Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
560
Views
0
Helpful
1
Replies

Wired Guest Access with converged access (sup8/3850) as MA, CT-5508 as MC and Anchor

tjoliveira
Level 1
Level 1

‎08-12-2015 02:33 AM - edited ‎07-05-2021 03:43 AM

Hi,

 

We are trying to set up a Wired Guest Access solution based on the infrastructure:

  • Converged access (sup8/3850) as Mobility Agent (MA)
  • CT-5508 as Mobility Controller (MC)
  • CT-5508 as Mobility Anchor (on DMZ)

There is a Switch Peer Group (SPG) on the MC for the sup8/c3850 and the link between MA/MC and between SPG members is up, so no problems there at this moment.

 

The issue is that we cannot establish the tunnel for the Wired Guest Access, from the MA to the anchor, we keep on receiving these messages on the MA:

Aug 12 08:00:42.463: epm_spi_client_tunnel_add:server
Aug 12 08:00:42.463: Sending tunnel add request to WCM for server_handle 3100004B, server_rh 7A000053, mac 0023.ebc8.92d6, audit_ses_id 0A8320080000101DD2318554, profile name TUNNEL-CAPWAP, src intf 0x101A4000000015A, client iif id 0x100E080000002D9, client hdl 74000010
Aug 12 08:00:42.463: EPM_SESS_EVENT: Feature (EPM Tunnel Feature PLUG-IN) identity has been updated (status 1)
Aug 12 08:00:42.464: spi_epm_wired_tunnel_wcm_epm_response_handler
Aug 12 08:00:42.464: tunnel add failed
Aug 12 08:00:42.464: EPM_SESS_EVENT: Feature (EPM Tunnel Feature PLUG-IN) Status (2) Notified
Aug 12 08:00:42.464: EPM_SESS_EVENT: Failed feature attrs provided for EPM Tunnel Feature PLUG-IN

 

Software versions:

  • Sup8: 03.07.01E
  • c3850: 03.06.02a.E
  • CT-5508: 7.6.130.0

 

Relevant config on sup8

wireless mobility controller ip <CT-5508 MC IP> public-ip <CT-5508 MC IP>
!
guest-lan WIRED-GUEST 1
 shutdown
 client vlan 10
 mobility anchor <CT-5508 anchor IP>
 no security web-auth
 no shutdown
!
service-template GUEST-TUNNEL
 tunnel type capwap name TUNNEL-CAPWAP
!
policy-map type control subscriber TUNNELLED-GUEST
 event session-started match-all
  1 class DOT1X-NO-RESP do-until-failure
   1 activate service-template GUEST-TUNNEL
!
vlan 10
 name GUEST
 exit    
!
access-session tunnel vlan 10
!
interface GigabitEthernet2/1
 description *** Phone + Laptop
 switchport access vlan 5
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 6
 access-session host-mode multi-domain
 access-session port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 6
 dot1x timeout supp-timeout 6
 spanning-tree portfast
 service-policy type control subscriber TUNNELLED-GUEST

 

Relevant config on CT-5508 MC

Enable New Mobility(Converged Access)
SPG and SPG members

 

Relevant config on CT-5508 Anchor

Enable New Mobility(Converged Access)
Guest LAN WIRED-GUEST

 

Has anyone done this type of setup?

1 person had this problem
Labels:
0 Helpful
1 Reply 1

tjoliveira
Level 1
Level 1

‎01-15-2016 06:57 AM

For documentation proposes, in case someone reaches here in the future, the problem is solved.

The name of the tunnel (bold underline below)

service-template GUEST-TUNNEL
 tunnel type capwap name TUNNEL-CAPWAP

has to match the guest-lan name (bold underline below)

guest-lan WIRED-GUEST 1
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card