Curious if anyone has tied this behavior in any way to Mac sleep issues, like
this (just one example): https://discussions.apple.com/thread/251356663

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e [email protected]   w its.syr.edu
Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<[email protected]> On Behalf Of Marcelo Maraboli
Sent: Wednesday, October 28, 2020 9:08 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] MacOS Disconnections on Cisco Controllers

Hi Jordan

We've been having this exact problem for weeks now.

It has been present only in MacOS and not seen in iOS, Android or Windows.

We've done packet-captures on the MacOS, debugs on the WLC (5520 and 8540) with
different WLC-OS (8.5.161, 8.5.164, 8.10.131) and are now with Cisco TAC doing
some AP sniffing and with a local Reseller doing analysis with a WIFI Expert
engineer.

What we have is an eduroam SSID with 802.1X and a "session timeout" {SSID
specific config in the Advanced Tab ("Enable Session timeout")} at 600s

This forces the 802.1X re-auth every 600s and after hours of Mac notebooks
working OK with this, the WLC fails to put the client in "RUN MODE" and
therefore blocks all IP traffic.
The client (notebook) can still renew the DHCP lease if you want, but it has to
wait 600s for the next re-auth and the WLC will enable the IP traffic or the
notebook may turn the WIFI off then on to force a re-auth.

There is no problem with the re-auth (radius, 802.1X, client). It is just the
WLC that fails to put the client in RUN MODE.

The workaround is to DISABLE the "Enable session timeout" and leave it to the
default timeout which is 24 hours.

We are waiting for a "recommended configuration" so we can flush idle sessions
(notebooks just close up and leave) so the Radius and WLC won't fill up the
session table.


Hope this helps...


cheers!



On 26-10-20 12:37, Cox, Jordan D wrote:
Good morning,

We have been working with Cisco TAC to troubleshoot an issue where our MacOS 
clients will randomly lose connectivity to the default gateway (and thus 
internet etc.). The wireless will stay connected in the run state, but the Mac 
will send out repeated ARP requests for the default gateway during the outages. 
The outages last between 20 seconds and 5 minutes and are resolved once the 
client gets an ARP response from the gateway.

We have packet captures showing ARP requests going through the CAPWAP tunnel to 
the controller but NOT leaving the controller to the gateway during the 
outages. TAC has acknowledged the problem is on the controller, and I'm waiting 
to hear back from them.

I'm wondering if anyone else has seen similar issues?

More details:

  *   WLC is two 5508 in HA configuration
  *   WLC was running 8.5.161.0 and we upgraded to 8.5.161.7 to troubleshoot
  *   250 APs are running in local mode (the issue does not happen when testing 
in Flexconnect mode with local switching)
  *   Default gateway is a Palo Alto firewall
  *   The MacOS client sends an ARP broadcast to find the gateway every 20 
minutes but the outage doesn't happen every 20 minutes
  *   It seems like the issue appears during high utilization on the controller 
since I didn't see any issues when testing over a campus break when many 
students were gone
  *   I've seen the issue on multiple SSIDs including a test SSID which only 
had my clients on it
  *   Client debug on the controller shows no issues
  *   This doesn't seem to affect Windows machines

Thank you!


Jordan Cox
Network Admin II, Information Technology
P: 651-882-3995
[email protected]  |  www.unwsp.edu

Equipping Christ-centered learners and leaders
to invest in others and impact the world.




**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

--

Marcelo Maraboli Rosselott
Subdirector de Redes y Seguridad
Dirección de Informática
Pontificia Universidad Católica de Chile
http://informatica.uc.cl/
https://www.linkedin.com/in/marcelomaraboli/
--
Campus San Joaquín, Av. Vicuña Mackenna 4860, Macul
Santiago, Chile
Teléfono: (56) 22354 1341
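
Added example (not part of the original thread, and not code from any poster or from Cisco): one way to measure the outage windows described in the original report from a client-side capture, by pairing the client's ARP requests for the gateway with the reply that finally arrives. The addresses, timestamps and the `min_gap` threshold are constructed for illustration; real input would be ARP events exported from a packet capture.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample: (epoch seconds, ARP opcode, sender IP, target IP) as seen
# in a client-side capture. All addresses and times are invented.
GATEWAY = "10.0.0.1"
CLIENT = "10.0.0.57"
SAMPLE_EVENTS = [
    (1000.0, "request", CLIENT, GATEWAY),
    (1000.1, "reply", GATEWAY, CLIENT),    # normal periodic refresh
    (2200.0, "request", CLIENT, GATEWAY),  # outage starts: no reply
    (2201.0, "request", CLIENT, GATEWAY),
    (2205.0, "request", CLIENT, GATEWAY),
    (2245.0, "reply", GATEWAY, CLIENT),    # gateway finally answers
    (3400.0, "request", CLIENT, GATEWAY),
    (3400.2, "reply", GATEWAY, CLIENT),
    (4600.0, "request", CLIENT, GATEWAY),  # unanswered when capture ends
    (4601.0, "request", CLIENT, GATEWAY),
]

@dataclass
class Outage:
    start: float            # time of the first unanswered request
    end: Optional[float]    # reply time, or None if the capture ended first
    requests: int           # ARP requests sent during the window

    @property
    def duration(self):
        return None if self.end is None else self.end - self.start


def find_arp_outages(events, client, gateway, min_gap=2.0):
    """Return windows where `client` asked for `gateway` and waited longer
    than `min_gap` seconds (assumed threshold) for the reply."""
    outages, start, count = [], None, 0
    for ts, op, sender, target in sorted(events):
        if op == "request" and sender == client and target == gateway:
            if start is None:
                start = ts
            count += 1
        elif op == "reply" and sender == gateway and target == client:
            if start is not None and ts - start > min_gap:
                outages.append(Outage(start, ts, count))
            start, count = None, 0
    if start is not None:  # still waiting for a reply at end of capture
        outages.append(Outage(start, None, count))
    return outages
```

The resulting start and end times can be lined up against controller utilization graphs or 802.1X re-auth timestamps to see which of the two behaviours reported in this thread matches a given site.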
