ACL Issue on 9800CL

bryanavl
Frequent Visitor

I am working with a 9800CL WLC running 17.15.4d. I am having an issue with clients not connecting whenever I apply my ACL. So for troubleshooting I have created a very simple PSK WLAN and am applying the ACL via the default-policy-profile.

Extended IP access list:  ACLONE
20 permit udp any any eq bootps
30 permit udp any any eq domain
40 permit ip any any
50 permit udp any any eq bootpc

I have tried two different client devices with the same result. On the client side they give an error message when trying to connect. As soon as I remove the ACL from the policy profile, the two clients connect with no issues. I have captured a radioactive trace client log both with the ACL and without the ACL.

I show in the log file with failure (with acl) the following message:

2026/05/05 13:01:46.890544779 {wncd_x_R0-0}{1}: [sanet-shim-translate] [15821]: (ERR): c0b5.d735.f027 : Policy resolution failure in sanet, code = 2, ACL Failure

Not sure why the ACL is failing. I am attaching the radioactive trace log file. Timestamp 13:01 is with the ACL and timestamp 13:09 is without the ACL. Any help would be greatly appreciated!

20 Replies

aleabrahao
Meraki Community All-Star

@bryanavl 

Looking more closely, I don't believe it's a problem with the ACL itself, but it might be something related to the Flex profile.

Try adding the ACL to the Policy ACL of your Flex profile.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Devendra Jadeja
Cisco Employee

@bryanavl, can you create one test ACL with permit any any and test it? As you mentioned, when you removed the ACL from the policy profile it works fine, so I just want to make sure there is no issue with the ACL rule sequence and ACL name.

I can't see how that ACL can affect the client connections, because your ACL has a permit ip any any, which is basically the same as not applying an ACL at all. Please share screenshots of the relevant configs on the WLC and where you applied that ACL for review.

@bryanavl, after reviewing the tech-support I can see:

FlexConnect local switching is the issue: traffic is switched at the AP, so the ACL must be pre-provisioned on the AP via the flex profile.

Fix -> add acl-policy ACLONE under wireless profile flex default-flex-profile to provision the ACL on the AP, and ipv4 acl ACLONE under wireless profile policy default-policy-profile to enforce it on connecting clients.

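The mismatch diagnosed in the reply above (an ACL applied in a locally switched policy profile that no flex profile provisions on the AP) is easy to check for in a saved running-config. The script below is an added example, not code from any participant in this thread or from Cisco: it parses the `wireless profile policy` and `wireless profile flex` blocks of a 9800 running-config, and for every `ipv4 acl` applied in a profile configured with `no central switching` it reports any flex profile that lacks a matching `acl-policy` line, plus any ACL name that is not defined at all. The sample config fragments are constructed for the example. One simplification is assumed: the flex profile an AP actually uses is selected by its site tag, which the script does not resolve, so it conservatively requires the ACL in every flex profile.

```python
import re

# Constructed sample running-config fragment (not taken from the thread). It
# reproduces the broken state: ACLONE is applied in a locally switched policy
# profile, but the flex profile does not provision it on the AP.
SAMPLE_BROKEN = """\
ip access-list extended ACLONE
 20 permit udp any any eq bootps
 30 permit udp any any eq domain
 40 permit ip any any
 50 permit udp any any eq bootpc
!
wireless profile flex default-flex-profile
 description "default flex profile"
!
wireless profile policy default-policy-profile
 no central switching
 ipv4 acl ACLONE
 no shutdown
!
wireless profile policy central-profile
 ipv4 acl ACLONE
 no shutdown
!
"""

# The fix from the thread: provision the same ACL under the flex profile.
SAMPLE_FIXED = SAMPLE_BROKEN.replace(
    "wireless profile flex default-flex-profile\n",
    "wireless profile flex default-flex-profile\n acl-policy ACLONE\n",
)


def parse_blocks(config):
    """Group an IOS-XE running-config into {top-level line: [child lines]}.

    A top-level command is unindented; its children are the indented lines
    that follow it, up to the next unindented line or a '!' separator.
    """
    blocks = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
            continue
        if raw[0] != " ":
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def check_flex_acl_provisioning(config):
    """Return a list of human-readable findings; empty means consistent."""
    blocks = parse_blocks(config)
    defined_acls = set()
    flex_acls = {}  # flex profile name -> set of ACLs listed under acl-policy
    for header, children in blocks.items():
        m = re.match(r"ip access-list (?:extended|standard) (\S+)$", header)
        if m:
            defined_acls.add(m.group(1))
            continue
        m = re.match(r"wireless profile flex (\S+)$", header)
        if m:
            flex_acls[m.group(1)] = {
                c.split()[1] for c in children if c.startswith("acl-policy ")
            }

    findings = []
    for header, children in blocks.items():
        m = re.match(r"wireless profile policy (\S+)$", header)
        if not m:
            continue
        profile = m.group(1)
        # Running-config shows 'no central switching' when local switching is on.
        local_switching = "no central switching" in children
        acls = [c.split()[2] for c in children if re.match(r"ipv4 acl \S+$", c)]
        for acl in acls:
            if acl not in defined_acls:
                findings.append(f"{profile}: ipv4 acl {acl} is not defined on the WLC")
            if not local_switching:
                continue  # centrally switched: the WLC enforces the ACL itself
            if not flex_acls:
                findings.append(f"{profile}: local switching with ipv4 acl {acl} "
                                "but no flex profile exists to provision it")
            for flex, provisioned in flex_acls.items():
                if acl not in provisioned:
                    findings.append(
                        f"{profile}: ipv4 acl {acl} is applied with local switching "
                        f"but flex profile {flex} has no 'acl-policy {acl}'")
    return findings


if __name__ == "__main__":
    for finding in check_flex_acl_provisioning(SAMPLE_BROKEN):
        print("FINDING:", finding)
    print("after fix:", check_flex_acl_provisioning(SAMPLE_FIXED) or "clean")
```

Run it against the output of `show running-config` saved to a file; a clean result only means the ACL is provisioned where local switching needs it, not that the ACL contents are correct.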
bryanavl
Frequent Visitor

@Devendra Jadeja 

I just created an ACL 'TestPermitAll' which is permit ip any any. This still gives the same result (the client is not able to connect when TestPermitAll is applied).

Something I just discovered:

If I apply this same ACL "TestPermitAll" to an open-security WLAN, then the client is able to connect. However, when using a WLAN with WPA2 PSK for security, it does not allow the client to connect with the ACL applied.

I am attaching screenshots for more detail.

thank you!

bryanavl
Frequent Visitor

I was set to local switching and did not have the ACL built out properly in the FlexConnect configuration. Thanks for all the help!!
