cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
792
Views
25
Helpful
3
Replies

CSCvo66931 - IOS APs losing FlexConnect ACLs

joe.fodor
Level 1
Level 1

I believe I am hitting this bug on 8.5.135.0 with my 3802i APs. Most of the APs are only getting one or two of the flexconnect ACLs. I tried removing the ACL from flexconnect group and re added it which still did not help. 

3 Replies 3

markfaul79
Level 1
Level 1

We are also on 8.5.135.  I want to say we hit this bug in December of last year with a single 3802.  Slowly, more and more APs have been affected.  Our network consists mainly of 3702 and 3802 APs.  As of last week, we have had around 9 APs with the issue.  

 

We have been able to resolve the issue, to a certain degree, by either performing a factory reset through the WLC (Clear All Config option in the AP's 'General' tab), or by flashing the AP and reloading the IOS manually.  Both methods call for a reconfig, adding it to the proper AP groups, high availability, and all that, etc...  It has worked on 7 of the 9 affected, and has shown stability for about a week.  Most port bounces or manual reboots of the AP may fix the issue for a few hours to a max of 2 days before they lose their ACL.  

 

Something I noticed, is that the affected APs will reboot on their own prior to coming back up with no ACL.  Logs do not indicate any issue prior to the reboot, however.  I was able to catch this happening on 3 of the affected APs, but cannot say for certain that all of them exhibit this behavior prior to ACL loss.

Good news! 

 

I found the fix for this issue. Put in the below command on your controller and reload the aps that are having issues and it will then download all the ACLs. this is a known issue and this command will be on by default for all version 8.6  and above. 

 

config advanced capwap-message-aggregation enable

 

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-8/config-guide/b_cg88/flexconnect_security.html

 

Good Man. Good find.

Implemented the line Wednesday of last week. Wanted to give it a few days to spot check. No errors since Wednesday evening.