Unable to connect to management GUI Cisco 5508 WLC

We have three Cisco 5508 WLC. On one only I cannot connect (doesn't even get to login prompt) to the management GUI, only from a certain site. However, if I RDP to a workstation at another site I can connect and login fine (IP address specific?).

Is there some security setting that causes the controller to reject access attempts from certain IP addresses or subnets? I've looked and not found anything.

Thank you.
CUSD200 Asked:
Craig Beck Commented:
Check CPU ACLs on the WLC.
CUSD200 Author Commented:
Good thought, but there are no ACLs.
Craig Beck Commented:
Can you ping the WLC from the site that can't access the management interface?
CUSD200 Author Commented:
Yes. A little research led me to this, but our WLC is in 10.120.x.x, while wired clients (where we're trying to access it from) are in 10.20.x.x:

Cannot manage WLC from same subnet

Maybe a reboot would do it? I can't even say for sure how long this condition has existed, as I can access it from my workstation in a different building (10.100.x.x subnet), which is where we RDP to and connect successfully. I wasn't even aware there was a problem until last week when we installed all new APs.

Thanks for your help.
Craig Beck Commented:
That article is correct, in that if your workstation is on the same subnet as the service interface you won't be able to see the management IP of the WLC.  You should be able to reach the GUI and CLI of the WLC using the service-port IP address though.  Have you tried that?

That behaviour is by design.
CUSD200 Author Commented:
Agreed re: the article. Thanks for the confirm.

Re: the service-port, it has an ip address (3.3.3.3) I've not seen on our network before, and I can't ping it, so it does not appear to be routed. I'll need to config a device in that subnet and see if I can reach the service-port.

Thanks for the suggestion.
Craig Beck Commented:
There is a network routes section on the WLC.  Check that (Controller -> Network Routes) to see if there's a static route on the WLC pointing to the subnet that's affected.
CUSD200 Author Commented:
The network routes are empty, but they are also empty on our other two 5508s and one 4400, and they're working fine.
Craig Beck Commented:
Is the subnet mask correct on the management interface on the affected WLC?

Does the affected WLC have a management IP in the same subnet as the other two WLCs?

When you're trying to access the affected WLC, are you trying wirelessly?  If so, is the workstation connected to an AP which is joined to the affected WLC?
CUSD200 Author Commented:
All great suggestions. The mask is good. As for the management IP, it is different as it is at a different site. As for connecting wirelessly, no we are on the wired building LAN (10.20.x.x). That is the crux of the issue - the connection problem is specific to that building's IP subnet. I cannot connect to the secured management IP (10.120.2.11) from IP 10.20.x.x (wired LAN) or 10.120.32.x (wireless), but if I RDP to my PC at our main facility (which is assigned 10.100.10.11 statically) I can connect from there.

I'm stumped. Everything looks fine on the WLC and seems like it should work. I will check the switches at the affected site for an ACL, but barring that maybe a reboot is in order just for the heck of it.

Thanks again for your help.
CUSD200 Author Commented:
Closing this out for now until we get a maintenance window for a WLC reboot. Thank you Craig for your assistance.