Solved: Re: Users unable to connect to Guest SSID

as03Goku · ‎12-12-2024

Hello, We have a WLC 9800 where some of the users are unable to connect to Guest SSID all of a sudden, it keeps on loading and says 'no internet, connected'. When I check the mac it says 'IP learn' in WLC client logs and hosts will be assigned with APIPA. Attached is the radioactive trace for one of the mac. Below is the version WLC is running on. We have a meraki at site which acts as a DHCP, core switch vlan is configured with dhcp relay.
Please advise

---------

sh version
Cisco IOS XE Software, Version 17.09.03
Cisco IOS Software [Cupertino], C9800 Software (C9800_IOSXE-K9), Version 17.9.3, RELEASE SOFTWARE (fc6)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2023 by Cisco Systems, Inc.

EDIT: RADIOACTIVE TRACE ATTACHED

as03Goku · ‎12-15-2024

ok I figured it out, looks like I had to add ip helper address config on SVI configured on WLC too. Adding just on core switch wasnt enough. My bad

View solution in original post

MHM Cisco World · ‎12-12-2024

Nothing wrong

You face dhcp pool exhaust

Reduce lease time or enlarge the Pool

MHM

as03Goku · ‎12-12-2024

hello, right now the pool is /23 and we have around 500 users at site. Lease time is 12 hours- hope this is ok

MHM Cisco World · ‎12-12-2024

500 users not meaning 500 IP' the one guest can get multi IP when it conn-disconn.

So double check the dhcp pool ip lease see how many IP free.

MHM

marce1000 · ‎12-12-2024

- APIPA stands for Automatic Private IP Addressing , (a link local address was assigned)
meaning that no effective DHCP server could be reached.
Feed the debugTrace........ into Wireless Debug Analyzer

For further insights,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

as03Goku · ‎12-12-2024

Hello Marce, Looks like Client is stuck in IP learn State

2024/12/12 16:26:14.850	client-orch-sm	Client roamed to a new AP/BSSID: BSSID 6cd6.e375.1a2f, WLAN TxGuest, Slot 1 AP 6cd6.e375.1a20, TIPL_AP_2F_IT, old BSSID 6cd6.e375.1a20
2024/12/12 16:26:14.850	client-orch-state	Entering IP learn state
2024/12/12 16:26:14.850	dot11	Association success for client, assigned AID is: 10. Client performed fast roam.
2024/12/12 16:26:14.856	client-auth	Client successfully completed Pre-shared Key authentication. Assigned VLAN: 889
2024/12/12 16:26:14.856	client-orch-state	Starting Mobility Anchor discovery for client
2024/12/12 16:26:14.856	client-orch-state	Entering IP learn state
2024/12/12 16:27:15.116	client-orch-sm	Controller initiated client deletion with code: CO_CLIENT_DELETE_REASON_CLIENT_DHCP_FAILURE. Explanation: Client reported DHCP error on deauth frame. Actions: Check DHCP server, and collect RA trace

marce1000 · ‎12-12-2024

- Client can 'not reach' the DHCP server ; check if it can be reached from the VLAN , the guests are arriving in,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

as03Goku · ‎12-12-2024

Hello Marce, I configured LAN port with Guest VLAN and I was able to get the IP address. The device is not getting IP only on Wireless

MHM Cisco World · ‎12-13-2024

I will send you PM check it

MHM

as03Goku · ‎12-15-2024

ok I figured it out, looks like I had to add ip helper address config on SVI configured on WLC too. Adding just on core switch wasnt enough. My bad

MHM Cisco World · ‎12-15-2024

You are welcome

MHM

Rich R · ‎12-24-2024

Why are you using SVI on 9800?
It is only required for specific features and introduces additional security risks and problems on the controller.
The recommended design for 9800 is pure layer 2 VLAN config on the controller with all helpers and other layer 3 config on the connected switch/router network.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#Wirelessclientinterfaces
SVI is required if you must do DHCP relay on the 9800 but note that there is a serious bug CSCwm73020 in 9800 if you relay to more than 1 DHCP server which can cause client failures (no IP).
Refer to https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#DHCPbridgingandDHCPrelay

> Cisco IOS XE Software, Version 17.09.03
Refer to TAC recommended releases link below and consider upgrading to a TAC recommended release.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390