03-26-2024 07:39 PM
Hey all-
TL;DR is mobility group between foreign WLC (AireOS) and anchor WLC (9800) appears to have CONTROL path UP and DATA path down.
Foreign: 5520 on 8.10.185.0 and 8540 on 8.8.125.0
Anchor: 9800 on 17.9.4a
Background: Our environment has 10+ foreign WLCs and 4 anchor WLCs. The 3 anchor WLCs still running AireOS have successful mobility groups established with all foreign WLCs. The 4th anchor WLC that I am currently replacing (same exact IP address) with the 9800 appears to establish the Control path but the Data path remains down. I have tried re-establishing the group with/without Hash Key, with/without secure mobility, with/without data encryption - and all of the combinations in between.
The 9800 has a very basic configuration with NTP, SSH, TACACS, GUI set up, using the 4 2.5 GB uplinks as trunk ports to the switch. Static route defined as the gateway for the Wireless Management Interface. Foreign and Anchor can successfully ping each other.
The exact message that keeps appearing from CLI on anchor is: Mar 27 02:07:07.203: %MM_INFRA_LOG-3-RECV_FAILED: Chassis 1 R0/0: mobilityd: Unable to receive mobility message mobile_announce from ipv4: [foreign WLC IP] . reason: Peer link is down
I wouldn't think this is anything FW related as I checked to confirm the proper ports are being allowed and it is using the same exact IP address anyway. Despite Control path appearing to be up... both mping and eping from the foreign AireOS WLC are NOT successful.
Any guidance would be greatly appreciated. I've been at this all day. Any further information needed can be provided.
03-27-2024 02:15 AM - edited 03-27-2024 02:16 AM
Hello
Did you set the mobility MAC address on the 9800?
Which model of 9800 is it?
To my understanding, hash key is mandatory only when using 9800-CL. Hardware models use SUDI certificates.
Mobility with 9800 uses UDP ports 16666 and 16667.
Secure mobility is mandatory with 9800, so you have to enable it on the AireOS side.
Data encryption is optional but must be set the same on both sides.
Can you post output from:
- show mobility summary (AireOS foreign)
- show wireless mobility summary (9800 anchor)
Here is some documentation: https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-8/b_c9800_wireless_controller-aireos_ircm_dg.html#id_85244
Regards
03-27-2024 01:06 AM
>...The exact message that keeps appearing from CLI on anchor is...
Check logs on the particular foreign controller too when that happens.
- Use the latest advisory release: https://software.cisco.com/download/home/286284738/type/280926587/release/8.10.190.0
This remains important whether related to the others working or not.
- Have a checkup of the non-working controllers' configuration, using WirelessAnalyzer input (procedure) for AireOS controllers, and feed that output into Wireless Config Analyzer.
- Regardless of operational states working for the others, it is important to do the same for the 9800 with the CLI command show tech wireless and feed the output to Wireless Config Analyzer.
M.
03-27-2024 06:27 AM
Remember Data encryption on mobility group. We have Wifi-calling issues, until we use encryption (only between aos <-> ios-xe)
04-04-2024 06:32 AM
Hey all - for our old setup between AireOS -> AireOS we allowed UDP 16666 for tunnel control traffic and IP Protocol 97 for user data traffic. We had to adjust our FW rules with the new anchor 9800 WLCs to allow UDP 16667. Once done, the data path came up. Thank you!
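
The firewall gap described in the last post, as an added example that is not part of the original thread: a small audit that checks a simplified first-match rule set against the flows the thread names for each pairing (UDP 16666 plus IP protocol 97 for AireOS to AireOS, UDP 16666 plus UDP 16667 when a 9800 is involved). The rule format, addresses and function names are assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_network

# Flows each mobility pairing needs, as stated in the thread.
REQUIRED = {
    "aireos-aireos": [("control", "udp", 16666), ("data", "ip97", None)],
    "aireos-9800": [("control", "udp", 16666), ("data", "udp", 16667)],
}

def rule_matches(rule, src, dst, proto, port):
    """True if one simplified ACL entry covers the given flow."""
    if rule["proto"] not in (proto, "any"):
        return False
    if ip_address(src) not in ip_network(rule["src"]):
        return False
    if ip_address(dst) not in ip_network(rule["dst"]):
        return False
    # ports=None means "all ports" (or a protocol without ports, e.g. IP 97)
    return port is None or rule["ports"] is None or port in rule["ports"]

def verdict(rules, src, dst, proto, port):
    """First-match evaluation with an implicit deny at the end."""
    for rule in rules:
        if rule_matches(rule, src, dst, proto, port):
            return rule["action"]
    return "deny"

def audit_pair(rules, a, b, pairing):
    """Check every required flow in both directions between peers a and b."""
    report = {}
    for path, proto, port in REQUIRED[pairing]:
        ok = all(verdict(rules, s, d, proto, port) == "permit"
                 for s, d in ((a, b), (b, a)))
        report[path] = "permitted" if ok else "blocked"
    return report

# Constructed sample: documentation addresses, rule set carried over from an
# AireOS-to-AireOS deployment (UDP 16666 + IP protocol 97 only).
FOREIGN, ANCHOR, NET = "192.0.2.10", "192.0.2.20", "192.0.2.0/24"
LEGACY_RULES = [
    {"action": "permit", "proto": "udp", "src": NET, "dst": NET, "ports": {16666}},
    {"action": "permit", "proto": "ip97", "src": NET, "dst": NET, "ports": None},
]
FIXED_RULES = LEGACY_RULES + [
    {"action": "permit", "proto": "udp", "src": NET, "dst": NET, "ports": {16667}},
]

if __name__ == "__main__":
    print(audit_pair(LEGACY_RULES, FOREIGN, ANCHOR, "aireos-9800"))
    print(audit_pair(FIXED_RULES, FOREIGN, ANCHOR, "aireos-9800"))
```

With the legacy rules the 9800 pairing reports control permitted and data blocked, which matches the control-up, data-down symptom in the original question.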