topic Re: 9800L-F / 2802i Flexconnected AP / VPN: Guest SSID Users can't con in Wireless

9800L-F / 2802i Flexconnected AP / VPN: Guest SSID Users can't connect

perrymcgrew — Wed, 02 Oct 2024 18:00:30 GMT

9800L-F running 17.12.02 in the Corp Data center. Large WAN sites connected via Cisco 8x00 SD-WAN devices. Small sites have S2S VPN connection to the corp datacenter using 3rd party Firewall. All remote sites APs are Flexconnected and registered to 9800L-F. The Guest SSID subnet lives in the Corp Datacenter and DHCP assigned by the data center core. Guest SSID uses MAC Auth and Web Auth w/ external redirect. The MAC auth is used for devices that can't display Web Auth splash page like ROKUs etc. Web Auth is for devices that can. Neither auth method is working for the S2S VPN clients.

So, the SD-WAN sites all work for Guest SSID. The sites that are connected with S2S VPN do not. The Guest clients at the VPN sites are stuck in IP Learn state.

So took a debug and PCAP on the 9800L-F. In the PCAP I see the DHCP DIscover and the DHCP Offer for the failing client. The DHCP Offer does not make it back to the client.

I can't see any drops in the Firewall logs -- but since I believe the traffic is inside the CAPWAP tunnel between the 9800 and the site's Flexconnected AP makes it hidden from running captures on the Firewall.

TAC says it's the Firewall since the 9800 is seeing the DHCP traffic.

Anyone have ideas what the cause is or where to look next?

TIA

Re: 9800L-F / 2802i Flexconnected AP / VPN: Guest SSID Users can't con

MHM Cisco World — Wed, 02 Oct 2024 18:22:07 GMT

If it flexconn then traffic not pass to wlc unless you use dhcp central

MHM

Re: 9800L-F / 2802i Flexconnected AP / VPN: Guest SSID Users can't con

perrymcgrew — Wed, 02 Oct 2024 19:28:46 GMT

All The remote SD-WAN flexconn sites get DHCP for Guest SSID. Central DHCP is activated in the Guest Policy. Plus, the pcap taken on the 9800-L-F clearly showed the DHCP Discover and Offer from the remote site's device trying to access Guest SSID. The device stays in IP Learn state.

Re: 9800L-F / 2802i Flexconnected AP / VPN: Guest SSID Users can't con

Haydn Andrews — Wed, 02 Oct 2024 23:33:35 GMT

you can do a packet capture at the WLC to see traffic going through it

Re: 9800L-F / 2802i Flexconnected AP / VPN: Guest SSID Users can't con

perrymcgrew — Sat, 05 Oct 2024 00:06:29 GMT

I have taken pcaps & debugs on the 9800. The device that use MAC auth gets an IP but is still prevented from accessing network despite being in Run state. The Firewall does complain about some Identity Awareness issue. I’m working with that 3rd party TAC on that issue. The other client uses Web Auth and I still see the DHCP Discover & Offer on the 9800. But the client is stuck in IP Learn and doesn’t get the IP address or display the login web page for the Guest network

Re: 9800L-F / 2802i Flexconnected AP / VPN: Guest SSID Users can't con

Rich R — Sun, 20 Oct 2024 11:46:23 GMT

Did you make any progress on this?
It seems clear the problem must be the 3rd party firewall but it could also be an MTU and/or fragmentation issue.
Can't you do a pcap on the egress from the firewall to confirm the packets are leaving the firewall (or not)? As long as you don't have CAPWAP data encryption turned on you should be able to see all the packets in the CAPWAP data tunnel. If you do have CAPWAP data encryption turned on (pointless if you're running it over a VPN anyway) then turn it off for troubleshooting at least.