CSCvo66931 - IOS APs losing FlexConnect ACLs

joe.fodor
Level 1

I believe I am hitting this bug on 8.5.135.0 with my 3802i APs. Most of the APs are only getting one or two of the FlexConnect ACLs. I tried removing the ACL from the FlexConnect group and re-added it, which still did not help.


markfaul79
Level 1

We are also on 8.5.135.  I want to say we hit this bug in December of last year with a single 3802.  Slowly, more and more APs have been affected.  Our network consists mainly of 3702 and 3802 APs.  As of last week, we have had around 9 APs with the issue.  

 

We have been able to resolve the issue, to a certain degree, by either performing a factory reset through the WLC (Clear All Config option in the AP's 'General' tab), or by flashing the AP and reloading the IOS manually.  Both methods call for a reconfig, adding it to the proper AP groups, high availability, and all that, etc...  It has worked on 7 of the 9 affected, and has shown stability for about a week.  Most port bounces or manual reboots of the AP may fix the issue for a few hours to a max of 2 days before they lose their ACL.  

 

Something I noticed is that the affected APs will reboot on their own prior to coming back up with no ACL. Logs do not indicate any issue prior to the reboot, however. I was able to catch this happening on 3 of the affected APs, but cannot say for certain that all of them exhibit this behavior prior to ACL loss.

Good news! 

 

I found the fix for this issue. Put in the below command on your controller and reload the APs that are having issues, and it will then download all the ACLs. This is a known issue, and this command will be on by default for all versions 8.6 and above.

 

config advanced capwap-message-aggregation enable

 

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-8/config-guide/b_cg88/flexconnect_security.html

 

Good Man. Good find.

Implemented the line Wednesday of last week. Wanted to give it a few days to spot check. No errors since Wednesday evening.