Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1204
Views
5
Helpful
5
Replies

Cisco vWLC 9800 .11r cache information not propagated from WLC to APs

Kalin Hristov
Level 1
Level 1

‎02-07-2023 12:50 PM

Hello,

I hope you can help me stop banging my head about very strange problem.

I have a test setup with vWLC 9800 and two APs, 9120AX and 9130AX. I have WLAN that is doing dot1x with TLS and RADIUS server, which works fine. The only problem is that 801.11r is not working properly. For some reason the PMK cache information is not propagated from the WLC to the APs and as you can imagine the roaming does not work. When I try to move to another AP, the AP complains about PMK-r0 is not found in the cache and 802.11i slow roaming occurs. 

When I check at the controller everything looks fine:

WLC#show wireless pmk-cache
Number of PMK caches in total : 3

Type Station Entry Lifetime VLAN Override IP Override Accounting-Session-Id Audit-Session-Id Username
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
DOT11R 50ed.3c2c.a723 669 1 0x00000000 FD0AA8C0000042C52D8EFE7B apple
DOT11R 64b5.f2cc.a861 1480 1 0x00000000 FD0AA8C0000042C42D897BB9 samsung

But then on the AP:

9120AX#show flexconnect pmk

Total number of PMK cache entries: 0

HW Address Life Time(s) BSSID vlanOverride aclOverride ipv6AclOverride qosOverride iPSK
9120AX#show flexconnect dot11r

Total number of DOT11R cache entries: 0

HW Address Life Time(s) BSSID R0KhId R1KhId vlanOverride aclOverride ipv6AclOverride qosOverride iPSK

Both APs are in the same FlexConnect group and site tag. If I disable FT+802.1x and enable 802.1x+AES256, the devices are doing 802.11i fast roaming without any problems.

I am testing with Samsung S23 (Qualcomm) and Samsung S21 (Exynos) and the behavior is the same

What I am missing?

 

Thanks

Labels:
0 Helpful
5 Replies 5

Scott Fella
Hall of Fame
Hall of Fame

‎02-07-2023 02:34 PM

Don't know what version you are on, but make sure you look at this guide as some items are specific if using FlexConnect.

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Dublin 17.10.x - 802.11r BSS Fast Transition [Cisco Catalyst 9800 Series Wireless Controllers] - Cisco

-Scott
*** Please rate helpful posts ***

Kalin Hristov
Level 1
Level 1
In response to Scott Fella

‎02-07-2023 02:58 PM

Hi

Thanks for the reply. I am using 17.10.1, yes with WPA3

Am I understanding correctly this document implies, that for .11r and dot1x+ft I need to use only local auth. Now I have central auth, with local switching flexconnect?

0 Helpful

Kalin Hristov
Level 1
Level 1

‎02-07-2023 11:54 PM

Okay,

I found the problem. I just created a new site tag and assigned the APs to it. For some reason, the WLC does not want to propagate .11r information to default site tag 

0 Helpful

Rich R
VIP
VIP

‎02-12-2023 09:29 AM - edited ‎02-12-2023 09:29 AM

That's a general rule with 9800 ...
https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html#Designingwithsitetagsinmind
1.     Use custom site tags and not the default site tag

Make sure you're familiar with everything in that guide.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful

Kalin Hristov
Level 1
Level 1
In response to Rich R

‎02-12-2023 09:33 AM

For large deployments, yes

But I don't see anywhere in this document, that if I use default site tag, the controller will not propagate cache information

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card