
Wireless clients dropping layer 3 connectivity when connected to WiFi

Martin
Level 1

I have a WLC-2504 with 3 APs connected, which are AIR-AP3802I-E; the software level on the controller is 8.5.103.

Until recently everything has been working perfectly. Within the last couple of weeks I am getting random clients (Microsoft Windows laptops and also Apple iPad and iPhones) dropping their layer 3 connectivity; they still stay connected to the controller but get no internet access. If I disconnect the WiFi and reconnect, it all then works fine.

 

I have the controller connected to the switch with a 4x etherchannel.

 

Need an answer for this, bit confused about this one.

 

Thanks

Martin


marce1000
VIP

 

               Ref : https://developer.cisco.com/docs/wireless-troubleshooting-tools/

 

 - Use https://cway.cisco.com/tools/WirelessAnalyzer/ for a sanity check of your controller configuration
 - https://cway.cisco.com/tools/WirelessDebugAnalyzer/ can be used for client debugging

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Done the controller check and this is the output. Is there anything obvious causing my issue?

 

 

WLC Config Analyzer - Report

 


 

Controller Messages

MartyNet-WiFi

10023,Parsing error catch while generating WLANs per AP slot.

10011,Error parsing AP Groups, 5 GHz band..................

10011,Error parsing AP Groups, Capwap Prefer Mode....

10023,Parsing error catch while generating WLANs per AP slot.

10011,Error parsing RF Profiles. Line Transmit Power Threshold v1

10011,Error parsing RF Profiles. Line 802.11g 54M Rate...................

10011,Error parsing RF Profiles. Line 802.11b/g 1M Rate..............

10019,General: Error while parsing, Duplicated AP name:isco AP Name...................

30111,General: It is recommended to have the DHCP proxy enabled.

30057,General: Disabling low data rates/11b can help to optimize the channel utilization on the 2.4 band. Depending on RF coverage, or if using legacy clients, this may cause problems. Please validate before enforcing the changes, as this may have important RF dependencies. Global Configuration

30057,General: Disabling low data rates/11b can help to optimize the channel utilization on the 2.4 band. Depending on RF coverage, or if using legacy clients, this may cause problems. Please validate before enforcing the changes, as this may have important RF dependencies.. For RF Profile: Low-Client-Density-802.11bg

30064,General: EAPoL request timeout larger than 400ms. EAP key requests may benefit for faster recovery, and better behavior on bad RF, by using higher counts, lower retry timeout. Please validate on your specific client types before enforcing the changes

30065,General: EAP request retries lower than 3. EAP requests may benefit for faster recovery, and better behavior on bad RF, by using higher counts, lower retry timeout. Please validate on your specific client types before enforcing the changes

30067,General: Minimum Rogue RSSI detection threshold should be set to -80 or higher, unless mandated by your security policies. Current Value: -90

30101,General: Detected channels on band 100-140 as not in use for DCA. If country regulations allows it, it is advisable to enable to improve channel distribution on 802.11a band

120003,Security: It is recommended to monitor all channels for rogue detection. Band:5 GHz

120003,Security: It is recommended to monitor all channels for rogue detection. Band:2.4 GHz

120009,Security: it is recommended to set a CPU ACL, to control the management access to the controller

120015,Security: HTTP access to management is enabled, it is recommended to only allow https for security reasons

120016,Security: High encryption for management is not enabled

120001,Security: It is recommended to disable Management over wireless for security reasons

120013,Security: Minimum management password length should be 8 or higher

110011,BYOD: It is recommended to have EAPOL Request Timeout less than 3 seconds.

10011,Exception catch parsing file . Partially missing configuration for AP: Kitchen-AP

10011,Exception catch parsing file . Partially missing configuration for AP: isco AP Name...................

120012,Security: it is recommended to set policy to reject WiFi Direct clients for security purposes. Be aware this will impact association on some smartphone models. WLAN:MartyNet

110001,BYOD: Radius NAC should be enabled to allow Radius Change of Authorization between ISE and WLC. WLAN: 1

110002,BYOD: MAC filter is recommended to enable. WLAN: 1

110003,BYOD: AAA override is recommended to enable. WLAN: 1

110005,BYOD: Longer session timeout is better for AAA load up to a value of 86400 seconds for 802.1x SSIDs or 65535 seconds for open/CWA SSIDs, shorter is better from security point of view. Do not leave the session timeout unset as ISE will remove ''inactive sessions'' after 5 days leading to a possible session miss-match between ISE and the WLC for long lasting connections. WLAN: 1

110006,BYOD: Interim Accounting should be disabled to prevent unneeded accounting load on ISE Exception is for ISPs, which provide tracking on byte based services. WLAN: 1

110008,BYOD: Recommended Client Exclusion value with ISE is 180 sec, to prevent misconfigured clients cause intensive radius traffic for ISE. WLAN: 1

110001,BYOD: Radius NAC should be enabled to allow Radius Change of Authorization between ISE and WLC. WLAN: 2

110002,BYOD: MAC filter is recommended to enable. WLAN: 2

110003,BYOD: AAA override is recommended to enable. WLAN: 2

110005,BYOD: Longer session timeout is better for AAA load up to a value of 86400 seconds for 802.1x SSIDs or 65535 seconds for open/CWA SSIDs, shorter is better from security point of view. Do not leave the session timeout unset as ISE will remove ''inactive sessions'' after 5 days leading to a possible session miss-match between ISE and the WLC for long lasting connections. WLAN: 2

110006,BYOD: Interim Accounting should be disabled to prevent unneeded accounting load on ISE Exception is for ISPs, which provide tracking on byte based services. WLAN: 2

110008,BYOD: Recommended Client Exclusion value with ISE is 180 sec, to prevent misconfigured clients cause intensive radius traffic for ISE. WLAN: 2

120012,Security: it is recommended to set policy to reject WiFi Direct clients for security purposes. Be aware this will impact association on some smartphone models. WLAN:KidsNet

110001,BYOD: Radius NAC should be enabled to allow Radius Change of Authorization between ISE and WLC. WLAN: 3

110002,BYOD: MAC filter is recommended to enable. WLAN: 3

110003,BYOD: AAA override is recommended to enable. WLAN: 3

110005,BYOD: Longer session timeout is better for AAA load up to a value of 86400 seconds for 802.1x SSIDs or 65535 seconds for open/CWA SSIDs, shorter is better from security point of view. Do not leave the session timeout unset as ISE will remove ''inactive sessions'' after 5 days leading to a possible session miss-match between ISE and the WLC for long lasting connections. WLAN: 3

110006,BYOD: Interim Accounting should be disabled to prevent unneeded accounting load on ISE Exception is for ISPs, which provide tracking on byte based services. WLAN: 3

110008,BYOD: Recommended Client Exclusion value with ISE is 180 sec, to prevent misconfigured clients cause intensive radius traffic for ISE. WLAN: 3

120012,Security: it is recommended to set policy to reject WiFi Direct clients for security purposes. Be aware this will impact association on some smartphone models. WLAN:IoT

110001,BYOD: Radius NAC should be enabled to allow Radius Change of Authorization between ISE and WLC. WLAN: 4

110002,BYOD: MAC filter is recommended to enable. WLAN: 4

110003,BYOD: AAA override is recommended to enable. WLAN: 4

110005,BYOD: Longer session timeout is better for AAA load up to a value of 86400 seconds for 802.1x SSIDs or 65535 seconds for open/CWA SSIDs, shorter is better from security point of view. Do not leave the session timeout unset as ISE will remove ''inactive sessions'' after 5 days leading to a possible session miss-match between ISE and the WLC for long lasting connections. WLAN: 4

110006,BYOD: Interim Accounting should be disabled to prevent unneeded accounting load on ISE Exception is for ISPs, which provide tracking on byte based services. WLAN: 4

110008,BYOD: Recommended Client Exclusion value with ISE is 180 sec, to prevent misconfigured clients cause intensive radius traffic for ISE. WLAN: 4

30081,Enterprise: Aggresive Load Balancing is a recommended best practice for enterprise environments with proper AP density, for local mode APs. Do not use for WLANs with interactive applications (voice/video)

120004,Security: No 802.1x WLAN was detected, it is recommended to use proper authentication for security reasons. This may not be applicable on some deployment models


 

AP Messages

UpStairs-AP

20024,AP: Missing configuration, information not present in file. Possible corrupted file

20017,AP: Syslog messages are sent to broadcast address, if there are errors reported by many APs, and there are too many APs per vlan, this can cause broadcast storms. For best practices, it is better to configure to individual server

120008,Security: AP Local credentials to access point CLI are not configured. For best security practices, it is desirable to configure to Username/passwords to all APs

20029,AP: TCP-MSS feature should be enabled

120011,Security: if high security is needed, AP should use dot1x authentication towards switch port. AP:UpStairs-AP

60014,RF: AP has channel utilization for 2.4 GHz radio higher than a threshold of 29%. Effect depends on RF conditions

DownStairs-AP

20017,AP: Syslog messages are sent to broadcast address, if there are errors reported by many APs, and there are too many APs per vlan, this can cause broadcast storms. For best practices, it is better to configure to individual server

120008,Security: AP Local credentials to access point CLI are not configured. For best security practices, it is desirable to configure to Username/passwords to all APs

20029,AP: TCP-MSS feature should be enabled

120011,Security: if high security is needed, AP should use dot1x authentication towards switch port. AP:DownStairs-AP

60014,RF: AP has channel utilization for 2.4 GHz radio higher than a threshold of 29%. Effect depends on RF conditions

60005,RF: Interference Profile Failed in radio 2.4GHz, per controller profile settings

Kitchen-AP

20024,AP: Missing configuration, information not present in file. Possible corrupted file

120008,Security: AP Local credentials to access point CLI are not configured. For best security practices, it is desirable to configure to Username/passwords to all APs

20029,AP: TCP-MSS feature should be enabled

isco AP Name...................

20024,AP: Missing configuration, information not present in file. Possible corrupted file

120008,Security: AP Local credentials to access point CLI are not configured. For best security practices, it is desirable to configure to Username/passwords to all APs

20029,AP: TCP-MSS feature should be enabled


 

 

Use at your own risk

Report Generated at:11:36:02 20/07/2020

Questions?: WLC Config Analyzer Mail List.

 

Leo Laohoo
Hall of Fame
8.5.103.0 < --- I'd start with that.

Only problem with that is I can't download the latest version; my CCO does not have enough rights to download the latest version. Can anyone send me the latest version?


@Martin wrote:

my CCO does not have enough rights to download latest version


A-ha!  You got a CCO account, right? 

1.  Go HERE.

2.  Trawl through the list and look for something scary but make sure it applies to AireOS.  

3.  Each page has a section called Customers Without Service Contracts.

4.  Read that section very, very carefully.

Looked at that, and it wants me to call them to get the software; they will charge a fortune for this. No other way to obtain this?


@Martin wrote:

and it wants me to call them to get the software, they will charge a fortune for this, no other way to obtain this?


Read the section VERY, VERY CAREFULLY.  
Now tell me which bit does it say Cisco will charge you for the firmware. 

  • Numbers with an asterisk (*) have special dial instructions.
    1. Dial the Local Access number.
    2. After the chime, dial the Card number and PIN number 5689.
    3. After you hear a few beeps, dial *99.
    4. If dialing *99 doesn't work, the operator will ask you what number you wish to dial; use the card number.
  • Numbers with a double asterisk (**) may not be available from all mobile phones.

It's asking for card numbers before even speaking to them.

So you're saying they won't charge for the software?

W.  T.  F.  

You CALLED Cisco TAC?

In case you didn't really, really read the Customers Without Service Contracts, let me spell it out:  

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

Please read and understand the highlighted section (above).  Pay close attention to the last two words of the sentence.  

NOTE:  Of all the people I have helped to get free updates, this is the first time someone actually called Cisco TAC.  (Imagine trying to verbally give TAC the website.)

No, I haven't called them.

When I clicked the link on the Customers Without Service Contracts section, it just took me to the page with all the numbers on it.

I don't want to call them, but I don't see a way of doing it online. If you could provide a little more guidance on how to get it online, I would be grateful.

Send an email to TAC

Just did that, thanks.

Just got an email back; they are sending the software. Many thanks for the help.

Let's just hope it fixes it now.

emslinsa76140
Level 1

Can we try it with dynamic page? I'm working for the project that hosted on WordPress and I want to test it for the blog of wireless dropping.
