07-20-2020 01:51 AM - edited 07-05-2021 12:18 PM
I have a WLC-2504 with 3 APs connected, which are AIR-AP3802I-E; the software level on the controller is 8.5.103.
Until recently everything has been working perfectly. Within the last couple of weeks I am getting random clients (Microsoft Windows laptops and also Apple iPads and iPhones) dropping their layer 3 connectivity; they still stay connected to the controller but get no internet access. If I disconnect the WiFi and reconnect, it all then works fine.
I have the controller connected to the switch with a 4x EtherChannel.
Need an answer for this, a bit confused about this one.
Thanks
Martin
07-20-2020 02:07 AM
Ref : https://developer.cisco.com/docs/wireless-troubleshooting-tools/
- Use https://cway.cisco.com/tools/WirelessAnalyzer/ for a sanity check of your controller configuration. https://cway.cisco.com/tools/WirelessDebugAnalyzer/ can be used for client debugging
M.
07-20-2020 03:38 AM
Done the controller check and this is the output. Is there anything obvious causing my issue?
10023,Parsing error catch while generating WLANs per AP slot.
10011,Error parsing AP Groups, 5 GHz band..................
10011,Error parsing AP Groups, Capwap Prefer Mode....
10023,Parsing error catch while generating WLANs per AP slot.
10011,Error parsing RF Profiles. Line Transmit Power Threshold v1
10011,Error parsing RF Profiles. Line 802.11g 54M Rate...................
10011,Error parsing RF Profiles. Line 802.11b/g 1M Rate..............
10019,General: Error while parsing, Duplicated AP name:isco AP Name...................
30111,General: It is recommended to have the DHCP proxy enabled.
30057,General: Disabling low data rates/11b can help to optimize the channel utilization on the 2.4 band. Depending on RF coverage, or if using legacy clients, this may cause problems. Please validate before enforcing the changes, as this may have important RF dependencies. Global Configuration
30057,General: Disabling low data rates/11b can help to optimize the channel utilization on the 2.4 band. Depending on RF coverage, or if using legacy clients, this may cause problems. Please validate before enforcing the changes, as this may have important RF dependencies.. For RF Profile: Low-Client-Density-802.11bg
30064,General: EAPoL request timeout larger than 400ms. EAP key requests may benefit for faster recovery, and better behavior on bad RF, by using higher counts, lower retry timeout. Please validate on your specific client types before enforcing the changes
30065,General: EAP request retries lower than 3. EAP requests may benefit for faster recovery, and better behavior on bad RF, by using higher counts, lower retry timeout. Please validate on your specific client types before enforcing the changes
30067,General: Minimum Rogue RSSI detection threshold should be set to -80 or higher, unless mandated by your security policies. Current Value: -90
30101,General: Detected channels on band 100-140 as not in use for DCA. If country regulations allows it, it is advisable to enable to improve channel distribution on 802.11a band
120003,Security: It is recommended to monitor all channels for rogue detection. Band:5 GHz
120003,Security: It is recommended to monitor all channels for rogue detection. Band:2.4 GHz
120009,Security: it is recommended to set a CPU ACL, to control the management access to the controller
120015,Security: HTTP access to management is enabled, it is recommended to only allow https for security reasons
120016,Security: High encryption for management is not enabled
120001,Security: It is recommended to disable Management over wireless for security reasons
120013,Security: Minimum management password length should be 8 or higher
110011,BYOD: It is recommended to have EAPOL Request Timeout less than 3 seconds.
10011,Exception catch parsing file . Partially missing configuration for AP: Kitchen-AP
10011,Exception catch parsing file . Partially missing configuration for AP: isco AP Name...................
120012,Security: it is recommended to set policy to reject WiFi Direct clients for security purposes. Be aware this will impact association on some smartphone models. WLAN:MartyNet
110001,BYOD: Radius NAC should be enabled to allow Radius Change of Authorization between ISE and WLC. WLAN: 1
110002,BYOD: MAC filter is recommended to enable. WLAN: 1
110003,BYOD: AAA override is recommended to enable. WLAN: 1
110005,BYOD: Longer session timeout is better for AAA load up to a value of 86400 seconds for 802.1x SSIDs or 65535 seconds for open/CWA SSIDs, shorter is better from security point of view. Do not leave the session timeout unset as ISE will remove ''inactive sessions'' after 5 days leading to a possible session miss-match between ISE and the WLC for long lasting connections. WLAN: 1
110006,BYOD: Interim Accounting should be disabled to prevent unneeded accounting load on ISE Exception is for ISPs, which provide tracking on byte based services. WLAN: 1
110008,BYOD: Recommended Client Exclusion value with ISE is 180 sec, to prevent misconfigured clients cause intensive radius traffic for ISE. WLAN: 1
110001,BYOD: Radius NAC should be enabled to allow Radius Change of Authorization between ISE and WLC. WLAN: 2
110002,BYOD: MAC filter is recommended to enable. WLAN: 2
110003,BYOD: AAA override is recommended to enable. WLAN: 2
110005,BYOD: Longer session timeout is better for AAA load up to a value of 86400 seconds for 802.1x SSIDs or 65535 seconds for open/CWA SSIDs, shorter is better from security point of view. Do not leave the session timeout unset as ISE will remove ''inactive sessions'' after 5 days leading to a possible session miss-match between ISE and the WLC for long lasting connections. WLAN: 2
110006,BYOD: Interim Accounting should be disabled to prevent unneeded accounting load on ISE Exception is for ISPs, which provide tracking on byte based services. WLAN: 2
110008,BYOD: Recommended Client Exclusion value with ISE is 180 sec, to prevent misconfigured clients cause intensive radius traffic for ISE. WLAN: 2
120012,Security: it is recommended to set policy to reject WiFi Direct clients for security purposes. Be aware this will impact association on some smartphone models. WLAN:KidsNet
110001,BYOD: Radius NAC should be enabled to allow Radius Change of Authorization between ISE and WLC. WLAN: 3
110002,BYOD: MAC filter is recommended to enable. WLAN: 3
110003,BYOD: AAA override is recommended to enable. WLAN: 3
110005,BYOD: Longer session timeout is better for AAA load up to a value of 86400 seconds for 802.1x SSIDs or 65535 seconds for open/CWA SSIDs, shorter is better from security point of view. Do not leave the session timeout unset as ISE will remove ''inactive sessions'' after 5 days leading to a possible session miss-match between ISE and the WLC for long lasting connections. WLAN: 3
110006,BYOD: Interim Accounting should be disabled to prevent unneeded accounting load on ISE Exception is for ISPs, which provide tracking on byte based services. WLAN: 3
110008,BYOD: Recommended Client Exclusion value with ISE is 180 sec, to prevent misconfigured clients cause intensive radius traffic for ISE. WLAN: 3
120012,Security: it is recommended to set policy to reject WiFi Direct clients for security purposes. Be aware this will impact association on some smartphone models. WLAN:IoT
110001,BYOD: Radius NAC should be enabled to allow Radius Change of Authorization between ISE and WLC. WLAN: 4
110002,BYOD: MAC filter is recommended to enable. WLAN: 4
110003,BYOD: AAA override is recommended to enable. WLAN: 4
110005,BYOD: Longer session timeout is better for AAA load up to a value of 86400 seconds for 802.1x SSIDs or 65535 seconds for open/CWA SSIDs, shorter is better from security point of view. Do not leave the session timeout unset as ISE will remove ''inactive sessions'' after 5 days leading to a possible session miss-match between ISE and the WLC for long lasting connections. WLAN: 4
110006,BYOD: Interim Accounting should be disabled to prevent unneeded accounting load on ISE Exception is for ISPs, which provide tracking on byte based services. WLAN: 4
110008,BYOD: Recommended Client Exclusion value with ISE is 180 sec, to prevent misconfigured clients cause intensive radius traffic for ISE. WLAN: 4
30081,Enterprise: Aggresive Load Balancing is a recommended best practice for enterprise environments with proper AP density, for local mode APs. Do not use for WLANs with interactive applications (voice/video)
120004,Security: No 802.1x WLAN was detected, it is recommended to use proper authentication for security reasons. This may not be applicable on some deployment models
20024,AP: Missing configuration, information not present in file. Possible corrupted file
20017,AP: Syslog messages are sent to broadcast address, if there are errors reported by many APs, and there are too many APs per vlan, this can cause broadcast storms. For best practices, it is better to configure to individual server
120008,Security: AP Local credentials to access point CLI are not configured. For best security practices, it is desirable to configure to Username/passwords to all APs
20029,AP: TCP-MSS feature should be enabled
120011,Security: if high security is needed, AP should use dot1x authentication towards switch port. AP:UpStairs-AP
60014,RF: AP has channel utilization for 2.4 GHz radio higher than a threshold of 29%. Effect depends on RF conditions
20017,AP: Syslog messages are sent to broadcast address, if there are errors reported by many APs, and there are too many APs per vlan, this can cause broadcast storms. For best practices, it is better to configure to individual server
120008,Security: AP Local credentials to access point CLI are not configured. For best security practices, it is desirable to configure to Username/passwords to all APs
20029,AP: TCP-MSS feature should be enabled
120011,Security: if high security is needed, AP should use dot1x authentication towards switch port. AP:DownStairs-AP
60014,RF: AP has channel utilization for 2.4 GHz radio higher than a threshold of 29%. Effect depends on RF conditions
60005,RF: Interference Profile Failed in radio 2.4GHz, per controller profile settings
20024,AP: Missing configuration, information not present in file. Possible corrupted file
120008,Security: AP Local credentials to access point CLI are not configured. For best security practices, it is desirable to configure to Username/passwords to all APs
20029,AP: TCP-MSS feature should be enabled
20024,AP: Missing configuration, information not present in file. Possible corrupted file
120008,Security: AP Local credentials to access point CLI are not configured. For best security practices, it is desirable to configure to Username/passwords to all APs
20029,AP: TCP-MSS feature should be enabled
Use at your own risk
Report Generated at:11:36:02 20/07/2020
Questions?: WLC Config Analyzer Mail List.
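The findings tagged "Security:" and "General:" in the report above map onto a handful of AireOS CLI settings. The block below is an added example, not part of the original thread and not output of the analyzer; it shows, per finding code, the command that changes the flagged setting to the recommended one. It assumes a management subnet of 192.168.1.0/24, a syslog server at 192.168.1.50 and the WLAN IDs 1-4 listed in the report; the ACL name MGMT-CPU, the AP username apadmin and the MSS value 1363 are placeholders chosen for illustration.

```cisco
! Added example (not from the original thread): AireOS 8.5 commands that
! address the Security:/General: findings in the analyzer report.
! ASSUMED: management subnet 192.168.1.0/24, syslog server 192.168.1.50,
! WLAN IDs 1-4 as in the report. Run these from a WIRED host or the console:
! two of them remove the path you may currently be managing the WLC over.

! --- 120015 / 120016: HTTP management is enabled -> HTTPS (and SSH) only
config network webmode disable
config network secureweb enable
config network telnet disable
config network ssh enable

! --- 120001: management over wireless -> disabled
config network mgmt-via-wireless disable

! --- 120009: no CPU ACL -> restrict management to one subnet.
! A CPU ACL ends in an implicit deny, so rule 1 must permit the subnet
! you administer from, or you lock yourself out of the GUI/SSH.
config acl create MGMT-CPU
config acl rule add MGMT-CPU 1
config acl rule source address MGMT-CPU 1 192.168.1.0 255.255.255.0
config acl rule action MGMT-CPU 1 permit
config acl rule direction MGMT-CPU 1 any
config acl apply MGMT-CPU
config acl cpu MGMT-CPU

! --- 30111: DHCP proxy -> enabled (WLC relays DHCP from its interface address)
config dhcp proxy enable

! --- 120008: no AP CLI credentials -> push a local user to every joined AP
config ap mgmtuser add username apadmin password <AP-PASSWORD> secret <AP-ENABLE-SECRET> all

! --- 20017: AP syslog to broadcast -> unicast to one server
config ap syslog host global 192.168.1.50

! --- 20029: TCP MSS adjust -> enabled (1363 assumed for a 1500-byte path)
config ap tcp-mss-adjust enable all 1363

! --- 30067: rogue detection threshold -90 -> -80
config rogue detection min-rssi -80

! --- 120012: Wi-Fi Direct clients -> rejected, per WLAN.
! Disable the WLAN first (most WLAN parameters require it); this briefly
! drops the clients on that WLAN, so repeat for 2-4 in a maintenance window.
config wlan disable 1
config wlan wifidirect not-allow 1
config wlan enable 1

! --- verify, then save: nothing above survives a reboot until saved
show network summary
show acl cpu
show acl detailed MGMT-CPU
save config
```

Before applying the CPU ACL, confirm from `show acl detailed MGMT-CPU` that rule 1 really matches the address you are logged in from; the report's own caveat on 30111 and 120012 (validate on your clients first) applies equally here, and the 120004 finding (no 802.1X WLAN) is a design change, not a one-line fix, so it is deliberately left out.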
07-20-2020 04:01 AM
07-20-2020 04:03 AM
The only problem with that is I can't download the latest version; my CCO does not have enough rights to download the latest version. Can anyone send me the latest version?
07-20-2020 04:21 AM
@Martin wrote:
my CCO does not have enough rights to download latest version
A-ha! You got a CCO account, right?
1. Go HERE.
2. Trawl through the list and look for something scary but make sure it applies to AireOS.
3. Each page has a section called Customers Without Service Contracts.
4. Read that section very, very carefully.
07-20-2020 05:26 AM
Looked at that, and it wants me to call them to get the software. They will charge a fortune for this; is there no other way to obtain this?
07-20-2020 05:40 AM
@Martin wrote:
and it wants me to call them to get the software, they will charge a fortune for this, no other way to obtain this?
Read the section VERY, VERY CAREFULLY.
Now tell me which bit does it say Cisco will charge you for the firmware.
07-20-2020 05:46 AM
It's asking for card numbers before even speaking to them.
So you are saying they won't charge for the software?
07-20-2020 06:07 AM
W. T. F.
You CALLED Cisco TAC?
In case you didn't really, really read the Customers Without Service Contracts, let me spell it out:
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
Please read and understand the highlighted section (above). Pay close attention to the last two words of the sentence.
NOTE: Of all the people I have helped to get free updates, this is the first time someone actually called Cisco TAC. (Imagine trying to verbally give TAC the website.)
07-20-2020 06:16 AM
No, I haven't called them.
When I clicked the link on the Customers Without Service Contracts it just took me to the page with all the numbers on it.
I don't want to call them, but I don't see a way of doing it online. If you could provide a little more guidance on how to get it online, I would be grateful.
07-20-2020 06:19 AM
Send an email to TAC.
07-20-2020 06:49 AM
Just did that, thanks
07-20-2020 07:50 AM
Just got an email back; they are sending the software. Many thanks for the help.
Let's just hope it fixes it now.
04-01-2021 05:30 PM - edited 04-01-2021 05:31 PM
Can we try it with a dynamic page? I'm working on a project hosted on WordPress and I want to test it for the blog about wireless dropping.