Re: WLC 9800 Flex APs won't go standalone on wan link failure

pallaruelo · ‎04-20-2020

Dear Community,

I've recently installed some 9800 WLCs for one of my customers. 1 central WLC cluster and some remote locations. All APs on remote locations are tagged with Flex profiles.

But it seems the APs won't turn standalone when there is a WAN failure on remote site. Wifi doesn't work.

In previous AireOS equipment (5508, 3504, etc..) it seems it was included.

Did I miss something when I configured Flex profile on the new 9800 WLC ? I think about the option "Flex Resilient" in Flex Profile, but infortunately there is no available documentation about this !!

Many thanks,

Franck.

Scott Fella · ‎04-20-2020

Have you followed this guide:

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213945-understand-flexconnect-on-9800-wireless.html#anc6

-Scott
*** Please rate helpful posts ***

pallaruelo · ‎04-20-2020

Hi @Scott Fella

Yes I did. FlexConnect works fine. But not when the WAN link is down.

The feature "Flex Resilient" is not clearly explained. Maybe that's the solution !

Scott Fella · ‎04-20-2020

In FlexConnect local switching, the standalone mode is the same as AireOS. If this is not the case, you should open a TAC case.

-Scott
*** Please rate helpful posts ***

p.lan · ‎01-04-2022

I saw that option and thought something similar, but it looks like "Flex Resilient" is referring to APs only in flex+bridge mode?

WLC-01(config-wireless-flex-profile)#?
  acl-policy           ACL policy description 
  arp-caching          enable arp-caching
  cts                  Enable/Disable cts features for all APs in this profile
--- Omitted --
  office-extend        Enables the OfficeExtend AP mode for a flexconnect AP
  predownload          enable predownload
  resilient            Enables/Disables Standalone mode in flex+bridge AP
  umbrella-profile     umbrella profile description
  vlan-name            Enter vlan name

I too can not find any additional documentation on that option.

glennnlxl · ‎07-06-2022

Did you manage to find a resolution? We're seeing a similar issue, in some cases the APs stop responding and require a reboot to reconnect after WAN /Connectivity to Controller is restored. (No DHCP on AP MGMT subnet may be a factor there)

p.lan · ‎04-10-2023

Super late on the reply, but yes, disabling all 4 WLAN switching options in the policy profile resulted in us having our flex APs remain up if the WLC was powered down/unreachable. We previously had Central Auth enabled and nothing else, and recent guides from Cisco now outline more clearly that if Central Association is not enabled, neither should Central Auth. Disabling that gave us the flex AP resilience to remain up if the WLC is down.

This means to disable Central Switching, Auth, DHCP and Association. The AP takes care of all of that. Be mindful if you are using AAA RADIUS, as disabling Central auth will result in AAA being sourced from each AP individually.

Scott Fella · ‎04-10-2023

Central authentication when using FlexConnect is fine to have. It really depends on what you want as your design. If for example a site WAN goes down, it doesn't matter if you are using central auth or have it disabled, 802.1x will still fail. Just keep in mind that there are options and you have to determine what works best for you. Guides are guides and recommendations differ from time to time and whom you speak with., but doesn't mean either are wrong, maybe one is preferred more than another.

-Scott
*** Please rate helpful posts ***