2464 Views | 3 Helpful | 20 Replies

ACL Issue on 9800CL

bryanavl
Frequent Visitor

I am working with a 9800-CL WLC running 17.15.4d. I am having an issue with clients not connecting whenever I apply my ACL. So for troubleshooting I have created a very simple PSK WLAN and am applying the ACL via the default-policy-profile.

Extended IP access list:  ACLONE
20 permit udp any any eq bootps
30 permit udp any any eq domain
40 permit ip any any
50 permit udp any any eq bootpc

I have tried two different client devices with the same result. On the client side they give an error message when trying to connect. As soon as I remove the ACL from the policy profile the two clients connect with no issues. I have captured a radioactive trace client log both with the ACL and without the ACL.

I show in the log file with failure (with acl) the following message:

2026/05/05 13:01:46.890544779 {wncd_x_R0-0}{1}: [sanet-shim-translate] [15821]: (ERR): c0b5.d735.f027 : Policy resolution failure in sanet, code = 2, ACL Failure

 

Not sure why the ACL is failing. I am attaching the radioactive trace log file. Timestamp 13:01 is with the ACL and timestamp 13:09 is without the ACL. Any help would be greatly appreciated!

 

3 Accepted Solutions

@bryanavl after the tech support I can see:
FlexConnect local switching is the issue — traffic is switched at the AP, so the ACL must be pre-provisioned on the AP via the flex profile.

Fix -> add acl-policy ACLONE under wireless profile flex default-flex-profile to provision the ACL on the AP, and ipv4 acl ACLONE under wireless profile policy default-policy-profile to enforce it on connecting clients.

 


aleabrahao
Meraki Community All-Star

@bryanavl 

 

Looking more closely, I don't believe it's a problem with the ACL itself, but it might be something related to the Flexprofile.

Try adding the ACL to the Policy ACL of your Flexprofile.

 

[screenshot: aleabrahao_1-1778069498989.png]

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.


bryanavl
Frequent Visitor

I was set to local switching and did not have the ACL built out properly in the FlexConnect configuration. Thanks for all the help!!

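The accepted solution pulled together as one configuration, as an added example that is not from the original thread or from Cisco. It assumes the thread's default profile names (default-flex-profile, default-policy-profile) and the ACL body posted later in this thread (DHCP permitted in both directions, permit ip any any as the last line). The client MAC in the last show command is a placeholder. Because the WLAN is locally switched, the ACL has to exist on the AP (flex profile) before the policy profile can enforce it; applying it only on the policy profile is what produced the "Policy resolution failure in sanet ... ACL Failure" message in the question.

```ios
! --- 1. The ACL on the 9800 (body taken from the corrected ACL in this thread) ---
! Order matters: permit ip any any must be last, otherwise every line after it
! is shadowed and never evaluated.
ip access-list extended ACLONE
 10 permit udp any eq bootpc any eq bootps
 20 permit udp any eq bootps any eq bootpc
 30 permit udp any any eq domain
 40 permit tcp any any eq domain
 50 permit ip any any
!
! --- 2. FlexConnect local switching: pre-provision the ACL on the AP ---
! acl-policy pushes the named ACL to every AP that uses this flex profile.
wireless profile flex default-flex-profile
 acl-policy ACLONE
!
! --- 3. Policy profile: enforce the ACL on connecting clients ---
! A policy profile must be shut down before it can be edited.
! "no central switching" is shown for completeness; the poster already had
! local switching enabled (assumption: nothing else in the profile changes).
wireless profile policy default-policy-profile
 shutdown
 no central switching
 ipv4 acl ACLONE
 no shutdown
!
! --- 4. Verification (standard 9800 show commands) ---
! Confirm the ACL body and sequence order on the controller:
show ip access-lists ACLONE
! Confirm the ACL is listed under the flex profile (AP side):
show wireless profile flex detailed default-flex-profile
! Confirm the ACL is bound to the policy profile (client side):
show wireless profile policy detailed default-policy-profile
! After a client joins, confirm the applied IPv4 ACL on that client
! (replace the MAC with the client under test):
show wireless client mac-address c0b5.d735.f027 detail
```

If the ACL is later renamed, both the flex profile and the policy profile need the new name; an ACL referenced in only one of the two is the same mismatch the accepted solution describes.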

20 Replies

@bryanavl the problem is permit ip any any ... u must move this line to the very end of ur ACL, or u can use permit ip any any only after the client has successfully transitioned to Run state.

aleabrahao
Meraki Community All-Star

IOS-XE requires explicit bidirectional DHCP rules with correct source/destination ports.

 

Try this configuration.

ip access-list extended ACLONE
10 permit udp any eq bootpc any eq bootps
20 permit udp any eq bootps any eq bootpc
30 permit udp any any eq domain
40 permit tcp any any eq domain
50 permit ip any any

 

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

bryanavl
Frequent Visitor

I tried both of the above suggestions and still getting the same result.

The Windows PC states "cannot connect".
The iPhone states "incorrect password".

aleabrahao
Meraki Community All-Star

The ACL wouldn't affect the password issue; at most, you might connect but not be able to receive an IP address or not be able to resolve DNS.

Could you send a screenshot of where you're applying it in the profile?

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

aleabrahao
Meraki Community All-Star

I personally don't use ACLs directly on server 9800 except for the Guest portal.

But it seems something is failing in the onboarding process.

Try this ACL.

 

ip access-list extended ACLONE
5 permit eapol any any
10 permit arp any any
20 permit udp any eq bootpc any eq bootps
30 permit udp any eq bootps any eq bootpc
40 permit udp any any eq domain
50 permit tcp any any eq domain
60 permit ip any any

But I really recommend that you debug the client to see which process is causing the failure.

 

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

bryanavl
Frequent Visitor

Thank you for digging deeper. See screenshots.

@bryanavl this confirms what I'm saying... move ur permit ip any any to the bottom of the list, then verify the ACL name matches the Policy Profile's Ingress/Egress filter settings.

bryanavl
Frequent Visitor

@Stefan Mihajlov I made the change to the ACL per your recommendation and verified it is being used on the policy profile. I am still getting the same result (client will not connect).

aleabrahao
Meraki Community All-Star

Hi @bryanavl,

 

Have you tested this?

 

ip access-list extended ACLONE
5 permit eapol any any
10 permit arp any any
20 permit udp any eq bootpc any eq bootps
30 permit udp any eq bootps any eq bootpc
40 permit udp any any eq domain
50 permit tcp any any eq domain
60 permit ip any any

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

aleabrahao
Meraki Community All-Star

Could you also collect these logs?

 

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/215523-quick-start-guide-on-what-logs-and-debug.html#toc-hId-748860550

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

@bryanavl rewrite ACLTHREE so that DHCP rules (Sequence 10 & 30) have "any" for both source and destination ports.. if not.. do show tech support 🙂

bryanavl
Frequent Visitor

@aleabrahao answering your question. I tried an ACL similar to your recommendation, however I was not able to explicitly allow ARP and EAPOL in the IP access list. See the image of the actual ACL I tried. The client failed when I tried this.

I will collect the logs and post

 

 

@bryanavl if you want, send me a PM with the

show tech-support

bryanavl
Frequent Visitor

The radioactive trace files have been attached up above.

I am attaching the embedded capture (pcap). Looking through it shows the client repeatedly gets deauthed when the ACL is applied to the policy profile.

 
