Cisco Guest Wireless - Issues?

Not applicable

Hi all,

I recently installed a PAN 5050 cluster in-line between my internal Cisco Wireless Controllers and the DMZ guest access mobility controller and saw the control and data paths flap constantly.  I put in an application override rule (along with a number of other measures not related to PAN) and the behaviour seemed to stop.  Can anyone confirm whether putting in an application override rule for UDP 16666 has definitively resolved the issue in your environment?

To PAN: Is there a proactive way to identify or confirm whether L7 inspection is causing issues with an application?  (packets out of sequence, packet in/out difference auditing?)

Thanks.

All Replies
Not applicable

Hi,

By checking global counters and/or by making a debug packet-diag to see how packets are handled by the device, you will be able to see if there is an issue.

If you check your traffic logs, how is the UDP traffic on port 16666 seen (unknown-udp?)?

Regards

L1 Bithead

We have a similar issue, and in the traffic logs we are seeing it as unknown-udp.

L4 Transporter

The cisco-wlc-mobility App-ID covers traffic for wireless lan controllers on udp/16666. If you are seeing this as unknown-udp, please open a case with technical support along with a packet capture.
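
As an added check (example code, not from any poster here or from Palo Alto Networks), the script below parses constructed, simplified traffic log lines and reports how udp/16666 and EtherIP sessions are identified, plus which controller pairs show denies or very short-lived sessions. The field order and the sample lines are assumptions made for this example, not the real PAN-OS traffic log schema.

```python
"""Audit constructed PAN-style traffic log lines for Cisco WLC mobility tunnels:
control path on udp/16666 (expected App-ID cisco-wlc-mobility) and data path as
EtherIP (IP protocol 97, shown with port 0; expected App-ID etherip)."""
from collections import Counter, defaultdict
import csv
import io

# Assumed field order for this example only (not the real traffic log schema).
FIELDS = ["time", "src", "dst", "dport", "proto", "app", "action", "elapsed"]

# Constructed sample: foreign WLCs 10.1.1.x talking to an anchor WLC 192.0.2.10.
SAMPLE_LOG = """\
2013/03/26 10:00:01,10.1.1.10,192.0.2.10,16666,udp,cisco-wlc-mobility,allow,120
2013/03/26 10:00:03,10.1.1.11,192.0.2.10,16666,udp,unknown-udp,allow,2
2013/03/26 10:00:04,10.1.1.11,192.0.2.10,16666,udp,unknown-udp,allow,3
2013/03/26 10:00:05,10.1.1.10,192.0.2.10,0,etherip,etherip,allow,600
2013/03/26 10:00:06,10.1.1.12,192.0.2.10,16666,udp,unknown-udp,deny,0
"""

# (proto, dport) -> App-ID the firewall should have identified.
EXPECTED = {("udp", "16666"): "cisco-wlc-mobility", ("etherip", "0"): "etherip"}


def parse_log(text):
    """Parse comma-separated log lines into dicts keyed by FIELDS."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))


def apps_seen(rows):
    """Count how each tunnel port/protocol was identified (answers 'how is udp/16666 seen?')."""
    return Counter((r["proto"], r["dport"], r["app"]) for r in rows)


def audit(rows, flap_seconds=10):
    """Per (src, dst) pair: App-ID mismatches against EXPECTED, non-allow actions,
    and allowed sessions that ended within flap_seconds (a flapping tunnel)."""
    findings = defaultdict(list)
    for r in rows:
        key = (r["proto"], r["dport"])
        if key not in EXPECTED:
            continue  # not mobility control or EtherIP data traffic
        peer = (r["src"], r["dst"])
        if r["app"] != EXPECTED[key]:
            findings[peer].append(f"app {r['app']} != {EXPECTED[key]} on {key[0]}/{key[1]}")
        if r["action"] != "allow":
            findings[peer].append(f"{r['action']} on {key[0]}/{key[1]}")
        elif int(r["elapsed"]) < flap_seconds:
            findings[peer].append(f"short session ({r['elapsed']}s) on {key[0]}/{key[1]}")
    return dict(findings)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for k, n in sorted(apps_seen(rows).items()):
        print(f"{k[0]}/{k[1]} identified as {k[2]}: {n}")
    for peer, notes in audit(rows).items():
        print(peer, "->", "; ".join(notes))
```

Pairs that appear in the audit output with unknown-udp on 16666 are the ones to capture for a support case; pairs with only short sessions point at the session-timeout side of the problem.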

L1 Bithead

Just yesterday we migrated to a PAN-5050 in active-passive configuration. After that we experienced problems with flapping control and data paths.

Our setup: 4 remote WLC, 1 centralized Anchor-WLC hosted in a DMZ.

First of all, it's important to understand that the etherchannel is always initiated by the host with the lowest MAC address. As a result you may want to implement (probably) bidirectional rules for easier handling. The first goal would be to make sure that no packets are dropped by your PAN. As of PAN-OS 5.0.3 and AppVer 365-1733 (03/26/13) the applications are detected correctly (etherip and cisco-wlc-mobility); this is a side note related to the following topic: https://live.paloaltonetworks.com/message/25148#25148. Only one thing seems a little bit weird: the traffic log says that etherip is using Port 0 (I'm not sure about that one).

[Image: PAN_values.PNG]

In the second step I changed the values for the timeouts on application level (you can set custom values for etherip and cisco-wlc-mobility in the Application tab). Unfortunately there was no recognizable difference in the behavior.


SOLUTION: I changed the default values for the session timeouts (Device > Setup > Session Tab) and rebooted the foreign as well as the Anchor WLC. After that procedure all Data and Control Paths seem to work fine.


Additional information: It doesn't seem like this behavior/problem is Palo Alto specific. In fact I found a topic on the Cisco Support forums where someone is having the same problems with a Checkpoint firewall.


It would be nice if someone else in this community could confirm that the described work-around is working.

Not applicable

I expect to put our PAN firewalls back into production in approximately 2 weeks.  Please share what changes you made to the defaults under the Session tab.  I will replicate your settings and report back on the results.

As some background on differences: we were previously an active-active cluster when the problem first manifested.  The scheduled second attempt will be an active-passive cluster on 5.0.3.

L1 Bithead

Hi,

I changed the default values for sessions according to the picture in my last post (it's on the right side, grey on grey).

Not applicable

I have had our PA-5050 in place with PAN-OS 5.0.4 installed using these settings and guest wireless has been solid for two weeks.  Thanks for the post. : )
