
CWA intermittent issue

thms
Community Member

Hi all,

First time posting here.

I’m facing an intermittent issue with CWA on a Cisco Catalyst 9800 (17.12.4) and PacketFence. It only impacts FlexConnect deployments; central switching works fine.

Issue:
About once a week (it can happen more than once, though), CWA breaks:

  • Clients connect to the SSID but show “no internet”
  • No redirection to the captive portal
  • No clear errors or relevant logs

Observations:

  • Modifying the redirect ACL, even just a description, immediately restores service
  • QoS policy changes can trigger the issue
  • An EEM ACL refresh helps as a temporary workaround, but because the failure is silent and generates no usable logs, I have to rely on a daily cron job, which still impacts the end users.

Troubleshooting:

  • Client trace shows no anomalies
  • Logs seen in some cases: Redirect ACL failure / Authorization failed, but not during the failure window

Questions:

  • Known bugs in 17.12.4 related to CWA / redirect ACL / FlexConnect?
  • Possible ACL/policy desync between WLC and AP?
  • Recommended debugs to catch this during failure?

Thanks in advance

6 Replies

Mark Elsen
Hall of Fame

 

- @thms No direct insights here, but also relating to intermittent issues: have a try with the latest advisory for 17.12, i.e. 17.12.6a

    M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)

thms
Community Member

@Mark Elsen that's not currently possible, as there are still some APs in our infrastructure that don't support version 17.12.6a.


 
- @thms Yes they will; let me clarify: all your access points working on the current 17.12 release will work with 17.12.6a. Cisco no longer updated the compatibility matrix after 17.12.3 because the versions after .3 were not sufficiently back-tested on the older access points (also using 17.12.x). But that has no impact.

   M.




thms
Community Member

@Mark Elsen I checked this compatibility matrix and did not find the series of some of the APs that are still in our infra. Do you suggest I go ahead and update to version 17.12.6a?

https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html#:~:text=Cisco%20IOS%20XE%2017.12.6a

 

- @thms Yes. They are omitted in that table, for the reasons I previously explained.

  M.




thms
Community Member

@Mark Elsen I will do some testing in a lab environment and will get back to you if the issue is resolved.
