amigan_99

Cisco Wireless WLC and AP - remote site complains of large number of drops

I am not seeing a smoking gun on the WLC in the logs nor in RADIUS (Cisco ACS). They're on the other side of the globe and communication is tough. What logging or troubleshooting can you recommend on the WLC/AP side? I've reviewed RADIUS logging and that looks largely normal - EAP MS-CHAP2/AD. There are a number of log messages concerning rogues. 200 or so rogues. But I don't think they'd be a problem. Cisco Clean Air b/g/b shows a worst case 91. a/n/c has avg 99 min 99 - and I think they're largely attaching via a/n/c.

      Tue May 23 20:42:07 2017      Rogue AP : 5a:be:f5:3e:20:8b removed from Base Radio MAC : 08:cc:68:52:ab:a0 Interface no:0(802.11n(2.4 GHz))
5      Tue May 23 20:41:39 2017      Rogue AP: 04:a1:51:10:ef:40 detected on Base Radio MAC: 08:cc:68:52:cd:10 Interface no: 0(802.11n(2.4 GHz)) Channel: 11 RSSI: -90 SNR: 4 Classification: unclassified, State: Alert, RuleClassified : N, Severity Score: 0, RuleName: N.A. ,Classified AP MAC: 00:00:00:00:00:00 ,Classified RSSI: 0
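
A triage aid for the rogue messages quoted above, added here as an example and not part of the original post: it replays trap-log lines in the two formats shown and reports which rogues are still being heard, and which of those are strong enough to be worth a closer look. The -70 dBm cut-off and the `02:00:00:00:00:0x` sample entries are assumptions constructed for the example.

```python
import re
from collections import Counter

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Both message shapes from the question; spacing around ':' varies between them.
DETECTED = re.compile(
    rf"Rogue AP\s*:\s*(?P<rogue>{MAC}) detected on Base Radio MAC\s*:\s*(?P<radio>{MAC})"
    rf".*?Channel:\s*(?P<channel>\d+)\s+RSSI:\s*(?P<rssi>-?\d+)\s+SNR:\s*(?P<snr>-?\d+)",
    re.IGNORECASE)
REMOVED = re.compile(
    rf"Rogue AP\s*:\s*(?P<rogue>{MAC}) removed from Base Radio MAC\s*:\s*(?P<radio>{MAC})",
    re.IGNORECASE)

STRONG_RSSI_DBM = -70  # assumed triage cut-off, tune it against a site survey


def summarize(lines):
    """Replay oldest-first log lines; return rogues still heard and the strong ones."""
    active = {}  # (rogue MAC, reporting radio MAC) -> last reported (channel, RSSI, SNR)
    for line in lines:
        m = DETECTED.search(line)
        if m:
            key = (m["rogue"].lower(), m["radio"].lower())
            active[key] = (int(m["channel"]), int(m["rssi"]), int(m["snr"]))
            continue
        m = REMOVED.search(line)
        if m:  # a removal for a pair never seen as detected is ignored
            active.pop((m["rogue"].lower(), m["radio"].lower()), None)
    strong = sorted((rogue, radio, ch, rssi)
                    for (rogue, radio), (ch, rssi, _snr) in active.items()
                    if rssi >= STRONG_RSSI_DBM)
    return {"active": len(active), "strong": strong,
            "strong_per_channel": dict(Counter(ch for _, _, ch, _ in strong))}


# Oldest first. Entries 1-2 are from the question (first one shortened); 3-5 are constructed.
SAMPLE = [
    "Tue May 23 20:41:39 2017 Rogue AP: 04:a1:51:10:ef:40 detected on Base Radio MAC: "
    "08:cc:68:52:cd:10 Interface no: 0(802.11n(2.4 GHz)) Channel: 11 RSSI: -90 SNR: 4 "
    "Classification: unclassified, State: Alert",
    "Tue May 23 20:42:07 2017 Rogue AP : 5a:be:f5:3e:20:8b removed from Base Radio MAC : "
    "08:cc:68:52:ab:a0 Interface no:0(802.11n(2.4 GHz))",
    "Rogue AP: 02:00:00:00:00:01 detected on Base Radio MAC: 08:cc:68:52:cd:10 "
    "Interface no: 0(802.11n(2.4 GHz)) Channel: 6 RSSI: -62 SNR: 30",
    "Rogue AP: 02:00:00:00:00:02 detected on Base Radio MAC: 08:cc:68:52:ab:a0 "
    "Interface no: 0(802.11n(2.4 GHz)) Channel: 1 RSSI: -65 SNR: 28",
    "Rogue AP : 02:00:00:00:00:02 removed from Base Radio MAC : 08:cc:68:52:ab:a0 "
    "Interface no:0(802.11n(2.4 GHz))",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The WLC trap log lists newest entries first, so reverse an export before passing it to `summarize`.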
Craig Beck

Are the APs disconnecting from the WLC or is it just clients disconnecting?

What mode are the APs in?  Local or Flexconnect?
amigan_99 (ASKER)

The clients are "disconnecting" according to their local consultant. AIR-CAP3502I-I-K9 Local Mode.
Ok at the WLC CLI do:

debug client <client mac>

Let the client connect then watch what happens at the WLC.  Post the output for a 5-10 minute session here when the issue occurs.
Cool thank you.
Andy Bartkiewicz

It sounds like you have these APs in local mode even though it's on the other side of the globe. I would highly recommend switching it to flexconnect (or h-reap if you have older controller software). When an AP is in flexconnect mode it does the switching for wireless clients locally and only talks to the controller to authenticate users and check in every so often. In local mode all data to and from the wireless users out there has to travel to your WLC and back, I can see how there would be a lot of drops and it's probably very slow. We don't use local unless the controller and the AP are on the same LAN. There are some additional settings for flexconnect, like matching SSIDs to VLANs and setting the native VLAN. You will also need to set the switch ports that your APs are on to trunk if you are using multiple VLANs at the site. Make sure the native VLAN on the trunk is the VLAN you want to manage the AP on.
Thanks for that idea Andy. The WLC and the APs are on the same site in the middle east. The WLC does phone home to Cisco Prime.
Local mode APs operate just the same as FlexConnect mode APs as far as client management traffic is concerned.  The AP still needs to form a CAPWAP tunnel to the WLC even if it is in FlexConnect mode.  Yes, client data traffic will be switched locally in FlexConnect mode, but APs still need CAPWAP and when the CAPWAP tunnel breaks, so does client connectivity.

If the clients are disconnecting you need to establish whether it's a local problem in terms of RF or something else first.  Doing a debug will help you determine that.

Obviously here it's not an issue though, as the APs and WLC are local.
I'm sorry but that's just not true, if the CAPWAP tunnel breaks with a flexconnect AP, you lose management of the AP, but the clients DON'T disconnect like they do when the AP is in local mode. Any new clients trying to connect won't be able to authenticate unless you set up the flexconnect AP to authenticate locally but currently connected clients will still have connectivity until the session timeout hits. The default session timeout is 30 minutes.
Andy, read what I said...
Local mode APs operate just the same as FlexConnect mode APs as far as client management traffic is concerned.

I will concede though, my following statement may have sounded confusing...
but APs still need CAPWAP and when the CAPWAP tunnel breaks, so does client connectivity.

Allow me to clarify...

You are correct in that when CAPWAP breaks, connected-clients will remain connected to the same AP.  However, once the session dies the client can NOT reconnect unless a PSK or local RADIUS server is used, or the CAPWAP tunnel comes back up.

Sorry for the confusion.

So, going back to my earlier point...

We have established that the APs are in the same site as the WLC, so the likelihood of them being in FlexConnect mode is slim.  Therefore, back to my earlier point... doing a debug to see what the client is doing from the WLC's point-of-view.  It may also be a good idea to do a spectrum analysis at the site to see if there's any RF interference, either from foreign sources or from your own APs.  Co-channel interference can cause client issues just as much as foreign wifi and non-802.11 sources can.  This is often the first place to look.
However, since the APs and the controller are both local, you're right that is probably not the problem. I was under the impression they were checking in with a WLC halfway across the world.
Adding a comment to keep alive after the long weekend. Lots of ticket backup!
Go for active survey.
Did you do a debug?