Configuring SSO on a pair of 9800-L issue

tdennehy
Level 2

I am trying to configure what should be a very simple setup.  Two 9800-Ls on a bench with a switch in between.  They can ping each other when I configure SSO on both boxes, and I can ping the secondary.  But neither will ever become the standby.

I'm wondering if there is "something else" that everyone always forgets to do when configuring SSO.  It's so simple, just using vlan1 on both, with 192.168.1.x addresses.

Waiting for remote chassis to join
#######################################################################################

wc01:

interface Port-channel1
description ** uplink **
switchport mode trunk
!
interface Port-channel2
description ** uplink **
switchport mode trunk

 
interface TenGigabitEthernet0/1/0
switchport mode trunk
no negotiation auto
no mop enabled
channel-group 1 mode on
!
interface TenGigabitEthernet0/1/1
switchport mode trunk
no negotiation auto
channel-group 1 mode on
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 192.168.1.100 255.255.255.0
negotiation auto
no mop enabled
!
interface Vlan1
ip address 192.168.1.249 255.255.255.0 secondary
ip address 192.168.1.251 255.255.255.0
ip helper-address 192.168.1.254
no mop enabled

ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route vrf Mgmt-intf 0.0.0.0 255.255.255.0 192.168.1.254
redun-management interface Vlan1 chassis 2 address 192.168.1.249 chassis 1 address 192.168.1.250

 

wc02:

!
interface Port-channel1
description ** uplink **
switchport mode trunk
!
interface Port-channel2
description ** uplink **
switchport mode trunk
!

interface TenGigabitEthernet0/1/0
switchport mode trunk
speed 1000 (its a 1gig SFP)
no negotiation auto
no snmp trap link-status
no mop enabled
channel-group 2 mode on
!
interface TenGigabitEthernet0/1/1
switchport mode trunk
speed 10000
no negotiation auto
no snmp trap link-status
channel-group 2 mode on
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 192.168.1.101 255.255.255.0
negotiation auto
no mop enabled
!
interface Vlan1
ip address 192.168.1.250 255.255.255.0 secondary
ip address 192.168.1.252 255.255.255.0
ip helper-address 192.168.1.254
no mop enabled

!
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route vrf Mgmt-intf 0.0.0.0 255.255.255.0 192.168.1.254

redun-management interface Vlan1 chassis 1 address 192.168.1.250 chassis 2 address 192.168.1.249

Could I be missing something?  This should not be that difficult!!!

Accepted Solution

No that will never work. The rules for SSO are absolutely clear - both chassis must have the identical PID.


tdennehy
Level 2

When I plug in the uplink, I get this output on wc02:

*Jan 27 19:35:29.618: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel2, changed state to up
*Jan 27 19:35:29.621: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
*Jan 27 19:35:30.425: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
*Jan 27 19:35:34.150: %RIF_MGR_FSM-6-RMI_GW_DECISION_DEFERRED: Chassis 1 R0/0: rif_mgr: High CPU utilisation on active or standby, deferring action on gateway-down event
*Jan 27 19:35:54.151: %RIF_MGR_FSM-6-GW_REACHABLE_ACTIVE: Chassis 1 R0/0: rif_mgr: Gateway reachable from Active
*Jan 27 19:35:56.798: %RIF_MGR_FSM-6-RMI_LINK_UP: Chassis 1 R0/0: rif_mgr: The RMI link is UP.
*Jan 27 19:35:56.798: %STACKMGR-1-DUAL_ACTIVE_CFG_MSG: Chassis 1 R0/0: stack_mgr: Dual Active Detection link is available now

edh001-001-wc02#sho chassis
Chassis/Stack Mac Address : 8c1e.806e.9080 - Local Mac Address
Mac persistency wait time: Indefinite
Local Redundancy Port Type: Twisted Pair
H/W Current
Chassis# Role Mac Address Priority Version State IP
-------------------------------------------------------------------------------------
*1 Active 8c1e.806e.9080 1 V02 Ready 169.254.1.250

wc01: (when I plug in the uplinks, it changes its name)


edh001-001-wc01(recovery-mode)_2_RP_0(diag)#
edh001-001-wc01(recovery-mode)_2_RP_0(diag)#

 

Share your topology 

MHM

Two WLCs on a bench, side by side with a switch configured with uplinks.  Literally a flat network.  I have been messing with it all day, and I have gotten this to work on production boxes.  For some reason I'm having an issue with the two on the bench with a switch with vlan 1 @ 192.168.1.254.

The two WLCs have IPs in the .249, .250, .251 and .252.  It's the simplest of networks, so I figured I missed something very simple.  Leo suggests both Chassis 1, so I will go look at that.

utilisation on active or standby, deferring action on gateway-down event <<-

This is important:

RMI and WMI in the same subnet.

In the SW, do you config an SVI for the mgmt VLAN?

The RMI of both units must point to this IP.

MHM

Yes, RMI and WMI in same subnet.  VLAN 1. 

Switch SVI is vlan1, IP = 192.168.1.254

As soon as I plug the interfaces to the switch, the switch name changes to the one in the output in the thread.  I'm not sure what I'm missing.

The interfaces in trunks and POs are supported.    I guess my next step is to create another vlan and assign interfaces for SSO in there to see if that fixes it.  This is ridiculous, it's the most simple config and I must be missing something very, very basic.

 

@tdennehy wrote : >....I guess my next step is to create another vlan and assign interfaces for SSO in there to see if that fixes it.  This is ridiculous, it's the most simple config and I must be missing something very, very basic.

Well in general it is not advised to stick to vlan1 for all 9800 operations and use
Remember to always use the WirelessAnalyzer procedure when configuring the 9800 ; it is vital for these cases.
I repeat it here :  using the CLI command show tech wireless
(not a simple show tech ) and feed the output from that into Wireless Config Analyzer

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Marce, using vlan 1 is ONLY on the bench.  This is not production.  I'm just doing this so I can run through a scenario and write a document so we can upgrade our production boxes.  We like to run things through on the bench first before doing a production facility that is 24x7x365.

High Availability: Redundancy management interface has overlapping address with wireless management, this can cause serious network problems
Action: Modify the command redun-management using non-overlapping addresses.
230078
High Availability: Redundancy state indicates a possible problem. Please check status of the other unit
Action: RMI configuration was detected, and the current redundancy state indicates a problem. Check the status of the other unit
230124
Management: HTTP server does not have an IPv4 access class set. To improve security, it is advisable to set ACL explicitly allowing address that can configure the controller
Action: For better WebUI security, set access class with ip http access-class command. For more information: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-17/221107-filter-traffic-destined-to-cisco-ios-xe.html
230001
Version: IOS-XE Controller with not recommended code:17.9.4a, please check software download page for the current version for your hardware
Action: Controller is running not recommended code and should be upgraded, better, similar code is available.
230023
NTP: Controller with no valid time source (sync has not happened) or file without NTP information, please check if controller has valid NTP server configured
Action: No active time source detected for this controller. It could be incomplete configuration. Command: config time ntp server
230038
Management: To prevent WebUI issues while using some large GUI options (VLANs for example), it is advisable to increase the VTY count to 50
Action: Use the command 'line vty 0 50' to increase the VTY count
230056
Management: Service tcp-keepalive in/out, should be enabled to reduce lingering inactive connections to management points
Action: Add: service tcp-keepalives in/service tcp-keepalives out to configuration
230065
Webauth: The Webauth Global parameter map, does not have IPv6 virtual address. It is advisable to add one
Action: Depending on your client types, it is good idea to define IPv6 virtual address for Webauth. It can reduce redirection errors. Use 'parameter-map type webauth global' config command, then 'virtual-ip ipv6 ADDRESS'
230085
LAG: LAG was detected in use, and port channel load balancing is not set to src-dst-mixed-ip-port. Per best practices, please change both the controller and the switch for optimal port balancing
Action: Best practices recommend to use command port-channel load-balance src-dst-mixed-ip-port, for best port balancing. This must be configured as well on the switch side
230129
Security: Current configuration is vulnerable to CVE-2023-48795/CSCwi59338, Chacha20 should be removed from SSH encryption options
Action: CVE-2023-48795 describes a security problem on some SSH extensions present in OpenSSH for specific encryption protocols. It is recommended to remove this option from SSH configuration. Use command: ip ssh server algorithm encryption aes128-gcm@openssh.com aes256-gcm@openssh.com aes128-gcm aes256-gcm aes128-ctr aes192-ctr aes256-ctr.
230140
Interfaces: More than one Port Channel interface with same allowed VLAN list
Action: Allowing same VLANs across Port Channels, may cause traffic loop, and possible instability issues. It is advisable to filter out vlans that are not required to be duplicated. Check your topology, as this may depend on switch side configuration as well, and could be fine for your config. Command: switchport trunk allowed vlan
230057
DHCP: If DHCP helper (relay) is defined, the interface should have dhcp relay source interface command pointing to wireless management interface, to avoid asymmetric DHCP routing scenarios. Interfaces: Vlan1
Action: Add: ip dhcp relay source-interface to the interface SVI/Vlan configuration
240020
11k: 11k Neighbor List is in use, but dual band is disabled. if not using single-band devices, enable both for best results. WLAN(s): JAYHAWK
Action: For best results, it is better to enable dual band support for 11k. This should only be avoided, if single band devices are present on the network. This is part of the WLAN profile
250014
ARP: ARP proxy is disabled. To save client battery and other performance improvements, it is recommended to enable. Profiles: default-policy-profile
Action: Go to the policy profile and enable ARP proxy setting. This is available from 17.3
250015
Security: Profile with vlan set to default or 1. This is not recommended, even for AAA override scenarios. Profiles: default-policy-profile
Action: Go to the policy profile configure a VLAN. Default should only be used on small network, with low security requirements
290004
Syslog: Syslog host is not set (using default broadcast value). For best practices, it is recommended to use a syslog server. AP Profiles: default-ap-profile
Action: To ensure data is available for future troubleshooting in case of problems, it is best practices to define a syslog server for all APs on the Join profile
230026
11b: Legacy rate enabled in Global Config . Disabling low data rates/11b can help to optimise the channel utilisation on the 2.4 band. Depending on RF coverage, or if using legacy clients, this may cause problems. Please validate before enforcing the changes, as this may have important RF dependencies.
Action: In most scenarios, it is good idea to disable 11b data rates (1,2,5.5,11), as they would use more RF time, and be more sensible to interference, it is advisable to only enable 11g rates, unless you need to support legacy devices. Command:config 802.11b rate disabled X
230045
Client Profiling: Device Classification (client profiling) is not globally enabled, it is recommended to use it
Action: Use Device classification as best practice, to help on troubleshooting, network characterization or problem isolation
230046
RRM: ED-RRM is not in use. It is recommended to enable for enterprise environments. Band(s): 2.4 GHz 5 GHz
Action: This is purely a general recommendation, please validate if applicable in your environment. ED-RRM could provide fast reaction to severe RF issues
230042
Security: Password Encryption is not enabled. This is optional feature to protect keys/passwords in configuration
Action: Use password encryption aes command.For more information, check 9800 Best practices guide
230083
Tags: For versions 17.6 and higher, it is advisable to use AP tag persistency command, to ensure tags are preserved if AP is temporarily moved to another controller
Action: Configure ap tag persistency enable, this is specially important for N+1 redundancy scenarios
230099
Rogues: Rogue AP policies and rules should be defined, specially around managed SSIDs
Action: Rogue rules can improve alerting for possible rogues impersonating managed SSID. It is advisable to enable them. For more information: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_classify_rogue_aps_ewlc.html
290005
Monitoring: AP system monitoring statistics are not enabled. To improve AP status visibility it would be recommended to use it. AP Profiles: default-ap-profile
Action: Monitor System Statistics is a feature in 17.5 and higher, to enable AP CPU and memory monitoring , you can enable it on AP profile, AP tab, AP statistics section

I think this is the issue:

High Availability: Redundancy management interface has overlapping address with wireless management, this can cause serious network problems
Action: Modify the command redun-management using non-overlapping addresses.
 
Does it NOT want me to have redun-management addresses on the same subnet?  below:
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 192.168.1.100 255.255.255.0
negotiation auto
no mop enabled
!
interface Vlan1
ip address 192.168.1.249 255.255.255.0 secondary
ip address 192.168.1.251 255.255.255.0
ip helper-address 192.168.1.254
no mop enabled
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route vrf Mgmt-intf 0.0.0.0 255.255.255.0 192.168.1.254
!
Is it that the OOB G0 cannot have the same subnet as vlan1?

They should be in the same subnet, however the RP needs to be directly connected, or connect both controllers' RP ports to a vlan that is not used, just to isolate the traffic.

-Scott
*** Please rate helpful posts ***
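One way to sanity-check a 9800 SSO pair against the rules raised in this thread (RMI and WMI in the same subnet, the same chassis-to-address mapping on both boxes, no RMI address colliding with a WMI address or the gateway, and the identical-PID rule from the accepted answer). This is an added example, not Cisco tooling or anyone's post: the config snippets are constructed from the wc01/wc02 configs pasted above, the PID values are placeholders (the thread never shows the real ones), and `parse_controller`/`check_sso_pair` are names chosen here.

```python
import ipaddress
import re

RM_RE = re.compile(r"redun-management interface (\S+) chassis (\d) address (\S+) chassis (\d) address (\S+)")

def parse_controller(config):
    """Return ({chassis: rmi_ip}, wmi_interface) parsed from one 9800 running-config."""
    m = RM_RE.search(config)
    if not m:
        raise ValueError("no redun-management command found")
    intf, c_a, ip_a, c_b, ip_b = m.groups()
    rmi = {int(c_a): ipaddress.ip_address(ip_a), int(c_b): ipaddress.ip_address(ip_b)}
    wmi, in_svi = None, False
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            in_svi = line.split()[1].lower() == intf.lower()
        elif in_svi and line.startswith("ip address ") and not line.endswith("secondary"):
            addr, mask = line.split()[2:4]
            wmi = ipaddress.ip_interface(f"{addr}/{mask}")  # primary address = WMI
    if wmi is None:
        raise ValueError(f"no primary ip address on {intf}")
    return rmi, wmi

def check_sso_pair(cfg1, pid1, cfg2, pid2, gateway):
    """Apply the pairing rules from the thread; return findings (empty list means OK)."""
    findings = []
    if pid1 != pid2:  # accepted answer: both chassis must have the identical PID
        findings.append(f"PID mismatch: {pid1} vs {pid2}")
    rmi1, wmi1 = parse_controller(cfg1)
    rmi2, wmi2 = parse_controller(cfg2)
    if rmi1 != rmi2:  # both boxes must agree on which chassis owns which RMI address
        findings.append("redun-management chassis/address mapping differs between controllers")
    if len(set(rmi1.values())) < 2:
        findings.append("chassis 1 and chassis 2 share one RMI address")
    gw = ipaddress.ip_address(gateway)
    rmi_ips = set(rmi1.values()) | set(rmi2.values())
    for net in {wmi1.network, wmi2.network}:  # RMI, WMI and gateway share one subnet
        if gw not in net:
            findings.append(f"gateway {gw} is outside WMI subnet {net}")
        findings += [f"RMI {ip} is outside WMI subnet {net}" for ip in sorted(rmi_ips) if ip not in net]
    for ip in sorted(rmi_ips):  # an RMI address must not reuse a WMI address or the gateway
        if ip in (wmi1.ip, wmi2.ip, gw):
            findings.append(f"RMI {ip} collides with a WMI address or the gateway")
    return findings

# Constructed sample: the Vlan1 and redun-management lines from the wc01/wc02 configs above.
SVI = "interface Vlan1\n ip address {sec} 255.255.255.0 secondary\n ip address {pri} 255.255.255.0\n"
WC01 = SVI.format(sec="192.168.1.249", pri="192.168.1.251") + "redun-management interface Vlan1 chassis 2 address 192.168.1.249 chassis 1 address 192.168.1.250"
WC02 = SVI.format(sec="192.168.1.250", pri="192.168.1.252") + "redun-management interface Vlan1 chassis 1 address 192.168.1.250 chassis 2 address 192.168.1.249"

if __name__ == "__main__":
    # PIDs are placeholders; the thread never shows the real ones, only that they differed.
    for finding in check_sso_pair(WC01, "PID-PLACEHOLDER-A", WC02, "PID-PLACEHOLDER-B", "192.168.1.254"):
        print("FINDING:", finding)
```

With the addresses from the thread the only finding is the PID mismatch, which matches the accepted answer: the RMI/WMI addressing itself passes these checks.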

That's what I just did.  Still doesn't work, though.  "unconfigging" was difficult.  Had many reboots.

wlc01

interface Vlan1
no ip address 192.168.1.249 255.255.255.0 secondary
ip address 192.168.1.251 255.255.255.0
ip helper-address 192.168.1.254
no mop enabled

interface Vlan10
ip address 10.1.10.249 255.255.255.0 secondary
ip address 10.1.10.251 255.255.255.0
ip helper-address 10.1.10.1
no shut
no mop enabled

no redun-management interface Vlan1 chassis 2 address 192.168.1.249 chassis 1 address 192.168.1.250

redun-management interface vlan 10 chassis 2 address 10.1.10.249 chassis 1 address 10.1.10.250

====================================
wlc02

interface Vlan1
no ip address 192.168.1.250 255.255.255.0 secondary
ip address 192.168.1.252 255.255.255.0
ip helper-address 192.168.1.254
no mop enabled

interface Vlan10
ip address 10.1.10.250 255.255.255.0 secondary
ip address 10.1.10.252 255.255.255.0
ip helper-address 10.1.10.1
no mop enabled
no shut

vlan 10
name mgmt
!

no redun-management interface Vlan1 chassis 1 address 192.168.1.250 chassis 2 address 192.168.1.249

redun-management interface Vlan10 chassis 1 address 10.1.10.250 chassis 2 address 10.1.10.249

========================

Each WLC can ping the other's 10.1.10.x addresses just fine.  Redundancy doesn't work, though.  At least the hostnames are NOT changing.  Fix one thing, break something else....

When I was labbing that out a while back, I just wiped the whole config because it was easier that way.
-Scott
*** Please rate helpful posts ***


@tdennehy wrote:
This is ridiculous, it's the most simple config and I must be missing something very, very basic.

My 2 cents is, it's simple if you do this all the time; troubleshooting, upgrading, etc. on SSO is not easy at all.  That is why I tend to implement N+1 rather than SSO, but that is me. Maybe this week I will lab this up on a 9800-CL. Like what others have also mentioned, I don't use vlan 1 anywhere, especially with wireless.

-Scott
*** Please rate helpful posts ***

Switch config:  

interface Port-channel1
switchport mode trunk
switchport nonegotiate
logging event trunk-status
logging event bundle-status
!
interface Port-channel2
switchport mode trunk
switchport nonegotiate
logging event trunk-status
logging event bundle-status
!


interface GigabitEthernet0/25  <wlc01
switchport mode trunk
switchport nonegotiate
logging event trunk-status
logging event bundle-status
channel-group 1 mode on
!
interface GigabitEthernet0/26
switchport mode trunk
switchport nonegotiate
logging event trunk-status
logging event bundle-status
channel-group 1 mode on
!
interface GigabitEthernet0/27  <- WLC02
switchport mode trunk
switchport nonegotiate
logging event trunk-status
logging event bundle-status
channel-group 2 mode on
!
interface GigabitEthernet0/28
switchport mode trunk
switchport nonegotiate
logging event trunk-status
logging event bundle-status
channel-group 2 mode on
!
interface Vlan1
description bench network
ip address 192.168.1.254 255.255.255.0
