9130AXI EWC Clients Get DHCP Address But Can't Reach Internet

rommonster
Level 1

Labbing with a 9130AXI-B EWC and I am unsure what is causing the issue I am seeing. Running 17.12.4.

Wireless Clients ---- EWC-AP "employee" PSK SSID --- C3850 --- Firepower ASA --- Internet

Wired Clients ---- C3850 --- Firepower ASA --- Internet

All VLAN interfaces/gateways on the 3850. Default route on 3850 to Firepower ASA for internet access

  • EWC web gui and SSH is reachable from anywhere on the network (including inter-vlan traffic reaching the native management IP and web gui of the EWC)
  • EWC-AP gets DHCP address from scope defined on server in different VLAN, reachable inter-vlan.
  • Wireless clients connect to SSID and get DHCP address from scope defined on server in different vlan
  • Wired clients can ping/web to management IPs and web gui of EWC in management VLAN, but can't reach clients associated to SSID
  • Wireless client can reach other wireless clients, but are unable to reach anything not connected to the SSID (can't reach wired clients, can't reach internet, can't reach default gateway, can't reach management IP of EWC, can't ping DHCP servers they RECEIVED A DHCP ADDRESS FROM)
  • Cisco wireless debug tool (https://cway.cisco.com/wireless-debug-analyzer/) shows no issues with clients, association works fine, they receive DHCP address from a server outside the wireless subnet, and reach run state. However they are then unable to communicate to anything outside the same subnet off the EWC (includes the DHCP server it got the address from, also can't ping the gateway for the VLAN).
  • Wired client in an access port on the wireless vlan is able to communicate to the internet and inter-vlan without issue.

On Firepower ASA, no traffic is seen from wireless clients associated to the SSID attempting to reach the internet, so traffic is never making it to the 3850 switch and being routed to the Firepower. So the EWC seems to somehow be limiting clients from reaching outside the SSID/subnet.

If I replace the 9130AXI with a 9115AXI we had previously or a 3802i running Mobility Express, they work without issue in similar setup (trunking multiple vlans with native vlan for management).

I do have a site and flex policy configured with the VLANs I am trunking, including the native VLAN, and it is applied to the EWC AP.

What am I missing here? Is something with 9130AX different? Or am I missing a configuration step somewhere I am not seeing? Pulling my hair out, any help would be greatly appreciated.


@rommonster 

Sounds like a bug. There are a few bugs that could cause this issue in 17.12.4 and previous versions. I would try changing the version.

It does make sense that it does not work with the 9130 if it works with the 9115.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/release-notes/rn-17-12-9800.html#open-caveats-for-cisco-ios-xe-dublin-17.12.4


Yes, this must be the case.

Unfortunately I don't have access to the ESW13 release of 17.12.4 that Rich mentioned below (for some reason it requires a contract, whereas the regular EWC images do not). So instead I downgraded to 17.9.6 (the other recommended release I can download). As soon as the 9130 came online it was at least routing traffic, just not for the right VLANs.

Thanks!

Rich R
VIP

Although you might be using the same EWC config on the 9115 and 9130 have you checked that you have the same tags applied to the AP in both cases? How are you applying the tags?
show ap tag summ
show ap name <ap-name> tag detail

Have you checked the EWC config using the Config Analyzer (link below)?

Also make sure you're using the latest ESW13 release of 17.12.4 as per the TAC Recommended link below:
https://software.cisco.com/download/specialrelease/b5170408cc94b5cb4ffce878e044cf6e


Hi Rich,

So after downgrading to 17.9.6 (I'm unable to download the ESW for 17.12.4 currently) I am getting some connectivity on clients but not the way I intended...

I have 3 VLANs that I'm trunking to the 9130 EWC: 2, 3, and 10. Native VLAN is 2.

2 is for the EWC/AP management to use (native vlan)
3 is for DMZ/Guest Network
10 is for internal traffic (where LAN clients should sit)

I have two SSIDs configured. One for Guest (VLAN 3) and one for "Employee" (internal LAN access, VLAN 10).

Currently all clients, regardless of which SSID they connect to, get an IP in VLAN 2.

I am unsure how this is happening as I double checked and it appears as if all of my tags are applied correctly.

I thought that the Flex profile vlan tab defines the VLANs in use and that allows for multiple SSIDs in different VLANs on EWC since the VLAN and VLAN Group tabs don't exist in Layer 2 menu on EWC? The VLANs defined in the Flex config are properly configured in the Policy-Profiles for each SSID.

Maybe you were right and I somehow have tags applied (or configured) incorrectly? Do you have any idea where there may be an error?

When I use the config checker I don't see any major errors, nothing related to VLANs or Flex.


Hard to say without seeing your entire config and "show ap tag summ".

Defining VLANs in the flex profile is not essential unless you want to use VLAN names. You can use the VLAN ID (number) in the WLAN profile without any flex definition of the VLAN and it will just work.

Have you checked your switch port config?

I would try to validate the VLANs on the switch. An example would be to create an access port in VLAN 3 and an access port in VLAN 10 on the switch the AP is connected to. Then connect your laptop to each port and validate that you get the right DHCP address. If not, then you might not be spanning the VLANs, thus getting dropped in the native VLAN.

-Scott
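As an added example, not code from any poster in this thread, the following Python script automates the kind of cross-check Rich and Scott describe: it parses a constructed IOS trunk stanza for the AP-facing switchport and compares it against a constructed policy-profile-to-VLAN map, flagging any SSID VLAN the trunk does not carry (the switch silently discards frames tagged with a VLAN that is not in the allowed list), a native VLAN that does not match the management VLAN, and an SSID that shares the native VLAN. The interface name, profile names and VLAN numbers are assumptions chosen to mirror the thread's VLAN 2/3/10 layout, with VLAN 10 deliberately left off the trunk to reproduce the symptom.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed IOS switchport config for the AP-facing port. Example input only,
# not configuration from the thread; VLAN 10 is deliberately missing from the trunk.
SWITCHPORT_CONFIG = """\
interface GigabitEthernet1/0/10
 description 9130AXI EWC uplink
 switchport mode trunk
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2,3
 spanning-tree portfast trunk
"""

# Constructed EWC policy-profile -> VLAN assignment (hypothetical profile names).
POLICY_PROFILE_VLANS: Dict[str, int] = {"guest-policy": 3, "employee-policy": 10}
MGMT_VLAN = 2  # VLAN carrying the AP/EWC management address (untagged on the trunk)


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '2,3,10-12' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_trunk(config: str) -> dict:
    """Extract mode, native VLAN and allowed VLAN set from one interface stanza.

    'allowed' is None when no restriction is configured (IOS default: all VLANs).
    """
    mode: Optional[str] = None
    native = 1  # IOS default native VLAN
    allowed: Optional[Set[int]] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"switchport mode (\S+)", line)
        if m:
            mode = m.group(1)
            continue
        m = re.match(r"switchport trunk native vlan (\d+)", line)
        if m:
            native = int(m.group(1))
            continue
        m = re.match(r"switchport trunk allowed vlan (add |remove )?(.+)", line)
        if m:
            verb, spec = m.group(1), m.group(2).strip()
            if spec == "all":
                allowed = None
            elif verb is None:
                allowed = parse_vlan_list(spec)
            elif verb.strip() == "add":
                allowed = (allowed or set()) | parse_vlan_list(spec)
            else:
                allowed = (allowed or set()) - parse_vlan_list(spec)
    return {"mode": mode, "native": native, "allowed": allowed}


def vlan_carried(trunk: dict, vlan: int) -> bool:
    """True if the trunk forwards frames for this VLAN."""
    return trunk["allowed"] is None or vlan in trunk["allowed"]


def check(trunk: dict, profiles: Dict[str, int], mgmt_vlan: int) -> List[str]:
    """Return one finding per mismatch between the switchport and the EWC policy profiles."""
    findings: List[str] = []
    if trunk["mode"] != "trunk":
        findings.append("port is not explicitly in trunk mode; tagged SSID traffic cannot leave the AP")
    if trunk["native"] != mgmt_vlan:
        findings.append(
            f"native VLAN {trunk['native']} differs from management VLAN {mgmt_vlan}; "
            "untagged AP/EWC traffic lands in the wrong VLAN"
        )
    for name, vlan in sorted(profiles.items()):
        if not vlan_carried(trunk, vlan):
            findings.append(
                f"{name}: VLAN {vlan} is not allowed on the trunk; "
                f"locally switched client frames tagged {vlan} are discarded by the switch"
            )
        elif vlan == trunk["native"]:
            findings.append(
                f"{name}: VLAN {vlan} is the native VLAN; client frames go untagged and share the management VLAN"
            )
    return findings


if __name__ == "__main__":
    for finding in check(parse_trunk(SWITCHPORT_CONFIG), POLICY_PROFILE_VLANS, MGMT_VLAN):
        print("FINDING:", finding)
```

Feed it the real `show running-config interface <ap-port>` stanza and the VLAN column from `show wireless profile policy detailed <name>` to reproduce the check against a live setup; an empty findings list means the trunk carries every SSID VLAN and the native VLAN matches management, so the next place to look is the tag assignment from `show ap name <ap-name> tag detail`.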