04-11-2022 09:53 PM
Hello,
We have Catalyst 9800-40 WLAN controllers and 90 Catalyst 9120AXI access points. Three weeks ago we upgraded from 17.3.3 to 17.3.4c. But instead of fixing a bug, it got exchanged with a new one: Since then all the WLAN clients can't communicate with each other. The WLAN is configured for central switching. Now it behaves like peer-blocking is enabled, but we had it disabled on purpose. It's an office wlan with 802.1x authentication and not a public wlan. Connectivity between wireless and wired LAN works fine.
Traffic analysis shows that the access point does not reveal the MAC addresses of other WLAN clients when one wants to reach them. Even two clients connected to the same access point can't communicate to each other.
Anyone else having this issue or are we the first one to upgrade to 17.3.4c?
Regards,
Bernd
Solved! Go to Solution.
07-04-2022 05:45 AM - edited 07-04-2022 09:31 PM
Summary: This was finally the fix that brought intra WLAN client comminication back to life after the update:
=======================================|===================================== C9800-40, IOS XE 17.3.3 (working) | C9800-40, IOS XE 17.3.5a (working)
C9800-40, IOS XE 17.3.4c (not working) | =======================================|===================================== | vlan configuration 115,118-119,900 | arp broadcast ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ interface Vlan119 | interface Vlan119 description mDNS snooping | description mDNS snooping | no ip proxy-arp ... | ... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ wireless profile policy WLAN_Office | wireless profile policy WLAN_Office vlan office | vlan 119 ... | ... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
04-12-2022 03:49 AM - edited 04-12-2022 03:58 AM
Haven’t run into this issue but certainly not immune to bugs on this, one of them was crashing WLC every 3-4 days, we eventually ended up getting special engineering image to fix it, since then it’s been stable, I understand the pain.
This one seems buggy, try different options, may be try p2p forward upstream as temporary fix, let us know if it works, eventually you will need to work with TAC I think.
04-12-2022 04:00 AM
Actually, Cisco TAC is on it for three weeks but with no result.
04-12-2022 12:07 PM
- Although this is a new problem which appeared after the upgrade
, always useful is to have a configuration check with (CLI) show tech wireless , have the output analyzed with :
look for warnings and errors (anyway) , sometimes tweaking or correcting them. may help.
M.
04-13-2022 07:56 AM
By now 17.3.5a is out, you might want to try this. Please note, it requires a hotfix to be added after the installation.
Otherwise, what happens if you enable p2p blocking and afterwards disable it again?
04-13-2022 10:39 AM - edited 04-13-2022 11:32 PM
I upgraded our backup WLAN controller to C9800-40-universalk9_wlc.17.03.05a.SPA.bin plus hotfix C9800-universalk9_wlc.17.03.05a.CSCwb13784.SPA.smu.bin and connected an access point. There it works again. Seems 17.3.4c is a bad release, although it is starred in the download portal.
Update: It works only partially. I joined two AP to the updated WLC.
On AP1
Ping between two notebooks on same AP does not work.
Ping from notebook to any other WLAN device connected to other APs from primary controller does work.
On AP2
Ping from notebook to any other WLAN device does not work
04-18-2022 05:06 AM
Have you tried?
ipv4 arp-proxy
From Cisco IOS XE Amsterdam 17.3.5a onwards, rate limiting is performed for ARP packets for each client to prevent a denial-of-service attack. If a client sends an ARP storm, then the client is excluded. To configure rate limiting, use the ip arp-limit rate command at the policy profile level.
04-18-2022 09:36 PM
Thanks for the hint. The ARP proxy setting probably didn't made it yet to the web UI. Also it was introduced in 17.3.1 and we were at 17.3.3. I tried it, no improvement. ARP resolution from a WLAN client for non-WLAN clients in same VLAN works.
05-22-2022 10:11 PM
Cisco confirmed this to be a bug and is working on a solution. I wonder if we are the only ones that ever have upgraded beyond 17.3.3 or are all the others not using intra WLAN client communication?
05-22-2022 11:15 PM
Thanks for the update. I guess most people indeed don't (anymore) use client to client communication and solely client to server.
05-25-2022 05:01 AM
Yes. We're probably the only ones who had to add all HP printers to WLAN because we were not allowed to install LAN cables through the office's false floor.
05-23-2022 03:55 AM
Thanks for the update @Bernd Nies
Did Cisco give you the bug id?
If not, can you ask them for it and share with us please?
It will be useful to see what other releases might be affected.
05-23-2022 04:03 AM
Got no bug ID. Support could reproduce it in lab. Issue exists on 17.3.4c and 17.3.5a with Catalyst 9800-40 WLC and 9120 APs. Don't know if the hardware platform is relevant.
05-23-2022 04:16 PM
Keep pushing them for the bug id.
I've seen this happen lately - even after TAC reproduce the problem they won't open a bug for it until the BU give permission to do so and that can take weeks (or even months if you don't maintain pressure). I don't know why they're doing this but I suspect it's about managing developers bonus targets because BU don't have to start working on the problem until after the bug is opened and by delaying the opening of the bug they can appear to respond more quickly when it's opened (even if it has taken weeks or months).
06-01-2022 12:51 AM
Finally, 69 days after opening the ticket on 24 March 2022: Cisco TAC opened BEMS and is waiting on BU engineer to accept and respond.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: