topic Re: Cisco Guest Wireless - Issues? in General Topics

Cisco Guest Wireless - Issues?

ttreurniet — Mon, 03 Dec 2012 17:25:18 GMT

Hi all,

I recently installed a PAN 5050 cluster in-line between my internal Cisco Wireless Controllers and the DMZ guest access mobility controller and saw the control and data paths flap constantly. I put in an application override rule (along with a number of other measures not related to PAN) and the behaviour seemed to stop. Can anyone confirm whether puting in an application override rule for UDP 16666 has definitively resolved the issue in your environment?

To PAN: Is there a proactive way to identify or confirm whether L7 inspection is causing issues with an application? (packets out of sequence, packet in/out difference auditing?)

Thanks.

Re: Cisco Guest Wireless - Issues?

cviaud — Thu, 24 Jan 2013 06:00:43 GMT

Hi,

By checking global counter and/or by making a debug packet-diag to see how packets are handled by the device, You will be able to see if there is a issue.

If you check your traffic logs, how the UDP traffic on port 16666 is seen (unknown-udp ?) ?

Regards

Re: Cisco Guest Wireless - Issues?

itsecll — Sun, 17 Mar 2013 13:55:04 GMT

We have a similar issue and in the traffic logs we are seeing it as unknown-udp

Re: Cisco Guest Wireless - Issues?

SRA — Mon, 18 Mar 2013 06:47:20 GMT

The cisco-wlc-mobility App-ID covers traffic for wireless lan controllers on udp/16666. If you are seeing this as unknown-udp, please open a case with technical support along with a packet capture.

Re: Cisco Guest Wireless - Issues?

VUGD — Wed, 03 Apr 2013 13:29:15 GMT

Just yesterday we migrated to a PAN-5050 in active-passive configuration. After that we experienced problems with flapping control and data paths.

Our setup: 4 remote WLC, 1 centralized Anchor-WLC hosted in a DMZ.

First of all, it´s important to understand that the etherchannel is always initiated by the host with the lowest MAC-Address. As a result you may want to implement (probably) bidirectional rules for easier handling. The first goal would be to make sure that no packets are dropped by your PAN. As with PAN-OS 5.0.3 and AppVer 365-1733 (03/26/13) the Application are detected correctly (etherip and cisco-wlc-mobility) – this is a sitenote realted to the following topic: https://live.paloaltonetworks.com/message/25148#25148. Only one thing seems a little bit weird: The traffic log says that etherip is using Port 0 (I´m not sure about that one).

In the second step I changed the values for the timeouts on application level (you can set custom values for etherip and cisco-wlc-mobility in the Application Tab). Unfortunately there was no recognizable difference in the behavior.

SOLUTION: I changed the default values for the session timeouts (Device > Setup > Session Tab) and rebooted the foreign as well as the Anchor WLC. After that procedure all Data and Control Paths seem to work fine.

Additional information: It doesn´t seem like this behavior/problem is Palo Alto specific. In fact I found a topic on the Cisco Support forums where someone is having the same problems with a Checkpoint firewall.

It would be nice if someone else in this community could confirm that the described work-around is working.

Re: Cisco Guest Wireless - Issues?

ttreurniet — Wed, 03 Apr 2013 13:53:51 GMT

I expect to put our PAN firewalls back into production in approximately 2 weeks. Please share what changes you made to the defaults to under the session tab. I will replicate your settings and report back on the results.

As some background on differences - we were previously an active-active cluster when the problem first manifested. The scheduled second attempt will be an active-passive cluster as 5.0.3.

Re: Cisco Guest Wireless - Issues?

VUGD — Wed, 03 Apr 2013 13:57:50 GMT

Hi,

I changed the default values for sessions according to the picture in my last post (it´s on the right side - grey on grey).

Re: Cisco Guest Wireless - Issues?

ttreurniet — Wed, 24 Apr 2013 19:00:20 GMT

I have had our PA-5050 in place with PAN-OS 5.0.4 installed using these settings and guest wireless has been solid for two weeks. Thanks for the post. : )