Symptom
- LWA using enhanced url-filter to allow multiple IPs for the same hostname
- URL filter is not applied to the client and redirection will fail whenever the resolved IP is not in acl-policy WA-sec-
--- URL Filter ---
urlfilter enhanced-list TestURL
url preference 1 action permit
---- Flex Profile ---------
WLC#show run | sec wireless profile flex default-flex-profile
wireless profile flex default-flex-profile
acl-policy WA-sec-52.20.92.170
urlfilter list TestURL <<<<<<<<<<<<<<
acl-policy WA-v4-int-52.20.92.170
description "default flex profile"
ip http client proxy 0.0.0.0 0
vlan-name TestVLAN
vlan-id 38
- When checking the entry on the AP, we don't see the URL filter pushed:
AP# show flexconnect url-acl
ACL-NAME ACTION URL-LIST
Conditions
- 9800/FlexConnect/Local switching
- Enhanced url-filter applied to the Flex profile
Workaround
There are multiple workarounds:
1. Either allow all IPs into the ACL manually.
2. Edit the enhanced filter by deleting or adding a new entry into the enhanced-list:
WLC(config)#urlfilter enhanced-list TestURL
url preference 1 action permit
url preference 5 action permit <<<< added new URL
Check the AP: AP# show flexconnect url-acl
ACL-NAME ACTION URL-LIST
WA-sec-52.20.92.170
allow url1
allow url2
Workaround 2 only works if the AP is stable. If the AP disconnects from the WLC then joins back, we need to reapply it.
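To confirm the workaround actually took effect after an AP rejoin, the following added check (not Cisco's code) compares the acl-policy/urlfilter bindings in the flex profile with the output of "show flexconnect url-acl" on the AP and reports any ACL whose URL list was not pushed. It assumes the AP output layout shown above (ACL name on its own line, followed by action/URL rows); the sample texts are constructed from the values on this page.

```python
# Constructed from the page's own output: before and after workaround 2.
AP_OUTPUT_BEFORE = """\
ACL-NAME ACTION URL-LIST
"""
AP_OUTPUT_AFTER = """\
ACL-NAME ACTION URL-LIST
WA-sec-52.20.92.170
allow url1
allow url2
"""
FLEX_PROFILE = """\
wireless profile flex default-flex-profile
 acl-policy WA-sec-52.20.92.170
  urlfilter list TestURL
 acl-policy WA-v4-int-52.20.92.170
 description "default flex profile"
"""

def acls_with_urlfilter(flex_profile_text):
    """Map each acl-policy that carries a 'urlfilter list' to its list name."""
    bound, current = {}, None
    for line in flex_profile_text.splitlines():
        s = line.strip()
        if s.startswith("acl-policy "):
            current = s.split()[1]
        elif s.startswith("urlfilter list ") and current:
            bound[current] = s.split()[2]
    return bound

def parse_url_acl(ap_output):
    """Parse 'show flexconnect url-acl' into {acl_name: [(action, url), ...]}."""
    acls, current = {}, None
    for line in ap_output.splitlines():
        parts = line.split()
        if not parts or parts[0] == "ACL-NAME":   # skip blanks and header
            continue
        if len(parts) == 1:                        # ACL name line
            current = parts[0]
            acls[current] = []
        elif current and len(parts) >= 2:          # action / URL row
            acls[current].append((parts[0], parts[1]))
    return acls

def missing_url_filters(flex_profile_text, ap_output):
    """ACLs that should have URL entries per the profile but have none on the AP."""
    expected = acls_with_urlfilter(flex_profile_text)
    pushed = parse_url_acl(ap_output)
    return sorted(acl for acl in expected if not pushed.get(acl))
```

Run it against fresh "show flexconnect url-acl" output after every AP join; a non-empty result means the enhanced list has to be re-edited as in workaround 2.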
Further Problem Description
Enhanced URL filtering is used only for flex mode local switching. Refer to https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/config-guide/b_wl_17_9_cg/m_dns_based_acls.html#concept_FC84F350446D4D76A965400D13DA122A