Re: 5508 8.0.140.0 ipad dropping connection

the-lebowski · ‎01-19-2018

Hi, have an issue with HA 5508 running 8.0.140.0 and ipads dropping wifi. When it happens the end user has turn off wifi and turn it back on to be able to reconnect to the SSID. We are not doing client load balancing, session timeout is set to 28800 seconds and both client user idle timeout and threshold are disabled.

Has anyone seen this before?

Sandeep Choudhary · ‎01-19-2018

paste the output of sh wlan <id> command

the-lebowski · ‎01-19-2018

(Cisco Controller) >show wlan 2


WLAN Identifier.................................. 2
Profile Name..................................... USERWIFI
Network Name (SSID).............................. USERWIFI
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status
    Radius Profiling ............................ Disabled
     DHCP ....................................... Disabled
     HTTP ....................................... Disabled
    Local Profiling ............................. Disabled
     DHCP ....................................... Disabled
     HTTP ....................................... Disabled
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200

--More-- or (q)uit
Number of Active Clients......................... 18
Exclusionlist.................................... Disabled
Session Timeout.................................. 28800 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... none
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ wlan32
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile
DHCP Server...................................... xxxxxxx
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
PMIPv6 Mobility Type............................. none
    PMIPv6 MAG Profile........................... Unconfigured
    PMIPv6 Default Realm......................... Unconfigured

--More-- or (q)uit
    PMIPv6 NAI Type.............................. Hexadecimal
    PMIPv6 MAG location.......................... WLC
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Per-Client Rate Limits........................... Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None

--More-- or (q)uit
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ xxxxxxx 1812
   Authentication................................ xxxxxxx 1812
   Accounting.................................... Disabled
   Dynamic Interface............................. Disabled
   Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Radius NAI-Realm................................. Disabled
Security

   802.11 Authentication:........................ Open System
   FT Support.................................... Enabled
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled

--More-- or (q)uit
         AES Cipher.............................. Enabled
      Auth Key Management
         802.1x.................................. Enabled
         PSK..................................... Disabled
         CCKM.................................... Disabled
         FT-1X(802.11r).......................... Disabled
         FT-PSK(802.11r)......................... Disabled
         PMF-1X(802.11w)......................... Disabled
         PMF-PSK(802.11w)........................ Disabled
      FT Reassociation Timeout................... 20
      FT Over-The-DS mode........................ Disabled
      GTK Randomization.......................... Disabled
      SKC Cache Support.......................... Disabled
      CCKM TSF Tolerance......................... 1000
   Wi-Fi Direct policy configured................ Disabled
   EAP-Passthrough............................... Disabled
   CKIP ......................................... Disabled
   Web Based Authentication...................... Disabled
   Web Authentication Timeout.................... 300
   Web-Passthrough............................... Disabled
   Mac-auth-server............................... 0.0.0.0
   Web-portal-server............................. 0.0.0.0
   Conditional Web Redirect...................... Disabled

--More-- or (q)uit
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   FlexConnect Local Switching................... Disabled
   FlexConnect Central Association............... Disabled
   flexconnect Central Dhcp Flag................. Disabled
   flexconnect nat-pat Flag...................... Disabled
   flexconnect Dns Override Flag................. Disabled
   flexconnect PPPoE pass-through................ Disabled
   flexconnect local-switching IP-source-guar.... Disabled
   FlexConnect Vlan based Central Switching ..... Disabled
   FlexConnect Local Authentication.............. Disabled
   FlexConnect Learn IP Address.................. Enabled
   Client MFP.................................... Optional
   PMF........................................... Disabled
   PMF Association Comeback Time................. 1
   PMF SA Query RetryTimeout..................... 200
   Tkip MIC Countermeasure Hold-down Timer....... 60
   Eap-params.................................... Disabled
AVC Visibilty.................................... Enabled
AVC Profile Name................................. Silver
Flow Monitor Name................................ Accelops
Split Tunnel Configuration
    Split Tunnel................................. Disabled

--More-- or (q)uit
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
802.11v Directed Multicast Service............... Disabled
802.11v BSS Max Idle Service..................... Enabled
DMS DB is empty
Band Select...................................... Enabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Universal Ap Admin............................... Disabled

 Mobility Anchor List
 WLAN ID     IP Address            Status
 -------     ---------------       ------

802.11u........................................ Disabled

MSAP Services.................................. Disabled

--More-- or (q)uit

Local Policy
----------------
Priority  Policy Name

Saravanan Lakshmanan · ‎01-19-2018

Are fast ssid enabled globally on all WLCs that this client tries to roam to. are other clients fine.
post WLC debug output showing issue - debug client <MAC-addr-of-ipad>

the-lebowski · ‎01-19-2018

Attached are the debugs for one of the ipads and the WLC. I tried to paste them here but they are way too long.

Saravanan Lakshmanan · ‎01-20-2018

Don't see the fresh association if ipad were manually reset/w.less re-connect, Provide the time stamp of the issue repro.

Line 73: *apfMsConnTask_2: Jan 19 14:31:27.516: [SA] 78:7b:8a:1e:a9:2e Reassociation received from mobile on BSSID 84:78:ac:c1:43:3e AP HQ-C1-AP.03
Line 266: *apfMsConnTask_1: Jan 19 14:31:38.640: [SA] 78:7b:8a:1e:a9:2e Reassociation received from mobile on BSSID 84:78:ac:8c:55:56 AP HQ-C1-AP.05
Line 458: *apfMsConnTask_1: Jan 19 14:32:12.031: [SA] 78:7b:8a:1e:a9:2e Reassociation received from mobile on BSSID 84:78:ac:8c:55:5e AP HQ-C1-AP.05
Line 672: *apfMsConnTask_1: Jan 19 14:38:29.051: [SA] 78:7b:8a:1e:a9:2e Reassociation received from mobile on BSSID 84:78:ac:8c:55:51 AP HQ-C1-AP.05
Line 914: *apfMsConnTask_4: Jan 19 14:39:51.516: [SA] 78:7b:8a:1e:a9:2e Reassociation received from mobile on BSSID 84:78:ac:c1:15:16 AP HQ-C1-AP.12

the-lebowski · ‎01-21-2018

I don't think the problem occurred while I was debugging. Do I just need to debug it 24/7 until it does? Or is there some easier way to do this?

Scott Fella · ‎01-21-2018

You need to reproduce the issue.

-Scott
*** Please rate helpful posts ***

Saravanan Lakshmanan · ‎01-21-2018

Either leave the debug session going on under ssh session(be sure pc not getting in sleep/power-save mode, ssh session not timing out on client side, wlc session set to 0 and PC hard wired) OR forward output to syslog server.

Forwarding WLC debug output to external syslog server:

(Cisco Controller) >config logging syslog host 10.0.0.222
System logs will be sent to 10.0.0.222 from now on

(Cisco Controller) >show logg
- Host 0....................................... 10.0.0.222
- Host 1.......................................
- Host 2.......................................

To remove config after troubleshooting:-
(Cisco Controller) >config logging syslog host 10.0.0.222 delete
System logs will not be sent to 10.0.0.222 anymore

Note: Confirm, WLC debug log output getting forwarded to the external intended server(s) properly.

Also, enable client event traps and foward the output to external trap log server to understand the impact.

Leo Laohoo · ‎01-21-2018

@the-lebowski wrote:

I don't think the problem occurred while I was debugging.

I honestly don't think there is one.

I believe the iPads has gone to sleep and they were "awoken" by the users.

Saravanan Lakshmanan · ‎01-21-2018

Good point!
can suggest to increase the user idle timeout for idle-client. And of course follow apple best practices.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_0100110.html#concept_F70A46E44FFB41CA9C2A4FC60A81B0A2
https://mrncciew.files.wordpress.com/2013/03/entbp-appmobdevs-on-wlans.pdf

the-lebowski · ‎01-21-2018

I don't follow, are you saying there isn't a problem at all or the problem didn't occur when I was debugging that MAC?

Saravanan Lakshmanan · ‎01-21-2018

Issue didn't occur while debugging,
suspecting that ipad could be going into power-save/sleep mode and the user requires to re-connect to WLC as the previous auth no longer valid. To prevent this behavior, user-idle timeout should be increased globally or per wlan basis to avoid it.

the-lebowski · ‎01-22-2018

I don't have it configured it at all.

Client user idle timeout is not checked and threshold is set to 0 on this WLAN. What impact if any would it have for me to enable it? And how long should I enable it for?

Scott Fella · ‎01-22-2018

Your client idle timer should be set to default to be honest, which is 300. Then disable your session timer. I don’t think that is the issue, but go ahead and give that a try.

-Scott
*** Please rate helpful posts ***