Solved: Re: Wireless Clients Unable to Ping C3850

J0se · ‎04-02-2025

Hello all,

I have a C3850 setup with the attached config, 3850 is the WLC with an attached 3802 AP. This is a test setup I am working on and I am having an issue with the wireless clients. They are able to connect to the WLAN (vlan30) and successfully receive a DHCP address (10.30.0.0 network) from the 3850. However, they are not able to ping anything else on the network including the DHCP server. If multiple wireless clients are connected, they can not ping each other either. When I plug those same devices into a vlan30 switch port, everything works fine. It can connect to everything on the network and the internet. I have some Cisco experience from back in high school but it has been a while and I am just getting back into this all.

Thank you for taking a look at this and any help you can provide is greatly appreciated!

-Joe

Rich R · ‎04-03-2025

1. Cisco quietly killed off the Converged Access wireless product which is what you're using on the 3850, because it was hardly used and had numerous problems which they couldn't easily resolve.
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-5/release_notes/ol-16-5-3850.html#pgfId-1291287

Converged Access (CA) is not supported beyond Cisco IOS XE Denali 16.3.x.
On the Cisco Catalyst 3850 Series Switches, CA is supported in the Cisco IOS XE Denali 16.3.x software release, which has extended support for 40 months.

So this is a very old, unsupported product which you are trying to use!

2. You have a 3802 AP - why not just use that to run Mobility Express instead? Also old now, but at least it can run up to AireOS 8.10.196.0 - the final release of AireOS last year.
https://software.cisco.com/download/home/286304536/type/286289839/release/8.10.196.0
https://www.cisco.com/c/en/us/support/wireless/mobility-express/series.html
https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/mobility-express/q-and-a-c67-734485.html

3. You could also use 9800-CL (virtual) WLC so that you're running the latest IOS-XE WLC technology which is well documented and supported and used by many of us so plenty of help available.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

View solution in original post

ulineosan · ‎04-02-2025

Is the AP connected to the 3850 on Gi1/0/44? If so, try removing portfast, configuring it as a trunk, and allowing both Vlan 11 and 30.

J0se · ‎04-02-2025

Unfortunately when I configure the port as a trunk for vlan 11 and 30 the AP doesn't ever connect to the 3850. My understanding is that the port should be set as an access port for the wireless management vlan and that the CAPWAP tunnel carries the other tagged traffic to the WLC. I have included the looping output from the AP console below showing what happens when I connect it to a trunk port for vlans 11 and 30.

[*07/22/2020 04:31:51.8117]
[07/22/2020 04:31:53.9200] wired0 emac 0: link up
[07/22/2020 04:31:53.9700] wired0: link up
[07/22/2020 04:31:54.0200] wired0: started
[*07/22/2020 04:31:54.0764] aptrace_register_sysproc_fn: duplicate registeration for 'wired'
[*07/22/2020 04:31:54.0771] Waiting for uplink IPv4/IPv6 configuration
[*07/22/2020 04:31:59.0781] Waiting for uplink IPv4/IPv6 configuration
[*07/22/2020 04:32:04.0790] Waiting for uplink IPv4/IPv6 configuration
[*07/22/2020 04:32:09.0798] Resetting wired0, if[07/22/2020 04:32:09.1000] wired0: stopped
config down up

J0se · ‎04-02-2025

I just realized the date on the output above, could that be causing this? Does the AP not sync its time to the WLC?

edit: Disregard, the clock is correct. After I plugged it into an access port again it connected to the WLC everything synced.

AP780C.F018.06FA#show clock
*04:57:23 UTC Thu Apr 3 2025

ulineosan · ‎04-02-2025

You are correct about the CAPWAP tunnel. I'm not sure about the NTP part.

ulineosan · ‎04-02-2025

Could you check under the wlan Dot1x_Test configuration, the "client vlan 0030" line. Does this command accept a vlan ID argument? Could you try entring just "30" instead of "0030", or try specifying a vlan name?

3850(config)# vlan 30
3850(config-vlan)# name WLAN_CLIENT
3850(config-vlan)# wlan Dot1x_Test 1 Dot1x_test
3850(config-wlan)# client vlan WLAN_CLIENT

Rich R · ‎04-03-2025

1. Cisco quietly killed off the Converged Access wireless product which is what you're using on the 3850, because it was hardly used and had numerous problems which they couldn't easily resolve.
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-5/release_notes/ol-16-5-3850.html#pgfId-1291287

Converged Access (CA) is not supported beyond Cisco IOS XE Denali 16.3.x.
On the Cisco Catalyst 3850 Series Switches, CA is supported in the Cisco IOS XE Denali 16.3.x software release, which has extended support for 40 months.

So this is a very old, unsupported product which you are trying to use!

2. You have a 3802 AP - why not just use that to run Mobility Express instead? Also old now, but at least it can run up to AireOS 8.10.196.0 - the final release of AireOS last year.
https://software.cisco.com/download/home/286304536/type/286289839/release/8.10.196.0
https://www.cisco.com/c/en/us/support/wireless/mobility-express/series.html
https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/mobility-express/q-and-a-c67-734485.html

3. You could also use 9800-CL (virtual) WLC so that you're running the latest IOS-XE WLC technology which is well documented and supported and used by many of us so plenty of help available.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

J0se · ‎04-03-2025

I was trying to use just the hardware I was given for this experiment. That being said, I did try creating a 9800-CL vm to make sure this was not some issue with the AP. I was able to create the WLAN and get everything kind of working in a round about way. The two issues I had there were: 1.) I had to have the AP plugged into a vlan 10 (the regular user vlan for the rest of the network) access port on my switch. The wireless management vlan 11 would not work, the AP would never connect and loop just like my reply above. 2.) With the 9800-CL, the AP would reset the connection to the WLC every minute or two. The whole wireless network would drop out and then I had to wait for the AP to connect back to the WLC before I could connect a client. I felt that test showed me the AP was working and I decided to go back to the 3850 config and see if I could find the issue with that.

Rich R · ‎04-03-2025

Sounds like you had something fundamentally wrong with your 9800-CL config too!
Use the Config Analyzer (link below) to check your 9800 config but I wouldn't waste time on the Converged Access solution.
We'd have to see the WLC and AP logs to understand why the AP kept dropping on 9800.
Also take note of the TAC recommended code version link below.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Scott Fella · ‎04-03-2025

@J0se I agree with @Rich R in that, you should use the 9800-CL. There is no reason to use Converged Access, as that is pretty much dead. Search the internet for "cisco 9800-CL installation video" and look at a few for your hypervisor you are using. As long as the vlan's are being trunked to your hypervisor host, you should be okay to centrally switch, but if your hypervisor is not connected to a trunk port, then use FlexConnect local switching. This way traffic from devices will egress from the ap to the switch, not transversing back to the controller.

There are a lot of blogs and videos for the 9800-CL install, configuration, and even FlexConnect. That is what I would use if you have not setup many of these in the past.

-Scott
*** Please rate helpful posts ***