Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

WAN Health Check - Required?

  • 1.  WAN Health Check - Required?

    Posted Sep 20, 2019 04:39 AM

    Hi,


    Running a mobility master environment I came across the WAN health check service.

     

    Is this something that should be enabled on each mobility device to check the status? Should it be set to UDP and to ping a host like, say, Google DNS (8.8.8.8) to ensure the uplink for each MD is up and able to get out to the internet, or is this not the purpose of this feature?

     

    Thanks



  • 2.  RE: WAN Health Check - Required?

    Posted Sep 20, 2019 05:37 AM

    Hi Scott,

     

    The WAN health check feature is used to determine reachability/latency to the master via various WAN links (configured for redundancy).

     

    The main purpose is to let the branch devices know if their master is reachable or not.

     

    There are two modes to verify reachability:

    1.) Using Ping probes

    2.) Using UDP probes

    You can check if they are configured in the running config; the default config looks more or less like the one below:

    (A_RAK)#show running-config | include "ip probe"

    ip probe "default"
      mode            ping
      burst-size      10
      frequency       10
    !

    ip probe "health-check"
      mode            udp
      burst-size      10
      frequency       10
    !

     

    The major difference between these modes is that for UDP, port 4500 is used, which is usually not blocked, while ICMP may be blocked on a network for security concerns.

    You can also verify the reachability using the command "show ip health-check <probe ip>", which gives more details regarding the health of the link.

     

    The Master's public IP is usually configured for the probe.

     

    --Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
    --Problem Solved? Click "Accepted Solution" in a post.

     

     



  • 3.  RE: WAN Health Check - Required?

    Posted Sep 20, 2019 05:47 AM

    Great detail given on this thank you!

     

    We don't have a public IP set on our master; we have it going across our site-to-site VPNs. The mobility master has created tunnels on port UDP 4500; however, when I tried to set the health check probe mode to UDP it showed 3 or 4 sites unreachable even though they were still up on the MM and locally.

     

     

     



  • 4.  RE: WAN Health Check - Required?

    Posted Sep 20, 2019 05:52 AM

    Hi Scott,

     

    What is the output of the command "show ip probe"? Are there new health check profiles mapped or are you using the default ones?

    This can be checked using the command "show ip health-check".

    What is the state of the probe IP in the previous command?

    If the state is showing as down, then try issuing the command "show ip health-check <ip probe ip address>" for a more detailed output.

     

     




  • 5.  RE: WAN Health Check - Required?

    Posted Sep 20, 2019 06:57 AM

    Hi,

     

    "show ip probe" returns:

    IP Probe Entries
    ----------------
    Name          Probe Mode  Frequency(in sec)  Retries  Burst size
    ----          ----------  -----------------  -------  ----------
    default       Ping        10                 3        5
    health-check  Ping        10                 3        5
    data-vpnc     Udp         10                 3        5

    "show ip health-check <mobility master IP>" or "<google dns>" doesn't return anything.

    "show ip health-check" returns:

    IP Health-check Entries
    -----------------------
    Probe IP      Src Interface  Vpnc IP  State  Probe-Profile  Avg RTT(in ms)
    --------      -------------  -------  -----  -------------  --------------
    8.8.8.8       vlan 9                  Up     health-check   5.531
    192.168.23.1                          Up     default        0.000



  • 6.  RE: WAN Health Check - Required?

    Posted Sep 20, 2019 07:06 AM

    Hi Scott,

     

    For the probe IP 192.168.23.1 the "default" health-check profile is used.

    It is by default configured for ping probes.

    I see that you have created "data-vpnc" for UDP probes.

    Could you try mapping the data-vpnc profile to the probe IP 192.168.23.1?

    Also, check to see if the uplink health-check feature is enabled/disabled. Issue the command "show uplink" to verify this.

    Check to see if the "Uplink Health-check ip" (from the previous command) is showing the expected uplink IP to which the probes are to be sent.

    Issue the command "uplink health-check enable" to enable the health check in case it is disabled.

     

    --Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
    --Problem Solved? Click "Accepted Solution" in a post.
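
Added example, not part of the thread and not Aruba code: a Python sketch that joins the "show ip probe" and "show ip health-check" outputs posted above to show which probe mode each probe IP actually uses and which profiles are defined but not mapped. The function names are hypothetical, and the sample text is constructed from the outputs in post 5.

```python
import re

# Constructed sample: the two CLI outputs posted in this thread.
SHOW_IP_PROBE = """\
IP Probe Entries
----------------
Name          Probe Mode  Frequency(in sec)  Retries  Burst size
----          ----------  -----------------  -------  ----------
default       Ping        10                 3        5
health-check  Ping        10                 3        5
data-vpnc     Udp         10                 3        5
"""
SHOW_IP_HEALTH_CHECK = """\
IP Health-check Entries
-----------------------
Probe IP      Src Interface  Vpnc IP  State  Probe-Profile  Avg RTT(in ms)
--------      -------------  -------  -----  -------------  --------------
8.8.8.8       vlan 9                  Up     health-check   5.531
192.168.23.1                          Up     default        0.000
"""

def parse_table(text):
    """Slice a fixed-width CLI table at its dashed ruler, so blank cells
    (Src Interface, Vpnc IP) do not shift the columns that follow them."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    # The column ruler has several dash runs; the title underline has one.
    ruler = next(i for i, l in enumerate(lines) if re.fullmatch(r"-+(\s+-+)+", l))
    starts = [m.start() for m in re.finditer(r"-+", lines[ruler])]
    def cut(line):
        return [line[s:e].strip() for s, e in zip(starts, starts[1:] + [None])]
    header = cut(lines[ruler - 1])
    return [dict(zip(header, cut(row))) for row in lines[ruler + 1:]]

def effective_modes(probe_text, health_text):
    """For each probe IP, report the mode of the profile mapped to it."""
    mode = {p["Name"]: p["Probe Mode"].lower() for p in parse_table(probe_text)}
    return [{"probe_ip": h["Probe IP"], "profile": h["Probe-Profile"],
             "mode": mode.get(h["Probe-Profile"], "unknown"),
             "state": h["State"], "rtt_ms": float(h["Avg RTT(in ms)"])}
            for h in parse_table(health_text)]

def unmapped_profiles(probe_text, health_text):
    """Profiles that exist but are not attached to any health-check entry."""
    used = {h["Probe-Profile"] for h in parse_table(health_text)}
    return [p["Name"] for p in parse_table(probe_text) if p["Name"] not in used]

if __name__ == "__main__":
    for row in effective_modes(SHOW_IP_PROBE, SHOW_IP_HEALTH_CHECK):
        print(row)
    print("unmapped:", unmapped_profiles(SHOW_IP_PROBE, SHOW_IP_HEALTH_CHECK))
```

On the thread's data this reports both probe IPs as ping-probed and "data-vpnc" as unmapped, which matches what post 6 reads off the tables by eye.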