Troubleshoot Wireless- Software Defined Access on Cisco DNA Center

Introduction

This document describes the wireless FAQs and how to troubleshoot Software-Defined Access on Cisco DNA Center.

Command Cheat Sheet for Fabric

These are the command cheat sheet for fabric on Control Node, Edge Node, Wireless Lan Controller (WLC), and Access Point (AP).

Control Node:

• show lisp instance-id <L2 ap instance id> ethernet server - MAC to Endpoint Identification (EID) Mapping
• show lisp instance-id <L3 ap instance id> ipv4 server - IP to EID Mapping
• show lisp instance-id 8188 ethernet server address-resolution - MAC to IP Mapping for a specific instance ID
• show lisp site
• show tech-support
• show tech-support lisp

Edge Node:

• show lisp instance-id <L2 ap instance id> ethernet database wlc
• show lisp instance-id <L2 client instance id> ethernet database wlc
• show access-tunnel summary
• show platform software fed switch active ifm interfaces access-tunnel
• show platform software access-tunnel switch active R0
• show platform software access-tunnel switch active R0 statistics
• show platform software access-tunnel switch active F0
• show platform software access-tunnel switch active F0 statistics
• show platform software object-manager switch active F0 statistics
• show platform software object-manager switch active F0 pending-issue-update
• show platform software object-manager switch active F0 pending-ack-update
  
• show platform software object-manager switch active F0 error-object
• show tech-support
• show tech-support lisp

WLC (AireOS):

• show fabric ap summary
• show fabric summary
• show fabric map-server summary
• show run-config
• show run-config commands
• show tech

WLC (IOS-XE)

• show ap summary
• show fabric ap summary
• show wireless fabric summary
• show wireless client summary
• show tech-support wireless
• show tech-support wireless fabric
• show tech-support lisp (If Fabric in a box or Embedded wireless running on 9300/9400/9500)
• show tech-support (If Fabric in a box or Embedded wireless running on 9300/9400/9500)

Access Point: 

• show ip tunnel fabric
• show tech-support

AireOS WLC Config Push from Cisco DNA Center 

Here it shows the AireOS WLC config push from Cisco DNA Center after Provisioning (Note: Using Reference as 3504 WLC).

show radius summary after WLC Provisioning:

(sdawlc3504) >show radius summary 

Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Accounting Call Station Id Type.................. Mac Address
Auth Call Station Id Type........................ AP's Radio MAC Address:SSID
Extended Source Ports Support.................... Enabled
Aggressive Failover.............................. Disabled
Keywrap.......................................... Disabled
Fallback Test:
    Test Mode.................................... Passive
    Probe User Name.............................. cisco-probe
    Interval (in seconds)........................ 300
MAC Delimiter for Authentication Messages........ hyphen
MAC Delimiter for Accounting Messages............ hyphen
RADIUS Authentication Framed-MTU................. 1300 Bytes

Authentication Servers

Idx  Type  Server Address    Port    State     Tout  MgmtTout  RFC3576  IPSec - state/Profile Name/RadiusRegionString
---  ----  ----------------  ------  --------  ----  --------  -------  -------------------------------------------------------
1  * NM    192.168.2.193     1812    Enabled   2     5         Enabled   Disabled - /none
2    M     172.27.121.193    1812    Enabled   2     5         Enabled   Disabled - /none

WLAN Config Push is seen under show wlan summary.

(sdawlc3504) >show wlan summary 

Number of WLANs.................................. 7

WLAN ID  WLAN Profile Name / SSID                                                 Status    Interface Name        PMIPv6 Mobility
-------  -----------------------------------------------------------------------  --------  --------------------  ---------------
1        Test / Test                                                              Enabled   management            none        
17       dnac_guest_F_global_5dfbd_17 / dnac_guest_206                            Disabled  management            none        
18       dnac_psk_2_F_global_5dfbd_18 / dnac_psk_206                              Disabled  management            none        
19       dnac_wpa2__F_global_5dfbd_19 / dnac_wpa2_206                             Enabled   management            none        
20       dnac_open__F_global_5dfbd_20 / dnac_open_206                             Enabled   management            none        
21       Test!23_F_global_5dfbd_21 / Test!23                                      Disabled  management            none 

WLC Config Push from Cisco DNA Center

Here it shows the WLC config push from Cisco DNA Center after WLC is added to Fabric.

How to Check if Map-Server is Reachable?

show fabric map-server summary after WLC is added to Fabric.

(sdawlc3504) >show fabric map-server summary 

MS-IP     Connection status 

--------------------------------

192.168.4.45    UP                   

192.168.4.66    UP 

Debug Fabric Map-Server Connectivity

Control Plane (CP) connectivity can go down or stay down due to various reasons.

• If CP went down. (which is not in this case)
• Intermediate nodes going down which are connecting WLC to CP, for example, fusion router.
• If CP connectivity to WLC went down due to link down. This can be WLC to an immediate neighbor or CP to an immediate neighbor towards WLC.

show fabric map-server detailed

show fabric TCP creation-history <Map-Server IP>

Debugs which may provide further information

debug fabric lisp map-server tcp enable

debug fabric lisp map-server all enable

How to Check that Fabric is Enabled and What is the Expected Output?

show fabric summary after WLC is added to Fabric.

(sdawlc3504) >show fabric summary 

Fabric Support................................... enabled

Enterprise Control Plane MS config
--------------------------------------

Primary Active MAP Server
IP Address....................................... 192.168.4.45

Secondary Active MAP Server
IP Address....................................... 192.168.4.66

Guest Control Plane MS config
-------------------------------

Fabric TCP keep alive config
----------------------------

Fabric MS TCP retry count configured ............ 3
Fabric MS TCP timeout configured ................ 10
Fabric MS TCP keep alive interval configured .... 10
Fabric Interface name configured .............. management

Fabric Clients registered ..................... 0

Fabric wlans enabled .......................... 3

Fabric APs total Registration sent ............ 30

Fabric APs total DeRegistration sent .......... 9

Fabric AP RLOC reguested ...................... 15

Fabric AP RLOC response received .............. 30

Fabric AP RLOC send to standby ................ 0

Fabric APs registered by WLC .................. 6

VNID Mappings configured: 4 

Name                              L2-Vnid     L3-Vnid     IP Address/Subnet         
--------------------------------  ----------  ----------  ---------------------------------
182_10_50_0-INFRA_VN              8188        4097        182.10.50.0 / 255.255.255.128
10_10_10_0-Guest_Area             8190        0           0.0.0.0 / 0.0.0.0
182_10_100_0-DEFAULT_VN           8191        0           0.0.0.0 / 0.0.0.0
182_11_0_0-DEFAULT_VN             8189        0           0.0.0.0 / 0.0.0.0

Fabric Flex-Acl-tables           Status
-------------------------------- -------
DNAC_FABRIC_FLEX_ACL_TEMPLATE    Applied

Fabric Enabled Wlan summary
WLAN ID  SSID                              Type  L2 Vnid     SGT     RLOC IP          Clients  VNID Name 
-------  --------------------------------  ----  ----------  ------  ---------------  -------  -------------------------------- 
 19      dnac_wpa2_206                     WLAN  8189        0       0.0.0.0          0         182_11_0_0-DEFAULT_VN           
 20      dnac_open_206                     WLAN  8189        0       0.0.0.0          0         182_11_0_0-DEFAULT_VN   

WLAN Config Push from Cisco DNA Center

WLAN config push from Cisco DNA Center is seen under show fabric wlan summary after WLC is added to Fabric and client IP Pool is assigned to Fabric Wireless LAN (WLAN) under Provision > Fabric > Host Onboarding.

show fabric wlan summary after Fabric provisioning.

(sdawlc3504) >show fabric wlan summary 

WLAN ID  SSID                              Type  L2 Vnid     SGT     RLOC IP          Clients  VNID Name 
-------  --------------------------------  ----  ----------  ------  ---------------  -------  -------------------------------- 
 19      dnac_wpa2_206                     WLAN  8189        0       0.0.0.0          0         182_11_0_0-DEFAULT_VN           
 20      dnac_open_206                     WLAN  8189        0       0.0.0.0          0         182_11_0_0-DEFAULT_VN 

Debug Wireless Issues

AP Join Debugging/Access Tunnel Formation Debugging

1. Check if AP got IP address.

show ip dhcp snooping binding → On Fabric Edge

If it doesn't show an IP for the attached AP interface, please enable these debugs on Switch and check whether AP is getting IP or not.

debug ip dhcp snooping packet

debug ip dhcp snooping event

Sample Log File attached below → 

Example:

Floor_Edge-6#sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
0C:75:BD:0D:46:60 182.10.50.7 670544 dhcp-snooping 1021 GigabitEthernet1/0/7 → AP interface should be having an IP

2. Check if AP joins WLC.

• show ap summary → On WLC
• show ap join stat summary → On WLC

If AP has never joined WLC, enable these debugs on WLC.

• debug capwap events enable
• debug capwap errors enable

3. If AP forms CAPWAP but no access-tunnels are formed between AP and Switch, please perform these checks

Step 1. Do APs in WLC have RLOC IPs or not, if not please checkpoint 1 here.

1. In order to make the Fabric control plane protocol more resilient, it's important that a specific route to the WLC is present in each fabric node's global routing table. The route to WLC's IP address be should be either redistributed into the underlay IGP protocol at the Border or configured statically at each node. In other words, the WLC should not be reachable through the default route.

Step 2. If APs in WLC shows correct RLOCs and under show fabric summary it shows RLOC requested with RLOC received all good, please check these steps

2. Check on Control Plane node, show lisp instance-id <L2 ap instance id> ethernet server→ It should contain Base Radio MAC for AP.

    Check on the Fabric Edge node, show lisp instance-id <L2 ap instance id> ethernet database wlc → It should contain Base Radio MAC for AP and not the ethernet MAC of AP.

If the above 2 commands don't show Base Radio MAC of AP and access-tunnels are not forming. Enable debug lisp control-plane all on Control plane and search for Base Radio MAC in logging.

Note: debug lisp control-plane all on Control plane is really chatty, please disable console logging before turning on the debugs.

If you see authentication failure as shown here, please check the authentication key between WLC and CP node.

Dec  7 17:42:01.655: LISP-0: MS Site EID IID 8188 prefix any-mac SVC_VLAN_IAF_MAC site site_uci, Registration failed authentication for more specific 2c0b.e9c6.ec80/48

Dec  7 17:42:01.659: LISP-0: Building reliable registration message registration-rejected for IID 8188  EID 2c0b.e9c6.ec80/48 , Rejection Code: authentication failure/2.

How to check authentication key on Fabric configuration between WLC and CP.

On WLC, please check on GUI under Controller > Fabric Configuration > Control Plane > (Pre Shared Key)

On CP, please check on switch using sh running-config | b map-server session CP#sh running-config | b map-server session map-server session passive-open WLC site site_uci description map-server configured from apic-em authentication-key <hidden> (Ensure that the Pre shared key on WLC should match with this authentication key on CP)

Note: Generally Cisco DNA Center pushes this key so don't change it unless required and know what is configured on CP/WLC]

4. General checks and show commands for Access-tunnels.

• show access-tunnel summary

Floor_Edge-6#sh access-tunnel summary 

Access Tunnels General Statistics:
 Number of AccessTunnel Data Tunnels = 5 


Name SrcIP SrcPort DestIP DstPort VrfId 
------ --------------- ------- --------------- ------- ----
Ac4 192.168.4.68 N/A 182.10.50.6 4789 0 
Ac24 192.168.4.68 N/A 182.10.50.5 4789 0 
Ac19 192.168.4.68 N/A 182.10.50.8 4789 0 
Ac15 192.168.4.68 N/A 182.10.50.7 4789 0 
Ac14 192.168.4.68 N/A 182.10.50.2 4789 0 


Name IfId Uptime 
------ ---------- --------------------
Ac4 0x00000037 2 days, 20:35:29 
Ac24 0x0000004C 1 days, 21:23:16 
Ac19 0x00000047 1 days, 21:20:08 
Ac15 0x00000043 1 days, 21:09:53 
Ac14 0x00000042 1 days, 21:03:20 

• show platform software fed switch active ifm interfaces access-tunnel
  

Floor_Edge-6#show platform software fed switch active ifm interfaces access-tunnel 
Interface                   IF_ID               State             
----------------------------------------------------------------
Ac4                         0x00000037          READY             
Ac14                        0x00000042          READY             
Ac15                        0x00000043          READY             
Ac19                        0x00000047          READY             
Ac24                        0x0000004c          READY             

Floor_Edge-6#

If Access-tunnels under command b) are higher than a), that is an issue. Here Fed entries were not cleared correctly by Fabric Edge and thus there are multiple access-tunnel entries on Fed compared to IOS. Compare Dest IP after executing the command shown here. If multiple access-tunnel share the same Destination IP, that's the issue with programming.

• show platform software fed switch active ifm if-id <Each AP IF-ID> 

Note: Each IF-ID can be fetched from the previous command.

Floor_Edge-6#show platform software fed switch active ifm if-id 0x00000037  
Interface IF_ID         : 0x0000000000000037
Interface Name          : Ac4
Interface Block Pointer : 0xffc0b04c58
Interface State         : READY
Interface Status        : ADD
Interface Ref-Cnt       : 2
Interface Type          : ACCESS_TUNNEL
        Tunnel Type       : L2Lisp
        Encap Type        : VxLan
        IF_ID             : 0x37

        Port Information
        Handle ............ [0x2e000094]
        Type .............. [Access-tunnel]
        Identifier ........ [0x37]
        Unit .............. [55]
        Access tunnel Port Logical Subblock
                Access Tunnel id  : 0x37
                Switch Num        : 1
                Asic Num          : 0
                PORT LE handle    : 0xffc0b03c58
                L3IF LE handle    : 0xffc0e24608
                DI handle         : 0xffc02cdf48
                RCP service id    : 0x0
                HTM handle decap  : 0xffc0e26428
                RI handle decap   : 0xffc0afb1f8
                SI handle decap   : 0xffc0e26aa8
                RCP opq info      : 0x1
                L2 Brdcast RI handle  : 0xffc0e26808
                GPN               : 3201
                Encap type        : VXLAN
                L3 protocol       : 17
                Src IP            : 192.168.4.68
                Dest IP           : 182.10.50.6
                Dest Port         : 4789
                Underlay VRF      : 0
                XID cpp handle    : 0xffc03038f8
        Port L2 Subblock
                Enabled ............. [No]
                Allow dot1q ......... [No]
                Allow native ........ [No]
                Default VLAN ........ [0]
                Allow priority tag ... [No]
                Allow unknown unicast  [No]
                Allow unknown multicast[No]
                Allow unknown broadcast[No]
                Allow unknown multicast[Enabled]
                Allow unknown unicast  [Enabled]
                IPv4 ARP snoop ....... [No]
                IPv6 ARP snoop ....... [No]
                Jumbo MTU ............ [0]
                Learning Mode ........ [0]
        Port QoS Subblock
                Trust Type .................... [0x7]
                Default Value ................. [0]
                Ingress Table Map ............. [0x0]
                Egress Table Map .............. [0x0]
                Queue Map ..................... [0x0]
        Port Netflow Subblock
        Port CTS Subblock
                Disable SGACL .................... [0x0]
                Trust ............................ [0x0]
                Propagate ........................ [0x1]
        %Port SGT .......................... [-180754391]
Ref Count : 2 (feature Ref Counts + 1)
IFM Feature Ref Counts
        FID : 91, Ref Count : 1
No Sub Blocks Present

• show platform software access-tunnel switch active R0

Floor_Edge-6#show platform software access-tunnel switch active R0        
Name     SrcIp            DstIp             DstPort   VrfId    Iif_id  
---------------------------------------------------------------------
Ac4      192.168.4.68     182.10.50.6        0x12b5  0x0000  0x000037  
Ac14     192.168.4.68     182.10.50.2        0x12b5  0x0000  0x000042  
Ac15     192.168.4.68     182.10.50.7        0x12b5  0x0000  0x000043  
Ac19     192.168.4.68     182.10.50.8        0x12b5  0x0000  0x000047  
Ac24     192.168.4.68     182.10.50.5        0x12b5  0x0000  0x00004c  

•   show platform software access-tunnel switch active R0 statistics

Floor_Edge-6#show platform software access-tunnel switch active R0 statistics 
Access Tunnel Counters   (Success/Failure)
------------------------------------------
Create                  6/0
Create Obj Download     6/0
Delete                  3/0
Delete Obj Download     3/0
NACK                    0/0

• show platform software access-tunnel switch active F0

Floor_Edge-6#show platform software access-tunnel switch active F0 
Name     SrcIp            DstIp             DstPort  VrfId    Iif_id    Obj_id  Status        
--------------------------------------------------------------------------------------------
Ac4      192.168.4.68     182.10.50.6        0x12b5  0x000  0x000037  0x00d270  Done          
Ac14     192.168.4.68     182.10.50.2        0x12b5  0x000  0x000042  0x03cbca  Done          
Ac15     192.168.4.68     182.10.50.7        0x12b5  0x000  0x000043  0x03cb9b  Done          
Ac19     192.168.4.68     182.10.50.8        0x12b5  0x000  0x000047  0x03cb6b  Done          
Ac24     192.168.4.68     182.10.50.5        0x12b5  0x000  0x00004c  0x03caf4  Done  

•   show platform software access-tunnel switch active F0 statistics

Floor_Edge-6#show platform software access-tunnel switch active F0 statistics 
Access Tunnel Counters   (Success/Failure)
------------------------------------------
Create                  0/0
Delete                  3/0
HW Create               6/0
HW Delete               3/0
Create Ack              6/0
Delete Ack              3/0
NACK Notify             0/0

• show platform software object-manager switch active f0 statistics

Floor_Edge-6#show platform software object-manager switch active f0 statistics        
Forwarding Manager Asynchronous Object Manager Statistics

Object update: Pending-issue: 0, Pending-acknowledgement: 0
Batch begin:   Pending-issue: 0, Pending-acknowledgement: 0
Batch end:     Pending-issue: 0, Pending-acknowledgement: 0
Command:       Pending-acknowledgement: 0
Total-objects: 987
Stale-objects: 0
Resolve-objects: 3
Error-objects: 1
Paused-types: 0

• show platform software object-manager switch active f0 pending-issue-update
• show platform software object-manager switch active f0 pending-ack-update
• show platform software object-manager switch active f0 error-object

5. Traces and Debugs which need to be collected.

Step 1. Collect Archive logs before enabling traces/debugs

request platform software trace archive target flash:<Filename>

Floor_Edge-6#request platform software trace archive target flash:Floor_Edge-6_12_14_18
Waiting for trace files to get rotated.
Creating archive file [flash:Floor_Edge-6_12_14_18.tar.gz]
Done with creation of the archive file: [flash:Floor_Edge-6_12_14_18.tar.gz]

Step 2.  Increase logging buffer and disable the console.

Floor_Edge-6(config)#logging buffered 214748364
Floor_Edge-6(config)#no logging console 

Step 3. Set Traces.

• set platform software trace forwarding switch active R0 access-tunnel verbose
• set platform software trace forwarding switch active F0 access-tunnel verbose
• set platform software trace fed switch active ifm_main debug
• set platform software trace fed switch active access_tunnel verbose
• set platform software trace forwarding-manager switch active F0 aom verbose

Step 4. Enable Debugs.

• debug l2lisp all
• debug lisp control-plane all
• debug platform software l2lisp events

Step 5.  shut/no shut interface port where AP is connected.

Step 6. Collect Archive logs same as Step 1. with a different filename.

Step 7.  Redirect logging file to flash.

Floor_Edge-6#show logging | redirect flash:<Filename>

Floor_Edge-6#show logging | redirect flash:console_logs_Floor_Edge-6_12_14_18

Client Debugging

Debug Wireless client's issues on SDA FEW can become tricky.

Please follow this workflow to eliminate one device at a time.

1. WLC

2. Fabric Edge

3. Access Point (if debugging on Fabric Edge points to AP)

4. Intermediate/Border node. (If data path issue)

5. Control Plane Node. (If Control path issue)

WLC Debugging

For client connectivity issues, please begin debugging by collecting information on WLC which includes show commands and debugs.

AireOS WLC show commands:

• show run-config
• show tech
• show wlan summary
• show wlan <id> --> Collect this output for all SSIDs, at least 1 for working and non-working
• show fabric summary
• show fabric map-server summary
• show client summary
• show client detail <mac_id>

AireOS WLC Debug commands:

• debug client <mac1> --> Client assoc, roaming, debugs.
• debug fabric client detail enable --> This provides information fabric registration messages

Fabric Edge Debugging

Once debugged on WLC and observed there are no control-plane path-related issues for the client. The client moves from Assoc, Authentication, and runs the state with correct SGT tagging or AAA parameters, move to this step to further isolate the issue.

Another thing to verify is the access-tunnel programming is correct as described in the above AP debugging section.

show commands to verify:

Find L2 lisp instance ID from (show client detail <mac_id> from above)

show lisp instance-id <L2_LISP> ethernet database wlc --> This lists all WLC associated clients for that specific L2 lisp instance ID. A number of sources should match the number of Control plane nodes in the network
show lisp instance-id <L2_LISP> ethernet database wlc <client mac in h.h.h> --> This shows the detail for the specific client
show device-tracking database | i Vl --> Find Specific SVI where the client is connected and needs to be present.
show device-tracking database | i <mac> --> Find the client entry, should be against correct VLAN, Interface, State, and Age.
show mac address-table dynamic vlan <VLAN-ID> --> The entry for the mac should match the device-tracking database, if it does please check mac address entry on FED
show ip dhcp snooping binding vlan <vlan_where_client_is_connected>
show ip arp vrf <VN>
show mac address-table vlan <vlan_where_client_is_connected>
show platform software fed switch active matm macTable vlan <vlan_where_client_is_connected> --> If this is correct, programming for wireless client is happening correctly on local switch.
show platform software matm switch active F0 mac <mac_id>

Debug commands on Fabric Edge

Need to collect Fed traces if there is an issue in the programming of the client entry on Fabric Edge. There are 2 ways to do the same after enabling these debugs.

Debugs and set commands need to be enabled regardless of the method.

• set platform software trace fed switch active all-modules emergency
• set platform software trace fed switch active l2_fib_entry verbose
• set platform software trace fed switch active l2_fib_adj verbose
• set platform software trace fed switch active inject verbose
• set platform software trace fed switch active matm verbose

debug (Make sure to disable console logging and increase logging buffer)

• debug device-tracking
• debug lisp control-plane all
• debug platform fhs all
• debug platform software l2lisp events
• debug matm all

Method 1. Collect radio active tracing logs for specific client after enabling debugs.

Note: if DHCP issue, please do not use this method]

Wait for the issue to re-produce

• debug platform condition mac <mac-id> control-plane
• debug platform condition start
• debug platform condition stop
• request plat soft trace filter-binary wireless context mac <mac-id>

Redirect the console logs to flash after the issue is reproduced.

Method 2. Collect archive trace logs after enabling debugs.

Wait for the issue to re-produce

request platform software trace archive

Collect the file decode the logs and analyze fed, ios, fman logs for the client mac.

Redirect the console logs to flash after the issue is reproduced.

Access Point Debugging

Debugs on 2800/3800/1562 AP Models:

For the AP side issues, please ensure to collect all the WLC show commands and logs before collecting AP side logs and attach to SR.

Please follow these steps in order to debug data-related issues on the client-side.

1. Collect AP show commands: (2-3 times, before and after completion of the tests)

• show clock
• term len 0
• term mon
• show tech
• show logging
• show controllers nss stats show controllers nss status
• show ip tunnel fabric

If CWA Issue, please collect below logs as well in addition to the top commands. Below commands needs to be collected once before and after completion of test.

• show client access-lists pre-auth all <client mac>
• show client access-lists post-auth all <client mac>
• show ip access-lists
• show controller d [0/1] client
• show capwap cli detailrcb
• show tech support

2. AP debugs (filter per MAC Address)

CWA Issues:

• debug capwap client avc all
• debug capwap client acl
• debug client <client mac>
• debug dot11 client level info address <mac>
• debug dot11 client level events address <mac>
• debug flexconnect pmk

Use Case Debugging

Client CWA Debugging

Things to note:

• When deploying CWA in SDA, always use DNAC to deploy the configuration.
• Once deployed using DNAC, Authorization Policy, Authentication Policy, and Authorization Profile would be deployed on ISE by DNAC as well.
• Identities for authentication needs to be configured manually as done for Dot1x

Find out at what stage the issue is observed.

Step 1. Is the client getting an IP address and moving to Webauth Pending?

1. If yes, move to the next step.
2. If no, the issue is at the initial joining stage.
3. Check the configuration on WLC and AP.
4. Check ACL is being pushed on AP and matches what is on WLC
5. If the ACL is not pushed correctly, reload the AP and make sure is it an interim state where config is not pushed. Once confirmed on 1 AP, make sure Provisioning of APs are done through DNAC.

Step 2. Is client able to load the redirect page?

1. If yes, move to the next step.
2. If no, the issue may be at multiple places.
3. Check the configuration on WLC and AP.
4. Check ACL is being pushed on AP and matches what is on WLC
5. If the ACL is not pushed correctly, reload the AP and make sure is it an interim state where config is not pushed. Once confirmed on 1 AP, make sure Provisioning of APs are done through DNAC.
6. Check reachability from WLC to ISE and Switch where AP is connected to ISE. Make sure no firewall in between
7. Check DNS is configured correctly.

Step 3. Is client able to see the Webpage but the issue is with logging in and moving to success?

1. Ensure to double-check Step 1 and Step 2 configurations.
2. Ensure Authorization profile, authentication policy and authorization policy are correct.
3. Check ISE Live logs
4. Ensure that the username/password is correctly configured in ISE identities.
5. Collect debugs on WLC and AP as below if everything looks good.

1. Debugs on WLC:

• Collect below show commands for AireOS and Polaris respectively:

AireOS:

• show run-config
• show wlan summary
• show wlan <id_for_Guest>
• show flexconnect acl summary
• show flexconnect acl detailed <ACl_from_previous_command>

Polaris:

• show running
• show tech-support wireless
• show tech-support wireless fabric 
• show wlan summary
• show wlan id <id_for_guest>
• show ap name <AP_name> config general
• show running-config | sec ACL
• show wireless profile flex summary
• show wireless profile flex detailed <profile_name_from_above>
  
  
• Enable these debugs on AireOS and Polaris.
  
  

AireOS: 

• debug client <client_mac>
• debug aaa all enable
• Reproduce the issue
• Collect console/ssh/telnet logs

Polairs (9300/9400/9500):

set platform software trace wncd switch active r0 all-modules debug

Reproduce the issue

show platform software trace message wncd switch active R0 reverse | redirect flash:<filename>

request platform software trace archive

Collect both files from flash

2. Debugs on AP:

Collect ACL information:

show ip access-lists

Collect below debugs from AP:

• debug capwap client avc all
• debug capwap client acl
• debug client <client mac>
• debug dot11 client level info address <mac>
• debug dot11 client level events address <mac>
• debug flexconnect pmk

Client DHCP Debugging

Some Issues can be debugged using these debugs.

1. Not seeing DHCP Discover messages on Switch.

2. Wireless Client not getting DHCP Offer back. DHCP Discover is observed under debug ip dhcp snooping packet logs.

3. Collect the packet capture on the port connected to AP, the uplink port, and the port connected to the DHCP server on the fusion side.

Debugs/Show commands which can be:  

1. Check on Cisco DNA Center if SSID is assigned to IP Pool.

2. Check if WLAN is enabled on WLC.

3. Check if radios are enabled and both 802.11a and 802.11b networks are enabled.

Client Performance Debugging on AP

1. Narrow down the issue to wired or wireless or affected both. Test the same traffic on a client connected to wireless on the same VNID and test the same traffic on wired on the same VNID.

2. If wired clients in Fabric on the same VN are not experiencing issues but wireless clients are, the issue is on the AP side.

3. To debug on the AP side for any client performance or traffic-related issue, make sure client connectivity is not the issue, to begin with.

4. Make sure using debug client on WLC that client is observing degradation during roaming, session-timeout, or stable connection to same AP.

5. Once narrowed down that the issue is on the same AP, follow these steps to collect debugs on 3800/2800/4800 APs along with packet capture on the switch connected to AP and over-the-air packet captures.

Step 1. Make sure traffic used to reproduce the issue is actually mimicking the issue.

Step 2. Over-the-air packet capture needs to be set up on the customer’s side where the test is been performed.

Instructions for collecting over-the-air packet captures:

Here you find the guide how to set up an Over-The-Air packet capture, you can use a windows client machine, apple client machine or configure a sniffer mode AP (suggested).
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/80211/200527-Fundamentals-of-802-11-Wireless-Sniffing.html
 
There are few things we need to consider:
+Use an Open L2/L3 security SSID to avoid encryption on the packets through the air.
+Set client-serving-AP and sniffer AP on the same channel.
+Sniffer AP should be close enough to capture what serving-client-AP is receiving or sending.
 
SPAN session should be taken at the same time than OTA pcap for a proper analysis, how to configure a SPAN session (swport traffic mirroring):
 
Nexus switches:
https://www.cisco.com/c/en/us/support/docs/switches/nexus-7000-series-switches/113038-span-nexus-config.html
IOS switches:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/network_management/configuration_guide/b_nm_15ex_2960-x_cg/b_nm_15ex_2960-x_cg_chapter_0111.html

Step 3. Debug client from WLC and packet capture from switch where AP is connected. Switch EPC captures can be leveraged to capture these logs.

Step 4. Debugs from 3800 AP ssh/telnet session

Logs to be collected from 3800 AP:

A) Run following commands once before starting the test. [Once all commands are tested, copy all commands in a text file so that it is easy to copy and paste on devshell, we would need multiple iterations of this command outputs during the test]

Step A
Devshell commands on AP - Use SSH.
--------------------------------------------------
1) To Get wired0 input packet count

date
cd /click/fromdev_wired0/
cat icounts ocounts calls

2) Fabric gateway and clients

cat /click/client_ip_table/cli_fabric_clients
cd /click/fabric_tunnel/
cat show_fabric_gw

3) Tunnel Decap stats

cd /click/tunnel_decap/
cat icounts ocounts tunnel_decap_stats tunnel_decap_no_match decap_vxlan_stats
cat tunnel_decap_list

4) Tunnel Encap stats

cd /click/tunnel_encap/
cat icounts ocounts tunnel_encap_stats encap_vxlan_stats tunnel_encap_discard
cat get_mtu eogre_encap_list


5) Wireless client stats

Note: need to issue these last set of commands on the correct radio vap combo. For example if client is on radio 1, vap 1: cat /click/client_ip_table/list = From the output, Check client connected port/interface aprXvY, use the same to obtain below output. cd /click/fromdev_ apr1v3/ cat icounts ocounts calls cd /click/todev_ apr1v3/ cat icounts ocounts calls Steps B – E B) Start OTA between AP. Client. And Start Wired PCAP(Spanning AP port where the client is connected). (Both wired and wireless pcap needed for analysis.) C) Use Open-Auth WLAN(no security to analyze OTA pcap). Start iperf test and keep it running for 10-15mins, continuously. D) Repeat Step A every two min using the date command. Take 5 or more iterations. E) After the test is completed - Collect show tech from AP.

AP Onboarding

Traditional Method/Steps:

It is considered that AP Vlan Scope has option 43 or option 60 pointing to WLC.

1. Select Authentication as No Authentication.

2. Configure Infra_VN with AP IP Pool and Default_VN with Wireless Client IP Pool.

3. Configure Edge Interface Ports where APs are connected with Infra_VN.

4. Once AP gets the IP and joins WLC, it is discovered in the device inventory.

5. Select the AP and assign it to a specific site and provision AP.

6. Once provisioned, AP is assigned to the AP group created during adding WLC to Fabric.

Plug and Play/ Zero-Touch AP Provisioning

It is considered AP Vlan Scope has option 43 pointing to Cisco DNA Center. Follow DNAC guide to configure AP PNP

Fabric Edge Side:

Enable these debugs.

• debug ip dhcp snooping packet
• debug ip dhcp snooping event
  

Related Information

• Wireless Configuration Guides for each Release
• SD Wireless Deployment Guide
• Wireless Best Practice Guide
• Technical Reference Documents for Wireless
• Compatibility Matrix for SDA
• Cisco DNA Center User Guides for each Release