>We upgraded our 9800 WLC firmware Friday 1st March from version 17.3.6 to 17.9.4.
  - Go a step further to 17.9.4a + latest APSP (too) ; this is important in cases like this (17.9.4a is current advisory)

   Whether previously working or not , have a checkup of the 9800 WLC configuration with the CLI command show tech wireless and feed the output to : Wireless Config Analyzer

  For testing if you know to which AP a particular gun will connect (and or in a test setup) ; issue this command first on the AP:
                          show  ap client-trace events mac aa:bb:cc:01:02:03 (the latter mac address must of course be changed accordingly ). Then during the connecting process (and later) follow up on the outputs shown or check the logs on the AP

   - Further engage in full client debugging according to https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity , these debugs can be analyzed with Wireless Debug Analyzer

  - Outputs from the commands mentioned in https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#toc-hId-866973845 can also be useful

 - Review this thread for other hints : https://community.cisco.com/t5/wireless/disconnections-handheld-android-10-with-cisco-9800/td-p/4607901

 M.

Hi Dan,

Based on your description, it is clearly looks like a 1542AP and 17.9.4 code related issues. Best to work with TAC and find out any specific bugs causing it. Sometime may be worth 17.9.5 code and see (TAC can advice if that helps)

HTH
Rasika
*** Pls rate all useful responses ***

For the sake of consistency, please upgrade to 17.9.5 and try again.  

As an update we have updated the WLC to 17.9.5 and this has not solved the issue.

We have narrowed down the issue to the use of the scan gun SSID with the AIR-AP1542D-E-K9 APs.  Other findings:

1.) Corporate PC, Corporate Mobile Phone, and Guest Wireless SSIDs seem to work via the AIR-AP1542D-E-K9.

2.) The Scan gun SSID connects fine to the C9105AXI-E and C9124AXI APs (as do the Corporate PC, Corporate Mobile Phone, and Guest Wireless SSIDs)

The issue seems to be specific to the connection, from the scan guns, to the scan gun SSID via the AIR-AP1542D-E-K9.

One of teh Team ran a Radioactive trace on that MAC and the logs provided teh following:

MAC: a1b2.c3d4.e5f6  Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_CLIENT_EAP_TIMEOUT_FAILURE

(Note: MAC does not reflect true address)

We are continuing to review and may review the AP firmware.

Hello All

Update

We believe we have managed to solve this now as all scan guns are able to connect to the required wireless SSID via the AIR-AP1542D-E-K9 APs.

It seems that during the upgrade the Layer 2 Security for the Scanners SSID was set to WPA2 + WPA3.  We changed this is WPA + WPA2 and the scan guns connect to the AIR-AP1542D-E-K9 APs now (see screen shot of before change).

On checking the AIR-AP1542D-E-K9 data sheet the APs don't seem to support WPA3 whereas the others do.  The scan guns were connecting to other APs, which support WPA2 and WPA3, without an issue.  Our AIR-AP1542D-E-K9 APs are deployed in the warehouse areas where the scan guns are primarily used so very inconvenient.

From Data Sheets:

Cisco Aironet 1540 Series Outdoor Access Points Data Sheet

Wireless Access

• 802.11i, Wi-Fi Protected Access 2 (WPA2), and WPA

Cisco Catalyst 9105 Series Access Points Data Sheet

Security:

• 802.11i, Wi-Fi Protected Access 2 (WPA2), WPA3

We believe that the scan guns are seemingly unable to transition between APs that are capable of running WPA2 + WPA3 and those that can only run WPA + WPA2 and hence our issue.

Thanks to all those that contributed.

Dan