04-18-2021 08:18 PM - edited 07-05-2021 01:10 PM
Hello,
I have catalyst 9130AXI connected to Catalyst 9800-CL (OS 16.12.5) installed on my Virtual Machine.
I configured Mac Address Bypass on this version and it works well, but there are problem with 5Ghz radio, it keep restarting 5Ghz radio on catalyst 9130AXI. the AP show this error before restarting the radios:
[*03/25/2021 10:17:59.8668] DOT11_DRV[1]: Beacon Stuck - reset radio for recovery [*03/25/2021 10:17:59.8669] DOT11_DRV[1]: *** Triggered FW assert for radio failure (Beacons stuck) [*03/25/2021 10:17:59.8669] [*03/25/2021 10:17:59.8736] DOT11_DRV[1]: *** Resetting Radio 1 [*03/25/2021 10:17:59.8736] DOT11_DRV[1]: Stop Radio1 - Begin [*03/25/2021 10:17:59.8898] DOT11_DRV[1]: Stop Radio1 - End
and so I try software version for 17.3.3 for this implementation.
in this software version, the issue on 5Ghz radio is solved but there is another issue on Mac Address Bypass.
I've configure Mac Address Bypass on 1 SSID, but I unable to connect my Laptop(with registered mac address).
On the vWLC, there are some log that show this error:
Apr 16 03:20:19.934: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (94db.c903.9372) on Interface capwap_9000000c AuditSessionID 0000000000001061D89DEDDE. Failure reason: Authc fail. Authc failure reason: AAA Server Down. Apr 16 03:20:20.999: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (94db.c903.9372) on Interface capwap_90000005 AuditSessionID 0000000000001062D89DF206. Failure reason: Authc fail. Authc failure reason: AAA Server Down. Apr 16 03:20:21.935: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (94db.c903.9372) on Interface capwap_9000000c AuditSessionID 0000000000001063D89DF5AE. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
Please advice regarding this issue.
Thanks.
note:
Solved! Go to Solution.
09-27-2021 08:23 PM
Hi All,
I want to give my update regarding this issue.
it turn out that it was a bug on 17.3 software (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv43870) that the entry format for the mac address must be without any separator.
Thanks all for all your suggestion and input.
04-19-2021 12:10 AM
- FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs86066
M.
04-19-2021 12:30 AM
Hi marce1000,
thanks for the reply.
we've overcome the problem regarding "Beacon Stuck" on 5Ghz radio by installing version 17.3.3.
but there are another problem occur as I mention above regarding Mac Address Bypass.
do you have any advice regarding issue with Mac Address Bypass?
04-27-2021 07:26 AM
The error message TELLS you what the problem is: "AAA Server Down".
So check your config and work out why the WLC cannot connect to your radius server! config/routes/ACL/source interface etc
09-26-2021 09:14 AM
Did anyone manage to fix this MAC filter problem, or found a version in 17.x that works ?
Failure reason: Authc fail. Authc failure reason: AAA Server Down.
I'm also following the steps in this article, https://0x2142.com/how-to-catalyst-9800-mac-filtering/
Same error.
I have done exactly the same create the MAC address list local within wlc, so the error message seems like a bug.
09-26-2021 02:51 PM
Have you checked https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz30708 ?
09-27-2021 05:14 AM - edited 09-27-2021 05:15 AM
I just had a read of CSCvz30708 and rebooted the wlc as per the resolution.
Still no good.
Example here's the whole chain of events when a device attempt to connect.
2021/09/27 21:47:30.477303 {wncd_x_R0-0}{1}: [client-orch-sm] [25006]: (note): MAC: xxxx.xxxx.xxxx Association received. BSSID b838.xxxx.xxxx, WLAN testssid, Slot 1 AP b838.xxxx.xxxx, AP72
2021/09/27 21:47:30.477394 {wncd_x_R0-0}{1}: [client-orch-state] [25006]: (note): MAC: xxxx.xxxx.xxxx Client state transition: S_CO_INIT -> S_CO_ASSOCIATING
2021/09/27 21:47:30.477500 {wncd_x_R0-0}{1}: [dot11-validate] [25006]: (ERR): MAC: xxxx.xxxx.xxxx Validating Samsung Device Info subtypes failed
2021/09/27 21:47:30.477663 {wncd_x_R0-0}{1}: [client-orch-state] [25006]: (note): MAC: xxxx.xxxx.xxxx Client state transition: S_CO_ASSOCIATING -> S_CO_MACAUTH_IN_PROGRESS
2021/09/27 21:47:30.477673 {wncd_x_R0-0}{1}: [client-auth] [25006]: (note): MAC: xxxx.xxxx.xxxx MAB Authentication initiated. Policy VLAN 10, AAA override = 1, NAC = 0
2021/09/27 21:47:30.477685 {wncd_x_R0-0}{1}: [sanet-shim-translate] [25006]: (ERR): xxxx.xxxx.xxxx wlan_profile Not Found : Device information attributes not populated
2021/09/27 21:47:30.478165 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [25006]: (note): Authentication Success. Resolved Policy bitmap:11 for client xxxx.xxxx.xxxx
2021/09/27 21:47:30.478440 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [25006]: (ERR): SANET_AUTHC_FAILURE - AAA Server Down username 8cb8xxxxxxxx, audit session id 5501010A000000162714D7B1,
2021/09/27 21:47:30.478620 {wncd_x_R0-0}{1}: [errmsg] [25006]: (note): %SESSION_MGR-5-FAIL: Authorization failed or unapplied for client (xxxx.xxxx.xxxx) on Interface capwap_90000004 AuditSessionID 5501010A000000162714D7B1. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
2021/09/27 21:47:30.478687 {wncd_x_R0-0}{1}: [client-orch-state] [25006]: (note): MAC: xxxx.xxxx.xxxx Client state transition: S_CO_MACAUTH_IN_PROGRESS -> S_CO_ASSOCIATING
2021/09/27 21:47:30.478692 {wncd_x_R0-0}{1}: [dot11] [25006]: (ERR): MAC: xxxx.xxxx.xxxx Failed to assoc failure tr state entry. Incorrect validation status value :1
2021/09/27 21:47:30.479444 {wncd_x_R0-0}{1}: [dot11] [25006]: (ERR): MAC: xxxx.xxxx.xxxx Dot11 update co assoc fail. Sent assoc failure to CO. delete reason: 9, CO_CLIENT_DELETE_REASON_MAB_FAILED
Strange error to have when the AAA is local wlc itself.
Unfortunately can't try to upgrade higher version, old access point this is the highest it can support.
09-27-2021 06:44 AM
Then I think you need to open a case with Cisco TAC and keep us updated on what they say.
09-27-2021 08:23 PM
Hi All,
I want to give my update regarding this issue.
it turn out that it was a bug on 17.3 software (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv43870) that the entry format for the mac address must be without any separator.
Thanks all for all your suggestion and input.
09-28-2021 04:29 AM
Brilliant this is exactly the solution.
Cisco should have coded the error log much better, it's no MAC matching, not AAA server down.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide