There are no ACL on the Management Interface or the Dynamic Interfaces. The 2 devices existing on different subnets but there are no ACL between the 2 networks.

I can ping back and forth between the 2 devices. Synchronization between MSE and WLC occurs, only the NMSP show inactive. 0 echo request count and 0 echo response count.

netstat on the MSE show SYN packet from MSE trying to reach WLC on port 16113.

John,

Can you get 'show nmsp status' from the CLI of one of the WLC's ?

Please make sure the MSE & the WLC(s) are sync'ed to a NTP source. The time needs to be in-sync.

The state of the port from the MSE should be in established state.

[root@nms-mse3350-a ~]# netstat -ano | grep 16113

tcp        0      0 ::ffff:14.32.51.20:24055    ::ffff:14.32.70.10:16113    ESTABLISHED off (0.00/0/0)

Also, how is the WLC managed from NCS ? (using read-only or read write). It has to be read-write so it can write the MSE (mac & ssc key hash) values to the WLC. The access mode can be verified from NCS under

Configure --> Controller --> Click on the device name --> Under SNMP parameters -> you'll see Access mode.

Ram.

Just thought I would post it here that I had the same issue. I fix it by changing the MSE assignment with the Controller. You can find this at Services > Synchronize Services > Controllers. Check the controller, click on "Change MSE Assignment", then uncheck CAS, click Synchronize. Give it a few minutes and then do it again to turn CAS back on. Once I did this NMSP went active and clients started to show on my floor plans. 

This is what helped me with this issue. I hope it helps someone else as well.

Cheers!

Robert Stack

I'm being a "me tooer" to Roberts post...
Running WLC code 8.0.110.11, PI 2.2 and MSE 8.0.100 and one of my WLC's was at a status of "Inactive" under NMSP and changeing the MSE Assigment as Robert stated brought the WLC back to "Active". 

Great catch here. WLC 8.1.120, MSE 8.0.120, PI 3.0 - same problem. Your fix worked like a charm!

Hi guys,

I did the same but when I type "netstat -ano | grep 16113" command I see this output:

[root@vMSE ~]# netstat -ano | grep 16113

tcp        0      0 ::ffff:10.48.7.122:36688    ::ffff:10.48.7.120:16113    TIME_WAIT   timewait (8.44/0/0)

tcp        0      0 ::ffff:10.48.7.122:36692    ::ffff:10.48.7.120:16113    TIME_WAIT   timewait (23.44/0/0)

tcp        0      0 ::ffff:10.48.7.122:36696    ::ffff:10.48.7.120:16113    TIME_WAIT   timewait (38.44/0/0)

tcp        0      0 ::ffff:10.48.7.122:36700    ::ffff:10.48.7.120:16113    TIME_WAIT   timewait (53.44/0/0)

[root@vMSE ~]#

.120 - it's my vWLC IP address. Where could be a problem?

After a while , I am able to see this:

[root@vMSE ~]# netstat -ano | grep 16113

tcp        0      1 ::ffff:10.48.7.122:57416    ::ffff:10.48.7.120:16113    SYN_SENT    on (0.50/1/0)

Looks like MSE can't reach vWLC. I try to ping vWLC from MSE. There is no success:

[root@vMSE ~]# ping 10.48.7.120

PING 10.48.7.120 (10.48.7.120) 56(84) bytes of data.

...

Okay... I try to ping MSE from vWLC. Success!

Now try to ping vWLC again from MSE:

PING 10.48.7.120 (10.48.7.120) 56(84) bytes of data.

64 bytes from 10.48.7.120: icmp_seq=44 ttl=128 time=2.44 ms

64 bytes from 10.48.7.120: icmp_seq=45 ttl=128 time=0.255 ms

Pings are successful!

But "netstat" shows the same:

[root@vMSE ~]# netstat -ano | grep 16113

tcp        0      0 ::ffff:10.48.7.122:57485    ::ffff:10.48.7.120:16113    TIME_WAIT   timewait (53.51/0/0)

tcp        0      0 ::ffff:10.48.7.122:57481    ::ffff:10.48.7.120:16113    TIME_WAIT   timewait (38.51/0/0)

tcp        0      0 ::ffff:10.48.7.122:57477    ::ffff:10.48.7.120:16113    TIME_WAIT   timewait (23.50/0/0)

tcp        0      0 ::ffff:10.48.7.122:57472    ::ffff:10.48.7.120:16113    TIME_WAIT   timewait (8.51/0/0)

Where could be a problem , guys?

Guys,

If you are using virtual environment ( vWLC specifically) it is a bug:

https://supportforums.cisco.com/thread/2183040

It works now for me!

Hope that helps!

Thanks for posting the fix!

Sent from Cisco Technical Support iPhone App

Hi All,

I have the same issue where NMSP status is showing inactive on the PI.

Workaround performed
1. Deleted the SHA key from Controller (From WLC Web Gui TAB > Security>AAA>AP Polices )
2. From the MSE CLI got the output of "show server-auth-info" and collected MAC address and SHA keys
3. Re-configured WLC with SHA key 1/ SHA key 2 with below command, But no luck.
"config auth-list add sha256-lbs-ssc <MAC address of MSE > <SHA Key>"
(MAC of the MSE in xx:yy format)
4. Restarted the MSE services (# /etc/init.d/msed stop # /etc/init.d/msed start)
5. Also tried this from MSE CLI: config unauthenticated-nmsp true
6. Restarted the PI services (# ncs stop verbose # ncs start verbose)
7. Synchronized the WLC on the PI/ Deleted and re-added back the WLC on the PI.
8. We are running only WIPS, Hence tried synchronizing with disabling and enabling back the WIPS service.
9. Still i don't see the NMSP status is showing as active.

PI version: 3.2
MSE version: 8.0.150.0

PI and MSE are on VM

Please suggest..

Hi,

What version of software is the WLC running? As per the release notes there are a couple of NMSP configurations which could be road blocking you.

https://www.cisco.com/c/en/us/td/docs/wireless/mse/release/notes/mse8_0_150.html

1) On MSE try forcing it to use SHA-1 under advanced parameters. The notes indicate this is a CPI issue however and you are running latest CPI so in theory this is unlikely to fix it.

2) For WLCs running lower than 8.0.72.x code you need to force TLS 1.0 enablement in MSE:

1. From the Cisco MSE shell prompt, enter the /opt/mse/setup/setup.sh command.

2. Enter the Menu mode.

3. Select the 23) Configure TLSv1.0 for NMSP option.

4. Follow the prompts to enable TLSv1.0.

5. Select the 25) ## Verify and apply changes ## option to apply the changes. Note that this restarts Cisco MSE services.

Try both of those and see how you go?

Ric

Hi Ric,

Thanks for your workaround. WLC running on 8.2.151.0. 

 Will apply the workaround and let you know with an update.

-- Binish

Hi Ric,

I applied the workaround you suggested, But no luck.

Binish