topic Re: Configuring SSO on a pair of 9800-L issue in Wireless

Configuring SSO on a pair of 9800-L issue

tdennehy — Tue, 28 Jan 2025 02:42:26 GMT

I am trying to configure what should be a very simple setup. Two 9800-Ls on a bench with a switch in between. They can ping each other when I configure SSO on both boxes, and I can ping the secondary. But neither will ever become the standby.

I'm wondering if there is "something else", that everyone always forgets to do when configuring SSO. Its so simple, just using vlan1 on both, with 192.168.1.x addresses.

Waiting for remote chassis to join
#######################################################################################

wc01:

interface Port-channel1
description ** uplink **
switchport mode trunk
!
interface Port-channel2
description ** uplink **
switchport mode trunk

interface TenGigabitEthernet0/1/0
switchport mode trunk
no negotiation auto
no mop enabled
channel-group 1 mode on
!
interface TenGigabitEthernet0/1/1
switchport mode trunk
no negotiation auto
channel-group 1 mode on
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 192.168.1.100 255.255.255.0
negotiation auto
no mop enabled
!
interface Vlan1
ip address 192.168.1.249 255.255.255.0 secondary
ip address 192.168.1.251 255.255.255.0
ip helper-address 192.168.1.254
no mop enabled
!
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route vrf Mgmt-intf 0.0.0.0 255.255.255.0 192.168.1.254
redun-management interface Vlan1 chassis 2 address 192.168.1.249 chassis 1 address 192.168.1.250

wc02:

!
interface Port-channel1
description ** uplink **
switchport mode trunk
!
interface Port-channel2
description ** uplink **
switchport mode trunk
!

interface TenGigabitEthernet0/1/0
switchport mode trunk
speed 1000 (its a 1gig SFP)
no negotiation auto
no snmp trap link-status
no mop enabled
channel-group 2 mode on
!
interface TenGigabitEthernet0/1/1
switchport mode trunk
speed 10000
no negotiation auto
no snmp trap link-status
channel-group 2 mode on
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 192.168.1.101 255.255.255.0
negotiation auto
no mop enabled
!
interface Vlan1
ip address 192.168.1.250 255.255.255.0 secondary
ip address 192.168.1.252 255.255.255.0
ip helper-address 192.168.1.254
no mop enabled
!
!
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route vrf Mgmt-intf 0.0.0.0 255.255.255.0 192.168.1.254

redun-management interface Vlan1 chassis 1 address 192.168.1.250 chassis 2 address 192.168.1.249

Could I be missing something? This should not be that difficult!!!

Re: Configuring SSO on a pair of 9800-L issue

tdennehy — Tue, 28 Jan 2025 02:47:42 GMT

When I plug in the uplink, I get this output on wc02:

*Jan 27 19:35:29.618: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel2, changed state to up
*Jan 27 19:35:29.621: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
*Jan 27 19:35:30.425: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
*Jan 27 19:35:34.150: %RIF_MGR_FSM-6-RMI_GW_DECISION_DEFERRED: Chassis 1 R0/0: rif_mgr: High CPU utilisation on active or standby, deferring action on gateway-down event
*Jan 27 19:35:54.151: %RIF_MGR_FSM-6-GW_REACHABLE_ACTIVE: Chassis 1 R0/0: rif_mgr: Gateway reachable from Active
*Jan 27 19:35:56.798: %RIF_MGR_FSM-6-RMI_LINK_UP: Chassis 1 R0/0: rif_mgr: The RMI link is UP.
*Jan 27 19:35:56.798: %STACKMGR-1-DUAL_ACTIVE_CFG_MSG: Chassis 1 R0/0: stack_mgr: Dual Active Detection link is available now

edh001-001-wc02#sho chassis
Chassis/Stack Mac Address : 8c1e.806e.9080 - Local Mac Address
Mac persistency wait time: Indefinite
Local Redundancy Port Type: Twisted Pair
H/W Current
Chassis# Role Mac Address Priority Version State IP
-------------------------------------------------------------------------------------
*1 Active 8c1e.806e.9080 1 V02 Ready 169.254.1.250

wc01: (when I plug in the uplinks, changes its name)

edh001-001-wc01(recovery-mode)_2_RP_0(diag)#
edh001-001-wc01(recovery-mode)_2_RP_0(diag)#

Re: Configuring SSO on a pair of 9800-L issue

Leo Laohoo — Tue, 28 Jan 2025 02:49:36 GMT

Both units are Chassis 1?

Re: Configuring SSO on a pair of 9800-L issue

Scott Fella — Tue, 28 Jan 2025 03:01:18 GMT

I don't know which guide you followed, but when you ener this command, use a vlan that is not on your network, you just want the redundancy management on its own vlan. You don't need to route this. Keep in mind, there are various way's this is done. The docs show different way's. You didn't show all the commands that are required also.

Also, take a look at this guide, there are others that are good and some videos out there.

redun-management interface VlanXXX chassis 1 address 192.168.1.250 chassis 2 address 192.168.1.249

https://howiwifi.com/2021/01/17/cisco-9800-rmirp-high-availability-best-practice-configuration/

https://www.wiresandwi.fi/blog/cisco-wlc-9800-high-availability-sso-rmi-rp-cli-configuration

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/220277-configure-high-availability-sso-on-catal.html#toc-hId-1451838582

Re: Configuring SSO on a pair of 9800-L issue

Scott Fella — Tue, 28 Jan 2025 03:08:04 GMT

I tend to watch some videos before I try anything. It's easier to follow at times. The GUI is very easy and you should probably try that first and then wipe the units and try again from the cli. That way you can learn and document both process.

Re: Configuring SSO on a pair of 9800-L issue

MHM Cisco World — Tue, 28 Jan 2025 03:29:55 GMT

Share your topology

MHM

Re: Configuring SSO on a pair of 9800-L issue

tdennehy — Tue, 28 Jan 2025 03:52:30 GMT

Ugghhh. I hope not. I will go look!

Re: Configuring SSO on a pair of 9800-L issue

tdennehy — Tue, 28 Jan 2025 03:58:06 GMT

Two wlcs on a bench, side by side with a switch configured with uplinks. Literally a flat network. I have been messing with it all day, and I have gotten this to work in production boxes. For some reason I'm having an issue with the two on the bench with a switch with vlan 1 @ 192.168.1.254.

The two WLCs have IPs in the .249 .250 .251 and .252 Its the simplest of networks, so I figured I missed something very simple. Leo suggests both Chassis 1, so I will go look at that.

Re: Configuring SSO on a pair of 9800-L issue

tdennehy — Tue, 28 Jan 2025 03:59:12 GMT

I am following this link: https://justdowifi.blogspot.com/search?updated-max=2023-08-28T17:44:00-07:00&max-results=7

Re: Configuring SSO on a pair of 9800-L issue

tdennehy — Tue, 28 Jan 2025 04:02:39 GMT

edh001-001-wc01#sho chassis
Chassis/Stack Mac Address : 687d.b4fd.4640 - Local Mac Address
Mac persistency wait time: Indefinite
Local Redundancy Port Type: Twisted Pair
H/W Current
Chassis# Role Mac Address Priority Version State IP
-------------------------------------------------------------------------------------
*2 Active 687d.b4fd.4640 2 V02 Ready 169.254.1.249

Re: Configuring SSO on a pair of 9800-L issue

tdennehy — Tue, 28 Jan 2025 04:06:21 GMT

I have gotten this to work in the past, but for some reason, I cannot get it to work on the bench. I figured I missed a vrf or something. The last time I have touched a pair of 9800s was a year ago, and I'm trying to refresh my memory on how to do it and I cannot get it to work. I have followed this link before with success: https://justdowifi.blogspot.com/search?updated-max=2023-08-28T17:44:00-07:00&max-results=7

There must be something I am missing, and its going to be blatantly stupid when I find it.

Re: Configuring SSO on a pair of 9800-L issue

tdennehy — Tue, 28 Jan 2025 04:09:47 GMT

Switch config:

interface Port-channel1
switchport mode trunk
switchport nonegotiate
logging event trunk-status
logging event bundle-status
!
interface Port-channel2
switchport mode trunk
switchport nonegotiate
logging event trunk-status
logging event bundle-status
!

interface GigabitEthernet0/25 <wlc01
switchport mode trunk
switchport nonegotiate
logging event trunk-status
logging event bundle-status
channel-group 1 mode on
!
interface GigabitEthernet0/26
switchport mode trunk
switchport nonegotiate
logging event trunk-status
logging event bundle-status
channel-group 1 mode on
!
interface GigabitEthernet0/27 <- WLC02
switchport mode trunk
switchport nonegotiate
logging event trunk-status
logging event bundle-status
channel-group 2 mode on
!
interface GigabitEthernet0/28
switchport mode trunk
switchport nonegotiate
logging event trunk-status
logging event bundle-status
channel-group 2 mode on
!
interface Vlan1
description bench network
ip address 192.168.1.254 255.255.255.0

Re: Configuring SSO on a pair of 9800-L issue

MHM Cisco World — Tue, 28 Jan 2025 04:12:13 GMT

utilisation on active or standby, deferring action on gateway-down event <<-

This important,

RMI and WMI in same subnet

In SW do you config SVI for mgmt VLAN?

RMI of both unit must point this IP

MHM

Re: Configuring SSO on a pair of 9800-L issue

Scott Fella — Tue, 28 Jan 2025 04:18:02 GMT

I bet.... you try to just connect the RP ports direct?

Re: Configuring SSO on a pair of 9800-L issue

MHM Cisco World — Tue, 28 Jan 2025 04:36:31 GMT

This SSO, there must be no PO from SW toward both WLC!!

This wrong,

You need single link from SW to each of wlc.

That make issue.

MHM

Re: Configuring SSO on a pair of 9800-L issue

Mark Elsen — Tue, 28 Jan 2025 07:45:32 GMT

- Also validate the configuration of the (primary) 9800-L controller using the CLI command show tech wireless
(not a simple show tech ) and feed the output from that into Wireless Config Analyzer

Re: Configuring SSO on a pair of 9800-L issue

Rich R — Tue, 28 Jan 2025 08:03:39 GMT

@MHM Cisco World - all of our 9800 HA SSO pairs run on port channels - it's part of the standard HA design
It's shown in all the guides like page 45 & 49 in
https://www.ciscolive.com/c/dam/r/ciscolive/global-event/docs/2023/pdf/BRKEWN-2846.pdf

Re: Configuring SSO on a pair of 9800-L issue

MHM Cisco World — Tue, 28 Jan 2025 10:22:00 GMT

Friend

Your link is correct but check it'

The PO is from WLC to SW

In his case PO is from SW to both WLC !!!!

That not work.

MHM

Re: Configuring SSO on a pair of 9800-L issue

tdennehy — Tue, 28 Jan 2025 15:54:14 GMT

Yes, RMI and WMI in same subnet. VLAN 1.

Switch SVI is vlan1, IP = 192.168.1.254

As soon as I plug the interfaces to the switch, the switch name changes to the one in the output in the thread. I'm not sure what I'm missing.

The interfaces in trunks and POs are supported. I guess my next step is to create another vlan and assign interfaces for SSO in there to see if that fixes it. This is ridiculous, its the most simple config and I must be missing something very, very basic.

Re: Configuring SSO on a pair of 9800-L issue

Mark Elsen — Tue, 28 Jan 2025 16:00:18 GMT

@tdennehy wrote : >....I guess my next step is to create another vlan and assign interfaces for SSO in there to see if that fixes it. This is ridiculous, its the most simple config and I must be missing something very, very basic.
Well in general it is not advises to stick to vlan1 for all 9800 operations and use
Remember to always use the WirelessAnalyzer procedure when configuring the 9800 ; it is vital for these cases.
I repeat it here : using the CLI command show tech wireless
(not a simple show tech ) and feed the output from that into Wireless Config Analyzer