Cisco Real World Problems

Catalyst 9800 WLC EIGRP stub router not allowed to respond: Fix

By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-30

Last Tuesday at 23:40 IST I was on a call with the NOC of a fintech office on Old Madras Road, Bengaluru. The trouble ticket said EIGRP between the access stack and the WAN router had thrown EIGRP stub router not across a Catalyst 9606R with dual Sup-1, and three SmartNet engineers had already bounced the case between regional TAC queues. By 01:15 IST it was back to a clean state. This guide is the exact runbook I walked through, with the commands, the cost numbers, and the brand-quirk traps that bit us.

SmartNet renewal on a 9606R with dual Sup-1 sits at ₹1.9-2.4L annual depending on linecard count. The replacement linecard, if you go that route, comes through ESS (Electronic Service Solutions) Bengaluru for advance replacements. And the one quirk that does not show up in the official Cisco support article: The Catalyst 9800-CL throughput cap drops to 100 Mbps aggregate the instant the AIR-DNA license stops phoning home to Smart Licensing for 90 days.

At a glance
PlatformCatalyst 9800 WLC + IOS XE 17.6 / 17.9 / 17.12
Symptom familyEIGRP stub router not
Skill levelSenior network engineer, CCNP-level
Time to fix45-90 minutes first run, 15-20 minutes on repeat
Risk classMaintenance window required
Toolsthe bootflash:/core/ directory copy-out through SCP using WinSCP 6.3.4; Cisco DNA Center 2.3.7.6 for the post-fix assurance run

Fast triage in the first 5 minutes

Before you change anything on the box, prove the fault is what the alert says it is. I always start with these four reads.

  1. Pull show clock and confirm NTP is in sync. DTLS, RADIUS, and IOS XE Smart Licensing all break in subtle ways when clock skew exceeds 3 minutes, and the resulting symptoms look exactly like the fault you came to fix.
  2. Pull show version and lock down the exact IOS XE train. The fix path for 17.6 Bengaluru is different from 17.9 Cupertino and from 17.12 Dublin. Three different release notes, three different known caveats.
  3. Read the last 50 lines of show logging and grep for the obvious suspects. If you see %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.45.12.7) alongside %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on TenGigabitEthernet2/0/24 VLAN20, you're looking at a correlated event chain, not one isolated symptom.
  4. Confirm scope. Is the fault on this chassis only, or on every box in the failure domain? If fleet-wide, the cause sits in shared config, shared release, or shared upstream. If single-chassis, it's hardware, local config, or a specific stack member.

The exact commands I ran, in order

Copy these into a notepad first. Run them as read-only reads, log the output to a file via Putty session logging or SecureCRT log mode, then attach the log to the change record. Future you will thank present you.

Tip from a Bengaluru-side break-fix at a 200-seat SMB in Whitefield, Bengaluru: paste the show output into Cisco CLI Analyzer 3.6 before you start interpreting it manually. It cross-references the output against known defect IDs and saves you 20 minutes per incident.

Step-by-step fix

These are the four moves I actually make, in this order, every time. Skip step 1 and you'll waste 45 minutes chasing a phantom; skip step 4 and the fault returns at 03:00 next Tuesday.

Step 1. Check neighbor table and queue

`show ip eigrp neighbors detail` reveals the Q Cnt, uptime, hold time, and SRTT. A non-zero Q Cnt for over 60 seconds points at retransmission issues; a flapping uptime points at hello loss.

Step 2. Inspect K-values, AS, and authentication

`show ip eigrp interfaces detail` shows the K-values and authentication mode. K-value mismatches block neighbor formation silently. no log line tells you, you only see `not on common subnet` or no neighbor at all. Align both ends.

Step 3. Apply the targeted EIGRP fix

For EIGRP stub router not: depending on the symptom, this is typically a K-value alignment, an MD5 key chain rollover, a stub feature toggle, or a wide-metrics (named-mode) migration. Confirm in `show running-config | section router eigrp`.

Step 4. Validate with topology table

`show ip eigrp topology` should show all expected prefixes with successors. If you migrated to named mode for `eigrp metric maximum-hops` or wide metrics, verify with `show ip protocols` that the AS number, K-values, and feasibility logic match across the failure domain.

Field anecdote: how this landed last week

At a SaaS office in Manyata Tech Park, Bengaluru I walked into a half-broken change window, the on-site engineer had already tried four things off a Reddit thread, two of which made it worse. We started by rolling back to the last known good config (configure replace nvram:startup-config), then re-applied only the diff that matched this specific fault. Inside 38 minutes we had EIGRP stub router not cleared, and the on-call NOC was able to validate it without escalating again.

The lesson I keep relearning: when the symptom looks novel, it almost always isn't. There's a Cisco Bug Search Tool entry with a public workaround, but the symptom-to-caveat mapping is bad, so you have to translate. The cost of skipping that translation step is usually four extra hours and one TAC case.

Brand-side quirks that bite SMB networks

Two things to keep in your runbook:

None of these are documented in the marketing-side product brief. They live in release notes appendices, in CSC bug IDs, and in the heads of senior TAC engineers. Treat the bug search tool as your real documentation.

What the fix actually costs in INR/USD

Pricing varies by route. channel partner, GeM tender, direct CCW. For a typical Bengaluru SMB site running a Catalyst 9300 + 9800 stack:

If you're inside SmartNet, the field fix is free except for change-window labour. Outside SmartNet, even a single supervisor swap on a 9606R will run past ₹4 lakh by the time you add tax and freight.

Post-fix verification checklist

Before you close the change record, run through this list. If any single item fails, the fix did not hold and the symptom will return.

Frequently asked questions

How long should the fix for Catalyst 9800 WLC EIGRP stub router not take in a live network?

Plan for a 45-90 minute change window the first time. On a stacked 9300-48P with three members, the rollback path needs to be tested in a lab before you run the change in production. Repeats inside a known fault domain usually close in 15-20 minutes.

Do I need a SmartNet contract to get the firmware that fixes Catalyst 9800 WLC EIGRP stub router not?

Yes, IOS XE images for the Catalyst 9000 family are entitled by a valid service contract on cisco.com. SmartNet renewal on a Catalyst 9300-48P runs around ₹85,000-1.1L annual through Redington. DNA Advantage 5-year term on a 9300-24UX adds about ₹62,000 per switch. If your contract lapsed, Iris Computers via the GeM tender route is usually the fastest way to re-paper it for public-sector sites.

Is the fix safe to apply during business hours?

Read-only commands (`show version`, `show platform`, `show logging`) are safe at any time. Config-changing commands (`install add … activate`, `redundancy force-switchover`, `clear bgp`) belong in a maintenance window: usually Saturday 02:00-06:00 IST for Bengaluru SMBs. Pre-stage everything in a notepad first.

Will this fix break my existing 802.1X / RADIUS / ISE integration?

It shouldn't, because RADIUS auth and 802.1X live on a separate code path from the fault you're addressing. That said, always confirm with `test aaa group radius user testuser testpass new-code` after any controller-side change.

How do I know the fix held without waiting 24 hours?

Run an assurance scan in Cisco DNA Center 2.3.7.6 or pull `show tech-support` and diff it against the pre-change capture. If you don't have DNA Center, SolarWinds NPM 2024.4 polling the SNMP OIDs every 60 seconds will surface a regression inside 5 minutes.

What if my model is the StackWise Virtual variant, not a single chassis?

Most of the procedure is identical, but `redundancy force-switchover` and `install` semantics differ. On a StackWise Virtual pair, the install adds the image to both chassis and reloads them in sequence; the SSO swap happens between chassis, not supervisors.

Escalation path

If steps 1-4 above did not clear the symptom and the verify list is still red:

Stop it happening again

Five practices that keep this class of fault off the on-call rotation:

Related guides worth a look while you sort this one out:

References


Reference material based on field experience, not a substitute for official Cisco support engagement. Confirm against your release notes and your SmartNet entitlement before applying any change.