Re: Clients losing connectivity to guest wireless network - Page 2

igor.hamzic81 · ‎09-30-2024

Hello all,

I have an issue where wireless users that are connecting to the guest wireless network by entering their credentials through the guest portal are losing connectivity at random intervals(usually within 1 minute of connecting).

From the user side it looks fine the 1st time they enter their credentials in the portal but at a random time the machine loses connectivity and to restore it usually user needs to re-enter their credentials but the problem persists and they have to re-enter their credentails again. This behaviour continues in a loop and effectively the user cannot work on the network.

On the event log on the WLC I see the following events on the client event log(in attachment).

Info on the devices:
WLC 3504, version 8.10.190.0
APs - mostly 2702 APs with several 1832 and 1702 APs
For RADIUS we use Cisco ISE, version 3.2.0.542, patch 5

igor.hamzic81 · ‎10-01-2024

I managed to upgrade the WLC to the latest recommended version but the situation remains unchanged. The guest clients keep de-authenticating within 10-20 seconds of authorizing on the network.

The users remain connected to the network but need to re-enter their credentials.

MHM Cisco World · ‎10-03-2024

debug client <mac address>

Share this for any client loss connection

MHM

Rich R · ‎10-04-2024

1. Have you checked your WLC config using the Config Analyzer (link below)?

2. Do you have CoA enabled and working on the WLC so that ISE can send CoA to the WLC? Are your firewalls and ACLs allowing the CoA to reach the WLC?

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

igor.hamzic81 · ‎10-04-2024

I have done the debug for one client and I think that I'm either hitting the bug CSCwa20143 or there is some weird interection between ISE and WLC for client timeout.

After removing session timeout on the WLC(was set to 28800s) the client connection is stable.

Altough I would like to keep the session timeout as a security measure as this is a guest network.

The logs from the WLC are attached.

Rich R · ‎10-04-2024

Interesting - don't think I'd seen that bug before.
And thinking about it we might have seen something similar to this before too, a while back, and couldn't explain it.
Next week I'll have a closer look at the one where we had the issue reported.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

igor.hamzic81 · ‎10-09-2024

Just an update as I have been fiddling with this on both ISE and WLC.

It seems that the main problem is the mismatch between ISE and WLC regarding Reauthentication timers. Before I had this set only on the WLC to 28800s but after looking at the debug you could see that the ISE was sending value of 65k.

After setting the Reauthentication timer on the ISE authorization profiles to the WLC value the problem was gone and the whole thing behaved as expected.

It really looks like that the timers on the new versions of ISE and WLC must now match(or be off on the WLC) for this to work properly.

If I manage I will test with different values on ISE and WLC to see if there are any combos that will work if the values are different.