Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1672
Views
0
Helpful
8
Replies

cisco wlc mac filtering not working when switchover to active

Go to solution
kmnii
Level 1
Level 1

‎08-19-2021 07:11 PM

Hi.

 

When switchover from backup to active, Some users could not access the ssid.

 

For example, there were 20 people on the macfiltering list, and about 10 of them did not use ssid.
However, as a solution to the problem, all were resolved with disable/re-enable.
Before the switchover, it was using it without any problem.

 

I do not understand the operation and attach the log and equipment information when it was not joined at the time.

 

Additionally, the redundancy state is sso mode.


[log]
%DOT1X-3-PSK_CONFIG_ERR: [PA]1x_ptsm.c:749 Client xx:xx:xx:xx:xx:xx may be using an incorrect PSK
Aug 13 13:56:35.610: [WARNING] apf_policy.c 4593: Either Vlan Name id Template invalid or no name to id mapping exist for interface 'management'

 

[show]
---------------Show boot---------------

Primary Boot Image............................... 8.5.140.0 (active)
Backup Boot Image................................ 8.3.143.0

---------------Show udi---------------
NAME: "Chassis" , DESCR: "Cisco 5520 Wireless Controller"
PID: AIR-CT5520-K9, VID: V01, SN:


Is there any problem you can guess?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arshad Safrulla
VIP Alumni
VIP Alumni
In response to kmnii

‎08-23-2021 09:40 PM

Do you have Flex AP fast heart beat enabled? If not can you have it enabled and try again. 

Also in AireOS  I am yet to come across any documentation which says they support PSK+MAC Filter authentication. Most of the documentation where MAC filtering is referred uses No Layer 2 authentication. 

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

View solution in original post

0 Helpful
8 Replies 8

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎08-19-2021 11:31 PM

Not sure at this stage, but look at the bug :

 

https://quickview.cloudapps.cisco.com/quickview/bug/CSCvm61048

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Rich R
VIP
VIP

‎08-20-2021 10:01 AM

1. Upgrade to latest release: https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html#anc10 or https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html#anc4 (if all your APs are supported on 8.10).  If that fixes the problem - great.  If you still see the problem then ...

2. Open a case with Cisco TAC.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

Go to solution
Arshad Safrulla
VIP Alumni
VIP Alumni

‎08-20-2021 03:34 PM

Did you check the bulk sync status before initialing the switchover? It is always recommended that you check the "show redundancy summary" command to make sure that you HA cluster health is perfect before initiating a failover. If the bulk sync status was pending or in-orogress when you initiated the failover the behavior you explained is expected. Bulk sync status shows whether the AP's and client information is synced to the hot standby wlc from the active wlc. When WLC standby boots up and forms HA with an Active WLC, the Active WLC will send the configuration to the standby unit. Depending on the size of the DB, like number of clients connected, APs joined, etc, it may take up to 20 mins to the configuration and database sync to complete.

 

As @Rich R advised please try to run the latest Cisco recommended releases as much as possible.

 

 

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla
0 Helpful

Go to solution
kmnii
Level 1
Level 1
In response to Arshad Safrulla

‎08-22-2021 08:01 PM

thank you for reply arshadsaf

 

We made sure the sync status was OK before making the switch.

Also, no action was taken for about 3 hours after the failure occurred, and the problem continued.

 

At first, I thought it would be a synchronization problem, but considering the fact that it was not resolved over time and that it occurred between the two transitions, it does not seem to be a synchronization problem.

 

Additionally, I have confirmed that the problem does not occur when active conversion from Unit 1 to Unit 2 occurs, and only occurs when active conversion from Unit 2 to Unit 1 occurs.

 

Lastly, I'm sorry I used Google Translate.

0 Helpful

Go to solution
Arshad Safrulla
VIP Alumni
VIP Alumni
In response to kmnii

‎08-23-2021 12:49 PM

Is the AP's on Flex connect? 

Are you using multiple authentication for a client (PSK+MAC filter etc.)?

 

I would strongly suggest you to look @Rich R recommendation to consider a new AireOS with less bug as well.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla
0 Helpful

Go to solution
kmnii
Level 1
Level 1
In response to Arshad Safrulla

‎08-23-2021 06:49 PM

yes, AP is Flex mode and Our security policy is '[WPA2][Auth(PSK)], MAC Filtering'

0 Helpful

Go to solution
Arshad Safrulla
VIP Alumni
VIP Alumni
In response to kmnii

‎08-23-2021 09:40 PM

Do you have Flex AP fast heart beat enabled? If not can you have it enabled and try again. 

Also in AireOS  I am yet to come across any documentation which says they support PSK+MAC Filter authentication. Most of the documentation where MAC filtering is referred uses No Layer 2 authentication. 

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla
0 Helpful

Go to solution
Rich R
VIP
VIP

‎08-20-2021 04:48 PM

Good point @Arshad Safrulla and there are actually a number of bugs which can cause bulk-sync to get stuck in the older code - another reason to update.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card