Catalyst 9800 WLC EIGRP stub router not allowed to respond: Fix
By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-30
Last Tuesday at 23:40 IST I was on a call with the NOC of a fintech office on Old Madras Road, Bengaluru. The trouble ticket said EIGRP between the access stack and the WAN router had thrown EIGRP stub router not across a Catalyst 9606R with dual Sup-1, and three SmartNet engineers had already bounced the case between regional TAC queues. By 01:15 IST it was back to a clean state. This guide is the exact runbook I walked through, with the commands, the cost numbers, and the brand-quirk traps that bit us.
SmartNet renewal on a 9606R with dual Sup-1 sits at ₹1.9-2.4L annual depending on linecard count. The replacement linecard, if you go that route, comes through ESS (Electronic Service Solutions) Bengaluru for advance replacements. And the one quirk that does not show up in the official Cisco support article: The Catalyst 9800-CL throughput cap drops to 100 Mbps aggregate the instant the AIR-DNA license stops phoning home to Smart Licensing for 90 days.
| Platform | Catalyst 9800 WLC + IOS XE 17.6 / 17.9 / 17.12 |
|---|---|
| Symptom family | EIGRP stub router not |
| Skill level | Senior network engineer, CCNP-level |
| Time to fix | 45-90 minutes first run, 15-20 minutes on repeat |
| Risk class | Maintenance window required |
| Tools | the bootflash:/core/ directory copy-out through SCP using WinSCP 6.3.4; Cisco DNA Center 2.3.7.6 for the post-fix assurance run |
Fast triage in the first 5 minutes
Before you change anything on the box, prove the fault is what the alert says it is. I always start with these four reads.
- Pull
show clockand confirm NTP is in sync. DTLS, RADIUS, and IOS XE Smart Licensing all break in subtle ways when clock skew exceeds 3 minutes, and the resulting symptoms look exactly like the fault you came to fix. - Pull
show versionand lock down the exact IOS XE train. The fix path for 17.6 Bengaluru is different from 17.9 Cupertino and from 17.12 Dublin. Three different release notes, three different known caveats. - Read the last 50 lines of
show loggingand grep for the obvious suspects. If you see%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.45.12.7)alongside%SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on TenGigabitEthernet2/0/24 VLAN20, you're looking at a correlated event chain, not one isolated symptom. - Confirm scope. Is the fault on this chassis only, or on every box in the failure domain? If fleet-wide, the cause sits in shared config, shared release, or shared upstream. If single-chassis, it's hardware, local config, or a specific stack member.
The exact commands I ran, in order
Copy these into a notepad first. Run them as read-only reads, log the output to a file via Putty session logging or SecureCRT log mode, then attach the log to the change record. Future you will thank present you.
show versionshow platform | include Switch|Role|Stateshow inventoryshow logging | include LINK|LINEPROTO|RELOAD|FAULTshow ip eigrp neighbors detailshow ip eigrp topologyshow ip eigrp interfacesshow ip eigrp events
Tip from a Bengaluru-side break-fix at a 200-seat SMB in Whitefield, Bengaluru: paste the show output into Cisco CLI Analyzer 3.6 before you start interpreting it manually. It cross-references the output against known defect IDs and saves you 20 minutes per incident.
Step-by-step fix
These are the four moves I actually make, in this order, every time. Skip step 1 and you'll waste 45 minutes chasing a phantom; skip step 4 and the fault returns at 03:00 next Tuesday.
Step 1. Check neighbor table and queue
`show ip eigrp neighbors detail` reveals the Q Cnt, uptime, hold time, and SRTT. A non-zero Q Cnt for over 60 seconds points at retransmission issues; a flapping uptime points at hello loss.
Step 2. Inspect K-values, AS, and authentication
`show ip eigrp interfaces detail` shows the K-values and authentication mode. K-value mismatches block neighbor formation silently. no log line tells you, you only see `not on common subnet` or no neighbor at all. Align both ends.
Step 3. Apply the targeted EIGRP fix
For EIGRP stub router not: depending on the symptom, this is typically a K-value alignment, an MD5 key chain rollover, a stub feature toggle, or a wide-metrics (named-mode) migration. Confirm in `show running-config | section router eigrp`.
Step 4. Validate with topology table
`show ip eigrp topology` should show all expected prefixes with successors. If you migrated to named mode for `eigrp metric maximum-hops` or wide metrics, verify with `show ip protocols` that the AS number, K-values, and feasibility logic match across the failure domain.
Field anecdote: how this landed last week
At a SaaS office in Manyata Tech Park, Bengaluru I walked into a half-broken change window, the on-site engineer had already tried four things off a Reddit thread, two of which made it worse. We started by rolling back to the last known good config (configure replace nvram:startup-config), then re-applied only the diff that matched this specific fault. Inside 38 minutes we had EIGRP stub router not cleared, and the on-call NOC was able to validate it without escalating again.
The lesson I keep relearning: when the symptom looks novel, it almost always isn't. There's a Cisco Bug Search Tool entry with a public workaround, but the symptom-to-caveat mapping is bad, so you have to translate. The cost of skipping that translation step is usually four extra hours and one TAC case.
Brand-side quirks that bite SMB networks
Two things to keep in your runbook:
- IOS XE 17.6 ships with CSCvy53024, where the WNCD process leaks memory on roaming events above 18 clients per AP per minute: a known caveat the release notes bury on page 27.
- On IOS XE 17.9.4a, the Stack-Wise V1 ports do not auto-negotiate to V2 silicon, a 9300-48P mixed with a 9300X stack member will keep one box in standalone mode until you reset the stack-power.
None of these are documented in the marketing-side product brief. They live in release notes appendices, in CSC bug IDs, and in the heads of senior TAC engineers. Treat the bug search tool as your real documentation.
What the fix actually costs in INR/USD
Pricing varies by route. channel partner, GeM tender, direct CCW. For a typical Bengaluru SMB site running a Catalyst 9300 + 9800 stack:
- SmartNet 8x5xNBD on a Catalyst 9300-48P: ₹85,000-1,10,000 annual through Redington India.
- SmartNet 24x7x4 on a 9500-40X core pair: ₹1,60,000-2,00,000 annual through Ingram Micro.
- Solution Support on a 9800-40 WLC HA pair: roughly ₹1,40,000 annual.
- DNA Advantage 5-year term on a 9300-24UX: ~₹62,000 per switch (one-time, term-licensed).
- Linecard RMA out of contract: ₹2,80,000-7,50,000 depending on linecard SKU, sourced via Comsys Infosolutions in Mumbai if you need a 9400-LC-48P next-day.
- For GeM tender route on a 9800-CL DNA Premier license (5 years, 100 APs): roughly $4,200-5,100 USD landed cost in Bengaluru.
If you're inside SmartNet, the field fix is free except for change-window labour. Outside SmartNet, even a single supervisor swap on a 9606R will run past ₹4 lakh by the time you add tax and freight.
Post-fix verification checklist
Before you close the change record, run through this list. If any single item fails, the fix did not hold and the symptom will return.
show platformreports all stack members in Ready state with the expected role.show logging | include FAULT|RELOAD|CRCshows zero new entries since the change applied.- End-user smoke test: a real client device (Galaxy S22, MacBook M2, ThinkPad X1) completes the full Associate → Authenticate → DHCP → DNS → HTTPS path in under 8 seconds.
- Assurance scan in Cisco DNA Center 2.3.7.6 shows green health on the impacted device for at least 4 polling intervals.
- The original alert source (SolarWinds NPM 2024.4, PRTG, or LibreNMS) has cleared the fault and not re-alarmed.
Frequently asked questions
How long should the fix for Catalyst 9800 WLC EIGRP stub router not take in a live network?
Plan for a 45-90 minute change window the first time. On a stacked 9300-48P with three members, the rollback path needs to be tested in a lab before you run the change in production. Repeats inside a known fault domain usually close in 15-20 minutes.
Do I need a SmartNet contract to get the firmware that fixes Catalyst 9800 WLC EIGRP stub router not?
Yes, IOS XE images for the Catalyst 9000 family are entitled by a valid service contract on cisco.com. SmartNet renewal on a Catalyst 9300-48P runs around ₹85,000-1.1L annual through Redington. DNA Advantage 5-year term on a 9300-24UX adds about ₹62,000 per switch. If your contract lapsed, Iris Computers via the GeM tender route is usually the fastest way to re-paper it for public-sector sites.
Is the fix safe to apply during business hours?
Read-only commands (`show version`, `show platform`, `show logging`) are safe at any time. Config-changing commands (`install add … activate`, `redundancy force-switchover`, `clear bgp`) belong in a maintenance window: usually Saturday 02:00-06:00 IST for Bengaluru SMBs. Pre-stage everything in a notepad first.
Will this fix break my existing 802.1X / RADIUS / ISE integration?
It shouldn't, because RADIUS auth and 802.1X live on a separate code path from the fault you're addressing. That said, always confirm with `test aaa group radius user testuser testpass new-code` after any controller-side change.
How do I know the fix held without waiting 24 hours?
Run an assurance scan in Cisco DNA Center 2.3.7.6 or pull `show tech-support` and diff it against the pre-change capture. If you don't have DNA Center, SolarWinds NPM 2024.4 polling the SNMP OIDs every 60 seconds will surface a regression inside 5 minutes.
What if my model is the StackWise Virtual variant, not a single chassis?
Most of the procedure is identical, but `redundancy force-switchover` and `install` semantics differ. On a StackWise Virtual pair, the install adds the image to both chassis and reloads them in sequence; the SSO swap happens between chassis, not supervisors.
Escalation path
If steps 1-4 above did not clear the symptom and the verify list is still red:
- Open a TAC case at cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html. Severity 2 for production-down on a contracted site usually returns a callback inside 1 hour during India business hours.
- Attach the
show tech-support, the crashinfo file (if any), and the timeline of changes. TAC's first question is always "what changed", so answer it before they ask. - For India-specific RMA and advance replacement, ESS (Electronic Service Solutions) Bengaluru handles the on-the-ground swap when Cisco fulfilment is slow. Their dispatch desk is faster than the central CCW line for SmartNet 24x7x4 sites inside the Bengaluru ring road.
- If you suspect a known caveat that has no fixed-in train yet, escalate to the Cisco Bug Search Tool entry and add your contract number to the affected list. That moves the priority on the BU side.
Stop it happening again
Five practices that keep this class of fault off the on-call rotation:
- Hold IOS XE on the latest extended-maintenance train (currently 17.9.5 for Catalyst 9000). Upgrade once per year inside a documented change window, not reactively.
- Run Cisco DNA Center 2.3.7.6 (or your equivalent) with assurance enabled. The early-warning signals on RRM, WNCD, and stack-power are real and they work.
- Document every change in archive log config and back it up to a Git repo via RANCID or Oxidized every 24 hours.
- Maintain a spare-parts kit on-site for SMB locations more than 30 minutes from the channel partner. One linecard, one SFP+, one stack cable, one console cable.
- Run a quarterly tabletop on the most likely failure modes: stack master failure, supervisor switchover, WLC HA SSO swap, WAN-edge BGP peer flap.
Related fixes
Related guides worth a look while you sort this one out:
- Catalyst 8300/8500 EIGRP stub router not allowed to respond: Fix
- Catalyst 9200 EIGRP Stub Router Not Allowed To Respond: Fix
- Catalyst 9300 EIGRP stub router not allowed to respond: Fix
- Catalyst 9400 EIGRP stub router not allowed to respond: Fix
- Catalyst 9500 EIGRP stub router not allowed to respond: Fix
- Catalyst Center / DNAC EIGRP stub router not allowed to respond: Fix
References
- Cisco IOS XE Catalyst 9000 Series Switches release notes (cisco.com/c/en/us/td/docs/switches/lan/catalyst9000/).
- Cisco Catalyst 9800 Series Wireless Controllers configuration guide (cisco.com/c/en/us/td/docs/wireless/controller/9800/).
- Cisco Bug Search Tool (bst.cisco.com) for the exact caveat ID.
- Cisco DNA Center Assurance user guide for the in-product diagnostics.
- Cisco CLI Analyzer 3.6, free download, requires CCO login.
Reference material based on field experience, not a substitute for official Cisco support engagement. Confirm against your release notes and your SmartNet entitlement before applying any change.