RE: [WIRELESS-LAN] WLC 8.10.121 Deferred
Rolling back to 8.10.113.0 fixed the issue. Cisco gave us a bug ID of CSCvt38486: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt38486 -Original Message- From: Paul Smith Sent: Tuesday, June 30, 2020 10:52 AM To: The EDUCAUSE Wireless Issues Community Group Listserv Subject: RE: [WIRELESS-LAN] WLC 8.10.121 Deferred Cisco is advising us to roll back to 8.10.113. I'll update when we've had a chance to do so and test. ** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
RE: [WIRELESS-LAN] WLC 8.10.121 Deferred
Cisco is advising us to roll back to 8.10.113. I'll update when we've had a chance to do so and test. ** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Re: [EXTERNAL] Re: [WIRELESS-LAN] WLC 8.10.121 Deferred
We have WPA2 and WPA3 checked at this time. The only issue we have seen have been with Windows 10 devices. We have a handful of Android 10 devices that as far as I know are mainly Pixel and Samsung that have not had issues. No Mac issues that I have heard about. Jason Mallon Network Engineer, OIT The University of Alabama jemal...@ua.edu On Jun 26, 2020 5:12 PM, Paul Smith wrote: Q. Are you by any chance running WPA2 + WPA3 Enterprise with both the WPA2 and WPA3 boxes checked? We are currently on 8.10.121 and seeing this issue as well primarily with Windows devices. I have not seen any issues with Macs and authentication. A. No. WPA2 + WPA3, but only WPA2 is checked. I will experiment with this when I get back to the office. The big problem is it's impacting Windows 10 PCs. We have not seen the issue with iPhones or Android devices, but there may not be enough of them on campus right now to say for sure (we don't have a summer semester). We do have Mac's having a similar issue, but forgetting the SSID and re-selecting fixes any auth issues we see there. Q. FYI: I noticed that "over-the-ds" setting changed when we upgraded from 8.5 to 8.10.121.0. There may be other settings that changed as well. A. One of the engineers mentioned another setting was different (sorry, can't remember which it was), but then he called me right back and said that wasn't the issue. I believe there was something he found in the logs based on the conversation, so hopefully we'll have more info soon. It might've been beacon related, but I could have that planted in my head from an earlier post. Q. There was a memory leak in the AP. Clients were not moving from authentication to the AP through the association phase on the controller.(these terms seem backwards to me backwards -- authentication is finding the AP, association is the 802.1x/radius part). The AP was not forwarding the association PDU to the controller (so the radius servers never got to see request let alone send a rejection). Rebooting the AP at the time /might/ fix the problem, but if a large number of clients immediately connected to the newly rebooted AP it ran out memory and became semi-operational again. I'd check the AP rather than the controller logs to see what it's reporting. A. There's not an AP model on the campus that we've found the behavior any different. In our office where we test, it's a 2802 ... but the issue exists with the 3800's and even the new 9100's as well. Q. Have you tested your Android devices with FT disabled? (instead of FT Adaptive). I would be curious to hear what results you get. A. We haven't seen any issues with Android devices (yet), but we don't have enough on the campus to say for sure. We did go Adaptive at the suggestion of Cisco and a Presidio engineer because of some issues with iPads. So, I wouldn't be keen to change that. ** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Re: [WIRELESS-LAN] WLC 8.10.121 Deferred
Interesting. For us it’s like one particular area with one particular mode of AP we don’t have anyplace else. It magically went away again today too. Nick Sent from my iPhone > On Jun 26, 2020, at 5:12 PM, Paul Smith wrote: > > *EXTERNAL EMAIL* > > Q. Are you by any chance running WPA2 + WPA3 Enterprise with both the WPA2 > and WPA3 boxes checked? We are currently on 8.10.121 and seeing this issue > as well primarily with Windows devices. I have not seen any issues with Macs > and authentication. > > A. No. WPA2 + WPA3, but only WPA2 is checked. I will experiment with this > when I get back to the office. The big problem is it's impacting Windows 10 > PCs. We have not seen the issue with iPhones or Android devices, but there > may not be enough of them on campus right now to say for sure (we don't have > a summer semester). We do have Mac's having a similar issue, but forgetting > the SSID and re-selecting fixes any auth issues we see there. > > Q. FYI: I noticed that "over-the-ds" setting changed when we upgraded from > 8.5 to 8.10.121.0. There may be other settings that changed as well. > > A. One of the engineers mentioned another setting was different (sorry, can't > remember which it was), but then he called me right back and said that wasn't > the issue. I believe there was something he found in the logs based on the > conversation, so hopefully we'll have more info soon. It might've been beacon > related, but I could have that planted in my head from an earlier post. > > Q. There was a memory leak in the AP. Clients were not moving from > authentication to the AP through the association phase on the > controller.(these terms seem backwards to me backwards -- authentication is > finding the AP, association is the 802.1x/radius part). The AP was not > forwarding the association PDU to the controller (so the radius servers never > got to see request let alone send a rejection). Rebooting the AP at the time > /might/ fix the problem, but if a large number of clients immediately > connected to the newly rebooted AP it ran out memory and became > semi-operational again. I'd check the AP rather than the controller logs to > see what it's reporting. > > A. There's not an AP model on the campus that we've found the behavior any > different. In our office where we test, it's a 2802 ... but the issue exists > with the 3800's and even the new 9100's as well. > > Q. Have you tested your Android devices with FT disabled? (instead of FT > Adaptive). I would be curious to hear what results you get. > > A. We haven't seen any issues with Android devices (yet), but we don't have > enough on the campus to say for sure. We did go Adaptive at the suggestion of > Cisco and a Presidio engineer because of some issues with iPads. So, I > wouldn't be keen to change that. > > ** > Replies to EDUCAUSE Community Group emails are sent to the entire community > list. If you want to reply only to the person who sent the message, copy and > paste their email address and forward the email reply. Additional > participation and subscription information can be found at > https://www.educause.edu/community ** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
RE: [WIRELESS-LAN] WLC 8.10.121 Deferred
Q. Are you by any chance running WPA2 + WPA3 Enterprise with both the WPA2 and WPA3 boxes checked? We are currently on 8.10.121 and seeing this issue as well primarily with Windows devices. I have not seen any issues with Macs and authentication. A. No. WPA2 + WPA3, but only WPA2 is checked. I will experiment with this when I get back to the office. The big problem is it's impacting Windows 10 PCs. We have not seen the issue with iPhones or Android devices, but there may not be enough of them on campus right now to say for sure (we don't have a summer semester). We do have Mac's having a similar issue, but forgetting the SSID and re-selecting fixes any auth issues we see there. Q. FYI: I noticed that "over-the-ds" setting changed when we upgraded from 8.5 to 8.10.121.0. There may be other settings that changed as well. A. One of the engineers mentioned another setting was different (sorry, can't remember which it was), but then he called me right back and said that wasn't the issue. I believe there was something he found in the logs based on the conversation, so hopefully we'll have more info soon. It might've been beacon related, but I could have that planted in my head from an earlier post. Q. There was a memory leak in the AP. Clients were not moving from authentication to the AP through the association phase on the controller.(these terms seem backwards to me backwards -- authentication is finding the AP, association is the 802.1x/radius part). The AP was not forwarding the association PDU to the controller (so the radius servers never got to see request let alone send a rejection). Rebooting the AP at the time /might/ fix the problem, but if a large number of clients immediately connected to the newly rebooted AP it ran out memory and became semi-operational again. I'd check the AP rather than the controller logs to see what it's reporting. A. There's not an AP model on the campus that we've found the behavior any different. In our office where we test, it's a 2802 ... but the issue exists with the 3800's and even the new 9100's as well. Q. Have you tested your Android devices with FT disabled? (instead of FT Adaptive). I would be curious to hear what results you get. A. We haven't seen any issues with Android devices (yet), but we don't have enough on the campus to say for sure. We did go Adaptive at the suggestion of Cisco and a Presidio engineer because of some issues with iPads. So, I wouldn't be keen to change that. ** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Re: [WIRELESS-LAN] WLC 8.10.121 Deferred
All, FYI: I noticed that "over-the-ds" setting changed when we upgraded from 8.5 to 8.10.121.0. There may be other settings that changed as well. Christina Klam Network Engineer Institute for Advanced Study 1 Einstein Dr Princeton, NJ 08540 (m) +1 609-751-7899 (o) +1 609-734-8154 ck...@ias.edu From: "Mallon, Jason" To: "The EDUCAUSE Wireless Issues Community Group Listserv" Sent: Friday, June 26, 2020 10:24:20 AM Subject: Re: [WIRELESS-LAN] WLC 8.10.121 Deferred Paul, Are you by any chance running WPA2 + WPA3 Enterprise with both the WPA2 and WPA3 boxes checked? We are currently on 8.10.121 and seeing this issue as well primarily with Windows devices. I have not seen any issues with Macs and authentication. Jason Mallon Network Engineer III, OIT [ https://www.ua.edu/ | The University of Alabama ] [ mailto:jemal...@ua.edu | jemal...@ua.edu ] From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Paul Smith Sent: Friday, June 26, 2020 9:44 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [EXTERNAL] Re: [WIRELESS-LAN] WLC 8.10.121 Deferred We were running 8.10.121 on our 5520 and began having authentication issues. It is weird because radius isn't even seeing the attempts (or weren't logging rejections). The behavior persists even using local authentication. Eventually we can get the clients to connect, but it takes a number of attempts. It's very frustrating. Cisco had us upgrade to 8.10.122, but the problem still persists. We would roll back, but we have 9130's on the campus now and we need 8.10.122 to manage them. Such a headache right now. Paul Smith Network Administrator Marian University psmi...@marian.edu 317.955.6069 ** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at [ https://www.educause.edu/community | https://www.educause.edu/community ] ** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at [ https://www.educause.edu/community | https://www.educause.edu/community ] ** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Re: [WIRELESS-LAN] WLC 8.10.121 Deferred
We had the EXACT same issue in April. TAC was useless. We just rolled back to the earlier train, 8.5.161 in order to get everyone connecting again. As we are hoping to move back to the 8.10.X train this summer to get the DNAC benefits again, I will continue to watch this thread. Christina Klam Network Engineer Institute for Advanced Study 1 Einstein Dr Princeton, NJ 08540 (m) +1 609-751-7899 (o) +1 609-734-8154 ck...@ias.edu From: "Paul Smith" To: "The EDUCAUSE Wireless Issues Community Group Listserv" Sent: Friday, June 26, 2020 9:44:32 AM Subject: Re: [WIRELESS-LAN] WLC 8.10.121 Deferred We were running 8.10.121 on our 5520 and began having authentication issues. It is weird because radius isn't even seeing the attempts (or weren't logging rejections). The behavior persists even using local authentication. Eventually we can get the clients to connect, but it takes a number of attempts. It's very frustrating. Cisco had us upgrade to 8.10.122, but the problem still persists. We would roll back, but we have 9130's on the campus now and we need 8.10.122 to manage them. Such a headache right now. Paul Smith Network Administrator Marian University psmi...@marian.edu 317.955.6069 ** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
