WLC 5508 issue with 4 ports in portchannel

Hi,
We have one WLC 5508 with LAG enabled on it, but when we connect 4 cables to a distribution switch, only 3 links are sending and receiving traffic; the 4th one is up, with outgoing traffic from the distribution switch to the WLC but nothing incoming.
Some APs went down and refuse to be registered back to the WLC. When we shut down the 4th port, everything is back to normal.
The EtherChannel config is identical and I can see all ports are active and not suspended:
interface GigabitEthernet2/2/1
 description PortChannel-WLC1-Port1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 60-67,2808,2922,2923,2932
 switchport mode trunk
 channel-group 99 mode on
interface GigabitEthernet2/2/2
 description PortChannel-WLC1-Port2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 60-67,2808,2922,2923,2932
 switchport mode trunk
 channel-group 99 mode on
interface GigabitEthernet2/2/3
 description PortChannel-WLC1-Port3
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 60-67,2808,2922,2923,2932
 switchport mode trunk
 channel-group 99 mode on
interface GigabitEthernet2/2/4
 description PortChannel-WLC1-Port4
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 60-67,2808,2922,2923,2932
 switchport mode trunk
 channel-group 99 mode on

sh etherchannel 99 sum
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use, no aggregation
        f - failed to allocate aggregator
        M - not in use, no aggregation due to minimum links not met
        m - not in use, port not aggregated due to minimum links not met
        u - unsuitable for bundling
        d - default port
        w - waiting to be aggregated
Number of channel-groups in use: 38
Number of aggregators:           38
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
99     Po99(SU)         -        Gi2/2/1(P)     Gi2/2/2(P)     Gi2/2/3(D)     
                                 Gi2/2/4(P)     
Last applied Hash Distribution Algorithm: Fixed
Gi2/2/3 is down because we had to shut down the interface; when it is up, many APs refuse to register.
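A small check that reads `show etherchannel summary` output like the one above and reports which members are actually bundled, added here as an example and not code from the original post. The sample output is constructed from the Po99 block in the thread. It also flags the point that matters for this kind of fault: with `channel-group 99 mode on` the bundle is static (Protocol `-`), so there are no LACP/PAgP keepalives and a member that is up but only passing traffic in one direction is never suspended by the switch. Interface counters on both ends are the place to confirm a one-way member; that output is not on this page, so the check below stops at the summary.

```python
"""Parse 'show etherchannel summary' output and flag members that are not
actually bundled. Added example (not from the original post); the sample
output below is constructed from the summary shown in the thread."""
import re
from dataclasses import dataclass, field

# Constructed sample: the Po99 block from the thread, legend omitted.
SAMPLE_SUMMARY = """\
Number of channel-groups in use: 38
Number of aggregators:           38
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
99     Po99(SU)         -        Gi2/2/1(P)     Gi2/2/2(P)     Gi2/2/3(D)
                                 Gi2/2/4(P)
Last applied Hash Distribution Algorithm: Fixed
"""

# "99     Po99(SU)   -   Gi2/2/1(P) ..." -> group, name, flags, protocol, rest of line
GROUP_RE = re.compile(r"^(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)\s*(.*)$")
# "Gi2/2/1(P)" -> interface name and its one-letter flags
PORT_RE = re.compile(r"(\S+?)\(([A-Za-z]+)\)")


@dataclass
class Bundle:
    group: int
    name: str
    flags: str            # e.g. "SU" = Layer2, in use
    protocol: str         # "-" means static (channel-group ... mode on), no LACP/PAgP
    members: dict = field(default_factory=dict)   # interface -> flags


def parse_summary(text):
    """Return one Bundle per port-channel row, including wrapped member lines."""
    bundles, current = [], None
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = Bundle(int(m.group(1)), m.group(2), m.group(3), m.group(4))
            bundles.append(current)
            rest = m.group(5)
        elif current is not None and line.startswith(" ") and PORT_RE.search(line):
            rest = line                      # continuation line of the same group
        else:
            if not line.startswith(" "):     # any other unindented line ends the row
                current = None
            continue
        for port, flags in PORT_RE.findall(rest):
            current.members[port] = flags
    return bundles


def bundled_members(bundle):
    """Interfaces the switch is actually hashing traffic onto (flag P)."""
    return sorted(p for p, f in bundle.members.items() if "P" in f)


def audit(bundle, expected_members):
    """Findings for a WLC LAG bundle: missing or non-bundled members and the
    static-bundle caveat (no protocol means no detection of a one-way member)."""
    findings = []
    if "U" not in bundle.flags:
        findings.append(f"{bundle.name} is not in use (flags {bundle.flags})")
    if bundle.protocol == "-":
        findings.append(
            f"{bundle.name} is a static bundle (mode on): no LACP/PAgP keepalives, "
            "so a member that is up but forwarding in one direction only is never suspended")
    for port in expected_members:
        flags = bundle.members.get(port)
        if flags is None:
            findings.append(f"{port} is not a member of {bundle.name}")
        elif "P" not in flags:
            findings.append(f"{port} is in {bundle.name} but not bundled (flags {flags})")
    return findings


if __name__ == "__main__":
    for b in parse_summary(SAMPLE_SUMMARY):
        print(b.name, "bundled:", bundled_members(b))
        for finding in audit(b, ["Gi2/2/1", "Gi2/2/2", "Gi2/2/3", "Gi2/2/4"]):
            print("  -", finding)
```

Run against the sample it reports three of four members bundled, Gi2/2/3 as not bundled (flag D) and the static-bundle caveat; pasting real `show etherchannel summary` output into `SAMPLE_SUMMARY` works the same way, and a member that the switch shows as `(P)` while its partner receives nothing is exactly the case the summary alone cannot reveal.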

Similar Messages

  • WLC 5508 Problem with #DOT1X-3-INVALID_REPLAY_CTR

    Hi all,
    I have a WLC 5508 with version 7.4.110.0 and 13 access points. 12 of these APs are AIR-LAP1142N-E-K9 and 1 is AIR-CAP3602I-E-K9.
    The logs of my WLC are:
    *Dot1x_NW_MsgTask_1: Jan 11 01:15:05.167: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 90:c1:15:c6:c3:49 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
    *Dot1x_NW_MsgTask_4: Jan 11 01:09:41.015: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 5c:0a:5b:c1:16:34 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
    *Dot1x_NW_MsgTask_3: Jan 11 01:03:32.269: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 40:b3:95:13:da:cb - got 00 00 00 00 00 00 00 03, expected 00 00 00 00 00 00 00 04
    *Dot1x_NW_MsgTask_3: Jan 11 01:03:32.266: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 40:b3:95:13:da:cb - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 04
    *Dot1x_NW_MsgTask_0: Jan 11 01:03:31.648: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 24:77:03:67:01:48 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_5: Jan 11 01:03:31.638: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 14:10:9f:da:c1:cd - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_2: Jan 11 01:03:31.638: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client cc:78:5f:29:cc:82 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_4: Jan 11 01:03:31.633: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 08:11:96:55:81:c4 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_0: Jan 11 01:03:31.631: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 84:3a:4b:56:36:50 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_1: Jan 11 01:03:31.630: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 14:10:9f:e2:d4:91 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_0: Jan 11 00:59:52.593: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client a0:88:b4:60:20:f8 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
    *apfRogueTask_3: Jan 11 00:59:32.168: #APF-1-UNABLE_TO_CONTAIN_ROGUE: apf_rogue.c:4414 Unable to contain rogue 40:01:C6:11:F9:F1 - Not enough Container AP(s). Number of Container AP(s) 2, Requested containment level 4
    *apfRogueTask_3: Jan 11 00:58:38.635: #APF-1-UNABLE_TO_CONTAIN_ROGUE: apf_rogue.c:4414 Unable to contain rogue 40:01:C6:11:F9:F1 - Not enough Container AP(s). Number of Container AP(s) 1, Requested containment level 4
    *Dot1x_NW_MsgTask_0: Jan 11 00:50:06.885: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 10:68:3f:46:4e:e8 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
    *Dot1x_NW_MsgTask_0: Jan 11 00:50:06.883: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 10:68:3f:46:4e:e8 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 02
    *dot1xMsgTask: Jan 11 00:49:05.842: #DOT1X-3-PSK_CONFIG_ERR: 1x_ptsm.c:618 Client c8:e0:eb:19:2a:97 may be using an incorrect PSK
    *apfRogueTask_3: Jan 11 00:40:42.576: #APF-1-UNABLE_TO_CONTAIN_ROGUE: apf_rogue.c:4414 Unable to contain rogue 40:01:C6:11:F9:F1 - Not enough Container AP(s). Number of Container AP(s) 3, Requested containment level 4
    *Dot1x_NW_MsgTask_3: Jan 11 00:40:17.471: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client c4:43:8f:f1:8c:8b - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
    *Dot1x_NW_MsgTask_4: Jan 11 00:40:03.368: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client f0:d1:a9:8e:1a:dc - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
    *Dot1x_NW_MsgTask_1: Jan 11 00:39:30.528: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 14:10:9f:d8:84:09 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
    I already went to this link to check the description of the errors:
    http://www.cisco.com/en/US/docs/wireless/controller/message/guide/msgs4.html#wp1000139
    Appreciate all feedback. Thank you.

    Hi Ruben,
    a) After successful dot1x authentication, session keys are derived from the pairwise master key.
    b) When the AP transmits a key to a station, by default it expects a response back within a set timeframe.
    c) If the station does not respond, the AP increments the counter and retransmits the key.
    d) If the AP receives a response to the first message just after the retransmission of the key, a mismatch occurs in the counter.
    In most cases this will be a client driver problem.
    Solution:
    1) Try increasing the EAPOL-Key timeout (config advanced eap).
    2) Upgrade the client driver.
    *****Help others out by using the rating system and marking answered questions as "Answered"*****
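Two things a defender would want from the explanation above, written here as an added example rather than code from the thread or from the WLC: a parser that turns the `INVALID_REPLAY_CTR` lines in Ruben's post into a per-client summary (how many mismatches, and how far behind the station's counter was), and a toy model of steps (a) to (d) showing why a slow reply produces "got 1, expected 2" and why raising the EAPOL-Key timeout makes the same reply acceptable. The timing model is a simplification (an assumption for illustration; real WLC retry timers and counts are not modelled), and the sample log lines are copied from the post.

```python
"""Model the EAPOL-Key replay-counter race described in the reply (steps a-d)
and summarise INVALID_REPLAY_CTR lines per client. Added example, not the
WLC's own code; the timing model is a simplification (assumption), and the
sample log lines are copied from the post above."""
import re
from collections import defaultdict

# Constructed sample: three replay-counter lines plus two unrelated lines from the post.
SAMPLE_LOG = """\
*Dot1x_NW_MsgTask_1: Jan 11 01:15:05.167: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 90:c1:15:c6:c3:49 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
*Dot1x_NW_MsgTask_3: Jan 11 01:03:32.269: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 40:b3:95:13:da:cb - got 00 00 00 00 00 00 00 03, expected 00 00 00 00 00 00 00 04
*Dot1x_NW_MsgTask_3: Jan 11 01:03:32.266: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 40:b3:95:13:da:cb - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 04
*apfRogueTask_3: Jan 11 00:59:32.168: #APF-1-UNABLE_TO_CONTAIN_ROGUE: apf_rogue.c:4414 Unable to contain rogue 40:01:C6:11:F9:F1 - Not enough Container AP(s). Number of Container AP(s) 2, Requested containment level 4
*dot1xMsgTask: Jan 11 00:49:05.842: #DOT1X-3-PSK_CONFIG_ERR: 1x_ptsm.c:618 Client c8:e0:eb:19:2a:97 may be using an incorrect PSK
"""

HEX8 = r"(?:[0-9a-f]{2} ){7}[0-9a-f]{2}"   # the 8-byte counter as the WLC prints it
REPLAY_RE = re.compile(
    r"INVALID_REPLAY_CTR:.*client (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) - "
    rf"got (?P<got>{HEX8}), expected (?P<exp>{HEX8})"
)


def counter_value(printed):
    """'00 00 00 00 00 00 00 02' -> 2 (the replay counter is a 64-bit big-endian integer)."""
    return int(printed.replace(" ", ""), 16)


def parse_replay_events(log_text):
    """(mac, got, expected) for every INVALID_REPLAY_CTR line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = REPLAY_RE.search(line)
        if m:
            events.append((m["mac"], counter_value(m["got"]), counter_value(m["exp"])))
    return events


def summarize(events):
    """Per client: number of mismatches and the largest lag (expected - got).
    A lag of 1 is the single-retransmission race from the reply; a larger lag
    means the station answered a message that had already been resent more than once."""
    out = defaultdict(lambda: {"events": 0, "max_lag": 0})
    for mac, got, exp in events:
        out[mac]["events"] += 1
        out[mac]["max_lag"] = max(out[mac]["max_lag"], exp - got)
    return dict(out)


def simulate_key_exchange(reply_delay_ms, eapol_key_timeout_ms, max_retries=2):
    """Toy model of steps (a)-(d): the AP sends a key message with counter 1 and
    retransmits with an incremented counter every eapol_key_timeout_ms until a
    reply arrives; the station answers the first message after reply_delay_ms.
    Simplified timing (assumption), not the controller's real state machine."""
    retransmissions = min(reply_delay_ms // eapol_key_timeout_ms, max_retries)
    ap_counter = 1 + retransmissions      # (c) each retransmission bumps the counter
    station_counter = 1                   # (d) the late reply still carries counter 1
    return {"accepted": station_counter == ap_counter,
            "got": station_counter, "expected": ap_counter}


if __name__ == "__main__":
    for mac, stats in summarize(parse_replay_events(SAMPLE_LOG)).items():
        print(mac, stats)
    print("reply after 1200 ms, timeout 1000 ms:", simulate_key_exchange(1200, 1000))
    print("reply after 1200 ms, timeout 2000 ms:", simulate_key_exchange(1200, 2000))
```

The summary is what to look at before changing anything: one mismatch per client with a lag of 1 matches the retransmission race and points at client drivers, while a client that keeps appearing with growing lags is worth a closer look on its own. The two `simulate_key_exchange` calls correspond to solution 1 in the reply: the same 1200 ms reply is rejected with a 1000 ms timeout and accepted once the timeout exceeds the reply delay.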

  • WLC 5508 issue

    We already have a WLC 5508 set up with several SSIDs. We plan to create a new one and assign it to a new VLAN. However:
    1. About 240 devices (laptops, iPods, etc.) will be connecting to that single SSID - is there any way to resolve that? I don't want to create multiple VLANs and SSIDs for 30 devices.
    2. I would like to create ACCT and Service SSIDs and have them access different VLANs, for example:
    ACCT should have access to the printer, server and Internet.
    Service only Internet and server access. Can I use ACLs on the WLC 5508? The WLC 5508 is connected 8x to a 3750 > 4900 > ASA 5510. There are only 2 access lists on it now and the total would be 5. Would it be a better idea to put the access lists on the 3750 or 4900, or even the ASA?
    I am new to the WLC controller and trying to figure it out ASAP. Thank you.
    -John

    Hi John,
    1. 240 devices per SSID is not a huge number. If you are concerned about the number of IP addresses available in a single VLAN, you can always use an interface group (or the VLAN Select feature) to map multiple VLANs to the same SSID. Refer to the link below for a better understanding of that feature:
    http://mrncciew.com/2013/01/27/understanding-vlan-select-feature/
    AP groups are another option, but the above is much easier from an administration point of view.
    2. Yes, the 4900 seems like the best place to control inter-VLAN traffic, as that is where you define the L3 interface (or gateway) of each of these user VLANs.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • WLC DHCP issue with 6500

    Hi,
    I configured the WLC as a DHCP server and it works fine when connected to the 3750 core switch. The APs and clients are getting IP addresses.
    When the same WLC is connected to the 6500, DHCP from the WLC does not work. The same port on the 6500 switch was verified by connecting a 3750 switch as the DHCP server, and the APs as well as the clients get IPs.
    DHCP snooping and port security are not enabled on the 6500 and the configuration is simple. The WLC is untagged and the 6500 port is a trunk port with 242 as the native VLAN.
    Please help.

    Dear Surendra,
    Please see the answers in line.
    1. As per your previous post, if we connect the WLC to the 3750 core everything works fine. So in this case, I assume that we have an interface VLAN on the switch and the management interface on the WLC in the same subnet? Correct?
    "Yes, all are in the same VLAN. The interface VLAN and management interface are in the same subnet."
    2. Similarly, if we swap the 3750 with the 6500, it doesn't work. In this case, have you created the interface VLAN on the 6500 in the same subnet as that of the management interface of the WLC?
    "Yes, the 6500 has a VLAN interface without an IP. The same way we configured the 3750."
    Or
    3. Are we not swapping the 6500, and are we connecting the WLC to the 6500 and then this 6500 to the 3750?
    "We connected the WLC LAP to the 3750 and the DHCP of the WLC is working fine. When the WLC & AP are connected to the 6500, the WLC DHCP is not working. We verified the 6500 port by connecting the 3750 as the DHCP server with the WLC connected to the 3750, and all was working fine. When the WLC is directly connected to the 6500, the LAP does not join the WLC. When a static IP is given to the LAP, the LAP joined the WLC but the clients were not getting IPs."
    4. Layer 2 means the interface VLAN on the switch, the WLC management interface and the AP DHCP pool are all in the same subnet. Correct?
    "Yes, all are in the same subnet."
    Thanks for your efforts.
    Regards,
    Savad

  • WLC 5508 integration with fortigate and Guest Vlan

    Hi
    I have a Cisco 5508 WLC and I want to connect one WLC port to a FortiGate (FW) for direct Internet.
    The other port on the WLC I will connect to the Cisco core switch for the other SSIDs and for management. Now the question is how to divide the ports on the WLC 5508, and how to direct layer 3 traffic if I don't configure the switch port as a trunk.
    Kindly advise what the best solution would be.


  • WCS Install Issue With Port 80

    I am installing WCS on a server with another web app that uses port 80. WCS complains because of this. What is another good port to use for WCS instead of 80 that is pretty typical? If I use another port, do I need to do anything to IIS on a Windows 2k3 server?
    Thanks for any help.

    For what it's worth, in the Cisco AireSpace class, the instructor stressed not changing the default port numbers during install.
    Also, the idea that the WCS server needs to be somewhat beefy would indicate to me that if you load up other apps on it at the same time, you are going to have performance issues.

  • WLC 5508: LAG with not stacked switches

    Hello!
    We are planning to implement a redundant physical connection from the 5508 WLC to non-stacked 3750 switches.
    The scheme is attached.
    Is there any way to implement such a variant of the topology?

    When you don't have LAG enabled, you can choose a primary port and a backup port.
    Do you mean choosing primary and backup for the management interface?
    As mentioned in the documentation about the AP-manager: "You cannot map the AP-manager interface to a backup port"
    http://www.cisco.com/en/US/docs/wireless/controller/7.3/configuration/guide/b_wlc-cg_chapter_011.html#ID345

  • Does WLC 5508 Support LDAPS - Port 636

    We have 2 5508 WLCs and about 35 AirCap radios.
    We're running the latest S/W release, 8.0.110.
    We presently use LDAP to authenticate to the wireless.
    We would like to move to LDAPS on port 636.
    The configuration guide says you can select other port numbers for LDAP, but
    only port 389 is supported.
    Is this true?
    I read some old posts that said on releases from years ago LDAPS and port 636 were supported.

    The config guide says the following, and the default is 389. It does not say only 389 is supported.
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_0101110.html
    "If you are adding a new server, enter the LDAP server’s TCP port number in the Port Number text box. The valid range is 1 to 65535, and the default value is 389."
    Anyway, give it a try and see.
    Rasika

  • Continued issues with Port Forwarding/Matchmaking ...

    I am at a loss. I am one step away from cancelling with BT. Please, if someone can provide simple, step-by-step instructions, that would be great...
    I have a new Home Hub 5 (Type A), as apparently the last one was faulty and kept dropping out around peak time. I initially set up port forwarding for my Xbox 360 and placed the Xbox One in the DMZ. For the most part, things worked, but now I am unable to maintain a solid connection, even with this awful excuse for fibre optic.
    I have reset the hub. Restored to factory settings. I have assigned static IPs. Placed devices in the DMZ. Followed all steps provided from the many sources available. I am still getting a "Matchmaking" service error on the 360, and my Xbox One continually changes its NAT type from moderate to open, leaving me to run the checks each time I want to start a game online, instead of just booting up the console and playing without concern.
    I have just cleared all my settings for port forwarding, and when I try to set it up again, I can't due to "conflicts", which don't exist. Even after factory resetting the hub.
    Please, can someone help me before I throw all this in the bin and cancel with BT? I am exhausted with it all and am getting nowhere.
    How do I clear all the settings so I can assign ports without "conflicts"?
    Why am I getting matchmaking service errors on the Xbox 360 when there are no issues on Xbox's end?
    What am I missing?

    The TP-Link TD-W9980 and Billion 8800nl are popular at the cheaper end (£65ish), or there are the ASUS DSL-AC68U, Billion 8800AXL and Netgear D6400 in the pricier (£150ish) range. Personally I have the TP-Link. The downside to the Billion 8800nl is the lack of 5 GHz wireless.

  • WLC 2504 - Issue with using Microsoft NPS for Radius Management Login

    Hello,
    In our environment we like to have our network admins and engineers use their Active Directory credentials when logging into devices, so we can log who logged into which devices and whether any changes were made. To do this we use a Server 2008 R2 NPS server with all our routers, switches and ASAs. We recently purchased a WLC to begin adding wireless to our environment. (See WLC_Radius_Config.png and NPS_Radius_Config.png)
    On the WLC, I am able to authenticate using my AD credentials, but when I go to apply any config changes I get a message saying "Authorization Failed. No sufficient privileges." (See error.png) I have a feeling I am missing something small, but this is very important to us.
    I checked the RADIUS server and there are no login errors or NPS errors pointing to the WLC logins. Has anyone else run into this issue or know what I can do to solve it?
    Thanks,

    Hi Kyujin,
    I wish I had finished my guide.  Didn't realize it would take this long.
    But what I meant is that when adding the attributes to my NPS (Microsoft's Network Policy Server) I only had to add the role and virtual domain if using Prime Infrastructure.
    If you use NCS, you have to add the role, all the tasks, and the virtual domain.
    See the screenshots and see if that helps explain it.  Not sure how TACACS will work as I'm not familiar with it.
    Microsoft NPS - Attributes for NCS
    Microsoft NPS - Attributes for PI

  • Need Help, Issue With Porting Number

    Hey, I ported my number from Sprint, but right now I have service on my iPhone and my old Sprint phone, and if I send a text from the iPhone I get a response on the Sprint phone. Is there any way I can fix this? Or will it work itself out with time?

    That is normal for porting your phone number. Within a few more hours it will all switch over to the iPhone, and you will receive a text message confirming once this is complete. So, just hang on to the Sprint phone a tiny bit longer, you're almost there!

  • WLC 5508 custom syslog port

    We're using a Kibana server that listens on UDP port 1514 instead of the normal port 514. There doesn't appear to be a place to specify a custom port number. Does anyone know of a place to change this? If not, is Cisco going to provide a software fix for this? I can do it on our ASA easily.

    Unfortunately you cannot change the syslog port on any of the legacy controllers (5508/2504/etc.). Here is a post on the same topic:
    https://supportforums.cisco.com/thread/2239795
    If it is an NGWC (like the 3850, etc.) you can do this, as it runs IOS-XE instead of the Aironet software image.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • WLC 5508 - Issue- Will not start NCS

    After a power loss and reboot the unit will not start NCS. The running configuration file appears to be intact. Any suggestions would be appreciated. Currently generating failure logs.
    Thanks in advance
    John D.

    Hi John:
    Power cycling a 5508 wireless LAN controller shouldn't have any impact on NCS. The best source of accurate information will be the logs.zip file that would come from running the command
    backup-logs 06282013 repository
    That's going to cause all the logs for NCS to be backed up and zipped, and the copy put over on the repository. Once you have that, you can unzip it, and the place to start would be the hm-0-0.log file. That's the log of the Health Monitor service that watches over everything and tells the other services, like the database, FTP/TFTP servers and such, to kick off, and logs what those services do when told to kick off. Based on which service isn't behaving, you'd check the log for that service for more details of why that service isn't behaving.

  • WLC 5508 software version working with ISE1.1.2

    Hi,
    My understanding is that for full WLC 5508 integration with ISE 1.1.2, it needs version 7.2.103.0. The question is, if the customer has a 5508 with either 7.0.230 or 7.0.98, and ISE 1.1.2, can the AAA part work? What part will not work, and are there any potential issues if they don't upgrade the 5508 to 7.2.103?
    Thanks in advance!
    Tina

    Please check the table below:
    Table 1 Supported Network Access Devices
    Device | Minimum OS Version | MAB | 802.1X | Web Auth | Session CoA | VLAN | DACL | SGA | IOS Sensor | CWA | LWA
    Wireless LAN Controller (WLC) 2500, 5500 | 7.2.103.0 | No6 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No
    (The row as captured has ten values for eleven feature columns; one value is missing from the source.)
    Ref. link: http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp55038

  • Cisco WLC 5508 with 3702APs - mobile hotspot for 2000 Guest users

    I've been given a fantastic "opportunity" by my boss to use our existing wireless infrastructure to provide Internet access to potentially up to 2000 VIP guests arriving with BYOD devices, in a very densely populated area, for a 3-day event. We are talking an area of approx. 200m x 15m. Think of it as an awards ceremony/concert. The solution will also be mobile, so we will be using Internet breakout from different telcos as it moves to approx. 20 countries. The area is also incredibly densely populated with other Wi-Fi APs. I did a brief site survey and AirMagnet could detect over 2500 other 'rogue' APs from where I was stood! I hope CleanAir works!
    We need a simple authentication method for them to connect with zero admin from our side. We don't want to just offer up a rolling daily PSK, as that's a bit amateur and we don't really want the VIP guests sharing the PSK with others during their stay. Ideally they could self-provision by providing an email address.
    I know the WLC can handle web auth for local users, but I don't think it scales very well, i.e. I don't think I can offer accounts to several hundred people.
    Cisco ISE looks a very expansive (and expensive) product, but I don't think we need all its capabilities (do I?). It would be nice to just ask a potential user for their email address, grant them access and email them next year. I've seen Cisco NAC, but that looks over the top too for guest users who will only be accessing a shared Internet connection.
    I've seen supposed 3rd-party software solutions from Kiosk, Antamedia, etc. Do they work with Cisco Enterprise WLC solutions?
    We'd like to limit users to a certain (low) bandwidth and block (say) torrent traffic to keep the general user experience worthwhile.
    Does anybody have any case study documents or experience of such a project? As well as the authentication, it's how well the APs will handle the potentially dense number of clients trying to connect in such a confined space.
    Any suggestions would be gratefully appreciated from the knowledgeable community.
    Cheers,
    Mike

    Hi Rasika,
    We have a WLC 5508 running software version 7.4.121.0. The AP models are AIR-CAP2602I.
    Normally our WAN links are good even while the issue persists. We are connected to remote offices over IPsec site-to-site VPN for WAN. The link latency on the WLC between the AP and the controller shows <1 ms.
    Currently the Guest network uses WPA2-PSK auth configured on the controller. We are trying to find an option to make the Guest wireless auth local to the office, and see if this solves the problem.
    Any suggestions?
    Thank you,
    Arjun
