Beginner

WLC 7.3.101.0 Mobility group peer cannot up.

Hi Guys,

It seems the 7.3.101 version mobility group peer cannot come up; refer to the attachment.

Peer 1: version: 7.3.101

Peer 2: version 7.0.98

Peer3: version 7.2.103

Today we got two new WLCs for anchor use and configured the mobility group, but it failed and cannot come up. Ping is OK.

Accepted Solutions
Hall of Fame Master

Re: WLC 7.3.101.0 Mobility group peer cannot up.

Chris is right here. One thing I tell my clients is to allow everything between the foreign and the anchor WLCs just to verify that the mobility can come up, then lock it down. Here are some links that explain what test is for what port.

http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a00809a30cc.shtml#qa8

Anchor Controller Positioning
Because the anchor controller is responsible for termination of guest WLAN traffic and subsequent access to the Internet, it is typically positioned in the enterprise Internet DMZ. In doing so, rules can be established within the firewall to precisely manage communications between authorized controllers throughout the enterprise and the anchor controller. Such rules might include filtering on source or destination controller addresses, UDP port 16666 for inter-WLC communication, and IP protocol ID 97 Ethernet in IP for client traffic. Other rules that might be needed include the following:
• TCP 161 and 162 for SNMP
• UDP 69 for TFTP
• TCP 80 or 443 for HTTP, or HTTPS for GUI access
• TCP 23 or 22 for Telnet, or SSH for CLI access
Depending on the topology, the firewall can be used to protect the anchor controller from outside threats.
For the best possible performance and because of its suggested positioning in the network, it is strongly recommended that the guest anchor controller be dedicated to supporting guest access functions only. In other words, the anchor controller should not be used to support guest access in addition to controlling and managing other LWAPP APs (LAPs) in the enterprise.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Hall of Fame Master

Re: WLC 7.3.101.0 Mobility group peer cannot up.

Perform the following tests from either WLC:

mping: this tests UDP 16666 and UDP 16667

eping: this tests IP 97

Post the show mobility summary from each WLC.

-Scott
13 REPLIES
Participant

WLC 7.3.101.0 Mobility group peer cannot up.

Hi,

Is there a firewall or any filtering in between the controllers?

If you log onto the CLI of the controllers and try eping and mping, what results do you get?

Apart from ICMP you will also need protocol 97 and UDP 16666 and 16667 open.

Thanks

Chris

Beginner

WLC 7.3.101.0 Mobility group peer cannot up.

Yes, there is a firewall between the anchors and the LAN WLC, but we have two anchors which are in the same network.

Hall of Fame Master

Re: WLC 7.3.101.0 Mobility group peer cannot up.

Allow everything between the WLCs. This will test the mobility. Then lock it down, see if it fails, and then look at the drop logs.

-Scott
Beginner

WLC 7.3.101.0 Mobility group peer cannot up.

16666 and 16667 no problem.

97 failed.

=======================================
(Cisco Controller) >mping 10.x.x.x
Send count=3, Receive count=3 from 10.x.x.x
(Cisco Controller) >eping 10.x.x.x
Send count=3, Receive count=0 from 10.x.x.x
(Cisco Controller) >
(Cisco Controller) >eping 10.x.x.02
Send count=3, Receive count=0 from 10.x.x.02

===============FW config:==================

Hall of Fame Master

Re: WLC 7.3.101.0 Mobility group peer cannot up.

So IP 97 is being dropped somewhere.

-Scott
Beginner

WLC 7.3.101.0 Mobility group peer cannot up.

Yes, I need to verify the FW policy.

Beginner

WLC 7.3.101.0 Mobility group peer cannot up.

We have already opened the ports below, but it seems it still cannot come up:

object-group service WLC_EoIP_Traffic
 description Wireless LAN controller EoIP traffic
 service-object udp eq 16666
 service-object udp eq 16667
 service-object 97
 service-object udp eq tftp
 service-object tcp eq domain
 service-object icmp

Hall of Fame Master

Re: WLC 7.3.101.0 Mobility group peer cannot up.

One thing I would also do is delete the mobility configuration and add all the WLCs back in. Make sure you're using the MAC address of the WLC that is shown in the mobility group. The MAC address is the first one listed for that WLC. Sometimes that has helped me get the tunnels up, but you have to do it on all the WLCs.

-Scott
Beginner

WLC 7.3.101.0 Mobility group peer cannot up.

Thank you, friends. The problem was caused by the FW configuration blocking the 97 port traffic. We have allowed it and the issue is fixed.

Thanks again.

Hall of Fame Master

WLC 7.3.101.0 Mobility group peer cannot up.

Glad you got it working.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
Rising star

WLC 7.3.101.0 Mobility group peer cannot up.

Hello Dongle,

As per your query, I can suggest the following solution:

Perform the test from any of the WLCs:

mping WLC ip to test udp 16666 and udp 16667

eping WLC ip to test IP 97

UDP port 16666 is used for inter-WLC communication, and IP protocol ID 97 Ethernet in IP for client traffic.

Hope this will help you.
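
Added example, not part of any post in this thread: a small Python triage of pasted mping/eping output, using the test-to-traffic mapping given in the replies above, to name the traffic class to look for in the firewall drop log. The function names and the sample addresses (documentation range 192.0.2.0/24) are assumptions made for the example.

```python
import re

# Mapping as stated in the thread: mping exercises the mobility control
# path, eping exercises the Ethernet-in-IP data path.
TEST_TO_TRAFFIC = {
    "mping": "UDP 16666/16667 (inter-WLC mobility control)",
    "eping": "IP protocol 97 (Ethernet in IP, client traffic)",
}
CMD_RE = re.compile(r">\s*(mping|eping)\s+(\S+)")
RESULT_RE = re.compile(r"Send count=(\d+), Receive count=(\d+) from (\S+)")

def triage(cli_text):
    """Return one finding per mping/eping run found in WLC CLI output."""
    findings, pending = [], None  # pending = (test, peer) awaiting a result
    for line in cli_text.splitlines():
        cmd = CMD_RE.search(line)
        if cmd:
            pending = cmd.groups()
            continue
        res = RESULT_RE.search(line)
        if res and pending and res.group(3) == pending[1]:
            sent, received = int(res.group(1)), int(res.group(2))
            if received == 0:
                status = "blocked"
            elif received < sent:
                status = "lossy"
            else:
                status = "ok"
            findings.append({"test": pending[0], "peer": pending[1],
                             "status": status,
                             "traffic": TEST_TO_TRAFFIC[pending[0]]})
            pending = None
    return findings

def rules_to_check(findings):
    """(peer, traffic class) pairs that did not get full replies."""
    return sorted({(f["peer"], f["traffic"])
                   for f in findings if f["status"] != "ok"})

# Constructed sample in the output format shown in the thread.
SAMPLE = """\
(Cisco Controller) >mping 192.0.2.10
Send count=3, Receive count=3 from 192.0.2.10
(Cisco Controller) >eping 192.0.2.10
Send count=3, Receive count=0 from 192.0.2.10
"""

if __name__ == "__main__":
    for peer, traffic in rules_to_check(triage(SAMPLE)):
        print(f"{peer}: check firewall rules and drop log for {traffic}")
```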
