This discussion is locked


Unanswered Question
Feb 12th, 2010
User Badges:
  • Gold, 750 points or more

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to configure and troubleshoot WCS related issues with Cisco expert Lucien Avramov. Lucien is a Customer Support Engineer working in San Jose TAC center. He is a technical leader within the Network Management Team and has been supporting WCS for about 2 years. He handles world-wide escalations related to Network Management, including WCS. He has a Bachelor Degree in General Engineering and a Master's Degree in Computer Science from the French prestigious Ecole des Mines (Mining School). Lucien holds a CCIE in Routing and Switching (CCIE #19945).

Remember to use the rating system to let Lucien know if you have received an adequate response.

Lucien might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through February 26, 2010. Visit this forum often to view responses to your questions and the questions of other community members.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (8 ratings)
Craig Le-Butt Mon, 02/15/2010 - 04:04
User Badges:


2 part question.

ACS, upgading ACS Windows V4.0 to 4.2 then 4.2.1.  Problem is the CSLOG service keeps flapping.  It authenticated wireless users but just doesn't log them.


We seem to be getting a few APs showing up Ieee on sh power inline.  We've tried reseting from the controllers and shutting the  port down on the switch.

Any idears?



Leo Laohoo Mon, 02/15/2010 - 13:31
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame,

    The Hall of Fame designation is a lifetime achievement award based on significant overall achievements in the community. 

  • Cisco Designated VIP,

    2017 LAN, Wireless

Hey Craig,

This doesn't start until 26 February 2010. 

Lucien Avramov Tue, 02/16/2010 - 07:21
User Badges:
  • Red, 2250 points or more

Leo, please feel free to post questions until Feb 26th

Lucien Avramov Tue, 02/16/2010 - 07:20
User Badges:
  • Red, 2250 points or more

1. Are you using remote logging agent? Can you see the logging on the local ACS logs?

This is more related to an ACS issue at this point as the WLC is able to get you authenticated but ACS does not log it.

I think you may be hitting: CSCta66819  ACS CSLog service stale threads can cause remote logging failure

2. This is more related to a controller WLC problem than WCS here.

This section is oriented for WCS (Wireless Control System).

Please post your questions to the appropriate section:

For 1. :

For 2.:

When you post, please indicate the version of your WLC, the version of code on the AP and the model and post the output of show power inline.

Kokorev_Ivan Wed, 02/17/2010 - 00:35
User Badges:

Hi, there is a question, whether it is possible to remove an error from logging history on Catalyst 3560 so that this error did not register any more even if it will occur.


Jason Bree Wed, 02/17/2010 - 08:39
User Badges:

We have WCS running that is connected to several WiSMs and a 4402 in the dmz for guest access.  We are using a NAC guest server to set up guest accounts.

I have a report that runs daily on the WCS that shows busiest guest network clients.  I am trying to figure out how clients that are not authed and have not received an IP can have 7MB of data transferred.  I also downloaded a very large file from the guest network and did not show up in the log for that day. Can the discrepancy be from that fact that the WCS is not acting as the lobby ambassador?  I have attached a copy of the report



Lucien Avramov Wed, 02/17/2010 - 09:14
User Badges:
  • Red, 2250 points or more
I'm glad you asked.

There is a common condition where associated clients show up with
as the IP and that is if the client is using an unlearned static IP address and did not obtain an IP via DHCP.
Authentication happens prior to getting an IP address.
Therefore these clients can still authenticate and get on the network, but won't show up with an IP.

You can configure the WLAN to require DHCP and that will prevent these clients with the static IP from being able
to associate. Unfortunately, there's not much that can be done with the report entries in WCS as they just reflect
the client data logged on the controllers.

huangedmc Wed, 02/17/2010 - 13:16
User Badges:

High memory utilization on WCS server.

The solid.exe and java.exe processes constantly take up most of our memory.

Is this normal behavior?

Lucien Avramov Wed, 02/17/2010 - 13:39
User Badges:
  • Red, 2250 points or more

Out of the blue, no it is not. But this mainly depends on how many APs you are managing with your WCS and what hardware you have.

You can check in what category you fall for the hardware requirements in the release notes:


Standard server—Supports up to 2,000 Cisco Aironet lightweight access points, 1,000 standalone access points, and 450 Cisco wireless LAN controllers.

3.2-GHz Intel processor.

2.13-GHz Intel Quad Core X3210 processor.

2.16-GHz Intel Core2 processor.


80 GB minimum free disk space is needed on your hard drive.

If you are using VMWare, then the requirements are different then for a standalone server.

ewood2624 Thu, 02/25/2010 - 12:45
User Badges:

I'm not sure if this has been answered yet, but where can I find the specs needed for VMWare?

contact_abdul Fri, 02/19/2010 - 07:35
User Badges:

I want to use Cisco 1250 series devices ( AIR-LAP1252G-E-K9  at 2.4 GHZ ) with wireless

controller of 4400 or 5500 series.

I want to use wall mount patch antenas (I will choose any one of the  following models)

AIR-ANT2460P-R   6 dBi Patch Antenna


AIR-ANT2465P-R   Diversity Patch 6.5 dBi


AIR-ANT2485P-R   Patch  8.5 dBi

Now my questions are :

01. The 1250 series has options for three antenas it must to use all the three antenas on each LAP ?

02.Suppose I want my Access point to support wireless G and Wireless N ,then can i get it done by using ONLY ONE ANTENA?

03.Suppose I want  my LAP to support only wireless n clients then can I use only one antena on each access point?

04.There are thick concrete walls comming on the way.Which of the above antenas you suggest best?

Thanx in advance.Please answer.



Lucien Avramov Fri, 02/19/2010 - 11:58
User Badges:
  • Red, 2250 points or more

The 802.11n standard operates at two frequencies : 2.4 GHz and 5 GHz.

The 5GHz will provide you better coverage for thick walls and longer distance.

The 2.4 GHz will provide you shorter coverage but better bandwitdh.

It's always that compromise: either you have long distance and better coverage, either you are closer to the AP and you have better bw.

Would the AP work with no antennas at all? Yes, but the coverage will be very limited.

The AP can work with as many antennas as you place.

In your case you have selected 2.4 GHz. You can look at their specs, basically, the better antenna, the less signal atenuations (noise) it will have.

If you are looking for best coverage for .N, I would strongly recommend you to have one 2.4 GHz antenna and one 5 GHz antenna.

Specs of the antennas you mentionned:

Also, another useful doc: the data sheet document for the 1250

Leo Laohoo Fri, 02/19/2010 - 16:22
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame,

    The Hall of Fame designation is a lifetime achievement award based on significant overall achievements in the community. 

  • Cisco Designated VIP,

    2017 LAN, Wireless

Hi Abdul,

Late last year, Cisco released a new series of antennaes for the 1240 and/or 1250 APs.  Check the PDF files from here:

I've also noticed that your antennaes that your questions are based on are 2.4Ghz.  I believe you need both 2.4Ghz and 5.0Ghz to get wireless "n" running.

As to thick concrete, no one but you will be able to answer that.  There are many combinations of concrete (including the steel wires).  As far as I know, concrete blocks (or cinder blocks) take approximately -5 to -10 dBm off your signal.  One way to address the issue is not to do with antennae but the placement.

If you want to use full bandwidth of "n" then it's nice if you can get all three antennaes connected.

To make your setup alot simpler, no hassles as to which antennaes to buy, have you considered looking at the 1142 series AP?

Hope this helps.

481567 Sat, 02/20/2010 - 10:22
User Badges:

I have a question about Per User Rate Limiting with QoS Profiles. I am running WCS 6.0 and have two anchor controllers installed in seperate data centers. I manage a wireless network with 100+ wireless controllers and 1000+ access points. I need to be able to rate limit guest users at our sites with a limited amount of bandwidth. It would help me a bunch if you could provide screen shots with specific Per User Rate limiting examples. My question is this; say I have a site with a 256k circuit.

QoS Profile Plan:

Platinum with no rate limiting for the Voice clients. The defaults are fine with this profile.

Gold with no rate limiting for our infrastructure or enterprise data SSID. The defaults are fine for this profile.

Silver with no rate limiting at our larger site that support guest access.

Bronze with Per User Rate limiting for our smaller sites that have a limited amount of bandwidth.

I plan on rate limiting the network in the DMZ. 

1) What is the avarage data rate used for? What would be a good base line for a site with a 256k circuit?

2) What is the burst data rate used for? What would be a good base line to start from for a site with a 256k circuit?

3) What is the avarage real-time rate used for? What would be a good base line to start from for a site with a 256k circuit?

4) What is the burst real-time rate used for? What would be a good base line to start from for a site with a 256k circuit?


Lucien Avramov Sun, 02/21/2010 - 11:15
User Badges:
  • Red, 2250 points or more

The QoS settings on the WCS, are the same on what is set actually on the controllers itself.

1) The Average Data Rate: it's the average rate for non-UDP traffic.

2) Burst Data Rate: it's the peak data rate for non-UDP traffic.

3) Average Real-time Rate: it's the average data rate for UDP traffic.

4) Burst Real-time Rate: it's the peak data rate for UDP traffic.

Think about the rates this way: average real-time = UDP traffic, average = Non-UDP traffic.

The rate values are per user and not for the whole circuit. The rate limits are unidirectional, outbound from the controller to the AP. For example if you have 10 users, and you want to provide them equal bw, you should use the value 25.6 kbps. By default the value entered 0 means, that there is no BW limitations set.

The Burst Data Rate should be greater than or equal to the Average Data Rate. Otherwise, the QoS policy may block traffic to and from the wireless client. Also, the values that you will set are in Kbps.

If you want to achieve QoS as a whole, for example restrict guest user traffic to 256 kbps as a whole, then you apply the QoS on the outbound WAN interface (R2 S0/0) as per the example below:

Another document you may want to read about the QoS:

481567 Mon, 02/22/2010 - 07:40
User Badges:


    I am new to rate limiting on WLAN controllers so please forgive me.

Say I have a 256k circuit and want to rate limit the clients to 56k. I'm not sure hove many clients will connect to the system at any one time, but I suspect it wouldn't be over 5 at any one time. For the most part; I think there would be 1 or 2 guest clients on a normal day. These are very small offices.

Keep in mind; I'm just looking for recommendations.

What would I set the average data rate "56k"?

What would you set the burst data rate to?

What would you set the average real-time rate to?

What would you set the burst real-time rate to?

Just a FYI; I tried to access the links you sent me, but my account wouldn't let me access the doc. I'm not sure why as we have an enterprise account.



Craig Le-Butt Mon, 02/22/2010 - 00:52
User Badges:

Wireless Guest Access


I’m looking for advice and if anyone else reads this if they have any solutions.

Basically we are a large NHS Trust, our link to the out side world is via N3 which all the hospitals are on in the UK.  We are planning to give guest access over 3 sites which is no problems, just supply an external ISP.  What I’m looking for is to minimise the admin side to staff for setting up guest access to possibly 100 odd patients at one go.  I wonder what over solutions people of put in place so don’t have to manage there sites instead of using the Lobby Ambassador. 

I know there is an programme called Amigopd which will do the job, but can’t find any one who is using it.



Craig Le-Butt Tue, 02/23/2010 - 01:07
User Badges:


Got several PCs that I've been told have to go on 802.11a, is there anyway of making sure all other clients that have the capability of going on 802.11a stay on 802.11g?

Don't know if this can be done through group policy, or would have to create a seperate SSID to use 802.11a

We are currently using WCS 6.0.170 and all WiSMs running 5.2.193.


Lucien Avramov Tue, 02/23/2010 - 15:08
User Badges:
  • Red, 2250 points or more

Craig, different SSID will be the way to go here.

kirklands Tue, 02/23/2010 - 12:44
User Badges:


Ever since we upgraded our controllers to We started to see alerts in the WCS that AP are drawing low power from ethernet. Failure reason: 'The AP draws 15.4 watts from ethernet'. We do not use Poe switches. We are using inj4 power injectors with 1142. Do you know if this is a false postive between the wcs and the controller? There are no traps that show any power failures. This may be a controller issue only.

Lucien Avramov Tue, 02/23/2010 - 14:09
User Badges:
  • Red, 2250 points or more

Hi Scott,

I have seen two issues internally but no yet a trend that leaded to a bug on WCS

If the radios do work properly (turned on), by the power injectors, the message is then a false positive and have no impact on your production.

There is actually a bug that was marked not reproducible for 1232 APs but this can be generalized to any AP running CAPWAP.

The bug id is CSCtb78808.

You may want to turn debugs on the controller to identify if this is an issue on the controller or on the WCS.

Also turn on logging on WCS to full and have a look at the WCS logs to see if you see any messages coming from the WLC.

Let me know how it goes

nowires01 Tue, 02/23/2010 - 13:45
User Badges:

Would you be able to confirm if the latest boot software file ( ER.aes) is required when using WiSM software ? I guess my question is what boot software should I be using if I'm currently using a WiSM with software? At the moment I'm using bootloader version.

I'm having to re-install the WiSM IOS to one of my controllers to due to possible corruption. Currently this controller is in production and supporting up to 138 AP's at the moment. As I'm trying to add new AP's they keep erroring out with unable to Tar file, and I've tried with 3 other new 1130's. However, when I pointed the AP's over to a different WLC within the same mobility group they joined with no problems and were able register and download it's software.

My peers who've had this same issue in the past had to re-install the WiSM IOS.

Greatly appreicated.


Lucien Avramov Tue, 02/23/2010 - 15:20
User Badges:
  • Red, 2250 points or more

You shouldnt have to upgrade or downgrade the bootloader. ER.aes is fine for 4.2, 5 and 6.0 controller versions

Craig Le-Butt Thu, 02/25/2010 - 07:47
User Badges:


/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin:0cm; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman"; mso-ansi-language:#0400; mso-fareast-language:#0400; mso-bidi-language:#0400;}

Got a little problem.

Adding a second WISM blade to a 6509

Got a 6509 which has an existing WiSM installed slot 3., I’ve added a second WiSM in to slot8.

The problem is there is not enough address in VLAN600 for the extra WiSM plus future WiSMs, so the plan is to move them all to VLAN617.  I’ve installed the second WiSM setup the gateway, ap manager and manager

From the 6059 I can ping the gateway and the management IP of the wism. 

But on the WISM I cant ping the service IP or the ap-manager even though they are in the same vlan.

any ideas?


huangedmc Thu, 02/25/2010 - 08:55
User Badges:

Are you running out of addresses for WiSM & the AP's, or for clients?

From a strictly routing/switching stand of point, you should limit your broadcast domain.

It's normal that you can't ping the ap-manager IP, but just the management IP.

Service port needs to be on a different subnet than the management interface.

I don't think it'll let you put them in the same VLAN even if you try.

Lucien Avramov Thu, 02/25/2010 - 13:21
User Badges:
  • Red, 2250 points or more

As Huang said, you can only ping the management interface.

Also let me here add some good practices:

The management and AP-manager interfaces must be left untagged, for example, VLAN ID 0, when they are on the native VLAN on the trunk. Remove the tags from the management interface.

Also if the ping is attempted over wireless, the management through wireless check box can be unchecked. All the AP-managers and the dynamic interfaces do not support pings. The dynamic interfaces can only be pinged if they are mapped to the same port as the management interface. They only send Internet Control Message Protocol (ICMP) replies if the controller is under a light load, because the ICMP is placed as the lowest priority task.

Also, the management interface must be accessed with Layer 3 connectivity to the subnet on which the interface resides. If the management interface is 10.x.x.x, make sure the PC has full access to this subnet. In order to check this, try to access the GUI through secure HTTP. If this does not work, provide full access to the subnet.

mbanenas Thu, 02/25/2010 - 12:20
User Badges:


I have 2 WCS servers and I'm getting overwhelmed by the amount of alarms that are generated.  It's hard to tell which alarms are severe and need immediate action and which are just cosmetic.  Are there any recommendations or best practices for setting up the alarms on the WCS?



Lucien Avramov Thu, 02/25/2010 - 13:50
User Badges:
  • Red, 2250 points or more

What version of WCS are you running?

mbanenas Thu, 02/25/2010 - 14:58
User Badges:

Lucien Avramov Fri, 02/26/2010 - 11:37
User Badges:
  • Red, 2250 points or more

You can make all the alarm setting changes under Administration -> Settings -> Severity Configuration.

Feel free to change all the ones that bother you to informational.

For example, if you are in an environment with Rogue APs, and you get those message alot and they are for you a kind of false positive, reduce the severity on them.

There is no really good practice, I would say it really depends on your environment and what alarms you don't want to bothered for. Definitely, the controller or ap radios down are messages you do want to be alarmed for.

If you let me know what messages you get I can evaluate and make a suggestion about changes you may make.

In case this ask the expert event closes, please re-post your question on the forum discussion and I look at it there.

We just setup WCS6.0.170.0 on a Linux server. We also have a 4402 controller to talk to.

The WCS server loses connection to the 4402 controller periodically. However, if I leave a continuous ping running from the WCS server to the controller, it almost never happens.

The odd thing too is that when there is no way to connect from the WCS to the controller, or ping back from the controller to the WCS, they are both working fine separately and available through web and other access from other computers. It's almost as if the controller has blocked access to it from the IP of the WCS server.

Is that possible? The connections start working again after a period of time, but it all seems random, and there is nothing I can find logged anywhere about it other than the alerts in WCS that the controller is unreachable.

I've check the switch logs for interface problems and span-tree issues, arp issues etc. I can find no problems with my limited abilities here.

Do you have any ideas?



Lucien Avramov Thu, 02/25/2010 - 13:37
User Badges:
  • Red, 2250 points or more


Are you having a VPN / MPLS connection between your WLCs and your WCS?

The fact when you are pinging, the controller shows online should be just a coincidence. WCS uses SNMP protocol to talk to the WLC, whereas the pings do use ICMP.

In any case, I here suggest you to tweak a little your SNMP configuration on your WCS.

Go to Administration -> Settings -> SNMP Settings

Reduce the value of your maxvarbind per PDU to 50 or lower.

The next things you can try if you don't see improvement is to uncheck the checkbox use reachability parameters and change the backoff algorithm.

This should help your issue.

Let me know how it goes.

I have made the changes you mentioned to see what happens.

As far as the connection, both devices are plugged into the same network switch, Cisco 4948.

I just used ping to ascertain whether or not it was just the SNMP protocol, or all connection fail.

We have a CCIE working on this new installation for us, I'll just task him with figuring it out ;-)

Thank you,


KescomAnis Thu, 02/25/2010 - 13:01
User Badges:
We have some APs (AP1, AP2, etc) with confugured WDS on one AP. (Without WCS).

On APs configured two SSID with two static assigned VLANs:

dot11 ssid K-Internet
   vlan 3
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii
dot11 ssid K-Private
   vlan 1
   authentication open eap EAP_WDS
   authentication network-eap EAP_WDS
   authentication key-management wpa
   mbssid guest-mode
interface Dot11Radio0
encryption vlan 1 mode ciphers aes-ccm tkip
encryption vlan 3 mode ciphers aes-ccm tkip
broadcast-key vlan 1 change 900
broadcast-key vlan 3 change 900
ssid K-Internet
ssid K-Private
wlccp ap username password


aaa authentication login WDS_Auth_Client group rad_eap

wlccp ap username password
wlccp authentication-server infrastructure WDS_Auth_Infrastructure
wlccp authentication-server client any WDS_Auth_Client
wlccp wds priority 100 interface BVI1

All works Ok with EAP-FAST authentication on Cisco ACS RADIUS.
But now I want to use per user Dynamic VLAN Assignment.
(IETF RADIUS Attributes 64,65,81)

I want to connect to SSID K-Private and move to VLAN 3 for example.

On WDS AP I see:

WDS-AP# show wlccp wds mn detail

MAC: 0015.af95.3d52,  IP-ADDR:,  State: REGISTERED
BSS: 0019.a9b6.70a1, SSID: K-Private
Vlan Assigned by AAA: 3   ( <--- VLAN 3, All Ok)
Ntwrk-ID:   -
Key Mgmt: None,  Authentication: EAP

But on AP1 nothing changed:

AP1# show dot11 associations all-client

Address           : 0015.af95.3d52     Name             : NONE
IP Address        :       Interface        : Dot11Radio 0

State             : EAP-Assoc          Parent           : self
SSID              : K-Private
VLAN              : 1     ( <--- VLAN 1 )
Key Mgmt type     : WPAv2-CP           Encryption       : AES-CCMP

What I need to configure to make this feature worked?
Thanks for your help.

Lucien Avramov Thu, 02/25/2010 - 13:55
User Badges:
  • Red, 2250 points or more

Okay, I think you are not having an issue because of WDS but because MBSSID is not supported with Dynamic Vlan Assignment.

Please remove dot11 mbssid and mbssid guest-mode and it should resolve your issue.

Ps: this forum is mainly for WCS related questions.

barryfowles Fri, 02/26/2010 - 01:52
User Badges:


If I have WCS installed and licensed and I need to rename the server that WCS has been installed on. What is the process I need to undertake in order to achieve this?


Lucien Avramov Fri, 02/26/2010 - 08:55
User Badges:
  • Red, 2250 points or more

You can rename the server at your will, with the regular hostname change procedure on linux / windows.

However, the license of WCS is based off the hostname.

Your way to go here would be to call in TAC, request them to rehost your license to your new hostname.

I suggest you to get the modified license before you start changing the hostname.

Data will not be lost if you change hostnames, you will just need to change the license file from the WCS menu.


This Discussion