
Duplicate IPv6 Client getting excluded in WLC due to IPTheft feature

subodh goyal
Level 1

Hello Team,

Two different client devices are using the same IPv6 address, due to which the WLC is deleting those clients because of the IPTheft feature.

Two different clients (286b.35a9.477d and 5c3a.453a.a41b) are using the same IPv6 address, which is not allowed for the WLC, due to which they are disconnected and consequently added into the exclusion list.

Even when the DHCP server is not providing this type of IP information, clients are still asking for it.

Can you please confirm why the clients are using the same IPv6 address for 2 different machines?

Also we are using the same setup for all sites in flex connect but only 1 site is impacted due to this.

Model- C9800-40-K9

Version- 17.9.6

 

Debug Logs:-

2025/03/27 09:33:06.483611489 {wncd_x_R0-4}{1}: [errmsg] [19084]: (note): %CLIENT_ORCH_LOG-5-ADD_TO_EXCLUSIONLIST_REASON: R0/4: wncd: Client MAC: 286b.35a9.477d with IP: fe80::bf58:740c:22c5:43e0 was added to exclusion list, legit Client MAC: 5c3a.453a.a41b, IP: fe80::bf58:740c:22c5:43e0, reason: IP address theft
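An added example (not part of the original post, and not Cisco code): a Python parser for the exclusion message quoted above that groups "IP address theft" events by contested address, lists the MAC addresses involved, and checks whether the IPv6 interface identifier is the modified EUI-64 of either MAC. The `sample_line` helper and the second and third sample lines are constructed for illustration; only the first line's values come from the post.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the C9800 exclusion message format quoted in the post above.
EXCLUSION_RE = re.compile(
    r"%CLIENT_ORCH_LOG-5-ADD_TO_EXCLUSIONLIST_REASON: .*?"
    r"Client MAC: (?P<excluded>[0-9a-f.]{14}) with IP: (?P<ip>\S+) "
    r"was added to exclusion list, legit Client MAC: (?P<legit>[0-9a-f.]{14}), "
    r"IP: \S+, reason: (?P<reason>.+)$"
)

def is_eui64_of(ip, mac):
    """True if the IPv6 interface identifier is the modified EUI-64 of mac."""
    m = bytes.fromhex(mac.replace(".", ""))
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]
    return ipaddress.IPv6Address(ip).packed[8:] == iid

def summarize(lines):
    """Group 'IP address theft' exclusions by the contested address."""
    by_ip = defaultdict(lambda: {"macs": set(), "events": 0})
    for line in lines:
        m = EXCLUSION_RE.search(line.strip())
        if not m or m["reason"] != "IP address theft":
            continue
        addr = ipaddress.ip_address(m["ip"])
        e = by_ip[str(addr)]
        e["macs"] |= {m["excluded"], m["legit"]}
        e["events"] += 1
        e["link_local"] = addr.is_link_local
        # MAC-derived (EUI-64) or generated/configured on the client itself?
        e["eui64"] = addr.version == 6 and any(
            is_eui64_of(str(addr), mac) for mac in e["macs"])
    return dict(by_ip)

def sample_line(ts, excluded, legit, ip="fe80::bf58:740c:22c5:43e0"):
    """Hypothetical helper: builds a log line in the format shown in the post."""
    return (f"{ts} {{wncd_x_R0-4}}{{1}}: [errmsg] [19084]: (note): "
            f"%CLIENT_ORCH_LOG-5-ADD_TO_EXCLUSIONLIST_REASON: R0/4: wncd: "
            f"Client MAC: {excluded} with IP: {ip} was added to exclusion list, "
            f"legit Client MAC: {legit}, IP: {ip}, reason: IP address theft")

SAMPLE = [
    sample_line("2025/03/27 09:33:06.483611489", "286b.35a9.477d", "5c3a.453a.a41b"),
    sample_line("2025/03/27 09:41:12.000000000", "5c3a.453a.a41b", "286b.35a9.477d"),  # constructed
    "2025/03/27 09:42:00.000000000 unrelated line",  # constructed noise
]

if __name__ == "__main__":
    for ip, e in summarize(SAMPLE).items():
        print(ip, sorted(e["macs"]), e["events"], e["link_local"], e["eui64"])
```

For the address in the post the result is link-local and not EUI-64 for either MAC, so the interface identifier was generated or configured on the clients rather than derived from their hardware addresses.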


marce1000
Hall of Fame

 

  - Not sure about the clients' behavior, but you can allow overlapping IP addresses using these settings:
     https://community.cisco.com/t5/wireless/wlc-9800-cl-client-exclusion-issue/m-p/4700373/highlight/true#M246927
     OR
     https://community.cisco.com/t5/wireless/chromebooks-amp-quot-client-is-blacklisted-due-to-ip-address/m-p/4701579/highlight/true#M247003
                        (which provides the same info)

   M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

IP overlap is already enabled


You did not answer my previous question:
Are the clients at the same site (in which case your problem is a client addressing issue not a WLC issue) or at different sites?

And the follow on questions:
- Do you have unique site tags at each site?
- Is that Plant flex profile definitely applied to the APs in question?
"sh ap name <ap-name> tag detail" to confirm the tags applied to the AP.


Are the clients at the same site (in which case your problem is a client addressing issue not a WLC issue) or at different sites? We are having multiple sites with the same flex profile (Plant) but only 1 site is impacted with this issue.

And the follow on questions:
- Do you have unique site tags at each site? Yes
- Is that Plant flex profile definitely applied to the APs in question? Correct
"sh ap name <ap-name> tag detail" to confirm the tags applied to the AP.

9800-ESPed-WLC#sh ap name PIMAP19 tag detail
AP Name : PIMAP19
AP Mac : 9077.ee9f.a43a

Tag Type      Tag Name
-----------------------------
Policy Tag    Plants-policy-tag
RF Tag        Global_RF_tag
Site Tag      PIMAD

Policy tag mapping
------------------
WLAN Profile Name         Policy Name              VLAN  Flex Central Switching  IPv4 ACL        IPv6 ACL
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
gb-cpd-wlan-profile       GB-CPD_Flex_Profile      400   DISABLED                Not Configured  Not Configured
gbimbo-wlan-profile       GBimbo_Flex_Profile      310   DISABLED                Not Configured  Not Configured
gbwifi-wlan-profile       GBWifi_Flex_Profile      310   DISABLED                Not Configured  Not Configured
gbguest-wlan-profile      GBGuest_Central_profile  330   ENABLED                 Not Configured  Not Configured
gbmobile-wlan-profile     GBMobile_Flex_Profile    310   DISABLED                Not Configured  Not Configured
gbguest_vip-wlan-profile  GBGuest_Central_profile  330   ENABLED                 Not Configured  Not Configured

Site tag mapping
----------------
Flex Profile : Plant
AP Profile : Iberia-Global
Local-site : No

RF tag mapping
--------------
6ghz RF Policy : default-rf-profile-6ghz
5ghz RF Policy : Iberia_Global_5Ghz
2.4ghz RF Policy : Iberia_Global_2.4Ghz
2.4ghz slot 0 Radio Policy : Not Configured
5ghz slot 1 Radio Policy : Not Configured
5ghz slot 2 Radio Policy : Not Configured
6ghz slot 2 Radio Policy : Not Configured
6ghz slot 3 Radio Policy : Not Configured

 

> Are the clients at the same site (in which case your problem is a client addressing issue not a WLC issue) or at different sites? We are having multiple sites with the same flex profile (Plant) but only 1 site is impacted with this issue.

Sorry but that still does not answer my question!
"Client MAC: 286b.35a9.477d with IP: fe80::bf58:740c:22c5:43e0 was added to exclusion list, legit Client MAC: 5c3a.453a.a41b, IP: fe80::bf58:740c:22c5:43e0"
There are 2 clients 286b.35a9.477d and 5c3a.453a.a41b. 
Are those 2 clients at the same site or on different sites?
Which WLAN are those clients on?

If they are at the same site, locally switched, then that is outside the control of the WLC and you need to investigate at the site because the WLC is just reporting what it's seeing.

Scott Fella
Hall of Fame

If you are not using IPv6, why not just disable it on the client or, better yet, on the controller? Or else you are going to have to dig into the clients and see how their IPv6 is configured: is it being auto-configured or maybe static, which I doubt.

-Scott
*** Please rate helpful posts ***

By default IPv6 is enabled on all endpoint devices, but only 1 location is affected.

It's an easy fix to disable it if you are not using it.  One site for now, but that will grow and might start to happen to other devices in the future.  There is no need to enable ipv6 unless you are using it.

-Scott
*** Please rate helpful posts ***

Rich R
VIP

Are the clients at the same site (in which case your problem is a client addressing issue not a WLC issue) or at different sites?

If they're at different sites then this is clearly covered in multiple places in the Best Practices guide (link below).  You must ensure they use different site tags and you must enable "ip overlap" in the flex profile.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#FlexConnectsitetag
See the Overlapping Client IP Address in Flex Deployment section at https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m-sniffer-cg.html#proxy-arp-for-flex-wireless

IP overlap is already enabled.

 

@subodh goyal  -    Do the clients effectively use and/or need IPv6 addresses?

     M.


