Solved: 9800 ARP

yuricyrino · ‎01-22-2025

Hello ALL
Morning
We are facing many disconections from clients, all points to Windows behaviour, but double checking this kind of log was identified in 9800 logging.

Have you guys faced this issue before?

WLC#show logging | i 28a0.6bXXXXXX
Jan 22 11:42:14.632: %SISF-4-EXCESS_ARP_ACTIVITY: Chassis 1 R0/3: wncd: Excessive ARP activity detected for the client 28a0.6bXXXXXX. client is brought down and added to the exclusion list
Jan 22 11:42:14.633: %CLIENT_EXCLUSION_SERVER-5-ADD_TO_EXCLUSIONLIST_REASON_DYNAMIC: Chassis 1 R0/0: wncmgrd: Client MAC: 28a0.6bXXXXXX was added to exclusion list associated with AP Name:XXXXX, BSSID:MAC: XXXXX, reason:Excessive ARP activity

Update: APs are running as Local Mode, using inteface on /23 subnet

yuricyrino · ‎01-24-2025

Hello All

Thanks for the tips.
We identified an behaviour in a software named Adaptiva, that is responsible for Windows Updates inside the company, the application downloads the patches from a central location. The distribution happens P2P betwen neighbors computers, the discovering process use ARP.
The appication was configured to seach in a /20 subnet 4096 IPs to perform ARP.
After a change to /24 subnet 256 IPs, there is no issues reported anymore.

In my point of view, we need do create a kind os assignature to classify the application to not identify like a theath.

9800#show wireless wps summary
Client Exclusion Policy
Excessive 802.11-association failures : Enabled
Excessive 802.1x-authentication : Enabled
Mac and IP-theft : Enabled
Excessive Web authentication failure : Enabled
Failed Qos Policy : Enabled
Excessive NDP Activity : Enabled
Excessive ARP Activity : Enabled

Management Frame Protection
Global Infrastructure MFP state : Enabled
AP Impersonation detection : Enabled
Key refresh interval : 24

View solution in original post

marce1000 · ‎01-22-2025

- What software version is the 9800 controller running ?

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

yuricyrino · ‎01-22-2025

Hello
Here is the version

#sh ver
Cisco IOS XE Software, Version V1712_4_ESW13
Cisco IOS Software [Dublin], C9800 Software (C9800_IOSXE-K9), Version 17.12.4, C UST-SPECIAL:V1712_4_ESW13
This software is supported for a limited time under special agreement with Cisco Systems, Inc. ESW13
Copyright (c) 1986-2024 by Cisco Systems, Inc.
Compiled Thu 21-Nov-24 09:34 by mcpre

Rich R · ‎01-22-2025

Well 17.12.4 ESW13 is fully up to date so that's good.

So check out the other things I mentioned below in my previous reply.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Rich R · ‎01-22-2025

First make sure your software version is up to date as per the TAC recommended list (link below).

Then make sure you have ARP proxy configured as per best practice guide:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#AddressResolutionProtocolARPproxy

Also make sure the Windows wireless drivers are up to date. If using Intel see:
https://www.intel.com/content/www/us/en/download/19351/intel-wireless-wi-fi-drivers-for-windows-10-and-windows-11.html

And finally check your WLC config with the Config Analyzer (link below) for any other possible issues.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

MHM Cisco World · ‎01-22-2025

No more PM promise you.

I am so respect you and Mr @marce1000 .

Have a nice day.

MHM

MHM Cisco World · ‎01-22-2025

client is brought down and added to the exclusion list <<- check why client is add to exclusion' moslty it casue by mismatch of re-auth timer and/or aaa server

MHM

Rich R · ‎01-22-2025

@MHM Cisco World The log already tells us the answer: reason:Excessive ARP activity

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

MHM Cisco World · ‎01-22-2025

Exclusion reason are

1- authc failure

2- IP-theft

I.e. there is no mention about arp rate led to exclusion.

He need to check authc failure if not

Then he will check ip theft'

Cisco recommends to reduce idle timeout of ssid to solve complicate of ip theft

MHM

Rich R · ‎01-22-2025

9800#show wireless wps summary
Client Exclusion Policy
Excessive 802.11-association failures : Disabled
Excessive 802.1x-authentication : Enabled
Mac and IP-theft : Enabled
Excessive Web authentication failure : Disabled
Failed Qos Policy : Enabled
Excessive NDP Activity : Enabled
Excessive ARP Activity : Enabled

But ARP seems to be always on by default because it is not configurable:
9800(config)#wireless wps client-exclusion ?
all Configure response to all of these events
dot11-assoc Configure response to excess 802.11 association failures
dot1x-auth Configure response to excess 802.1x credential failures
dot1x-timeout Configure response to excess 802.1x authentication timeout
ip-theft Configure response to IP theft or re-use
web-auth Configure response to excess web authentication failures

but it's definitely a whole lot more than just IP theft and auth failure <wink>

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

MHM Cisco World · ‎01-22-2025

He can more clarify reason by do

Show wireless exclusionlist <<- check if it ip theft or arp

MHM

Rich R · ‎01-22-2025

and:
9800#show wireless exclusionlist client mac-address 28a0.6ba9.c21b
but I expect that will just show exactly what the logs already say.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

yuricyrino · ‎01-24-2025

Hello All

Thanks for the tips.
We identified an behaviour in a software named Adaptiva, that is responsible for Windows Updates inside the company, the application downloads the patches from a central location. The distribution happens P2P betwen neighbors computers, the discovering process use ARP.
The appication was configured to seach in a /20 subnet 4096 IPs to perform ARP.
After a change to /24 subnet 256 IPs, there is no issues reported anymore.

In my point of view, we need do create a kind os assignature to classify the application to not identify like a theath.

9800#show wireless wps summary
Client Exclusion Policy
Excessive 802.11-association failures : Enabled
Excessive 802.1x-authentication : Enabled
Mac and IP-theft : Enabled
Excessive Web authentication failure : Enabled
Failed Qos Policy : Enabled
Excessive NDP Activity : Enabled
Excessive ARP Activity : Enabled

Management Frame Protection
Global Infrastructure MFP state : Enabled
AP Impersonation detection : Enabled
Key refresh interval : 24

Rich R · ‎01-24-2025

Another badly designed application written by a developer that doesn't understand networks! <sigh>

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

MHM Cisco World · ‎01-25-2025

You are so welcome,

Thanks for update us

Have a nice weekend

MHM