topic ACL Issue on 9800CL in Wireless

ACL Issue on 9800CL

bryanavl — Tue, 05 May 2026 15:25:26 GMT

I am working with a 9800cl WLC running 17.15.4d. I am having an issue with clients not connecting whenever I apply my ACL. So for troubleshooting I have created a very simple psk wlan and applying the acl via the default-policy-profile.

Extended IP access list: ACLONE
20 permit udp any any eq bootps
30 permit udp any any eq domain
40 permit ip any any
50 permit udp any any eq bootpc

I have tried two different client devices with the same result. On the client side they will give an error message when trying to connect. As soon as I remove the acl from the policy profile the two clients connect with no issues. I have captured a radiotrace client log with both the acl and without the acl.

I show in the log file with failure (with acl) the following message:

2026/05/05 13:01:46.890544779 {wncd_x_R0-0}{1}: [sanet-shim-translate] [15821]: (ERR): c0b5.d735.f027 : Policy resolution failure in sanet, code = 2, ACL Failure

Not sure why the ACL is failing. I am attaching the radiotrace log file. timestamp 13:01 is with acl and timestamp 13:09 is without acl. Any help would be greatly appreciated!

Re: ACL Issue on 9800CL

Stefan Mihajlov — Tue, 05 May 2026 15:29:14 GMT

@bryanavl problem is permit ip any any ... u must move this line to very end of ur ACL or u can use permit ip any any only after client has successfully transitioned to Run state

Re: ACL Issue on 9800CL

aleabrahao — Tue, 05 May 2026 15:41:21 GMT

IOS‑XE requires explicit bidirectional DHCP rules with correct source/destination ports.

Try this configuration.

ip access-list extended ACLONE
10 permit udp any eq bootpc any eq bootps
20 permit udp any eq bootps any eq bootpc
30 permit udp any any eq domain
40 permit tcp any any eq domain
50 permit ip any any

Re: ACL Issue on 9800CL

bryanavl — Tue, 05 May 2026 16:21:52 GMT

I tried both of the above suggestions and still getting the same result.

The windows PC states "cannot connect"
The iphone states " incorrect password"

Re: ACL Issue on 9800CL

aleabrahao — Tue, 05 May 2026 16:28:16 GMT

The ACL wouldn't affect the password issue; at most, you might connect but not be able to receive an IP address or not be able to resolve DNS.

Could you send a screenshot of where you're applying it in the profile?

Re: ACL Issue on 9800CL

aleabrahao — Tue, 05 May 2026 16:43:16 GMT

I personally don't use ACLs directly on server 9800 except for the Guest portal.

But it seems something is failing in the onboarding process.

Try this ACL.

ip access-list extended ACLONE
5 permit eapol any any
10 permit arp any any
20 permit udp any eq bootpc any eq bootps
30 permit udp any eq bootps any eq bootpc
40 permit udp any any eq domain
50 permit tcp any any eq domain
60 permit ip any any

But I really recommend that you debug the client to see which process is causing the failure.

Re: ACL Issue on 9800CL

bryanavl — Tue, 05 May 2026 16:53:46 GMT

thank you for digging deeper. see screenshots.

Re: ACL Issue on 9800CL

Stefan Mihajlov — Tue, 05 May 2026 18:09:44 GMT

@bryanavl this confirm what im saying... move ur permit ip any any to bottom of the list.. then verify ACL name matches Policy Profiles Ingress/Egress rilter settings

Re: ACL Issue on 9800CL

bryanavl — Tue, 05 May 2026 18:51:24 GMT

@Stefan Mihajlov I made the change to the acl per your recommendation and verified it is being used on the policy profile. I am still getting the same result (client will not connect)

Re: ACL Issue on 9800CL

aleabrahao — Tue, 05 May 2026 18:57:06 GMT

Hi @bryanavl,

Have you tested this?

Re: ACL Issue on 9800CL

aleabrahao — Tue, 05 May 2026 19:00:51 GMT

Could you also collect these logs?

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/215523-quick-start-guide-on-what-logs-and-debug.html#toc-hId-748860550

Re: ACL Issue on 9800CL

Stefan Mihajlov — Tue, 05 May 2026 19:39:36 GMT

@bryanavl rewrite ACLTHREE so that DHCP rules (Sequence 10 & 30) have "any" for both source and destination ports.. if not.. do show tech support 🙂

Re: ACL Issue on 9800CL

bryanavl — Tue, 05 May 2026 19:41:05 GMT

@aleabrahao answering your question. I tried an acl similiar to your recommendation, however I was not able to explicitly allow arp and eapol in the ip access list. see the image of the actual acl i tried. The client failed when i tried this.

I will collect the logs and post

Re: ACL Issue on 9800CL

Stefan Mihajlov — Tue, 05 May 2026 19:56:13 GMT

@bryanavl if you want send me PM

show tech-support

Re: ACL Issue on 9800CL

bryanavl — Wed, 06 May 2026 00:31:51 GMT

The radioactive trace files have been attached up above.

I am attaching the embedded capture (pcap). Looking through it shows the client repeatedly gets deauthed when the acl is applied to the policy profile.

Re: ACL Issue on 9800CL

Devendra Jadeja — Wed, 06 May 2026 02:30:22 GMT

@bryanavl , can you create one test ACL with permit any any & test it . as you mentioned when you removed ACL from policy profile it works fine , so just want make sure no issue with ACL rule sequenece and ACL name .

Re: ACL Issue on 9800CL

Aref Alsouqi — Wed, 06 May 2026 08:43:42 GMT

I can't see how that ACL can affect the clients connections because your ACL does have a permit ip any any which is basically the same as not applying that ACL at all. Please share the screenshots of the relevant configs on the WLC and where you applied that ACL for review.

Re: ACL Issue on 9800CL

Stefan Mihajlov — Wed, 06 May 2026 12:03:27 GMT

@bryanavl after tech support i can see:
FlexConnect local switching is the issue — traffic is switched at AP, so ACL must be pre-provisioned on AP via flex profile

Fix ->add acl-policy ACLONE under wireless profile flex default-flex-profile to provision ACL on the AP, and ipv4 acl ACLONE in under wireless profile policy default-policy-profile to enforce it on connecting clients

Re: ACL Issue on 9800CL

bryanavl — Wed, 06 May 2026 12:04:10 GMT

@Devendra Jadeja

I just created an acl 'TestPermitAll' which is permit ip any any. This still gives the same result (client is not able to connect when TestPermitAll is applied).

Something I just discovered:

If I apply this same acl "TestPermitAll" to an open security wlan then the client is able to connect. However when using a wlan with wpa2 psk for security it does not allow the client to connect with the acl applied.

I am attaching screenshots for more detail.

thank you!

Re: ACL Issue on 9800CL

aleabrahao — Wed, 06 May 2026 12:11:55 GMT

@bryanavl

Looking more closely, I don't believe it's a problem with the ACL itself, but it might be something related to the Flexprofile.

Try adding the ACL to the Policy ACL of your Flexprofile.