5508 WLC-6500 Series Switch Etherchannel

Hi,
I have a 5508 controller connected to a 6500 VSS pair. Below is the port channel configuration and port configuration. I am just wondering whether we still have to configure a load balancing method, as Cisco recommends “port-channel load-balance src-dst-ip” as best practice.
Is this still applicable for the 5508 controller-6500 Series uplink, as the EtherChannel is an L2 EtherChannel?
Port Channel Config:

interface Port-channel1
 description To 5508 WLC
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 9
 switchport trunk allowed vlan 10,11,12
 switchport mode trunk
 mls qos trust dscp
end

Interface Config:

interface GigabitEthernet1/1/42
 description To 5508 WLC
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 9
 switchport trunk allowed vlan 10,11,12
 switchport mode trunk
 wrr-queue bandwidth 5 25 70
 wrr-queue queue-limit 5 25 40
 wrr-queue random-detect min-threshold 1 80 100 100 100 100 100 100 100
 wrr-queue random-detect min-threshold 2 80 100 100 100 100 100 100 100
 wrr-queue random-detect min-threshold 3 50 60 70 80 90 100 100 100
 wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100
 wrr-queue random-detect max-threshold 2 100 100 100 100 100 100 100 100
 wrr-queue random-detect max-threshold 3 60 70 80 90 100 100 100 100
 wrr-queue cos-map 1 1 1
 wrr-queue cos-map 2 1 0
 wrr-queue cos-map 3 1 4
 wrr-queue cos-map 3 2 2
 wrr-queue cos-map 3 3 3
 wrr-queue cos-map 3 4 6
 wrr-queue cos-map 3 5 7
 mls qos trust dscp
 channel-group 1 mode on
end

Hello,
Please check the following link regarding load balancing between 5508 and WLC 6500:
http://www.learnios.com/viewtopic.php?f=5&t=34555

Similar Messages

  • How to remove the WiSM2 from the Catalyst 6500 series switch?

    Hello, can you explain to me how to safely remove the WiSM2 from the Catalyst 6500 series switch?
    According to the documentation "Catalyst 6500 Series Wireless Services Module 2 Installation and Verification Note":
    To remove the WiSM2, perform these steps:
    Step 1     Shut down the module by one of these methods:
    In privileged mode from the router prompt, enter the hw-mod module mod shutdown command. Note: If you enter this command to shut down the module, you must enter the following commands in global configuration mode to restart (power down, and then power up) the module:
    Router# no power enable module mod
    Router# power enable module mod
    If the module does not respond to any commands, press the SHUTDOWN button located on the front panel of the module.
    Step 2     Verify that the WiSM2 shuts down. Do not remove the module from the switch until the POWER LED is off.
    But in the case of Step 1 (1st method), I do not see an option "shutdown" in the command "hw-mod module 3"...
    All I am prompted to enter is:
    c6500#hw-module module 3 ?
    boot           Specify boot options for the module through Power Management Bus control register
    reset          Reset specified component
    simulate  Simulate options for the module
    Is it a hidden option? The IOS version of the c6500 is 12.2(33)SXJ1.
    In the case of Step 2 (2nd method), there is not any button on the front panel of the module?
    And yet, is it better to remove the module configuration manually or to use the command module clear-config prior to removing the module?

    Good catch.
    Which one is true, will get back to you on this if I've something soon.
    http://www.cisco.com/en/US/docs/wireless/module/wism2/installation/note/WiSM_2.html#wp34727
    The above link is the procedure to remove WiSM2. This procedure doesn’t look like WiSM2 is hot swappable.
    http://www.cisco.com/en/US/docs/wireless/module/wism2/installation/note/WiSM_2.html#wp34621
    All modules, including the supervisor engine (if you have redundant supervisor engines), support hot swapping. You can add, replace, or remove modules without interrupting the system power or causing other software or interfaces to shut down. For more information about hot-swapping modules, see the Catalyst 6500 Series Switch Module Installation Guide.

  • APs unable to receive IP address from DHCP (core 6500 series switch)

    Dear Friends,
    A week ago I had a stable wireless network. APs were getting IPs from the 6500 series switch (DHCP), but unfortunately some WiSM got rebooted and now APs are unable to receive IP addresses from the Core 6500 DHCP. To cater for this issue, I have another DHCP server configured on Windows 2008. I created another subnet and put the APs in that VLAN; now all APs are successfully receiving IPs from the Windows DHCP server. I don't know why the APs are not able to receive IPs from the core 6500 series DHCP.
    Please advise.
    Thanks
    Faysal

    Thanks, George, for stepping up. Here is the DHCP config:
    ip dhcp excluded-address 10.10.30.1 10.10.30.20
    ip dhcp excluded-address 10.10.8.1 10.10.8.10
    ip dhcp excluded-address 192.168.10.1 192.168.10.5
    ip dhcp excluded-address 10.9.20.1 10.9.20.30
    ip dhcp pool vlan_30
    network 10.10.30.0 255.255.254.0
    default-router 10.10.30.1
    option 60 ascii "CiscoAPc1250"
    option 43 hex f110.0a0a.1e0b.0a0a.1e0d.0a0a.1e0f.0a0a.1e11
    dns-server 10.10.2.11
    lease infinite
    ip dhcp pool WiSM1_SP
    network 192.168.10.0 255.255.255.248
    default-router 192.168.10.1
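
Decoding the option 43 value from the pool above and checking it against the posted exclusions, as an added example that is not part of the original post. It assumes the Cisco lightweight-AP sub-option layout (type 0xf1, a length of 4 bytes per controller, then the controller IPv4 addresses); the function names are hypothetical.

```python
import ipaddress

# Values copied from the DHCP configuration posted above.
OPTION_43_HEX = "f110.0a0a.1e0b.0a0a.1e0d.0a0a.1e0f.0a0a.1e11"
POOL_NETWORK = "10.10.30.0/255.255.254.0"      # ip dhcp pool vlan_30
EXCLUDED_RANGES = [                             # ip dhcp excluded-address lines
    ("10.10.30.1", "10.10.30.20"),
    ("10.10.8.1", "10.10.8.10"),
    ("192.168.10.1", "192.168.10.5"),
    ("10.9.20.1", "10.9.20.30"),
]


def parse_option43(dotted_hex):
    """Decode an IOS 'option 43 hex' string laid out as
    type (1 byte, 0xf1) | length (1 byte) | controller IPv4 addresses."""
    try:
        raw = bytes.fromhex(dotted_hex.replace(".", ""))
    except ValueError as exc:
        raise ValueError(f"not valid hex: {dotted_hex!r}") from exc
    if len(raw) < 2:
        raise ValueError("value too short to hold type and length")
    sub_type, length, value = raw[0], raw[1], raw[2:]
    if sub_type != 0xF1:
        raise ValueError(f"sub-option type is 0x{sub_type:02x}, expected 0xf1")
    if length != len(value):
        raise ValueError(
            f"length byte says {length}, value holds {len(value)} bytes")
    if length == 0 or length % 4:
        raise ValueError("length must be a non-zero multiple of 4")
    return [ipaddress.IPv4Address(value[i:i + 4]) for i in range(0, length, 4)]


def audit_controllers(controllers, pool_network, excluded_ranges):
    """For each advertised controller, report whether it sits in the pool's
    subnet and whether an exclusion keeps the server from leasing it out."""
    net = ipaddress.IPv4Network(pool_network)
    ranges = [(ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
              for lo, hi in excluded_ranges]
    findings = []
    for ip in controllers:
        in_subnet = ip in net
        excluded = any(lo <= ip <= hi for lo, hi in ranges)
        findings.append({
            "controller": str(ip),
            "in_pool_subnet": in_subnet,
            "excluded_from_leases": excluded,
            # An in-subnet controller address with no exclusion could be
            # handed to a client and collide with the controller.
            "leasable_conflict": in_subnet and not excluded,
        })
    return findings


if __name__ == "__main__":
    controllers = parse_option43(OPTION_43_HEX)
    for row in audit_controllers(controllers, POOL_NETWORK, EXCLUDED_RANGES):
        print(row)
```
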

  • Multicast in 6500 series switch

    We have one customer who has configured IPsec over GRE end to end for all remote locations. Now the customer wants to upload a large file to all remote locations, so we have to configure multicast in our backbone network.
    We have a 6500 Series switch through which all routing is done. But how will multicast traffic flow through the IPsec tunnel? If anyone has had such a case, please let me know.
    TIA
    Regards
    SAM

    Check out the following link, Multicast over IPsec VPN Design Guide; this should help:
    http://www.cisco.com/application/pdf/en/us/guest/netsol/ns656/c649/cdccont_0900aecd80402f07.pdf

  • Switch support for NAC CCA for 6500 series switch

    Per the 4.0 document "switch support for Cisco NAC" there is a note that says
    Catalyst 6000/6500 on IOS do not support mac-notification
    Does this mean you cannot deploy layer 2 OOB mode, as SNMP notification to the CAM will not happen with the 6k platform?

    Probably, the configuration guide will give you a better idea about your problem.
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_book09186a00803f5611.html

  • Vibration specification of the 6500 series switch

    We are doing heavy construction work near an important network room and we want to know what kind of vibration the 6509 switch can tolerate. In the spec sheet (http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/hardware/Chassis_Installation/Cat6500/6500_ins/01over.html), there are vibration specifications but it is unclear what the permitted level during operation is. I guess the vibration section is what I'm looking for:
    Operational—3 Hz to 500 Hz,
    Power Spectral Density (PSD)—0.0005 G²/Hz at 10 Hz and 200 Hz. 5 dB/octave roll off at each end. 0.5 hours per axis (1.12 Grms).
    I believe that the specified value refers to a test that is done on the unit (using the specified PSD shape). The test is repeated in each axis for 0.5 hour. What about the 1.12 Grms? I thought it would be the square root of the integration of the PSD from 3 to 500 Hz, but it doesn't seem to add up.
    That being said, would it be right to use the PSD shape as the vibration limit not to go over?
    Thank you.

  • Any one ever worked on 6500 series Cisco switches QOS or 6503 or 6524 QOS(Urgent help needed)

    Hi All,
    I am having an issue specifically doing QOS configuration on 6503 or 6524 or 6509 switches. I am unable to match any EF (voice) traffic for EoMPLS (VLAN based) on a 6503 Cisco switch. If I use any other router such as a 2811 or 2821, my QOS configuration works perfectly, but if I put a 6503 as PE2 it does not work. I am using VLAN-based EoMPLS.
    Below is the scenario & configuration with which I am having the issue.
    CE1(2821 router)(dot1Q)--------->PE1(2821 router)------->P(6524 switch)-------->PE2(6503 switch)------->(dot1Q)(2821 switch)CE2.
    On CE1 I can match ip-precedence 5 traffic and mark that traffic to cos5 on the outbound port. On PE1 I can match the cos5 packet and mark it with mpls exp top5 on the inbound port; on the outbound port I can match mpls exp 5.
    On PE2 (6503) I am unable to match that mpls exp5 packet on the inbound port. None of the configurations worked on 6500 series switches with mls qos, mls qos trust dscp, mls qos trust cos etc. Although I can match cos5 traffic on CE2 on the inbound interface, I cannot match mpls exp 5 traffic on the 6503, and all I can see is traffic as default-class on the 6503 switch. I tried many things and many configurations on the 6503 but nothing worked. If I put a 2821 router as PE2 instead of the 6503, my QOS configuration works. But why, if I put the 6503, does my same QOS configuration not work?
    ---match means=classification or classify
    Can anyone tell me how QOS works on 6500 series switches or where I am having an issue in my scenario?
    I am using this IOS on the 6503: s72033-advipservicesk9_wan-mz.122-33.SXI3.bin.
    Below are my questions for 6503 QOS:
    1. Do I need to use some other map tables? Am I using the correct map tables on the 6503, such as cos-dscp, dscp-cos, exp-dscp etc.?
    2. Is any other configuration of QOS needed on the 6503?
    3. I am unable to match anything on the outbound port of the 6503.
    4. On the 6503 I am using sup720 and PFC3BXL. Is any specific configuration needed for PFC3BXL?
    5. The 6503 is not allowing me to match qos-group on the inbound interface, not allowing me to set cos5 on the outbound interface, and not allowing me to set cos5 on an inbound interface.
    CE1(2821) config:
    class-map match-any EF
     match ip precedence 5
    class-map match-any data
     match ip precedence 3
    policy-map ip2mpls
     class EF
      set cos 5
     class data
      set cos 3
    interface FastEthernet0/0
     no ip address
     duplex auto
     speed auto
    interface FastEthernet0/0.455
     encapsulation dot1Q 455
     ip address 172.16.15.1 255.255.255.252
     service-policy output EF
    PE1(2821) config:
    mls qos map cos-dscp 0 8 16 24 32 40 48 56
    class-map match-all exp_3
     match mpls experimental topmost 3
    class-map match-all mpls_exp
     match mpls experimental topmost 5
    class-map match-any cos3
     match cos  3
    class-map match-any LOO1
     match cos  5
    policy-map EF
     class LOO1
      set mpls experimental imposition 5
     class cos3
      set mpls experimental imposition 3
    policy-map QOS_G_5
     class mpls_exp
      priority
     class exp_3
      bandwidth 500
    interface Loopback0
     ip address 3.3.3.3 255.255.255.255
    interface FastEthernet0/0
     ip address 192.168.23.2 255.255.255.0
     ip ospf network point-to-point
     duplex auto
     speed auto
     mpls ip
     service-policy output QOS_G_5
    interface FastEthernet0/1.455
     encapsulation dot1Q 455
     xconnect 5.5.5.5 455 encapsulation mpls
     service-policy input EF
    PE2(6503 qos):
    R1#show module
    Mod Ports Card Type                              Model              Serial No.
      1    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE      SAL09401U2L
      2   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL114247YN
      3   16  16 port 1000mb GBIC ethernet           WS-X6416-GBIC      SAL0712AM69
      4   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       SAL10019J4N
      5    2  Supervisor Engine 720 (Hot)            WS-SUP720-3BXL     SAD102805VM
      6    2  Supervisor Engine 720 (Active)         WS-SUP720-BASE     SAD0846060F
    Mod  Sub-Module                  Model              Serial       Hw     Status
      1  Distributed Forwarding Card WS-F6700-DFC3BXL   SAD102504EF  5.3    Ok
      2  Centralized Forwarding Card WS-F6700-CFC       SAD111300PD  3.1    Ok
      4  Centralized Forwarding Card WS-F6700-CFC       SAL1004BQ2A  2.0    Ok
      5  Policy Feature Card 3       WS-F6K-PFC3BXL     SAD10270189  1.8    Ok
      5  MSFC3 Daughterboard         WS-SUP720          SAD102801G5  2.5    Ok
      6  Policy Feature Card 3       WS-F6K-PFC3BXL     SAL1415FE95  1.11   Ok
      6  MSFC3 Daughterboard         WS-SUP720          SAD08440794  2.4    Ok
    R1#show mls qos maps
       Normal Burst Policed-dscp map:                                  (dscp= d1d2)
         d1 :  d2 0  1  2  3  4  5  6  7  8  9
          0 :    01 01 02 03 04 05 06 07 08 09
          1 :    10 11 12 13 14 15 16 17 18 19
          2 :    20 21 22 23 24 25 26 27 28 29
          3 :    30 31 32 33 34 35 36 37 38 39
          4 :    40 41 42 43 44 45 01 47 48 49
          5 :    50 51 52 53 54 55 56 57 58 59
          6 :    60 61 62 63
       Maximum Burst Policed-dscp map:                                  (dscp= d1d2)
         d1 :  d2 0  1  2  3  4  5  6  7  8  9
          0 :    00 01 02 03 04 05 06 07 08 09
          1 :    10 11 12 13 14 15 16 17 18 19
          2 :    20 21 22 23 24 25 26 27 28 29
          3 :    30 31 32 33 34 35 36 37 38 39
          4 :    40 41 42 43 44 45 46 47 48 49
          5 :    50 51 52 53 54 55 56 57 58 59
          6 :    60 61 62 63
       Dscp-cos map:                                  (dscp= d1d2)
         d1 :  d2 0  1  2  3  4  5  6  7  8  9
          0 :    00 00 00 00 00 00 00 00 01 01
          1 :    01 01 01 01 01 01 02 02 02 02
          2 :    02 02 02 02 03 03 03 03 03 03
          3 :    03 03 04 04 04 04 04 04 04 04
          4 :    05 05 05 05 05 05 05 05 06 06
          5 :    06 06 06 06 06 06 07 07 07 07
          6 :    07 07 07 07
       Dscp-exp map:                                  (dscp= d1d2)
         d1 :  d2 0  1  2  3  4  5  6  7  8  9
          0 :    00 00 00 00 00 00 00 00 01 01
          1 :    01 01 01 01 01 01 02 02 02 02
          2 :    02 02 02 02 03 03 03 03 03 03
          3 :    03 03 04 04 04 04 04 04 04 04
          4 :    05 05 05 05 05 05 05 05 06 06
          5 :    06 06 06 06 06 06 07 07 07 07
          6 :    07 07 07 07
    Cos-dscp map:
             cos:   0  1  2  3  4  5  6  7
            dscp:   0 10 18 24 34 46 48 56
       IpPrecedence-dscp map:
          ipprec:   0  1  2  3  4  5  6  7
            dscp:   0  8 16 24 32 40 48 56
       Exp-dscp map:
             exp:   0  1  2  3  4  5  6  7
            dscp:   0  8 16 24 32 40 48 56
    mls netflow interface
    mls qos map cos-dscp 0 10 18 24 34 46 48 56
    mls qos
    class-map match-all exp_3
     match mpls experimental topmost 3
    class-map match-all EXP_5
     match mpls experimental topmost 5
    class-map match-all QOS_GROUP_5
     match qos-group 5
    class-map match-all prec5
     match ip precedence 5
    class-map match-all cos5
     match cos  5
    policy-map mpls2ip
    class QOS_GROUP_5
     set cos 5
    policy-map IN_FROM_R3
     class EXP_5
      set qos-group 5
    interface Loopback0
     ip address 5.5.5.5 255.255.255.255
    interface GigabitEthernet2/2
     mls qos trust cos 
    or <------------ (tried both individually but none worked)
     mls qos trust dscp
    interface GigabitEthernet2/2.455
     encapsulation dot1Q 455
     xconnect 3.3.3.3 455 encapsulation mpls
     service-policy output mpls2ip
    interface GigabitEthernet2/1
     ip address 192.168.34.4 255.255.255.0
     ip ospf network point-to-point
     mls qos trust cos 
    or <------------ (tried both individually but none worked)
     mls qos trust dscp
     mpls ip
     service-policy input IN_FROM_R4
    Thanks & regards,
    Ahsan Rasheed

    Hi All,
    I am still having an issue on the 6503 or 6524 Cisco switch.
    "Can anyone give me any sample of a 6524 or 6503 QOS working configuration? I would be really thankful."
    As I mentioned in my previous post of the 6503 configuration, I am unable to match the mpls exp 5 packet on the 6503. My QOS configuration on PE1 (2811 router) is working perfectly. I am unable to classify mpls exp 5 or mpls exp 3 on the 6503 switch. Am I missing something in the configuration?
    PE2 config:"6503 switch"
    class-map match-all mpls_exp
     match mpls experimental topmost 5
    policy-map EF
    class mpls_exp
    R!#mls qos
    int Gi2/4
    service-policy input EF
    mls qos trust cos
        dscp:   0 10 18 24 34 46 48 56
       Exp-dscp map:
             exp:   0  1  2  3  4  5  6  7
            dscp:   0 10 18 24 34 46 48 56
    Thanks,
    Ahsan Rasheed

  • Connection between 5508 WLC and 3750-24PS switch

    I have to realize a connection between a 5508 WLC and a 3750 switch using one SFP cable. I found in the Cisco documentation some references to two different SFP cables.
    The first one is CAB-SFP-50CM, but this is used to interconnect two 3560 switches.
    The second is SFP-H10GB-CU1M. This one has SFP+ transceivers on both ends, and I don’t know whether they are compatible with the standard SFP ports that can be found on both the WLC and the switch.
    My question is whether I can use one of these cables to connect my devices, or whether you know of other one-piece SFP cables.
    Many thanks

    I know that you can use those SFP transceivers, but I want to know if someone has tried to use the SFP-H10GB cables for this kind of connection, because I saw on another vendor's website that the SFP+ cables are compatible with standard SFP ports, and I wanted to see if it is the same for Cisco cables too.
    Regards

  • Flash file location in 6500 Core switch

    Hi ,
    Please guide me: what is the location of the flash file in a 6500 Series switch, and how can we take a backup of the IOS image for the 6500 series?
    Thank you

    You're welcome.
    People seldom backup the actual IOS image binary file since it is usually just as easy to pull a new copy from cisco.com.
    The more useful file is the running-config. You can most easily get a one time copy of that by just setting terminal length to 0 ("term len 0"), turning on logging on your shell tool and then typing "show run". The log file will now have a local copy of your running-config. You can also copy it via the cli using tftp, ftp, scp etc. transport methods.
    Many open source and commercial products also allow you to automate that whole process for many devices. RANCID, Kiwi CatTools, SolarWinds NCM, Cisco Prime LMS, etc. all do that (and much more).
    Please rate helpful posts and mark your question as answered when it is.

  • Maximum 29XX switches on a 6500 series

    Hello,
    Is there a recommended maximum number of user ports I can connect directly to a 6500 series core switch?
    I have a situation with about 80 24-port switches (in stacks of 2 or 3) connected with fiber to the core switch. Now one of the network managers states we need a distribution layer because performance in the 6500 will drop. The reason for this is that the 29XX series switches do not support layer 3.
    Is this correct? And does the added layer 3 functionality in an (extra) distribution layer increase performance in the core, even though almost all traffic is user - server traffic and the servers are connected to the core?
    Anyone know? Thanks!

    Hi Friend,
    Which sup engine do you have, and is there any switch fabric module you are running? Cat6500s are cross-fabric chassis which give 32 GBPS backplane switch capacity by default. If you have SFM (switch fabric module) installed then it will give 256 GBPS of backplane capacity.
    If you are running Sup720, you have 720 GBPS backplane capacity and you will see a greater performance by cat65K.
    If you don't have SFM or sup 720, then yes, with direct access switches uplink to Core might slow down the performance of the core switch.
    If that's the case I would suggest to go for a hierarchical design and add another layer to the architecture, i.e. a distribution layer. Now what you can do with this additional layer is that you can uplink your access layer to it, have your inter-VLAN routing done on this layer, and have the access control policy deployed at this layer.
    This additional layer and the above functionalities will offload the processing of traffic at core, and core will be efficient enough to process the traffic as fast as it can. This is an absolutely correct approach.
    Please write back with any questions.
    HTH, Please rate if it does.
    -amit singh

  • Does a 2504 WLC support mobility group with WiSM1 on 6500 Series

    Does a 2504 WLC support mobility group with WiSM1 on 6500 Series?
    Model: WLC 2504
    Software version: 7.3.101.0
    Model: WiSM1
    Software version: 7.x.x.x

    Yes and no. 
    Yes, mobility is supported.  
    No because I personally won't recommend inter-controller roaming.  This is more true when you're dealing with 4400/WiSM-1.  This is even more true when you've got WLC running two (or more) different codes.  

  • LSB in two switch 6500 series

    I need to configure one LSB virtual address in two 6500 switches; it is for a server farm backup and they might respond to the same IP address.

    Check out the following link for configuring a virtual address on the Catalyst 6500 series:
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_installation_and_configuration_guide_chapter09186a00801c589b.html

  • Getting "Configure VLAN" message when enabling SSO redundancy on 5508 WLC?

    Hello All
    We are installing a secondary 5508 HA-SKU WLC under software version 8.0.100.
    After configuring the primary 5508 (redundancy management IP, peer redundancy management IP, etc.) we get the message "Please configure Redundancy Management VLAN before enabling redundancy" when we select SSO enabled. The redundancy management IPs are in the same VLAN as the management IP and this is the default untagged VLAN. What have I missed?
    John.

    Hi Ralph,
    We're running 8.0 in a WLC 8500 series but neither tagged nor untagged interface is working. These are the scenarios we have tested:
    management interface tagged + switchport trunk tagged + HA tagged + switchport trunk tagged = SSO not working
    management interface tagged + switchport trunk tagged + HA untagged + switchport access = SSO not working
    management interface untagged + switchport trunk native vlan + HA untagged + switchport access = SSO not working
    No scenario is working and in cases 1 and 2 we have lost the associated APs as they only recover in case 3.
    In parallel, after enabling tagged interface in management, the "show ip arp" of the switch shows the IP through the HA interface and the ping is lost outwards WLC and inwards.
    Any suggestion?
    Regards.

  • Clients unable to connect and get DHCP - LAP1142N AP and 5508 WLC

    Hi,
    I have 19 locations, each with 1 or more LAP1142N APs in FlexConnect mode. The APs are primed using CAPWAP to my 5508 WLC at the datacenter. The APs join the WLC without issue every time. I have two WLANs, one guest and one staff. The guest network is open and obtains DHCP from a WatchGuard XTM33 firewall at each of the remote locations. The staff side is WPA2/RADIUS and DHCP is assigned from the WLC. Each AP is assigned a static IP that is not in the DHCP scope. For example: the DHCP scope on the branch firewall is 192.168.1.10-250 and the AP will be assigned a static IP of 192.168.1.1. The APs are connected to an HP ProCurve switch that has an untagged VLAN; the firewall is using the native VLAN 1 and so is the AP.
    I have been running this network for over a year and it has not had a single issue until the last two weeks. Nothing on the network has changed or has been upgraded.
    Now for the issue: The issue I am seeing is that clients are no longer able to connect to the AP and do not get DHCP assigned to them. I am able to get it working, if I remove the static IP from the AP, the AP will reboot, join the controller, then begin working, users can connect and DHCP is assigned from the firewall as it should. However, If the AP then reboots, the AP will join back to the controller but no clients can connect nor do they get a DHCP address. So, I then reassign a static IP to the AP again and it reboots, connects to the controller and clients then can connect and get DHCP.
    Attached is a running config from one of the APs
    I've found several posts on this topic, in fact the patch of unassigning or reassigning static IP is one that I found. However, I wanted to post this to see if there is any further assistance I can get on this. I am also waiting on my SmartNet to start up and will be contacting Cisco support as well.
    Thanks for any help.

    Alright, so I finally figured out the issue with this. I had a Mobility Anchor set on the guest WLAN and once I removed that all started working again.
    What is Mobility Anchor?
    A. Mobility Anchor, also referred to as Guest tunneling or Auto Anchor Mobility, is a feature where all the client traffic that belongs to a WLAN (Specially Guest WLAN) is tunneled to a predefined WLC or set of controllers that are configured as Anchor for that specific WLAN. This feature helps to restrict clients to a specific subnet and have more control over the user traffic. Refer to the Configuring Auto-Anchor Mobility section of Cisco Wireless LAN Controller Configuration Guide, Release 7.0 for more information on this feature.

  • Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS

    Has anyone experienced a problem getting a Cisco WLC to work with MS NPS server? We've done it before, albeit with different code versions.
    I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication. I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However, on the WLC I see repeated "RADIUS server x.x.x.x:1812 deactivated in global list" and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user" along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
    Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond, which in turn causes the WLC to switch to the other NPS server, which produces the same issue.
    Any ideas of what might be the issue or misconfiguration?

    Jim,
    I wanted to know if you can set up Wireshark on both of the boxes and see if you are hitting the following bug:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
    It looks as if the WLC is retransmitting the client traffic from one RADIUS session with the primary over to the secondary, in which the RADIUS State attribute that was assigned from the primary server is probably hitting the secondary server. Therefore if the State attribute isn't assigned from the secondary server it will discard the packet.
    May need to open a TAC case to see if this issue is on the 550x controllers also.
    Thanks,
    Tarik
