Re: Mobility path down between 9800-40 and 9800CL

michael18 · ‎04-04-2023

I have a problem getting the data path up between C9800-40 (foreign) 9800CL (anchor). the foreign is behind my firewall, the anchor behind a 3rd party firewall.

both are on ver: Cisco IOS XE Software, Version 17.06.04

captures show connectivity on my firewall inside int:

1: 09:06:50.217624 172.18.60.4.16667 > 10.40.251.10.16667: udp 130
2: 09:06:50.217670 172.18.60.4.16666 > 10.40.251.10.16666: udp 115
3: 09:06:50.218433 10.40.251.10.16667 > 172.18.60.4.16667: udp 121
4: 09:06:50.218479 10.40.251.10.16667 > 172.18.60.4.16667: udp 130
5: 09:06:50.218723 10.40.251.10.16666 > 172.18.60.4.16666: udp 110

capture from my firewall dmz interface:

300: 09:12:30.250582 802.1Q vlan#800 P0 172.18.60.3 > 10.40.251.10 icmp: 172.18.60.4 udp port 16667 unreachable
301: 09:12:40.251390 802.1Q vlan#800 P0 172.18.60.3 > 10.40.251.10 icmp: 172.18.60.4 udp port 16667 unreachable
302: 09:12:40.251589 802.1Q vlan#800 P0 172.18.60.3 > 10.40.251.10 icmp: 172.18.60.4 udp port 16667 unreachable
303: 09:12:50.252077 802.1Q vlan#800 P0 172.18.60.3 > 10.40.251.10 icmp: 172.18.60.4 udp port 16667 unreachable
304: 09:12:50.252291 802.1Q vlan#800 P0 172.18.60.3 > 10.40.251.10 icmp: 172.18.60.4 udp port 16667 unreachable
305: 09:12:54.653362 802.1Q vlan#800 P0 10.40.251.10 > 172.18.60.4 icmp: echo request
306: 09:12:54.654095 802.1Q vlan#800 P0 172.18.60.4 > 10.40.251.10 icmp: echo reply
307: 09:12:54.654934 802.1Q vlan#800 P0 10.40.251.10 > 172.18.60.4 icmp: echo request
308: 09:12:54.655605 802.1Q vlan#800 P0 172.18.60.4 > 10.40.251.10 icmp: echo reply
309: 09:12:54.656490 802.1Q vlan#800 P0 10.40.251.10 > 172.18.60.4 icmp: echo request
310: 09:12:54.657146 802.1Q vlan#800 P0 172.18.60.4 > 10.40.251.10 icmp: echo reply
311: 09:12:54.658031 802.1Q vlan#800 P0 10.40.251.10 > 172.18.60.4 icmp: echo request
312: 09:12:54.658489 802.1Q vlan#800 P0 172.18.60.4 > 10.40.251.10 icmp: echo reply
313: 09:12:54.659389 802.1Q vlan#800 P0 10.40.251.10 > 172.18.60.4 icmp: echo request
314: 09:12:54.660000 802.1Q vlan#800 P0 172.18.60.4 > 10.40.251.10 icmp: echo reply
315: 09:13:00.253038 802.1Q vlan#800 P0 172.18.60.3 > 10.40.251.10 icmp: 172.18.60.4 udp port 16667 unreachable
316: 09:13:00.253221 802.1Q vlan#800 P0 172.18.60.3 > 10.40.251.10 icmp: 172.18.60.4 udp port 16667 unreachable
317: 09:13:10.254289 802.1Q vlan#800 P0 172.18.60.3 > 10.40.251.10 icmp: 172.18.60.4 udp port 16667 unreachable

Mobility summary

IP Public Ip MAC Address Group Name Multicast IPv4 Multicast IPv6 Status PMTU

10.40.251.10 N/A 44b6.bee8.fa6b Internal 0.0.0.0 :: N/A N/A

172.18.60.4 172.18.60.4 000c.29d6.680f Internal 0.0.0.0 :: Data Path Down 1385

ping from foreign to anchor

WLC001#ping 172.18.60.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.60.4, timeout is 2 seconds:
!!!!!

the anchor is behind a NAT. the foreign targets 172.18.60.4

All documentation seems to point to catalyst to AireOS.

Where do i look for data path issues.

Thanks

marce1000 · ‎04-04-2023

- Check if these commands can provide additional info's :
show wireless mobility summary
show wireless stats mobility
show wireless stats mobility messages
show platform hardware chassis active qfp feature wireless punt statistics

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

marce1000 · ‎04-04-2023

- (adding) : on both controllers review the configuration with (CLI) show tech wireless ; have the output analyzed with
https://cway.cisco.com/wireless-config-analyzer/

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Rich R · ‎04-04-2023

What is 172.18.60.3?

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

michael18 · ‎04-05-2023

Its is the 3rd party firewall interface.

ive just found this document: Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Amsterdam 17.3.x - NAT Support on Mobility Groups [Cisco Catalyst 9800 Series Wireless Controllers] - Cisco

We may have the mobility group IP info incorrect. I need to check it

Rich R · ‎04-05-2023

And the 3rd party firewall is blocking the mobility traffic:
172.18.60.3 > 10.40.251.10 icmp: 172.18.60.4 udp port 16667 unreachable
That's the firewall telling you it's dropped those packets which were destined for 172.18.60.4.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390