client cannot get TCP syn-ack message in CWA using cisco 9800/ISE

atifali.zaidi1
Level 1

I have the below setup in the lab:

Foreign and anchor (both 9800) connected to the same L3 switch; mobility tunnel built and is UP (remote site but same country).

The L3 switch connects to the Prisma SD-WAN device (WAN).

The Prisma WAN device hosts the Guest subnet L3 / DHCP scope / ISP DNS - 10.x.x.x.

Cisco ISE in the DC (same country) --------- we are using CWA.

Redirect ACL present on both controllers, and both added to ISE, as mentioned below:

10 deny udp any any eq bootpc
20 deny udp any any eq bootps
50 deny ip any host <ISE-IP>
60 deny ip host <ISE-IP> any
90 deny udp host <dns-ip> eq domain any range 0 65535
100 deny udp any range 0 65535 host <dns-ip> eq domain
110 deny tcp host <dns-ip> eq domain any range 0 65535
120 deny tcp any range 0 65535 host <dns-ip> eq domain
170 permit tcp any range 0 65535 any eq www

Client connects to the AP, foreign WLC performs MAB via ISE <<<<< success

Client gets an IP address via the Prisma WAN ---- success

Client performs a DNS lookup to captive.apple.com, DNS response received with the IP address of captive.apple.com ---- success

Client initiates a TCP SYN packet <<<< this packet should be intercepted by the anchor WLC, and the anchor WLC should reply back with a TCP SYN-ACK message. TCP SYN packet re-transmissions keep happening and then nothing happens further. I took pcaps on both foreign and anchor WLC, and I can see the TCP SYN packet which the client sends; the destination is showing as the Prisma SD-WAN device, which is fine, but then shouldn't the anchor WLC intercept this SYN packet and send back a SYN-ACK? Do I need to configure an additional L3 interface of guest on the anchor WLC?

Please suggest how this could be solved.
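As an added illustration (not part of the original post, and not Cisco code), the following evaluator walks the redirect ACL above against a few constructed flows from the scenario, using the 9800 CWA convention that a "permit" line marks traffic to be intercepted and redirected, while a "deny" line marks traffic that is passed through to its real destination untouched. <ISE-IP>, <dns-ip> and the resolved captive.apple.com address are placeholder values.

```python
# Added example: classify client flows against the posted CWA redirect ACL.
# Convention (9800 CWA): permit = intercept and redirect, deny = pass through,
# no match = implicit deny, i.e. no redirect (forwarding then depends on the
# pre-auth ACL, not on this ACL).
ISE_IP = "10.0.0.10"   # placeholder for <ISE-IP>
DNS_IP = "10.0.0.53"   # placeholder for <dns-ip>

# (seq, action, proto, src, src_port_range, dst, dst_port_range); None = any port
# bootpc=68, bootps=67, domain=53, www=80
REDIRECT_ACL = [
    (10,  "deny",   "udp", "any",  None,       "any",  (68, 68)),
    (20,  "deny",   "udp", "any",  None,       "any",  (67, 67)),
    (50,  "deny",   "ip",  "any",  None,       ISE_IP, None),
    (60,  "deny",   "ip",  ISE_IP, None,       "any",  None),
    (90,  "deny",   "udp", DNS_IP, (53, 53),   "any",  (0, 65535)),
    (100, "deny",   "udp", "any",  (0, 65535), DNS_IP, (53, 53)),
    (110, "deny",   "tcp", DNS_IP, (53, 53),   "any",  (0, 65535)),
    (120, "deny",   "tcp", "any",  (0, 65535), DNS_IP, (53, 53)),
    (170, "permit", "tcp", "any",  (0, 65535), "any",  (80, 80)),
]

def _addr_match(pattern, addr):
    return pattern == "any" or pattern == addr

def _port_match(rng, port):
    return rng is None or rng[0] <= port <= rng[1]

def classify(proto, src, sport, dst, dport):
    """Return (seq, verdict): 'redirect' on a permit hit, 'bypass' on a
    deny hit, (None, 'no-redirect') when the implicit deny applies."""
    for seq, action, ace_proto, s, sp, d, dp in REDIRECT_ACL:
        if ace_proto != "ip" and ace_proto != proto:
            continue  # 'ip' matches every protocol; tcp/udp must match exactly
        if (_addr_match(s, src) and _port_match(sp, sport)
                and _addr_match(d, dst) and _port_match(dp, dport)):
            return seq, ("redirect" if action == "permit" else "bypass")
    return None, "no-redirect"  # implicit deny: not intercepted by CWA

if __name__ == "__main__":
    client, apple = "10.1.1.20", "198.51.100.10"   # constructed addresses
    for flow in [("udp", client, 68, "255.255.255.255", 67),  # DHCP discover
                 ("udp", client, 51000, DNS_IP, 53),          # DNS query
                 ("tcp", client, 51234, apple, 80),           # captive probe
                 ("tcp", client, 51235, apple, 443),          # HTTPS
                 ("tcp", client, 51236, ISE_IP, 8443)]:       # portal to ISE
        print(flow, "->", classify(*flow))
```

The captive.apple.com probe on port 80 is the only flow that hits a permit line, so it is the one the anchor should intercept and answer with a SYN-ACK; an HTTPS probe matches nothing and is never redirected by this ACL.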


aaronO
Level 1

Hello,

Interesting. So you are seeing the TCP SYN message from the client on the anchor, and the anchor is not reacting to it, correct?

  • Do you mind sharing the packet captures and WLC configs?
  • While the client is waiting for the TCP SYN response, what is the status of the client on the anchor and foreign WLC?

I would try to debug on both controllers to understand why the TCP is not being answered.

debug wireless mac aaaa.bbbb.cccc to-file bootflash:debug-client.txt 

  • Have you tried to enter the ISE IP address in the client browser? What is the result?
  • Have you tried another browser?

The ACL looks fine to me. Can you confirm the ACL is being applied by the WLC in the client details?

Cheers, Aaron 

The foreign WLC talks to ISE; ISE sends access-accept + redirect ACL + redirect URL. The status of the client on the foreign controller says "run" and on the anchor it says "webauth pending", and I can also see the anchor WLC applying the redirect ACL and redirect URL. The client does a DNS lookup to anything and gets a response from the DNS server. Now the client sends a TCP SYN packet destined toward its gateway, which ideally should be intercepted by the anchor controller, and it should respond back with a SYN-ACK message, but I keep seeing TCP re-transmissions happening. We opened ports 80, 443 and 8443 from the Guest client subnet towards ISE. What seems to be the issue? Sorry, I cannot upload pcaps or RA trace.

Rich R
VIP

Software version, @atifali.zaidi1?

What about pre-auth ACL?

As @aaronO said you need RA trace of the client ...
