03-14-2024 04:55 AM
Hi,
We have a pair of 9800s in HA/SSO. About to migrate our APs from 8540 to 9800. As I'm recreating our SSIDs to the new 9800s, we can't get the one FlexConnect SSID to work. The 4 centrally switched SSIDs work as expected. I have followed the various blogs and configuration guides, and the SSID is presented in the air. The problem is, when the client is trying to connect, nothing happens - nothing in the logs or debugs that would indicate why the client cannot connect. From the 9800:
wlc-9800# show ap wlan summary
BSSID SSID WLAN profile name AP WLAN State AP WLAN Uptime Client Count AP Name IP Address Physical Capabilities AP Mode CAPWAP Path MTU Radio Uptime TxPwr Channel AP Up time Association Up time
------------------------------------------------------------------------------------------------------------------
dead.767f.beef flexconn flexssid Enabled 04:19:52 0 AP0001-001 1.1.1.1 5ghz-VHT FlexConnect 1485 04:19:52 *3/8 (16 dBm) (132)* 4 hours 21 minutes 50 seconds 4 hours 19 minutes 53 seconds
From the AP:
AP0001-001#show configuration wlan flexconn
SSID : flexssid
Radio Policy : 5GHz
Vlan Id : 111
Status : Enabled
Max Radio Clients : 200
SplitmacMode : Enabled
Capability : ESS PRIVACY SPEC_MGMT RADIO_MSMT
vap_mode : None
encryptPolicy : AES_CCM128
authType : WPA_8021X
rsnDataLen : 28
wpaDataLen : 0
rsnxe_len : 0
Broadcast SSID : Enabled
Band Steering : Disabled
Load Balancing : Disabled
11w MFP Capabilities : PMF_OPTIONAL
11w dot11wPmfAssocComebackTime : 1000
11w dot11wPmfSAQueryRetryTime : 200
aironetIeSupport : 0
dot11eBandwidth : 23437
otherFlags : DHCP_REQUIRED LS
DTIMPeriod : 1
vapSecOptFlags : 0
QoS : 3
QoS maxPriority : 6
default Unicast Priority : 6
default Multicast Priority : 6
kts_cac_policy : false
Multicast Buffer : Disabled
Multicast Buffer Size : 0
Client Idle Timeout : 300
Client Idle Threshold : 0
DHCP Profiling : 1
HTTP Profiling : 0
HTTP Profiling Timeout : 0
Dot11k neighbor list : 1
Passive Client : Disabled
Multicast mc2uc : Disabled
Fabric : Disabled
GPR Support : 0
Reauth Timeout : 1800
tkipHoldDownTimer : 0
Profile Name : flexconn
Profiles on the 9800:
wlc-9800#show ap name AP0001-001 config general
Cisco AP Name : AP0001-001
=================================================
Cisco AP Identifier : dead.767f.beef
Country Code : NO
Regulatory Domain Allowed by Country : 802.11bg:-E 802.11a:-E 802.11 6GHz:-E
AP Country Code : NO - Norway
AP Regulatory Domain
802.11bg : -E
802.11a : -E
MAC Address : dead.767e.beef
IP Address Configuration : DHCP
IP Address : 1.1.1.1
IP Netmask : 255.255.255.0
Gateway IP Address : 1.1.1.2
Fallback IP Address Being Used :
Domain :
Name Server :
CAPWAP Path MTU : 1485
Capwap Active Window Size : 1
Telnet State : Disabled
CPU Type : ARMv7 Processor rev 0 (v7l)
Memory Type : DDR3
Memory Size : 995328 KB
SSH State : Enabled
Serial Console State : Enabled
Cisco AP Location :
Site Tag Name : ap-with-flex
RF Tag Name : custom-radio-profile
Policy Tag Name : flexconn
AP join Profile : default-ap-profile
Flex Profile : default-flex-profile
Primary Cisco Controller Name : Not Configured
Primary Cisco Controller IP Address : 0.0.0.0
Secondary Cisco Controller Name : Not Configured
Secondary Cisco Controller IP Address : 0.0.0.0
Tertiary Cisco Controller Name : Not Configured
Tertiary Cisco Controller IP Address : 0.0.0.0
Administrative State : Enabled
Operation State : Registered
NAT External IP Address : 1.1.1.1
AP Certificate type : Manufacturer Installed Certificate
AP Certificate Expiry-time : 11/12/2037 15:00:17
AP Certificate issuer common-name : Cisco Manufacturing CA SHA2
AP Certificate Policy : Default
AP CAPWAP-DTLS LSC Status
Certificate status : Not Available
AP 802.1x LSC Status
Certificate status : Not Available
AP LSC authentication state : CAPWAP-DTLS
This specific example is from a 1832i AP, but same problem on the 9115, 9120 and 9130.
03-14-2024 06:10 AM
- Start with a checkup of the (primary) 9800 controller's configuration with the CLI command show tech wireless and feed the output into: Wireless Config Analyzer
M.
03-14-2024 06:45 AM
Done, have three errors/reds, but they are unrelated/SFP-related. Nothing regarding profiles/tags for the flexconnect-ssid.
03-14-2024 07:25 AM
03-14-2024 07:18 AM
Have you seen this guide in particular? I found it very helpful and it had everything I needed to get FlexConnect going here.
03-14-2024 10:03 AM
- Added reply
For testing purposes: if you know to which FlexConnect AP a particular client will connect (and/or in a test setup), issue this command first on the AP:
show ap client-trace events mac <client-mac-address>
Then let the client connect or attempt to connect and follow up on the outputs shown or check the logs on the AP.
- Further engage in full client debugging according to https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity , these debugs can be analyzed with Wireless Debug Analyzer
- Outputs from the commands mentioned in https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc5 can also be useful
- Check current software version being used on the HA-SSO pair; if somewhat older, then go for 17.9.5
M.
03-28-2024 06:40 AM
Thanks for the help - I deleted all relevant profiles and tags related to the faulty flex-ssid, re-created them after also upgrading to 17.9.5 from 17.9.4a. That seems to have done the trick.