This document answers wireless FAQs and describes how to troubleshoot Software-Defined Access (SD-Access) wireless on Cisco DNA Center.
This is the command cheat sheet for the fabric on the Control Plane Node, Edge Node, Wireless LAN Controller (WLC), and Access Point (AP).
Control Node:
Edge Node:
WLC (AireOS):
WLC (IOS-XE):
Access Point:
This section shows the AireOS WLC configuration pushed by Cisco DNA Center after provisioning (a 3504 WLC is used as the reference).
show radius summary after WLC Provisioning:
(sdawlc3504) >show radius summary

Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Accounting Call Station Id Type.................. Mac Address
Auth Call Station Id Type........................ AP's Radio MAC Address:SSID
Extended Source Ports Support.................... Enabled
Aggressive Failover.............................. Disabled
Keywrap.......................................... Disabled
Fallback Test:
    Test Mode.................................... Passive
    Probe User Name.............................. cisco-probe
    Interval (in seconds)........................ 300
MAC Delimiter for Authentication Messages........ hyphen
MAC Delimiter for Accounting Messages............ hyphen
RADIUS Authentication Framed-MTU................. 1300 Bytes

Authentication Servers

Idx  Type  Server Address    Port    State     Tout  MgmtTout  RFC3576  IPSec - state/Profile Name/RadiusRegionString
---  ----  ----------------  ------  --------  ----  --------  -------  -------------------------------------------------------
1    * NM  192.168.2.193     1812    Enabled   2     5         Enabled  Disabled - /none
2      M   172.27.121.193    1812    Enabled   2     5         Enabled  Disabled - /none
WLAN Config Push is seen under show wlan summary.
(sdawlc3504) >show wlan summary

Number of WLANs.................................. 7

WLAN ID  WLAN Profile Name / SSID                        Status    Interface Name        PMIPv6 Mobility
-------  ----------------------------------------------  --------  --------------------  ---------------
1        Test / Test                                     Enabled   management            none
17       dnac_guest_F_global_5dfbd_17 / dnac_guest_206   Disabled  management            none
18       dnac_psk_2_F_global_5dfbd_18 / dnac_psk_206     Disabled  management            none
19       dnac_wpa2__F_global_5dfbd_19 / dnac_wpa2_206    Enabled   management            none
20       dnac_open__F_global_5dfbd_20 / dnac_open_206    Enabled   management            none
21       Test!23_F_global_5dfbd_21 / Test!23             Disabled  management            none
This section shows the WLC configuration pushed by Cisco DNA Center after the WLC is added to the Fabric.
show fabric map-server summary after WLC is added to Fabric.
(sdawlc3504) >show fabric map-server summary

MS-IP                            Connection status
-------------------------------- -----------------
192.168.4.45                     UP
192.168.4.66                     UP
Control Plane (CP) connectivity can go down, or stay down, for various reasons. Use these commands to check the state and the creation history of the map-server TCP session:
show fabric map-server detailed
show fabric TCP creation-history <Map-Server IP>
Debugs that can provide further information:
debug fabric lisp map-server tcp enable
debug fabric lisp map-server all enable
show fabric summary after WLC is added to Fabric.
(sdawlc3504) >show fabric summary

Fabric Support................................... enabled

Enterprise Control Plane MS config
--------------------------------------
Primary Active MAP Server
IP Address....................................... 192.168.4.45
Secondary Active MAP Server
IP Address....................................... 192.168.4.66

Guest Control Plane MS config
-------------------------------

Fabric TCP keep alive config
----------------------------
Fabric MS TCP retry count configured ............ 3
Fabric MS TCP timeout configured ................ 10
Fabric MS TCP keep alive interval configured .... 10

Fabric Interface name configured .............. management
Fabric Clients registered ..................... 0
Fabric wlans enabled .......................... 3
Fabric APs total Registration sent ............ 30
Fabric APs total DeRegistration sent .......... 9
Fabric AP RLOC reguested ...................... 15
Fabric AP RLOC response received .............. 30
Fabric AP RLOC send to standby ................ 0
Fabric APs registered by WLC .................. 6

VNID Mappings configured: 4

Name                              L2-Vnid     L3-Vnid     IP Address/Subnet
--------------------------------  ----------  ----------  ---------------------------------
182_10_50_0-INFRA_VN              8188        4097        182.10.50.0 / 255.255.255.128
10_10_10_0-Guest_Area             8190        0           0.0.0.0 / 0.0.0.0
182_10_100_0-DEFAULT_VN           8191        0           0.0.0.0 / 0.0.0.0
182_11_0_0-DEFAULT_VN             8189        0           0.0.0.0 / 0.0.0.0

Fabric Flex-Acl-tables            Status
--------------------------------  -------
DNAC_FABRIC_FLEX_ACL_TEMPLATE     Applied

Fabric Enabled Wlan summary

WLAN ID  SSID                              Type  L2 Vnid     SGT     RLOC IP          Clients  VNID Name
-------  --------------------------------  ----  ----------  ------  ---------------  -------  --------------------------------
19       dnac_wpa2_206                     WLAN  8189        0       0.0.0.0          0        182_11_0_0-DEFAULT_VN
20       dnac_open_206                     WLAN  8189        0       0.0.0.0          0        182_11_0_0-DEFAULT_VN
WLAN config push from Cisco DNA Center is seen under show fabric wlan summary after WLC is added to Fabric and client IP Pool is assigned to Fabric Wireless LAN (WLAN) under Provision > Fabric > Host Onboarding.
show fabric wlan summary after Fabric provisioning.
(sdawlc3504) >show fabric wlan summary

WLAN ID  SSID                              Type  L2 Vnid     SGT     RLOC IP          Clients  VNID Name
-------  --------------------------------  ----  ----------  ------  ---------------  -------  --------------------------------
19       dnac_wpa2_206                     WLAN  8189        0       0.0.0.0          0        182_11_0_0-DEFAULT_VN
20       dnac_open_206                     WLAN  8189        0       0.0.0.0          0        182_11_0_0-DEFAULT_VN
1. Check that the AP got an IP address.
show ip dhcp snooping binding → on the Fabric Edge
If no IP is shown for the interface the AP is attached to, enable these debugs on the switch and check whether the AP is getting an IP:
debug ip dhcp snooping packet
debug ip dhcp snooping event
Example:
Floor_Edge-6#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
0C:75:BD:0D:46:60   182.10.50.7      670544      dhcp-snooping  1021  GigabitEthernet1/0/7   → the interface facing the AP should have a binding with an IP
2. Check that the AP joins the WLC.
If the AP has never joined the WLC, enable these debugs on the WLC.
3. If the AP forms CAPWAP but no access-tunnels are formed between the AP and the switch, perform these checks:
Step 1. Check whether the APs on the WLC have RLOC IPs. If they do not, see check 1 below.
1. In order to make the fabric control plane protocol more resilient, it is important that a specific route to the WLC is present in each fabric node's global routing table. The route to the WLC's IP address should either be redistributed into the underlay IGP at the Border or be configured statically at each node. In other words, the WLC must not be reachable only through the default route.
Step 2. If the APs on the WLC show correct RLOCs and show fabric summary shows RLOC requested and RLOC response received counters that look healthy, check these steps:
2. On the Control Plane node, check show lisp instance-id <L2 AP instance id> ethernet server → it should contain the Base Radio MAC of the AP.
On the Fabric Edge node, check show lisp instance-id <L2 AP instance id> ethernet database wlc → it should contain the Base Radio MAC of the AP, not the Ethernet MAC of the AP.
If these two commands do not show the Base Radio MAC of the AP and access-tunnels are not forming, enable debug lisp control-plane all on the Control Plane node and search the logs for the Base Radio MAC.
Note: debug lisp control-plane all on the Control Plane node is very chatty; disable console logging before turning on the debugs.
If you see an authentication failure as shown here, check that the authentication key between the WLC and the CP node matches.
Dec 7 17:42:01.655: LISP-0: MS Site EID IID 8188 prefix any-mac SVC_VLAN_IAF_MAC site site_uci, Registration failed authentication for more specific 2c0b.e9c6.ec80/48
Dec 7 17:42:01.659: LISP-0: Building reliable registration message registration-rejected for IID 8188 EID 2c0b.e9c6.ec80/48 , Rejection Code: authentication failure/2.
How to check the authentication key in the fabric configuration between the WLC and the CP:
On the WLC, check in the GUI under Controller > Fabric Configuration > Control Plane (Pre-Shared Key).
On the CP, check on the switch with sh running-config | b map-server session:
CP#sh running-config | b map-server session
map-server session passive-open WLC
site site_uci
description map-server configured from apic-em
authentication-key <hidden>   ← the Pre-Shared Key on the WLC must match this authentication key on the CP
Note: Cisco DNA Center normally pushes this key, so do not change it unless required, and know what is configured on the CP and WLC before you do.
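The check above comes down to searching the CP debug output for an AP's Base Radio MAC, which is awkward because the WLC shows MACs with colons, the DHCP snooping table shows them with hyphens, and the LISP debugs use the IOS dotted form. The Python script below is an added example (it is not part of this TechNote): it normalizes a MAC copied from any of those sources into h.h.h form, scans debug lisp control-plane all output for the two authentication-failure messages shown above, and reports the affected EID, IID and rejection code. The sample debug text is constructed from the two messages on this page plus one unrelated noise line; the regular expressions are derived from those two messages only and may need adjusting for other LISP log formats.

```python
"""Find LISP registration authentication failures in CP 'debug lisp control-plane all' output.

Added example (not from the TechNote). The sample debug lines are constructed from
the two messages shown on the page plus one unrelated noise line; the regular
expressions are derived from those two messages only.
"""
import re
from collections import defaultdict

DOTTED_MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# "... IID 8188 ... Registration failed authentication for more specific 2c0b.e9c6.ec80/48"
_FAILED_RE = re.compile(
    rf"IID (?P<iid>\d+) .*Registration failed authentication for more specific "
    rf"(?P<eid>{DOTTED_MAC})/\d+")
# "... registration-rejected for IID 8188 EID 2c0b.e9c6.ec80/48 , Rejection Code: authentication failure/2."
_REJECT_RE = re.compile(
    rf"registration-rejected for IID (?P<iid>\d+) EID (?P<eid>{DOTTED_MAC})/\d+ ?, "
    rf"Rejection Code: (?P<reason>[^/]+)/(?P<code>\d+)")


def normalize_mac(mac):
    """Return a MAC in IOS dotted form (h.h.h) from colon, hyphen, dotted or bare input."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in (0, 4, 8))


def find_auth_failures(debug_output):
    """Map each rejected EID (dotted MAC) to the IID, reason and rejection code seen for it."""
    findings = defaultdict(dict)
    for line in debug_output.splitlines():
        m = _FAILED_RE.search(line)
        if m:
            findings[m["eid"]].update(iid=int(m["iid"]), auth_failed=True)
            continue
        m = _REJECT_RE.search(line)
        if m:
            findings[m["eid"]].update(iid=int(m["iid"]), reason=m["reason"].strip(),
                                      code=int(m["code"]))
    return dict(findings)


def ap_rejected(debug_output, base_radio_mac):
    """True if this AP Base Radio MAC (any format) was rejected with an authentication failure."""
    entry = find_auth_failures(debug_output).get(normalize_mac(base_radio_mac), {})
    return entry.get("auth_failed", False) or entry.get("reason") == "authentication failure"


# Constructed sample: the two lines from the page plus one unrelated noise line.
SAMPLE_DEBUG = """\
Dec 7 17:42:01.650: LISP-0: MS processing map-register (constructed noise line)
Dec 7 17:42:01.655: LISP-0: MS Site EID IID 8188 prefix any-mac SVC_VLAN_IAF_MAC site site_uci, Registration failed authentication for more specific 2c0b.e9c6.ec80/48
Dec 7 17:42:01.659: LISP-0: Building reliable registration message registration-rejected for IID 8188 EID 2c0b.e9c6.ec80/48 , Rejection Code: authentication failure/2.
"""

if __name__ == "__main__":
    for eid, info in find_auth_failures(SAMPLE_DEBUG).items():
        print(eid, info)
```

Run it against the CP debug output redirected to a file, then call ap_rejected with the Base Radio MAC copied from the WLC; a rejection code of 2 (authentication failure) for that MAC means the Pre-Shared Key on the WLC and the authentication-key on the CP site do not match.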
4. General checks and show commands for access-tunnels.
Floor_Edge-6#sh access-tunnel summary

Access Tunnels General Statistics:
  Number of AccessTunnel Data Tunnels = 5

Name   SrcIP            SrcPort  DestIP           DstPort  VrfId
------ ---------------  -------  ---------------  -------  ----
Ac4    192.168.4.68     N/A      182.10.50.6      4789     0
Ac24   192.168.4.68     N/A      182.10.50.5      4789     0
Ac19   192.168.4.68     N/A      182.10.50.8      4789     0
Ac15   192.168.4.68     N/A      182.10.50.7      4789     0
Ac14   192.168.4.68     N/A      182.10.50.2      4789     0

Name   IfId        Uptime
------ ----------  --------------------
Ac4    0x00000037  2 days, 20:35:29
Ac24   0x0000004C  1 days, 21:23:16
Ac19   0x00000047  1 days, 21:20:08
Ac15   0x00000043  1 days, 21:09:53
Ac14   0x00000042  1 days, 21:03:20
Floor_Edge-6#show platform software fed switch active ifm interfaces access-tunnel

Interface                       IF_ID         State
----------------------------------------------------------------
Ac4                             0x00000037    READY
Ac14                            0x00000042    READY
Ac15                            0x00000043    READY
Ac19                            0x00000047    READY
Ac24                            0x0000004c    READY
Floor_Edge-6#
If the FED output (the second command) lists more access-tunnels than the IOS output (the first command), that is an issue: the FED entries were not cleared correctly by the Fabric Edge, so FED holds stale access-tunnel entries that IOS no longer has. In that case compare the Dest IP field in the per-IF-ID output shown next. If multiple access-tunnels share the same destination IP, it is a programming issue.
Note: Each IF-ID can be fetched from the previous command.
Floor_Edge-6#show platform software fed switch active ifm if-id 0x00000037

Interface IF_ID            : 0x0000000000000037
Interface Name             : Ac4
Interface Block Pointer    : 0xffc0b04c58
Interface State            : READY
Interface Status           : ADD
Interface Ref-Cnt          : 2
Interface Type             : ACCESS_TUNNEL
      Tunnel Type          : L2Lisp
      Encap Type           : VxLan
      IF_ID                : 0x37
Port Information
   Handle ............ [0x2e000094]
   Type .............. [Access-tunnel]
   Identifier ........ [0x37]
   Unit .............. [55]
Access tunnel Port Logical Subblock
   Access Tunnel id     : 0x37
   Switch Num           : 1
   Asic Num             : 0
   PORT LE handle       : 0xffc0b03c58
   L3IF LE handle       : 0xffc0e24608
   DI handle            : 0xffc02cdf48
   RCP service id       : 0x0
   HTM handle decap     : 0xffc0e26428
   RI handle decap      : 0xffc0afb1f8
   SI handle decap      : 0xffc0e26aa8
   RCP opq info         : 0x1
   L2 Brdcast RI handle : 0xffc0e26808
   GPN                  : 3201
   Encap type           : VXLAN
   L3 protocol          : 17
   Src IP               : 192.168.4.68
   Dest IP              : 182.10.50.6
   Dest Port            : 4789
   Underlay VRF         : 0
   XID cpp handle       : 0xffc03038f8
Port L2 Subblock
   Enabled ............. [No]
   Allow dot1q ......... [No]
   Allow native ........ [No]
   Default VLAN ........ [0]
   Allow priority tag ... [No]
   Allow unknown unicast [No]
   Allow unknown multicast[No]
   Allow unknown broadcast[No]
   Allow unknown multicast[Enabled]
   Allow unknown unicast [Enabled]
   IPv4 ARP snoop ....... [No]
   IPv6 ARP snoop ....... [No]
   Jumbo MTU ............ [0]
   Learning Mode ........ [0]
Port QoS Subblock
   Trust Type .................... [0x7]
   Default Value ................. [0]
   Ingress Table Map ............. [0x0]
   Egress Table Map .............. [0x0]
   Queue Map ..................... [0x0]
Port Netflow Subblock
Port CTS Subblock
   Disable SGACL .................... [0x0]
   Trust ............................ [0x0]
   Propagate ........................ [0x1]
   %Port SGT .......................... [-180754391]
Ref Count : 2 (feature Ref Counts + 1)
IFM Feature Ref Counts
   FID : 91, Ref Count : 1
No Sub Blocks Present
Floor_Edge-6#show platform software access-tunnel switch active R0

Name   SrcIp            DstIp            DstPort  VrfId   Iif_id
---------------------------------------------------------------------
Ac4    192.168.4.68     182.10.50.6      0x12b5   0x0000  0x000037
Ac14   192.168.4.68     182.10.50.2      0x12b5   0x0000  0x000042
Ac15   192.168.4.68     182.10.50.7      0x12b5   0x0000  0x000043
Ac19   192.168.4.68     182.10.50.8      0x12b5   0x0000  0x000047
Ac24   192.168.4.68     182.10.50.5      0x12b5   0x0000  0x00004c
Floor_Edge-6#show platform software access-tunnel switch active R0 statistics

Access Tunnel Counters (Success/Failure)
------------------------------------------
Create                6/0
Create Obj Download   6/0
Delete                3/0
Delete Obj Download   3/0
NACK                  0/0
Floor_Edge-6#show platform software access-tunnel switch active F0

Name   SrcIp            DstIp            DstPort  VrfId  Iif_id    Obj_id    Status
--------------------------------------------------------------------------------------------
Ac4    192.168.4.68     182.10.50.6      0x12b5   0x000  0x000037  0x00d270  Done
Ac14   192.168.4.68     182.10.50.2      0x12b5   0x000  0x000042  0x03cbca  Done
Ac15   192.168.4.68     182.10.50.7      0x12b5   0x000  0x000043  0x03cb9b  Done
Ac19   192.168.4.68     182.10.50.8      0x12b5   0x000  0x000047  0x03cb6b  Done
Ac24   192.168.4.68     182.10.50.5      0x12b5   0x000  0x00004c  0x03caf4  Done
Floor_Edge-6#show platform software access-tunnel switch active F0 statistics

Access Tunnel Counters (Success/Failure)
------------------------------------------
Create        0/0
Delete        3/0
HW Create     6/0
HW Delete     3/0
Create Ack    6/0
Delete Ack    3/0
NACK Notify   0/0
Floor_Edge-6#show platform software object-manager switch active f0 statistics

Forwarding Manager Asynchronous Object Manager Statistics

Object update: Pending-issue: 0, Pending-acknowledgement: 0
Batch begin:   Pending-issue: 0, Pending-acknowledgement: 0
Batch end:     Pending-issue: 0, Pending-acknowledgement: 0
Command:       Pending-acknowledgement: 0

Total-objects: 987
Stale-objects: 0
Resolve-objects: 3
Error-objects: 1
Paused-types: 0
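The comparison described above (FED should list exactly the access-tunnels IOS has, each in READY state with the same IF_ID, and no two tunnels should be programmed towards the same AP destination IP) is easy to get wrong by eye on a switch with dozens of APs. The Python script below is an added example, not part of this TechNote: it parses the outputs of show access-tunnel summary, show platform software fed switch active ifm interfaces access-tunnel, and the per-IF-ID ifm if-id output, and reports the discrepancies. The sample outputs are constructed from the Floor_Edge-6 outputs on this page (trimmed to three tunnels), with one stale tunnel, Ac30 at IF_ID 0x50, added on the FED side to produce a failing case; the parsers assume the column layouts shown on this page.

```python
"""Cross-check Fabric Edge access-tunnel programming between IOS and FED.

Added example (not from the TechNote). Sample outputs are constructed from the
Floor_Edge-6 outputs on the page, trimmed to three tunnels, plus a constructed
stale tunnel Ac30 on the FED side to show a failing case.
"""
import re
from collections import defaultdict

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "Ac4  192.168.4.68  N/A  182.10.50.6  4789  0" rows of 'show access-tunnel summary'
_IOS_ROW = re.compile(rf"^(Ac\d+)\s+{IPV4}\s+\S+\s+({IPV4})\s+(\d+)\s+\d+$")
# "Ac4  0x00000037  2 days, 20:35:29" rows of the same command
_IOS_IFID = re.compile(r"^(Ac\d+)\s+(0x[0-9a-fA-F]+)\s+\d")
# "Ac4  0x00000037  READY" rows of 'show platform software fed ... ifm interfaces access-tunnel'
_FED_ROW = re.compile(r"^(Ac\d+)\s+(0x[0-9a-fA-F]+)\s+(\S+)$")
# fields of 'show platform software fed ... ifm if-id <IF_ID>' (one block per tunnel)
_FED_NAME = re.compile(r"Interface Name\s*:\s*(Ac\d+)")
_FED_DEST = re.compile(rf"Dest IP\s*:\s*({IPV4})")


def parse_ios_summary(text):
    """{name: {'dest': ip, 'port': int, 'ifid': int}} from 'show access-tunnel summary'."""
    tunnels = {}
    for line in map(str.strip, text.splitlines()):
        m = _IOS_ROW.match(line)
        if m:
            tunnels[m[1]] = {"dest": m[2], "port": int(m[3])}
            continue
        m = _IOS_IFID.match(line)
        if m and m[1] in tunnels:
            tunnels[m[1]]["ifid"] = int(m[2], 16)
    return tunnels


def parse_fed_list(text):
    """{name: {'ifid': int, 'state': str}} from the FED access-tunnel interface list."""
    entries = {}
    for line in map(str.strip, text.splitlines()):
        m = _FED_ROW.match(line)
        if m:
            entries[m[1]] = {"ifid": int(m[2], 16), "state": m[3]}
    return entries


def parse_fed_ifid_details(text):
    """{name: dest_ip} from one or more concatenated 'ifm if-id <IF_ID>' outputs."""
    dests, current = {}, None
    for line in text.splitlines():
        m = _FED_NAME.search(line)
        if m:
            current = m[1]
            continue
        m = _FED_DEST.search(line)
        if m and current:
            dests[current] = m[1]
    return dests


def audit_access_tunnels(ios_text, fed_list_text, fed_detail_text=""):
    """Return a list of findings; an empty list means IOS and FED agree."""
    ios, fed = parse_ios_summary(ios_text), parse_fed_list(fed_list_text)
    findings = []
    stale = sorted(set(fed) - set(ios))
    if stale:  # the FED-count-higher-than-IOS case described in the text
        findings.append(f"FED has {len(fed)} access-tunnels but IOS has {len(ios)}; "
                        f"stale FED entries: {', '.join(stale)}")
    for name in sorted(set(ios) - set(fed)):
        findings.append(f"{name} exists in IOS but is not programmed in FED")
    for name in sorted(set(ios) & set(fed)):
        if ios[name].get("ifid") != fed[name]["ifid"]:
            findings.append(f"{name}: IF_ID mismatch between IOS and FED")
        if fed[name]["state"] != "READY":
            findings.append(f"{name}: FED state is {fed[name]['state']}, expected READY")
    by_dest = defaultdict(list)  # two tunnels towards one AP IP = programming issue
    for name, dest in parse_fed_ifid_details(fed_detail_text).items():
        by_dest[dest].append(name)
    for dest, names in sorted(by_dest.items()):
        if len(names) > 1:
            findings.append(f"Dest IP {dest} is programmed on multiple tunnels: {', '.join(names)}")
    return findings


IOS_SUMMARY = """\
Name   SrcIP            SrcPort  DestIP           DstPort  VrfId
------ ---------------  -------  ---------------  -------  ----
Ac4    192.168.4.68     N/A      182.10.50.6      4789     0
Ac15   192.168.4.68     N/A      182.10.50.7      4789     0
Ac14   192.168.4.68     N/A      182.10.50.2      4789     0

Name   IfId        Uptime
------ ----------  --------------------
Ac4    0x00000037  2 days, 20:35:29
Ac15   0x00000043  1 days, 21:09:53
Ac14   0x00000042  1 days, 21:03:20
"""
FED_LIST_OK = """\
Interface                       IF_ID         State
----------------------------------------------------------------
Ac4                             0x00000037    READY
Ac14                            0x00000042    READY
Ac15                            0x00000043    READY
"""
FED_LIST_STALE = FED_LIST_OK + "Ac30                            0x00000050    READY\n"
FED_DETAIL_STALE = """\
Interface Name             : Ac4
   Dest IP              : 182.10.50.6
Interface Name             : Ac30
   Dest IP              : 182.10.50.6
"""

if __name__ == "__main__":
    print(audit_access_tunnels(IOS_SUMMARY, FED_LIST_STALE, FED_DETAIL_STALE))
```

Collect the three outputs with show ... | redirect flash:<file> and feed them to audit_access_tunnels; the per-IF-ID outputs for all tunnels can simply be concatenated into one file, since the parser keys each Dest IP on the Interface Name line that precedes it.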
5. Traces and debugs that need to be collected.
Step 1. Collect the archive logs before enabling traces/debugs:
request platform software trace archive target flash:<Filename>
Floor_Edge-6#request platform software trace archive target flash:Floor_Edge-6_12_14_18
Waiting for trace files to get rotated.
Creating archive file [flash:Floor_Edge-6_12_14_18.tar.gz]
Done with creation of the archive file: [flash:Floor_Edge-6_12_14_18.tar.gz]
Step 2. Increase the logging buffer and disable console logging.
Floor_Edge-6(config)#logging buffered 214748364
Floor_Edge-6(config)#no logging console
Step 3. Set Traces.
Step 4. Enable Debugs.
Step 5. shut/no shut the interface port where the AP is connected.
Step 6. Collect the archive logs as in Step 1, with a different filename.
Step 7. Redirect the logging buffer to flash.
Floor_Edge-6#show logging | redirect flash:<Filename>
Floor_Edge-6#show logging | redirect flash:console_logs_Floor_Edge-6_12_14_18
Debugging wireless client issues on SD-Access Fabric Enabled Wireless (FEW) can be tricky.
Follow this workflow to eliminate one device at a time:
1. WLC
2. Fabric Edge
3. Access Point (if debugging on Fabric Edge points to AP)
4. Intermediate/Border node. (If data path issue)
5. Control Plane Node. (If Control path issue)
For client connectivity issues, begin by collecting information on the WLC, which includes show commands and debugs.
AireOS WLC show commands:
AireOS WLC Debug commands:
Once the WLC debugs show no control-plane path issues for the client (the client moves through Assoc and Authentication to the RUN state with the correct SGT tagging or AAA parameters), move to this step to isolate the issue further.
Also verify that the access-tunnel programming is correct, as described in the AP debugging section above.
show commands to verify:
Find the L2 LISP instance ID from show client detail <mac_id> on the WLC (collected above).
show lisp instance-id <L2_LISP> ethernet database wlc --> Lists all WLC-associated clients for that L2 LISP instance ID. The number of sources should match the number of Control Plane nodes in the network.
show lisp instance-id <L2_LISP> ethernet database wlc <client mac in h.h.h> --> Shows the detail for the specific client.
show device-tracking database | i Vl --> Find the specific SVI where the client is connected; the client needs to be present there.
show device-tracking database | i <mac> --> Find the client entry; it should be against the correct VLAN, interface, state, and age.
show mac address-table dynamic vlan <VLAN-ID> --> The entry for the MAC should match the device-tracking database; if it does, check the MAC address entry in FED.
show ip dhcp snooping binding vlan <vlan_where_client_is_connected>
show ip arp vrf <VN>
show mac address-table vlan <vlan_where_client_is_connected>
show platform software fed switch active matm macTable vlan <vlan_where_client_is_connected> --> If this is correct, the wireless client is being programmed correctly on the local switch.
show platform software matm switch active F0 mac <mac_id>
Debug commands on Fabric Edge
Collect FED traces if there is an issue with the programming of the client entry on the Fabric Edge. There are two ways to do this after enabling the debugs below.
The debugs and set commands need to be enabled regardless of the method.
debug (make sure to disable console logging and increase the logging buffer first)
Method 1. Collect RadioActive (RA) tracing logs for the specific client after enabling the debugs.
Note: if it is a DHCP issue, do not use this method.
Wait for the issue to reproduce.
Redirect the console logs to flash after the issue is reproduced.
Method 2. Collect archive trace logs after enabling the debugs.
Wait for the issue to reproduce.
request platform software trace archive
Collect the file, decode the logs, and analyze the fed, ios, and fman logs for the client MAC.
Redirect the console logs to flash after the issue is reproduced.
Debugs on 2800/3800/1562 AP Models:
For AP-side issues, collect all the WLC show commands and logs before collecting the AP-side logs, and attach them to the SR (service request).
Follow these steps to debug data-related issues on the client side.
1. Collect the AP show commands (2-3 times, before and after completion of the tests).
If it is a CWA issue, collect the logs below as well, in addition to the commands above. These commands need to be collected once before and once after completion of the test.
2. AP debugs (filtered per client MAC address)
Client Datapath Issues:
Client AP traces:
CWA Issues:
Things to note:
Find out at what stage the issue is observed.
Step 1. Is the client getting an IP address and moving to the Webauth Pending state?
Step 2. Is the client able to load the redirect page?
Step 3. Is the client able to see the web page, but the issue is with logging in and moving to the success state?
1. Debugs on WLC:
AireOS:
Polaris:
AireOS:
Polaris (9300/9400/9500):
set platform software trace wncd switch active r0 all-modules debug
Reproduce the issue
show platform software trace message wncd switch active R0 reverse | redirect flash:<filename>
request platform software trace archive
Collect both files from flash
2. Debugs on AP:
Collect ACL information:
show ip access-lists
Collect these debugs from the AP:
Some issues can be debugged with these debugs:
1. DHCP Discover messages are not seen on the switch.
2. The wireless client does not get a DHCP Offer back, although the DHCP Discover is observed in the debug ip dhcp snooping packet logs.
3. Collect packet captures on the port connected to the AP, on the uplink port, and on the port connected to the DHCP server on the fusion side.
Debugs/Show commands which can be:
1. Check on Cisco DNA Center that the SSID is assigned to an IP pool.
2. Check that the WLAN is enabled on the WLC.
3. Check that the radios are enabled and that both the 802.11a and 802.11b networks are enabled.
1. Narrow down whether the issue affects wired clients, wireless clients, or both. Test the same traffic from a wireless client on the VNID, then from a wired client on the same VNID.
2. If wired clients in the fabric on the same VN are not experiencing issues but wireless clients are, the issue is on the AP side.
3. Before debugging any client performance or traffic-related issue on the AP side, make sure client connectivity itself is not the issue.
4. Using debug client on the WLC, confirm whether the client observes the degradation during roaming, at session timeout, or while stably connected to the same AP.
5. Once the issue is narrowed down to a specific AP, follow these steps to collect debugs on 3800/2800/4800 APs, along with a packet capture on the switch connected to the AP and an over-the-air packet capture.
Step 1. Make sure the traffic used to reproduce the issue actually mimics the issue.
Step 2. An over-the-air packet capture needs to be set up on the customer's side where the test is performed.
Instructions for collecting over-the-air packet captures:
Here you can find the guide on how to set up an over-the-air packet capture; you can use a Windows client machine, an Apple client machine, or configure a sniffer-mode AP (suggested):
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/80211/200527-Fundamentals-of-802-11-Wireless-Sniffing.html
There are a few things to consider:
+ Use an SSID with open L2/L3 security to avoid encryption of the packets over the air.
+ Set the client-serving AP and the sniffer AP on the same channel.
+ The sniffer AP should be close enough to capture what the client-serving AP is receiving or sending.
A SPAN session should be taken at the same time as the OTA pcap for a proper analysis. How to configure a SPAN session (switchport traffic mirroring):
Nexus switches: https://www.cisco.com/c/en/us/support/docs/switches/nexus-7000-series-switches/113038-span-nexus-config.html
IOS switches: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/network_management/configuration_guide/b_nm_15ex_2960-x_cg/b_nm_15ex_2960-x_cg_chapter_0111.html
Step 3. Debug the client from the WLC and capture packets on the switch where the AP is connected. Switch Embedded Packet Capture (EPC) can be used to collect these captures.
Step 4. Debugs from the 3800 AP ssh/telnet session
Logs to be collected from the 3800 AP:

A) Run the following commands once before starting the test. [Once all commands have been tested, copy them into a text file so that they are easy to paste into devshell; multiple iterations of these command outputs are needed during the test.]

Step A. Devshell commands on the AP - use SSH.
--------------------------------------------------
1) Get the wired0 input packet count
date
cd /click/fromdev_wired0/
cat icounts ocounts calls

2) Fabric gateway and clients
cat /click/client_ip_table/cli_fabric_clients
cd /click/fabric_tunnel/
cat show_fabric_gw

3) Tunnel decap stats
cd /click/tunnel_decap/
cat icounts ocounts tunnel_decap_stats tunnel_decap_no_match decap_vxlan_stats
cat tunnel_decap_list

4) Tunnel encap stats
cd /click/tunnel_encap/
cat icounts ocounts tunnel_encap_stats encap_vxlan_stats tunnel_encap_discard
cat get_mtu eogre_encap_list

5) Wireless client stats
Note: this last set of commands must be issued on the correct radio/VAP combination. For example, if the client is on radio 1, VAP 3:
cat /click/client_ip_table/list   = From this output, check the port/interface aprXvY the client is connected to, and use it in the commands below.
cd /click/fromdev_apr1v3/
cat icounts ocounts calls
cd /click/todev_apr1v3/
cat icounts ocounts calls

Steps B - E
B) Start the OTA capture between the AP and the client, and start the wired PCAP (SPAN of the AP port where the client is connected). Both the wired and the wireless pcap are needed for the analysis.
C) Use an open-auth WLAN (no security) so that the OTA pcap can be analyzed. Start an iperf test and keep it running continuously for 10-15 minutes.
D) Repeat Step A every two minutes, using the date command to timestamp each iteration. Take 5 or more iterations.
E) After the test is completed, collect show tech from the AP.
It is assumed that the DHCP scope for the AP VLAN has option 43 (matched on the option 60 vendor class the AP sends) pointing to the WLC.
1. Select Authentication as No Authentication.
2. Configure Infra_VN with the AP IP pool and Default_VN with the wireless client IP pool.
3. Configure the Edge interface ports where the APs are connected with Infra_VN.
4. Once the AP gets an IP and joins the WLC, it is discovered in the device inventory.
5. Select the AP, assign it to a specific site, and provision the AP.
6. Once provisioned, the AP is assigned to the AP group created when the WLC was added to the Fabric.
It is assumed that the DHCP scope for the AP VLAN has option 43 pointing to Cisco DNA Center. Follow the Cisco DNA Center guide to configure AP PnP.
Fabric Edge Side:
Enable these debugs: