04-18-2023 03:59 PM
Dear Community,
I'm struggling with this strange case. We have deployed a new WLC 9800 in our company and the migration is going well so far, but now the users are complaining that they are experiencing disconnection from the corporate SSID; they are unable to get internet access or access to other internal web pages, for example the payroll system, SAP and so on.
We could notice that the users still have an IP address and they can ping the default gateway, DHCP servers and other internal services, but the webpages don't display.
The Corporate SSID is authenticating the users through 802.1x using Cisco ISE. The behavior only occurs on this SSID; the Guest portal and another SSID with PSK are working fine.
Any thoughts?
Some captures
Thank you
04-18-2023 04:17 PM - edited 04-18-2023 04:18 PM
The WLAN looks okay, but when you say migration, what do you mean? You have a mix of APs on older controllers and the new 9800s? Need a little more info on what you mean by migration.
Also, did you have Fast Transition enabled on the old setup? You should validate that all settings in the WLAN are the same and don't introduce anything new.
04-18-2023 04:54 PM
Hi,
Looks like you have some direction when you say only the SSID with 802.1x has the problem. Probably user sessions are getting lost at some point, maybe in the migration. It can be related to the NAT table, ARP table or authentication session. Try to disable/enable the SSID and/or reload the AP after hours.
04-18-2023 07:17 PM
show wireless stats trace-on-failure
This should show you the most common client failure reasons; however, based on your description it does not seem like a wireless issue, something upstream.
Since you are in migration, do you know the last change before the issue started?
04-19-2023 12:06 AM
- Have a checkup review of the WLC 9800 configuration with the CLI command: show tech wireless, and have the output analyzed with: https://cway.cisco.com/wireless-config-analyzer/
Checkout these tools concerning analyzing clients : https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity
M.
06-20-2024 02:02 PM
Thank you for this!!!!! We were having issues with our corp ssid after moving to new 9800 WLC's and the wireless-config-analyzer tool and "show tech wireless" command helped me resolve the issue in 10 minutes. Very helpful indeed. You are brilliant!
04-19-2023 06:10 AM
Many thanks for your time in responding on this issue,
Regarding the migration, before we had a 3506 WLC; we turned off the old WLC and the 2800 series APs, and now we are only working with the 9800 WLC and 9100 series APs.
This is odd because we configured the SSID like the old WLC and this behavior only happens with the corporate SSID (802.1x auth with ISE).
I will execute the command that you provided.
Another thing, is it possible to get logs regarding these disconnections on the WLC?
04-19-2023 06:17 AM
You mean you had a 3504 controller? You migrated to a 9800-L or a different model? You should really check if your SSID was exactly the same or not, because what I have seen in the past is that SSIDs that used WPA+WPA2 have changed to just WPA2 with AES. If these are Windows machines that are domain joined or MDM managed, you should review the wireless profile.
If you want to decipher logs, debug the client MAC address and search online for the "Cisco WLC debug analyzer tool". If these are Windows machines, you can look at the netsh wlan show wlanreports. Look that up online for more info and how to run the command on a Windows machine.
04-19-2023 07:16 AM
Yes, that's correct, I configured the new 9800 L following the same configuration as the 3504. I didn't know the WPA+WPA2 had changed for this new WLC.
I attached the configuration of the 3504 wlc, section WLAN configuration
If I go to WLAN section in 9800 wlc I can see this,
What exactly is the configuration you mention regarding WPA on 9800 wlc?
Regards
04-19-2023 01:09 PM
I think you are okay, because you did not have WPA enabled. Are you pushing out the profiles to the clients? Have you checked that to validate the profile? Does the device authenticate successfully in ISE?
04-19-2023 08:53 AM
Also make sure your software version is up to date as per TAC recommended link below: