Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
61346
Views
45
Helpful
45
Replies

Data path down control path up issue

Adam Watts
Level 1
Level 1

‎05-06-2010 03:05 AM - edited ‎07-03-2021 06:46 PM

have just set up a WLC 4402 as a Guest WLan controler on the DMZ of our network.

i have sucsessfully managed to get our internal controllers to connect to it, with the exception of 1. it says the control path is up but the data path is down. the other 14 controllers worked fine, and in testing the last one was ok but it is now not working properly. the 2 controllers can ping each other but just won't create the data tunnel. there is a firewall in the middle but that has been set up to allow traffic between the 2 groups of controllers to be unrestricted.

the internal controllers are 4404's and all controllers are running the same version of code. 5.1.151.0

any ideas would be great.

Adam

4 people had this problem
Labels:
0 Helpful
45 Replies 45

Scott Fella
Hall of Fame
Hall of Fame
In response to christopher.hodge

‎01-30-2011 01:37 PM

This link will help you understand mping and eping.

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b1a506.shtml

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
0 Helpful

George Stefanick
VIP Alumni
VIP Alumni
In response to christopher.hodge

‎01-30-2011 01:41 PM

Are you positive that you anchored your WLAN on the foreign controller?

Is this Anchor controller used for guest anchoring with your other controllers?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
0 Helpful

christopher.hodge
Level 1
Level 1
In response to George Stefanick

‎01-30-2011 03:10 PM

Are you positive that you anchored your WLAN on the foreign controller? YES

Is this Anchor controller used for guest anchoring with your other controllers? YES

I read the Cisco doc and confirm eping and mping test the required ports.

Still...NOGO.....have a good night and I plan to respond with findings.

0 Helpful

dperowne
Level 1
Level 1
In response to christopher.hodge

‎05-06-2011 01:14 AM

In my case this was the firewall. I had end-end IP connectivity, managed to establish mping successfully, but eping wasn't working. I had Data down between the anchors and the foreign WLCs. I had the 16666-7 capwap ports allowed back, but turned out I needed a rule returning for the snmp & protocol 97 traffic, despite having in on egress from the foreign side, they are needed on the anchor side as well for initiation, ie: it's bi-directional.

0 Helpful

csco10979295
Level 1
Level 1
In response to christopher.hodge

‎10-20-2018 02:12 AM

Even I am facing same issue . i can able to ping between two WLC are in different location . But not able to do mping and eping 

 

is this correct way of doing :-

 

  WLC configured  serviceport and Management port 

   1) Service port is for management purpose 

   2) Management port we configured for Mobility communication 

 

But the issue we face 

   we are not able route the traffic via Management port and management IP not allowed to configre as WLC gateway .

 

Any one suggest please  

 

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to csco10979295

‎10-20-2018 06:43 AM

The management interface is required to be used for everything. The service port is only to be used as OOB and if connected to the network should not be routable. Your setup is backwards.
-Scott
*** Please rate helpful posts ***
0 Helpful

csco10979295
Level 1
Level 1
In response to Scott Fella

‎10-21-2018 12:07 AM

Hi Scott,

 

        Thank you . yes based on that i have configured . but i am not able to add any routing for the management port . that is the issue . 

"Gateway need to be on service port subnet"

 

try to delete it - but not able to delete also . 

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to csco10979295

‎10-21-2018 09:01 AM

The WLC is a L2 device. All you need is the gateway information when you are defining the management interface. The service port is OOB and again should not be routable. You will have issues if it is.  Your best bet is to remove the service port from the network and just have the management port connected. 

-Scott
*** Please rate helpful posts ***
0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to csco10979295

‎10-21-2018 09:03 AM

Post some screen shot so I can at least understand what you have and what you are trying to do. 

-Scott
*** Please rate helpful posts ***
0 Helpful

chris.van.krieken
Level 1
Level 1
In response to christopher.hodge

‎05-12-2011 07:34 AM

Facing the same issue here. Control Path up, Datapath down when Checkpoint firewall policy is pushed with SecureXL enabled.

What kind of firewalls are in between achor and foreign controller ?

Dave Lewis
Level 1
Level 1

‎10-21-2011 07:18 AM

I know this post is old but I came across it when I was really stuck with the same issue and thought I'd share what resolved it for me.

So controller in DMZ (anchor) would not respond to eping from foreign controller. mping and icmp were fine.

ASA was the firewall.

Much packet tracing and frustration followed as the rule to allow IP protocol 97 was in the ACL for both the DMZ interface and the inside interface.

In my case the problem was that I had added the UDP CAPWAP rule into the ACL's first, this allowed the control path to come up. Unfortunately, because the mobility group keep-alive is set to 10 seconds it kept the flow up between the two WLC's on the ASA. Therefore when I added the ACE for IP 97 it wasn't reflected because there was an existing flow between the two.

So, solution for me was this on the firewall..

clear conn add x.x.x.x add y.y.y.y

...where x.x.x.x equals the management IP of your DMZ controller and y.y.y.y is the management IP of the foreign controller.

Once this was done I could then eping succesfully. So frustraing seeing the correct ACL's in place and traffic still not passing, still - it's a lesson learned for me!

Hope this helps someone else in a similar situation in future.

Dave

Ilya.Puzyrin
Level 1
Level 1
In response to Dave Lewis

‎12-01-2011 02:26 AM

Hi Dave,

I can confirm that likely you have found the proper solution (or workaround) for this issue. Yesterday we had the same issue with the mobility anchors whereas control path was up and data path was down and that was only applicable for random very selective controllers (whilst the others were fine) which didn't make sense at all.

Clearing the EoIP session on the firewall (Juniper in our case) has resolved the issue and restored data path.

Perhaps Adam has resolved this since then as well, however this forum is still very good for those who may experience the same.

Cheers,

Ilya

karthikeyansrinivasan
Level 1
Level 1
In response to Dave Lewis

‎07-21-2014 11:31 AM

 

Head Shot Dave, Your fix worked like a Charm.

Irrespective of ASA , Juniper or Checkpoint, clearing the connections always seemed to help.

 

Can't THANK YOU ENOUGH laugh

0 Helpful

Steve11
Level 1
Level 1
In response to Dave Lewis

‎04-13-2016 03:21 AM

I can confirm this still works, stuck with 'Data Path Down' until we cleared the connections. Similar scenario running 8.0 with an Anchor in a DMZ behind an ASA.  Saved potentially hours of troubleshooting.

0 Helpful

dakahn
Level 1
Level 1
In response to Dave Lewis

‎07-27-2016 09:19 PM

Your my hero Dave! Same issue and after clearing conn, came up immediately! Thanks!!

Chris

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card