Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
302
Views
1
Helpful
6
Replies

Guest users connected to SSID but no Internet

Rajesh Kumar Reddy
Level 1
Level 1

‎04-10-2025 05:13 PM

Hello Team,

I have an issue my guest users where 

They are getting authenticated via webauth and receiving the IP address but device is showing as "No Internet" with globe symbol.

This is ransom and happening on all the devices like Apple IPAD, MAC, Surface, windows laptop.

When I collected the debug logs and run it in analyzer I could see the error as "Controller initiated client deletion with reason as "CO_CLIENT_DELETE_REASON_L3AUTH_FAIL.

But I could see that authentication is successful and client is receiving the IP and getting connected to SSID and only issue is with he is not getting IP address

Can someone suggest what troubleshooting steps to be done and what config changes are required.

I am attaching debug logs FYR.

Preview file
174 KB
Preview file
3871 KB
0 Helpful
6 Replies 6

Saikat Nandy
Cisco Employee
Cisco Employee

‎04-10-2025 05:38 PM

It looks like you are doing LWA - which means ip address assignment will happen first followed by the auth. From the RA I can see an instance of successful connection - 

2025/04/09 18:12:14.499935867 {wncd_x_R0-0}{1}: [client-orch-sm] [19943]: (note): MAC: 5a4b.4256.75e4 Re-Association received. BSSID e44e.2d04.81aa, WLAN wcguest_Global_NF_37beac82, Slot 1 AP e44e.2d04.81a0, TAMLOAP0301, Site tag TAMPA_ST, Policy tag TAMPA_PT, Policy profile wcguest_Global_NF_37beac82, Switching Central, old BSSID e44e.2d04.82c5, Socket delay 0ms
2025/04/09 18:12:14.500067385 {wncd_x_R0-0}{1}: [client-orch-state] [19943]: (note): MAC: 5a4b.4256.75e4 Client state transition: S_CO_L3_AUTH_IN_PROGRESS -> S_CO_L3_AUTH_IN_PROGRESS
2025/04/09 18:12:14.500770041 {wncd_x_R0-0}{1}: [dot11] [19943]: (note): MAC: 5a4b.4256.75e4 Association success. AID 18, Roaming = True, WGB = False, 11r = False, 11w = False Fast roam = False
2025/04/09 18:12:14.501248568 {wncd_x_R0-0}{1}: [client-orch-state] [19943]: (note): MAC: 5a4b.4256.75e4 Client state transition: S_CO_L3_AUTH_IN_PROGRESS -> S_CO_L2_AUTH_IN_PROGRESS
2025/04/09 18:12:14.502702913 {wncd_x_R0-0}{1}: [client-orch-sm] [19943]: (note): MAC: 5a4b.4256.75e4 Mobility discovery triggered. Client mode: Local
2025/04/09 18:12:14.502706983 {wncd_x_R0-0}{1}: [client-orch-state] [19943]: (note): MAC: 5a4b.4256.75e4 Client state transition: S_CO_L2_AUTH_IN_PROGRESS -> S_CO_MOBILITY_DISCOVERY_IN_PROGRESS
2025/04/09 18:12:14.502955846 {wncd_x_R0-0}{1}: [mm-client] [19943]: (note): MAC: 5a4b.4256.75e4 Mobility Successful. Roam Type None, Sub Roam Type MM_SUB_ROAM_TYPE_INTRA_INSTANCE, Previous BSSID MAC: e44e.2d04.82c5 Client IFID: 0xa000004f, Client Role: Local PoA: 0x9000000e PoP: 0x0
2025/04/09 18:12:14.503295428 {wncd_x_R0-0}{1}: [client-auth] [19943]: (note): MAC: 5a4b.4256.75e4 ADD MOBILE sent. Client state flags: 0x76 BSSID: MAC: e44e.2d04.81aa capwap IFID: 0x9000000e, Add mobiles sent: 1
2025/04/09 18:12:14.503468103 {wncd_x_R0-0}{1}: [client-orch-state] [19943]: (note): MAC: 5a4b.4256.75e4 Client state transition: S_CO_MOBILITY_DISCOVERY_IN_PROGRESS -> S_CO_DPATH_PLUMB_IN_PROGRESS
2025/04/09 18:12:14.503704336 {wncd_x_R0-0}{1}: [client-orch-state] [19943]: (note): MAC: 5a4b.4256.75e4 Client state transition: S_CO_DPATH_PLUMB_IN_PROGRESS -> S_CO_IP_LEARN_IN_PROGRESS
2025/04/09 18:12:14.503998470 {wncd_x_R0-0}{1}: [client-orch-state] [19943]: (note): MAC: 5a4b.4256.75e4 Client state transition: S_CO_IP_LEARN_IN_PROGRESS -> S_CO_L3_AUTH_IN_PROGRESS

So technically the flow at high level should be - endpoint will get ip address > WLC will present the portal page to the endpoint > endpoint need to put the credential(if consent then accept) > WLC will authenticate the client and move to RUN state.
2025/04/09 18:12:14.504126407 {wncd_x_R0-0}{1}: [client-auth] [19943]: (note): MAC: 5a4b.4256.75e4 L3 Authentication initiated. LWA
2025/04/09 18:12:40.687356114 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [19943]: (note): Authentication Success. Resolved Policy bitmap:4 for client 5a4b.4256.75e4
2025/04/09 18:12:40.688223398 {wncd_x_R0-0}{1}: [sanet-shim-miscellaneous] [19943]: (ERR): authc policy update from SANet vlan 192
2025/04/09 18:12:40.688390130 {wncd_x_R0-0}{1}: [client-auth] [19943]: (note): MAC: 5a4b.4256.75e4 L3 Authentication Successful. ACL:[]
2025/04/09 18:12:40.688844663 {wncd_x_R0-0}{1}: [client-auth] [19943]: (note): MAC: 5a4b.4256.75e4 ADD MOBILE sent. Client state flags: 0x78 BSSID: MAC: e44e.2d04.81aa capwap IFID: 0x9000000e, Add mobiles sent: 1
2025/04/09 18:12:40.689119256 {wncd_x_R0-0}{1}: [client-orch-state] [19943]: (note): MAC: 5a4b.4256.75e4 Client state transition: S_CO_L3_AUTH_IN_PROGRESS -> S_CO_RUN

0 Helpful

Rajesh Kumar Reddy
Level 1
Level 1
In response to Saikat Nandy

‎04-10-2025 10:08 PM

Hi Sanandy,

what would be the solution to this.

as I have stated, Users are able to receive IP address, Authenticate and gets connected to SSID but they are not getting connected to the Internet.

what things should be checked to get this sorted.

Thanks.

0 Helpful

marce1000
Hall of Fame
Hall of Fame
In response to Rajesh Kumar Reddy

‎04-10-2025 11:36 PM

 

 @Rajesh Kumar Reddy            >...what things should be checked to get this sorted.
                                                Check if the VLAN subnet from the WLAN/VLAN pair has an open path to  the Internet,

  M.
                                    



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Saikat Nandy
Cisco Employee
Cisco Employee
In response to Rajesh Kumar Reddy

‎04-11-2025 09:38 AM - edited ‎04-11-2025 09:38 AM

Well your statement and logs are not complimenting each other. Your log says most of the time auth failed.

If your statement (client gets ip, gets authenticated successfully and moving to RUN state) is indeed true, then you need to check the vlan (if that has internet access, easily can be checked with a laptop on same vlan in the wired network), DNS server or any ACL.

Can I have the output of 'show wireless client mac-address <mac addr> detail' command from WLC CLI of the test user in failed state.

Rajesh Kumar Reddy
Level 1
Level 1
In response to Saikat Nandy

‎04-11-2025 10:04 AM

Hi

accept your statement but client is initially getting connected to Internet..he is not having the internet connection I believe when he is in idle state.

0 Helpful

Saikat Nandy
Cisco Employee
Cisco Employee
In response to Rajesh Kumar Reddy

‎04-11-2025 10:09 AM

Thanks for the feedback. Now the problem description has changed even more. I am trying to connect the dots and there is one config which could be relevant - Idle timeout inside the Policy Profile (Advanced Tab). By default the idle timeout is 300 secs=5Mins. You can increase it to 10-15mins and see if that helps you in anyway. Note - Increasing the idle timeout to a huge number can cause stale client entries in your WLC too. So please plan it accordingly.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card