I've been having issues with wireless on my 2.4Ghz network. So I decided to create a 5Ghz SSID, and I'm unable to connect to it. I went ahead and removed PSK and opened up access, but I'm still unable to connect to that SSID. Error states connection failed.
I'm running a vWLC, version 8.2.110.0 on ESXi with Cisco 3700 APs with the short stub external antenna.
I've configured -
Radio Policy: 802.11a only
Broadcast SSID: enabled
FlexConnect Local Switching: Enabled
Somebody told me it could be a channel issue, but I don't believe so as my new 5Ghz SSID is running on channel 36,40 and my 2.4Ghz SSID is running on channel 11.
I'm at a loss why creating a new SSID wouldn't work.
Is there anything in between the WLC, AP, and test device? Could be interference, especially if there's a lot of metal or old walls (which usually had a lot of metal in them).
Do the APs show up registered in the WLC? If yes, it could be client settings on the test device.
Sometimes I get refusal to connect because the device has cached configuration for an SSID and the cache does not match what the AP/WLC is expecting. Have you tried "forget network" and setting up again on the device?
If that fails, then as mentioned this can be caused by interference. Every wifi AP within an area needs to be on a different channel. Maybe you are using the same channel as some other wifi device nearby which is causing the interference. Try changing the channel.
Also you say you're using 36,40. This is 40mhz-wide. Maybe you have a little bit older wifi client and it cant use the 40mhz channel. Change it back to 20mhz and then try and see if you can connect after "forgetting" the wifi network.
In the WLC you may be able to view logging to tell you the reason for the connection failures.
just ran across this article this morning
How to fix Wi-Fi interference
https://www.networkworld.com/article/2215287/coping-with-wi-fi-s-biggest-problem-interference.html
SQ
Does your wireless NIC Support 5G?
Thanks so much guys for the quick reply! You guys have been so helpful, and given me some paths to take on tshooting this issue.
@deanwebb
So I believe there is definitely some kind of interference, as on my 2.4Ghz SSID my NEST cameras have been cutting out and it keeps saying some kind of interference is affecting the connection. When I attempt to stream video, at random times it will cut out. As far as what's between them, there isn't much that would cause interference to my knowledge.
The AP does indeed show registered in the WLC.
@dieselboy
I did try forgetting the network, and attempt to reconnect to it. So I'm thinking changing the channel would be a good idea. So, do I have to be cognizant on which channel I choose? I did change it back to 40mhz for some increased performance, but let me put that back down to 20mhz.
I didn't see any logs in the WLC. Maybe I'm looking in the wrong place, but it came up empty. Am I able to see those logs if I console into the WLC? View them just like I would on a Cisco switch?
@ristau5741
I will check out that link. Thank you!
So my main devices that connect to the WiFi are MacBooks, iPads, and iPhones. So it would just be the iPhone that could do 5G, which I must say does save me at times.
I thought about dumping the whole Cisco WLC setup, and switching to Ubiquiti. But I'm thinking the issues might in fact be the same, if it truly was an interference issue. The whole WiFi setup is pretty great, as it's enterprise grade. I'm going to change the channels, as I noticed earlier today there are a ton of other WiFi networks in the area, I'm talking about 25+ SSIDs.
if you are using Cisco, it's probably a bug!
:hankhill:
This doesn't surprise me. Also, I must say I know I'm running an older version of the wireless controller. So it might be a good idea to upgrade the WLC. I'm just worried something will tank, and then I'm really in trouble. I haven't upgraded a WLC before, but I'm thinking it shouldn't be much different than a switch. I wonder if I can just do it from the GUI? I will poke around now and verify.
So just so I'm understanding this, the channel I choose is open to choose I just need to verify if other things are on it. Like I've scanned SSIDs around me, and they are all on the standard 11 and the other norms people deploy by default. So can I choose any other one of my choosing?
Anon, if you have an Android device then go grab this free (and possibly dodgy) app which I use all the time for exact things like this: https://play.google.com/store/apps/details?id=com.farproc.wifi.analyzer&hl=en&gl=US
Note: The app will not work until you allow the permissions: Storage and GPS access.
I say "possibly dodgy" because the app needs those permissions to work and I don't really know why. I just install when I need then remove it once I am done.
In the app. you can show 2.4GHz and 5GHz wifi bands and neighbouring AP's and their broadcasting channels.
Some things to note that are worth remembering:
- all wifi AP's need to be on their own unique channel. This means each of your AP's as well as your neighbours. This easily becomes a problem on 2.4GHz band where there are mostly only 3 unique and non-overlapping channels.
- AP's that broadcast the same SSID need to have the same authentication/authorization settings
///
With your issue specifically I wonder if the wifi is in fact fine but there's no underlying DHCP server within the layer 2 network to provide the wifi client an IP address and concequently internet access so in turn your smart iPhone is ignoring the wifi and putting it in the "bad" box? I've had a similar issue when my home internet went down and I Was unable to control my smart lights because the phone was outright refusing to do anything on the wifi due to the internet being down - even though the lights were controllable. I needed to select "use network anyway" on my Android phone.
Funny have it I just picked up an Android device the other day, so let me fire that up and take a look.
I was thinking this could be a layer 2 issue, as I have my networks separated. By separated, I mean that my APs sit on it's own VLAN on 10.10.20.x /24 and my devices on another VLAN on 172.17.70.x /24. Now, all I did was add a second SSID to the network controller, which I would think would just sit on the device VLAN as the first SSID does, right? I believe it is, as I see here under All APs > HallwayAP > VLAN Mappings with the appropriate VLAN ID.
I switched it to channel 100 too, and still no luck.
I noticed a lot of rogue AP messages under the Trap Logs, but I have a feeling this is normal on the 2.4Ghz frequency. It looks something like this, which per the MAC address OUI is a Netgear device.
Rogue AP: e4:f4:c6:19:56:7b detected on Base Radio MAC: 5c:83:8f:c7:c2:30 Interface no: 1(802.11ac) Channel: 153 RSSI: -73 SNR: 22 Classification: unclassified, State: Alert, RuleClassified : N, Severity Score: 0, RuleName: N.A. ,Classified AP MAC: 00:00:00:00:00:00 ,Classified RSSI: 0
Your OP states flexconnect = enabled.
What this does is locally switch wifi traffic to the local wired lan on the AP's. So in your case you will need to trunk this VLAN to the AP and map the SSID to the VLAN to allow the local bridging / switching.
The other option is to turn off flexconnect. This will send all client wifi traffic back to the controller over an encrypted tunnel. However you may not be able to do this if you are running a controller VM (I don't know, havent used the VM but I have used mobility express which uses a software WLC so I am adding 2+2 and getting 6 here :) ). Flexconnect is usually turned off on WLCs. So maybe this is why it is enabled for you.
If you use vlan 100, maybe you can make this the native vlan on that port and see if you get wifi access onto that native vlan (ie vlan "1"). Or you'll need to set up the vlan 100 in the AP so that the AP will trunk (tag) wifi client traffic with vlan 100.
You will get a rogue AP log for every AP detected by your system where those detected APs are not part of your WLC system. Hope that makes sense?
:)
That's correct, I had to enable flexconnect because it's running as a virtual machine. I know on our other WLC the flexconnect option is not enabled.
So I thought you had something, as that would be a great catch. But I confirmed I do indeed have the correct VLAN Mappings for the native vlan, and the inheritance is set for WLAN-Specific just like the working SSID.
The MacBook states the network is not available, and the iPad states the password is incorrect. So weird.
On the plus side, I did change the channel on the 2.4Ghz SSID and the interference appears to have stopped. I switched it to channel 6 for the 2.4Ghz network.
But the 5Ghz SSID ... :headache:
OK so lets say you have VLAN 100 configured on the LAN. You need to understand whether this is a tagged VLAN or not (native). Basically native means remove the tag when traffic leaves the switch port or add the tag when any untagged traffic arrives. You can only have one native VLAN for this reason.
Have you considered using 1 SSID (1 VLAN) on the WLC side and then using your VLAN on the switch port as either access mode or native VLAN as a test? You probably need the AP IP address to be in the same VLAN as the wifi client traffic so that the AP can get an IP and then talk to the WLC. I think this will let the wifi AP work as a test with 5GHz.
Another way to say the same thing -> have only one untagged VLAN on the switch port and then on the WLC add the VLAN number but mark it as native.
For example in a remote office I use VL33 for LAN traffic and wifi. The AP has an IP in the same VLAN. on the WLC I have WLAN to VLAN mapping making vl 33 the native VLAN.
Forgive me if I'm missing it, but I don't think this would be an issue since the AP is on the correct VLAN, tagged appropriately as well as the user VLAN, which can indeed get an addressed assigned. But this is only the case on the 2.4Ghz SSID. If I add the 5Ghz SSID to the vWLC using that same AP, that's associated to the same AP Group I would think it would be a L2 issue. Or am I wrong in that statement?
Within the AP Group, the only different is it has a different WLAN ID, with the corresponding Profile Name(SSID Name) but inside the settings, for L2 and L3 options, it's purely security related (ie WPA+WPA2, Encryption, PSK athentication) options like this.
If you're adding a new SSID then you need to map that to a VLAN. You may be able to map it to the same VLAN ID on the LAN - I'm not sure.
Why not just enable the 5G network on the existing and working 2.4GHz WLAN? Having a separate 2.4 and 5G SSID means that clients wont automatically roam to the best one which is a downside. Also having separate 2.4 and 5 SSIDs mean you are bridging to different VLANs and so you must have unique SSID names else a client could roam between the SSIDs but the client IP address will be wrong.
The only use case I've found for configuring and using separate SSIDs for the two frequency bands is when you need to force (ie stick) clients to either the 2.4 or 5GHz band. ISPs send out their pre-configured home routers with separate -2.4G and -5G wifi SSIDs. I generally just rename both of these SSIDs to get the same name so that the client will roam to the best one (ie 5GHz when it can and fall back to 2.4G when it's a bit far from the AP). Some home ISP routers wont let you do this which is poor.
Just so I'm not missing it, when you say map that VLAN. Where do I do that at? I have the VLAN set, or mapped under FlexConnect on under the Wireless tab. You said separate 2.4Ghz and 5Ghz SSIDs means I'm bridging two different VLANs, but they are actually configured as the same VLAN and I never created a new VLAN for 5Ghz. Maybe that's my problem overall that I didn't separate them that way, as I didn't know. I just added the 2nd SSID to the same VLAN and just configured the SSID.
So the radio policy is indeed set for 'ALL' but my MacBook is right next to the AP and it's still preferring 2.4Ghz. So that's why I thought I would create a dedicated 5Ghz. I've never seen a device get on the 5Ghz network on it's own. I think I'm missing a configuration if this is the case that it will choose the best band, because it for sure should be choosing the 5Ghz SSID since it's so close to the AP.
Thanks so much for continuing the help me. I'm learning more and helps to talk it out, as the walls haven't been of much help.
When you created the new SSID, I think it automatically gives it vlan 1 in the ssid to vlan mappings.
Also in the SSID you configured (in the WLANs section) you need to have the SSID enabled for "FlexConnect Local Switching" which is in the Advanced tab.
I found this link which goes through setting up a new SSID and enabling it for flexconnect. Can you check this to see if it aligns with your config? https://community.cisco.com/t5/wireless-mobility-documents/wireless-lan-flexconnect-configuration-example/ta-p/3112924
Point 11 is about what I mentioned above.
The next section mentions about setting the vlan to ssid mapping. You can do this either on the AP directly or in a flexconnect group. Can you check this and see if the new SSID on the AP is showing the correct VLAN number or just default to `1`?
///
For the 5GHz issue check if 5G is enabled under "Wireless > 802.11a/n/ac > network". Then at the top find "802.11a Network Status" is enabled.
Are you using any "AP group"?
Hope that helps :)
Wow, just wow as I have all those setting correctly set. That document was super helpful, and easily able to confirm. So I guess this is the end of the road for me with the Cisco vWLC. Unreal!
Something with the 5Ghz overall is an issue, as I have it enabled on the first SSID. But not device will automatically detect the 5Ghz channel and favor to use it.
Quote from: anon on March 03, 2021, 06:22:42 PM
So I guess this is the end of the road for me with the Cisco vWLC. Unreal!
No I wouldnt say so just yet. Pick one issue and we can try some things to narrow it down. What is your switch that you are using for this? Can you run a span port for packet capturing? What is your AP that you are using?
Number of different things which can be tried or looked at:
- SSH into the AP and view the config (like a show run config). You'll need to enable SSH from the WLC and set a username/password there also. Then you can ssh into the AP and get some limited commands. You can do a "sh run | red ftp://some-server/som-config-name.txt" and that should send the running config to a text file over ftp, providing that command is actually there. You could just do "sh run" and then copy it from the terminal into notepad.
In the config I'd be checking to see what has been applied to the WLC in terms of BVI (bridge group) number on the Gi0/0 port (LAN port) and see the matching SSID with BVI.
- if you can run a span or monitor port then you could plug your laptop into the switch and use wireshark to inspect the packets to and from the WLC switch port. I'd be checking this for packets sending and receiving with VLAN ID (or without VLAN ID if you have native VLAN set)
- for the 5G not working on original SSID issue, I'd use the android app to view that the 5G SSID was actually broadcasting. Then if so, I'd check if the encryption settings are supported by the AP