Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1104
Views
10
Helpful
5
Replies

Static Mobility Group Status - Control and Data Path Down

Go to solution
latenaite2011
Level 4
Level 4

‎10-29-2022 05:25 AM

Does anyone know why the Control and Data Path Down status appears for the Static Mobility Group an an IP setup between the a 9800 WLC and a 5508 Anchor WLC?  We double-checked the configuration and the firewall rules and ensure that everything is setup the same (even set up added the new 9800 WLC to the same firewall rule) but yet it still remains down. Is there anyway to troubleshoot this from the 9800 WLC to see what might be causing this? Is there a packet packet or what logs can we look at on the 9800 WLC via CLI (we looked at the GUI's logs and didn't see anything).

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎10-29-2022 07:28 AM - edited ‎10-29-2022 07:29 AM

As you mentioned there is FW between, what logs you see on the Firewall when the traffic passing through FW.

Monitor on FW to see if BLOCK UDP  16666  / UDP 16667  or IP 97 

check some mping ping tests:

https://mrncciew.com/2013/03/24/mobility-ping-tests/

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

5 Replies 5

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎10-29-2022 07:28 AM - edited ‎10-29-2022 07:29 AM

As you mentioned there is FW between, what logs you see on the Firewall when the traffic passing through FW.

Monitor on FW to see if BLOCK UDP  16666  / UDP 16667  or IP 97 

check some mping ping tests:

https://mrncciew.com/2013/03/24/mobility-ping-tests/

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
latenaite2011
Level 4
Level 4
In response to balaji.bandi

‎10-29-2022 07:45 AM

Excellent Balaji, this is excellent and well written!  Will try this.  Exactly what I needed and thanks for the quickly reply!

Note that even though secure tunnel is enabled (and so is the original controller), I didn't any rules for UDP 16667 or IP 97 (even for the first one so not sure how the first one worked).  Are those need to be allowed? As for firewall rules logs, didn't see anything at all, which is weird and they could see logs being denied/ping on the for the first controller. 

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to latenaite2011

‎10-29-2022 07:48 AM

Not sure how your network topology looks like ? so we need more information here.

If the FW do not see the logs at all that means that packers not even reaching FW ( I am assuming this) - so you need to where it is blocking before reaching FW.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
latenaite2011
Level 4
Level 4
In response to balaji.bandi

‎10-29-2022 07:57 AM

Yes. Agree.  Packet captures might be next, thanks again! 

0 Helpful

Go to solution
latenaite2011
Level 4
Level 4
In response to balaji.bandi

‎10-30-2022 07:36 AM

Hey Balaji,

Have another question. 

Should multicast be enabled (it is not now) if there is just one Anchor WLC Controller in the DMZ but this anchor controllers talk to two different foreign controllers on the LAN side.  Since we have now introduced a new WLC controller, would it make sense to enable multicast or would it work just as fine without enabling multicast.

 

Thanks in advance!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card