05-06-2010 03:05 AM - edited 07-03-2021 06:46 PM
I have just set up a WLC 4402 as a guest WLAN controller on the DMZ of our network.
I have successfully managed to get our internal controllers to connect to it, with the exception of 1. It says the control path is up but the data path is down. The other 14 controllers worked fine, and in testing the last one was OK, but it is now not working properly. The 2 controllers can ping each other but just won't create the data tunnel. There is a firewall in the middle, but that has been set up to allow traffic between the 2 groups of controllers to be unrestricted.
The internal controllers are 4404s and all controllers are running the same version of code, 5.1.151.0.
Any ideas would be great.
Adam
01-30-2011 01:37 PM
This link will help you understand mping and eping.
http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b1a506.shtml
01-30-2011 01:41 PM
Are you positive that you anchored your WLAN on the foreign controller?
Is this Anchor controller used for guest anchoring with your other controllers?
01-30-2011 03:10 PM
Are you positive that you anchored your WLAN on the foreign controller? YES
Is this Anchor controller used for guest anchoring with your other controllers? YES
I read the Cisco doc and confirm eping and mping test the required ports.
Still...NOGO.....have a good night and I plan to respond with findings.
05-06-2011 01:14 AM
In my case this was the firewall. I had end-to-end IP connectivity and managed to establish mping successfully, but eping wasn't working. I had data down between the anchors and the foreign WLCs. I had the 16666-7 CAPWAP ports allowed back, but it turned out I needed a rule returning for the SNMP & protocol 97 traffic. Despite having it on egress from the foreign side, they are needed on the anchor side as well for initiation, i.e. it's bi-directional.
10-20-2018 02:12 AM
Even I am facing the same issue. I am able to ping between two WLCs that are in different locations, but I am not able to do mping and eping.
Is this the correct way of doing it:
WLC configured with service port and management port
1) Service port is for management purposes
2) Management port is configured for mobility communication
But the issue we face:
We are not able to route the traffic via the management port, and the management IP is not allowed to be configured as the WLC gateway.
Anyone, please suggest.
10-20-2018 06:43 AM
10-21-2018 12:07 AM
Hi Scott,
Thank you. Yes, based on that I have configured it, but I am not able to add any routing for the management port. That is the issue.
"Gateway need to be on service port subnet"
Tried to delete it, but not able to delete it either.
10-21-2018 09:01 AM
The WLC is a L2 device. All you need is the gateway information when you are defining the management interface. The service port is OOB and again should not be routable. You will have issues if it is. Your best bet is to remove the service port from the network and just have the management port connected.
10-21-2018 09:03 AM
Post some screen shot so I can at least understand what you have and what you are trying to do.
05-12-2011 07:34 AM
Facing the same issue here. Control Path up, Datapath down when Checkpoint firewall policy is pushed with SecureXL enabled.
What kind of firewalls are in between the anchor and foreign controller?
10-21-2011 07:18 AM
I know this post is old but I came across it when I was really stuck with the same issue and thought I'd share what resolved it for me.
So controller in DMZ (anchor) would not respond to eping from foreign controller. mping and icmp were fine.
ASA was the firewall.
Much packet tracing and frustration followed as the rule to allow IP protocol 97 was in the ACL for both the DMZ interface and the inside interface.
In my case the problem was that I had added the UDP CAPWAP rule into the ACLs first, and this allowed the control path to come up. Unfortunately, because the mobility group keep-alive is set to 10 seconds, it kept the flow up between the two WLCs on the ASA. Therefore when I added the ACE for IP 97 it wasn't reflected, because there was an existing flow between the two.
So, solution for me was this on the firewall..
clear conn add x.x.x.x add y.y.y.y
...where x.x.x.x equals the management IP of your DMZ controller and y.y.y.y is the management IP of the foreign controller.
Once this was done I could then eping successfully. So frustrating seeing the correct ACLs in place and traffic still not passing. Still, it's a lesson learned for me!
Hope this helps someone else in a similar situation in future.
Dave
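The rule gap described in the 05-06-2011 post and in Dave's post, as an added example that is not part of the original thread: a simplified first-match ACL model (not ASA, Juniper or Checkpoint behaviour) that checks whether each controller may initiate UDP 16666 mobility control traffic (what mping tests) and IP protocol 97 EoIP data traffic (what eping tests). The addresses, rule tuples and function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addresses (documentation ranges), not from the thread.
FOREIGN, ANCHOR = "192.0.2.10", "198.51.100.10"

# What each mobility path needs: (protocol, destination port or None).
REQUIRED = {"control (mping)": ("udp", 16666), "data (eping)": ("97", None)}

def permitted(acl, proto, src, dst, port):
    """First-match evaluation of a simplified ACL; implicit deny at the end."""
    for action, r_proto, r_src, r_dst, r_port in acl:
        if r_proto not in ("ip", proto):
            continue
        if ip_address(src) not in ip_network(r_src):
            continue
        if ip_address(dst) not in ip_network(r_dst):
            continue
        if r_port is not None and r_port != port:
            continue
        return action == "permit"
    return False

def mobility_paths(inside_acl, dmz_acl):
    """Report, per path, whether each side is allowed to initiate."""
    report = {}
    for name, (proto, port) in REQUIRED.items():
        out = permitted(inside_acl, proto, FOREIGN, ANCHOR, port)
        back = permitted(dmz_acl, proto, ANCHOR, FOREIGN, port)
        report[name] = {"foreign->anchor": out, "anchor->foreign": back,
                        "up": out and back}
    return report

# Constructed rule sets: (action, protocol, source, destination, dst port).
INSIDE = [("permit", "udp", "192.0.2.10/32", "198.51.100.10/32", 16666),
          ("permit", "97", "192.0.2.10/32", "198.51.100.10/32", None)]
# DMZ side before the fix: control allowed back, protocol 97 missing.
DMZ_BEFORE = [("permit", "udp", "198.51.100.10/32", "192.0.2.10/32", 16666)]
DMZ_AFTER = DMZ_BEFORE + [
    ("permit", "97", "198.51.100.10/32", "192.0.2.10/32", None)]

if __name__ == "__main__":
    for label, dmz in (("before", DMZ_BEFORE), ("after", DMZ_AFTER)):
        for path, result in mobility_paths(INSIDE, dmz).items():
            print(label, path, result)
```

If the rules pass this kind of check and eping still fails, the posts in this thread report that clearing the existing connection between the two management IPs on the firewall restored the data path.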
12-01-2011 02:26 AM
Hi Dave,
I can confirm that likely you have found the proper solution (or workaround) for this issue. Yesterday we had the same issue with the mobility anchors whereas control path was up and data path was down and that was only applicable for random very selective controllers (whilst the others were fine) which didn't make sense at all.
Clearing the EoIP session on the firewall (Juniper in our case) has resolved the issue and restored data path.
Perhaps Adam has resolved this since then as well, however this forum is still very good for those who may experience the same.
Cheers,
Ilya
07-21-2014 11:31 AM
Head Shot Dave, Your fix worked like a Charm.
Irrespective of ASA, Juniper or Checkpoint, clearing the connections always seemed to help.
Can't THANK YOU ENOUGH
04-13-2016 03:21 AM
I can confirm this still works, stuck with 'Data Path Down' until we cleared the connections. Similar scenario running 8.0 with an Anchor in a DMZ behind an ASA. Saved potentially hours of troubleshooting.
07-27-2016 09:19 PM
You're my hero Dave! Same issue and after clearing conn, came up immediately! Thanks!!
Chris