Re: Flexconnect on Slow Links

Mohammed al Baqari · ‎05-09-2023

Hi,

We had a deployment of centralised WLC (earlier 3504) with flexconnect configured for remote sites (centralized auth, local switching, ISE CWA. ISE, WAPs and clients are on same LAN). These sites are connected to the controller using satellite links (latency 700-800 msec). That was working without issues.

We migrated the WLC to 9800-CL on Azure (same latency) and started facing issues with CAPWAP throttling by the controller.

My questions:

- Are these messages triggered by the latency between WAPs and WLC.?

- Are there any tweaks for timers to overcome these errors? Please suggest.

- In 9800 can we have local auth or it has to be center (this was a must in 3504)?

Here are sample messages:

May 8 09:58:41.373: %CAPWAPAC_SMGR_TRACE_MESSAGE-4-AP_MSG_THRESHOLD: Chassis 1 R0/0: wncd: Warning : Mac: 1cfc.17c6.5440 Session-IP:x.x.x.x[5273] x.x.x.x[5246] Capwap messages are queued for longer than 21 seconds, turning on client throttling. Queued messages : 36

May 8 09:58:58.661: %CAPWAPAC_SMGR_TRACE_MESSAGE-4-AP_MSG_THRESHOLD: Chassis 1 R0/0: wncd: Warning : Mac: 10a8.2980.1da0 Session-IP: x.x.x.x[5275] x.x.x.x[5246] Capwap messages are queued for longer than 20 seconds, turning on client throttling. Queued messages : 26

May 8 09:59:04.104: %CAPWAPAC_SMGR_TRACE_MESSAGE-4-AP_MSG_THRESHOLD: Chassis 1 R0/0: wncd: Warning : Mac: 70b3.1780.37e0 Session-IP:x.x.x.x[5264] x.x.x.x[5246] Capwap messages are queued for longer than 20 seconds, turning on client throttling. Queued messages : 23

marce1000 · ‎05-09-2023

- I am presuming the APs are still in Flexconnect mode ? Have a checkup review of the 9800-CL configuration with the CLI command show tech wireless ; have the output reviewed with : https://cway.cisco.com/wireless-config-analyzer/

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Flavio Miranda · ‎05-09-2023

Hello

"- Are these messages triggered by the latency between WAPs and WLC.?"

If could be. But when we see logs like this "Capwap messages are queued for longer than 20 seconds", also make think about processing and memory. Usually WLC have no problem with CPU and memory so delay on the link can be one possibility.

"- Are there any tweaks for timers to overcome these errors? Please suggest."

I would take a look on the Link Latency paramenter on the WLC. You may extend the value to the maximum allowed.

"- In 9800 can we have local auth or it has to be center (this was a must in 3504)?"

Support both

"This document describes how to configure FlexConnect with central or local authentication on Catalyst 9800 Wireles LAN controller."

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213921-flexconnect-configuration-with-central-a.html

Mohammed al Baqari · ‎05-09-2023

Many thx Flavio. With regards to local authentication, I read this one but I am using MAB for guest portal provided by ISE. The document is describing dot1x only. Is MAB supported using local authentication as well? If there is any document will be g8.

Flavio Miranda · ‎05-10-2023

Hi

Take a look here, maybe it can help you

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213922-configure-mac-authentication-ssid-on-cis.html

Jolly99er · ‎09-20-2023

What do you mean by "I would take a look on the Link Latency paramenter on the WLC. You may extend the value to the maximum allowed." Can you provide some documentation?