cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4600
Views
0
Helpful
4
Replies

Mobility Anchor Problems

Dan
Level 1
Level 1

Hi

 

I've used mobility anchors to do SSID sharing with two other organisations before over a site-to-site VPN - relatively complicated compared to regular Guest mobility anchoring - but despite small problems it worked well, and I understand all the required config to get it working. I'm now doing the same with a third organisation, this time over an MPLS and an ASA, much simpler this time, but getting nowhere.

 

The mobility group is up, the SSID is anchored to Local on my WLC, and to my WLC on the foreign WLC, the firewalls between the WLCs aren't blocking anything, the routing is in place, the SSID settings have been triple checked and they're exactly the same on the Security and Advanced tabs, Proxy DHCP is enabled and the same on both WLCs, Virtual Interface same IP. The anchor has been removed and rebuilt, the SSID has been disabled, anchor removed and re-added multiple times - standard mobility anchor troubleshooting. My WLC is a 5520 on 8.3.143.0, the foreign is a 5508 on the same major release, but a different revision.

 

My SSID is a Flexconnect one, it's configured with an interface on a VLAN connected to a core (Nexus) switch, everything is pingable (icmp, mping and eping) and DHCP is working for local clients on that VLAN - This is set up exactly the same as a previously mentioned working anchor, and clients get a DHCP address from that interface.

 

But when someone connects to the SSID via the foreign WLC, i get only this when debugging a client on my WLC:

 

(Cisco Controller) >*Dot1x_NW_MsgTask_6: May 02 09:36:44.637: [PA] e8:50:8b:##:##:## Mobile Announce recvd from 192.168.FOREIGNWLCIP Vlan List payload not found, ignoring ...

*Dot1x_NW_MsgTask_6: May 02 09:38:39.040: [PA] e8:50:8b:##:##:## Mobile Announce recvd from 192.168.FOREIGNWLCIP Vlan List payload not found, ignoring ...

Logs from the foreign WLC:

debug client E8:50:8B:##:##:##

(Cisco Controller) >*apfOpenDtlSocket: May 02 10:39:53.967: e8:50:8b:##:##:## Recevied management frame ASSOCIATION REQUEST  on BSSID e8:ed:f3:c2:16:55 destination addr e8:ed:f3:c2:16:55
*apfMsConnTask_2: May 02 10:39:53.968: e8:50:8b:##:##:## Re-applying interface policy for client 

*apfMsConnTask_2: May 02 10:39:53.969: e8:50:8b:##:##:## 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2985)
*apfMsConnTask_2: May 02 10:39:53.969: e8:50:8b:##:##:## 0.0.0.0 START (0) Changing Url ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255),Default action is '0' --- (caller apf_policy.c:3005)
*apfMsConnTask_2: May 02 10:39:53.969: e8:50:8b:##:##:## 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:3026)
*apfMsConnTask_2: May 02 10:39:53.969: e8:50:8b:##:##:## apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0
*apfMsConnTask_2: May 02 10:39:53.969: e8:50:8b:##:##:## apf_policy.c:2303 Assigning the SGT 0 to mobile (earlier sgt 0)
*apfMsConnTask_2: May 02 10:39:53.969: e8:50:8b:##:##:## Applying site-specific Local Bridging override for station e8:50:8b:##:##:## - vapId 11, site 'default-group', interface 'management'
*apfMsConnTask_2: May 02 10:39:53.969: e8:50:8b:##:##:## Applying Local Bridging Interface Policy for station e8:50:8b:##:##:## - vlan 0, interface id 0, interface 'management'
*apfMsConnTask_2: May 02 10:39:53.969: e8:50:8b:##:##:## processSsidIE  statusCode is 0 and status is 0 
*apfMsConnTask_2: May 02 10:39:53.969: e8:50:8b:##:##:## processSsidIE  ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_2: May 02 10:39:53.969: e8:50:8b:##:##:## STA - rates (5): 36 176 72 96 108 0 0 0 0 0 0 0 0 0 0 0
*apfMsConnTask_2: May 02 10:39:53.969: e8:50:8b:##:##:## suppRates  statusCode is 0 and gotSuppRatesElement is 1 
*apfMsConnTask_2: May 02 10:39:53.969: RSNIE in Assoc. Req.: (20)
*apfMsConnTask_2: May 02 10:39:53.969: e8:50:8b:##:##:## Processing RSN IE type 48, length 20 for mobile e8:50:8b:##:##:##
*apfMsConnTask_2: May 02 10:39:53.969: e8:50:8b:##:##:## Selected Unicast cipher CCMP128 for client device
*apfMsConnTask_2: May 02 10:39:53.969: e8:50:8b:##:##:## Received 802.11i PSK key management suite, enabling Authentication
*apfMsConnTask_2: May 02 10:39:53.969: e8:50:8b:##:##:## RSN Capabilities:  128
*apfMsConnTask_2: May 02 10:39:53.969: e8:50:8b:##:##:## Marking Mobile as non-11w Capable 
*apfMsConnTask_2: May 02 10:39:53.969: e8:50:8b:##:##:## Received RSN IE with 0 PMKIDs from mobile e8:50:8b:##:##:##
*apfMsConnTask_2: May 02 10:39:53.969: e8:50:8b:##:##:## Assigning flex webauth ACL ID :65535 for vlan : 11
*apfMsConnTask_2: May 02 10:39:53.970: e8:50:8b:##:##:## apfProcessAssocReq (apf_80211.c:11711) Changing state for mobile e8:50:8b:##:##:## on AP e8:ed:f3:c2:16:50 from Idle to AAA Pending

*apfMsConnTask_2: May 02 10:39:53.970: e8:50:8b:##:##:## Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
*apfReceiveTask: May 02 10:39:53.982: e8:50:8b:##:##:## Received SGT for this Client.
*apfReceiveTask: May 02 10:39:53.982: e8:50:8b:##:##:## SGT is not applied, sgtLen 0, sgt_stringp 0x2d7d5c3b
*apfReceiveTask: May 02 10:39:53.982: e8:50:8b:##:##:## Sending assoc-resp with status 1 station:e8:50:8b:##:##:## AP:e8:ed:f3:c2:16:50-01 on apVapId 11
*apfReceiveTask: May 02 10:39:53.982: e8:50:8b:##:##:## Sending Assoc Response (status: 'unspecified failure') to station on AP 192.168.25.20 on BSSID e8:ed:f3:c2:16:55 ApVapId 11 Slot 1, mobility role 0
*apfReceiveTask: May 02 10:39:53.982: e8:50:8b:##:##:## apfProcessRadiusAssocResp (apf_80211.c:5243) Changing state for mobile e8:50:8b:##:##:## on AP e8:ed:f3:c2:16:50 from AAA Pending to Authenticated

*apfReceiveTask: May 02 10:39:53.983: e8:50:8b:##:##:## Scheduling deletion of Mobile Station:  (callerId: 18) in 10 seconds
*apfOpenDtlSocket: May 02 10:39:56.058: e8:50:8b:##:##:## Recevied management frame ASSOCIATION REQUEST  on BSSID e8:ed:f3:c2:16:55 destination addr e8:ed:f3:c2:16:55
*apfMsConnTask_2: May 02 10:39:56.059: e8:50:8b:##:##:## Processing assoc-req station:e8:50:8b:##:##:## AP:e8:ed:f3:c2:16:50-01 ssid : IPAD SSID thread:1b9088e8
*apfMsConnTask_2: May 02 10:39:56.059: e8:50:8b:##:##:## Station:  E8:50:8B:##:##:##  trying to join WLAN with RSSI -39. Checking for XOR roam conditions on AP:  E8:ED:F3:C2:16:50  Slot: 1
*apfMsConnTask_2: May 02 10:39:56.059: e8:50:8b:##:##:## Station:  E8:50:8B:##:##:##  is associating to AP  E8:ED:F3:C2:16:50  which is not XOR roam capable
*apfMsConnTask_2: May 02 10:39:56.059: e8:50:8b:##:##:## Updating location for mobile on same AP e8:ed:f3:c2:16:50-1
*apfMsConnTask_2: May 02 10:39:56.059: e8:50:8b:##:##:## Setting RTTS enabled to 0 
*apfMsConnTask_2: May 02 10:39:56.059: e8:50:8b:##:##:## Association received from mobile on BSSID e8:ed:f3:c2:16:55 AP 192.168.25.20
*apfMsConnTask_2: May 02 10:39:56.059: e8:50:8b:##:##:## Station:  E8:50:8B:##:##:##  trying to join WLAN with RSSI -39. Checking for XOR roam conditions on AP:  E8:ED:F3:C2:16:50  Slot: 1
*apfMsConnTask_2: May 02 10:39:56.059: e8:50:8b:##:##:## Station:  E8:50:8B:##:##:##  is associating to AP  E8:ED:F3:C2:16:50  which is not XOR roam capable
*apfMsConnTask_2: May 02 10:39:56.059: e8:50:8b:##:##:## Global 200 Clients are allowed to AP radio

*apfMsConnTask_2: May 02 10:39:56.059: e8:50:8b:##:##:## Max Client Trap Threshold: 0  cur: 0

*apfMsConnTask_2: May 02 10:39:56.059: e8:50:8b:##:##:## Rf profile 600 Clients are allowed to AP wlan

*apfMsConnTask_2: May 02 10:39:56.060: e8:50:8b:##:##:## override for default ap group, marking intgrp NULL
*apfMsConnTask_2: May 02 10:39:56.060: e8:50:8b:##:##:## Applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_2: May 02 10:39:56.060: e8:50:8b:##:##:## Re-applying interface policy for client 

*apfMsConnTask_2: May 02 10:39:56.060: e8:50:8b:##:##:## 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2985)
*apfMsConnTask_2: May 02 10:39:56.060: e8:50:8b:##:##:## 0.0.0.0 START (0) Changing Url ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255),Default action is '0' --- (caller apf_policy.c:3005)
*apfMsConnTask_2: May 02 10:39:56.060: e8:50:8b:##:##:## 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:3026)
*apfMsConnTask_2: May 02 10:39:56.060: e8:50:8b:##:##:## apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0
*apfMsConnTask_2: May 02 10:39:56.060: e8:50:8b:##:##:## Applying site-specific Local Bridging override for station e8:50:8b:##:##:## - vapId 11, site 'default-group', interface 'management'
*apfMsConnTask_2: May 02 10:39:56.060: e8:50:8b:##:##:## Applying Local Bridging Interface Policy for station e8:50:8b:##:##:## - vlan 0, interface id 0, interface 'management'
*apfMsConnTask_2: May 02 10:39:56.060: e8:50:8b:##:##:## processSsidIE  statusCode is 0 and status is 0 
*apfMsConnTask_2: May 02 10:39:56.060: e8:50:8b:##:##:## processSsidIE  ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_2: May 02 10:39:56.060: e8:50:8b:##:##:## STA - rates (5): 36 176 72 96 108 0 0 0 0 0 0 0 0 0 0 0
*apfMsConnTask_2: May 02 10:39:56.060: e8:50:8b:##:##:## suppRates  statusCode is 0 and gotSuppRatesElement is 1 
*apfMsConnTask_2: May 02 10:39:56.060: RSNIE in Assoc. Req.: (20)

*apfMsConnTask_2: May 02 10:39:56.060:      [0000] 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f

*apfMsConnTask_2: May 02 10:39:56.060:      [0016] ac 02 80 00

*apfMsConnTask_2: May 02 10:39:56.060: e8:50:8b:##:##:## Processing RSN IE type 48, length 20 for mobile e8:50:8b:##:##:##
*apfMsConnTask_2: May 02 10:39:56.060: e8:50:8b:##:##:## Selected Unicast cipher CCMP128 for client device
*apfMsConnTask_2: May 02 10:39:56.060: e8:50:8b:##:##:## Received 802.11i PSK key management suite, enabling Authentication
*apfMsConnTask_2: May 02 10:39:56.060: e8:50:8b:##:##:## RSN Capabilities:  128
*apfMsConnTask_2: May 02 10:39:56.060: e8:50:8b:##:##:## Marking Mobile as non-11w Capable 
*apfMsConnTask_2: May 02 10:39:56.060: e8:50:8b:##:##:## Received RSN IE with 0 PMKIDs from mobile e8:50:8b:##:##:##
*apfMsConnTask_2: May 02 10:39:56.060: e8:50:8b:##:##:## Assigning flex webauth ACL ID :65535 for vlan : 11
*apfMsConnTask_2: May 02 10:39:56.061: e8:50:8b:##:##:## apfProcessAssocReq (apf_80211.c:11711) Changing state for mobile e8:50:8b:##:##:## on AP e8:ed:f3:c2:16:50 from Authenticated to AAA Pending

*apfMsConnTask_2: May 02 10:39:56.061: e8:50:8b:##:##:## Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
*apfReceiveTask: May 02 10:39:56.082: e8:50:8b:##:##:## Received SGT for this Client.
*apfReceiveTask: May 02 10:39:56.082: e8:50:8b:##:##:## SGT is not applied, sgtLen 0, sgt_stringp 0x2cf44707
*apfReceiveTask: May 02 10:39:56.082: e8:50:8b:##:##:## Sending assoc-resp with status 1 station:e8:50:8b:##:##:## AP:e8:ed:f3:c2:16:50-01 on apVapId 11
*apfReceiveTask: May 02 10:39:56.082: e8:50:8b:##:##:## Sending Assoc Response (status: 'unspecified failure') to station on AP 192.168.25.20 on BSSID e8:ed:f3:c2:16:55 ApVapId 11 Slot 1, mobility role 0
*apfReceiveTask: May 02 10:39:56.082: e8:50:8b:##:##:## apfProcessRadiusAssocResp (apf_80211.c:5243) Changing state for mobile e8:50:8b:##:##:## on AP e8:ed:f3:c2:16:50 from AAA Pending to Authenticated

*apfReceiveTask: May 02 10:39:56.082: e8:50:8b:##:##:## Scheduling deletion of Mobile Station:  (callerId: 18) in 10 seconds
*apfOpenDtlSocket: May 02 10:39:57.238: e8:50:8b:##:##:## Recevied management frame ASSOCIATION REQUEST  on BSSID e8:ed:f3:c2:16:55 destination addr e8:ed:f3:c2:16:55
*apfMsConnTask_2: May 02 10:39:57.238: e8:50:8b:##:##:## Processing assoc-req station:e8:50:8b:##:##:## AP:e8:ed:f3:c2:16:50-01 ssid : IPAD SSID thread:1b9088e8
*apfMsConnTask_2: May 02 10:39:57.238: e8:50:8b:##:##:## Station:  E8:50:8B:##:##:##  trying to join WLAN with RSSI -39. Checking for XOR roam conditions on AP:  E8:ED:F3:C2:16:50  Slot: 1
*apfMsConnTask_2: May 02 10:39:57.238: e8:50:8b:##:##:## Station:  E8:50:8B:##:##:##  is associating to AP  E8:ED:F3:C2:16:50  which is not XOR roam capable
*apfMsConnTask_2: May 02 10:39:57.238: e8:50:8b:##:##:## Updating location for mobile on same AP e8:ed:f3:c2:16:50-1
*apfMsConnTask_2: May 02 10:39:57.238: e8:50:8b:##:##:## Setting RTTS enabled to 0 
*apfMsConnTask_2: May 02 10:39:57.238: e8:50:8b:##:##:## Association received from mobile on BSSID e8:ed:f3:c2:16:55 AP 192.168.25.20
*apfMsConnTask_2: May 02 10:39:57.238: e8:50:8b:##:##:## Station:  E8:50:8B:##:##:##  trying to join WLAN with RSSI -39. Checking for XOR roam conditions on AP:  E8:ED:F3:C2:16:50  Slot: 1
*apfMsConnTask_2: May 02 10:39:57.238: e8:50:8b:##:##:## Station:  E8:50:8B:##:##:##  is associating to AP  E8:ED:F3:C2:16:50  which is not XOR roam capable
*apfMsConnTask_2: May 02 10:39:57.238: e8:50:8b:##:##:## Global 200 Clients are allowed to AP radio

*apfMsConnTask_2: May 02 10:39:57.238: e8:50:8b:##:##:## Max Client Trap Threshold: 0  cur: 0

*apfMsConnTask_2: May 02 10:39:57.239: e8:50:8b:##:##:## Rf profile 600 Clients are allowed to AP wlan

*apfMsConnTask_2: May 02 10:39:57.239: e8:50:8b:##:##:## override for default ap group, marking intgrp NULL
*apfMsConnTask_2: May 02 10:39:57.239: e8:50:8b:##:##:## Applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_2: May 02 10:39:57.239: e8:50:8b:##:##:## Re-applying interface policy for client 

*apfMsConnTask_2: May 02 10:39:57.239: e8:50:8b:##:##:## 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2985)
*apfMsConnTask_2: May 02 10:39:57.239: e8:50:8b:##:##:## 0.0.0.0 START (0) Changing Url ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255),Default action is '0' --- (caller apf_policy.c:3005)
*apfMsConnTask_2: May 02 10:39:57.239: e8:50:8b:##:##:## 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:3026)
*apfMsConnTask_2: May 02 10:39:57.239: e8:50:8b:##:##:## apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0
*apfMsConnTask_2: May 02 10:39:57.239: e8:50:8b:##:##:## Applying site-specific Local Bridging override for station e8:50:8b:##:##:## - vapId 11, site 'default-group', interface 'management'
*apfMsConnTask_2: May 02 10:39:57.239: e8:50:8b:##:##:## Applying Local Bridging Interface Policy for station e8:50:8b:##:##:## - vlan 0, interface id 0, interface 'management'
*apfMsConnTask_2: May 02 10:39:57.239: e8:50:8b:##:##:## processSsidIE  statusCode is 0 and status is 0 
*apfMsConnTask_2: May 02 10:39:57.239: e8:50:8b:##:##:## processSsidIE  ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_2: May 02 10:39:57.239: e8:50:8b:##:##:## STA - rates (5): 36 176 72 96 108 0 0 0 0 0 0 0 0 0 0 0
*apfMsConnTask_2: May 02 10:39:57.239: e8:50:8b:##:##:## suppRates  statusCode is 0 and gotSuppRatesElement is 1 
*apfMsConnTask_2: May 02 10:39:57.239: RSNIE in Assoc. Req.: (20)

I've sanitised this log somewhat.

 

I'm really drawing a blank on this one - can't think of anything else to check. As far as I can see, I've followed the exact same steps as my other, working anchors. Can anyone see something I'm missing or something in the logs? 

 

Much appreciated

 

2 Accepted Solutions

Accepted Solutions

Hi

 

 "Changing state for mobile e8:50:8b:##:##:## on AP e8:ed:f3:c2:16:50 from Authenticated to AAA Pending *apfMsConnTask_2: May 02 10:39:56.061: e8:50:8b:##:##:## Scheduling deletion of Mobile Station: (callerId: 20) in 10 seconds *apfReceiveTask: May 02 10:39:56.082: "

 

This suggest authentication problem. 

 

 

-If I helped you somehow, please, rate it as useful.-

View solution in original post

Well, we figured out the problem. The third party had either entered the RADIUS shared secret, or their WLC didn't like the length or characters in the password. I didn't think to check this to begin with, because the MAC filtered SSID we were testing with seemed like everything was authenticating correctly on our ISE deployment. As soon as I tried using our regular, 802.1x SSID it worked fine.

View solution in original post

4 Replies 4

Hi

 

 "Changing state for mobile e8:50:8b:##:##:## on AP e8:ed:f3:c2:16:50 from Authenticated to AAA Pending *apfMsConnTask_2: May 02 10:39:56.061: e8:50:8b:##:##:## Scheduling deletion of Mobile Station: (callerId: 20) in 10 seconds *apfReceiveTask: May 02 10:39:56.082: "

 

This suggest authentication problem. 

 

 

-If I helped you somehow, please, rate it as useful.-

"My SSID is a Flexconnect one, it's configured with an interface on a VLAN connected to a core (Nexus) switch."

 

Does SSID in FlexConnect central switching or local switching ?

 

In previous two times, APs are local mode or FlexConnect mode ?

 

HTH

Rasika

The SSID is a FlexConnect one. I always make an interface with an SVI associated with it - even though it isn't used - for all my FlexConnect SSIDs, because I knew I'd be doing Mobility Anchors and devices connecting to foreign WLCs on Flex SSIDs get an IP address in that subnet.

 

All my APs are set up in FlexConnect mode - I'm not sure about the foreign APs actually. Do they have to be in a non-Local mode for this to work?

Well, we figured out the problem. The third party had either entered the RADIUS shared secret, or their WLC didn't like the length or characters in the password. I didn't think to check this to begin with, because the MAC filtered SSID we were testing with seemed like everything was authenticating correctly on our ISE deployment. As soon as I tried using our regular, 802.1x SSID it worked fine.
Review Cisco Networking for a $25 gift card