Currently in the process of deploying some Cisco 7921 handsets. Most things appear to be working well with them, except we're having some issues with roaming: when the phones are switching between Access Points, we experience voice gaps of up to 5 seconds. The phone appears to stay connected, we simply lose 2-way voice. I've seen similar posts on here previously and have followed the feedback supplied in those, but unfortunately issues are still ongoing.
Our current setup is 4 x WLCs managing 170 Access Points - we've been advised we have 100% coverage by the company who carried out our wireless surveys. The VoIP vlan on the WLCs is configured to use A only.
Hardware versions are detailed below, I've also attached a screenshot of our VoIP vlan configuration. I've tested phones using both PEAP and EAP-Fast, using a locally created account on our Cisco ACS. PEAP appears to function the better of the 2; we experience longer voice gaps with EAP-Fast. Some of the advanced EAP settings have been modified on the WLCs, to match those documented in the 7921 deployment guide; again our current settings are detailed below.
WCS - 220.127.116.11
WLC - 18.104.22.168
7921 Firmware - 1.3.2
show advanced eap
EAP-Identity-Request Timeout (seconds)........... 30
EAP-Identity-Request Max Retries................. 2
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 0
EAPOL-Key Timeout (seconds)...................... 1
EAPOL-Key Max Retries............................ 2
Is anyone able to advise on the configuration we have in use, and whether this would have a detrimental effect on roaming? Also, are there any particular debugs that could be performed that may assist in resolving the issue?
Thanks in advance
A couple thoughts regarding your voice issue here. What is the average transmit power of the radios on the 802.11a side? Are the phones configured to only search for the 802.11a band? What channels are selected for 802.11a under Wireless> 802.11a RRM> DCA, also what does the channel spread look like in your environment? Also what data rates are configured? I know there was an issue in one code version where you had to have 12mbps as either supported or mandatory otherwise the phones behaved oddly.
Check those things and see if anything seems odd.
First of all in 1.3.2 the 7921s/7925s do not support CCKM with WPA2/AES. It only supports CCKM with WPA/TKIP. Support for WPA2/AES-CCKM is in 1.3.4 which should be out soon.
So, at the moment every roam will be going back to the RADIUS server for re-auth which is not ideal.
Second, this should not be zero:
EAP-Request Max Retries.......................... 0
I'd say this causes a complete restart of the EAP transaction if we miss a request. Once again, not ideal.
Regarding debugs, a 'debug client
Thanks for the feedback. That would certainly explain why we're seeing the additional latency during the roam.
With regards firmware 1.3.4, any idea when this may be available to download?
Also, you mention the EAP-Request Max Retries setting should not be Zero. Any pointers on a good value to set this to? I've left at Zero as this is what it advises in the deployment guide, and I believe is the standard setting on the WLCs.
Why would CCKM even come into play when WPA2/AES by 802.11i standard had its own keying... ? Any ideas?
The 7921s/7925s don't support PKC/OKC. They use the other caching method (only cache previously associated APs; I don't know the maximum that can be stored). Bottom line is for fast roaming you will want CCKM for 7921/7925. I believe 802.11i doesn't specify how PMKID caching should be done, hence the emergence of two different methods. This will all be sorted out with 802.11r though.
Daniel, the default is 2 retries and I can't give a firm date for 1.3.4 (in case of slips etc) but is very soon.
Thanks for the fast reply. Where did you see this at? It's not in any of the manuals as my old memory can tell. CCKM does advanced cache, or at least I thought so .. You have me rethinking what I thought I knew was right...
A few items I wanted to add...
1) You can turn the phone into site survey mode ... TOOL BOX -->6--->6. If you see any areas (HIGHER) than -67 signal that area is out of voice coverage.
2) You can also use the neighbor function on the phone. You always want to make sure you have 2 cells @ -67 or better at the edge
3) You can turn on advanced logging on the phone itself (really cool btw). You can see what the phone is seeing as to access points it is scanning and signals it hears. You can see the 802.11 exchange as well and the entire roam from the phone side...
4) Are you using TKIP? If so, Cisco best practices is to turn off countermeasures ... see here: http://www.my80211.com/voip-labs/2009/12/29/configure-tkip-countermeasure-holdoff-timer-on-wlc.html My site btw
5) You can also do a client debug from the CLI. This will show you what the phone is doing on the controller side. Drop down into the cli of the controller and enter client debug and then the mac of the phone. Very powerful when used with the phone debugs
6) Your roam time SHOULD NEVER EXCEED 150ms. If you do a debug on the handset and you see roams greater than 150ms then you need to look at coverage first and then start to track inward (follow the packet as I like to call it).
We are on 4.2.207 with 22.214.171.124 code and have no issues.
We are running 1131,1242 - WPA/TKIP. However we did have a rash of voip issues recently but discovered we had bad 7921 phones. Users drop them 2 - 3 times and they start to crap the bed. In fact, when 1 user has a bad phone and they call other users... these other users think they have bad phones too! Not a fun time from our side of the fence.
If you haven't seen the VoIP Design guide this may help as well...
I'm running 126.96.36.199 WLC firmware and 1.3.3 phone firmware. No issues here. I've used the same phone firmware on all the previous 6.X codes. No issues too.
Speaking of the newer code we have a site with 188.8.131.52 and 184.108.40.206 and it's kool as well...
Thanks for everyone's feedback, much appreciated.
Starting from the top down, environment details are as follows:
Kayle - Wireless - 802.11a/n - RRM - DCA - Not sure if this is a potential issue or not, but of the 4 WLCs that manage our Access Points, 3 have Extended UNII-2 channels enabled. I'll look to get this enabled on the 4th controller ASAP. Could this potentially have an impact? I'd suspect that the Access Points on the controller without UNII-2 enabled would use the lower numbered channels, whilst the others would use the extended range. I'm certainly no expert though! I've added another attachment detailing our data rates configured.
I haven't looked into performing a significant amount of debugging just yet, we have 4 WLCs that our Access Points are managed between, the debug output was appearing across all the devices as the phone roamed, which made piecing the data together a little tricky.
Matt - Thanks for the feedback - I'll look to modify the EAP-Request Max Retries statement, I'll keep my eyes peeled for the release of the 1.3.4 firmware.
George - Thanks for debug/logging information. I'll look to get logging enabled on one of the phones tomorrow. With regards AES/TKIP - We currently utilise WPA2/AES, I'm under the impression AES is the faster Encryption algorithm, and considered more secure than TKIP. What are the security implications, if any, of rolling back to WPA2/TKIP? In theory, this would only be a short term move until the 1.3.4 code is released as per Matt's comments above.
Our security team advised we're not to use WPA under any circumstance, and must stick to WPA2.
Thanks again - Dan
Dan, how did you make out ?
Just wanted to give some feedback on the 1.3(4) firmware. We pushed this to all our 7921 phones yesterday, and I'm pleased to advise our roaming issues now appear resolved. We've tested considerably over the last 2 days, and have near perfect voice coverage across our campus.
Thanks again for everyone's input.
We have upgraded to 1.3.4 to fix the roaming issues as well. The phones seem to roam much better now, but battery life is terrible. Anyone else notice this?
Yes. We have the same problem with the batteries since upgrading to 1.3.4
I've already mentioned that here:
Do you use 7921G or 7925G phones????