Solved: Cisco 9800 to Cisco 9800 Mobility Anchor

Toy Thompson · ‎03-17-2025

We have a Cisco 9800 WLC in my Core connected to the Core Switch
We have a Cisco 9800 WLC in a DMZ connected to the DMZ switch.
We configured a mobility anchor between the Core WLC and the DMZ WLC without any DTLS encryption.
When we connect the DMZ switch directly to the Core switch both the control and data path for the Mobility Anchor comes up.

We installed a Palo Alto Firewall between the Core Switch (PA-Inside) and the DMZ Switch (PA-Outside) and allow any any traffic between the inside and outside interfaces, but both the control and data path for the Mobility Anchor stays down. I can ping from the Core WLC to the DMZ WLC when within the Mobility Anchor configuration.
Is there another way to test/troubleshoot why the Mobility Anchor do not come up or any specific configs on the PA I need to check

Toy Thompson · ‎03-19-2025

Thank you for the feedback, as a result I reviewed my configs and found on the DMZ-WLC I was pointing the anchor to the RMI interface of the CORE-WLC (.33) and not the VIP .31. I corrected it and the mobility anchor is now operational

View solution in original post

Scott Fella · ‎03-17-2025

Cisco Catalyst 9800 Series Wireless Controllers use UDP ports 16666 and 16667 for mobility tunnels. I would think there is something that is breaking that between the core and the DMZ. You have proven that because you can successfully setup the tunnel when you connect the DMZ 9800 to the core.

-Scott
*** Please rate helpful posts ***

marce1000 · ‎03-17-2025

1) Even when allowing any traffic between them on the Palo Alto , examine logs for traffic between the controller's
on the Palo Alto
Make sure everything goes through as intended

2) These commands can be useful on the controllers : (examine differences for both configurations)
show wireless mobility summary
show wireless stats mobility
show wireless stats mobility messages
show platform hardware chassis active qfp feature wireless punt statistics

3) Whilst it seems unrelated , checkout the configuration on both controllers using
the CLI command show tech wireless and feed the output from that into Wireless Config Analyzer
Use the full command denoted in green, do not use show tech-support

4) What is the software version being used on both controllers ?

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Toy Thompson · ‎03-19-2025

Thank you for the feedback, as a result I reviewed my configs and found on the DMZ-WLC I was pointing the anchor to the RMI interface of the CORE-WLC (.33) and not the VIP .31. I corrected it and the mobility anchor is now operational

marce1000 · ‎03-19-2025

@Toy Thompson : Great work!!

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

marce1000 · ‎03-19-2025

- @Toy Thompson Tx, for your endorsements, as I also said , inspecting the traffic on the Palo Alto is important, because sometimes firewalls can have a behavior as in 'this is bad anyway' for several reasons, then extra policy changes could be needed to let the traffic go through!

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '