Note on Cisco 9800 IOS-XE WLC re IPv6 enabled by default

Started by Dieselboy, March 22, 2023, 11:30:31 PM


Dieselboy

Had an impactful issue during a cutover to 9800 WLCs, which were implemented to replace EOL WLCs. Symptoms were: wireless clients would work for 300 seconds and then drop off, while from both the client and WLC perspective they had an active session with session timers incrementing (the client was not disconnecting, but wireless connectivity seemingly vanished after 300s).

The issue is that the 9800 WLC has IPv6 enabled for wireless clients only. If you issue a "show run | inc ipv6" then you don't see anything related to IPv6 because it's a default configuration. When I engaged TAC about this multiple times, they informed me that IPv6 is definitely not enabled because "ipv6 unicast routing" is not enabled in the config.

Additionally, the AireOS WLC config was run through the Cisco-provided configuration migration converter tool so as to be able to boot up a 9800 WLC with the existing working configuration. However, the converter tool did not convert, implement or provide an equivalent configuration where IPv6 was fully disabled, as it was on the existing working configuration, hence the issue.

We did not have any issues with modern wifi clients. They did self-configure themselves with fe80:: addresses but continued to work. The specific clients which had issues with the 300s drop are old clients that are used for a specific purpose with critical functionality that are contractually provided by a 3rd party running Windows CE 6.0 OS which is pretty old and probably unique-ish to an extent.

In terms of the client issue, they only have an issue when they self-configure with link-local FE80 addresses. Once I was able to properly turn off IPv6 for the wireless clients, they no longer self-configured and no longer had any connectivity issues. With IPv6 enabled for wireless clients, packet captures show the WLC sending IPv6 RAs and the clients attempting to obtain DHCPv6.
Given that the clients are old, I suggest that they have an old and out-of-date IPv6 implementation. The clients could be around 15 years old. The org has around 2500 of them to suit a specific purpose and nothing more. The specific purpose was being fulfilled until the 9800 WLC was installed as described.
Given the type of device, available local device logging is approximately ZERO content. So I've needed to join some dots and make assumptions here with regards to an out-of-date IPv6 implementation.

Lastly, to top this one off, the official Cisco configuration reference is incorrect with regards to the command needed to turn off IPv6. It was easy to realise the problem because of the contextual help available on the IOS. The working command was "no wireless ipv6 client" whereas the Cisco documentation says the command is "no wireless client ipv6".


Long story short, Cisco have semi-enabled IPv6 on the 9800 WLC and it caused an outage.

Waiting to hear more about it from them, specifically, the intent and use-case for semi-enabling ipv6 in this way. 
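Added example, not code from the thread or from Cisco: a small Python parser that flags ICMPv6 Router Advertisements in raw Ethernet frames and reports the M/O flags (the bits that send clients off to DHCPv6) and the advertised prefixes, which is the kind of RA the captures above showed the WLC sending. The sample frame is constructed inline; its MAC, link-local address and 2001:db8:1::/64 prefix are assumptions, not values from the thread.

```python
import struct
import ipaddress

# Constructed sample (assumed values, not from the thread's captures): an RA as a
# WLC with client IPv6 left enabled would multicast to ff02::1 on the wireless VLAN.
def build_sample_ra() -> bytes:
    src_mac = bytes.fromhex("001122334455")   # assumed WLC/gateway MAC
    dst_mac = bytes.fromhex("333300000001")   # all-nodes multicast MAC
    # Prefix Information option: type 3, len 4 (x8 bytes), /64, L|A flags, lifetimes
    prefix_opt = struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2592000, 604800, 0)
    prefix_opt += ipaddress.IPv6Address("2001:db8:1::").packed
    # RA header: type 134, code 0, checksum 0 (not verified below), cur hop limit 64,
    # flags M|O = 0xC0 (tells clients to try DHCPv6), router lifetime 1800 s
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0xC0, 1800, 0, 0) + prefix_opt
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255)   # next header 58 = ICMPv6
    ip6 += ipaddress.IPv6Address("fe80::211:22ff:fe33:4455").packed
    ip6 += ipaddress.IPv6Address("ff02::1").packed
    return dst_mac + src_mac + struct.pack("!H", 0x86DD) + ip6 + icmp

def parse_ra(frame: bytes):
    """Return details of an ICMPv6 Router Advertisement carried in a raw Ethernet
    frame, or None if it is not an RA (IPv6 extension headers are not handled)."""
    if len(frame) < 70 or struct.unpack("!H", frame[12:14])[0] != 0x86DD:
        return None
    ip6, icmp = frame[14:54], frame[54:]
    if ip6[0] >> 4 != 6 or ip6[6] != 58 or icmp[0] != 134:
        return None
    _hop, flags, lifetime = struct.unpack("!BBH", icmp[4:8])
    ra = {"src": str(ipaddress.IPv6Address(ip6[8:24])),
          "src_mac": frame[6:12].hex(":"),
          "router_lifetime": lifetime,
          "managed": bool(flags & 0x80),   # M flag: addresses via DHCPv6
          "other": bool(flags & 0x40),     # O flag: other config via DHCPv6
          "prefixes": []}
    off = 16                               # options follow the 16-byte RA header
    while off + 8 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8   # option length in 8-octet units
        if olen == 0:                      # malformed option; stop rather than loop
            break
        opt = icmp[off:off + olen]
        if otype == 3 and len(opt) == 32:  # Prefix Information option
            ra["prefixes"].append(f"{ipaddress.IPv6Address(opt[16:32])}/{opt[2]}")
        off += olen
    return ra

if __name__ == "__main__":
    print(parse_ra(build_sample_ra()))
```

Any RA seen on a wireless client VLAN where IPv6 is meant to be off is the signal to look for; the same parser can be run over frames read from a capture file.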

deanwebb

Those old CE devices aren't that unique, given what I've seen in many a customer warehouse/shop floor environment.

As for Cisco scoring another own-goal, how many does this one make now? :smug:
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

That's good to know, at least it means that my post isn't useless to others :)

I'd like to understand better the risk score to an org. running or relying on old Windows CE 6.0 machines. Aside from being older UI, old wifi standard and reluctance to roam they do the job they're supposed to do.

In terms of own goal, I'm open to the possibility that there is a use-case for releasing equipment as described or having the WLC config converter seemingly ignore this config entirely.

deanwebb

The risk score is impacted by how connected those devices are to the Internet or if there are inroads an attacker could make from the Internet to those devices.