Cheers @Chipula,
We were using the same version on the 8500L as our ASR1001-X to keep some consistency while we changed platform as these are our DMVPN hubs.
As you said, Cisco TAC was trying to be helpful, but it was slow and they were requesting a joint troubleshooting session with Aruba.
Your thread gave us some more motivation to try the latest recommended 17.12, so we got the green light to upgrade to that, and it has so far resolved the issue with Aruba access points not properly establishing tunnels/SSIDs back to the controller.
While my initial google-fu didn't yield anything relevant other than your thread, I've since bumped into Cisco Bug CSCwe09298 which seemed to be the same, if not adjacent.
Thanks again for your feedback!
Original Message:
Sent: Jul 07, 2025 09:01 AM
From: Chipula
Subject: IPSec/GRE tunnel issues with APs
I never got a clear answer from Cisco but we ended up using 17.6.X code and it was fine. We also tested 17.12.X but at that time it wasn't recommended for use but I believe it is now.
Original Message:
Sent: Jul 06, 2025 07:39 PM
From: dm0
Subject: IPSec/GRE tunnel issues with APs
Apologies for resurrecting this @Chipula, but we've just migrated one of our Cisco ASR1001s to a Cisco 8500 that is in the traffic path between controllers and APs.
We kept as much the same as possible, including IOS version (17.9.5f), but we've hit this same issue. As we replaced our "secondary" first, we can troubleshoot live.
MTU was our first consideration, but we've combed through the configuration and verified the working/not working routes are exactly the same with regard to MTU.
One cautious suspicion I have personally is that the router is incorrectly trying to process this specific IPsec traffic itself and dropping it (`show drops` has an abnormally high "IpsecIkeIndicate" compared to the operational one).
We're running this up the flagpole of Cisco support now but I'm keen to know - did you get to the bottom of this?
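The drop-counter comparison described in the post above (an abnormally high "IpsecIkeIndicate" count on the new router versus the working one) is the kind of check that is easy to eyeball once, but worth scripting when you are comparing two platforms side by side. The following is an added example, not code from the thread or from Cisco: it parses a constructed, simplified two-column rendering of drop-reason counters (the layout and the counter names other than IpsecIkeIndicate are assumptions, not the real `show drops` format), then flags any reason whose count on the suspect router is disproportionately higher than on the healthy baseline.

```python
"""Compare drop-reason counters between a known-good router and a suspect one.

Added example (not from the thread). The sample text below is constructed:
a simplified "<reason> <packets>" layout, not a faithful copy of IOS-XE
`show drops` output. Only the counter name IpsecIkeIndicate comes from
the original post; the other reason names are hypothetical.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the router that carries the AP tunnels without trouble.
WORKING_ROUTER = """\
Drop Reason                  Packets
-------------------------------------
Ipv4NoRoute                     1432
IpsecIkeIndicate                  27
TailDrop                         310
"""

# Constructed sample: the newly installed router that the APs flap behind.
SUSPECT_ROUTER = """\
Drop Reason                  Packets
-------------------------------------
Ipv4NoRoute                     1410
IpsecIkeIndicate              184233
TailDrop                         295
"""

# One counter per line: a reason name followed by an integer packet count.
# The header and separator lines do not match and are skipped.
LINE_RE = re.compile(r"^(?P<reason>[A-Za-z0-9_]+)\s+(?P<count>\d+)$")


def parse_drops(text: str) -> Dict[str, int]:
    """Return {reason: packets} for every counter line in the text."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            counters[m.group("reason")] = int(m.group("count"))
    return counters


def flag_outliers(
    baseline: Dict[str, int],
    suspect: Dict[str, int],
    ratio: float = 10.0,
    min_packets: int = 1000,
) -> List[Tuple[str, int, int, float]]:
    """List (reason, baseline_count, suspect_count, ratio) for counters that
    are at least `ratio` times higher on the suspect router.

    `min_packets` filters out tiny counters whose ratio is meaningless noise.
    A zero baseline is treated as 1 so a reason that is idle on the healthy
    box but busy on the suspect box is still reported.
    """
    flagged = []
    for reason, count in suspect.items():
        if count < min_packets:
            continue
        base = baseline.get(reason, 0)
        r = count / max(base, 1)
        if r >= ratio:
            flagged.append((reason, base, count, r))
    flagged.sort(key=lambda t: t[3], reverse=True)
    return flagged


if __name__ == "__main__":
    good = parse_drops(WORKING_ROUTER)
    bad = parse_drops(SUSPECT_ROUTER)
    for reason, base, count, r in flag_outliers(good, bad):
        print(f"{reason}: baseline={base} suspect={count} ({r:.0f}x)")
```

Drop counters on a router are cumulative since boot or last clear, so in practice capture the output twice a few minutes apart on each box and feed the deltas into `flag_outliers` rather than the raw totals; otherwise a long-running baseline router can mask a burst on the new one. A reason that stands out this way tells you which forwarding path to look at next (here, IPsec/IKE handling of traffic the router should only be transiting), which is a much tighter starting point for a TAC case than "APs flap".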
Original Message:
Sent: Mar 18, 2024 11:03 AM
From: Chipula
Subject: IPSec/GRE tunnel issues with APs
So we installed a new edge router, a Cisco 8500, last week and immediately every remote AP kept coming up and down and never stayed connected long enough for the SSIDs to broadcast.
After a rough day of troubleshooting and then moving every AP to a different cluster, we isolated the issue to the new router (I hope Cisco TAC can help us figure that one out).
We have now put the old router back into production and set up a small lab with the new router and one AP, and the same issue persists.
The question I have is whether anyone has ever run into something like this and has any ideas on what could cause transient IPSec/GRE traffic to have issues? Any and all ideas are appreciated.
We have an Aruba 9240 cluster with about 400 APs and growing. There is a mix of AP514s and AP615s and all are affected.
Thanks