Introduction
This document describes how to troubleshoot the Embedded Wireless Controller (EWC).
Prerequisites
Requirements
Cisco recommends that you have knowledge of the Embedded Wireless Controller.
Components Used
The following components were used:
- Embedded Wireless Controller version Cisco IOS 17.9.5
- 9120AXI Access Point
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Potential Problems
GUI is not Accessible
- When you convert an AP to an Embedded Wireless Controller (EWC), an inaccessible GUI is often due to a configuration issue. During the process, make sure to assign different IPs for the controller and the AP. You need two IP addresses: one for the AP and another for GUI management access.
- If the GUI is taking too much time to load, try clearing the browser cookies and monitor the outcome.
- If specific sections of the GUI, such as Administration Management, are inaccessible (for example, continuous spinning or buffering), collect the HAR file from the browser. Check if there are any issues with HTTP responses, such as breaks in JSON, HTML, CSS, and so on. Once you have the HAR file, look for any delays or breaks in responses. If anything seems broken or slow, investigate possible bugs in the current software version and consider performing a switchover or reload.
- You can also tune the HTTP servers and monitor the outcome.
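One way to run the HAR check described above is sketched here as an added example; it is not Cisco code. It flags entries that are slow, that failed, or whose JSON body does not parse. The 5000 ms threshold, the helper names, and the sample entries (placeholder host and paths) are assumptions made for illustration.

```python
import base64
import json

def entry(url, ms, status, mime="", text=None, encoding=None):
    """Build one minimal HAR entry (only the fields this triage reads)."""
    content = {"mimeType": mime}
    if text is not None:
        content["text"] = text
    if encoding:
        content["encoding"] = encoding
    return {"time": ms, "request": {"url": url},
            "response": {"status": status, "content": content}}

# Constructed sample, not a capture from a real controller; host and paths are placeholders.
B = "https://ewc.example"
SAMPLE_HAR = {"log": {"entries": [
    entry(B + "/dashboard.json", 180, 200, "application/json", '{"ok": true}'),
    entry(B + "/admin.json", 42000, 200, "application/json", '{"users": [{"name": "adm'),
    entry(B + "/style.css", 90, 503, "text/html", "<h1>Service Unavailable</h1>"),
    entry(B + "/aps.json", 200, 200, "application/json",
          base64.b64encode(b'{"aps": 3}').decode(), "base64"),
    entry(B + "/clients.json", 30000, 0),
]}}

def triage_har(har, slow_ms=5000):
    """Return (url, reasons) for entries that are slow, failed, or carry broken JSON."""
    findings = []
    for e in har["log"]["entries"]:
        resp = e["response"]
        content = resp.get("content", {})
        status = resp.get("status", 0)
        reasons = []
        if e.get("time", 0) >= slow_ms:
            reasons.append("slow")
        if status == 0:
            reasons.append("no-response")  # commonly recorded when the request never completed
        elif status >= 400:
            reasons.append(f"http-{status}")
        # Judge JSON bodies only when the export actually includes the body text.
        if 0 < status < 400 and "json" in content.get("mimeType", "").lower() \
                and content.get("text") is not None:
            try:
                body = content["text"]
                if content.get("encoding") == "base64":
                    body = base64.b64decode(body).decode("utf-8")
                json.loads(body)
            except ValueError:  # covers JSONDecodeError, bad base64, bad UTF-8
                reasons.append("broken-json")
        if reasons:
            findings.append((e["request"]["url"], reasons))
    return findings

if __name__ == "__main__":
    for url, reasons in triage_har(SAMPLE_HAR):
        print(f"{', '.join(reasons):24} {url}")
```

A HAR export also records the cookies and authorization headers of the management session, so remove them before you attach the file to a support case.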
Upgrading the EWC
Upgrading the Embedded Wireless Controller (EWC) to the latest version is important for several reasons: bug fixes, improved performance, new features, and compliance.
Error: FAILED: install_add : Default profile addition failed due to no response from wireless side
For this error, and if the AP predownload got stuck due to a configuration error, ensure you run these commands:
# install remove profile default
# clear ap predownload statistics
# reload
If the mentioned steps did not resolve the issue, perform a factory reset of the EWC AP.
To upgrade the EWC from the start via console, enter these commands:
conf t
wireless ewc-ap image-download parallel
wireless profile image-download default
image-download-mode tftp
tftp-image-server <server_ip>
tftp-image-path <path>
end
If the AP pre-download gets stuck in the middle of the upgrade, initiate the pre-download again with these commands:
clear ap predownload statistics
install remove profile default
install add profile default
show wireless ewc-ap predownload status
show wireless ewc-ap ap image predownload status
show wireless ewc-ap redundancy summary
Once the download is complete:
install activate
show install summary
install commit
If you encounter an error while activating the image:
Error: FAILED: install_activate : Configured preferred master does not point to the active controller. Please remove or fix the configuration and try install activate again
Tip: Enter the wireless ewc-ap preferred-master <AP name> command in config mode, then initiate the download again.
If the previous scenarios do not resolve the issue, try these steps:
- Upgrade a spare AP to the desired version, then migrate the APs to this spare AP configured as the EWC. Be sure to schedule downtime for this process.
- Alternatively, log in to AP mode from the active controller (in production). Ensure you have console access to the AP and backup configurations before pushing the desired image from the TFTP server to perform the upgrade.
- The restrictions are outlined in Convert Catalyst 9100 Access Points to Embedded Wireless Controller.
Static IP is not Pinging on the CAPWAP AP/EWC
1. After assigning a static IP to the Cisco 9115AXI-D device (capwap), it takes some time to reflect in the running configuration.
To resolve this, assign the IP multiple times (2-3) for it to show in the running-config.
2. On the EWC side, after assigning the IP, it shows in the running config. However, sometimes the self IP is not pingable, but the capwap IP and capwap self IP can reach the gateways.
Note: The default gateways are configured. As a workaround, reboot the device or wait for some time.
Clients are Unable to Connect
- Check SSID Configurations: Verify the configurations of the specific SSID. If it uses dot1x Security, review the policy profile settings and SSID-related AAA configurations. Once verified, collect RA traces to identify any issues or errors.
- Collect WLAN Report: Simultaneously, gather the WLAN report to get an overview of the clients' communication with the AP and SSID.
- Adjust AP Operational Status: Change the operational status of the AP to down and check if the clients can still see the SSID.
- If the SSID is visible, check the NTP server and ensure it is syncing properly.
- Try re-adding the server with the hostname and verify its reachability.
Note: If the server does not sync quickly, allow 2 to 3 hours for synchronization.
Logs:
show ntp associations
show ntp status
show ntp config
show ntp packets
Debugs:
debug ntp all
term monitor
- Verify Client Connectivity: Once synchronization is successful, check if the clients are able to connect.
- If it is not related to NTP server synchronization, proceed with collecting the uplink captures, client traces, ISE live logs, and so on.
No Internet
If it is a new setup, it could be a NAT issue at the ISP level or a configuration issue. If the issue is intermittent or connectivity all of a sudden stopped working:
- Client is losing the IP (either lease time expired or gateway reachability lost).
- EWC does not support central switching, so the traffic is sent directly to the AP uplink.
- In this case, collect:
- Wireshark captures of the client end while trying to ping the gateway continuously.
- Radioactive traces (with internal and without internal).
- AP uplink captures.
- Client traces on the AP level.
- OTA (over-the-air) captures, to check if any packet is getting dropped or is not reaching the client.
Note: For OTA, it is best to use an open SSID most of the time; otherwise, the packets are encrypted.
Webauth
- Begin by checking the configuration to confirm that authorization is set to local. Next, verify at which point the client is encountering issues.
- Flow: Start -> L2 authentication -> DHCP/static IP assignment -> L3 authentication -> Run
- If the client is stuck at IP learning, validate the issue from the DHCP side.
- If the client is stuck at web authentication, check for:
- Any pre-authentication ACLs configured
- DNS issues
- Security concerns on the client side (for example, the mini browser), which require adjustments to the captive portal bypass.
- Collect a packet capture (PCAP) from the client side and check for any session resets. If needed, restart the HTTP server and HTTP secure server.
End of Support/ End of Life
EWC on AP is no longer supported in new releases starting from 17.16.x. It is still supported on 17.6.x, 17.9.x, 17.12.x and 17.15.x.
Reference Information