I have just set up a WLC 4402 as a Guest WLAN controller on the DMZ of our network.
I have successfully managed to get our internal controllers to connect to it, with the exception of one. It says the control path is up but the data path is down. The other 14 controllers worked fine, and in testing the last one was OK, but it is now not working properly. The two controllers can ping each other but just won't create the data tunnel. There is a firewall in the middle, but that has been set up to allow traffic between the two groups of controllers to be unrestricted.
The internal controllers are 4404s and all controllers are running the same version of code. 22.214.171.124
Any ideas would be great.
We have to take care of the ports that should be allowed on the firewall.
I'm having the same problem. Why is the responder pointing you to documentation when you have clearly removed the issue as a config problem?
As in my scenario, I have active EoIP tunnels; it's just one that's not playing nice.
What code are you using?
Is there a FW in the middle of your anchor and foreign controller?
Did you anchor your WLAN on the foreign controller to the anchor controller?
George, thanks for the response.
Code level 7.0.98
Yes, anchor resides behind FW and verified port traffic 16,666-16,667 including UDP 97.
I have two active remote branch sites tunneled back to the anchor now and working fine. This is a third WLC, and the data path is in the down state.
Verified symmetric tunnel and mirrored active working configurations. Can't go wrong as it's a cut-and-paste config.
Power-cycled the new WLC and NO GO. Read in the forum to cycle the anchor next.
Pretty scary as there appear to be numerous threads noting similar issues, and we plan to expand the guest user access across the enterprise.
Obviously ICMP works, and I have rebuilt the configs already. Becoming exhausted and frustrated as this deployment is only going to grow across our enterprise.
We have a NAC in the DMZ which doesn't come into play.
What is the name of the mobility group on the anchor and the name of the mobility group on your foreign controller?
Thanks for the question,
Group name - same for all WLCs
Virtual IP - same for all WLCs
Symmetric tunnel enabled - same for all WLCs
Anchor IP - same for all WLCs
Guest VLAN name - same for all WLCs
FW open ports - same for all WLCs
End points ICMP response testing - same for all WLCs
Did I miss anything... I don't think I did...
There are other threads which address a similar issue and recommend resetting the anchor (reboot).
Let's get back to basics... From your WLC CLI, can you mping and eping the anchor controller?
Just researched and not familiar with mping and eping. I do have ping response from the WLC.
Googled the mping and eping... appears to be an MS utility. Is that built into the WLC IOS?
Please provide input as to completing ping type response. How is that accomplished?
From the WLC CLI, mping and eping your anchor. If this doesn't work you need to check your ports.
Well, I'll be darned... they FAIL.
I reviewed the FW ACL and ran a trace between the two WLCs. They both check open for defined ports 97 and 16,666-16,667. I think it's going to be the requirement to (reboot) the anchor WLC. Internet forums address this as a (known) problem. But, I'm still listening...
(Cisco Controller) >mping 10.48.27.182
Send count=3, Receive count=0 from 10.48.27.182
(Cisco Controller) >eping ?
(Cisco Controller) >eping 10.48.27.182
Send count=3, Receive count=0 from 10.48.27.182
(Cisco Controller) >
I can't say I've ever had to reboot an anchor to make mobility work. Is there a route back from the firewall? I mean, if the ports are listening then they should respond. Are there any other ACLs you may have overlooked?
Did you say you can ping the management ip address of the anchor ?
Just wanted to reply to this thread so if someone else has this issue my experience may be useful.
The issue for my instance of this problem was IP routing. Our WAN provider uses iBGP as the routing protocol. What was happening was that out of business hours the single WAN link at campus locations was dropping (due to ISP maintenance or whatnot). This was causing a routing convergence issue with the data path and WLC anchor. EoIP wouldn't be able to recover from this. What I had the WAN provider do was create static routes on the WAN routers for when the link dropped and the iBGP peer was down. This would allow EoIP to continue to operate, as it would have a route to the anchor.
If you look at your output, it seems like you forgot to add the other WLC in the mobility group. When you do an eping, the WLC response tells you it doesn't know of that IP address.
There is an active mobility group called GUEST,
There are two active controllers in a mobility group which are not experiencing any issues. My new WLC is unable to establish a control/data path.
Configuration parameters match existing mobility group configurations, which makes the configuration pretty straightforward. I can ping from the new WLC back to the anchor but NO mping or eping.
I suspect I may have a FW inline that I'm unaware of, as I am new to the organization. Then again, there is mention of rebooting the anchor WLC.
I read up on the mping and eping, not sure why they would fail but the standard ping (8) type would pass. Ports 97 and 16,666/16,667 verified with the network traffic sniffer.
Mping and eping appear to be a glorified extended ping with added functionality/multi host response tool.
This link will help you understand mping and eping.
Are you positive that you anchored your WLAN on the foreign controller?
Is this Anchor controller used for guest anchoring with your other controllers?
Are you positive that you anchored your WLAN on the foreign controller? YES
Is this Anchor controller used for guest anchoring with your other controllers? YES
I read the Cisco doc and confirm eping and mping test the required ports.
Still... NO GO... Have a good night, and I plan to respond with findings.
In my case this was the firewall. I had end-to-end IP connectivity and managed to establish mping successfully, but eping wasn't working. I had Data down between the anchors and the foreign WLCs. I had the 16666-7 capwap ports allowed back, but it turned out I needed a return rule for the SNMP and protocol 97 traffic; despite having it on egress from the foreign side, they are needed on the anchor side as well for initiation, i.e. it's bidirectional.
Facing the same issue here. Control Path up, Datapath down when Checkpoint firewall policy is pushed with SecureXL enabled.
What kind of firewalls are in between the anchor and foreign controller?
I know this post is old but I came across it when I was really stuck with the same issue and thought I'd share what resolved it for me.
So the controller in the DMZ (anchor) would not respond to eping from the foreign controller. mping and ICMP were fine.
ASA was the firewall.
Much packet tracing and frustration followed as the rule to allow IP protocol 97 was in the ACL for both the DMZ interface and the inside interface.
In my case the problem was that I had added the UDP CAPWAP rule into the ACLs first; this allowed the control path to come up. Unfortunately, because the mobility group keep-alive is set to 10 seconds, it kept the flow up between the two WLCs on the ASA. Therefore, when I added the ACE for IP 97 it wasn't reflected, because there was an existing flow between the two.
So, the solution for me was this on the firewall:
clear conn add x.x.x.x add y.y.y.y
...where x.x.x.x equals the management IP of your DMZ controller and y.y.y.y is the management IP of the foreign controller.
Once this was done I could then eping successfully. So frustrating seeing the correct ACLs in place and traffic still not passing; still, it's a lesson learned for me!
Hope this helps someone else in a similar situation in future.
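To make the checks discussed in this thread repeatable, here is an added Python example (my own code, not from Cisco or from anyone posting here). It parses mping/eping output in the format of the CLI capture earlier in the thread and checks a firewall rule set for the flows that must be permitted in both directions: UDP 16666/16667 for the mobility control path (what mping exercises) and IP protocol 97, EoIP, for the data path (what eping exercises). The anchor address 10.48.27.182 is taken from that capture; the foreign controller address 10.48.26.10, the transcript counts and the rule lists are constructed for illustration. When every rule is present but mping succeeds and eping fails, it reports the stale-connection case that Dave's clear conn resolved.

```python
"""Added example (not from the thread): classify a WLC mobility-tunnel
failure from mping/eping CLI output plus a firewall rule set."""
import re
from dataclasses import dataclass

# Flows the thread says the firewall must pass between foreign and anchor
# controllers, in both directions. UDP 16666/16667 carry mobility control
# (mping); IP protocol 97 is EoIP, the data tunnel (eping).
REQUIRED_FLOWS = (("udp", 16666), ("udp", 16667), ("ip", 97))

PROMPT_RE = re.compile(r"\(Cisco Controller\) >(mping|eping) (\S+)")
RESULT_RE = re.compile(r"Send count=(\d+), Receive count=(\d+) from (\S+)")


def parse_ping_transcript(text):
    """Return {(command, target): (sent, received)} from a WLC CLI capture."""
    results = {}
    pending = None
    for line in text.splitlines():
        m = PROMPT_RE.search(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = RESULT_RE.search(line)
        if m and pending:
            results[pending] = (int(m.group(1)), int(m.group(2)))
            pending = None
    return results


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str   # "udp" or "ip"
    value: int   # UDP port, or IP protocol number when proto == "ip"


def missing_rules(rules, foreign, anchor):
    """Required flows that are not permitted; both directions are checked."""
    have = {(r.src, r.dst, r.proto, r.value) for r in rules}
    missing = []
    for a, b in ((foreign, anchor), (anchor, foreign)):
        for proto, value in REQUIRED_FLOWS:
            if (a, b, proto, value) not in have:
                missing.append(Rule(a, b, proto, value))
    return missing


def diagnose(pings, rules, foreign, anchor):
    """Map ping results and rule coverage onto the failure modes in the thread."""
    control_ok = pings.get(("mping", anchor), (0, 0))[1] > 0
    data_ok = pings.get(("eping", anchor), (0, 0))[1] > 0
    gaps = missing_rules(rules, foreign, anchor)
    if control_ok and data_ok:
        return "control and data paths up"
    if gaps:
        return "missing firewall rules: " + ", ".join(
            f"{g.src}->{g.dst} {g.proto}/{g.value}" for g in gaps)
    if control_ok and not data_ok:
        # Rules present, control up, data down: the case where an existing
        # flow on the firewall masked a later-added protocol-97 rule and
        # clearing that connection restored the data path.
        return ("control up, data down with rules present: suspect a stale "
                "firewall connection entry between the controllers")
    return "control path down: check reachability and the UDP 16666 rule"


# Constructed sample data. ANCHOR comes from the thread's capture; FOREIGN,
# the counts and the rule lists are made up for this example.
FOREIGN = "10.48.26.10"
ANCHOR = "10.48.27.182"

SAMPLE_TRANSCRIPT = """\
(Cisco Controller) >mping 10.48.27.182
Send count=3, Receive count=3 from 10.48.27.182
(Cisco Controller) >eping 10.48.27.182
Send count=3, Receive count=0 from 10.48.27.182
(Cisco Controller) >
"""


def _rules(pairs):
    return [Rule(s, d, p, v) for s, d in pairs for p, v in REQUIRED_FLOWS]


# Return rule for IP protocol 97 from the anchor side is absent here.
RULES_ONE_WAY = _rules([(FOREIGN, ANCHOR)]) + [
    Rule(ANCHOR, FOREIGN, "udp", 16666), Rule(ANCHOR, FOREIGN, "udp", 16667)]
RULES_BOTH_WAYS = _rules([(FOREIGN, ANCHOR), (ANCHOR, FOREIGN)])

if __name__ == "__main__":
    pings = parse_ping_transcript(SAMPLE_TRANSCRIPT)
    print(diagnose(pings, RULES_ONE_WAY, FOREIGN, ANCHOR))
    print(diagnose(pings, RULES_BOTH_WAYS, FOREIGN, ANCHOR))
```

Feed it a pasted WLC CLI session and the relevant ACEs from the firewall; the point of the rule model is that each required flow is keyed on source and destination, so a missing anchor-to-foreign entry shows up even when the foreign-to-anchor rules look complete.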
I can confirm that likely you have found the proper solution (or workaround) for this issue. Yesterday we had the same issue with the mobility anchors whereas control path was up and data path was down and that was only applicable for random very selective controllers (whilst the others were fine) which didn't make sense at all.
Clearing the EoIP session on the firewall (Juniper in our case) has resolved the issue and restored data path.
Perhaps Adam has resolved this since then as well, however this forum is still very good for those who may experience the same.
Head shot Dave, your fix worked like a charm.
Irrespective of ASA, Juniper or Checkpoint, clearing the connections always seemed to help.
Can't THANK YOU ENOUGH
I can confirm this still works, stuck with 'Data Path Down' until we cleared the connections. Similar scenario running 8.0 with an Anchor in a DMZ behind an ASA. Saved potentially hours of troubleshooting.
Thanks Dave. I know it's an old post, but I've inherited a network and I've little wireless experience. Our ISP switched to a new firewall and the data path failed to come up. After failing back to the original firewall, a Juniper for reference, it was still down, so the common denominator was the firewall. We read this forum thread early on, so the ISP rebooted the original firewall on day 1. This never worked, so I've spent 4 days troubleshooting this. After pinpointing the firewall as the problem the ISP had another look, and there was a hung session still on port 97. The reboot hadn't cleared it. Once it was cleared the data path came up immediately.
Also check the MAC addresses of the guest and anchor controllers. The tunnel is established by the lower of the two MAC addresses. We had an issue where one of our internal controllers was lower than the anchor controller and we had to tweak our Palo Alto firewall to get the packets to pass and not get dropped by the FW.
+5 JJ ...
I did not know that ...
I'm having the same issue. I have 10 controllers and 1 anchor, a mix of 4400 series and 5508s. All running 126.96.36.199 and the anchor is on 188.8.131.52.
Randomly the data path goes down for some controller. If I reboot the anchor controller, all controllers' data and control paths come up.
The anchor sits behind an ASA 5520 on 8.4; I have an ip any rule from the addresses of the foreigns to the anchor controller. Return traffic is permitted. Can't see any issue with the ACL logic, as the control and data path do work, at least for a time for some controllers. Should I change this to permit UDP CAPWAP first, then IP protocol 97 in a second rule?
I tried using the clear conn to see if it would come back when the data path is down for a specific controller, no cigar.