Cisco WLAN Controller doesn't want to use default gateway

Tommouse

Senior member
Feb 29, 2004
986
0
0
Hello All

We just rolled out a Cisco 4400 series Wireless Controller. Got it working no big deal, and it's working great, no complaints from users or anything :). BUT manageability-wise it's still being a pain: it doesn't want to use its default gateway, as far as I can tell. I have to remote to another machine on the 20net (where the controller also is) then ssh in, as sshing from anything off the 20net doesn't work. Which screams routing problem but I can't find where the config is fubared. Here is a clip of the config, all the interface stuff anyways, I hope you enjoy my private IPs ;).

Usually this is the case when IP Routing gets turned on, but I can't find any mention of it. Regardless I tried adding a default route and it complains when I put in an IP/mask of 0.0.0.0. It can ping the gateway, just doesn't use it. Any help would be great :) TIA!

(WLAN-Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 4.1.185.0
RTOS Version..................................... 4.1.185.0
Bootloader Version............................... 3.2.195.10
Build Type....................................... DATA + WPS
<--snip-->
(WLAN-Controller) >show running-config
<--snip-->
interface create corporatewlan 100
interface create guestwlan 101
interface create mgmnt 1
interface address ap-manager 192.168.102.2 255.255.255.0 192.168.102.1
interface address dynamic-interface corporatewlan 192.168.100.2 255.255.255.0 192.168.100.1
interface address dynamic-interface guestwlan 192.168.101.2 255.255.255.0 192.168.101.1
interface address management 192.168.102.3 255.255.255.0 192.168.102.1
interface address dynamic-interface mgmnt 192.168.20.80 255.255.252.0 192.168.20.67
interface address virtual 1.2.3.4
interface dhcp ap-manager primary 192.168.102.3
interface dhcp dynamic-interface corporatewlan primary 192.168.100.1
interface dhcp dynamic-interface guestwlan primary 192.168.101.1
interface vlan corporatewlan 100
interface vlan guestwlan 101
interface vlan mgmnt 1
interface port ap-manager 1
interface port corporatewlan 1
interface port guestwlan 1
interface port management 1
interface port mgmnt 1
network mgmt-via-dynamic-interface enable
<--snip-->
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
As long as 192.168.102.1 is the gateway it should be fine. There is no real concept of a default gateway for the controller; each interface has its own gateway address.

Are you sure your trunking and native vlan are set up correctly on the switchports?
 

Tommouse

Sorry, I should have been more clear. The gateway that I want it to use is 20.67 from the 20.80 IP on the mgmnt interface. This is my workaround so I don't have to route the 102 network around. If I change the management (not mgmnt, that's the interface I made) interface to have the exact same info, it works, but then the APs don't configure correctly. I don't understand why, but that's what I have observed.

So I created this other interface and set it up the same way and used the command to enable management via "dynamic-interfaces." So now I can get to the controller from the 20 network (great, works as planned) but once I'm on another network, it can't connect anymore. So the 20.80 interface is able to talk, and is making it back into our corporate office (we have a /22 net that we use everywhere, it's not ideal and it's one of the things I've slowly been reworking since I was hired) where the gateway is. It can ping the gateway, it just doesn't use it as its gateway.

The native vlan stuff is ok, as everything else works as desired except for this one last bit (no pun intended).
 

spidey07

Well, I've only ever used the management interface. That's probably your problem. Is it running in Layer 3 LWAPP mode?

Also the reason the APs have trouble is they learn the address of their controllers when they start up via dhcp or dns (however you set it up). If you go changing this without changing the corresponding dhcp or dns information then they will attempt to join an address that is no longer reachable.
 

Tommouse

Yes, we are running it in Layer3 LWAPP mode.

Here is the bit where I host the DHCP server locally on the controller. (The goal is to keep the 102 net cut off from as much as possible)

dhcp create-scope APs
dhcp address-pool APs 192.168.102.10 192.168.102.25
dhcp enable APs
dhcp network APs 192.168.102.0 255.255.255.0

Thanks for the replies spidey :)
I'm personally thinking it's a bug of some sort as the command to use a "dynamic-interface" for management was just added in a 4.x release. They (some site ...) stated that before version 4 you are SOL. So might be a bug.
 

nightowl

Golden Member
Oct 12, 2000
1,935
0
0
Ok, so you defined the default gateway for the management interface as 192.168.102.1. The "mgmnt" interface is a dynamic interface for a WLAN. If you want to use the address that you mentioned before for your default gateway you will need to change the VLAN the management interface is on. There are only 2 interfaces that you can access on the controller: the management and service interfaces. Also, the service interface has to be on a separate CLASSFUL subnet than other interfaces.

If you have any other questions let me know.

Here is the config from my controller

interface create guest 0
interface create private 12
interface address ap-manager 172.20.5.4 255.255.255.0 172.20.5.1
interface address dynamic-interface guest 172.20.15.2 255.255.255.0 172.20.15.1
interface address management 172.20.5.3 255.255.255.0 172.20.5.1
interface address dynamic-interface private 172.20.12.2 255.255.255.0 172.20.12.1
interface address virtual 1.1.1.1
interface dhcp ap-manager primary 172.20.5.1
interface dhcp dynamic-interface guest primary 172.20.15.1
interface dhcp management primary 172.20.5.1
interface dhcp dynamic-interface private primary 172.20.12.1
interface vlan ap-manager 5
interface vlan management 5
interface vlan private 12
interface port ap-manager 1
interface port guest 2
interface port management 1
interface port private 1

Edit: There are multiple ways an AP can learn the controller's address, and L3 LWAPP is the only mode of operation now. The methods for finding the controller are as follows: L3 broadcast for APs on the same subnet as the management interface of the controller, over the air from existing LWAPP APs, previously learned management IP, DHCP option 43, and finally DNS.
 

spidey07

nightowl, I think you're on the right track. I think it could be a bug. A call to TAC would probably be in order.

The classful aspect of the service interface is important as well and catches me every time.

What he's trying to do is access a dynamic interface for management. I'm not used to this and it sounds like a new feature. Can you now assign the true management address/interface as a dynamic INT?
 

nightowl

Spidey, it is indeed a new feature that was added and it has not been publicized so I did not know it even existed. I am going to check on my controller to try it out.

Edit: It does work for me on the dynamic interfaces. I am running 4.2.61 and all that I did was add the mgmt-via-dynamic command to the config and it worked with the config that I posted.
 

Tommouse

I just noticed that we are running 4.1.185.0, and not 4.2.61.0. The consultant my boss's boss brought in to do the initial setup told me/us it was up to date. Guess not... Also found out that these only support tftp, so I won't be upgrading it anytime soon as it has to go over a WAN link, and I'm not rolling those dice. I'm sure I could checksum it on both sides to make sure it's the same, but I'll just wait until I'm sitting next to it to upgrade, as if something does go wrong I don't want to be 30 miles away.

I will try upgrading the next time I'm out at that location. Thanks guys! :)
 

nightowl

Well, I would not automatically say it is a bug. I would open a TAC case if you really want to find the source of the problem (be it a bug or something else). I have another controller that I can try to see if this feature works. I did run through the release notes and did a quick search and I did not see any bugs relating to the problem you are seeing though.

Edit: I just tried this on a 4402 running 4.1.171 and it worked fine. I would look at your network configuration (network and controller) for problems. It does seem that your controller is fine though from what you have posted.

A couple of things to check: first, how are you accessing the controller (wired or wireless)? Second, what is the configuration of your ethernet interfaces on the controller, switch, and L3 gateway (trunking, LAG, routing)?
 

nightowl

So, I did find a bug that looks like what you are seeing, Tommouse. When I was working on my controller running 4.2.61.0 I forgot to check from a L3 hop away, and when I did do that I could no longer connect to the dynamic interface anymore. The interesting thing is that 4.1.171.0 does work as you would think it should. If you want to check with TAC they may have an interim release for you that will fix this, or you can change your "management" interface to the mgmnt network and change over your APs.

I know you tried this earlier and did not have much success, but if you let me know how the APs are discovering the controller I can give you a hand with changing things over.
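
Added example, not part of the thread: if the management interface is moved and the APs discover the controller through DHCP option 43 (one of the methods listed above), the option value has to be regenerated for the new management IP. The sketch below reads `interface address` lines like those posted in the thread and builds that value. The sub-option layout used (type 0xf1, length, packed IPv4 addresses) is Cisco's documented format for lightweight APs and is not stated in the thread; the function names are hypothetical.

```python
import ipaddress

# Interface lines copied from the first config posted in the thread.
CONFIG = """\
interface address ap-manager 192.168.102.2 255.255.255.0 192.168.102.1
interface address management 192.168.102.3 255.255.255.0 192.168.102.1
interface address dynamic-interface mgmnt 192.168.20.80 255.255.252.0 192.168.20.67
interface address virtual 1.2.3.4
"""

def interface_addresses(config):
    """Map interface name -> (IPv4Interface, gateway) from 'interface address' lines."""
    found = {}
    for line in config.splitlines():
        words = line.split()
        if len(words) < 3 or words[:2] != ["interface", "address"]:
            continue
        if words[2] == "dynamic-interface":
            del words[2]            # the interface name follows this keyword
        if len(words) != 6:
            continue                # e.g. the virtual interface has no mask/gateway
        name, ip, mask, gateway = words[2:]
        found[name] = (ipaddress.ip_interface(f"{ip}/{mask}"),
                       ipaddress.ip_address(gateway))
    return found

def encode_option43(controller_ips):
    """Build the option 43 value: 0xf1, length (4 per controller), packed IPs."""
    packed = b"".join(ipaddress.IPv4Address(ip).packed for ip in controller_ips)
    if not packed or len(packed) > 255:
        raise ValueError("need between 1 and 63 controller addresses")
    return bytes([0xF1, len(packed)]) + packed

def decode_option43(data):
    """Reverse of encode_option43; rejects a wrong type or inconsistent length."""
    if len(data) < 2 or data[0] != 0xF1:
        raise ValueError("not a 0xf1 controller list")
    body = data[2:]
    if data[1] != len(body) or len(body) % 4:
        raise ValueError("length byte does not match the address list")
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, len(body), 4)]

if __name__ == "__main__":
    for name, (iface, gateway) in interface_addresses(CONFIG).items():
        value = encode_option43([str(iface.ip)]).hex()
        print(f"{name:12} {iface} gw {gateway} "
              f"gw-in-subnet={gateway in iface.network} option43={value}")
```

Only the value for the interface the APs actually join belongs in the DHCP scope; the loop prints all of them so the current and the proposed management addresses can be compared side by side.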