Solved: 9800-40/80 17.15.4 drops all MDNS advertisements

jasonm002 · ‎08-29-2025

9800-40/80 17.15.4 running local MDNS gateway drops all MDNS advertisements, services are being learned and cached correctly from wired sources but advertisements are always being dropped before they go out to clients. Can observe this happening in mdns trace logs after setting mdns trace level to verbose for wncd of interest, looks like it's failing to inject the MDNS packet for delivery by the hardware -or- in some specific configurations it's thinking that it's receiving an AAA override for mdns profile which it is verifiably not.

I have a TAC case open, but anyone else experiencing this or able to verify? Worked in 17.12.4, broken in 17.15.4. There was a behavior change in release notes involving SVIs for mdns services learned from wired hosts but I tried removing the SVI -- no change.

Saikat Nandy · ‎09-07-2025

Further update - we have removed both affected codes 17.15.4 nd 17.12.6 from CCO. We are working on new codes which will take some time. For the time being fall back to 17.15.3 or 17.12.5

View solution in original post

MHM Cisco World · ‎08-29-2025

mDNS what is relate to AAA?

mDNS server is connect to same vlan of wifi client?

MHM

MHM Cisco World · ‎08-30-2025

Show mdns-sd cache <<- I need to see output of this

MHM

Mark Elsen · ‎08-29-2025

- @jasonm002 Possible cause : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh37134

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

trapasso · ‎08-30-2025

Hello,

I have the exact same thing happening. Thursday evening I upgrade from 17.12.5 to 17.15.4. Friday morning I received a complain for a lab which used mdns no working. Glad I too the chance to do general search on the internet on this problem.

The lab does not have any wired components. It is just an isolated SSID on a separate vlan running mdns, all devices are wireless. Thursday the lab was working fine, Friday the devices cannot discover the other devices advertisements.

I opened a TAC case late Friday but I will be escalating since this lab equipment is part of University program and the term is starting next week.

If you want to share your TAC case I will share mine and maybe we can get our Engineers to talk.

jasonm002 · ‎08-31-2025

Hey can you try adding an SVI for that SSID's VLAN? I'm seeing this in MDNS traces on the WNCDs, looks like there was a behavior change in 17.15 related to this, wondering if it solves the problem if you try (in order):

1) just configure an SVI at all for that SSID's VLAN and shut it down

2) configure a valid IPV4 address for that SSID's VLAN and unshut it

3) configure valid mdns-sd gateway service policy on that SSID's SVI

seen in traces if you set mdns tracing level to verbose and then do an RA trace with "internal" enabled for a client:

(verbose): fetching src vlan for pref vlan 670

(ERR): Invalid bidb handle for vlan: 670

(debug): SVI IPv4 address not present for vlan 670, falling to default src intf

(verbose): src vlan 600 of default src intf as no mdns src intf or SVI

(ERR): L2_INJECT: Could not find client role for client :f6a1.707e.4055 <-- seems to be not the reason for the failure in my testing

(ERR): False from ioctl : lfts

(ERR): Unable to inject mdns packet

MHM Cisco World · ‎08-31-2025

Show vlan breif

If vlan 670 not seeing add it by below

vlan 670
name VLAN670

trapasso · ‎08-31-2025

Hi

Thanks for your suggestion. In my case I already had the SVI configured for the vlan with mDNS.

MHM Cisco World · ‎08-31-2025

The SVI can config but you need to make sure the vlan and SVI is UP

Remember you do reboot after upgrading so it can vlan db is remove

MHM

jasonm002 · ‎08-31-2025

I tried on a PSK WLAN on my end and created the SVI for that VLAN (671), gave it an IP, made sure it was up, and I also tried configuring the source-interface for mdns-sd gateway as WMI (Vlan600) globally, in each case the mdns trace with verbose level shows:

2025/08/31 14:04:55.456538587 {wncd_x_R0-0}{2}: [mdns] [20948]: (verbose): src vlan id 600 of src intf configured
2025/08/31 14:04:55.456539254 {wncd_x_R0-0}{2}: [mdns] [20948]: (verbose): Source IP4=10.3.20.4
2025/08/31 14:04:55.456541028 {wncd_x_R0-0}{2}: [mdns] [20948]: (ERR): L2_INJECT: Could not find client role for client :<mac>
2025/08/31 14:04:55.456543170 {wncd_x_R0-0}{2}: [mdns] [20948]: (ERR): False from ioctl : lfts
2025/08/31 14:04:55.456543482 {wncd_x_R0-0}{2}: [mdns] [20948]: (ERR): Unable to inject mdns packet

and

8/31 13:46:53.752760085 {wncd_x_R0-0}{2}: [mdns] [20948]: (verbose): fetching src vlan for pref vlan 671
2025/08/31 13:46:53.752761283 {wncd_x_R0-0}{2}: [mdns] [20948]: (verbose): src vlan id 671 of SVI for IPv4
2025/08/31 13:46:53.752762002 {wncd_x_R0-0}{2}: [mdns] [20948]: (verbose): Source IP4=10.4.119.254
2025/08/31 13:46:53.752766097 {wncd_x_R0-0}{2}: [mdns] [20948]: (ERR): L2_INJECT: Could not find client role for client : <mac>
2025/08/31 13:46:53.752769970 {wncd_x_R0-0}{2}: [mdns] [20948]: (ERR): False from ioctl : lfts
2025/08/31 13:46:53.752770498 {wncd_x_R0-0}{2}: [mdns] [20948]: (ERR): Unable to inject mdns packet

so it is complaining about client role, maybe the issue is it's triggering a code path for AAA override for MDNS inappropriately. I tried having AAA server send cisco-av-pair=role=something and in that case it STILL fails, but in that case it thinks it should receive an AAA override for mdns-sd policy which it does not receive because I don't want to do mdns-sd policy from AAA server, so AAA server never sends it.

MHM Cisco World · ‎08-31-2025

https://bst.cisco.com/quickview/bug/CSCwd59093

Check this bug

Use workaround of this bug

MHM

Rich R · ‎08-31-2025

That's the same advice as in the link I provided @MHM Cisco World

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

trapasso · ‎09-02-2025

So just an update.
I worked with Cisco TAC today and it looks like a bug may have been discovered.
So a change in behavior was documented in the release notes between 17.15.3 and 17.15.4. even going through all the troubleshooting was not able to resolve the issue.
Rolling back to 17.15.3 and hoping mdns behaves. If not tomorrow night 17.12.5.

jasonm002 · ‎09-02-2025

Thanks. What bug did TAC think it was, or are they creating a new one?

To everyone else: I don't think it's CSCwd59093 because I already have multicast link-local disabled.

trapasso · ‎09-02-2025

They should be creating a new bug and I will post when I get the bug #