08-01-2021 01:03 AM
I have a wireless network with AIR-AP1832 APs and a CT-3504 controller (OS version 8.10.130.0). All is working fine except for an iPhone 12 Pro Max with iOS 14.5.1, which disconnects from the network frequently.
Can anyone help in this regard? The WLC config is attached.
08-01-2021 01:32 AM
What does the debug say?
08-01-2021 02:50 AM
- Have the controller config, as you posted in the attachment, analyzed with: https://cway.cisco.com/tools/WirelessAnalyzer/
(I will attach the controller and AP parts in the next section of this answer). You can also do client debugging with: https://cway.cisco.com/tools/WirelessDebugAnalyzer/
Here's the result from your attachment (from https://cway.cisco.com/tools/WirelessAnalyzer/ ). Rerun it to get the complete reports; you will then also get the color indicators showing severity.
Level | Message | Action
---|---|---
30122 | RLDP: RLDP is enabled for all AP types. This may have severe impact on voice applications, and lower performance for general data. It is advisable to use the option of monitor mode Aps if this is a security requirement, or disable it | RLDP should be configured to use only Monnitor mode APs, please check your WPS configuration. This may have severe impact on performance
30012 | AP Manager: AP manager interfaces count less than number of active ports, and no LAG, not supported configuration | For non LAG scenarios, all active physical ports should have a AP manager interface associated, otherwise there can be traffic issues, or CAPWAP errors. Check active port assignment on the interfaces
120003 | Security: It is recommended to monitor all channels for rogue detection. Band(s): 2.4GHz,5GHz | None
30071 | Fast SSID: Fast SSID enabled is recommended for networks that may have Apple IOS client devices | Fast SSID allows easier client jump between WLANS, and it is highly recommended for networks with Apple devices. It should not be used in combination with NAC policies. Command: config network fast-ssid-change enable
30076 | NTP: Controller without time source, please configure a valid NTP server | No time source detected for this controller. It could be incomplete configuration, check that NTP servers are configured. Command: config time ntp server
30077 | Security: Controller with telnet enabled, this is not advisable from security point of view | For security reasons, it is not recommended to use Telnet for CLI access to the controller, use SSH instead
30112 | Multicast: The IPv6 Multicast/Broadcast mode is on Unicast. | For performance optimizations, it is recommended to use multicast transport mode. Please enable in general multicast settings
30119 | NTP: NTP Polling Interval is set, but no NTP Server is configured. Controller should have time source | Please check the NTP time sync status, as having a proper time source is critical for several features
120001 | Security: It is recommended to disable Management over wireless, if the feature is needed, ensure you have a proper CPU ACL | In Config/network, you can enable/disable this feature. Use only when needed
120004 | Security: No WLAN with WPA2/802.1x was detected, it is recommended to use proper authentication for security reasons. This may not be applicable on some deployment models | It is expected to see at least one network with L2 security policies enable. This is just a general check to confirm if this is a status done intentionally
120009 | Security: No CPU ACL detected, it is recommended it, to restrict management access to the controller | In some scenarios, a CPU ACL can be set to improve security. This may need testing, so use with care
120014 | Security: The following Management Password policies are not enabled: Position Check,Case Digit Check | This is optional security best practice
120015 | Security: HTTP access to management is enabled, it is recommended to only allow https for security reasons | This is optional security best practice
60020 | RF: WLC has 12.5% of APs with failed Interference Profile for 2.4GHz Band | None
30097 | RRM: TPC is not set to Auto. For general deployments it is recommended to use RRM. Band(s): 2.4 GHz,5 GHz | None
30057 | RF: Legacy rate in Global in use. Disabling low data rates/11b can help to optimise the channel utilisation on the 2.4 band. Depending on RF coverage, or if using legacy clients, this may cause problems. Please validate before enforcing the changes, as this may have important RF dependencies. | In most scenarios, it is good idea to disable 11b data rates (1,2,5.5,11), as they would use more RF time, and be more sensible to interference, it is advisable to only enable 11g rates, unless you need to support legacy devices. Command: config 802.11b rate disabled X
30064 | Authentication: EAPoL request timeout larger than 400 ms. EAP key requests may benefit for faster recovery, and better behavior on bad RF, by using higher counts, lower retry timeout. Please validate on your specific client types before enforcing the changes | EAPoL request timer found to be higher than 400ms. In most scenarios, 400 would allow faster recovery in case of problems. Some devices may need longer timers, so always check. Use command: config advanced eap eapol-key-timeout, to adjust
30067 | Rogue Detection: Minimum Rogue RSSI detection threshold should be set to -80 or higher, unless mandated by your security policies | Min RSSI feature allows to filter out unwanted rogues from the network (out of building). It is advisable to use -70 to -80 depending on your physical location and security policies. Command: config rogue detection min-rssi
30083 | High Availability: High Availability is a recommended redundancy solution for supported platforms | This is general recommendation to use HA feature when possible, to improve network reliability
30084 | Webauth: Virtual Gateway IP is not on 192.0.2.0/24 , 198.51.100.0/24 , 203.0.113.0/24 networks, change to recommended to avoid overlapping with Internet Allocated addresses. RFC5737 | Virtual GW address must not match any Internet Routable address, as it could lead to controller absorving traffic for it. Use one of the recommended addresses
30111 | DHCP: It is recommended to have the DHCP proxy enabled. | This is purely a general recommendation, please validate if applicable in your environment
30081 | Load Balancing: Enterprise: Aggressive Load Balancing is a recommended best practice for enterprise environments with proper AP density, for local mode APs. Do not use for WLANs with interactive applications (voice/video) | Load Balancing could help on load distribution on some scenarios, it must be avoided for networks with interactive traffic like voice or video. Command: config wlan load-balance allow enable ID
30082 | Client Profiling: Local Profiling is a recommended best practice for better client visibility | Local profiling is recommended in general, unless using NAC profiling. To enable: config wlan profiling local all enable ID
30130 | Security: WLC is not vulnerable to CVE-2017-13082 802.11r/FT | Informational message about vulnerability exposure
30125 | WLAN: Disabled WLAN, no checks run. WLAN(s): Senior Officer | None
Level | Message | APs | Action
---|---|---|---
20024 | WCAE: Missing configuration. | MConf-Room | This is indication of incomplete or corrupted config file. Try to capture using transfer upload command
20017 | Syslog: Syslog to broadcast. | More than 10 APs affected, use standalone tool for more details | AP syslog is set to broadcast destination (default). It is recommended to configure unicast server, for security and ease of troubleshooting. Command: config ap syslog host global
60029 | RF: AP shows low coverage (all neighbors < -75 dBm) on 5GHz band. This could affect roaming and be indication of poor RF design or NDP issues. | AP-ROOM-205-CORRIDOR | None
20007 | CAPWAP: Invalid primary switch config. | More than 10 APs affected, use standalone tool for more details | The AP has configured a controller name which is not present in the analyzed config file. This may also indicate an error in the AP configuration.
20028 | RRM: Assigned channel not in DCA list. | AP-Research-Room-02, AP-SECTT-1 | Current assigned channel is not on the DCA list, this could cause problems on roaming or reaction to DFS events. It is recommended to match the DCA channel list to the AP assigned channels
60030 | RF: AP has asymmetric nearby between radios, if the antennas per band are the same, this could indicate a radio hang. | AP-Room-88 | For non DFS channels, if the antennas are same between both radios, if the AP has neighbors better than -77 in one radio, and none in the other, this could be indication of radio hang, and should be investigated
60027 | RF: AP is isolated (no neighbors) on 5GHz band. This could be expected on single AP scenarios, but could be indication of poor RF design or NDP issues. | AP-Room-88 | None
30050 | High Density: RX-SOP in use. | More than 10 APs affected, use standalone tool for more details | This is informational message, no action required, if this was changed intentionally
60013 | RF: AP side channel interference above threshold. | More than 10 APs affected, use standalone tool for more details | None
60011 | RF: AP Cochannel interference above threshold, 2.4 GHz Band. | AP-Room-88, AP-Room-274, AP-Room-213 | None
60005 | RF: Interference Profile Failed, 2.4GHz Band. | AP-Room-213, AP-ROOM-265, AP-Room-114, AP-CT-1Flr-Room-10, AP-Room-261 | None
20032 | Rogue Containment: AP used for Containment. | AP-ROOM-205-CORRIDOR | AP has been used for containment. This is a security feature, but its usage on client serving AP have severe impact on WLAN service availability. If containment is required, use dedicated APs to lower network impact
60012 | RF: AP Cochannel interference above threshold, 5 GHz Band. | More than 10 APs affected, use standalone tool for more details | None
60014 | RF: AP high channel utilization. Band 2.4GHz. | AP-CT-1Flr-Room-12 | None
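The analyzer output above is pasted as a flat "code / message / Action / |" dump, which is awkward to work through by hand when the same report has to be re-run after each change. The following is an added example (not code from the Cisco tool or from the poster) that parses that pasted layout into structured findings, separates the security-related items (the telnet, HTTP, CPU ACL and syslog type checks) from RF tuning advice, and lists whatever `Command:` the tool suggested so they can be reviewed before being typed into the controller. The `REPORT` text is a constructed excerpt built from the findings in this thread; the row layout it expects is the one shown above.

```python
"""Parse a pasted Cisco Wireless Config Analyzer report into findings.

Added example; the REPORT excerpt below is constructed from the findings
pasted in this thread and is not a complete analyzer run.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the pasted report: one code line, the message,
# an optional 'APS:' line, an optional 'Action:' line, then a lone '|'.
REPORT = """\
Level | Message |
---|---|
30077 |
Security: Controller with telnet enabled, this is not advisable from security point of view
Action: For security reasons, it is not recommended to use Telnet for CLI access to the controller, use SSH instead
|
30071 |
Fast SSID: Fast SSID enabled is recommended for networks that may have Apple IOS client devices
Action: Fast SSID allows easier client jump between WLANS, and it is highly recommended for networks with Apple devices. It should not be used in combination with NAC policies. Command: config network fast-ssid-change enable
|
120015 |
Security: HTTP access to management is enabled, it is recommended to only allow https for security reasons
Action: This is optional security best practice
|
20017 |
Syslog: Syslog to broadcast.
APS: More than 10 APs affected, use standalone tool for more details
Action: AP syslog is set to broadcast destination (default). It is recommended to configure unicast server, for security and ease of troubleshooting. Command: config ap syslog host global
|
"""


@dataclass
class Finding:
    code: int                # the numeric check id in the 'Level' column
    category: str            # text before the first ':' in the message
    message: str             # rest of the message line(s)
    action: str = ""         # the 'Action:' text, if any
    aps: list = field(default_factory=list)  # APs named on an 'APS:' line
    command: str = ""        # CLI suggested after 'Command:' in the action


def parse_report(text):
    """Turn the pasted two-column dump into a list of Finding objects."""
    findings = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines and the markdown-style table header rows.
        if not line or line.startswith("Level") or line.startswith("---"):
            continue
        m = re.fullmatch(r"(\d+)\s*\|", line)
        if m:  # a new row starts with '<code> |'
            current = Finding(code=int(m.group(1)), category="", message="")
            findings.append(current)
            continue
        if line == "|":  # a lone pipe closes the row
            current = None
            continue
        if current is None:
            continue  # stray text outside any row
        if line.startswith("Action:"):
            current.action = line[len("Action:"):].strip()
            cm = re.search(r"Command:\s*(.+)$", current.action)
            if cm:
                current.command = cm.group(1).strip()
        elif line.startswith("APS:"):
            current.aps = [a.strip() for a in line[len("APS:"):].split(",") if a.strip()]
        elif not current.category:
            cat, _, msg = line.partition(":")
            current.category = cat.strip()
            current.message = msg.strip()
        else:  # continuation of a multi-line message
            current.message += " " + line
    return findings


def security_findings(findings):
    """Findings the tool files under 'Security' or whose action cites security."""
    return [f for f in findings
            if f.category == "Security" or "security" in f.action.lower()]


def suggested_commands(findings):
    """(code, command) pairs for every finding that carries a 'Command:' hint."""
    return [(f.code, f.command) for f in findings if f.command]


if __name__ == "__main__":
    found = parse_report(REPORT)
    for f in security_findings(found):
        print(f"{f.code}: {f.category}: {f.message}")
    for code, cmd in suggested_commands(found):
        print(f"{code} -> {cmd}")
```

Running this against a full pasted report gives a short list of the hardening items (telnet, HTTP management, syslog destination) separate from the RF tuning suggestions, plus the exact CLI the tool proposed, so each command can be checked against the deployment before it is applied.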
08-01-2021 05:47 AM
Any specific reason that you have multiple country codes (AR, BD, GB, MY, PK) and APs from multiple regulatory domains (C, A and H)?
Also, did you do an RF survey at the site? Most of your APs are in UNII-3 excluding 2 APs, and 1 AP has its 5GHz radio disabled. So it is recommended that you do an RF survey, and I can see APs from multiple regulatory domains are RF neighbors. So depending on the country you have deployed this setup in, you may be violating your regulatory set rules.