Solved: WLAN clients can't communicate since update from 17.3.3 to 17.3.4c

Bernd Nies · ‎04-11-2022

Hello,

We have Catalyst 9800-40 WLAN controllers and 90 Catalyst 9120AXI access points. Three weeks ago we upgraded from 17.3.3 to 17.3.4c. But instead of fixing a bug, it got exchanged with a new one: Since then all the WLAN clients can't communicate with each other. The WLAN is configured for central switching. Now it behaves like peer-blocking is enabled, but we had it disabled on purpose. It's an office wlan with 802.1x authentication and not a public wlan. Connectivity between wireless and wired LAN works fine.

Traffic analysis shows that the access point does not reveal the MAC addresses of other WLAN clients when one wants to reach them. Even two clients connected to the same access point can't communicate to each other.

Anyone else having this issue or are we the first one to upgrade to 17.3.4c?

Regards,

Bernd

Bernd Nies · ‎07-04-2022

Summary: This was finally the fix that brought intra WLAN client comminication back to life after the update:

=======================================|=====================================
C9800-40, IOS XE 17.3.3  (working)     | C9800-40, IOS XE 17.3.5a (working)
C9800-40, IOS XE 17.3.4c (not working) |  
=======================================|=====================================
                                       | vlan configuration 115,118-119,900
                                       |   arp broadcast
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
interface Vlan119                      | interface Vlan119
  description mDNS snooping            |   description mDNS snooping
                                       |   no ip proxy-arp
  ...                                  |   ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
wireless profile policy WLAN_Office    | wireless profile policy WLAN_Office
  vlan office                          |   vlan 119
  ...                                  |   ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

View solution in original post

ammahend · ‎04-12-2022

Haven’t run into this issue but certainly not immune to bugs on this, one of them was crashing WLC every 3-4 days, we eventually ended up getting special engineering image to fix it, since then it’s been stable, I understand the pain.
This one seems buggy, try different options, may be try p2p forward upstream as temporary fix, let us know if it works, eventually you will need to work with TAC I think.

-hope this helps-

Bernd Nies · ‎04-12-2022

Actually, Cisco TAC is on it for three weeks but with no result.

marce1000 · ‎04-12-2022

- Although this is a new problem which appeared after the upgrade

, always useful is to have a configuration check with (CLI) show tech wireless , have the output analyzed with :

Cloud Version

look for warnings and errors (anyway) , sometimes tweaking or correcting them. may help.

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

patoberli · ‎04-13-2022

By now 17.3.5a is out, you might want to try this. Please note, it requires a hotfix to be added after the installation.

Otherwise, what happens if you enable p2p blocking and afterwards disable it again?

Bernd Nies · ‎04-13-2022

I upgraded our backup WLAN controller to C9800-40-universalk9_wlc.17.03.05a.SPA.bin plus hotfix C9800-universalk9_wlc.17.03.05a.CSCwb13784.SPA.smu.bin and connected an access point. There it works again. Seems 17.3.4c is a bad release, although it is starred in the download portal.

Update: It works only partially. I joined two AP to the updated WLC.

On AP1

Ping between two notebooks on same AP does not work.
Ping from notebook to any other WLAN device connected to other APs from primary controller does work.

On AP2

Ping from notebook to any other WLAN device does not work

Rich R · ‎04-18-2022

Have you tried?

ipv4 arp-proxy

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_arp_proxy.html

Also note: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/release-notes/rn-17-3-9800.html#Cisco_Concept.dita_9e01664a-322e-4753-b915-a8f875a0d73d

Behavior Change

From Cisco IOS XE Amsterdam 17.3.5a onwards, rate limiting is performed for ARP packets for each client to prevent a denial-of-service attack. If a client sends an ARP storm, then the client is excluded. To configure rate limiting, use the ip arp-limit rate command at the policy profile level.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

Bernd Nies · ‎04-18-2022

Thanks for the hint. The ARP proxy setting probably didn't made it yet to the web UI. Also it was introduced in 17.3.1 and we were at 17.3.3. I tried it, no improvement. ARP resolution from a WLAN client for non-WLAN clients in same VLAN works.

Bernd Nies · ‎05-22-2022

Cisco confirmed this to be a bug and is working on a solution. I wonder if we are the only ones that ever have upgraded beyond 17.3.3 or are all the others not using intra WLAN client communication?

patoberli · ‎05-22-2022

Thanks for the update. I guess most people indeed don't (anymore) use client to client communication and solely client to server.

Bernd Nies · ‎05-25-2022

Yes. We're probably the only ones who had to add all HP printers to WLAN because we were not allowed to install LAN cables through the office's false floor.

Rich R · ‎05-23-2022

Thanks for the update @Bernd Nies

Did Cisco give you the bug id?

If not, can you ask them for it and share with us please?

It will be useful to see what other releases might be affected.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

Bernd Nies · ‎05-23-2022

Got no bug ID. Support could reproduce it in lab. Issue exists on 17.3.4c and 17.3.5a with Catalyst 9800-40 WLC and 9120 APs. Don't know if the hardware platform is relevant.

Rich R · ‎05-23-2022

Keep pushing them for the bug id.

I've seen this happen lately - even after TAC reproduce the problem they won't open a bug for it until the BU give permission to do so and that can take weeks (or even months if you don't maintain pressure). I don't know why they're doing this but I suspect it's about managing developers bonus targets because BU don't have to start working on the problem until after the bug is opened and by delaying the opening of the bug they can appear to respond more quickly when it's opened (even if it has taken weeks or months).

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

Bernd Nies · ‎06-01-2022

Finally, 69 days after opening the ticket on 24 March 2022: Cisco TAC opened BEMS and is waiting on BU engineer to accept and respond.