FlexConnect Client Connectivity Issue

muranskycotech
Beginner

I've begun implementing FlexConnect in my environment. So far, so good... everything is working mostly as expected.

However, I now have a number of devices... certain smartphones so far... that will NOT connect to a FlexConnect AP if it's a 1262AGN AP, but my older 1242G AP will accept the devices without issue. Same SSID, same encryption standards.

If I connect the devices to my guest network (no security), they will connect just fine to both APs, and Non-FlexConnect 1242 and 1262 APs will both accept the devices without issue using my private network.

In other words, it seems to be an issue specific to 1262AGN with my encryption security.

My security is WPA2/AES with PSK. No additional security on the SSID.

Any ideas why these devices won't connect?

Accepted Solutions

1. Yes, TKIP was initially enabled (which I thought had been disabled previously, so I apologize for the confusion). Disabling it had no effect, however, per best practice I will leave it disabled. I've never used WEP or WPA, only WPA2.

>The only reason I suggest this, is because I know from experience that this causes client connectivity issues

2. FT has been enabled with FT PSK since January 1. Yes, I have always been aware that devices must support it to work. So with that said, here's a breakdown of what I'm using...

All of my laptops are Dell or HP with Windows 7 x64 with the latest drivers and do not have any issues (even now). Their drivers were updated at the time of implementation in January. They are all working fine with FlexConnect and FT enabled.

> It's typically the hardware that also needs to be able to support this.  Many devices do not support this which means latest firmware doesn't make a device support 802.11r

I have a variety of smartphones/tablets... Apple, Android, and Windows devices of varying types. I always require users to update to the latest firmware, mostly because of Apple's bugginess supporting Exchange. So far, I've not had any trouble with tablets... my Surface RT and a user's iPad are connected just fine.

> See this link http://support.apple.com/kb/HT5535

I was testing with a Nokia Lumia 920 (Windows Phone 8) and experiencing issues yesterday, however, as I said before it was working prior to enabling FlexConnect, and to the best of my knowledge it IS 802.11r supported... If it's not, then I'm not sure how it was working previously which is where the issue comes in. I don't have any Apple or Android devices handy for testing until business hours tomorrow, but I will verify whether they have any issues.

> You need to pull the data sheet to see if it's supported.  From what I have searched, I don't see anything saying it does support 802.11r.

In the meantime, I've disabled FT on my guest and data WLAN in order to ensure everyone can connect. My voice WLAN, however, still has FT enabled for use with my 7921 and 7925 phones, which I believe to support 802.11r using firmware 1.4.3 SR1. Please correct me if I'm wrong on that, although again, with FT and FlexConnect enabled... I'm not seeing any issues on either style AP.

> I don't know if the 7921 or 7925 support 802.11r.  If they associate, I guess they do.

3. Cisco 5508 running 7.4.100.60 software, 1242G's with 12.4(25e)JAM1$, and 1262AGN's with 15.2(2)JB1$. If there is a major difference in functionality with this setup, I realize it's probably the difference in 12.4 and 15.2 IOS on these APs, but if FT/FC are not actually applied to the 1242G, can you please provide the documentation of that? Everything I've seen suggests I should be fine.

> Again, hardware has to support 802.11r.  You can reference this link which explains the debug commands to see if the device is using FT or not.

http://wireless-richard.blogspot.com/2012/09/80211r-support-in-ios-6.html

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***


Scott Fella
Hall of Fame Guru

You're using WPA2/AES... TKIP is not enabled either, correct? Can you post your show WLAN?

Sent from Cisco Technical Support iPhone App

-Scott

Actually, yes, TKIP is also enabled. I can try disabling it if that makes a difference. Fast Transition is also enabled, although I'd prefer to not disable that one.

Well TKIP should be disabled and FT only works with clients that support FT. Clients that don't support FT will not connect.

-Scott

Understood, but this has been running for more than 8 months now, and only the change to FlexConnect has affected connectivity, and only on the 1262AGN AP's.

Even now, I have a 1262AGN outside my office door with FlexConnect, and yet my smartphone is connected to the 1242G down the hall instead (turned Wi-Fi off for a few minutes and then back on to force a change). I can also prove the case by rebooting the 1242G so that only the 1262AGN is in range... and then it won't connect at all.

If I turn the AP back to Local mode, it connects right away.

UPDATE: Turning off FT does allow the AP to connect to the 1262AGN in FlexConnect mode. So, now it seems the key is 1262AGN + FT + FlexConnect. Possibly a bug?

Scott Fella
Hall of Fame Guru

Not really... The standard for WPA is to use TKIP. For WPA2 you use AES. The standard doesn't support a mix. Even though it worked, it's not best practice as Apple devices have issues connecting with a mixed encryption. When you use WPA2-Personal or WPA2-Enterprise, it uses WPA2/AES and not TKIP.

For FT, it's not a bug... If your devices don't support FT, they will not connect.

-Scott

Scott Fella
Hall of Fame Guru

Can you mark the question answered so it helps others when they search?

-Scott

I'll be happy to mark it answered when it's answered.

TKIP is now disabled... WPA2 (only) with AES (only).

Devices are clearly FT capable or they wouldn't connect at all, per your own comments and my own reading of FT documentation when I enabled it.

However, they DO connect but only to non-1262AGN APs in this condition. That's NOT normal.

Well... A 1242???? And pre-shared key???

Those are not supported in 802.11r. That's why it worked with your old APs because they had no clue what to do.

-Scott

I'm sorry to disagree, but I don't believe that you're correct on this.

I've had this setup for several months now with no prior issue, and it was implemented under direction from TAC. This is a simple setup here... there's nothing special about it. Standard SSID with WPA2/AES PSK, FT is enabled with the FT PSK option, and the only change now is enabling FlexConnect. 27 APs (only 2 of which are 1262) at one site and 3 1262s at the other site.

If I assume you're correct on the FT issue with 1242, then these devices would not have connected at the second site with 1262s alone at any point in the past several months, and yet they did.

If there's documentation to explain it, I'd appreciate the link to that information. Otherwise, can we get over the "not supported" claim and figure out what's going on? If I'm better off opening a TAC case, then I will do so.

Many of the folks here try to help out others on our own time, and many of the folks don't work for Cisco.  If there is an urgent need to get something fixed or told that something doesn't work, then opening a TAC case is your best bet.  Per the release notes:

802.11r Fast Transition is now supported on FlexConnect APs in central and locally switched WLANs.

I also asked you to provide the show wlan which you did not, so it's hard for anyone to troubleshoot without seeing the show run-config or accessing the WLC like what TAC would do.  Now if TAC told you to enable 802.11r FT, well they must have told you that non-802.11r devices will not join, because you get a warning when you enable either FT 802.1x or FT PSK.  I have tested this and many devices don't support 802.11r, but maybe all your devices are brand new... again, I have to assume that since you didn't really mention how old your devices that are connecting or what devices they are in general.  We have to assume a lot of things when information is provided.  I gave you information that is best practice, yet you didn't appreciate that.  We only can help as much as what information the OP provides us.

This is what you provided in your initial post:

My security is WPA2/AES with PSK. No additional security on the SSID.

Well, that wasn't all of it, you then replied:

Actually, yes, TKIP is also enabled. I can try disabling it if that makes a difference. Fast Transition is also enabled, although I'd prefer to not disable that one.

This is why many of us request to see the show run-config or any other additional information.

Now I just tested 802.11r on a FlexConnect AP using FT 802.11x and had no issues connecting to the wireless.  I also spent time to test FT PSK on a FlexConnect and also had no issues.  Now my device I know is supported because it's an iPhone 5 along with my iPad gen 3 running iOS6.

Thanks,

Scott

-Scott

Just to show you.... and I know my other configuration is correct:

Two SSID's FT 802.1x has always been working for me and my test FT PSK

My AP is in FlexConnect

My Client has successfully associated and is authenticated

Local switching and in the RUN state

FT-PSK is being used

Thanks,

Scott

-Scott

First of all thank you, and I apologize if I offended you, because I'm not attacking you or your expertise. I very much appreciate your time in helping... I just want more detail than "not supported" because I believe I'm doing the right thing and need help to identify why it may not be.

So, to the issue...

1. Yes, TKIP was initially enabled (which I thought had been disabled previously, so I apologize for the confusion). Disabling it had no effect, however, per best practice I will leave it disabled. I've never used WEP or WPA, only WPA2.

2. FT has been enabled with FT PSK since January 1. Yes, I have always been aware that devices must support it to work. So with that said, here's a breakdown of what I'm using...

All of my laptops are Dell or HP with Windows 7 x64 with the latest drivers and do not have any issues (even now). Their drivers were updated at the time of implementation in January. They are all working fine with FlexConnect and FT enabled.

I have a variety of smartphones/tablets... Apple, Android, and Windows devices of varying types. I always require users to update to the latest firmware, mostly because of Apple's bugginess supporting Exchange. So far, I've not had any trouble with tablets... my Surface RT and a user's iPad are connected just fine.

I was testing with a Nokia Lumia 920 (Windows Phone 8) and experiencing issues yesterday, however, as I said before it was working prior to enabling FlexConnect, and to the best of my knowledge it IS 802.11r supported... If it's not, then I'm not sure how it was working previously which is where the issue comes in. I don't have any Apple or Android devices handy for testing until business hours tomorrow, but I will verify whether they have any issues.

In the meantime, I've disabled FT on my guest and data WLAN in order to ensure everyone can connect. My voice WLAN, however, still has FT enabled for use with my 7921 and 7925 phones, which I believe to support 802.11r using firmware 1.4.3 SR1. Please correct me if I'm wrong on that, although again, with FT and FlexConnect enabled... I'm not seeing any issues on either style AP.

3. Cisco 5508 running 7.4.100.60 software, 1242G's with 12.4(25e)JAM1$, and 1262AGN's with 15.2(2)JB1$. If there is a major difference in functionality with this setup, I realize it's probably the difference in 12.4 and 15.2 IOS on these APs, but if FT/FC are not actually applied to the 1242G, can you please provide the documentation of that? Everything I've seen suggests I should be fine.

4. Here is the show wlan config currently in use (wlan 1 is data, wlan 3 is voice), as I overlooked your request for it earlier.


(Cisco Controller) >show wlan 1


WLAN Identifier.................................. 1
Profile Name..................................... SWH
Network Name (SSID).............................. SWH
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
  Client Profiling Status ....................... Disabled
   DHCP ......................................... Disabled
   HTTP ......................................... Disabled
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 23
Exclusionlist.................................... Disabled
Session Timeout.................................. 86400 seconds
User Idle Timeout................................ 300 seconds

User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... SWH-WLC
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ wlan-data
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
PMIPv6 Mobility Type............................. none
Quality of Service............................... Gold
Per-SSID Rate Limits............................. Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Per-Client Rate Limits........................... Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0

Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Enabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... 802.1P (Tag=5)
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... 802.11b and 802.11g only
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ Disabled
   Accounting.................................... Disabled
   Dynamic Interface............................. Disabled
   Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled

Security

   802.11 Authentication:........................ Open System
   FT Support.................................... Disabled
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
                                                               Auth Key Management
         802.1x.................................. Disabled
         PSK..................................... Enabled
         CCKM.................................... Disabled
         FT-1X(802.11r).......................... Disabled
         FT-PSK(802.11r)......................... Disabled
         PMF-1X(802.11w)......................... Disabled
         PMF-PSK(802.11w)........................ Disabled
      FT Reassociation Timeout................... 20
      FT Over-The-DS mode........................ Enabled
      GTK Randomization.......................... Disabled
      SKC Cache Support.......................... Disabled

      CCKM TSF Tolerance......................... 1000
   WAPI.......................................... Disabled
   Wi-Fi Direct policy configured................ Disabled
   EAP-Passthrough............................... Disabled
   CKIP ......................................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   FlexConnect Local Switching................... Enabled
   flexconnect Central Dhcp Flag................. Disabled
   flexconnect nat-pat Flag...................... Disabled
   flexconnect Dns Override Flag................. Disabled
   FlexConnect Vlan based Central Switching ..... Disabled
   FlexConnect Local Authentication.............. Disabled
   FlexConnect Learn IP Address.................. Enabled
   Client MFP.................................... Optional
   PMF........................................... Disabled
   PMF Association Comeback Time................. 1
   PMF SA Query RetryTimeout..................... 200
   Tkip MIC Countermeasure Hold-down Timer....... 60
AVC Visibilty.................................... Disabled

AVC Profile Name................................. None
Flow Monitor Name................................ None
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled

Mobility Anchor List
WLAN ID     IP Address            Status
-------     ---------------       ------

802.11u........................................ Disabled

MSAP Services.................................. Disabled

(Cisco Controller) >show wlan 3


WLAN Identifier.................................. 3
Profile Name..................................... WLC-Voice
Network Name (SSID).............................. SWHV
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Disabled
AAA Policy Override.............................. Disabled
Network Admission Control
  Client Profiling Status ....................... Disabled
   DHCP ......................................... Disabled
   HTTP ......................................... Disabled
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 94
Exclusionlist.................................... Disabled
Session Timeout.................................. 86400 seconds
User Idle Timeout................................ 300 seconds

User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... SWH-WLC
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ wlan-voice
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
PMIPv6 Mobility Type............................. none
Quality of Service............................... Platinum
Per-SSID Rate Limits............................. Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Per-Client Rate Limits........................... Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0

Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Required
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Enabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... ap-cac-limit
Wired Protocol................................... 802.1P (Tag=6)
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... 802.11b and 802.11g only
DTIM period for 802.11a radio.................... 2
DTIM period for 802.11b radio.................... 2
Radius Servers
   Authentication................................ Disabled
   Accounting.................................... Disabled
   Dynamic Interface............................. Disabled
   Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled

Security

   802.11 Authentication:........................ Open System
   FT Support.................................... Enabled
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
                                                               Auth Key Management
         802.1x.................................. Disabled
         PSK..................................... Enabled
         CCKM.................................... Disabled
         FT-1X(802.11r).......................... Disabled
         FT-PSK(802.11r)......................... Enabled
         PMF-1X(802.11w)......................... Disabled
         PMF-PSK(802.11w)........................ Disabled
      FT Reassociation Timeout................... 20
      FT Over-The-DS mode........................ Enabled
      GTK Randomization.......................... Disabled
      SKC Cache Support.......................... Disabled

      CCKM TSF Tolerance......................... 1000
   WAPI.......................................... Disabled
   Wi-Fi Direct policy configured................ Disabled
   EAP-Passthrough............................... Disabled
   CKIP ......................................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   FlexConnect Local Switching................... Enabled
   flexconnect Central Dhcp Flag................. Disabled
   flexconnect nat-pat Flag...................... Disabled
   flexconnect Dns Override Flag................. Disabled
   FlexConnect Vlan based Central Switching ..... Disabled
   FlexConnect Local Authentication.............. Disabled
   FlexConnect Learn IP Address.................. Enabled
   Client MFP.................................... Optional
   PMF........................................... Disabled
   PMF Association Comeback Time................. 1
   PMF SA Query RetryTimeout..................... 200
   Tkip MIC Countermeasure Hold-down Timer....... 0
AVC Visibilty.................................... Disabled

AVC Profile Name................................. None
Flow Monitor Name................................ None
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled

Mobility Anchor List
WLAN ID     IP Address            Status
-------     ---------------       ------

802.11u........................................ Disabled

MSAP Services.................................. Disabled

So one thing that never occurred to me... and maybe this is significant or not...

I've always had my WLAN security setup this way with both PSK and FT PSK checked. When I just checked my voice WLAN clients (7921 and 7925) phones... I notice they aren't showing the FT PSK connection, but they are just connected by WPA2/AES.

Now, I'm assuming from that tidbit that most of my clients haven't been connecting by FT PSK at all and just continuing to use PSK.

In fact, I just disabled PSK and left FT PSK on and all my clients fell off (and after a period of 3 minutes didn't reconnect). I'm not on site today to verify why, but nevertheless it confirms the theory that FT probably hasn't actually been in use.

So, now I'm left with the fact that FT is probably my entire issue and not necessarily FlexConnect. At the very least, it's something I need to read up a bit more on.

It's still curious to me why my phone (and presumably other clients) would connect fine without FlexConnect enabled but suddenly acted up with it in place. I appreciate any thoughts you have.
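
An added example (not part of the original thread and not Cisco tooling): a small Python audit of `show wlan` output that reports the cipher and AKM combinations discussed above, in particular PSK and FT-PSK being enabled together. The sample text is a constructed excerpt that reuses field names from the posted output; WLAN 9 and its SSID are made up.

```python
import re

# Matches "Key....... Value" lines of WLC `show wlan` output (dotted leader).
# Keys that contain single dots ("802.1x", "FT-1X(802.11r)") are handled
# because the separator must be at least two consecutive dots.
LINE_RE = re.compile(r"^\s*(.+?)\s*\.{2,}\s*(.*?)\s*$")

# Constructed sample: abbreviated excerpts. WLAN 3 mirrors the security
# settings of the voice WLAN posted in the thread; WLAN 9 is hypothetical.
SAMPLE = """\
(Cisco Controller) >show wlan 3

WLAN Identifier.................................. 3
Network Name (SSID).............................. SWHV
Security
   FT Support.................................... Enabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
         802.1x.................................. Disabled
         PSK..................................... Enabled
         FT-1X(802.11r).......................... Disabled
         FT-PSK(802.11r)......................... Enabled
WLAN Identifier.................................. 9
Network Name (SSID).............................. EXAMPLE-LAB
Security
   FT Support.................................... Enabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Enabled
         AES Cipher.............................. Enabled
         802.1x.................................. Disabled
         PSK..................................... Disabled
         FT-1X(802.11r).......................... Disabled
         FT-PSK(802.11r)......................... Enabled
"""


def parse_show_wlan(text):
    """Split a capture into one {field: value} dict per WLAN."""
    wlans, current = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, CLI prompts, section headings
        key, value = m.group(1), m.group(2)
        if key == "WLAN Identifier":
            current = {}
            wlans.append(current)
        if current is not None:
            # Some keys repeat (e.g. rate-limit rows); keep the first one.
            current.setdefault(key, value)
    return wlans


def audit_wlan(w):
    """Return findings for the settings debated in the thread."""
    def on(key):
        return w.get(key, "Disabled") == "Enabled"

    findings = []
    # Lower-case "802.1x" is the AKM row; "802.1X" is a separate field.
    ft_akm = on("FT-PSK(802.11r)") or on("FT-1X(802.11r)")
    legacy_akm = on("PSK") or on("802.1x")
    if on("WPA2 (RSN IE)") and on("TKIP Cipher"):
        findings.append("TKIP enabled alongside WPA2/AES")
    if ft_akm and legacy_akm:
        findings.append("FT and non-FT AKMs both enabled: "
                        "clients may be joining without FT")
    if ft_akm and not legacy_akm:
        findings.append("FT-only AKM: clients without 802.11r cannot join")
    return findings


def audit_capture(text):
    """Map each SSID in the capture to its list of findings."""
    return {w.get("Network Name (SSID)", "?"): audit_wlan(w)
            for w in parse_show_wlan(text)}


if __name__ == "__main__":
    for ssid, findings in audit_capture(SAMPLE).items():
        print(ssid, "->", findings or ["no findings"])
```
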

I only test with my iPhone 5 and my iPad 3rd gen to test FT because they only support it with the iOS6.  My wife's Samsung GIII will connect but will not auth using FT-802.1x but with 802.1x.  Not too many devices support 802.11r, but Apple has jumped in first.  My wife's MacAir doesn't connect to my ssid set for FT-802.1x so she associates with another ssid that is strictly 802.1x.

Thanks,

Scott

-Scott