01-27-2025 06:42 PM
I am trying to configure what should be a very simple setup. Two 9800-Ls on a bench with a switch in between. They can ping each other when I configure SSO on both boxes, and I can ping the secondary. But neither will ever become the standby.
I'm wondering if there is "something else" that everyone always forgets to do when configuring SSO. It's so simple, just using VLAN 1 on both, with 192.168.1.x addresses.
Waiting for remote chassis to join
#######################################################################################
wc01:
interface Port-channel1
description ** uplink **
switchport mode trunk
!
interface Port-channel2
description ** uplink **
switchport mode trunk
interface TenGigabitEthernet0/1/0
switchport mode trunk
no negotiation auto
no mop enabled
channel-group 1 mode on
!
interface TenGigabitEthernet0/1/1
switchport mode trunk
no negotiation auto
channel-group 1 mode on
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 192.168.1.100 255.255.255.0
negotiation auto
no mop enabled
!
interface Vlan1
ip address 192.168.1.249 255.255.255.0 secondary
ip address 192.168.1.251 255.255.255.0
ip helper-address 192.168.1.254
no mop enabled
!
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route vrf Mgmt-intf 0.0.0.0 255.255.255.0 192.168.1.254
redun-management interface Vlan1 chassis 2 address 192.168.1.249 chassis 1 address 192.168.1.250
wc02:
!
interface Port-channel1
description ** uplink **
switchport mode trunk
!
interface Port-channel2
description ** uplink **
switchport mode trunk
!
interface TenGigabitEthernet0/1/0
switchport mode trunk
speed 1000 (it's a 1 Gig SFP)
no negotiation auto
no snmp trap link-status
no mop enabled
channel-group 2 mode on
!
interface TenGigabitEthernet0/1/1
switchport mode trunk
speed 10000
no negotiation auto
no snmp trap link-status
channel-group 2 mode on
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 192.168.1.101 255.255.255.0
negotiation auto
no mop enabled
!
interface Vlan1
ip address 192.168.1.250 255.255.255.0 secondary
ip address 192.168.1.252 255.255.255.0
ip helper-address 192.168.1.254
no mop enabled
!
!
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route vrf Mgmt-intf 0.0.0.0 255.255.255.0 192.168.1.254
redun-management interface Vlan1 chassis 1 address 192.168.1.250 chassis 2 address 192.168.1.249
Could I be missing something? This should not be that difficult!!!
Accepted Solutions
01-29-2025 11:44 PM - edited 01-29-2025 11:53 PM
No that will never work. The rules for SSO are absolutely clear - both chassis must have the identical PID.
01-27-2025 06:47 PM
When I plug in the uplink, I get this output on wc02:
*Jan 27 19:35:29.618: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel2, changed state to up
*Jan 27 19:35:29.621: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
*Jan 27 19:35:30.425: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
*Jan 27 19:35:34.150: %RIF_MGR_FSM-6-RMI_GW_DECISION_DEFERRED: Chassis 1 R0/0: rif_mgr: High CPU utilisation on active or standby, deferring action on gateway-down event
*Jan 27 19:35:54.151: %RIF_MGR_FSM-6-GW_REACHABLE_ACTIVE: Chassis 1 R0/0: rif_mgr: Gateway reachable from Active
*Jan 27 19:35:56.798: %RIF_MGR_FSM-6-RMI_LINK_UP: Chassis 1 R0/0: rif_mgr: The RMI link is UP.
*Jan 27 19:35:56.798: %STACKMGR-1-DUAL_ACTIVE_CFG_MSG: Chassis 1 R0/0: stack_mgr: Dual Active Detection link is available now
edh001-001-wc02#sho chassis
Chassis/Stack Mac Address : 8c1e.806e.9080 - Local Mac Address
Mac persistency wait time: Indefinite
Local Redundancy Port Type: Twisted Pair
H/W Current
Chassis# Role Mac Address Priority Version State IP
-------------------------------------------------------------------------------------
*1 Active 8c1e.806e.9080 1 V02 Ready 169.254.1.250
wc01 (when I plug in the uplinks, it changes its name):
edh001-001-wc01(recovery-mode)_2_RP_0(diag)#
edh001-001-wc01(recovery-mode)_2_RP_0(diag)#
01-27-2025 07:29 PM
Share your topology
MHM
01-27-2025 07:58 PM
Two WLCs on a bench, side by side, with a switch configured with uplinks. Literally a flat network. I have been messing with it all day, and I have gotten this to work on production boxes. For some reason I'm having an issue with the two on the bench with a switch with VLAN 1 @ 192.168.1.254.
The two WLCs have IPs .249, .250, .251 and .252. It's the simplest of networks, so I figured I missed something very simple. Leo suggests both are Chassis 1, so I will go look at that.
01-27-2025 08:12 PM
utilisation on active or standby, deferring action on gateway-down event <<-
This is important.
RMI and WMI in the same subnet.
In the SW, do you configure an SVI for the mgmt VLAN?
The RMI of both units must point to this IP.
MHM
01-28-2025 07:54 AM
Yes, RMI and WMI in same subnet. VLAN 1.
Switch SVI is vlan1, IP = 192.168.1.254
As soon as I plug the interfaces to the switch, the switch name changes to the one in the output in the thread. I'm not sure what I'm missing.
The interfaces in trunks and POs are supported. I guess my next step is to create another VLAN and assign interfaces for SSO in there to see if that fixes it. This is ridiculous, it's the most simple config and I must be missing something very, very basic.
01-28-2025 07:58 AM - edited 01-28-2025 08:00 AM
@tdennehy wrote:
> ...I guess my next step is to create another vlan and assign interfaces for SSO in there to see if that fixes it. This is ridiculous, its the most simple config and I must be missing something very, very basic.
Well, in general it is not advised to stick to vlan1 for all 9800 operations and use
Remember to always use the WirelessAnalyzer procedure when configuring the 9800; it is vital for these cases.
I repeat it here: use the CLI command show tech wireless (not a simple show tech) and feed the output from that into Wireless Config Analyzer.
M.
01-28-2025 05:48 PM
Marce, using vlan 1 is ONLY on the bench. This is not production. I'm just doing this so I can run through a scenario and write a document so we can upgrade our production boxes. We like to run things through on the bench first before doing a production facility that is 24x7x365.
01-28-2025 06:23 PM
High Availability: Redundancy management interface has overlapping address with wireless management, this can cause serious network problems Action: Modify the command redun-management using non-overlapping addresses. | |
230078 | High Availability: Redundancy state indicates a possible problem. Please check status of the other unit Action: RMI configuration was detected, and the current redundancy state indicates a problem. Check the status of the other unit |
230124 | Management: HTTP server does not have an IPv4 access class set. To improve security, it is advisable to set ACL explicitly allowing address that can configure the controller Action: For better WebUI security, set access class with ip http access-class command. For more information: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-17/221107-filter-traffic-destined-to-cisco-ios-xe.html |
230001 | Version: IOS-XE Controller with not recommended code:17.9.4a, please check software download page for the current version for your hardware Action: Controller is running not recommended code and should be upgraded, better, similar code is available. |
230023 | NTP: Controller with no valid time source (sync has not happened) or file without NTP information, please check if controller has valid NTP server configured Action: No active time source detected for this controller. It could be incomplete configuration. Command: config time ntp server |
230038 | Management: To prevent WebUI issues while using some large GUI options (VLANs for example), it is advisable to increase the VTY count to 50 Action: Use the command 'line vty 0 50' to increase the VTY count |
230056 | Management: Service tcp-keepalive in/out, should be enabled to reduce lingering inactive connections to management points Action: Add: service tcp-keepalives in/service tcp-keepalives out to configuration |
230065 | Webauth: The Webauth Global parameter map, does not have IPv6 virtual address. It is advisable to add one Action: Depending on your client types, it is good idea to define IPv6 virtual address for Webauth. It can reduce redirection errors. Use 'parameter-map type webauth global' config command, then 'virtual-ip ipv6 ADDRESS' |
230085 | LAG: LAG was detected in use, and port channel load balancing is not set to src-dst-mixed-ip-port. Per best practices, please change both the controller and the switch for optimal port balancing Action: Best practices recommend to use command port-channel load-balance src-dst-mixed-ip-port, for best port balancing. This must be configured as well on the switch side |
230129 | Security: Current configuration is vulnerable to CVE-2023-48795/CSCwi59338, Chacha20 should be removed from SSH encryption options Action: CVE-2023-48795 describes a security problem on some SSH extensions present in OpenSSH for specific encryption protocols. It is recommended to remove this option from SSH configuration. Use command: ip ssh server algorithm encryption aes128-gcm@openssh.com aes256-gcm@openssh.com aes128-gcm aes256-gcm aes128-ctr aes192-ctr aes256-ctr. |
230140 | Interfaces: More than one Port Channel interface with same allowed VLAN list Action: Allowing same VLANs across Port Channels, may cause traffic loop, and possible instability issues. It is advisable to filter out vlans that are not required to be duplicated. Check your topology, as this may depend on switch side configuration as well, and could be fine for your config. Command: switchport trunk allowed vlan |
230057 | DHCP: If DHCP helper (relay) is defined, the interface should have dhcp relay source interface command pointing to wireless management interface, to avoid asymmetric DHCP routing scenarios. Interfaces: Vlan1 Action: Add: ip dhcp relay source-interface to the interface SVI/Vlan configuration |
240020 | 11k: 11k Neighbor List is in use, but dual band is disabled. if not using single-band devices, enable both for best results. WLAN(s): JAYHAWK Action: For best results, it is better to enable dual band support for 11k. This should only be avoided, if single band devices are present on the network. This is part of the WLAN profile |
250014 | ARP: ARP proxy is disabled. To save client battery and other performance improvements, it is recommended to enable. Profiles: default-policy-profile Action: Go to the policy profile and enable ARP proxy setting. This is available from 17.3 |
250015 | Security: Profile with vlan set to default or 1. This is not recommended, even for AAA override scenarios. Profiles: default-policy-profile Action: Go to the policy profile configure a VLAN. Default should only be used on small network, with low security requirements |
290004 | Syslog: Syslog host is not set (using default broadcast value). For best practices, it is recommended to use a syslog server. AP Profiles: default-ap-profile Action: To ensure data is available for future troubleshooting in case of problems, it is best practices to define a syslog server for all APs on the Join profile |
230026 | 11b: Legacy rate enabled in Global Config . Disabling low data rates/11b can help to optimise the channel utilisation on the 2.4 band. Depending on RF coverage, or if using legacy clients, this may cause problems. Please validate before enforcing the changes, as this may have important RF dependencies. Action: In most scenarios, it is good idea to disable 11b data rates (1,2,5.5,11), as they would use more RF time, and be more sensible to interference, it is advisable to only enable 11g rates, unless you need to support legacy devices. Command:config 802.11b rate disabled X |
230045 | Client Profiling: Device Classification (client profiling) is not globally enabled, it is recommended to use it Action: Use Device classification as best practice, to help on troubleshooting, network characterization or problem isolation |
230046 | RRM: ED-RRM is not in use. It is recommended to enable for enterprise environments. Band(s): 2.4 GHz 5 GHz Action: This is purely a general recommendation, please validate if applicable in your environment. ED-RRM could provide fast reaction to severe RF issues |
230042 | Security: Password Encryption is not enabled. This is optional feature to protect keys/passwords in configuration Action: Use password encryption aes command.For more information, check 9800 Best practices guide |
230083 | Tags: For versions 17.6 and higher, it is advisable to use AP tag persistency command, to ensure tags are preserved if AP is temporarily moved to another controller Action: Configure ap tag persistency enable, this is specially important for N+1 redundancy scenarios |
230099 | Rogues: Rogue AP policies and rules should be defined, specially around managed SSIDs Action: Rogue rules can improve alerting for possible rogues impersonating managed SSID. It is advisable to enable them. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_classify_rogue_aps_ewlc.html |
290005 | Monitoring: AP system monitoring statistics are not enabled. To improve AP status visibility it would be recommended to use it. AP Profiles: default-ap-profile Action: Monitor System Statistics is a feature in 17.5 and higher, to enable AP CPU and memory monitoring , you can enable it on AP profile, AP tab, AP statistics section |
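As an added example (not code from the thread, from Cisco, or from the Config Analyzer), a small Python checker that reads the two Vlan1/redun-management stanzas posted at the top of the thread and applies the checks the replies raise: the RMI addresses must sit on the WMI subnet, both controllers must agree on which address belongs to chassis 1 and chassis 2, and an RMI address must not also be an address of the SVI itself, which is the "overlapping address" finding the Analyzer reports above. The config strings are constructed from the posted configs, and the parsing is a plain regex pass over IOS-XE text, not Cisco's own parser.

```python
import ipaddress
import re

# Constructed from the wc01/wc02 configs posted in the thread, trimmed to the stanzas the checks read.
WC01_CFG = """\
interface Vlan1
 ip address 192.168.1.249 255.255.255.0 secondary
 ip address 192.168.1.251 255.255.255.0
!
redun-management interface Vlan1 chassis 2 address 192.168.1.249 chassis 1 address 192.168.1.250
"""
WC02_CFG = """\
interface Vlan1
 ip address 192.168.1.250 255.255.255.0 secondary
 ip address 192.168.1.252 255.255.255.0
!
redun-management interface Vlan1 chassis 1 address 192.168.1.250 chassis 2 address 192.168.1.249
"""

RM_RE = re.compile(r"^redun-management interface (\S+)\s+chassis (\d) address (\S+)"
                   r"\s+chassis (\d) address (\S+)", re.M | re.I)
IP_RE = re.compile(r"^\s*ip address (\S+) (\S+)( secondary)?", re.M)

def parse_svi(cfg, name):
    """Return (primary IPv4Interface, [secondary IPv4Address...]) of the named SVI stanza."""
    m = re.search(rf"^interface {re.escape(name)}\s*\n(.*?)(?=^\S|\Z)", cfg, re.M | re.S | re.I)
    if not m:
        raise ValueError(f"interface {name} not found")
    primary, secondaries = None, []
    for ip, mask, sec in IP_RE.findall(m.group(1)):
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
        if sec:
            secondaries.append(iface.ip)
        else:
            primary = iface
    if primary is None:
        raise ValueError(f"interface {name} has no primary address")
    return primary, secondaries

def parse_rmi(cfg):
    """Return (SVI name, {chassis number: RMI address}) from the redun-management line."""
    m = RM_RE.search(cfg)
    if not m:
        raise ValueError("no redun-management line")
    svi, c_a, ip_a, c_b, ip_b = m.groups()
    return svi, {int(c_a): ipaddress.ip_address(ip_a), int(c_b): ipaddress.ip_address(ip_b)}

def check_sso_pair(cfg_a, cfg_b):
    """Cross-check both controllers' configs; an empty list means no finding."""
    findings, maps = [], []
    for label, cfg in (("A", cfg_a), ("B", cfg_b)):
        svi, rmi = parse_rmi(cfg)
        primary, secondaries = parse_svi(cfg, svi)
        maps.append(rmi)
        for chassis, addr in rmi.items():
            # RMI must be on the WMI subnet, but an RMI address that is also an address
            # of the SVI itself is the Config Analyzer's "overlapping address" condition.
            if addr not in primary.network:
                findings.append(f"{label}: RMI {addr} (chassis {chassis}) outside WMI subnet {primary.network}")
            if addr == primary.ip or addr in secondaries:
                findings.append(f"{label}: RMI {addr} (chassis {chassis}) is also an address on {svi}")
    if maps[0] != maps[1]:
        findings.append("chassis-to-RMI mapping differs between the two controllers")
    return findings
```

Against the posted configs it reports that 192.168.1.249 and 192.168.1.250 are also secondary addresses on Vlan1 on wc01 and wc02 respectively; the Vlan10 variant posted later in the thread keeps the same secondary-address pattern and would be flagged the same way.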
01-28-2025 06:29 PM
I think this is the issue:
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 192.168.1.100 255.255.255.0
negotiation auto
no mop enabled
!
interface Vlan1
ip address 192.168.1.249 255.255.255.0 secondary
ip address 192.168.1.251 255.255.255.0
ip helper-address 192.168.1.254
no mop enabled
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route vrf Mgmt-intf 0.0.0.0 255.255.255.0 192.168.1.254
!
01-28-2025 07:10 PM
They should be in the same subnet; however, the RP needs to be directly connected, or both controllers' RP ports connected to a VLAN that is not used, just to isolate the traffic.
01-28-2025 08:29 PM
That's what I just did. Still doesn't work, though. "unconfigging" was difficult. Had many reboots.
wlc01
interface Vlan1
no ip address 192.168.1.249 255.255.255.0 secondary
ip address 192.168.1.251 255.255.255.0
ip helper-address 192.168.1.254
no mop enabled
interface Vlan10
ip address 10.1.10.249 255.255.255.0 secondary
ip address 10.1.10.251 255.255.255.0
ip helper-address 10.1.10.1
no shut
no mop enabled
no redun-management interface Vlan1 chassis 2 address 192.168.1.249 chassis 1 address 192.168.1.250
redun-management interface vlan 10 chassis 2 address 10.1.10.249 chassis 1 address 10.1.10.250
====================================
wlc02
interface Vlan1
no ip address 192.168.1.250 255.255.255.0 secondary
ip address 192.168.1.252 255.255.255.0
ip helper-address 192.168.1.254
no mop enabled
interface Vlan10
ip address 10.1.10.250 255.255.255.0 secondary
ip address 10.1.10.252 255.255.255.0
ip helper-address 10.1.10.1
no mop enabled
no shut
vlan 10
name mgmt
!
no redun-management interface Vlan1 chassis 1 address 192.168.1.250 chassis 2 address 192.168.1.249
redun-management interface Vlan10 chassis 1 address 10.1.10.250 chassis 2 address 10.1.10.249
========================
Each WLC can ping the other's 10.1.10.x addresses just fine. Redundancy doesn't work, though. At least the hostnames are NOT changing. Fix one thing, break something else....
01-28-2025 08:12 AM
@tdennehy wrote:
This is ridiculous, its the most simple config and I must be missing something very, very basic.
My 2 cents is, it's simple if you do this all the time; troubleshooting, upgrading, etc. on SSO is not easy at all. That is why I tend to implement N+1 rather than SSO, but that is me. Maybe this week I will lab this up on a 9800-CL. Like what others have also mentioned, I don't use VLAN 1 anywhere, especially with wireless.
01-27-2025 08:09 PM
Switch config:
interface Port-channel1
switchport mode trunk
switchport nonegotiate
logging event trunk-status
logging event bundle-status
!
interface Port-channel2
switchport mode trunk
switchport nonegotiate
logging event trunk-status
logging event bundle-status
!
interface GigabitEthernet0/25 <- wlc01
switchport mode trunk
switchport nonegotiate
logging event trunk-status
logging event bundle-status
channel-group 1 mode on
!
interface GigabitEthernet0/26
switchport mode trunk
switchport nonegotiate
logging event trunk-status
logging event bundle-status
channel-group 1 mode on
!
interface GigabitEthernet0/27 <- wlc02
switchport mode trunk
switchport nonegotiate
logging event trunk-status
logging event bundle-status
channel-group 2 mode on
!
interface GigabitEthernet0/28
switchport mode trunk
switchport nonegotiate
logging event trunk-status
logging event bundle-status
channel-group 2 mode on
!
interface Vlan1
description bench network
ip address 192.168.1.254 255.255.255.0
