
Newly joined AP to ME will not let clients have internet connection.

mikesharp72
Level 1

I am setting up my first ME project.
When adding new APs to ME, clients cannot get an internet connection and they lose connection to the WLAN intermittently.
Here is part of my ME-WLC config:


DHCP Info


Total Leases: 15
Host Name MAC IP Lease Time Remaining
* 00:00:00:00:00:00 192.168.48.246 89 days 23 hours 53 minutes 28 seconds
* 00:00:00:00:00:00 192.168.48.128 89 days 22 hours 52 minutes 57 seconds
android-b63a7240ab92e794 00:00:00:00:00:00 192.168.19.117 4 hours 47 minutes 12 seconds
LAPTOP-MWA 00:00:00:00:00:00 192.168.14.41 23 hours 41 minutes 10 seconds
HUAWEI_MediaPad_T3_10 00:00:00:00:00:00 192.168.14.99 22 hours 3 minutes 44 seconds
android 00:00:00:00:00:00 192.168.19.249 3 hours 1 minute 58 seconds
* 00:00:00:00:00:00 192.168.95.34 4 hours 42 minutes 59 seconds
* 00:00:00:00:00:00 192.168.48.186 89 days 21 hours 51 minutes 38 seconds
johanness-Air 00:00:00:00:00:00 192.168.95.232 2 hours 51 minutes 13 seconds
* 00:00:00:00:00:00 192.168.95.213 2 hours 50 minutes 48 seconds
MikeSharp-S21 00:00:00:00:00:00 192.168.14.15 22 hours 13 minutes 59 seconds
Chromecast 00:00:00:00:00:00 192.168.14.144 21 hours 50 minutes 21 seconds
* 00:00:00:00:00:00 192.168.48.190 99 days 23 hours 59 minutes 57 seconds
* 00:00:00:00:00:00 192.168.48.119 89 days 22 hours 15 minutes 18 seconds
* 00:00:00:00:00:00 192.168.48.98 89 days 21 hours 49 minutes 28 seconds

Mobility Express DHCP Server


Scope: GrCorporate

Enabled.......................................... Yes
Lease Time....................................... 86400 (1 day )
Pool Start....................................... 192.168.14.10
Pool End......................................... 192.168.14.254
Network.......................................... 192.168.14.0
Netmask.......................................... 255.255.255.0
DHCP Server...................................... 192.168.14.254
Vlan............................................. 14
Management Scope................................. No
Central-Nat...................................... No
Default Routers.................................. 192.168.14.1 0.0.0.0 0.0.0.0
DNS Domain.......................................
DNS.............................................. 8.8.8.8 8.8.4.4 0.0.0.0

Mobility Express DHCP Server

Scope: GrGuests

Enabled.......................................... Yes
Lease Time....................................... 18000 (5 hours )
Pool Start....................................... 192.168.19.10
Pool End......................................... 192.168.19.254
Network.......................................... 192.168.19.0
Netmask.......................................... 255.255.255.0
DHCP Server...................................... 192.168.19.254
Vlan............................................. 19
Management Scope................................. No
Central-Nat...................................... No
Default Routers.................................. 192.168.19.1 0.0.0.0 0.0.0.0
DNS Domain.......................................
DNS.............................................. 8.8.8.8 8.8.4.4 0.0.0.0

Mobility Express DHCP Server

Scope: GrTech

Enabled.......................................... Yes
Lease Time....................................... 8640000 (100 days )
Pool Start....................................... 192.168.48.10
Pool End......................................... 192.168.48.254
Network.......................................... 192.168.48.0
Netmask.......................................... 255.255.255.0
DHCP Server...................................... 192.168.48.254
Vlan............................................. 48
Management Scope................................. No
Central-Nat...................................... No
Default Routers.................................. 192.168.48.1 0.0.0.0 0.0.0.0
DNS Domain.......................................
DNS.............................................. 8.8.8.8 8.8.4.4 0.0.0.0

Mobility Express DHCP Server

Scope: GrMembers

Enabled.......................................... Yes
Lease Time....................................... 18000 (5 hours )
Pool Start....................................... 192.168.95.10
Pool End......................................... 192.168.95.254
Network.......................................... 192.168.95.0
Netmask.......................................... 255.255.255.0
DHCP Server...................................... 192.168.95.254
Vlan............................................. 95
Management Scope................................. No
Central-Nat...................................... No
Default Routers.................................. 192.168.95.1 0.0.0.0 0.0.0.0
DNS Domain.......................................
DNS.............................................. 8.8.8.8 8.8.4.4 0.0.0.0

DHCP Opt-82 RID Format: <AP radio MAC address>
DHCP Opt-82 Format: binary
DHCP Proxy Behaviour: disabled


NAT Configuration Info


** DHCP Configuration **
Scope Name Enabled Nat Status Default Router VLAN
GrCorporate Yes Disabled 192.168.14.1 14
GrGuests Yes Disabled 192.168.19.1 19
GrTech Yes Disabled 192.168.48.1 48
GrMembers Yes Disabled 192.168.95.1 95


** WLAN Configuration **
ID SSID Status Scope Name Nat Status P2PBlocking VLAN
1 GrCorporate Enabled GrCorporate Disabled Disabled 14
2 GrGuests Enabled GrGuests Disabled Disabled 19
3 GrTech Enabled GrTech Disabled Disabled 48
4 GrMembers Enabled GrMembers Disabled Disabled 95


Exclusion List Configuration
Unable to retrieve exclusion-list entry


CDP Configuration
cdp version v2


Country Channels Configuration

Configured Country............................. NO - Norway
KEY: * = Channel is legal in this country and may be configured manually.
A = Channel is the Auto-RF default in this country.
. = Channel is not legal in this country.
C = Channel has been configured for use by Auto-RF.
x = Channel is available to be configured for use by Auto-RF.
(-,-) = (indoor, outdoor) regulatory domain allowed by this country.
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-
802.11bg :
Channels : 1 1 1 1 1
: 1 2 3 4 5 6 7 8 9 0 1 2 3 4
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-
NO (-E ,-E A * * * * A * * * * A * * .
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
802.11a : 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
Channels : 3 3 3 4 4 4 4 4 5 5 6 6 0 0 0 1 1 2 2 2 3 3 4 4 4 5 5 6 6 6 7
: 4 6 8 0 2 4 6 8 2 6 0 4 0 4 8 2 6 0 4 8 2 6 0 4 9 3 7 1 5 9 3
-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
NO (-E ,-E . A . A . A . A A A A A A A A A A A A A A A A . . . . . . . .


WPS Configuration Summary

Auto-Immune
Auto-Immune.................................... Disabled
Auto-Immune by aWIPS Prevention................ Disabled

Client Exclusion Policy
Excessive 802.11-association failures.......... Enabled
Excessive 802.11-authentication failures....... Enabled
Excessive 802.1x-authentication................ Enabled
IP-theft....................................... Enabled
Excessive Web authentication failure........... Enabled
Maximum 802.1x-AAA failure attempts............ 3

Signature Policy
Signature Processing........................... Enabled


Management Frame Protection
Global Infrastructure MFP state................ DISABLED (*all infrastructure settings are overridden)
AP Impersonation detection..................... Disabled
Controller Time Source Valid................... True


WLAN Client
WLAN ID WLAN Name Status Protection
------- ------------------------- --------- ----------
1 GrCorporate Enabled Optional
2 GrGuests Enabled Optional
3 GrTech Enabled Optional
4 GrMembers Enabled Optional


Custom Web Configuration

Radius Authentication Method..................... PAP
Cisco Logo....................................... Enabled
CustomLogo....................................... None
Custom Title..................................... None
Custom Message................................... None
Custom Redirect URL.............................. None
Web Authentication Login Success Page Mode....... Default
Web Authentication Type.......................... Internal Default
Logout-popup..................................... Enabled
External Web Authentication URL.................. None
QR Code Scanning Bypass Timer.................... 0
QR Code Scanning Bypass Count.................... 0

Configuration Per Profile:


Core dump Configuration

Core Dump upload is disabled

Core Dump file on flash:


Rogue AP Configuration

Rogue Detection Security Level................... high
Rogue Pending Time............................... 60 secs
Rogue on wire Auto-Contain....................... Disabled
Rogue using our SSID Auto-Contain................ Disabled
Valid client on rogue AP Auto-Contain............ Disabled
Rogue AP timeout................................. 1200
Rogue Detection Report Interval.................. 30
Rogue Detection Min Rssi......................... -80
Rogue Detection Transient Interval............... 300
Rogue Detection Client Num Threshold............. 0
Validate rogue AP against AAA.................... Disabled
Rogue AP AAA validation interval................. 0 secs
Total Rogues(AP+Ad-hoc) supported................ 200
Total Rogues classified.......................... 5

MAC Address Class State #Det #Rogue #Highest RSSI #RSSI #Channel #Second Highest #RSSI #Channel
Aps Clients det-Ap RSSI Det-Ap
----------------- ------------ -------------------- ---- ------- --------------- -- ------ --------------- ----------------- ------ ---------------
32:5c:96:29:54:48 Unclassified Alert 2 1 00:6b:f1:92:a2: 80 -58 unknown 00:c8:8b:60:80:70 -68 unknown
84:1e:a3:92:f5:4a Unclassified Alert 1 0 00:6b:f1:92:a2: 80 -70 1
b0:98:2b:72:c9:ce Unclassified Alert 1 0 00:6b:f1:92:a2: 80 -78 1
d0:6e:de:94:47:23 Unclassified Alert 1 0 00:6b:f1:92:a2: 80 -78 1
f6:da:5e:f0:c3:7f Unclassified Alert 2 1 00:6b:f1:92:a2: 80 -57 6 00:c8:8b:60:80:70 -63 6

Rogue AP RLDP Configuration

Rogue Location Discovery Protocol................ Enabled & Monitor-Only
RLDP Schedule Config............................. Disabled
RLDP Scheduling Operation........................ Disabled
RLDP Retry....................................... 1

RLDP Start Time RLDP End Time Day
--------------- ------------- ---

Rogue Auto Contain Configuration

Containment Level................................ 0(auto)
monitor_ap_only.................................. false

Adhoc Rogue Configuration

Detect and report Ad-Hoc Networks................ Enabled
Auto-Contain Ad-Hoc Networks..................... Disabled

Total Rogues(Ad-Hoc+AP) supported ............... 200
Total Ad-Hoc entries ............................ 0

Client MAC Address Adhoc BSSID State # APs Last Heard
------------------ ------------------ ----------------- ------ ------------- ----------

Rogue Client Configuration

Validate rogue clients against AAA............... Disabled
Validate rogue clients against MSE............... Enabled
Total Rogue Clients supported.................... 400
Total Rogue Clients present...................... 3

MAC Address State # APs Last Heard
----------------- ------------------ ----- -----------------------
54:2a:1b:c5:ad:e0 Alert 1 Tue Mar 22 19:49:30 2022
84:c5:a6:d4:09:b3 Alert 1 Tue Mar 22 20:01:07 2022
f0:79:60:24:dd:92 Alert 2 Tue Mar 22 20:03:07 2022

Ignore List Configuration

MAC Address
-----------------


Rogue Rule Configuration

Priority Rule Name Rule state Class Type Notify State Match Hit Count
-------- -------------------------------- ----------- ----------- -------- ----- --- ------ ---------

Rogue Rule Detailed Configuration
Rogue containment Configuration

Rogue containment flexconnect.................... disabled
Rogue containment auto-rate...................... enabled


Media-Stream Configuration

Multicast-direct State........................... disable
Allowed WLANs....................................


Stream Name Start IP End IP Operation Status
------------- --------------------------------------- -------------------------- ------------- ----------------

 

URL..............................................
E-mail...........................................
Phone............................................
Note.............................................
State............................................ disable

2.4G Band Media-Stream Configuration


Multicast-direct................................. Enabled
Best Effort...................................... Disabled
Video Re-Direct.................................. Enabled
Max Allowed Streams Per Radio.................... Auto
Max Allowed Streams Per Client................... Auto
Max Video Bandwidth.............................. 0
Max Voice Bandwidth.............................. 75
Max Media Bandwidth.............................. 85
Min PHY Rate..................................... 6000
Max Retry Percentage............................. 80

5G Band Media-Stream Configuration


Multicast-direct................................. Enabled
Best Effort...................................... Disabled
Video Re-Direct.................................. Enabled
Max Allowed Streams Per Radio.................... Auto
Max Allowed Streams Per Client................... Auto
Max Video Bandwidth.............................. 0
Max Voice Bandwidth.............................. 75
Max Media Bandwidth.............................. 85
Min PHY Rate..................................... 6000
Max Retry Percentage............................. 80
Number of Clients................................ 0


Client Mac Stream Name Stream Type Radio WLAN QoS Status
----------------- ----------- ----------- ---- ---- ------ -------
WLC Voice Call Statistics
WLC Voice Call Statistics for 802.11b Radio

WMM TSPEC CAC Call Stats
Total num of Calls in progress................. 0
Num of Roam Calls in progress.................. 0
Total Num of Calls Admitted.................... 0
Total Num of Roam Calls Admitted............... 0
Total Num of exp bw requests received.......... 0
Total Num of exp bw requests Admitted.......... 0
Total Num of Calls Rejected.................... 0
Total Num of Roam Calls Rejected............... 0
Num of Calls Rejected due to insufficent bw.... 0
Num of Calls Rejected due to invalid params.... 0
Num of Calls Rejected due to PHY rate.......... 0
Num of Calls Rejected due to QoS policy........ 0
SIP CAC Call Stats
Total Num of Calls in progress................. 0
Num of Roam Calls in progress.................. 0
Total Num of Calls Admitted.................... 0
Total Num of Roam Calls Admitted............... 0
Total Num of Preferred Calls Received.......... 0
Total Num of Preferred Calls Admitted.......... 0
Total Num of Ongoing Preferred Calls........... 0
Total Num of Calls Rejected(Insuff BW)......... 0
Total Num of Roam Calls Rejected(Insuff BW).... 0
KTS based CAC Call Stats
Total Num of Calls in progress................. 0
Num of Roam Calls in progress.................. 0
Total Num of Calls Admitted.................... 0
Total Num of Roam Calls Admitted............... 0
Total Num of Calls Rejected(Insuff BW)......... 0
Total Num of Roam Calls Rejected(Insuff BW).... 0

WLC Voice Call Statistics for 802.11a Radio

WMM TSPEC CAC Call Stats
Total num of Calls in progress................. 0
Num of Roam Calls in progress.................. 0
Total Num of Calls Admitted.................... 0
Total Num of Roam Calls Admitted............... 0
Total Num of exp bw requests received.......... 0
Total Num of exp bw requests Admitted.......... 0
Total Num of Calls Rejected.................... 0
Total Num of Roam Calls Rejected............... 0
Num of Calls Rejected due to insufficent bw.... 0
Num of Calls Rejected due to invalid params.... 0
Num of Calls Rejected due to PHY rate.......... 0
Num of Calls Rejected due to QoS policy........ 0
SIP CAC Call Stats
Total Num of Calls in progress................. 0
Num of Roam Calls in progress.................. 0
Total Num of Calls Admitted.................... 0
Total Num of Roam Calls Admitted............... 0
Total Num of Preferred Calls Received.......... 0
Total Num of Preferred Calls Admitted.......... 0
Total Num of Ongoing Preferred Calls........... 0
Total Num of Calls Rejected(Insuff BW)......... 0
Total Num of Roam Calls Rejected(Insuff BW).... 0
KTS based CAC Call Stats
Total Num of Calls in progress................. 0
Num of Roam Calls in progress.................. 0
Total Num of Calls Admitted.................... 0
Total Num of Roam Calls Admitted............... 0
Total Num of Calls Rejected(Insuff BW)......... 0
Total Num of Roam Calls Rejected(Insuff BW).... 0

 

And here is the config for my switch:

 

version 16.6
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname GRSW01
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5
!
no aaa new-model
switch 1 provision ws-c3650-48pd
!
!
!
!
ip routing
!
ip dhcp excluded-address 192.168.10.1 192.168.10.50
ip dhcp excluded-address 192.168.11.1 192.168.11.20
!
ip dhcp pool Management
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
option 43 ip 192.168.10.10
dns-server 8.8.8.8 255.255.255.255
!
ip dhcp pool LAN_Network
network 192.168.11.0 255.255.255.0
default-router 192.168.11.1
dns-server 8.8.8.8
!
!
!
no login on-success log
!
!
!
!
!
vtp mode transparent
!
crypto pki trustpoint TP-self-signed-2303880951
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2303880951
revocation-check none
rsakeypair TP-self-signed-2303880951
!
!
crypto pki certificate chain TP-self-signed-2303880951
certificate self-signed 01
quit
!
!
!
diagnostic bootup level minimal
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
redundancy
mode sso
!
!
transceiver type all
monitoring
!
vlan 10
name Management
!
vlan 11
name LAN_Network
!
vlan 14
name GrCorporate
!
vlan 19
name GrGuests
!
vlan 48
name GrTech
!
vlan 50
name WLAN-AP
!
vlan 95
name GrMembers
!
vlan 101
name DATA
!
vlan 107
name VOICE
!
vlan 109
name WLAN
!
!
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
description DHCP Snooping, EWLC control, EWCL data
class-map match-any system-cpp-police-sys-data
description Learning cache ovfl, Crypto Control, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-multicast
description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-system-critical
description System Critical and Gold
!
policy-map system-cpp-policy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
!
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/3
description **Master AP - ME WLC**
switchport trunk native vlan 10
switchport trunk allowed vlan 10,11,14,19,48,95
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/4
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/5
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/6
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/7
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/8
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/9
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/10
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/11
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/12
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/13
switchport access vlan 11
spanning-tree portfast
!
interface GigabitEthernet1/1/1
no switchport
ip address 192.168.5.1 255.255.255.252
!
interface GigabitEthernet1/1/2
switchport trunk native vlan 10
switchport trunk allowed vlan 10,11,14,19,48,95
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
!
interface Vlan11
ip address 192.168.11.1 255.255.255.0
!
interface Vlan14
ip address 192.168.14.1 255.255.255.0
!
interface Vlan19
ip address 192.168.19.1 255.255.255.0
!
interface Vlan48
ip address 192.168.48.1 255.255.255.0
!
interface Vlan95
ip address 192.168.95.1 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.5.2
!
!
!
!
!
control-plane
service-policy input system-cpp-policy
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
line vty 5 15
login
!
!
!
!
!
!
!
end

 

Is there anyone who can see if I have made an obvious mistake?

I have tried with ap2802i and ap3702i and I get the same error where clients cannot get internet connection.

Any help would be highly appreciated.

10 Replies

marce1000
VIP

 

 - Have a sanity check of the controller configuration with : https://cway.cisco.com/tools/WirelessAnalyzer/

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

These are my results using WCAE, and I can see some errors, but I cannot see why that would manifest in clients not being able to connect to the secondary AP.
I fiddled around in the web GUI and made the secondary AP the controller, and then it was possible for clients to connect to it, but then the primary AP refused to let clients connect.
I have found some DNS config errors on the switch, which are now corrected, but it made no difference.
Any ideas here?

 

 - On the non-working AP controller, you can also do client debugging and have the output processed by: https://cway.cisco.com/tools/WirelessDebugAnalyzer/

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hi!

 

Sorry for late reply, but I have been sick and not able to access where my setup is installed.

 

The attached files are debug client logs from the primary AP and the secondary AP.
What I can see is that my clients do not seem to receive a DHCP IP and therefore are disconnecting.

But when I am connecting to the primary AP they are receiving a DHCP IP and can connect.
I do not understand why. Any tips?

 

Thanks  //Mike

mikesharp72
Level 1

See my reply.

 

 

Rich R
VIP

Which port is your 2nd AP connected to?

If 1/1/2 then it needs to be in trunk mode for a start ... (both AP ports should look the same)

Secondary APs will be connected to ports g1/0/5-12.

 

APs are joining just fine, but it looks like the secondary APs' clients cannot get a DHCP IP.

And that IS your problem - those ports should be configured the same as GigabitEthernet1/0/3 if you want the clients to work.

ME works only in flexconnect local switching mode so all ports must be trunk ports with the relevant VLANs.

Ok, thanks.

I was wondering a bit about that when I was researching this challenge.
I will re-config ports on my switch and let you know the results here.


Thank you for the help.
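Added example, not part of the original thread: a small Python audit for the mismatch the thread settles on, where AP ports are left as access ports even though ME switches client traffic locally onto the WLAN VLANs. The sample config is a constructed excerpt modelled on the posted switch config; the function names are hypothetical, and the parser only understands `switchport mode` and `switchport trunk allowed vlan [add]` lines.

```python
import re

# Constructed excerpt modelled on the switch config posted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/3
 description **Master AP - ME WLC**
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,11,14,19,48,95
 switchport mode trunk
!
interface GigabitEthernet1/0/5
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/1/2
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,11,14,19,48,95
!
"""

# VLANs behind the four WLANs (GrCorporate, GrGuests, GrTech, GrMembers).
WLAN_VLANS = {14, 19, 48, 95}


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,14-16' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_interfaces(config):
    """Map interface name -> {'mode': str or None, 'allowed': set or None}."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # works with or without stanza indentation
        if line.startswith("interface "):
            current = ports.setdefault(line.split()[1], {"mode": None, "allowed": None})
        elif line == "!":
            current = None  # '!' closes the interface stanza
        elif current is not None:
            mode = re.fullmatch(r"switchport mode (\S+)", line)
            allowed = re.fullmatch(r"switchport trunk allowed vlan (add )?([\d,\-]+)", line)
            if mode:
                current["mode"] = mode.group(1)
            elif allowed:
                vlans = expand_vlans(allowed.group(2))
                if not allowed.group(1):
                    current["allowed"] = vlans      # plain form replaces the list
                elif current["allowed"] is not None:
                    current["allowed"] |= vlans     # 'add' extends an explicit list
    return ports


def audit_ap_ports(config, ap_ports, wlan_vlans):
    """Return {port: reason} for AP ports that cannot carry every WLAN VLAN."""
    ports = parse_interfaces(config)
    findings = {}
    for name in ap_ports:
        port = ports.get(name)
        if port is None:
            findings[name] = "interface not found in config"
        elif port["mode"] != "trunk":
            # Covers access ports and ports with trunk settings but no 'mode trunk'.
            findings[name] = "not a static trunk (switchport mode %s)" % (port["mode"] or "unset")
        elif port["allowed"] is not None:  # no allowed-list means all VLANs
            missing = wlan_vlans - port["allowed"]
            if missing:
                findings[name] = "trunk missing VLANs " + ",".join(map(str, sorted(missing)))
    return findings
```

Run `audit_ap_ports(SAMPLE_CONFIG, [...], WLAN_VLANS)` against the full running config with every port an AP plugs into; an empty result means each AP port is a trunk carrying all WLAN VLANs.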
