After 2-3 hours users are unable to access the internet - WLC9800+ISE

Scott12
Level 1

Dear Community,

I'm struggling with this strange case. We have deployed a new WLC 9800 in our company and the migration is going well so far, but now the users are complaining that they are experiencing disconnection from the corporate SSID: they are unable to get internet access or access other internal web pages, for example the payroll system, SAP and so on.

We noticed that the users still have an IP address and they can ping the default gateway, DHCP servers and other internal services, but the web pages don't display.

The corporate SSID authenticates the users through 802.1x using Cisco ISE. The behavior only occurs on this SSID; the Guest portal and another SSID with PSK are working fine.

Any thoughts?

Some captures 

 

Scott12_0-1681858536163.png

 

Scott12_3-1681858664511.pngScott12_4-1681858681718.png

 

Thank you


Scott Fella
Hall of Fame

The WLAN looks okay, but when you say migration, what do you mean? You have a mix of APs on older controllers and the new 9800s? Need a little more info on what you mean by migration.

Also, did you have Fast Transition enabled on the old setup? You should validate that all settings in the WLAN are the same and don't introduce anything new.

-Scott
*** Please rate helpful posts ***

Hi, 

Looks like you have some direction when you say only the SSID with 802.1x has the problem. Probably user sessions are getting lost at some point, maybe in the migration. It can be related to the NAT table, ARP table or authentication session. Try to disable/enable the SSID and/or reload the AP after hours.

ammahend
VIP

show wireless stats trace-on-failure

This should show you the most common client failure reasons. However, based on your description it does not seem like a wireless issue, something upstream.

Since you are in migration, do you know the last change before the issue started?

-hope this helps-

marce1000
VIP

 

 - Have a checkup review of the WLC 9800 configuration with the CLI command: show tech wireless. Have the output analyzed with: https://cway.cisco.com/wireless-config-analyzer/
 - Check out these tools for analyzing clients: https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Scott12
Level 1

Many thanks for your time in responding to this issue.

Regarding the migration: before, we had a 3506 WLC. We turned off the old WLC and the 2800 series APs; now we are only working with the 9800 WLC and 9100 series APs.
This is odd because we configured the SSID like on the old WLC, and this behavior only happens with the corporate SSID (802.1x auth with ISE).
I will execute the command that you provided.
Another thing: is it possible to get logs regarding these disconnections on the WLC?

You mean you had a 3504 controller? You migrated to a 9800-L or a different model? You should really check if your SSID was exactly the same or not, because what I have seen in the past is that SSIDs that used WPA+WPA2 have changed to just WPA2 with AES. If these are Windows machines that are domain joined or MDM managed, you should review the wireless profile.

If you want to decipher logs, debug the client MAC address and search online for the "Cisco WLC debug analyzer tool". If these are Windows machines, you can look at the netsh wlan show wlanreport. Look that up online for more info and how to run the command on a Windows machine.

-Scott
*** Please rate helpful posts ***
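
Added example, not part of the thread: a PowerShell check of a Windows client's saved WLAN profile against a WLAN that only offers WPA2 with AES, the mismatch described in the reply above. It assumes English-language netsh output; the function name and the SSID CORP-WIFI are placeholders, and the sample profile text is constructed.

```powershell
# Added example, not from the thread. Assumes English-language netsh output.
# 'CORP-WIFI' is a placeholder SSID; the sample text below is constructed.

function Test-WlanProfileSecurity {
    param([Parameter(Mandatory)][string[]]$NetshLines)

    # A profile can list more than one Authentication/Cipher pair, so collect all of them.
    $auth = @(); $cipher = @()
    foreach ($line in $NetshLines) {
        if ($line -match '^\s*Authentication\s*:\s*(\S.*?)\s*$') { $auth += $Matches[1] }
        elseif ($line -match '^\s*Cipher\s*:\s*(\S.*?)\s*$')     { $cipher += $Matches[1] }
    }

    $findings = @()
    if ($auth.Count -eq 0) {
        $findings += 'No Authentication line found (profile missing or non-English output)'
    }
    if ($auth -contains 'WPA-Enterprise') { $findings += 'Profile allows WPA (v1); WLAN is WPA2 only' }
    if ($cipher -contains 'TKIP')         { $findings += 'Profile allows TKIP; WLAN is AES (CCMP) only' }
    if ($auth.Count -gt 0 -and -not ($auth -contains 'WPA2-Enterprise')) {
        $findings += "No WPA2-Enterprise entry (found: $($auth -join ', '))"
    }

    [pscustomobject]@{
        Authentication = $auth
        Cipher         = $cipher
        Findings       = $findings
        Ok             = ($findings.Count -eq 0)
    }
}

# Constructed sample of the "Security settings" part of the netsh profile output.
$sample = @'
Security settings
-----------------
    Authentication         : WPA-Enterprise
    Cipher                 : TKIP
'@ -split "`r?`n"

# Reports three findings for the sample: WPA v1, TKIP, and no WPA2-Enterprise entry.
Test-WlanProfileSecurity -NetshLines $sample | Format-List

# On a live client (placeholder SSID):
#   Test-WlanProfileSecurity -NetshLines (netsh wlan show profiles name="CORP-WIFI")
#   netsh wlan show wlanreport   # writes an HTML report of recent WLAN sessions
```
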

Yes, that's correct. I configured the new 9800-L following the same configuration as the 3504. I didn't know the WPA+WPA2 had changed for this new WLC.
I attached the configuration of the 3504 WLC, section WLAN configuration.

Scott12_0-1681912599220.png

If I go to the WLAN section on the 9800 WLC I can see this:

Scott12_1-1681913696642.png

Scott12_2-1681913711549.png

What exactly is the configuration you mention regarding WPA on the 9800 WLC?

Regards

 

 

(Accepted solution)

I think you are okay, because you did not have WPA enabled. Are you pushing out the profiles to the clients? Have you checked that to validate the profile? Does the device authenticate successfully in ISE?

-Scott
*** Please rate helpful posts ***

Rich R
VIP

Also make sure your software version is up to date as per TAC recommended link below:

 
