Re: Migrating from 5760 to 9800 WLC - DHCP issue VLAN ID failure, excl

VijayHarripersad · ‎10-14-2023

Hello team,

I have two sites, both have WLC CT5760. Each site directly connects to the internet and also has a MPLS link.

Each WLC has the same SSID name for both sites, VLAN ID also same, however the subnets for each of these are different.

Site A - Still running CT5760 / Site B - upgraded to WLC 9800 with configurations from the old CT5760 previously at site B replicated.

Clients at Site A and Site B connects fine.

I noticed sometimes when clients leave Site A, and comes to Site B the next day, some of them get "unable to connect" to the Staff WiFi (802.1x). WireShark shows that these clients are still looking for their DHCP at site A. The WLC 9800 at site B then reports VLAN failure and excludes the client.

Before upgrading to the 9800, both sites would have the same CT5760 WLC and same SSID without any issues at all.

What am I doing wrong here, what can I do to make this work?

balaji.bandi · ‎10-14-2023

before when the Client move from site B to Site A , what IP address user get ?

example the user connect site B and got ip address 10.10.10.100, when he move to Site A will he get same IP address before when the both controllers are same model ?

I know you mentioned - however the subnets for each of these are different. (does this mean when the user move from Site A to Site B - he will re-authenticate and get new IP address right ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

VijayHarripersad · ‎10-14-2023

Hello,

We both sites had the CT5760, the subnets for clients were different so the clients would get different IP addresses at either site.

When we upgraded site B to the 9800 while site A remained with the 5760, the subnets above continued to apply. Meaning no changes here, both site A and site B subnets are different, so the clients continue to get different IP addresses based on their site.

Wire Shark is showing that a client who moved from site A to site B, still tries to get the subnet at site A, WLC shows VLAN failure and client excluded.

Yes to your answer, he will reauthenticate and get a new IP when moving between the two sites.

balaji.bandi · ‎10-14-2023

Is the issue same on both sites move :

example Site A user move to Site B you have this issue and when Site B user move to Site A you have same issue :

what code running on AirOS and IOS XE ?

check below threads : anything that helps you ?

https://community.cisco.com/t5/wireless/17-9-x-clients-failing-to-join-due-to-vlan-failure-fix/td-p/4854072

https://community.cisco.com/t5/wireless/cisco-catalyst-9800-client-exclusion-server-reason-vlan-failure/td-p/4822147

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

VijayHarripersad · ‎10-14-2023

Hello,

We have not received reports for users who moved back from site B (9800) to site A (5760) thus far. 9800 IOS XE is 17.9.3. 5760 AIROS is 3.6.8E.

For one of the articles you share, this does not apply as our policy profile is configured with the client VLAN.

For the other article, I did come across this where they are asking to remove the SVI from the 9800 and maybe place it on an upstream switch. This wasnt in the Cisco best practise document though, so not sure if I should be doing it.

Futher information, all my WLCs used the internal DHCP for client ip addressing.

balaji.bandi · ‎10-14-2023

For the other article, I did come across this where they are asking to remove the SVI from the 9800 and maybe place it on an upstream switch. This wasnt in the Cisco best practise document though, so not sure if I should be doing it

reading the different documents, that what is suggested. But keep open for others to comment.

But as per your comment before there is no Mobility between these site, they work on different IP address space ?

but at the same time if this is urgent, contact TAC and asking their suggestion is best.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

marce1000 · ‎10-14-2023

>... shows that these clients are still looking for their DHCP at site A.
- Difficult to define , the client just does a DHCP broadcast to get an address.

For the native 9800 environment(s) consider : https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html#DHCPbridgingandDHCPrelay

Client behavior on the 9800 from connection onwards can be fully analyzed with instructions found in :
https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity
You can have Radio Active traces (client debugs) analyzed with : https://cway.cisco.com/wireless-debug-analyzer
You can also get statistics on client behavior with commands mention in : https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc5

Also (important) ; have a checkup of the WLC 9800 with the CLI command show tech wireless ; feed the output into
Wireless Config Analyzer

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

eglinsky2012 · ‎10-14-2023

Were both the old controllers in a mobility group together?

VijayHarripersad · ‎10-14-2023

Site B old 5760 controllers were in a mobility peer, 2 nodes at that site. Site A, the only mobility setting I see is mobility peer configured as Site A has two 5760 in mobility peers. See the screenshots below for the 5760 current mobility configs.

Rich R · ‎10-15-2023

1. Update to current TAC recommended release as per link below (currently 17.9.4)

2. Not recommended to use DHCP on the WLC and that might be a factor in the problem you're seeing - it is supported but Cisco may not ever have tested the particular configuration you're using so rather remove that from the equation altogether.

3. Then you can remove the SVI altogether (you need it for WLC DHCP) which *is* the recommended approach on 9800
https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html#Wirelessclientinterfaces
Wireless client interfaces
"For centrally switched traffic, it is mandatory to configure a Layer 2 VLAN (or a pool of VLANs) mapped to the SSID, but the corresponding Layer 3 interface (SVI) is not needed. This is different from AireOS, in which a dynamic interface (Layer 3 interface and related IP address) is required. The recommendation for C9800 is not to configure an SVI for client VLAN, unless: ..."

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Migrating from 5760 to 9800 WLC - DHCP issue VLAN ID failure, excluded