, we have configured a VPN from Lan to Lan to a 3rd party site (a device of control point on their end). He worked until early this week when suddenly the connection problems.

  Only 1 of the 3 networks the / guests can access a remote network on the other side. 2 others have suddenly stopped working. We do not know of any change on our side and the remote end also insists that their end configurations are correct (and what information they sent me it seems to be correct)

  So essentially the encryption field is configured as follows:

  access-list line 1 permit extended ip 10.238.57.21 host 10.82.0.202 (hitcnt = 2)
  access-list line 2 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252 (hitcnt = 198)
  access-list line 3 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252 (hitcnt = 173)

  Free NAT has been configured as follows (names modified interfaces):

  NAT (interface1) 0-list of access to the INTERIOR-VPN-SHEEP

  the INTERIOR-VPN-SHEEP line 1 permit access list extended ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
  permit for Access-list SHEEP-VPN-INSIDE line lengthened 2 ip host 10.238.57.21 10.82.0.202

  NAT (interface2) 0-list of access VPN-SHEEP

  VPN-SHEEP line 1 permit access list extended ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252

  After the problem started only 10.207.0.0/16 network connections worked for the site remote 10.82.0.200/30. All other connections do not work.

  There has been no change made on our side and on the side remote also insists there has been no change. I also checked how long the ASAs have been upward and how long the same device has been active in the failover. Both have been at the same time (about a year)

  The main problem is that users of the 10.231.191.0/24 cant access remote network network. However, the remote user can initiate and implement the VPN on their side but usually get any return traffic. Ive also checked that the routes are configured correctly in the routers in core for the return of their connections traffic should go back to the firewall.

  Also used of "packet - trace" event raising the VPN tunnel (even if it passes the phases VPN). For my understanding "packet - trace" alone with the IP source and destination addresses must activate the VPN connection (even if it generates no traffic to the current tunnel).

  This is printing to the following command: "packet - trace entry interface1 tcp 10.231.191.100 1025 10.82.0.203 80.

  Phase: 1
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit rule
  Additional information:
  MAC access list

  Phase: 2
  Type: FLOW-SEARCH
  Subtype:
  Result: ALLOW
  Config:
  Additional information:
  Not found no corresponding stream, creating a new stream

  Phase: 3
  Type:-ROUTE SEARCH
  Subtype: entry
  Result: ALLOW
  Config:
  Additional information:
  in 10.82.0.200 255.255.255.252 outside

  Phase: 4
  Type: ACCESS-LIST
  Subtype: Journal
  Result: ALLOW
  Config:
  Access-group interface interface1
  access-list extended allow ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
  Additional information:

  Phase: 5
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:

  Phase: 6
  Type: INSPECT
  Subtype: np - inspect
  Result: ALLOW
  Config:
  class-map inspection_default
  match default-inspection-traffic
  Policy-map global_policy
  class inspection_default
  inspect the http
  global service-policy global_policy
  Additional information:

  Phase: 7
  Type: FOVER
  Subtype: Eve-updated
  Result: ALLOW
  Config:
  Additional information:

  Phase: 8
  Type: NAT-FREE
  Subtype:
  Result: ALLOW
  Config:
  NAT-control
  is the intellectual property inside 10.231.191.0 255.255.255.0 outside 10.82.0.200 255.255.255.252
  Exempt from NAT
  translate_hits = 32, untranslate_hits = 35251
  Additional information:

  -Phase 9 is a static nat of the problem to another network interface. Don't know why his watch to print.

  Phase: 9
  Type: NAT
  Subtype: host-limits
  Result: ALLOW
  Config:
  static (interface1, interface3) 10.231.0.0 10.231.0.0 255.255.0.0 subnet mask
  NAT-control
  is the intellectual property inside 10.231.0.0 255.255.0.0 interface3 all
  static translation at 10.231.0.0
  translate_hits = 153954, untranslate_hits = 88
  Additional information:

  -Phase 10 seems to be the default NAT for the local network configuration when traffic is to the Internet

  Phase: 10
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  NAT (interface1) 5 10.231.191.0 255.255.255.0
  NAT-control
  is the intellectual property inside 10.231.191.0 255.255.255.0 outside of any
  dynamic translation of hen 5 (y.y.y.y)
  translate_hits = 3048900, untranslate_hits = 77195
  Additional information:

  Phase: 11
  Type: VPN
  Subtype: encrypt
  Result: ALLOW
  Config:
  Additional information:

  Phase: 12
  Type: VPN
  Subtype: ipsec-tunnel-flow
  Result: ALLOW
  Config:
  Additional information:

  Phase: 13
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:

  Phase: 14
  Type: CREATING STREAMS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:
  New workflow created with the 1047981896 id, package sent to the next module

  Result:
  input interface: interface1
  entry status: to the top
  entry-line-status: to the top
  output interface: outside
  the status of the output: to the top
  output-line-status: to the top
  Action: allow

  So, basically, the connection should properly go to connect VPN L2L but yet is not. I tried to generate customer traffic of base (with the source IP address of the client network and I see the connection on the firewall, but yet there is absolutely no encapsulated packets when I check "crypto ipsec to show his" regarding this connection VPN L2L.) Its almost as if the firewall only transfers the packets on the external interface instead of encapsulating for VPN?

  And as I said, at the same time the remote end can activate the connection between these 2 networks very well, but just won't get any traffic back to their echo ICMP messages.

  access-list extended allow ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
  local ident (addr, mask, prot, port): (10.231.191.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (10.82.0.200/255.255.255.252/0/0)
  current_peer: y.y.y.y

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 131, #pkts decrypt: 131, #pkts check: 131
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 0

  If it was just a routing problem it would be a simple thing to fix, but it is not because I can see the connection I have to confirm it by the router base on the firewall, but they don't just get passed on to the VPN connection.

  Could this happen due to a bug in the Software ASA? Would this be something with Checkpoint VPN device? (I have absolutely no experience with devices of control point)

  If there is any essential information that I can give, please ask.

  -Jouni

  Jouni,

  8.2.4.1 is the minimum - 8.2.4 had some issues (including TCP proxy).

  If this does not resolve the problem - I suggest open TAC box to get to the bottom of this ;-)

  Marcin

• External ACL does not increment for traffic allowed through the site to site VPN

  Hi all, we have many site - to IPSEC VPNS that are sending traffic to us successfully - the largest part of this traffic is FTP or SFTP.

  There is not configuration of the firewall of the SAA sysopt. Access lists have been configured on the external interface of the ASA to allow these VPN for FTP SFTP connections & - however, all counters are 0 when I do a 'show access-list internet-in' for FTP or SFTP.

  There are general IP entries in list of FTP & SFTP natted access connected to the Internet addresses of these FTP servers and these are increment but then there are certain customers who use the internet to transfer files.

  I guess what I was asking is ASA outside increment for traffic access lists allowed by VPN? The access list entries are for THEIRINTERNALIP to OURINTERNALIP (according to crypto card)

  Just to add that these ACL is configured through groups of objects in the case that matters - also once again that they are correctly transfer files to us - only I don't get where they are allowed.

  Thanks in advance

  Mark

  VPN traffic is flowing properly and there is no ACL allowing UDP 500 or ESP?

  Can you post the output of "sh run all the sysopt"

  Federico.

• Site to site VPN, I need all internet traffic to exit the site.

  I have 2 sites connected via a pair of SRX5308

  A = 192.168.1.0/24

  IP WAN = 1.1.1.1

  B = 192.168.2.0/24

  IP WAN = 2.2.2.2

  Now what I need to do, is to have all traffic from B to go to the site one even traffic destined to the internet. That is, I need internet traffic out of our network with the IP 1.1.1.1, even if it is from the network B.

  On my I have set up a route 1.1.1.1 of the ISP, then a value by default 0/0 to 192.168.1.1 it ASA knows how to get to the peer VPN is a more specific route, but sends everything above the tunnel, at the remote end which then hairpin of ASA routes internet outside its own WAN port traffic.

  I can understand though not how to so the same thing on the pair of SRX5308 they either don't raise the tunnel or internet route to the local site address B.

  Anyone have any ideas?

  I need to do this because we are logging and monitoring of internet traffic to A site via tapping from upstream to various IDS solutions and will not (cannot) reproduce this to all our remote sites.

  Thank you

  Dave.

  After some more thought and testing I came up with a workable solution to my own problem. I'll share it here in case it can help others.

  (1) use the wizard at both ends to implement a normal VPN that connects the two segments of network 192.168.1.0 and 192.168.2.0

  (2) go to site VPN - VPN policy remote router192.168.2.1 and click Edit

  (a) disable Netbios

  (b) select "None" from the drop-down list the remote IP address.

  (c) to apply the change

  3) go to the VPN-> VPN policy on the head end site (192.168.1.1) and click Edit

  (a) disable Netbios

  (b) select "None" from the drop-down list the local IP address

  (c) to apply the change

  Now all the traffic wil go down the VPN tunnel and exit to the internet on the site of head end. Hope this helps others with the same question.

• AP failed to connect with the WLC.

  We have 5 sets of 1700 APs works on the mode of the controller and cisco WLC 2500.
  I configured the controller as I always used to do, but this time the access points have been unable to reach the controller.
  That's what I did:
  controller IP address:192.168.1.250/24
  GW:192.168.1.1
  Primary DHCP: 192.168.1.250
  I have connected the port1 controller with ethernet cable from the switch and the same switch I connected the AP.
  We used the adapter instead of the POE switch.
  I even tried assigning address to AP directly through the console as:
  CAPWAP ap controller ip address and so on. This did not help either.

  There was this message in the AP "% CAPWAP-5-DHCP_RENEW: could not find WLC by using DHCP IP." DHCP IP renewal. "
  Moreover, the POE ports in the controller, they provide enough energy for the PA to operate?
  Help, please.
  I have attached the PuTTY log as well.

  Hello
  WLC connection has successfully been created. Then he for some reason any. I don't know if this helps, but try to connect the ethernet cable directly to the AP instead of port POE port to THE.
  You can use port POE on AP even if you don t use the POE switch.

  And regarding the port POE on WLC. Cisco doesn´t recommend that you directly connect AP to WLC, but it is possible.

  Also I Don t see that the IP address is assigned by DHCP.
  Try also to use the commands:
  CAPWAP ap ip address...
  CAPWAP ap ip default-gateway...

  I guess the WLC and switch are configured correctly.

  EDIT:

  I had similar problem today.
  Just connect the cable from the console to AP, go to mode and type the commands:
  Claire capwap private-config
  Claire lwap private-config

  then reload AP with command "reload".

  After these commands AP joined succesfully WLC

• unloading of feature to make dhcp off the WLC and put it on Active Directory.

  I need to use the feature of unloading to dhcp off the WLC and put it on Active Directory.  Someone at - it a walkthrough or a page for this?  I know it's just a checkbox and a redirect to the new dhcp server, but where the hell is the configuration on the WLC?

  Thank you!

  -anne

  You can go there.

  http://www.Cisco.com/c/en/us/TD/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_01001001.html

  Point to your existing ad integrated DHCP server.

• Config of basis for the 2nd and 3rd of the WLC?

  I saw the discussion about the configuration of the failover on of the WLC. I think I have a pretty good understanding of what is supposed to happen here. But what is really clear is the config of base on the 2nd and 3rd in WLC. They need to be configured exactly like the first, with the exception of the unique fields such as host name and ip addresses, interface and such? Usually people take the config of the first and do a "Find and replace" to fix the config for subsequent controllers? I will add 2 more to my controller in the near future and try to have a better understanding of the process until I have to implement. Thank you!

  You are right in the config WLC - unique IP/hostname info and everything else the same. There is usually not a lot of changes of configuration to do on the additional WLC, the few times that I did I have manually configured things or used WCS. Configure additional WLC being part of the same group of mobility and/or hardcode primary, secondary & tertiary controllers AP for failover.

  HTH

• ERROR:-cannot download the WLC config.

  Hello

  I'm not able to save the configuration of the wcs of wlc controller Please take a look and suggest me if I'm doing something wrong here.

  (WISN-slot1-2) > transfer mode upload tftp

  (WISN-slot1-2) > upload datatype transfer config

  (WISN-slot1-2) > transfer download IP_serveur 10.10.10.10

  (WISN-slot1-2) > download transfer path.

  (WISN-slot1-2) > name of download WLCconfig file transfer

  (WISN-slot1-2) > transfer download starts

  Mode............................................. TFTP

  TFTP Server IP... 10.10.10.10

  TFTP Path........................................ /

  Name of the TFTP file. WLCconfig

  Data Type........................................ Configuration file

  Encryption... People with disabilities

  WARNING: Config File Encryption Disabled *.

  Are you sure you want to start? y (y/N)

  TFTP Config from transfer.

  Preparation for transfer error!

  NOTE: I use the WCS as the server and do not use any what other tftp. Any help is appricaited.

  Hi Neha,

  You must restart the WLC controller if the WLC is placed on the WISN Module you must reload the WISN module after you will be able to download and upgrade the firmware of the controller.

  What is happening because of some isue internal with WISN/WLC material. I ask you to do and your problem will be solved.

  Kind regards

  Reem

• Update from the WLC-12 to WLC-50

  If someone knows if I would run through all of the questions during the upgrade of a wireless controller Cisco WLC-12 to a Cisco WLC wireless controller - 50? Can we predict problems with me simply copy the startup configuration of the WLC-12 to the WLC-50? All comments are appreciated.

  Thank you

  Travis

  I don't think that that is supported. It is best to configure the new wlc. You don't want to risk having a corrupt on the wlc configuration file. Configure the new, a side by side for you can compare the configuration... does not take long.

• How to retrieve the RADIUS shared secret key on the WLC 5508

  Hi all

  The wirelss privious admin left our company and did not let the other know the shared secret key on the WLC 5508 Radius.

  The 5508 WLC runs on the 7.0.98.0 code. I can access the viao WLC CLI and GUI. I can also access the Win2003 Radius Server, but the button displays an asterisk for me. I have listed partial RADIUS config of the WLC below. How can I get the RADIUS shared secret key? Thanks in advance.

  (Cisco Controller) > show RADIUS summary

  Vendor Id backward compatibility... People with disabilities
  Call Station Id... lower case
  Dial the Station Id Type... IP address
  Aggressive failover... Activated
  Keywrap.......................................... People with disabilities
  Rescue test:
  Test Mode.................................... Off
  Probe of username... cisco-probe
  Interval (in seconds)... 300
  MAC for authentication Messages... hyphen delimiter
  MAC for Accounting Messages... hyphen delimiter

  Authentication servers

  The State of the Port Address Type server all RFC3576 IPSec - AuthMode idx / phase 1/group/life/Auth/BA
  ---  ----  ----------------  ------  --------  ----  -------  ------------------------------------------------
  1 NM 10.xx.18.48 1645 on 2 off off - no/unknown/group-0/0 None/None

  Accounting servers

  The State of the Port Address Type server all RFC3576 IPSec - AuthMode idx / phase 1/group/life/Auth/BA

  -Other - or ITU (q)
  ---  ----  ----------------  ------  --------  ----  -------  ------------------------------------------------
  1 N 10.xx.18.48 1646 enabled 2 N/A disabled - no/unknown/group-0/0 None/None

  Kind regards

  Robert

  You can retrieve the RADIUS shared secret key as other passwords that are stored on the WLC by using the procedure at the following link:

  https://supportforums.Cisco.com/community/NetPro/wireless-mobility/begin-wireless/blog/2011/11/04/recover-wepadminguest-account-password-from-WLC

  NOTE: WPA keys are not available through these methods.

  Basically, you can enable password in clear text on the wlc with 'config passwd-cleartext enable' and then issue a "view orders of the running-config' - your RADIUS configuration command should now display the shared secret.

  -Pat

• Regarding the file of configuration on the WLC

  Hi all

  I would like to replace an AIR-WLC4402-25-K9 with AIR-WLC4402-50-K9 because of the amount of AP problem. The two controllers are running on the same version of the software 4.2.61.0. Just out of curiosity, can I just backup the old configuration and download to the new controller? I guess it should work. Correct me if I'm wrong.

  Any input will be appreciated.

  Robert

  Robert,

  It should work, because the difference between them is at a level of asic and not a config.  As long as you don't have two of them on the wire at the same time there should be no problem.

  Alternatively, you can shoot the show running-config to the WLC-25 and then download that the WLC-50 in the config > mode

  See you soon,.
  Steve

  --

  If this helps you or answers to your question if it you please mark it as 'responded' or write it down, if other users can easily find it.

• Mac, learning to the passage of the WLC

  Hello

  I plugged WLC on the main switch on concert 5/5,

  Mac address table is lower to -.

  kernel #sh mac-address-table

  Unicast entries
  port of protocols VLAN mac address type

  4001 8843.e131.1983 dynamic ip GigabitEthernet5/5
  4001 8843.e131.198b dynamic ip GigabitEthernet5/5
  4001 c8bc.c80b.f5d7 dynamic ip, other GigabitEthernet5/5
  4001 c8bc.c81c.3572 dynamic ip GigabitEthernet5/5

  selected is mac of the WLC, who are these other mac addresses of learning through concert 5/5?

  These aren't mac virtual port or service of WLC.

  Hello

  2 here is the Cisco devices... check if any other Interface such as AP manager or the dynamic interface has Mac.

  4001 8843.e131.1983 dynamic ip GigabitEthernet5/5
  4001 8843.e131.198b dynamic ip GigabitEthernet5/5,

  the MAC here is the MAC of the seller and not identified by finder YES...

  4001 c8bc.c80b.f5d7 dynamic ip, other GigabitEthernet5/5
  4001 c8bc.c81c.3572 dynamic ip GigabitEthernet5/5

  Just do what the MAC in your network...

  Let me know if that answers your question and please do not forget to note the useful messages!

  Concerning

  Surendra