Control Path Down

scottwilliamson
Level 5

Hi,

The control path between our Guest Anchor WLC4402 and one of our foreign controllers is down; all other control paths are up, as are all of the data paths. The Anchor is behind a firewall, the configuration of which must be OK due to the other WLCs' data and control paths being up. Can anyone tell me how I check that the WLCs are receiving each other's mobility packets, e.g. via debug?

Many Thanks

Scott

Accepted Solutions

weterry
Level 10

debug mobility keepalive

You should see a "data path" keepalive every 10 seconds and a "control path" keepalive every 30 seconds.

I believe the Control Path will be a message about port 16666.

Run this from all controllers and verify who is sending the keepalive (I believe it is lowest mac address).

Bottom line is that if you see one controller send it, and the other doesn't receive it, that sounds like it is getting lost along the way.

I've seen a configuration before where, if the DMZ Controller is the initiator of the keepalive (high mac address?), then the path may be down. It had to do with the firewall allowing the session from Trust to DMZ (and the return traffic), but not allowing the DMZ to initiate the session.

You could try an mping from both controllers and see if you can get a response....?

Hi Wesley,

Thanks for that, you've helped me realise what the problem is: the Anchor was not sending UDP port 16666 to the problem controller. It occurred to me that the Service Port address of the Anchor was on the same subnet as the Manager interfaces of the controller it could not establish the EoIP tunnel with. I've changed the Service Port address and everything now works.

Thank you,

Scott

santoshrijala12
Frequent Visitor

I am having the same issues: the DMZ controller sends keepalive messages to the 9800 controller, and when I check logging on the 9800 controller the peer link to the DMZ is down.

on DMZ:

*mmMobility: Jun 20 11:33:17.758: Keepalive:VALID:ETHOIP_OP_REQ:Sent to 10.xxx.x.x:version=02:SeqNo=37744104:receiverStatusOnTransmitter=0

mmMobility: Jun 20 11:33:17.758: Keepalive: Mobility Data Ping response failed for the peer 10.xxx.x.x retryCount= 2

on 9800 logging:

Jun 20 10:38:09.095: %MM_INFRA_LOG-3-RECV_FAILED: Chassis 1 R0/0: mobilityd: Unable to receive mobility message pmk_update from ipv4: 192.168.xxx.x . reason: Peer link is down
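Added example, not part of the original thread: a small Python triage script that tallies, per peer, the keepalive requests a controller sent and the ping-response failures it logged, so a capture of `debug mobility keepalive` can be scanned quickly. It recognises only the two line shapes quoted in the post above; the sample lines and the 192.0.2.x peer addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the two line shapes quoted in the post above;
# peer addresses are documentation-range placeholders, not real controllers.
SAMPLE = """\
*mmMobility: Jun 20 11:33:07.758: Keepalive:VALID:ETHOIP_OP_REQ:Sent to 192.0.2.10:version=02:SeqNo=37744103:receiverStatusOnTransmitter=0
*mmMobility: Jun 20 11:33:07.758: Keepalive: Mobility Data Ping response failed for the peer 192.0.2.10 retryCount= 1
*mmMobility: Jun 20 11:33:07.760: Keepalive:VALID:ETHOIP_OP_REQ:Sent to 192.0.2.20:version=02:SeqNo=5120:receiverStatusOnTransmitter=0
*mmMobility: Jun 20 11:33:17.758: Keepalive:VALID:ETHOIP_OP_REQ:Sent to 192.0.2.10:version=02:SeqNo=37744104:receiverStatusOnTransmitter=0
mmMobility: Jun 20 11:33:17.758: Keepalive: Mobility Data Ping response failed for the peer 192.0.2.10 retryCount= 2
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
# Groups: opcode, peer address, sequence number.
SENT = re.compile(r"Keepalive:\w+:(\w+):Sent to " + IP + r":.*?SeqNo=(\d+)")
# Groups: ping kind (the post shows "Data"), peer address, retry count.
FAILED = re.compile(r"Keepalive: Mobility (\w+) Ping response failed for the peer "
                    + IP + r" retryCount=\s*(\d+)")


def summarize(text):
    """Tally keepalive requests sent and ping-response failures per peer."""
    peers = defaultdict(lambda: {"sent": 0, "failed": 0,
                                 "max_retry": 0, "last_seq": None})
    for line in text.splitlines():
        m = SENT.search(line)
        if m:
            entry = peers[m.group(2)]
            entry["sent"] += 1
            entry["last_seq"] = int(m.group(3))
            continue
        m = FAILED.search(line)
        if m:
            entry = peers[m.group(2)]
            entry["failed"] += 1
            entry["max_retry"] = max(entry["max_retry"], int(m.group(3)))
    return dict(peers)


def suspect_peers(text):
    """Peers for which at least one ping-response failure was logged."""
    return sorted(ip for ip, s in summarize(text).items() if s["failed"])


if __name__ == "__main__":
    for ip, stats in sorted(summarize(SAMPLE).items()):
        print(ip, stats)
    print("check path to:", suspect_peers(SAMPLE))
```

This reads one controller's output only; whether the far end received the request still has to be confirmed in that controller's own debug or logging.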

@santoshrijala12 as @Mark Elsen has already said to you on duplicate post https://community.cisco.com/t5/wireless/mobility-link-down-after-update-17-3-3-on-9800-cl/m-p/5301162/highlight/true#M284210 - please open a new thread and provide complete details of your issue rather than trying to revive years old threads which could be on different hardware and versions of software and be of limited relevance now.

- What models of WLC at each end?
- What versions of software are the WLCs running?
- What troubleshooting have you performed?
- What caused it to stop working? What changes were made?
- Have you used the Config Analyser to check both the WLC configs? (see the link and tips below)


My issue has been resolved after deleting and re-adding both the controllers from the DMZ (AireOS) and 9800 (IOS-XE) controllers. Before deleting mobility peers from the 9800 controller, it is required to move the anchor controller from the Policy tab and re-add them; hope it helps others too. But at first I confirmed with the Radio active trace from the 9800 controller targeting the AireOS controller MAC address.
