Cisco Wireless :: Migrating 2 Standalone 5508 To One Mobility-group
Jan 23, 2012
for some reason our wlan-controllers were build up to be standalone instead of beeing one mobility-group. I would like to change this in order to use all features of HA.
let me describe our scenario: two WLCs 5508 running SW ver. 6
- same subnet
- both are running in master controller mode
- different hostnames, ip-addresses, etc
- all settings for WLANs and AP-groups (exept the APs themselves in these groups) are the same
- in total at this moment we are running around 100 LAPs configured one half on WLC#1, the other half on WLC#2
I don't know exactly why, but when that setting was installed, someone already configuredHA for each accesspoint... e.g.:
- AP#1 primary WLC#1, secondary WLC#2
- AP#2 primary WLC#2, secondary WLC#1 but without WLC#2 knowing the configuration for AP#1 it makes no sense, correct?
so my question is: how should I do the migration in the best way?
is it easy as:
- disabling master controller mode on WLC#2
- configuring both WLCs into one mobility group
--> WLCs are negotiating their configurations for the APs
I have to WLC's a 4402 and 5508 in a mobilty group. they are both running 7.0.116.0. They are configured to use Web Authentication. We are having complaints that Users are having to re-authenticate when moving around the office. My theory is they are moving from one WLC to the other and then requiring to re-authenticate.
I am setting up officeexten. I have placed the officeextend wlc in the dmz with an mgmt ip of 192.168.10.2. in the process of anchoring this to the internal wlc. Also the ip on the firewall for this interface is 192.168.10.1
1. does the mobility group need to match the same on the internal wlc ?
2. Now do i need a NAT transnational on the firewall for the external WAN ip (AP primed address say 66.10.10.10) to NAT back to 192.168.10.2 ?
3. The 5508 WLC is running on ver6.0.199.4 (license level base) - will this support office extend?
I read the configuration guide about the 7.3 release. And I figured out that you will need a hash key for establishing a mobility group relation between a controller and a virtual controller. The 7.3 release for the 5500 series works fine for me.But the latest release 7.0.235.0 for the wireless lan controller series 4400 does not have a functionality to add a hash key while creating a new mobility group member.The command "config mobility group member hash" is totally missing. How to establish a mobility group between a 4400 controller and a virtual then ?
I have a customer buys 12 x WISM and build up a mobility, when I add the final WLC to mobility, it prompts that there mobility group has reached the max of mobility member, but the total member is 23, according the configuration guide, it should be allow to 24 member, do I hit some bug? My using version is 7.0.98.0.
I read the configuration guide about the 7.3 release. And I figured out that you will need a hash key for establishing a mobility group relation between a controller and a virtual controller. The 7.3 release for the 5500 series works fine for me.
But the latest release 7.0.235.0 for the wireless lan controller series 4400 does not have a functionality to add a hash key while creating a new mobility group member. The command "config mobility group member hash" is totally missing.
how to establish a mobility group between a 4400 controller and a virtual then?
I have a Question i am testing mobility group with Failover for redundend connection between 2 Cisco 5500 Wlc.On both the controllers i got the mobility working And both the controllers have the same version.And configuration. But when i unplug the main controller the access-Points don't convers to the second one .The just keep on creaming can't find the main controllerAlso with this thus the second wlc need to have the same.Interface ip address like management.
We currently run six 4402 Wireless lan controllers - these are managed by a WCS server - soon to be replaced by Cisco Prime. We run a mixture of LAP1242 and LAP1142 wireless access points. I need to add more but have been told by my supplier that the both these AP's are now end of sale and cannot be purchased.
The replacement AP's are the 2600 series - but I have been told that these are not compatible with my existing 4402 controllers.
To make matters worse I was then advised that if I purchase the new 5580 controllers the older LAP1242 access points will not work with it and require replacing - this, for me, is a lot of access points.
What I need to know is:
What access points, if any, are currently available that are compatible with my 4402 controllers and a future 5508 installation?
I ssem to be in a situation now where I cannot buy any access points that will work with my 4402's but if I upgrade all my current 1242's will not funtion with the new 5508 controller!
1) Is it possible for 2 WLCs installed in seperate data centres with L3 seperation to be joined in a mobility group? We will have aps in the branch offices split between controllers so we want to make sure roaming work ok. Also all guest access should be anchored to data centre 2.
2) in flexconnect local switching mode, do I need to create flexconnect groups if I'm only using radius servers in the data centre with no requirement to use local radius as a backup?
I'm working on migrating autonomous WAPs to lightweight mode in a WLC 5508. Some of the older WAPs are being decommissioned at the same time.
One issue I have found is that after replacing an old WAP in autonomous mode with a new WAP (3502); some clients near the coverage of this new LWAPP are now connecting to another WAP in autonomous mode that has not been converted or replaced yet; but that is located quite far away from where these clients are, actually two floors down. Users on these clients have reported wifi dropouts, which is obvious due to the distance where the old WAP is. A workaround that seems to work is removing the wifi profiles in the client machines and recreating them again, which is not a good solution for all of the wifi profiles we have in place. At this point of time we still need to have the older WAPs until they are all replaced.
How can I get clients connecting to a LWAPP that is closer to their location? I'm wondering what causes those clients to look for an existing older WAP rather than connecting to the new LWAPP, which is broadcasting the same SSID closer to where they aree. Bear in mind that the new LWAPP is working fine and has live sessions working just fine.
I have two 5508, no anchor, only one SSID with internal web authentication using radius server.Under "Configuring Mobility Groups", Cisco guide says: "If a client roams in web authentication state, the client is considered as a new client on another controller instead of considering it as a mobile client".
I understand that if a client that has already autheticated via web roams between two LAPs that are associated with different WLCs, it has to reathenticate.
After upgrading my 5508s to 7.2.110.0, they are reporting mobility data path errors to one of my WiSMs running 7.0.235.0.
I get these messages on the 5508s reporting that it can't send a ping to the affected WiSM:
*ethoipSocketTask: Aug 08 21:15:41.175: %ETHOIP-3-PKT_RECV_ERROR: ethoip.c:341 ethoipSocketTask: ethoipRecvPkt returned error *ethoipSocketTask: Aug 08 21:15:41.175: %ETHOIP-3-PING_RESPONSE_TX_FAILED: ethoip_ping.c:312 Failed to tx a ping response to <ip address>, rc=5
But maybe there is another clue because I also see in the same log these errors referencing the same WiSM:
*bcastReceiveTask: Aug 08 21:15:45.310: %LOG-1-Q_IND: mm_dir.c:1969 Failed to recreate the SSH Rule for <ip address>. *mmSSHPeerRegister: Aug 08 21:15:44.829: %MM-1-SSHRULE_CREATE_FAILED: mm_dir.c:1969 Failed to recreate the SSH Rule for <ip address>.
Why is the controller trying to SSH to another controller? Was some SSH related feature added to 7.2 that has been accidentally enabled?
I have Cisco Wireless Lan Controller 5508 with 35 (3600 Series Access Points. Do i need to purchase Mobility Service Engine for this or no need? Do i need WCS server for this or no need?
I have 2 5508 controllers in a mobility group. Any good way to keep the configuration between the 2 controllers synched up?
I thought about copying the config from my primary controller to the secondary controller, but I would think there is a more elegant way to make this happen.
I am replacing an old 4400 series WLC running version 4.0.179.11 to a new 5508 WLC running version 7.2.110.0.
We currently have 70 x 1131 Access points on the 4400 WLC.
With this upgrade, do i need to upgrade the old 4400 to version 6.0 so the AP's get an up to date IOS or can i directly migrate all AP's over to the new 5508 without any version incompatabilities on the AP's?
I am abit worried that the AP's are running a very old IOS on the 4400 v.4.0.179.11 to go straight to the new 5508 v.7.2.110.0.
How do Mobility Groups work with internal DHCP scopes on a WLC 5508?We have a WLC 5508 with two internal DHCP scopes which redirect to captive portals for authentication. I am looking at putting in a second WLC in a mobility group setup to provide some WLC redundancy. The LWAPs will be setup so that every second AP is on the has the second WLC as its primary controller. If the primary WLC fails we want the secondary to be able to take over and issue IP's from the internal scope. How do you set this up with a Mobility group so the second WLC does not act as a rouge DHCP server while the primary WLC is still active?
We are in a warehouse type setting and have data centers on each side of warehouse with 5508 WLC's in each data center. Each side is on its own subnet with routing in between and a different set of SSID's for each set of WLC’s. Are goal is to have the ability to failover in the event that if one data center goes down AP’s will move to the controllers in the other DC and the clients will still be able to operate.
Our thought was to implement mobility groups between the controllers. While I saw documentation on setting this up when the controllers are on the same vlan, I didnt see any setup config when controllers are in different vlans. So I am wondering if mobility groups are even an option for what we want to accomplish. For the most part clients stay on their respected sides of the warehouse and so we are not necessarily needing roaming for clients between controllers in DC1 and DC2. But that does raise another question in that we do have a planned voice wlan that we would like to have the ability to roam between each side of the warehouse. But we have seen ip issues with this. In the past we have had both SSID's setup on each side and ran to issues with clients not renewing their IP address when moving to the controllers on the different subnets.
Can we setup mobility groups between controllers on different vlans/subnets? For failover purposes will mobility groups assist in our setup with 2 DC’s and different subnets/vlans? If the answer is yes we can setup mobility groups between different subnets, is there a way to setup the SSID's on all controllers and have the ability for clients to roam and renew their IP’s when moving to a different controller on a different subnet?
I have an AP group on a Cisco 5508 WLAN controller. Currently, it is populated with 13 Cisco 1142 lightweight access points. When I try to add a Cisco 3602i access point to the group, I get the following error in NCS: Error: OfficeExtend requires primary, secondary, or tertiary controller management IP to be set.I am using DNS to allow my AP's to find the controller and they work just fine. Is there a reason I can't add the 3600 series AP's to the AP group?
i have a WLC (5508) - trying to enable AP group vlans based on instructions from: url...however, my problem is that i don't have the 'ap group vlans feature enable' checkbox.
I'm looking for some input on RRM. I personally have NOT used it in a LONG TIME, since probably the 4.0 days and then very shortly due to massive issues it was causing and admittedly, in part due to my ignorance at the time. So, every since that point, I have always set all my channels and power manually but now feel I am getting to some points where RRM may be required / beneficial. So, I've invested some time and have begun researching and trying to get the ends and outs on it but I'm forseeing a potential issue in myworld anyways and am hoping for some clarification. Lets take the below example:
-WLC5508a and b - (2 100ap license controllers) - these hold the majority of the AP's for the main hospital.Lets say, 140AP's.
-WLC5508c and d - (1 100ap and 1 50ap licensed controllers) - These tend to hold our smaller sites and and buildings, not all connected and some a few miles from each other
-WLC4402a and b - (failover ready)
So, with RRM, I can set setting it up on the 5508A/B with out issue as this is one big large building. However,what about C and D? I suppose I can make them a separate RF Group, but how would RRM respond when it has16 AP's in Building X and then 3 AP's in Building Y 30 AP's in Building Z and sporadic buildings with 1's and 2's? Everything I've read so far, leads me to believe if these devices are separated it probably won't be an issue, however, I just don't want something causing a change in Building Z and Building X be affected because RRM decided it would try to fix it. My point is, I can't afford to have a separate RF Group (meaning separate controllers) for every location.
I have a network setup as live-ssid. It is using the Interface for VLAN 14. All APs under the default-group AP Group obviously allows clients to DHCP an address from VLAN 14. This is working fine.
I created a new AP Group called 3rd Floor. This has the live-ssid setup, but instead of using the Interface for VLAN 14 it is setup for the Interface for VLAN 50. I have all the APs on this floor moved to the 3rd Floor AP Group.
The problem is that 95% of the clients on 3rd Floor are still picking up DHCP addresses from VLAN 14. I checked and all the clients are connected to the APs on the 3rd Floor. Only 4 Clients are getting an address from VLAN 50.
I'm not sure if something is configured wrong or not since some devices pick up the new VLAN and the rest don't. I've manually reboot the APs on the 3rd floor to see if that would fix it.
I'm looking at creating WLANs using standalone APs for the first time. I know this can all be done with trivially a controller, but this project can't stretch to that...Can I use MAC filtering on standalone APs to restrict which clients associate?I think these will be 1240AG devices but I assume the answer is the same for all models?Can I mix MAC filtering with WEP/WPA? And use MAC filtering without encryption?
I have a Brand new AP that was bought for a site which has a controller, however it was never installed. I was wondering can you downgrade this AP to make it work in stand alone mode as a normal AP?
One of Cisco Wireless AP 1242 installed in my premises restarts itself; AP is getting power from Catalyst 2960 POE. I am using multiple SSID on this AP. I have issued the show tech-support. I have seen below in tech-support System was restarted by unknown reload cause - reason ptr 0xF, PC 0x46FEB8, address 0x0? what could be the reason of restarting of AP. AP is in production since 1 year and it restarts seldom.
I have an extra 521G standalone access point. My network jack is on the other side of the wall...so I am curious to see if I could use this access point as a bridge of some sorts to join my wireless network (on a UC520W-8U-4FXO-K9) and use the Ethernet jack on the AP as a bridge of some sorts so that I can connect my IP phone and laptop behind it. I've set up standalone AP's like this as base stations before, but I've never tried bridging and haven't had much luck just playing around with it.
I try to map LDAP Group to ASA Group policy following documentation:
[URL]
This is a config for ASA 8.0. I would have expected it to work on 8.4 as well but I do run into problems. The mapping as shown in LDAP Debug and ASA Log will actually happen but it is overwritten by the "GPnoAccess" Group Policy configured locally in the Tunnel Group. From earlier works with RADIUS I would have expected the user specific Attribute to be "stronger"? ASA Log:
AAA retrieved user specific group policy (correct Policy) for user = XXX AAA retrieved default group policy (GPnoAccess) for user = XXX
I just installed an Aironet 1140 to replace a Netgear ProSafe access point that I had in my network prior. I'm having one issue that I can't figure out though. None of the client PCs can establish a connection to an external (over the internet) VPN server while on the Aironet wireless. If i unplug the AP and plug a PC into the same port that normall feeds the Aironet I can VPN just fine.
Is there any "VPN Passthrough" option that needs to be enabled somewhere on the 1140 that is blocking this traffic for some reason?
i'm running the following IOS BOOTLDR: C1140 Boot Loader (C1140-BOOT-M) Version 12.4(18a)JA3, RELEASE SOFTWARE (fc1) and I've included my running config below
Current configuration : 2092 bytes!version 12.4no service padservice timestamps debug datetime msecservice timestamps log datetime msecservice password-encryption!hostname ap!enable secret 5 [omitted]!no aaa new-model!!dot11 syslog!dot11 ssid MetroC authentication open authentication key-management wpa guest-mode mbssid guest-mode wpa-psk ascii 7 [omitted]!!!username Cisco password 7 [omitted]!!bridge irb!!interface Dot11Radio0 no ip address no ip route-cache ! encryption mode ciphers aes-ccm ! ssid MetroC ! antenna gain 0 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. station-role root bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 port-protected bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding bridge-group 1 spanning-disabled!interface Dot11Radio1 no ip address no ip route-cache ! encryption mode ciphers aes-ccm ! ssid MetroC ! antenna gain 0 no dfs band block speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. channel width 40-above channel dfs station-role root bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 port-protected bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding bridge-group 1 spanning-disabled!interface GigabitEthernet0 no ip address no ip route-cache duplex auto speed auto no keepalive bridge-group 1 no bridge-group 1 source-learning bridge-group 1 spanning-disabled!interface BVI1 ip address 192.168.1.3 255.255.255.0 no ip route-cache!ip http serverno ip http secure-serverip http help-path [URL]
