08-17-2023 11:08 PM
Hi Team,
I was doing the Mobility anchor for the guest SSID, between AireOS WLC and WLC9800.
The AireOS WLC is the central WLC and the anchor, other WLCs are joined to it for Guest SSID.
I was trying to create the mobility tunnel between AireOS WLC and WLC 9800. I have done the firewall port opening as well which is mentioned in the Cisco document. The mobility MAC and group are configured properly. But still, the control path is showing down.
Am I missing something or please suggest to me how to troubleshoot this?
08-18-2023 03:49 PM
If it is 9800-CL (VM) then you need to add certificate hash when configuring mobility between AireOS WLC & 9800-CL. Refer below
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213913-building-mobility-tunnels-on-catalyst-98.html#anc33
"Hash is only required in cases where the 9800 uses a self-signed certificate such as the C9800-CL. Hardware Appliances have a SUDI certificate and do not need a hash (for example a 9800-40, 9800-L, and so on)".
HTH
Rasika
*** Pls rate all useful responses ***
08-17-2023 11:45 PM
- Checkout : https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213912-configure-mobility-anchor-on-catalyst-98.html#toc-hId--2049776176
Also have a checkup of the WLC9800 configuration with the CLI command show tech wireless ; feed the output into :
https://cway.cisco.com/wireless-config-analyzer/
Also what are the involved models and software versions being used ?
M.
08-17-2023 11:54 PM
Hi Marce1000,
Thanks for the quick response,
I have followed the same document for configuration.
Anchor WLC-AireOS version 8.10.162.0 & the foreign WLC9800 version 17.6.5
Even I have done the Firewall port opening 16666 & 16667.
Is there any way to generate the traffic so I can check on the firewall side whether the request is passing or not?
08-18-2023 12:22 AM
>...Is there any way to generate the traffic so I can check on the firewall side whether the request is passing or not?
- Guess that is a bit less relevant for the moment because the mobility anchor configuration should just be up and running ; please use the suggested procedure for WirelessAnalyzed. You may do the same for the AireOS controller using :
https://community.cisco.com/t5/networking-knowledge-base/show-the-complete-configuration-without-breaks-pauses-on-cisco/ta-p/3115114#toc-hId-1039672820
as input for https://cway.cisco.com/wireless-config-analyzer/
M.
08-18-2023 09:50 PM
Hey, it got resolved by just enabling the secure mobility option on AireOS WLC.
Thanks to all for the workarounds.