We have a few in DoD but they are using WPA2-TLS. We make sure to enable OKC and Validate PMKID, but I'm not sure that would apply in your case.
This was working fine before and then you upgraded and had issues or is this a new deployment?
From a very old email, on our initial deployment for the pilot, we had a lot of SFS issues
####
How many lost VPINGs will trigger a SFS?
Per our docs containing badge ping behavior:
Searching for Server (SFS) is displayed on the badge¹s screen when the
badge is associated with a wireless AP but is not able to communicate
with the Vocera server. It is accompanied by the LED on the top of the
badge flashing red. Every 30 seconds the Vocera client sends a
keep-alive packet (an application layer ping) to the Vocera server. If
the Vocera client does not receive an acknowledgement (Ack) from the
Vocera server it will send a retry after 500ms. The Vocera client will
retry ten times at 500ms intervals for a total of 11 attempts. If it
does not receive a confirmation from the Vocera server it displays
Searching for Server and the LED will blinking red.
Common issues for SFS:
€ Transmit Power Asymmetry
€ High Channel/AP utilization
€ Interference
€ Malfunctioning AP
€ ARP Resolution
€ Vocera Server is not Active
#####
In our case, none of the above was the issue, the contorller and APs were working fine, but the badges needed some additional settings enabled (like Multicast for one). One thing to look at is the show datapath session table for one of the badges having issues to see if the required ports/protocols are fully open...Once we got everything configured, it all worked fine.