
client fails to roam seamlessly on 9136i on Cisco 9800 running 17.9.5

atifali.zaidi1
Level 1

Hello experts, I have a very strange issue.

I have HP G8 laptops which connect to 9136i APs on the WLAN, which is enabled for 802.1x using EAP-TLS with Cisco ISE 3.2. The controller is a 9800 running 17.9.5. The WLAN is enabled with FT enabled + FT 802.1x. When a client roams from one AP to another it gets dropped, and I can see the following in the debug trace. The SSID is only enabled on 5 GHz; 2.4/6 GHz is disabled. Should I disable 802.11r and FT 802.1x and then test?

Sometimes the client does a full 802.1x when it roams to the new AP, and sometimes it just completes the 4-way handshake and gets an IP address.

I did a lot of digging and we have tried increasing the EAP timers; still the issue persists. should we disable 

1st condition 

The client associates, gets authenticated, completes the 4-way handshake, gets an IP address, then gives the below message and gets deleted:

2024/10/01 12:02:48.895225671 {wncd_x_R0-1}{1}: [dot11] [18633]: (info): MAC: xxx.xxx.xxx DOT11 state transition: S_DOT11_ASSOCIATED -> S_DOT11_TO_DELETE
2024/10/01 12:02:48.895451358 {wncd_x_R0-1}{1}: [client-orch-sm] [18633]: (info): MAC: xxx.xxx.xxx Deleting the client, reason: 69, CO_CLIENT_DELETE_REASON_CLIENT_EAP_TIMEOUT_FAILURE, Client state S_CO_RUN
2024/10/01 12:02:48.895528142 {wncd_x_R0-1}{1}: [client-orch-sm] [18633]: (note): MAC: xxx.xxx.xxx Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_CLIENT_EAP_TIMEOUT_FAILURE, details: , fsm-state transition 00|00|00|00|00

2nd condition

The client associates, gets authenticated, completes the 4-way handshake, gets an IP address, then gives the below message and gets deleted:

2024/10/01 12:02:49.531774651 {wncd_x_R0-1}{1}: [client-orch-sm] [18633]: (ERR): MAC: xxx.xxx.xxx Mobility failure during fast roam, as policy is not received from handoff and PMK do not have policy as well.
2024/10/01 12:02:49.531781613 {wncd_x_R0-1}{1}: [client-orch-sm] [18633]: (info): MAC: xxx.xxx.xxx Deleting the client, reason: 232, CO_CLIENT_DELETE_REASON_FASTROAM_MOBILITY_FAILURE, Client state S_CO_MOBILITY_DISCOVERY_IN_PROGRESS
2024/10/01 12:02:49.531800769 {wncd_x_R0-1}{1}: [client-orch-sm] [18633]: (note): MAC: xxx.xxx.xxx Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_FASTROAM_MOBILITY_FAILURE, details: , fsm-state transition 00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|01|07|15|1a|1b|2c|36|
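Added example, not part of the original post and not Cisco tooling: a small parser for trace lines in the layout quoted above that lists every client delete with its reason code, client state and the last ERR line logged for the same MAC shortly before it. The sample trace is constructed from the message formats in the post with made-up MAC addresses; the function names and the one-second correlation window are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the trace layout quoted in the post; MACs are made up.
SAMPLE_TRACE = """\
2024/10/01 12:02:48.895225671 {wncd_x_R0-1}{1}: [dot11] [18633]: (info): MAC: 0011.2233.4455 DOT11 state transition: S_DOT11_ASSOCIATED -> S_DOT11_TO_DELETE
2024/10/01 12:02:48.895451358 {wncd_x_R0-1}{1}: [client-orch-sm] [18633]: (info): MAC: 0011.2233.4455 Deleting the client, reason: 69, CO_CLIENT_DELETE_REASON_CLIENT_EAP_TIMEOUT_FAILURE, Client state S_CO_RUN
2024/10/01 12:02:49.531774651 {wncd_x_R0-1}{1}: [client-orch-sm] [18633]: (ERR): MAC: 0011.2233.4455 Mobility failure during fast roam, as policy is not received from handoff and PMK do not have policy as well.
2024/10/01 12:02:49.531781613 {wncd_x_R0-1}{1}: [client-orch-sm] [18633]: (info): MAC: 0011.2233.4455 Deleting the client, reason: 232, CO_CLIENT_DELETE_REASON_FASTROAM_MOBILITY_FAILURE, Client state S_CO_MOBILITY_DISCOVERY_IN_PROGRESS
truncated line without the expected prefix
2024/10/01 12:03:10.100000000 {wncd_x_R0-1}{1}: [client-orch-sm] [18633]: (info): MAC: 0011.2233.4466 Deleting the client, reason: 69, CO_CLIENT_DELETE_REASON_CLIENT_EAP_TIMEOUT_FAILURE, Client state S_CO_RUN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.(?P<frac>\d+) \{[^}]+\}\{\d+\}: "
    r"\[(?P<module>[^\]]+)\] \[\d+\]: \((?P<level>\w+)\): MAC: (?P<mac>\S+) (?P<msg>.*)$")
DELETE_RE = re.compile(
    r"Deleting the client, reason: (?P<code>\d+), (?P<name>\w+), Client state (?P<state>\w+)")

def find_deletes(trace, window_s=1.0):
    """One record per client delete, plus the last ERR for that MAC within window_s seconds."""
    last_err, events = {}, []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip wrapped or truncated lines
        # datetime holds microseconds, so the nanosecond field is truncated.
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S").replace(
            microsecond=int(m["frac"][:6].ljust(6, "0")))
        if m["level"] == "ERR":
            last_err[m["mac"]] = (ts, m["msg"])
        d = DELETE_RE.search(m["msg"])
        if d:
            err_ts, err_msg = last_err.get(m["mac"], (None, None))
            near = err_ts is not None and (ts - err_ts).total_seconds() <= window_s
            events.append({"ts": ts, "mac": m["mac"], "code": int(d["code"]),
                           "name": d["name"], "state": d["state"],
                           "error": err_msg if near else None})
    return events

def count_by_reason(events):
    """Tally deletes per (reason code, reason name)."""
    return Counter((e["code"], e["name"]) for e in events)

if __name__ == "__main__":
    for e in find_deletes(SAMPLE_TRACE):
        print(e["ts"], e["mac"], e["code"], e["name"], e["state"], "|", e["error"])
```

Grouping deletes by reason and client state separates the two conditions described in the post, so each can be tracked across a longer trace.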

 

 


Leo Laohoo
Hall of Fame

@atifali.zaidi1 wrote:
I have HP G8 laptops

What is the wireless NIC, and what are the wireless NIC drivers?

Latest drivers have been installed recently. Don't have the exact NIC info.


@atifali.zaidi1 wrote:
Latest drivers have been installed recently. Don't have the exact NIC info.

I repeat: What is the wireless NIC, and what are the wireless NIC drivers?

atifali.zaidi1
Level 1

One more thing to add: 802.11k is enabled on the SSID with prediction optimization + neighbor list.

marce1000
VIP

 

- Note that you can have these and other (full) client debugs analyzed with: Wireless Debug Analyzer
  + Have a checkup of the 9800 controller's configuration with the CLI command show tech wireless (not simple 'show tech') and feed the output from that into Wireless Config Analyzer

- As 17.9.x is gradually getting EOL now, consider upgrading to 17.12.3
  You may find this information useful:
  https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214749-tac-recommended-ios-xe-builds-for-wirele.html
  https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214855-ios-xe-wireless-feature-list-per-release.html

M.
                 



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

marce1000
VIP

 

  - Take note https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214749-tac-recommended-ios-xe-builds-for-wirele.html#toc-hId-2052757410

  M.




JPavonM
VIP

Are your clients running Win10? See if you may be impacted by this Windows defect:
https://community.meraki.com/t5/Wireless/Wireless-Invalid-MIC-EAPoL-4-way-handshake-is-failling/m-p/243560?utm_source=communitymembers&utm_medium=email&utm_campaign=immediate_general%27#M33500

See how it behaves when you disable any roaming algorithm (802.11r and OKC with "no okc") and rely on full reauthentications.
