Solved: Flexconnect on wlc 9800

trondaker · ‎03-14-2024

Hi,

We have a pair of 9800s in HA/SSO. About to migrate our APs from 8540 to 9800. As im recreating our SSIDs to the new 9800s, we cant get the one flexconnect SSID to work. The 4 centrally switched SSIDs work as expected. I have followed the various blogs and configuration guides, and the SSID is presented in the air. The problem is, when the client is trying to connect, nothing happens - nothing in the logs or debugs that would indicate why the client cannot connect. From the 9800:

wlc-9800# show ap wlan summary
BSSID SSID WLAN profile name AP WLAN State AP WLAN Uptime Client Count AP Name IP Address Physical Capabilities AP Mode CAPWAP Path MTU Radio Uptime TxPwr Channel AP Up time Association Up time
------------------------------------------------------------------------------------------------------------------
dead.767f.beef flexconn flexssid Enabled 04:19:52 0 AP0001-001 1.1.1.1 5ghz-VHT FlexConnect 1485 04:19:52 *3/8 (16 dBm) (132)* 4 hours 21 minutes 50 seconds 4 hours 19 minutes 53 seconds

From the AP:

AP0001-001#show configuration wlan flexconn
SSID : flexssid
Radio Policy : 5GHz
Vlan Id : 111
Status : Enabled
Max Radio Clients : 200
SplitmacMode : Enabled
Capability : ESS PRIVACY SPEC_MGMT RADIO_MSMT
vap_mode : None
encryptPolicy : AES_CCM128
authType : WPA_8021X
rsnDataLen : 28
wpaDataLen : 0
rsnxe_len : 0
Broadcast SSID : Enabled
Band Steering : Disabled
Load Balancing : Disabled
11w MFP Capabilities : PMF_OPTIONAL
11w dot11wPmfAssocComebackTime : 1000
11w dot11wPmfSAQueryRetryTime : 200
aironetIeSupport : 0
dot11eBandwidth : 23437
otherFlags : DHCP_REQUIRED LS
DTIMPeriod : 1
vapSecOptFlags : 0
QoS : 3
QoS maxPriority : 6
default Unicast Priority : 6
default Multicast Priority : 6
kts_cac_policy : false
Multicast Buffer : Disabled
Multicast Buffer Size : 0
Client Idle Timeout : 300
Client Idle Threshold : 0
DHCP Profiling : 1
HTTP Profiling : 0
HTTP Profiling Timeout : 0
Dot11k neighbor list : 1
Passive Client : Disabled
Multicast mc2uc : Disabled
Fabric : Disabled
GPR Support : 0
Reauth Timeout : 1800
tkipHoldDownTimer : 0
Profile Name : flexconn

Profiles on the 9800:

wlc-9800#show ap name AP0001-001 config general

Cisco AP Name : AP0001-001
=================================================

Cisco AP Identifier : dead.767f.beef
Country Code : NO
Regulatory Domain Allowed by Country : 802.11bg:-E 802.11a:-E 802.11 6GHz:-E
AP Country Code : NO - Norway
AP Regulatory Domain
802.11bg : -E
802.11a : -E
MAC Address : dead.767e.beef
IP Address Configuration : DHCP
IP Address : 1.1.1.1
IP Netmask : 255.255.255.0
Gateway IP Address : 1.1.1.2
Fallback IP Address Being Used :
Domain :
Name Server :
CAPWAP Path MTU : 1485
Capwap Active Window Size : 1
Telnet State : Disabled
CPU Type : ARMv7 Processor rev 0 (v7l)
Memory Type : DDR3
Memory Size : 995328 KB
SSH State : Enabled
Serial Console State : Enabled
Cisco AP Location :
Site Tag Name : ap-with-flex
RF Tag Name : custom-radio-profile
Policy Tag Name : flexconn
AP join Profile : default-ap-profile
Flex Profile : default-flex-profile
Primary Cisco Controller Name : Not Configured
Primary Cisco Controller IP Address : 0.0.0.0
Secondary Cisco Controller Name : Not Configured
Secondary Cisco Controller IP Address : 0.0.0.0
Tertiary Cisco Controller Name : Not Configured
Tertiary Cisco Controller IP Address : 0.0.0.0
Administrative State : Enabled
Operation State : Registered
NAT External IP Address : 1.1.1.1
AP Certificate type : Manufacturer Installed Certificate
AP Certificate Expiry-time : 11/12/2037 15:00:17
AP Certificate issuer common-name : Cisco Manufacturing CA SHA2
AP Certificate Policy : Default
AP CAPWAP-DTLS LSC Status
Certificate status : Not Available
AP 802.1x LSC Status
Certificate status : Not Available
AP LSC authentication state : CAPWAP-DTLS

This specific example is from a 1832i AP, but same problem on the 9115, 9120 and 9130.

marce1000 · ‎03-14-2024

- Added reply

For testing purposes : if you know to which flexconnect-AP a particular client will connect (and or in a test setup) ; issue this command first on the AP:
show ap client-trace events mac <client-mac-address> . Then let the client connect or attempt to connect and follow up on the outputs shown or check the logs on the AP

- Further engage in full client debugging according to https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity , these debugs can be analyzed with Wireless Debug Analyzer

- Outputs from the commands mentioned in https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc5 can also be useful

- Check current software version being used on the HA-SSO pair , if somewhat older then go for 17.9.5

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

View solution in original post

marce1000 · ‎03-14-2024

- Start with a checkup of the (primary) 9800 controller's configuration with the CLI command show tech wireless and feed the output into : Wireless Config Analyzer

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

trondaker · ‎03-14-2024

Done, have three errors/reds, but they are unrelated/SFP-related. Nothing regarding profiles/tags for the flexconnect-ssid.

marce1000 · ‎03-14-2024

- It is strongly advised to always correct red errors first before
proceeding.

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

eglinsky2012 · ‎03-14-2024

Have you seen this guide in particular? I found it very helpful and it had everything I needed to get FlexConnect going here.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213945-understand-flexconnect-on-9800-wireless.html

marce1000 · ‎03-14-2024

- Added reply

For testing purposes : if you know to which flexconnect-AP a particular client will connect (and or in a test setup) ; issue this command first on the AP:
show ap client-trace events mac <client-mac-address> . Then let the client connect or attempt to connect and follow up on the outputs shown or check the logs on the AP

- Further engage in full client debugging according to https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity , these debugs can be analyzed with Wireless Debug Analyzer

- Outputs from the commands mentioned in https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc5 can also be useful

- Check current software version being used on the HA-SSO pair , if somewhat older then go for 17.9.5

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

trondaker · ‎03-28-2024

Thanks for the help - i deleted all relevant profiles and tags related to the faulty flex-ssid, re-created them after also upgrading to 17.9.5 from 17.9.4a. That seems to have done the trick.