Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7078
Views
3
Helpful
2
Replies

Cisco Catalyst 9800 %CLIENT_EXCLUSION_SERVER reason:VLAN failure

Go to solution
Thomas Zenz
Level 1
Level 1

‎04-26-2023 05:31 AM

We are in transsion from Cisco WLC 5520 to Catalyst 9800 (17.9.3).
We are also changeing very old APs from 3600 to CW9166I.

Some handheld unseing windows embeded cannot connect to the new APs. It's 2.4GHz. On the controller we only see this log error:

2023/04/26 11:39:39.363976694 {wncmgrd_R0-0}{1}: [errmsg] [19020]: (note): %CLIENT_EXCLUSION_SERVER-5-ADD_TO_EXCLUSIONLIST_REASON_DYNAMIC: R0/0: wncmgrd: Client MAC: b40e.de19.f294 was added to exclusion list associated with AP Name:EIS_Test, BSSID:MAC: 6c8d.772e.a503, reason:VLAN failure

The wlan is useing PSK/WPA2

Other Clients like Phones or WLAN Tester are working.

Any Ideas?

Thanks for help
Tom

Labels:
Preview file
81 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Thomas Zenz
Level 1
Level 1
In response to marce1000

‎04-27-2023 04:15 AM

Hi Marce,

Thank you for the anwswer. Nice tool, didn't know that.

We found the problem:

The VLAN Associoation was not correct. 
Configuration -> Tags & Profiles -> Policy 
under Accrss Policies, the VLAN Goup was still pointing to management.

Strange, that the IPhone and the Tester did work. But now everything is working and makes sense.

View solution in original post

2 Replies 2

Go to solution
marce1000
VIP
VIP

‎04-26-2023 06:16 AM - edited ‎04-26-2023 06:18 AM

 

 - Below you will find the output from the debugTrace when processed with : https://cway.cisco.com/wireless-debug-analyzer/ , Show All flag was checked :  - Have a checkup-review of your  9800   Controller current configuration too with the CLI command : show tech wireless  , have the output analyzed with : https://cway.cisco.com/wireless-config-analyzer
                                         Checkout all advisories!

                                           Output from wireless debug analyzer ; note the Client policy failure

Connection attempt #1
Connection attempt #2
2023/04/26 11:34:59.865 client-orch-sm Client made a new Association to an AP/BSSID: BSSID 6c8d.772e.a503, WLAN an:messe, Slot 0 AP 6c8d.772e.a500, EIS_Test
2023/04/26 11:34:59.866 dot11 Association success for client, assigned AID is: 3
2023/04/26 11:34:59.901 client-keymgmt Negotiated the following encryption mechanism: AKM:PSK Cipher:CCMP WPA Version: WPA2
2023/04/26 11:34:59.901 client-auth Client successfully completed Pre-shared Key authentication. Assigned VLAN: 1050
2023/04/26 11:34:59.901 client-orch-state Starting Mobility Anchor discovery for client
2023/04/26 11:35:02.903 client-orch-state Entering IP learn state
2023/04/26 11:35:03.873 client-iplearn Client got IP: 172.20.76.250, discovered through: ARP
2023/04/26 11:35:03.874 client-orch-sm Controller initiated client deletion with code: CO_CLIENT_DELETE_REASON_EXCLUDE_POLICY_FAILURE. Code means: Client policy failure
Connection attempt #3
2023/04/26 11:36:27.408 client-orch-sm Client made a new Association to an AP/BSSID: BSSID 6c8d.772e.a503, WLAN an:messe, Slot 0 AP 6c8d.772e.a500, EIS_Test
2023/04/26 11:36:27.409 dot11 Association success for client, assigned AID is: 1
2023/04/26 11:36:27.423 client-keymgmt Negotiated the following encryption mechanism: AKM:PSK Cipher:CCMP WPA Version: WPA2
2023/04/26 11:36:27.424 client-auth Client successfully completed Pre-shared Key authentication. Assigned VLAN: 1050
2023/04/26 11:36:27.424 client-orch-state Starting Mobility Anchor discovery for client
2023/04/26 11:36:30.427 client-orch-state Entering IP learn state
2023/04/26 11:36:31.383 client-iplearn Client got IP: 172.20.76.250, discovered through: ARP
2023/04/26 11:36:31.384 client-orch-sm Controller initiated client deletion with code: CO_CLIENT_DELETE_REASON_EXCLUDE_POLICY_FAILURE. Code means: Client policy failure
Connection attempt #4
2023/04/26 11:38:04.842 client-orch-sm Client roamed to a new AP/BSSID: BSSID 6c8d.772e.a503, WLAN an:messe, Slot 0 AP 6c8d.772e.a500, EIS_Test
2023/04/26 11:38:04.843 dot11 Association success for client, assigned AID is: 1
2023/04/26 11:38:04.859 client-keymgmt Negotiated the following encryption mechanism: AKM:PSK Cipher:CCMP WPA Version: WPA2
2023/04/26 11:38:04.859 client-auth Client successfully completed Pre-shared Key authentication. Assigned VLAN: 1050
2023/04/26 11:38:04.860 client-orch-state Starting Mobility Anchor discovery for client
2023/04/26 11:38:07.864 client-orch-state Entering IP learn state
2023/04/26 11:38:08.892 client-iplearn Client got IP: 172.20.76.250, discovered through: ARP
2023/04/26 11:38:08.893 client-orch-sm Controller initiated client deletion with code: CO_CLIENT_DELETE_REASON_EXCLUDE_POLICY_FAILURE. Code means: Client policy failure
Connection attempt #5
2023/04/26 11:39:35.425 client-orch-sm Client made a new Association to an AP/BSSID: BSSID 6c8d.772e.a503, WLAN an:messe, Slot 0 AP 6c8d.772e.a500, EIS_Test
2023/04/26 11:39:35.426 dot11 Association success for client, assigned AID is: 1
2023/04/26 11:39:35.447 client-keymgmt Negotiated the following encryption mechanism: AKM:PSK Cipher:CCMP WPA Version: WPA2
2023/04/26 11:39:35.447 client-auth Client successfully completed Pre-shared Key authentication. Assigned VLAN: 1050
2023/04/26 11:39:35.447 client-orch-state Starting Mobility Anchor discovery for client
2023/04/26 11:39:38.450 client-orch-state Entering IP learn state
2023/04/26 11:39:39.363 client-iplearn Client got IP: 172.20.76.250, discovered through: ARP
2023/04/26 11:39:39.364 client-orch-sm Controller initiated client deletion with code: CO_CLIENT_DELETE_REASON_EXCLUDE_POLICY_FAILURE. Code means: Client policy failure
Connection attempt #6
2023/04/26 11:41:00.588 client-orch-sm Client made a new Association to an AP/BSSID: BSSID 6c8d.772e.a503, WLAN an:messe, Slot 0 AP 6c8d.772e.a500, EIS_Test
2023/04/26 11:41:00.589 dot11 Association success for client, assigned AID is: 1
2023/04/26 11:41:00.589 client-orch-sm Client started layer 2 authentication (either dot1X or PSK)
2023/04/26 11:41:00.596 client-keymgmt Sent M1 for EAPOL 4-Way Handshake
2023/04/26 11:41:00.601 client-keymgmt Received and validated M2 for EAPOL 4-Way Handshake
2023/04/26 11:41:00.601 client-keymgmt Sent M3 for EAPOL 4-Way Handshake
2023/04/26 11:41:00.605 client-keymgmt Received and validated M4 for EAPOL 4-Way Handshake
2023/04/26 11:41:00.605 client-keymgmt Negotiated the following encryption mechanism: AKM:PSK Cipher:CCMP WPA Version: WPA2
2023/04/26 11:41:00.605 client-auth Client successfully completed Pre-shared Key authentication. Assigned VLAN: 1050
2023/04/26 11:41:00.605 client-orch-sm Client passed layer 2 authentication
2023/04/26 11:41:00.606 client-orch-state Starting Mobility Anchor discovery for client
2023/04/26 11:41:03.608 avc-afc AVC is enabled for the client session

 

  M.

 



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Go to solution
Thomas Zenz
Level 1
Level 1
In response to marce1000

‎04-27-2023 04:15 AM

Hi Marce,

Thank you for the anwswer. Nice tool, didn't know that.

We found the problem:

The VLAN Associoation was not correct. 
Configuration -> Tags & Profiles -> Policy 
under Accrss Policies, the VLAN Goup was still pointing to management.

Strange, that the IPhone and the Tester did work. But now everything is working and makes sense.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card