Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1250
Views
0
Helpful
5
Replies

WLC Mobility (Guest Anchor)

spencermoore
Level 1
Level 1

‎06-24-2015 06:25 AM - edited ‎07-05-2021 03:27 AM

Hello. I'm unable to initialize a mobility tunnel between a foreign and anchor WLC in my DMZ. The controllers are separated by a firewall, but I have allowed all traffic between the two devices as well as configured NAT in order to achieve connectivity. I can ping both devices, but e and m pings fail. When I perform a packet capture on my firewall, I see packets traversing the firewall destined to the anchor controller and visa versa, but every other packet or so says "association request; malformed packet". Note, there is a two or so minute time discrepancy between the two controllers and a 30 minute discrepancy on both controllers from the actual time. Does this need to be corrected? Cisco documentation doesn't mention time has to match.

 

Steps I've completed:

1. Verified ping

2. Setup Mobility Group named "Guest" on foreign using anchor ip and MAC (from inventory screen)

3. Setup Mobility Group named "Guest" on anchor using foreign ip and MAC (from inventory screen)

 

Hardware:

Foreign: 5508 7.6.110.0

Anchor: 4402 7.0.252.0

 

Update: Debug shows Anchor sending keep-alives. Debug on foreign shows: 

Keepalive:INVALID(GroupMismatch):ETHOIP_OP_REQ:Received from 172.1                                           6.x.x:version=02:SeqNo=36:receiverStatusOnTransmitter=0
*mmMobility: Jun 24 10:18:27.449:  Keepalive:Mobility Member 172.16.x.x detected DOWN status 3, cleaning                                            up client entries

 

 

Thanks for your help!

 

 

Labels:
0 Helpful
5 Replies 5

Stephen Rodriguez
Cisco Employee
Cisco Employee

‎06-24-2015 06:54 AM

Yes, the times need to be insync or at least close. The mobility messaging is time sensitive.

 

I'd also check if the NAT is manipulating a MAC address, pcap and check the src and dst on both sides.

 

HTH,

Steve

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
0 Helpful

spencermoore
Level 1
Level 1
In response to Stephen Rodriguez

‎06-24-2015 06:56 AM

Thanks. I just updated the post. I'm getting a "group mismatch" on foreign. Does this have to do with the group name? I've confirmed they're both identical. 

0 Helpful

Stephen Rodriguez
Cisco Employee
Cisco Employee
In response to spencermoore

‎06-24-2015 07:01 AM

Group mismatch would be the mobility group name, make sure you dont' have a trailing space

 

HTH,

Steve

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
0 Helpful

spencermoore
Level 1
Level 1
In response to Stephen Rodriguez

‎06-24-2015 01:21 PM

No trailing space; however, the 5505 has an "hash" option which is currently set to "none". The 4400 has no such option. Could this be the issue? I also manually set the Anchor controller time to be within a few seconds of the foreign. Issues resolved: removed the group and just used the default name. Not ideal, but it works.

0 Helpful

J. Adams
Level 1
Level 1
In response to spencermoore

‎06-24-2015 04:28 PM

The lack of "hash" option is not related.  I have peering and MA anchoring between 4400s and 5500s with OS types 7.0.252.0 and 7.6.130.0 and various Group Names without any issues but with NTP servers. Regards

0 Helpful
Review Cisco Networking for a $25 gift card
Top