Wireless Clients Dropping During Roaming Between APs
Presenting Symptom
Wireless clients experience intermittent connectivity drops when roaming between access points in the same SSID.
Network Context
The network is a small enterprise campus with Cisco 9800 WLC and 2800 series APs running IOS XE 17.3. The WLC is configured with a single SSID for employee access, using WPA2-PSK. Clients are a mix of laptops and smartphones. The issue occurs specifically when clients move from AP1 to AP2 in the same building.
Diagnostic Steps
Check client roaming history on WLC
show client roaming history <client-mac>Client MAC: aaaa.bbbb.cccc Last roam: from AP1 (slot 0) to AP2 (slot 0) at 10:23:45 Roam type: Layer 2 Roam reason: RSSI threshold Roam failure: None
Look for roam failures or excessive roam times. If roam failure is 'None', the roam itself succeeded but the client may have lost connectivity after. Also check roam time; if > 100ms, it may indicate a problem.
Verify AP neighbor list and RSSI thresholds
show ap config general <AP-name> | include rssi|neighborRSSI threshold for client disconnect: -85 dBm Neighbor list: AP2 (RSSI -70 dBm), AP3 (RSSI -75 dBm)
If the RSSI threshold is too high (e.g., -80 dBm), clients may be dropped before they can roam. Also check if the AP has a proper neighbor list; missing neighbors can cause slow roaming.
Check client association and authentication timers
show wlan <wlan-id> | include session-timeout|auth-timeoutSession timeout: 1800 seconds Auth timeout: 10 seconds
If auth timeout is too short (e.g., 5 seconds), clients may fail to complete 802.1X or PSK authentication during roam. Normal auth timeout is 10-20 seconds.
Enable debug for client roaming events
debug client <client-mac> events*Jan 1 10:23:45.123: %CLIENT_EVENTS: Client aaaa.bbbb.cccc: Roam request from AP1 to AP2 *Jan 1 10:23:45.456: %CLIENT_EVENTS: Client aaaa.bbbb.cccc: Roam complete to AP2 *Jan 1 10:23:46.000: %CLIENT_EVENTS: Client aaaa.bbbb.cccc: Disassociation from AP2 - Reason: 4 (Disassociated due to inactivity)
If you see a disassociation immediately after roam, it indicates the client is being dropped. Reason 4 (inactivity) may be due to a short idle timeout or the client not sending data quickly enough.
Root Cause
The WLAN has a short idle timeout (30 seconds) configured, causing clients to be disassociated if they do not send traffic within 30 seconds after roaming. During the roam process, there is a brief period where the client is re-authenticating and may not send data, triggering the idle timeout.
Resolution
Verification
After applying the fix, verify the idle timeout setting: show wlan <wlan-id> | include idle-timeout Expected output: Idle timeout: 300 seconds Then simulate a roam and check client history: show client roaming history <client-mac> Expected: No roam failures and no disassociations after roam.
Prevention
1. Set idle timeout to at least 300 seconds for voice or data networks to accommodate roaming delays. 2. Use Fast Roaming (802.11r) to reduce authentication time during roaming. 3. Ensure APs are configured with proper neighbor lists and RSSI thresholds to trigger early roaming.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario may appear as a troubleshooting question where you must identify why clients drop after roaming. The exam tests understanding of WLAN parameters like idle timeout, session timeout, and authentication timers. A candidate must know that idle timeout disassociates clients after a period of inactivity, and that roaming can cause brief inactivity.
Exam Tips
Remember that idle timeout is different from session timeout; idle timeout disconnects idle clients, session timeout forces reauthentication after a fixed time.
The default idle timeout on Cisco WLC is 300 seconds; if you see a lower value, it may be the cause of roaming drops.
Know the command 'show wlan <id>' to verify WLAN parameters; the exam may ask you to identify misconfigured timers.
Test Your CCNA Knowledge
Practice with scenario-based questions to prepare for the CCNA 200-301 exam.
Practice CCNA Questions