
About Mobility Anchor: Policy Manager State = DHCP_REQD

mr.marslin
Level 1

Dears,

I installed three WLC4402s at three offices.

Now I want to configure SSID-1 traffic to anchor to WLC-1.

WLC-2 anchors to WLC-1, and all users are OK.

But when WLC-3 clients access SSID-1, they cannot anchor successfully.

Checking WLC-3, the client is already at Policy Manager State = RUN / Auth = YES (SSID-1 uses MAC-Filter).

But on WLC-1 (Anchor Controller), the client's Policy Manager State = DHCP_REQD!!!

I tried mping / eping and it is OK, but WLC-3 to WLC-1 still never anchors successfully....

Any other ideas?

Thanks.

------------

WLC-3:

Wed Nov 16 15:45:08 2011: 00:26:c7:24:69:6c Received Anchor Export Ack for client from Switch IP: 10.240.64.1

Wed Nov 16 15:45:08 2011: 00:26:c7:24:69:6c Anchor Mac: 00:1b:d4:6b:6a:60, Old Foreign Mac: 00:1b:d4:6b:27:a0 New Foreign Mac: 00:1b:d4:6b:27:a0

Wed Nov 16 15:45:08 2011: 00:26:c7:24:69:6c 0.0.0.0 DHCP_REQD (7) mobility role update request from Unassociated to Export Foreign

  Peer = 10.240.64.1, Old Anchor = 10.240.64.1, New Anchor = 10.240.64.1

Wed Nov 16 15:45:08 2011: 00:26:c7:24:69:6c 0.0.0.0 RUN (20) Plumbing duplex mobility tunnel to 10.240.64.1

    as Export Foreign (VLAN 141)

Wed Nov 16 15:45:08 2011: 00:26:c7:24:69:6c Mobility Response: IP 0.0.0.0 code 4, reason 4, PEM State RUN, Role Export Foreign(5)

-----------

WLC-1:

Wed Nov 16 15:45:07 2011: Mobility packet received from:

Wed Nov 16 15:45:07 2011:   10.240.141.1, port 16666

Wed Nov 16 15:45:07 2011:   type: 3(MobileAnnounce)  subtype: 0  version: 1  xid: 696069  seq: 46784  len 116 flags 0

Wed Nov 16 15:45:07 2011:   group id: 7a5f146e e7e0466f f96196a5 7076080a

Wed Nov 16 15:45:07 2011:   mobile MAC: 00:26:c7:24:69:6c, IP: 0.0.0.0, instance: 0

Wed Nov 16 15:45:07 2011:   VLAN IP: 10.240.141.1, netmask: 255.255.255.0

Wed Nov 16 15:45:07 2011: Switch IP: 10.240.141.1

Wed Nov 16 15:45:07 2011: 00:26:c7:24:69:6c Ignoring Announce, client record for not found

Wed Nov 16 15:45:08 2011: Mobility packet received from:

Wed Nov 16 15:45:08 2011:   10.240.141.1, port 16666

Wed Nov 16 15:45:08 2011:   type: 16(MobileAnchorExport)  subtype: 0  version: 1  xid: 696070  seq: 46785  len 241 flags 0

Wed Nov 16 15:45:08 2011:   group id: 7a5f146e e7e0466f f96196a5 7076080a

Wed Nov 16 15:45:08 2011:   mobile MAC: 00:26:c7:24:69:6c, IP: 0.0.0.0, instance: 0

Wed Nov 16 15:45:08 2011:   VLAN IP: 10.240.141.1, netmask: 255.255.255.0

Wed Nov 16 15:45:08 2011: Switch IP: 10.240.141.1

Wed Nov 16 15:45:08 2011: 00:26:c7:24:69:6c Received Anchor Export request: from Switch IP: 10.240.141.1

Wed Nov 16 15:45:08 2011: 00:26:c7:24:69:6c mmAnchorExportRcv:, Mobility role is Unassoc

.

Wed Nov 16 15:45:08 2011: 00:26:c7:24:69:6c mmAnchorExportRcv  Ssid=himax-pad Security Policy=0x2000

Wed Nov 16 15:45:08 2011: 00:26:c7:24:69:6c 0.0.0.0 START (0) mobility role update request from Unassociated to Export Anchor

  Peer = 0.0.0.0, Old Anchor = 0.0.0.0, New Anchor = 10.240.64.1

Wed Nov 16 15:45:08 2011: 00:26:c7:24:69:6c Received Anchor Export policy update, valid mask 0x0:

  Qos Level: 0, DSCP: 0, dot1p: 0  Interface Name: , ACL Name:

Wed Nov 16 15:45:08 2011: Anchor Mac : 00.1b.d4.6b.6a.60

Wed Nov 16 15:45:08 2011: Mobility packet sent to:

Wed Nov 16 15:45:08 2011:   10.240.141.1, port 16666

Wed Nov 16 15:45:08 2011:   type: 17(MobileAnchorExportAck)  subtype: 0  version: 1  xid: 696070  seq: 13077  len 275 flags 0

Wed Nov 16 15:45:08 2011:   group id: 7a5f146e e7e0466f f96196a5 7076080a

Wed Nov 16 15:45:08 2011:   mobile MAC: 00:26:c7:24:69:6c, IP: 0.0.0.0, instance: 1

Wed Nov 16 15:45:08 2011:   VLAN IP: 192.168.65.1, netmask: 255.255.255.0

Wed Nov 16 15:45:08 2011: 00:26:c7:24:69:6c 0.0.0.0 DHCP_REQD (7) Plumbing duplex mobility tunnel to 10.240.141.1

    as Export Anchor (VLAN 365)

------------

THANKS.


Scott Fella
Hall of Fame

When anchoring, always make sure your SSIDs match exactly except for the interface. The foreign WLC interface is the management and the anchor is the interface you want to put users on. That being said, make sure your WLAN SSID mobility anchoring is set up right. The foreign WLC should anchor to WLC-1 and WLC-1 anchors to itself.

If that doesn't fix your issue and you said mobility is up, delete the SSID and recreate it on the WLC that isn't working.

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Dear Sir,

I tried recreating SSID-1. It is still not working.

Only WLC-3 anchoring to WLC-1 is not working; WLC-2 anchoring to WLC-1 is always OK!

Can you post your show mobility summary from WLC-3 and the show wlan from WLC-3 and WLC-1?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

WLC-3

----------

(Cisco Controller) >show mobility summary

Symmetric Mobility Tunneling (current) .......... Enabled

Symmetric Mobility Tunneling (after reboot) ..... Enabled

Mobility Protocol Port........................... 16666

Mobility Security Mode........................... Disabled

Default Mobility Domain.......................... Himax

Multicast Mode .................................. Disabled

Mobility Domain ID for 802.11r................... 0xd806

Mobility Keepalive Interval...................... 10

Mobility Keepalive Count......................... 3

Mobility Group Members Configured................ 3

Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group

MAC Address        IP Address       Group Name         Multicast IP         Status

00:1b:d4:6b:27:a0    10.240.141.1     Himax            0.0.0.0          Up

00:1b:d4:6b:51:e0    10.240.64.2      Himax            0.0.0.0          Up

00:1b:d4:6b:6a:60    10.240.64.1      Himax            0.0.0.0          Up

-----------------------------------------------------------------------------------------------------------------------------------

WLC-1

------------

(Cisco Controller) >show mobility summary

Symmetric Mobility Tunneling (current) .......... Disabled

Symmetric Mobility Tunneling (after reboot) ..... Enabled

Mobility Protocol Port........................... 16666

Mobility Security Mode........................... Disabled

Default Mobility Domain.......................... Himax

Multicast Mode .................................. Disabled

Mobility Domain ID for 802.11r................... 0xd806

Mobility Keepalive Interval...................... 10

Mobility Keepalive Count......................... 3

Mobility Group Members Configured................ 4

Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group

MAC Address        IP Address       Group Name         Multicast IP         Status

00:18:ba:49:70:60    10.240.133.1     Himax            0.0.0.0          Up

00:1b:d4:6b:27:a0    10.240.141.1     Himax            0.0.0.0          Up

00:1b:d4:6b:51:e0    10.240.64.2      Himax            0.0.0.0          Up

00:1b:d4:6b:6a:60    10.240.64.1      Himax            0.0.0.0          Up

Your mobility configuration appears to be OK.

Now we need to verify that your WLAN settings are identical for both WLC 1 and 3:

Can you capture:

show wlan x

From both WLC 1 and WLC 3?

(where x is the wlan ID for the SSID in question)

-Pat

WLC-1

----------

(Cisco Controller) >show wlan 2

WLAN Identifier.................................. 2

Profile Name..................................... himax-pad

Network Name (SSID).............................. himax-pad

Status........................................... Enabled

MAC Filtering.................................... Enabled

Broadcast SSID................................... Disabled

AAA Policy Override.............................. Disabled

Number of Active Clients......................... 0

Exclusionlist Timeout............................ 60 seconds

Session Timeout.................................. Infinity

Webauth DHCP exclusion........................... Disabled

Interface........................................ himax-pad

WLAN ACL......................................... unconfigured

DHCP Server...................................... 10.240.230.162

DHCP Address Assignment Required................. Disabled

Quality of Service............................... Silver (best effort)

WMM.............................................. Disabled

CCX - AironetIe Support.......................... Enabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled

--More-- or (q)uit

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

IPv6 Support..................................... Disabled

Peer-to-Peer Blocking Action..................... Disabled

Radio Policy..................................... All

DTIM period for 802.11a radio.................... 1

DTIM period for 802.11b radio.................... 1

Radius Servers

   Accounting.................................... Disabled

Local EAP Authentication......................... Disabled

Security

   802.11 Authentication:........................ Open System

   Static WEP Keys............................... Disabled

   802.1X........................................ Disabled

   Wi-Fi Protected Access (WPA/WPA2)............. Disabled

   CKIP ......................................... Disabled

   IP Security................................... Disabled

   IP Security Passthru.......................... Disabled

   Web Based Authentication...................... Disabled

   Web-Passthrough............................... Disabled

   Conditional Web Redirect...................... Disabled

   Splash-Page Web Redirect...................... Disabled

--More-- or (q)uit

   Auto Anchor................................... Enabled

   Cranite Passthru.............................. Disabled

   Fortress Passthru............................. Disabled

   H-REAP Local Switching........................ Disabled

   Infrastructure MFP protection................. Enabled (Global Infrastructure MFP Disabled)

   Client MFP.................................... Optional but inactive (WPA2 not configured)

   Tkip MIC Countermeasure Hold-down Timer....... 60

Mobility Anchor List

WLAN ID     IP Address            Status

-------     ---------------       ------

2           10.240.64.1           Up

!

!

!

WLC-3

-------------

(Cisco Controller) >show wlan 1

WLAN Identifier.................................. 1

Profile Name..................................... himax-pad

Network Name (SSID).............................. himax-pad

Status........................................... Enabled

MAC Filtering.................................... Enabled

Broadcast SSID................................... Disabled

AAA Policy Override.............................. Disabled

Number of Active Clients......................... 0

Exclusionlist Timeout............................ 60 seconds

Session Timeout.................................. Infinity

Webauth DHCP exclusion........................... Disabled

Interface........................................ management

WLAN ACL......................................... unconfigured

DHCP Server...................................... 10.240.230.162

DHCP Address Assignment Required................. Disabled

Quality of Service............................... Silver (best effort)

WMM.............................................. Disabled

CCX - AironetIe Support.......................... Enabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled

--More-- or (q)uit

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

IPv6 Support..................................... Disabled

Peer-to-Peer Blocking Action..................... Disabled

Radio Policy..................................... All

DTIM period for 802.11a radio.................... 1

DTIM period for 802.11b radio.................... 1

Radius Servers

   Accounting.................................... Disabled

Local EAP Authentication......................... Disabled

Security

   802.11 Authentication:........................ Open System

   Static WEP Keys............................... Disabled

   802.1X........................................ Disabled

   Wi-Fi Protected Access (WPA/WPA2)............. Disabled

   CKIP ......................................... Disabled

   IP Security................................... Disabled

   IP Security Passthru.......................... Disabled

   Web Based Authentication...................... Disabled

   Web-Passthrough............................... Disabled

   Conditional Web Redirect...................... Disabled

   Splash-Page Web Redirect...................... Disabled

--More-- or (q)uit

   Auto Anchor................................... Enabled

   Cranite Passthru.............................. Disabled

   Fortress Passthru............................. Disabled

   H-REAP Local Switching........................ Disabled

   Infrastructure MFP protection................. Enabled (Global Infrastructure MFP Disabled)

   Client MFP.................................... Optional but inactive (WPA2 not configured)

   Tkip MIC Countermeasure Hold-down Timer....... 60

Mobility Anchor List

WLAN ID     IP Address            Status

-------     ---------------       ------

1           10.240.64.1           Up

Alright, your WLAN and mobility configuration appear to be ok. Your original debugs show that the anchor export is actually working...

It's time to capture client debugs from both controllers when you try to connect:

debug client xx:xx:xx:xx:xx:xx

That should give us more insight as to why the process is failing.

-Pat
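
The side-by-side check of the two `show wlan` outputs above can be scripted; this is an added example, not part of the original thread. It goes slightly beyond the posts by also checking the Mobility Anchor List on each side; the function names and the set of fields treated as expected differences are assumptions, and the sample text is excerpted from the outputs posted in this thread.

```python
import re

# Dot-leader field as the controller prints it: "Key.......... value"
FIELD = re.compile(r"^\s*(.+?)\s?\.{2,}\s?(.*)$")
# Row of the "Mobility Anchor List" table: WLAN ID, anchor IP, status
ANCHOR_ROW = re.compile(r"^\s*\d+\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s*$")
# Assumption: fields that legitimately differ between foreign and anchor
EXPECTED_DIFF = {"WLAN Identifier", "Interface", "Number of Active Clients"}

def parse_show_wlan(text):
    """Return (fields, anchor_ips) from pasted 'show wlan <id>' output."""
    fields, anchors = {}, []
    for raw in text.splitlines():
        row, m = ANCHOR_ROW.match(raw), FIELD.match(raw)
        if row:
            anchors.append(row.group(1))
        elif m and "--More--" not in raw:   # skip pager prompts in the paste
            fields[m.group(1).strip().rstrip(":")] = m.group(2).strip()
    return fields, anchors

def compare_wlans(foreign_text, anchor_text, anchor_ip):
    """List differences that would matter for auto-anchoring this WLAN."""
    f, f_anchors = parse_show_wlan(foreign_text)
    a, a_anchors = parse_show_wlan(anchor_text)
    findings = [f"{k}: foreign={f.get(k)!r} anchor={a.get(k)!r}"
                for k in sorted(set(f) | set(a))
                if f.get(k) != a.get(k) and k not in EXPECTED_DIFF]
    for name, anchors in (("foreign", f_anchors), ("anchor", a_anchors)):
        if anchors != [anchor_ip]:          # both sides must point at the anchor
            findings.append(f"{name} anchor list {anchors}, expected [{anchor_ip!r}]")
    return findings

# Excerpts of the thread's outputs: WLC-3 is the foreign, WLC-1 the anchor
WLC3 = """WLAN Identifier.................................. 1
Network Name (SSID).............................. himax-pad
MAC Filtering.................................... Enabled
Interface........................................ management
--More-- or (q)uit
   Auto Anchor................................... Enabled
1           10.240.64.1           Up
"""
WLC1 = """WLAN Identifier.................................. 2
Network Name (SSID).............................. himax-pad
MAC Filtering.................................... Enabled
Interface........................................ himax-pad
--More-- or (q)uit
   Auto Anchor................................... Enabled
2           10.240.64.1           Up
"""
```

`compare_wlans(WLC3, WLC1, "10.240.64.1")` returns an empty list for these excerpts, which matches the conclusion reached by eye in the thread.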

OK, I will do it tomorrow.

Thanks for your help.

wififofum
Level 4

What version are you running? What model of APs are involved?

What is the client roaming pattern? Are you sure it's from WLC-1 to WLC-3, or do they touch WLC-2 on the way?

Can you move APs on WLC-3 to WLC-2 to see if the problem goes away?
