Palo Alto - Cisco WLC Anchor - Foreign


L0 Member



Created a new zone on PA ether1/5, configured all interfaces. Installed a Cisco 5520 WLC as an Anchor WLC and set up policies to allow the CAPWAP tunnel to the Foreign WLC.

This was a 1 legged approach, WLC in LAG

This worked, tunnel is up and stayed up.  The client traffic breaks out to a layer 2 connection to a 3rd party managed guest solution.

All devices can connect and get an IP from a range in the DMZ.

Windows devices get the splash page for authentication from the 3rd party; Apple and Android seem to time out, SSL connections keep being dropped.


I removed LAG from the WLC and connected 1 port to be the management onto our dist; the client side is still all correct, but now when an Apple and Android device connects, it works as it should do.


Is there something on the Palo that is causing this to time out?


When the WLC was on the 1/5 port of the Palo, Cisco Prime had trouble seeing it, even though I was allowing all services and applications to connect, but as soon as it was removed from the PA, Prime and the WLC could talk with no problems.


To me, the Cisco side has no issues, but something on the Palo is affecting it.


L2 Linker



I do not know enough about WLC CAPWAP connections to even begin to assist with debugging this. More than likely, you would have to take packet captures to see what is going on at layers 2 and 3 to debug this issue.


This type of question really needs to be worked through a support case. Have you opened a case with Palo Alto Networks Tech Support?


Please visit or call:


US: 866 898 9087; Int'l: +1 408 738 7799

EMEA Support: +31 20 808 4600

APAC Support: +65 3158 5600


Thank you,




Jeff Hochberg | Sr. Systems Engineer - Technical Business Development

Palo Alto Networks | Atlanta, GA |  USA

Mobile: 404.432.1112 |


The content of this message is the proprietary and confidential property of Palo Alto Networks and should be treated as such. If you are not the intended recipient and have received this message in error, please delete this message from your computer system and notify me immediately by reply e-mail. Any unauthorized use or distribution of the content of this message is prohibited.


Please let me know if you run into any issues with opening a support case.


