Ok, thank you for your help, as our WLC is a global one, we will have to schedule ASAP an upgrade then.

Another question, I've just noticed that the 5GHZ RF profile is set for DCA in 20 Mhz channel width:

As the 2.4Ghz are in 20Mhz channel width, I assume, could it cause some troubles or issues ?

Yes it's supported, we need the B radio because we have some RFID Zebra MC9190 scanners that need this radio to be able to associate. If we disable all data rates below 12 mbps with 12 mbps mandatory, or use 802.11g only then the MC9190 times out when it try to associate to an AP.

that is odd?

the integrators manual report this device is 802.11a/b/g capable?

 does also this happen with an "out-of-box" device? or only with a scanner application installed?

in last situation the app may configure some wlan settings that interferes with 802.11g only.

it looks like this scanner only searches for beacons on 802.11b (on 1Mbit) but it should also be able to connect connect to 802.11g and even 802.11a!

have you contact the manufacturer about this? the device may need some wlan driver update

the release notes (i only checked one version) mentions some issues reolved

• SPR 31247 - Fixed an issue in which the WLAN radio fails to roam sometimes when Fast Transition (802.11r) is enabled on the infrastructure.
• SPR 30135 - Resolved an issue in which WLAN radio does not roam to DFS channels that resulted in stickiness or disconnect.

Yes I know I've already searched about that, and it seems strange behaviour. MC9190 have the last fusion drivers and MC9090 also (old scanners I used for test), and they cannot connect if we don't enable one B data rates.

I'm wondering if maybe some packets are dropped or corrupted in the capwap tunnel, I see that DTLS encryption is configured on the capwap tunnel, but not on APs, should it be set ?

in the section Restrictions on Data Encryption in the configuration guide, cisco advices negative.

• DTLS data encryption is enabled automatically for OfficeExtend access points but disabled by default for all other access points. Most access points are deployed in a secure network within a company building, so data encryption is not necessary. In contrast, the traffic between an OfficeExtend access point and the controller travels through an unsecure public network, so data encryption is more important for these access points. When data encryption is enabled, traffic is encrypted at the access point before it is sent to the controller and at the controller before it is sent to the client.

   

• Encryption limits throughput at both the controller and the access point, and maximum throughput is desired for most enterprise networks

Ok, capwap tunnel data channel is automatically encrypted ?

I mean, our configuration seems to be like that (I have sniffed a APs port with wireshark) :

WLC -> CAPWAP tunnel 5247 UDP port data encrypted packets -> APs (3802I or E)

APs (3802I or E) -> CAPWAP tunnel 5248 UDP port NO data encrypted packets -> WLC

As our APs have not Data Encryption enable.

Is this a normal configuration ?

I have found this setting on our WLC:

And we can read this warning, at the bottom of the page

We are doing Flexconnect with Local switching. Could this multicast setting cause some troubles ? I don't understand why this setting is enabled if it's not supported in Flexconnect mode ?

In fact Multicast on WLC is disabled globally, so I assume this setting is not taken in account.

But in the Wireshark analyze log, I can see sometimes the AP is trying to do multicast and join the same multicast group IP there is in the General tab of Controller in WLC: