02-05-2024 08:58 AM
I've recently inherited a 9800-CL WLC with a somewhat questionable configuration. It seems to be working as expected; however, reviewing the Syslog shows regular repeated errors. The error in question is:
%CLIENT_EXCLUSION_SERVER-5-ADD_TO_EXCLUSIONLIST_REASON_DYNAMIC: Chassis 1 R0/0: wncmgrd: Client MAC: dcb5.XX was added to exclusion list associated with AP Name:AP013, BSSID:MAC: 84f1.XX, reason:Wrong PSK
I'm seeing these appear about once per minute or more. The error is thrown repeatedly for the same device every few minutes; it appears with a decent number of devices causing the error while on-site. Oddly enough, there haven't been any reported issues with disconnects or failure to connect. From what I've found, based on the MAC address, every device being reported is an Apple device, almost certainly an iPhone that is issued to users. Is there any specific configuration that may have been misconfigured that might cause this issue? Any ideas would be greatly appreciated.
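One way to triage the repeated exclusion messages described in the post above, added here as an example that is not part of the original thread: it groups Wrong PSK exclusions by client and reports how often, and on which APs, each client is excluded. The timestamp and hostname prefix, the sample MAC addresses and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Message body as quoted in the post. The leading ISO 8601 timestamp and
# hostname are assumptions about how the syslog collector stores each line.
PATTERN = re.compile(
    r"^(?P<ts>\S+) .*%CLIENT_EXCLUSION_SERVER-5-ADD_TO_EXCLUSIONLIST_REASON_DYNAMIC:"
    r".*Client MAC: (?P<client>[0-9a-f.]+) was added to exclusion list"
    r" associated with AP Name:(?P<ap>[^,]+), BSSID:MAC: (?P<bssid>[0-9a-f.]+),"
    r" reason:(?P<reason>.+)$",
    re.IGNORECASE,
)

def _line(ts, client, ap):
    """Build one constructed sample line in the format quoted in the post."""
    return (f"{ts} wlc1 %CLIENT_EXCLUSION_SERVER-5-ADD_TO_EXCLUSIONLIST_REASON_DYNAMIC: "
            f"Chassis 1 R0/0: wncmgrd: Client MAC: {client} was added to exclusion list "
            f"associated with AP Name:{ap}, BSSID:MAC: 0200.5e10.00a0, reason:Wrong PSK")

# Constructed sample input; MACs are made-up locally administered addresses.
SAMPLE = [
    _line("2024-02-05T08:00:05", "0200.5e00.0001", "AP013"),
    _line("2024-02-05T08:01:40", "0200.5e00.0002", "AP013"),
    "2024-02-05T08:02:00 wlc1 unrelated message (constructed)",
    _line("2024-02-05T08:03:10", "0200.5e00.0001", "AP014"),
    _line("2024-02-05T08:06:05", "0200.5e00.0001", "AP013"),
    _line("2024-02-05T08:09:20", "0200.5e00.0001", "AP013"),
]

def summarize(lines, reason="Wrong PSK", min_events=3):
    """Return clients excluded at least min_events times for the given reason."""
    events = defaultdict(list)
    for line in lines:
        m = PATTERN.match(line.strip())
        if m and m["reason"].strip() == reason:
            events[m["client"].lower()].append((datetime.fromisoformat(m["ts"]), m["ap"]))
    report = []
    for client, seen in events.items():
        if len(seen) < min_events:
            continue
        times = sorted(t for t, _ in seen)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report.append({"client": client, "oui": client.replace(".", "")[:6],
                       "events": len(seen), "aps": sorted({ap for _, ap in seen}),
                       "median_gap_s": median(gaps) if gaps else None})
    return sorted(report, key=lambda r: r["events"], reverse=True)
```

A short, regular gap for the same client across several APs points to a device retrying automatically rather than a person mistyping the key.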
02-12-2024 05:58 AM
Currently running 17.8.1
02-12-2024 06:48 AM
Cisco IOS XE 17.8.1 is a short-lived release with no MRs planned. For all features and hardware supported starting 17.8.1, you are recommended to use 17.9.4 + SMU_CSCwh87343 + APSP (as needed) OR 17.9.4a + APSP (as needed).
I would upgrade WLC to stable 17.9.4a code to make sure I'm not hitting any bugs.
Jagan Chowdam
/**Please rate helpful responses**/
08-10-2024 08:40 PM - edited 08-10-2024 08:45 PM
@CARL90- Did you find a resolution to this? I'm having the same issue with some older Paciolan-supplied ticket scanners after moving APs from 8540 to 9800. It's only an issue with these specific scanners. Newer Android-based scanners and my iPhone are able to connect, so I know that the PSK, VLAN, etc. are configured correctly. I did try enabling fast transition with "PSK" and "FT-PSK" as mentioned in another thread with no luck.
We attempted the 9800 migration with 17.9.4 last summer, and we opted to move the needed APs back to the 8540 to get through the school year. We're trying again and it continues on 17.9.5 APSP5. As soon as we move the APs back to the 8540, the scanners connect successfully.
From the debug analyzer:
2024/08/10 22:03:34.524 | dot11 | Association success for client, assigned AID is: 2. Client performed fast roam. |
2024/08/10 22:03:34.540 | client-keymgmt | Could not validate MIC received in M2 message |
2024/08/10 22:03:34.540 | client-keymgmt | Fast roam key validation failure on M2 |
2024/08/10 22:03:35.539 | client-keymgmt | Could not validate MIC received in M2 message |
2024/08/10 22:03:35.539 | client-keymgmt | Fast roam key validation failure on M2 |
2024/08/10 22:03:36.557 | client-keymgmt | Could not validate MIC received in M2 message |
2024/08/10 22:03:36.557 | client-keymgmt | Fast roam key validation failure on M2 |
2024/08/10 22:03:37.536 | client-keymgmt | Reached maximum retries for M1 |
2024/08/10 22:03:37.536 | client-orch-sm | Controller initiated client deletion with code: CO_CLIENT_DELETE_REASON_EXCLUDE_WRONG_PSK. Explanation: Client excluded due to wrong PSK password. Actions: Check PSK configuration on client |
08-10-2024 11:56 PM
This is beginning to look like CSCvz96924.
08-15-2024 07:01 AM
I don't know if that's the issue since the AP had just rebooted as part of the controller move/code upgrade.
08-11-2024 04:52 PM
Presume you've tried obvious things like a different PSK - change/remove special characters, shorten the length of the string, etc.?
08-15-2024 07:11 AM - edited 08-15-2024 07:20 AM
@Rich R- Thanks, good thoughts. The PSK is 48 characters with only numbers and letters. I thought it might be an issue with inputting to the tiny box in the GUI, so I tried with CLI instead with no luck. And, it does work with other devices. Maybe I'll give shortening it a try, though that would require a lot of coordination with the users as there are a couple dozen of these devices.
This brings me back to something that a Wyebot sensor informed me about a while back when we were testing it. We inadvertently had one of several APs on an 8540 instead of a 9800 in the room the Wyebot was in, and the Wyebot warned about a discrepancy in encryption/security between the same SSID broadcasted between the 8540 AP and the 9800 APs, even though they both had identical configuration on both WLCs, and no clients (that I'm aware of) have an issue connecting to the SSID on either controller, except these ticket scanners on the 9800s. The discrepancy was between WPA2-Enterprise SSIDs and not WPA2-Personal, but perhaps that difference applies to Personal as well. Unfortunately, I no longer have access to the Wyebot to see if the difference applies to PSK SSIDs and what exactly the discrepancy was. Thought I'd bring this up in case anyone else knows anything more about this discrepancy.