1041N APs not joining 2100 WLC

Hopefully this will be an easy solution for some of you.
I have two LAP1041N APs I am trying to set up on a new 2100 WLC (7.0.116.0). The APs will blink green fast; then go to a green, red, blue cycle for a min or so; then back to blinking green fast. Not sure what else to try here.
Thanks for the help.

Please use an L2/L3 switch.
For an L2 switch, the AP and WLC must be on the same VLAN of the L2 switch.
For AP:
config t
int gig 0/1
switchport access vlan 1 (for example)
switchport mode access
no shut
For WLC :
config t
int gig 0/2
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 1
no shut
For an L3 switch you can assign VLAN interfaces:
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080665cdf.shtml#wlc
Also here is the link to the discovery process:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a00806c9e51.shtml
Thanks,
Tuhin

Similar Messages

  • Cisco APs not joining WLC

    Hi guys,
    I am in the process of configuring a WLC and got stuck because the APs are not joining the WLC.
    I have configured a DHCP server on the Gateway router and the WLC management interface is pointing to the Gateway as DHCP Server.
    I have multiple Dynamic interfaces configured on the WLC and Interface group has been configured and mapped to Management Interface.
    For each WLAN, a separate DHCP pool has been created on the router.
    LAG has been configured and working fine. Connectivity works fine in the network and I can ping all devices and vlans from WLC.
    Now, the APs are not joining the WLC. The error I am getting
    " 44:03:a7:f1:b4:40 Received a Discovery Request from 44:03:A7:F1:B4:40 via IP broadcast address but the source IP address (10.xx.xx.xx) is not in any of the configured subnets. Dropping it "
    Someone help me troubleshoot this issue with DHCP IP assignment.
    Thanks,
    CJ

    If you are using the broadcast method for the AP to discover the WLC, then you need to ensure the following is correctly configured.
    1. Under the switch SVI defined for AP-management (10.38.11.x) you have to configure "ip helper-address "
    2. In switch global config "ip forward-protocol udp 5246"
    Refer to this for more detail:
    http://mrncciew.com/2013/05/04/wlc-discovery-via-broadcast/
    There are other methods available as well (static, DNS, DHCP option 43) for the WLC discovery purpose. To verify there are no configuration issues at the WLC end, you can simply configure the WLC details on the AP statically and check whether the AP gets registered to the WLC. To do this you can enter the following CLI commands in privileged mode on the AP console.
    debug capwap console cli
    capwap ap ip address 10.38.11.x 255.255.255.x
    capwap ap ip default-gateway 10.38.11.y
    capwap ap controller ip address
    In this way your AP should get registered to the WLC (if there is no config issue at the WLC end). Refer to this for more detail:
    http://mrncciew.com/2013/03/17/ap-registration/
    If you have so many APs, then as Steve pointed out, configuring DHCP option 43 would be a good option.
    Regards
    Rasika
    **** Pls rate all useful responses ****
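The reply above names DHCP option 43 as one way to hand the controller address to the APs. As an added example (not code from the thread or from Cisco), this sketch builds and validates the value in the TLV layout Cisco lightweight Aironet APs expect: type `0xf1`, a length of four bytes per controller, then the controller management IPs. The controller addresses are constructed documentation addresses and the function names are assumptions of this example.

```python
import ipaddress

CISCO_AP_SUBOPTION = 0xF1  # sub-option type read by Cisco lightweight APs


def encode_option43(controllers):
    """Return the option 43 payload (bytes) for a list of WLC management IPs."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller address is required")
    payload = b"".join(a.packed for a in addrs)
    if len(payload) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return bytes([CISCO_AP_SUBOPTION, len(payload)]) + payload


def ios_hex(data):
    """Format bytes the way an IOS DHCP pool writes them: f104.c000.020a"""
    digits = data.hex()
    return ".".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def decode_option43(hex_string):
    """Validate an existing option 43 hex string and return the controller IPs.

    Raises ValueError when the type byte is wrong or the length byte does not
    match the data, which are the usual reasons an AP ignores the option.
    """
    cleaned = hex_string.replace(".", "").replace(":", "").replace(" ", "")
    raw = bytes.fromhex(cleaned)
    if len(raw) < 2 or raw[0] != CISCO_AP_SUBOPTION:
        raise ValueError("missing 0xf1 type byte")
    length = raw[1]
    if length == 0 or length % 4 or length != len(raw) - 2:
        raise ValueError("length byte does not match 4 bytes per controller")
    return [str(ipaddress.IPv4Address(raw[i:i + 4]))
            for i in range(2, len(raw), 4)]


if __name__ == "__main__":
    # Constructed controller addresses (documentation range), not from the thread.
    value = encode_option43(["192.0.2.10", "192.0.2.11"])
    print("option 43 hex", ios_hex(value))
    print(decode_option43(ios_hex(value)))
```
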

  • AP not joining to WLC

    Hi,
    After a wireless network interruption, one of the MAP 1522s is not joining the WLC.
    What should I do to solve this problem?
    Thanks.
    (Cisco Controller) >show ap join stats detailed 00:08:30:bb:53:20
    Discovery phase statistics
    - Discovery requests received.............................. 7
    - Successful discovery responses sent...................... 5
    - Unsuccessful discovery request processing................ 0
    - Reason for last unsuccessful discovery attempt........... Not applicable
    - Time at last successful discovery attempt................ Feb 23 11:25:16.137
    - Time at last unsuccessful discovery attempt.............. Not applicable
    Join phase statistics
    - Join requests received................................... 2
    - Successful join responses sent........................... 2
    - Unsuccessful join request processing..................... 2
    - Reason for last unsuccessful join attempt................ RADIUS authorization is pending for the AP
    - Time at last successful join attempt..................... Feb 23 11:25:28.385
    - Time at last unsuccessful join attempt................... Feb 23 11:25:28.386
    Configuration phase statistics
    - Configuration requests received.......................... 3
    - Successful configuration responses sent.................. 1
    - Unsuccessful configuration request processing............ 0
    - Reason for last unsuccessful configuration attempt....... Not applicable
    - Time at last successful configuration attempt............ Feb 23 11:25:28.581
    - Time at last unsuccessful configuration attempt.......... Not applicable
    Last AP message decryption failure details
    - Reason for last message decryption failure............... Not applicable
    Last AP disconnect details
    - Reason for last AP connection failure.................... Timed out while waiting for ECHO repsonse from the AP
    - Last AP disconnect reason................................ AP's capwap state machine restarted
    Last join error summary
    - Type of error that occurred last......................... AP got or has been disconnected
    - Reason for error that occurred last...................... Timed out while waiting for ECHO repsonse from the AP
    - Time at which the last join error occurred............... Mar 18 19:07:28.864
    AP disconnect details
    - Reason for last AP connection failure.................... Timed out while waiting for ECHO repsonse from the AP

    Ioan,
    as you see here:
    Reason for last unsuccessful join attempt................ RADIUS authorization is pending for the AP
    It seems you need to add a MAC filter for this AP on your WLC so it joins.
    Or, if you are using external RADIUS for authorization, you need to add an entry for this AP on the RADIUS server.
    Here are some links that may help:
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00808f8599.shtml#p5
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808c7234.shtml
    Please don't forget to rate the reply if it is useful.
    Cheers,
    Amjad

  • APs not joining controller errors

    I keep getting errors on different APs not joining controllers:
    Jan  5 15:54:40.097: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Jan  5 15:54:40.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.x.x.x peer_port: 5246
    *Jan  5 15:54:40.001: %CAPWAP-5-CHANGED: CAPWAP changed state to 
    *Jan  5 15:54:41.778: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.x.x.x  peer_port: 5246
    *Jan  5 15:54:41.780: %CAPWAP-5-SENDJOIN: sending Join Request to 10.x.x.x
    *Jan  5 15:54:41.780: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Jan  5 15:54:41.787: %DTLS-5-ALERT: Received WARNING : Close notify alert from 10.x.x.x
    *Jan  5 15:54:41.788: %DTLS-5-PEER_DISCONNECT: Peer 10.x.x.x  has closed connection.
    *Jan  5 15:54:41.788: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 10.x.x.x :5246.
    Any ideas?  I'm not sure why the peer is disconnecting the connection.  The controller that is linked to It happens on 1242 and 1231 APs mostly.  I've had it happen on a 1142 and 1252 once, but after a reboot it joined fine.
    I'm running 6.0.188.0 on 6 WISMs.  The ap-manager that these APs keep trying to join only has 5 APs on it.

    Can you get a sniffer trace of the port-channel to one of the WiSM, and if possible, the console of the AP?  Also, check the MAC address of the AP(s) that are not joining to see if they start with something other than 00:, you may also want to check the MAC of the gw for those AP for the same thing.
    The defect I'm thinking of is CSCte01087

  • APs not joining WLC

    Hello community,
    I hope you can help me with my problem.
    I have a vWLC Firmware version: 7.4.121.0, I have also Aironet 1700Aps
    I have successfully configured the WLC with service and management interfaces. In the management network I can ping the vWLC management interface as well as the APs in this network. The firewall is also the DHCP server for the management network. (It is working because the APs get an IP address.) The problem is the APs are not joining the vWLC. This is my first time using a WLC and APs. So they are completely new and not used before.
    Here is the debug output of vWLC:
    ApTask4: Feb 11 16:31:07.997: 84:80:2d:bd:fa:10 Finding DTLS connection to delete for AP (192:168:200:10/57250)
    *spamApTask4: Feb 11 16:31:07.997: 84:80:2d:bd:fa:10 Disconnecting DTLS Capwap-Ctrl session 0x8faa580 for AP (192:168:200:10/57250)
    *spamApTask4: Feb 11 16:31:07.997: 84:80:2d:bd:fa:10 CAPWAP State: Dtls tear down
    *spamApTask4: Feb 11 16:31:07.998: 84:80:2d:bd:fa:10 DTLS connection closed event receivedserver (192:168:200:3/5246) client (192:168:200:10/57250)
    *spamApTask4: Feb 11 16:31:07.998: 84:80:2d:bd:fa:10 Entry exists for AP (192:168:200:10/57250)
    *spamApTask4: Feb 11 16:31:07.998: 84:80:2d:bd:fa:10 No AP entry exist in temporary database for 192.168.200.10:57250
    *spamApTask4: Feb 11 16:31:08.004: 84:80:2d:bd:fa:1e DTLS connection not found, creating new connection for 192:168:200:10 (57250) 192:168:200:3 (5246)
    *spamApTask4: Feb 11 16:31:08.472: 84:80:2d:bd:fa:1e DTLS Session established server (192.168.200.3:5246), client (192.168.200.10:57250)
    *spamApTask4: Feb 11 16:31:08.472: 84:80:2d:bd:fa:1e Starting wait join timer for AP: 192.168.200.10:57250
    *spamApTask4: Feb 11 16:31:08.477: 84:80:2d:bd:fa:10 Join Request from 192.168.200.10:57250
    *spamApTask4: Feb 11 16:31:08.477: 84:80:2d:bd:fa:1e Deleting AP entry 192.168.200.10:57250 from temporary database.
    *spamApTask4: Feb 11 16:31:08.477: 84:80:2d:bd:fa:10 Finding DTLS connection to delete for AP (192:168:200:10/57250)
    *spamApTask4: Feb 11 16:31:08.477: 84:80:2d:bd:fa:10 Disconnecting DTLS Capwap-Ctrl session 0x8faa720 for AP (192:168:200:10/57250)
    *spamApTask4: Feb 11 16:31:08.477: 84:80:2d:bd:fa:10 CAPWAP State: Dtls tear down
    *spamApTask4: Feb 11 16:31:08.479: 84:80:2d:bd:fa:10 DTLS connection closed event receivedserver (192:168:200:3/5246) client (192:168:200:10/57250)
    *spamApTask4: Feb 11 16:31:08.479: 84:80:2d:bd:fa:10 Entry exists for AP (192:168:200:10/57250)
    *spamApTask4: Feb 11 16:31:08.479: 84:80:2d:bd:fa:10 No AP entry exist in temporary database for 192.168.200.10:57250
    *spamApTask4: Feb 11 16:31:08.515: 84:80:2d:bd:fa:10 Discovery Request from 192.168.200.10:57250
    *spamApTask4: Feb 11 16:31:08.515: 84:80:2d:bd:fa:10 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 200, joined Aps =0
    *spamApTask4: Feb 11 16:31:08.515: 84:80:2d:bd:fa:10 Discovery Response sent to 192.168.200.10:57250
    *spamApTask4: Feb 11 16:31:08.515: 84:80:2d:bd:fa:10 Discovery Response sent to 192.168.200.10:57250
    *spamApTask4: Feb 11 16:31:08.516: 84:80:2d:bd:fa:10 Discovery Request from 192.168.200.10:57250
    *spamApTask4: Feb 11 16:31:08.516: 84:80:2d:bd:fa:10 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 200, joined Aps =0
    *spamApTask4: Feb 11 16:31:08.516: 84:80:2d:bd:fa:10 Discovery Response sent to 192.168.200.10:57250
    *spamApTask4: Feb 11 16:31:08.516: 84:80:2d:bd:fa:10 Discovery Response sent to 192.168.200.10:57250
    *spamApTask0: Feb 11 16:31:08.516: 84:80:2d:bd:fa:1e Received LWAPP DISCOVERY REQUEST to 40:4a:03:79:d7:20 on port '1'
    *spamApTask0: Feb 11 16:31:08.516: 84:80:2d:bd:fa:1e Discarding discovery request in LWAPP from AP supporting CAPWAP
    Sadly I don't have a debugging cable for the APs. Therefore I have no debugging output of the APs. (It is ordered ;-) )
    But I hope the output of the APs is right now not important to solve this problem.
    Thank you
    //EDIT
    No ports are blocked on the firewall.

    Okay I upgraded the vWLC to 8.0.110.0.
    I looked in the event log of the vWLC. It was successfully discovered and also the new image version was sent to the AP.
    Sadly the AP does not join the vWLC.
    *apfReceiveTask: Feb 12 09:53:35.640: WARP IEs: (12)
    *apfReceiveTask: Feb 12 09:53:35.640:      [0000] dd 0a 00 c0 b9 01 00 00 00 08 01 01
    *apfReceiveTask: Feb 12 09:53:35.640: Wlan Feature status 0 for  AP:84:80:2d:45:75:e0 (slotID 1)
    *apfReceiveTask: Feb 12 09:53:35.640: Split tunnel status (Disabled) encoded in the vap payload for WLAN(1), AP:84:80:2d:45:75:e0 (slotID 1)
    *spamApTask5: Feb 12 09:53:35.789: 84:80:2d:45:75:e0 Configuration Status from 192.168.200.10:57251
    *spamApTask5: Feb 12 09:53:35.789: 84:80:2d:45:75:e0 CAPWAP State: Configure
    *spamApTask5: Feb 12 09:53:35.789: 84:80:2d:45:75:e0 Updating IP info for AP 84:80:2d:45:75:e0 -- static 0, 192.168.200.10/255.255.255.0, gtw 192.168.200.3
    *spamApTask5: Feb 12 09:53:35.789: 84:80:2d:45:75:e0 Updating IP 192.168.200.10 ===> 192.168.200.10 for AP 84:80:2d:45:75:e0
    *spamApTask5: Feb 12 09:53:35.789: 84:80:2d:45:75:e0 Invalid length (9) countedlen 6 sizeUserPayload 277 for vendor-specific element 0x00409600-unknown (185) from AP  84:80:2D:45:75:E0
    *spamApTask5: Feb 12 09:53:35.790: 84:80:2d:45:75:e0 Setting MTU to 1485
    *spamApTask5: Feb 12 09:53:35.790: 84:80:2d:45:75:e0 Finding DTLS connection to delete for AP (192:168:200:10/57251)
    *spamApTask5: Feb 12 09:53:35.790: 84:80:2d:45:75:e0 Disconnecting DTLS Capwap-Ctrl session 0xb947000 for AP (192:168:200:10/57251)
    *spamApTask5: Feb 12 09:53:35.790: 84:80:2d:45:75:e0 CAPWAP State: Dtls tear down
    *spamApTask5: Feb 12 09:53:35.791: 84:80:2d:45:75:e0 DTLS connection closed event receivedserver (192.168.200.3/5246) client (192.168.200.10/57251)
    *spamApTask5: Feb 12 09:53:35.791: 84:80:2d:45:75:e0 Entry exists for AP (192.168.200.10/57251)
    *spamApTask5: Feb 12 09:53:35.791: 84:80:2d:45:75:e0 apfSpamProcessStateChangeInSpamContext: Deregister LWAPP event for AP 84:80:2d:45:75:e0 slot 0
    *spamApTask5: Feb 12 09:53:35.791: 84:80:2d:45:75:e0 apfSpamProcessStateChangeInSpamContext: Deregister LWAPP event for AP 84:80:2d:45:75:e0 slot 1
    *spamApTask5: Feb 12 09:53:35.791: update ap status:84:80:2d:45:75:e0 ,index:60
    *spamApTask5: Feb 12 09:53:35.791: 84:80:2d:45:75:e0 No AP entry exist in temporary database for 192.168.200.10:57251
    *apfReceiveTask: Feb 12 09:53:35.792: 84:80:2d:45:75:e0 Deregister LWAPP event for AP 84:80:2d:45:75:e0 slot 0
    *apfReceiveTask: Feb 12 09:53:35.792: 84:80:2d:45:75:e0 Deregister LWAPP event for AP 84:80:2d:45:75:e0 slot 1
    *spamApTask4: Feb 12 09:53:35.918: 84:80:2d:45:75:e0 Discovery Request from 192.168.200.10:57250
    *spamApTask4: Feb 12 09:53:35.918: 84:80:2d:45:75:e0 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 200, joined Aps =0
    *spamApTask4: Feb 12 09:53:35.918: apModel: AIR-CAP702I-C-K9
    *spamApTask4: Feb 12 09:53:35.918: apType = 45 apModel: AIR-CAP702I-C-K9
    *spamApTask4: Feb 12 09:53:35.918: 84:80:2d:45:75:e0 Discovery Response sent to 192.168.200.10 port 57250
    *spamApTask4: Feb 12 09:53:35.918: 84:80:2d:45:75:e0 Discovery Response sent to 192.168.200.10:57250
    *spamApTask4: Feb 12 09:53:35.919: 84:80:2d:45:75:e0 Discovery Request from 192.168.200.10:57250
    *spamApTask4: Feb 12 09:53:35.919: 84:80:2d:45:75:e0 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 200, joined Aps =0
    *spamApTask4: Feb 12 09:53:35.919: apModel: AIR-CAP702I-C-K9
    *spamApTask4: Feb 12 09:53:35.919: apType = 45 apModel: AIR-CAP702I-C-K9
    *spamApTask4: Feb 12 09:53:35.919: 84:80:2d:45:75:e0 Discovery Response sent to 192.168.200.10 port 57250
    *spamApTask4: Feb 12 09:53:35.919: 84:80:2d:45:75:e0 Discovery Response sent to 192.168.200.10:57250
    Sadly I don't understand what this debugging log says :-(
    Maybe you can help me again
    Thank you
    //SOLUTION
    I found something on the internet, but for all people also having this problem, here is the solution:
    Change the country of your vWLC. Right now I am in China, so I changed it and then it was working flawlessly :-)
    Step 1  
    Disable the 802.11 networks as follows:
    Choose Wireless > 802.11a/n > Network.
    Unselect the 802.11a Network Status check box.
    Click Apply.
    Choose Wireless > 802.11a/n > Network.
    Unselect the 802.11b/g Network Status check box.
    Click Apply.
    Step 2  
    Choose Wireless > Country to open the Country page.
    Thank you all for your help :-)
    Paul

  • APs not joining 5508 on dynamic ports created manually

    Hey all,
    I have a problem with our new 5508 wireless controller (7.0.116.0).
    Port 1 is the system default "management" (Port 2 is backup). Dynamic AP Management is disabled.
    Port 3 is a new dynamic interface "ap-manager 2" with Dynamic AP Management enabled and has an IP in a separated VLAN which is not routed.
    When I am connecting the AP (1260 series) to the "ap-manager 2" interface, then it will not join and I get an error message on the WLC:
    *spamApTask1: Mar 05 14:52:12.783: %CAPWAP-3-DISC_INTF_ERR1:
    capwap_ac_sm.c:1453 Ignoring discovery request received on non-management
    interface (3) from AP
    When I am connecting the AP to the "management" interface, then it is working fine. But I don't want the APs in the Management LAN. I want them in the separated non-routed LAN explicitly for the APs.
    What do I miss here?
    Thanks a lot.
    Regards
    Matthew

    Hmmm...but I found the following in the documentation:
    The AP-manager interface's IP address must be different from the management interface's IP address and may or may not be on the same subnet as the management interface. However, we recommend that both interfaces be on the same subnet for optimum access point association.
    I want the APs in a separated non-routed LAN because of security reasons. Why set APs into the management LAN when they only need to communicate with the controller?
    But if there is no way to do that, then I need to redesign the plans for the WLAN structure.
    Thanks
    Matthew

  • AP(2720e) not joining a WLC (2504)

    I recently purchased two 2702e APs to expand the wireless coverage of our network but when I plug them in, they will not join the AP for some reason.
    This is what I am getting on the controller:
    (Cisco Controller) >show ap join stats detailed f44e0544e944
    Discovery phase statistics
    - Discovery requests received.............................. 51
    - Successful discovery responses sent...................... 26
    - Unsuccessful discovery request processing................ 0
    - Reason for last unsuccessful discovery attempt........... Not applicable
    - Time at last successful discovery attempt................ Dec 08 10:24:37.695
    - Time at last unsuccessful discovery attempt.............. Not applicable
    Join phase statistics
    - Join requests received................................... 0
    - Successful join responses sent........................... 0
    - Unsuccessful join request processing..................... 0
    - Reason for last unsuccessful join attempt................ Not applicable
    - Time at last successful join attempt..................... Not applicable
    - Time at last unsuccessful join attempt................... Not applicable
    Configuration phase statistics
    - Configuration requests received.......................... 0
    - Successful configuration responses sent.................. 0
    - Unsuccessful configuration request processing............ 0
    - Reason for last unsuccessful configuration attempt....... Not applicable
    - Time at last successful configuration attempt............ Not applicable
    - Time at last unsuccessful configuration attempt.......... Not applicable
    Last AP message decryption failure details
    - Reason for last message decryption failure............... Not applicable
    Last AP disconnect details
    - Reason for last AP connection failure.................... Not applicable
    - Last AP disconnect reason................................ Not applicable
    Last join error summary
    - Type of error that occurred last......................... None
    - Reason for error that occurred last...................... Not applicable
    - Time at which the last join error occurred............... Not applicable
    AP disconnect details
    - Reason for last AP connection failure.................... Not applicable
    I have tried it with just the default settings and by setting the IP on the AP to no avail.
    Any suggestion would be much appreciated.
    Eric

    Hi Eric,
    What software code is running on your 2504? I hope it is 7.6.130.0.
    If it is 8.0.100.0, then there was a critical bug, given below; you need to check whether you are hitting this:
    https://tools.cisco.com/bugsearch/bug/CSCur43050
    Conditions:
    Seen only with APs that were manufactured in August, September or October, 2014 - all Aironet APs were affected EXCEPT the 700 series. Seen with WLCs running 8.0.100.0 or an 8.0.100.x special.
    If the WLC was manufactured in September 2014, or later (i.e. has a SHA2 MIC), then the first symptom is seen, i.e. the AP joins the 8.0.100 WLC, downloads the image, but then fails to rejoin.
    If the WLC was manufactured before September 2014 (i.e. does not have a SHA2 MIC), then the second symptom is seen, i.e. the AP can join the 8.0.100 WLC OK, but then will fail download during a subsequent upgrade.
    Also seen with new APs trying to join a controller running IOS-XE 3.6.0 (15.3(3)JN k9w8 image.) (Track CSCur50946 for the IOS-XE fix)
    Workaround:
    Downgrade to AireOS 7.6.130.0, or to IOS-XE 3.3, if the APs are supported in the earlier code
    Pls attach the AP console output while it is trying to boot and register, to see the exact reason for failure.
    HTH
    Rasika
    **** Pls rate all useful responses ****
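Both `show ap join stats detailed` outputs quoted in this thread are read the same way: find the first phase whose counters stop advancing and take the reason printed for it. The sketch below is an added example (not code from the thread or from Cisco) that parses that output and reports the stalled phase; the two samples are constructed, abbreviated copies in the layout shown above, and the function names are assumptions of this example.

```python
import re

# "- <field name>.......... <value>" as printed by the controller CLI.
FIELD = re.compile(r"^-\s+(.*?)\.{2,}\s*(.*)$")

DISC = "Discovery phase statistics"
JOIN = "Join phase statistics"
CONF = "Configuration phase statistics"


def parse_join_stats(text):
    """Return {section: {field: value}} from 'show ap join stats detailed'."""
    stats, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, the CLI prompt line and pager prompts left in pastes.
        if not line or line.startswith(("--More--", "(Cisco Controller)")):
            continue
        match = FIELD.match(line)
        if match and section is not None:
            stats[section][match.group(1).strip()] = match.group(2).strip()
        elif not match:
            section = line
            stats.setdefault(section, {})
    return stats


def _count(stats, section, field):
    value = stats.get(section, {}).get(field, "0")
    return int(value) if value.isdigit() else 0


def triage(stats):
    """Return (phase, detail) for the first phase that did not complete."""
    if _count(stats, DISC, "Discovery requests received") == 0:
        return ("discovery", "no discovery request reached the controller")
    if _count(stats, DISC, "Successful discovery responses sent") == 0:
        return ("discovery", stats[DISC].get(
            "Reason for last unsuccessful discovery attempt", "unknown"))
    if _count(stats, JOIN, "Join requests received") == 0:
        return ("join",
                "controller received no join request after answering discovery")
    if _count(stats, JOIN, "Unsuccessful join request processing") > 0:
        return ("join", stats[JOIN].get(
            "Reason for last unsuccessful join attempt", "unknown"))
    if _count(stats, CONF, "Unsuccessful configuration request processing") > 0:
        return ("configuration", stats[CONF].get(
            "Reason for last unsuccessful configuration attempt", "unknown"))
    summary = stats.get("Last join error summary", {})
    return ("none", summary.get("Reason for error that occurred last",
                                "Not applicable"))


# Constructed sample: join refused while AP authorization is pending.
SAMPLE_AUTH_PENDING = """\
Discovery phase statistics
- Discovery requests received.............................. 7
- Successful discovery responses sent...................... 5
Join phase statistics
- Join requests received................................... 2
- Successful join responses sent........................... 2
- Unsuccessful join request processing..................... 2
- Reason for last unsuccessful join attempt................ RADIUS authorization is pending for the AP
--More-- or (q)uit
Last join error summary
- Type of error that occurred last......................... AP got or has been disconnected
"""

# Constructed sample: discovery is answered but no join request ever arrives.
SAMPLE_NO_JOIN = """\
Discovery phase statistics
- Discovery requests received.............................. 51
- Successful discovery responses sent...................... 26
Join phase statistics
- Join requests received................................... 0
- Successful join responses sent........................... 0
- Unsuccessful join request processing..................... 0
- Reason for last unsuccessful join attempt................ Not applicable
"""

if __name__ == "__main__":
    for name, sample in (("auth pending", SAMPLE_AUTH_PENDING),
                         ("no join", SAMPLE_NO_JOIN)):
        print(name, "->", triage(parse_join_stats(sample)))
```
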

  • Cisco LAP 2602 can not join Virtual WLC

    Dear all,
    I just installed a Virtual WLC and removed the WLC 2504. I installed and configured it, but the LAP cannot join. It was working fine with the WLC 2504.
    I used the same network topology as with the old WLC.
    I receive these error logs.
    *spamApTask4: Feb 04 06:01:30.082: <<<<  Start of CAPWAP Packet  >>>>
    *spamApTask4: Feb 04 06:01:30.082: CAPWAP Control mesg Recd from 10.192.200.93, Port 26711
    *spamApTask4: Feb 04 06:01:30.082:              HLEN 4,   Radio ID 0,    WBID 1
    *spamApTask4: Feb 04 06:01:30.082:              Msg Type   :   CAPWAP_DISCOVERY_REQUEST
    *spamApTask4: Feb 04 06:01:30.082:              Msg Length : 155
    *spamApTask4: Feb 04 06:01:30.082:              Msg SeqNum : 0
    *spamApTask4: Feb 04 06:01:30.082:   
    *spamApTask4: Feb 04 06:01:30.082:       Type : CAPWAP_MSGELE_DISCOVERY_TYPE, Length 1
    *spamApTask4: Feb 04 06:01:30.082:              Discovery Type : CAPWAP_DISCOVERY_TYPE_UNKNOWN
    *spamApTask4: Feb 04 06:01:30.082:   
    *spamApTask4: Feb 04 06:01:30.082:       Type : CAPWAP_MSGELE_WTP_BOARD_DATA, Length 62
    *spamApTask4: Feb 04 06:01:30.083:              Vendor Identifier      : 0x00409600
    *spamApTask4: Feb 04 06:01:30.083:              WTP_SERIAL_NUMBER : AIR-CAP2602E-I-K9
    *spamApTask4: Feb 04 06:01:30.083:   
    *spamApTask4: Feb 04 06:01:30.083:       Type : CAPWAP_MSGELE_WTP_DESCRIPTOR, Length 40
    *spamApTask4: Feb 04 06:01:30.083:              Maximum Radios Supported  : 2
    *spamApTask4: Feb 04 06:01:30.083:              Radios in Use             : 2
    *spamApTask4: Feb 04 06:01:30.083:              Encryption Capabilities   : 0x00 0x01
    *spamApTask4: Feb 04 06:01:30.083:   
    *spamApTask4: Feb 04 06:01:30.083:       Type : CAPWAP_MSGELE_WTP_FRAME_TUNNEL, Length 1
    *spamApTask4: Feb 04 06:01:30.083:              WTP Frame Tunnel Mode : NATIVE_FRAME_TUNNEL_MODE
    *spamApTask4: Feb 04 06:01:30.083:   
    *spamApTask4: Feb 04 06:01:30.083:       Type : CAPWAP_MSGELE_WTP_MAC_TYPE, Length 1
    *spamApTask4: Feb 04 06:01:30.083:              WTP Mac Type  : SPLIT_MAC
    *spamApTask4: Feb 04 06:01:30.083:   
    *spamApTask4: Feb 04 06:01:30.083:       Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 10
    *spamApTask4: Feb 04 06:01:30.083:              Vendor Identifier  : 0x00409600
    *spamApTask4: Feb 04 06:01:30.083: 
            IE            :   UNKNOWN IE 207
    *spamApTask4: Feb 04 06:01:30.083:      IE Length     :   4
    *spamApTask4: Feb 04 06:01:30.083:      Decode routine not available, Printing Hex Dump
    *spamApTask4: Feb 04 06:01:30.083: 00000000: 03 00 00 01                                       ....
    *spamApTask4: Feb 04 06:01:30.083:   
    *spamApTask4: Feb 04 06:01:30.083:       Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 12
    *spamApTask4: Feb 04 06:01:30.083:              Vendor Identifier  : 0x00409600
    *spamApTask4: Feb 04 06:01:30.083: 
            IE            :   RAD_NAME_PAYLOAD
    *spamApTask4: Feb 04 06:01:30.083:      IE Length     :   6
    *spamApTask4: Feb 04 06:01:30.083:      Rad  Name     :   
    *spamApTask4: Feb 04 06:01:30.083: CEO_AP
    *spamApTask4: Feb 04 06:01:30.083: <<<<  End of CAPWAP Packet  >>>>
    *spamApTask4: Feb 04 06:01:30.083: dc:a5:f4:8c:ff:30 Discovery Request from 10.192.200.93:26711
    *spamApTask4: Feb 04 06:01:30.083: dc:a5:f4:8c:ff:30 ApModel: AIR-CAP2602E-I-K9
    *spamApTask4: Feb 04 06:01:30.083: dc:a5:f4:8c:ff:30 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 200, joined Aps =0
    *spamApTask4: Feb 04 06:01:30.083: apModel: AIR-CAP2602E-I-K9
    *spamApTask4: Feb 04 06:01:30.083: apType = 26 apModel: AIR-CAP2602E-I-K9
    *spamApTask4: Feb 04 06:01:30.083: apType: Ox1a bundleApImageVer: 8.0.110.0
    *spamApTask4: Feb 04 06:01:30.083: version:8 release:0 maint:110 build:0
    *spamApTask4: Feb 04 06:01:30.083: dc:a5:f4:8c:ff:30 Discovery Response sent to 10.192.200.93 port 26711
    *spamApTask4: Feb 04 06:01:30.083: dc:a5:f4:8c:ff:30 Discovery Response sent to 10.192.200.93:26711
    Please any help.

    Dear,
    Yes, the WLC 2504 is 8.0.110, but because it's damaged I replaced it with a new vWLC v8.0.110.
    Also, I cannot put the LAP in FlexConnect until it has joined.

  • 3502i APs not joining controller

    So basically my infrastructure consists of four 4402 WLCs running on 7.0.235.3. I'm trying to get new access points to join to the environment, but I am having difficulty doing so. All currently joined APs work fine and are operating well. I'm getting a red, green, off blink code which means it's trying to join, but never does. The other one I get a constantly blinking green but it never joins either. I've set up option 43 in DHCP, added cisco-capwap-controller entries in DNS thinking it was because those are missing, and still cannot get these two access points to join. Can anyone think why it would not be joining?
    The access points and WLC are all on the Same VLAN by the way.

    Hello,
    In a Cisco Unified Wireless network, the LAPs must first discover and join a WLC before they can service wireless clients.
    Originally, the controllers only operated in Layer 2 mode. In Layer 2 mode, the LAPs are required to be on the same subnet as the management interface and the Layer 3 mode AP-manager interface is not present on the controller. The LAPs communicate with the controller using Layer 2 encapsulation only (ethernet encapsulation) and do not Dynamic Host Configuration Protocol (DHCP) an IP address.
    When Layer 3 mode on the controller was developed, a new Layer 3 interface called AP-manager was introduced. In Layer 3 mode, the LAPs would DHCP an IP address first and then send their discovery request to the management interface using IP addresses (Layer 3). This allowed the LAPs to be on a different subnet than the management interface of the controller. Layer 3 mode is the dominant mode today. Some controllers and LAPs can only perform Layer 3 mode.
    However, this presented a new problem: how did the LAPs find the management IP address of the controller when it was on a different subnet?
    In Layer 2 mode, they were required to be on the same subnet. In Layer 3 mode, the controller and LAP are essentially playing hide and seek in the network. If you do not tell the LAP where the controller is via DHCP option 43, DNS resolution of "Cisco-lwapp-controller@local_domain", or statically configure it, the LAP does not know where in the network to find the management interface of the controller.
    In addition to these methods, the LAP does automatically look on the local subnet for controllers with a 255.255.255.255 local broadcast. Also, the LAP remembers the management IP address of any controller it joins across reboots. Therefore, if you put the LAP first on the local subnet of the management interface, it will find the controller's management interface and remember the address. This is called priming. This does not help find the controller if you replace a LAP later on. Therefore, Cisco recommends using the DHCP option 43 or DNS methods.
    When the LAPs discover the controller, they do not know if the controller is in Layer 2 mode or Layer 3 mode. Therefore, the LAPs always connect to the management interface address of the controller first with a discovery request. The controller then tells the LAP which mode it is in the discovery reply. If the controller is in Layer 3 mode, the discovery reply contains the Layer 3 AP-manager IP address so the LAP can send a join request to the AP-manager interface next.
    Note: By default both management and AP-manager interfaces are left untagged on their VLAN during configuration. In case these are tagged, make sure they are tagged to the same VLAN in order to properly receive discovery and join response from the WLC.
    The LWAPP AP goes through this process on startup for Layer 3 mode:
    1. The LAP boots and DHCPs an IP address if it was not previously assigned a static IP address.
    2. The LAP sends discovery requests to controllers through the various discovery algorithms and builds a controller list. Essentially, the LAP learns as many management interface addresses for the controller list as possible via:
       - DHCP option 43 (good for global companies where offices and controllers are on different continents)
       - DNS entry for cisco-capwap-controller (good for local businesses - can also be used to find where brand new APs join)
         Note: If you use CAPWAP, make sure that there is a DNS entry for cisco-capwap-controller.
       - Management IP addresses of controllers the LAP remembers previously
       - A Layer 3 broadcast on the subnet
       - Over the air provisioning
       - Statically configured information
       From this list, the easiest method to use for deployment is to have the LAPs on the same subnet as the management interface of the controller and allow the LAP’s Layer 3 broadcast to find the controller. This method should be used for companies that have a small network and do not own a local DNS server.
       The next easiest method of deployment is to use a DNS entry with DHCP. You can have multiple entries of the same DNS name. This allows the LAP to discover multiple controllers. This method should be used by companies that have all of their controllers in a single location and own a local DNS server. Or, if the company has multiple DNS suffixes and the controllers are segregated by suffix.
       DHCP option 43 is used by large companies to localize the information via the DHCP. This method is used by large enterprises that have a single DNS suffix. For example, Cisco owns buildings in Europe, Australia, and the United States. In order to ensure that the LAPs only join controllers locally, Cisco cannot use a DNS entry and must use DHCP option 43 information to tell the LAPs what the management IP address of their local controller is.
       Finally, static configuration is used for a network that does not have a DHCP server. You can statically configure the information necessary to join a controller via the console port and the AP’s CLI. For information on how to statically configure controller information using the AP CLI, refer to Manually Configuring Controller Information Using the Access Point CLI.
       For a detailed explanation on the different discovery algorithms that LAPs use to find controllers, refer to LAP Registration with WLC.
       For information on configuring DHCP option 43 on a DHCP server, refer to DHCP OPTION 43 for Lightweight Cisco Aironet Access Points Configuration Example.
    3. Send a discovery request to every controller on the list and wait for the controller's discovery reply which contains the system name, AP-manager IP addresses, the number of APs already attached to each AP-manager interface, and overall excess capacity for the controller.
    4. Look at the controller list and send a join request to a controller in this order (only if the AP received a discovery reply from it):
       - Primary Controller system name (previously configured on LAP)
       - Secondary Controller system name (previously configured on LAP)
       - Tertiary Controller system name (previously configured on LAP)
    Master controller (if the LAP has not been previously configured             with any Primary, Secondary, or Tertiary controller names. Used to  always know             which controller brand new LAPs join)
    If none of the above are seen, load balance across controllers             using the excess capacity value in the discovery response.
    If two controllers have the same excess capacity, then send the             join request to the first controller that responded to the discovery  request             with a discovery response. If a single controller has multiple  AP-managers on             multiple interfaces, choose the AP-manager interface with the least  number of             APs.
    The controller will respond to all discovery requests without             checking certificates or AP credentials. However, join requests must  have a             valid certificate in order to get a join response from the  controller. If the             LAP does not receive a join response from its choice, the LAP will  try the next             controller in the list unless the controller is a configured  controller             (Primary/Secondary/Tertiary).
    When it receives the join reply, the AP checks to make sure it has           the same image as that of the controller. If not, the AP downloads the  image           from the controller and reboots to load the new image and starts the  process           all over again from step 1.
    If it has the same software image, it asks for the configuration  from           the controller and moves into the registered state on the controller.
    After you download the configuration, the AP might reload again to           apply the new configuration. Therefore, an extra reload can occur and  is a           normal behavior.
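
The join order quoted above (configured names, then master, then excess capacity with a first-responder tie-break) can be written out as a small selection routine. This is an added example, not Cisco code and not part of the post; the `DiscoveryReply` model, the `is_master` flag, the function names and the sample controllers are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class DiscoveryReply:
    """Fields the excerpt says a discovery reply carries, plus is_master (assumed)."""
    name: str                     # controller system name
    excess_capacity: int          # overall excess capacity of the controller
    ap_managers: dict = field(default_factory=dict)  # AP-manager IP -> APs attached
    is_master: bool = False       # assumption: the AP can tell a master controller

def rank_controllers(replies, primary=None, secondary=None, tertiary=None):
    """Order controllers the way the excerpt describes.

    `replies` must be in arrival order, because the tie-break for equal
    excess capacity is "first controller that responded".
    Returns a list of (reply, reason); element 0 is the join target.
    """
    configured = [("primary", primary), ("secondary", secondary), ("tertiary", tertiary)]
    by_name = {}
    for r in replies:
        by_name.setdefault(r.name, r)   # keep the first reply per system name
    ranked = []
    for reason, name in configured:
        if name and name in by_name:
            ranked.append((by_name[name], reason))
    # The master controller only counts for APs with no configured names at all.
    if not any(name for _, name in configured):
        ranked += [(r, "master") for r in replies if r.is_master]
    taken = {id(r) for r, _ in ranked}
    rest = [(i, r) for i, r in enumerate(replies) if id(r) not in taken]
    # Highest excess capacity first; equal capacity falls back to arrival order.
    rest.sort(key=lambda pair: (-pair[1].excess_capacity, pair[0]))
    ranked += [(r, "excess-capacity") for _, r in rest]
    return ranked

def join_target(replies, **configured_names):
    """Pick the controller, the AP-manager interface on it, and whether the AP
    would move on to the next controller if no join response arrives."""
    ranked = rank_controllers(replies, **configured_names)
    if not ranked:
        return None
    reply, reason = ranked[0]
    # Several AP-managers on one controller: take the one with the fewest APs.
    ap_manager = min(reply.ap_managers, key=reply.ap_managers.get) if reply.ap_managers else None
    # A configured Primary/Secondary/Tertiary is not abandoned for the next one.
    moves_on = reason not in ("primary", "secondary", "tertiary")
    return reply.name, ap_manager, reason, moves_on

# Constructed discovery replies, in the order they arrived.
REPLIES = [
    DiscoveryReply("wlc-a", 40, {"10.0.1.45": 12}),
    DiscoveryReply("wlc-b", 40, {"10.0.2.45": 30, "10.0.2.46": 5}),
    DiscoveryReply("wlc-c", 10, {"10.0.3.45": 0}, is_master=True),
]

if __name__ == "__main__":
    print(join_target(REPLIES))                                      # brand new AP
    print(join_target(REPLIES, primary="wlc-x", secondary="wlc-b"))  # primary silent
    print(join_target(REPLIES, primary="wlc-x"))                     # no configured name seen
```

Because discovery replies are answered without any certificate check, the ranking runs on unauthenticated data; only the join exchange that follows is certificate-validated.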

  • AP 1042N with ios 15.2(4)JB5 is not joining to WLC with ios 7.4.121.0

    I am trying to add an AP 1042N with IOS 15.2(4)JB5 to a WLC 2504 with IOS version 7.4.121.0, but the AP is not joining.
    Below is the log I am getting on the AP; here 192.168.100.10 is the WLC IP:
    *May 20 19:31:22.745: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *May 20 19:51:24.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.10 peer_port: 5246
    *May 20 19:51:24.804: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.10 peer_port: 5246
    *May 20 19:51:24.805: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.10
    *May 20 19:51:29.804: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.10
    *May 20 19:52:23.222: %DTLS-5-ALERT: Received WARNING : Close notify alert from 192.168.100.10
    *May 20 19:52:23.222: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.100.10:5246
    *May 20 19:52:23.223: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *May 20 19:51:24.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.10 peer_port: 5246
    *May 20 19:51:24.818: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.10 peer_port: 5246
    *May 20 19:51:24.819: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.10
    *May 20 19:51:29.819: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.10
    Can anyone tell me, is there any issue with the AP and WLC IOS compatibility, or what else could be the reason for this?

    Hi, thanks for everyone's comments.
    I found the solution: I was extracting only one file from the tar image, and the supporting files were not extracted to flash.
    Now I ran "archive tar /xtract tftp://<TFTP server IP>/<ImageName>.tar flash:", extracted the complete tar into the flash, and changed the boot priority. Now it is joining the controller.
    Thank you

  • AP 3702 not join the WLC

    Hi,
    I have two WLC 8500 working in SSO and with the NAT enable feature configured on the management interface.
    SSO is working, but I have to configure NAT before SSO because when SSO is up, the IP address and NAT are greyed out in the management interface.
    Some APs must join the controller on the private address of the management interface and other APs must join on the public IP address configured as the NAT address.
    For some reason, there are a lot of APs that can't join the controller; I have 3 APs joined on the public IP address and 3 APs joined on the private IP address.
    config network ap-discovery nat-only disable is already configured. From the console of one AP that cannot join I see the following:
    *Sep 10 12:32:48.115: %CAPWAP-3-ERRORLOG: Selected MWAR 'GI12WLC001A'(index 0).
    *Sep 10 12:32:48.115: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Sep 10 12:35:48.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 212.89.5.130 peer_port: 5246
    *Sep 10 12:36:17.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2176 Max retransmission count reached!
    *Sep 10 12:36:47.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 212.89.5.130:5246
    *Sep 10 12:36:47.999: %CAPWAP-3-ERRORLOG: Selected MWAR 'GI12WLC001A'(index 0).
    *Sep 10 12:36:47.999: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Sep 10 12:35:48.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.35.0.78 peer_port: 5246
    The AP is trying both the private and public IP addresses to join the WLC but can't join properly.
    From the WLC console:
    debug capwap errors enable:
    *spamApTask4: Sep 10 13:13:49.837: 00:10:db:ff:50:06 Discarding non-ClientHello Handshake OR DTLS encrypted packet from  10.35.1.13:47807)since DTLS session is not established 
    *spamApTask3: Sep 10 13:13:49.958: 1c:6a:7a:5b:e0:30 ApModel: AIR-CAP3702I-E-K9
    *spamApTask3: Sep 10 13:13:49.958: Unknown AP type. Using Controller Version!!!
    *spamApTask3: Sep 10 13:13:49.958: Unknown AP type. Using Controller Version!!!
    *spamApTask3: Sep 10 13:13:49.958: 1c:6a:7a:5b:e0:30 ApModel: AIR-CAP3702I-E-K9
    *spamApTask3: Sep 10 13:13:49.958: Unknown AP type. Using Controller Version!!!
    *spamApTask3: Sep 10 13:13:49.958: Unknown AP type. Using Controller Version!!!
    *spamApTask2: Sep 10 13:13:52.103: 00:10:db:ff:50:06 Discarding non-ClientHello Handshake OR DTLS encrypted packet from  10.35.1.11:21207)since DTLS session is not established 
    *spamApTask1: Sep 10 13:13:52.224: 1c:6a:7a:5e:0f:10 ApModel: AIR-CAP3702I-E-K9
    *spamApTask1: Sep 10 13:13:52.224: Unknown AP type. Using Controller Version!!!
    *spamApTask1: Sep 10 13:13:52.224: Unknown AP type. Using Controller Version!!!
    *spamApTask1: Sep 10 13:13:52.224: 1c:6a:7a:5e:0f:10 ApModel: AIR-CAP3702I-E-K9
    *spamApTask1: Sep 10 13:13:52.224: Unknown AP type. Using Controller Version!!!
    *spamApTask1: Sep 10 13:13:52.224: Unknown AP type. Using Controller Version!!!
    The AP models are the same, so this is not the problem, but for some reason there are APs that have problems with the NAT configuration; if I disable the NAT option, every AP with a private IP address config can join the WLC.
    I've tried breaking SSO and unconfiguring NAT, and the APs with private IP addresses join the controller without a problem.
    Can anybody give me a clue?
    Regards!

    It seems like the DTLS connection can't be established between the AP and WLC.
    The AP sends a discovery request.
    The WLC responds with two discovery responses; the first one contains the public IP address of the WLC and the second one contains the private IP address.
    Once the discovery process is complete, the AP tries to send a DTLS hello packet to the WLC, but this packet never arrives at the WLC.
    Because the hello doesn't arrive, the AP sends a close notify alert to the WLC and tries to send the DTLS hello packet to the WLC private address, with the same result.
    The AP gets into a loop trying to send DTLS hello packets to both the private and public addresses.
    The DTLS hello packet never arrives, but the close notify alert arrives at the WLC.
    There is a FW in the middle doing NAT, but I can understand why close notify alert error packets arrive at the WLC and DTLS hello packets don't. These packets use the same protocol (UDP) and the same port.
    Regards

  • Cisco APs not updating after WLC-update

    Hello everyone,
    I need to update my 5508 WLCs to a newer software, to support new AP-models.
    Started with AIR-CT5500-K9-1-7-0-0-FUS.aes and AIR-CT5500-K9-7-0-240-0.aes, everything worked fine. Pre-Downloaded the newer Image to the APs, restarted the WLCs and everything was ok.
    Now I tried to update to 7.6.100.0 as well as 7.4.121.0. Both Versions should support my APs, but it doesn't work at all.
    Any ideas are highly appreciated.
    If you need further output, just let me know.
    Regards,
    Manuel
    Here is some information about the environment: AP info and logging after the "upgrade" to 7.4.121.0, and controller information after downgrading again...
    AP#  sh ver
    Cisco IOS Software, C1240 Software (C1240-K9W8-M), Version 12.4(23c)JA7, RELEASE SOFTWARE (fc1)
    ROM: Bootstrap program is C1240 boot loader BOOTLDR: C1240 Boot Loader (C1240-BOOT-M) Version 12.4(13d)JA, RELEASE SOFTWARE (fc2)
    AP uptime is 1 minute System returned to ROM by power-on System image file is "flash:/c1240-k9w8-mx.124-23c.JA7/c1240-k9w8-mx.124-23c.JA7"
    cisco AIR-LAP1242AG-E-K9  (PowerPCElvis) processor (revision A0) with 27638K/5120K bytes of memory.
    Processor board ID FCZ1545812F
    PowerPCElvis CPU at 262Mhz, revision number 0x0950
    Last reset from power-on LWAPP image version 7.0.240.0
    1 FastEthernet interface
    2 802.11 Radio(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 70:CA:9B:07:86:B8
    Part Number                          : 73-10256-07
    PCA Assembly Number                  : 800-26918-06
    PCA Revision Number                  : A0
    PCB Serial Number                    : FOC15402NP4
    Top Assembly Part Number            : 800-29152-03
    Top Assembly Serial Number          : FCZ1545812F
    Top Revision Number                  : A0
    Product/Model Number                : AIR-LAP1242AG-E-K9
    Configuration register is 0xF
    AP#dir
    Directory of flash:/
    2  -rwx      89311  Jan 18 2014 20:41:00 +00:00  event.log
    3  drwx          64  Jan 18 2014 20:43:21 +00:00  update
    5  drwx        256  Jan 18 2014 20:40:55 +00:00  c1240-k9w8-mx.124-23c.JA7
    4  -rwx        6168  Nov 2 2011 23:32:18 +00:00  private-multiple-fs
    7  -rwx        395  Mar 1 2002 00:00:05 +00:00  env_vars
    15740928 bytes total (8772096 bytes free)
    AP#dir
    Directory of flash:/c1240-k9w8-mx.124-23c.JA7/
    9  -rwx      131328  Jan 18 2014 20:39:46 +00:00  7101.img
    10  -rwx        292  Jan 18 2014 20:39:46 +00:00  info
    11  -rwx    4642714  Jan 18 2014 20:40:55 +00:00  c1240-k9w8-mx.124-23c.JA7
    15  -rwx      131328  Jan 18 2014 20:40:56 +00:00  6701.img
    #sh logging --> see attached file
    CONTROLLER (unfortunately after downgrading it again):
    (Cisco Controller) >show sysinfo
    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 7.0.240.0
    Bootloader Version............................... 1.0.16
    Field Recovery Image Version..................... 7.0.112.21
    Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2
    Build Type....................................... DATA + WPS
    System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
    IP Address....................................... WLC-IP
    Last Reset....................................... Software reset
    System Up Time................................... 0 days 0 hrs 26 mins 3 secs
    System Timezone Location......................... (GMT +1:00) Amsterdam, Berlin, Rome, Vienna Current Boot
    License Level....................... base
    Current Boot License Type........................ Permanent
    Next Boot License Level.......................... base
    Next Boot License Type........................... Permanent
    Configured Country............................... DE  - Germany
    State of 802.11b Network......................... Enabled
    State of 802.11a Network......................... Enabled
    Number of WLANs.................................. 2
    Number of Active Clients......................... 5
    Burned-in MAC Address............................ 1C:DF:0F:C6:D8:80
    Power Supply 1................................... Present, OK
    Power Supply 2................................... Absent
    Maximum number of APs supported.................. 150
    (Cisco Controller) >show boot
    Primary Boot Image............................... 7.4.121.0
    Backup Boot Image................................ 7.0.240.0 (default) (active)
    (Cisco Controller) >show ap bundle primary
    Primary AP Image        Size
    ap1g2                  9576
    ap3g1                  6684
    ap3g2                  11208
    ap801                  5192
    ap802                  5232
    c1100                  3096
    c1130                  4972
    c1140                  4992
    c1200                  3364
    c1240                  4812
    c1250                  5512
    c1310                  3136
    c1520                  6412
    c3201                  4324
    c602i                  3716
    (Cisco Controller) >show ap bundle secondary
    Secondary AP Image      Size
    ap3g1                  6684
    ap801                  5192
    ap802                  5232
    c1100                  3096
    c1130                  4972
    c1140                  4992
    c1200                  3364
    c1240                  4812
    c1250                  5512
    c1310                  3136
    c1520                  6412
    c3201                  4324
    c602i                  3716
    Message edited by Manuel Sporleder

    Hi Scott,
    I am not trying to pre-download it anymore, since this doesn't work at all.
    If I just restart the controller, the APs download the image, telling me "everything is fine", are rebooted and then start with the old image again.
    This is what you can see in the attached log-file:
    *Mar  1 00:00:05.873: soap_prepare_new_image_crash: mini ios flash:/c1240-rcvk9w8-mx/c1240-rcvk9w8-mx
    *Mar  1 00:00:06.242: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
    *Mar  1 00:00:07.662: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
    *Mar  1 00:00:09.054: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1
    *Mar  1 00:00:09.152: %LWAPP-3-CLIENTEVENTLOG: Read and initialized AP event log (contains, 1024 messages)
    *Mar  1 00:00:09.181:  status of voice_diag_test from WLC is false
    *Mar  1 00:00:11.381: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
    *Mar  1 00:00:11.440: %SYS-5-RESTART: System restarted
    *Mar  1 00:00:11.441: %SNMP-5-COLDSTART: SNMP agent on host AP is undergoing a cold start
    *Nov  2 23:31:59.107: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Nov  2 23:31:59.108: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Nov  2 23:31:59.929: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
    *Nov  2 23:32:00.107: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *Nov  2 23:32:00.107: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Nov  2 23:32:18.102: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Nov  2 23:32:18.163: bsnUnlockDevice: not bring radio up: radio 1 is in admin disable state
    *Nov  2 23:32:18.345: %SSH-5-ENABLED: SSH 2.0 has been enabled
    *Nov  2 23:32:18.759:  status of voice_diag_test from WLC is false
    *Nov  2 23:32:18.847: Logging LWAPP message to 255.255.255.255.
    *Nov  2 23:32:33.181: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
    *Nov  2 23:32:33.247: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Nov  2 23:32:34.212: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Nov  2 23:32:34.213: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
    *Jan 20 20:32:44.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: WLC-1-IP peer_port: 5246
    *Jan 20 20:32:44.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *Jan 20 20:32:45.479: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: WLC-1-IP peer_port: 5246
    *Jan 20 20:32:45.480: %CAPWAP-5-SENDJOIN: sending Join Request to WLC-1-IP
    *Jan 20 20:32:45.481: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Jan 20 20:32:45.483: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
    *Jan 20 20:32:45.483: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
    *Jan 20 20:32:45.483: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Jan 20 20:32:45.484: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from WLC-1-IPperform archive download capwap:/c1240 tar file
    *Jan 20 20:32:45.494: %CAPWAP-5-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
    *Jan 20 20:32:45.499: %CAPWAP-5-CHANGED: CAPWAP changed state to IMAGE
    *Jan 20 20:33:58.755: %DTLS-3-BAD_RECORD: Erroneous record received from WLC-1-IP: Duplicate (replayed) record
    *Jan 20 20:33:59.315: image upgrade successfully, system is now reloading
    This happens again and again and again...
    Regards, Manuel
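
The AP console excerpts in the threads above fail at different points of the CAPWAP join, and a short script can sort attempts by how far each one got. This is an added example, not code from any poster or from Cisco; the stage labels and function names are this example's own, and the sample lines are copied from the posts above, trimmed to the relevant entries.

```python
import re

# AP console events: "*May 20 19:51:24.805: %CAPWAP-5-SENDJOIN: sending Join Request to ..."
EVENT_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+): (.*)$")
PEER_RE = re.compile(r"peer_ip: (\S+)")
# Stage labels are this example's own names, ordered by how far the AP got.
STAGES = ["dtls-request-sent", "dtls-established", "join-sent", "image-download"]
# ERRORLOG lines that show up on every attempt in the posts; treated as routine here.
ROUTINE = ("Go join a capwap controller", "Selected MWAR")

def parse(line):
    """Return (mnemonic, text); mnemonic is None when the line has no
    %FACILITY-SEVERITY-MNEMONIC header (e.g. DTLS_CLIENT_ERROR lines)."""
    m = EVENT_RE.search(line)
    return (m.group(3), m.group(4).strip()) if m else (None, line.strip())

def advance(attempt, stage):
    """Move an attempt forward, never backward, through STAGES."""
    if STAGES.index(stage) > STAGES.index(attempt["stage"]):
        attempt["stage"] = stage

def triage(lines):
    """Group console lines into join attempts (one per DTLS connection request)
    and record the furthest stage each attempt reached."""
    attempts, cur = [], None
    for mnemonic, text in map(parse, lines):
        if mnemonic == "DTLSREQSEND":
            peer = PEER_RE.search(text)
            cur = {"peer": peer.group(1) if peer else None,
                   "stage": STAGES[0], "join_requests": 0, "notes": []}
            attempts.append(cur)
        elif cur is None:
            continue                      # nothing to attach the line to yet
        elif mnemonic == "DTLSREQSUCC":
            advance(cur, "dtls-established")
        elif mnemonic == "SENDJOIN":
            advance(cur, "join-sent")
            cur["join_requests"] += 1
        elif mnemonic == "AP_IMG_DWNLD":
            advance(cur, "image-download")
        elif "Max retransmission count reached" in text:
            cur["notes"].append("dtls retransmissions exhausted")
        elif mnemonic == "ALERT" and "close notify" in text.lower():
            cur["notes"].append("close notify received from peer")
        elif mnemonic == "ERRORLOG" and not text.startswith(ROUTINE):
            cur["notes"].append(text)
    return attempts

def looping_peers(attempts, stage, minimum=2):
    """Peers for which at least `minimum` attempts ended at the same stage."""
    counts = {}
    for a in attempts:
        if a["stage"] == stage:
            counts[a["peer"]] = counts.get(a["peer"], 0) + 1
    return sorted(p for p, n in counts.items() if n >= minimum)

# Sample lines copied from the posts on this page.
JOIN_UNANSWERED = [
    "*May 20 19:51:24.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.10 peer_port: 5246",
    "*May 20 19:51:24.804: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.10 peer_port: 5246",
    "*May 20 19:51:24.805: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.10",
    "*May 20 19:51:29.804: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.10",
    "*May 20 19:52:23.222: %DTLS-5-ALERT: Received WARNING : Close notify alert from 192.168.100.10",
    "*May 20 19:52:23.223: %CAPWAP-3-ERRORLOG: Go join a capwap controller",
    "*May 20 19:51:24.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.10 peer_port: 5246",
    "*May 20 19:51:24.818: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.10 peer_port: 5246",
    "*May 20 19:51:24.819: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.10",
]
HANDSHAKE_TIMEOUT = [
    "*Sep 10 12:35:48.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 212.89.5.130 peer_port: 5246",
    "*Sep 10 12:36:17.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2176 Max retransmission count reached!",
    "*Sep 10 12:36:47.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 212.89.5.130:5246",
    "*Sep 10 12:35:48.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.35.0.78 peer_port: 5246",
]
IMAGE_DOWNLOAD = [
    "*Jan 20 20:32:44.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: WLC-1-IP peer_port: 5246",
    "*Jan 20 20:32:45.479: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: WLC-1-IP peer_port: 5246",
    "*Jan 20 20:32:45.480: %CAPWAP-5-SENDJOIN: sending Join Request to WLC-1-IP",
    "*Jan 20 20:32:45.483: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.",
    "*Jan 20 20:32:45.494: %CAPWAP-5-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.",
]

if __name__ == "__main__":
    for name, sample in (("join", JOIN_UNANSWERED), ("handshake", HANDSHAKE_TIMEOUT), ("image", IMAGE_DOWNLOAD)):
        for attempt in triage(sample):
            print(name, attempt)
```

The script reports the stage reached, not the cause: an attempt that stops at `dtls-request-sent` points at the path between AP and controller, while one that stops at `join-sent` got through DTLS and was then left without a join response.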

  • APs not joining controller

    I upgraded a 5508 controller yesterday; it went from a low code version 6.x to 6.0.196.0, then to 7.0.116.0. However, although all the access points joined code 6.0.196.0, they refused to join 7.0.116.0. The APs are all 1242s.
    The country codes etc were all fine so I do not understand what was going on.
    Any ideas?
    *spamApTask0: Jun 26 16:07:44.734: 00:3a:99:db:f3:20 Discovery Request from 10.0.0.183:55065
    *spamApTask0: Jun 26 16:07:44.734: 00:3a:99:db:f3:20 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 25, joined Aps =0
    *spamApTask0: Jun 26 16:07:44.735: 00:3a:99:db:f3:20 Discovery Response sent to 10.0.0.183:55065
    *spamApTask0: Jun 26 16:07:44.735: 00:3a:99:db:f3:20 Received LWAPP DISCOVERY REQUEST to e8:b7:48:9b:86:4f on port '13'
    *spamApTask0: Jun 26 16:07:44.735: 00:3a:99:db:f3:20 Discarding discovery request in LWAPP from AP supporting CAPWAP
    *spamApTask0: Jun 26 16:07:44.735: 00:3a:99:db:f3:20 Discovery Request from 10.0.0.183:55065
    *spamApTask0: Jun 26 16:07:44.735: 00:3a:99:db:f3:20 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 25, joined Aps =0
    *spamApTask0: Jun 26 16:07:44.735: 00:3a:99:db:f3:20 Discovery Response sent to 10.0.0.183:55065
    *spamApTask7: Jun 26 16:07:45.308: 00:3a:99:db:fa:20 Discovery Request from 10.0.0.95:55080
    *spamApTask7: Jun 26 16:07:45.308: 00:3a:99:db:fa:20 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 25, joined Aps =0
    *spamApTask0: Jun 26 16:07:45.308: 00:3a:99:db:fa:20 Received LWAPP DISCOVERY REQUEST to e8:b7:48:9b:86:4f on port '13'
    *spamApTask0: Jun 26 16:07:45.308: 00:3a:99:db:fa:20 Discarding discovery request in LWAPP from AP supporting CAPWAP
    *spamApTask7: Jun 26 16:07:45.308: 00:3a:99:db:fa:20 Discovery Response sent to 10.0.0.95:55080
    *spamApTask7: Jun 26 16:07:45.309: 00:3a:99:db:fa:20 Discovery Request from 10.0.0.95:55080
    *spamApTask7: Jun 26 16:07:45.309: 00:3a:99:db:fa:20 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 25, joined Aps =0
    *spamApTask7: Jun 26 16:07:45.309: 00:3a:99:db:fa:20 Discovery Response sent to 10.0.0.95:55080
    *spamApTask7: Jun 26 16:07:45.511: 00:13:c3:e1:4c:e0 Discovery Request from 10.0.1.232:20023
    *spamApTask7: Jun 26 16:07:45.511: 00:13:c3:e1:4c:e0 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 25, joined Aps =0
    *spamApTask7: Jun 26 16:07:45.511: 00:13:c3:e1:4c:e0 Discovery Response sent to 10.0.1.232:20023
    *spamApTask0: Jun 26 16:07:45.511: 00:13:c3:e1:4c:e0 Received LWAPP DISCOVERY REQUEST to e8:b7:48:9b:86:4f on port '13'
    *spamApTask0: Jun 26 16:07:45.511: 00:13:c3:e1:4c:e0 Discarding discovery request in LWAPP from AP supporting CAPWAP
    *spamApTask7: Jun 26 16:07:45.512: 00:13:c3:e1:4c:e0 Discovery Request from 10.0.1.232:20023
    *spamApTask7: Jun 26 16:07:45.512: 00:13:c3:e1:4c:e0 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 25, joined Aps =0
    *spamApTask7: Jun 26 16:07:45.512: 00:13:c3:e1:4c:e0 Discovery Response sent to 10.0.1.232:20023
    *spamApTask4: Jun 26 16:07:46.516: 00:3a:99:db:fa:10 DTLS connection not found, creating new connection for 10:0:0:101 (55079) 10:0:1:45 (5246)
    *spamApTask4: Jun 26 16:07:46.708: 00:3a:99:db:fa:10 DTLS connection closed event receivedserver (10:0:1:45/5246) client (10:0:0:101/55079)
    *spamApTask4: Jun 26 16:07:46.708: 00:3a:99:db:fa:10 No entry exists for AP (10:0:0:101/55079)
    *spamApTask4: Jun 26 16:07:46.708: 00:3a:99:db:fa:10 No entry exists in database
    *spamApTask4: Jun 26 16:07:47.759: 00:3a:99:db:fa:a0 Discovery Request from 10.0.0.184:55084
    *spamApTask4: Jun 26 16:07:47.759: 00:3a:99:db:fa:a0 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 25, joined Aps =0
    *spamApTask0: Jun 26 16:07:47.760: 00:3a:99:db:fa:a0 Received LWAPP DISCOVERY REQUEST to e8:b7:48:9b:86:4f on port '13'
    *spamApTask0: Jun 26 16:07:47.760: 00:3a:99:db:fa:a0 Discarding discovery request in LWAPP from AP supporting CAPWAP
    *spamApTask4: Jun 26 16:07:47.760: 00:3a:99:db:fa:a0 Discovery Response sent to 10.0.0.184:55084
    *spamApTask4: Jun 26 16:07:47.760: 00:3a:99:db:fa:a0 Discovery Request from 10.0.0.184:55084
    *spamApTask4: Jun 26 16:07:47.760: 00:3a:99:db:fa:a0 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 25, joined Aps =0
    *spamApTask4: Jun 26 16:07:47.760: 00:3a:99:db:fa:a0 Discovery Response sent to 10.0.0.184:55084
    *spamApTask7: Jun 26 16:07:49.471: 00:13:c3:e1:4d:c0 Discovery Request from 10.0.1.239:20032
    *spamApTask7: Jun 26 16:07:49.471: 00:13:c3:e1:4d:c0 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 25, joined Aps =0
    *spamApTask7: Jun 26 16:07:49.471: 00:13:c3:e1:4d:c0 Discovery Response sent to 10.0.1.239:20032
    *spamApTask0: Jun 26 16:07:49.471: 00:13:c3:e1:4d:c0 Received LWAPP DISCOVERY REQUEST to e8:b7:48:9b:86:4f on port '13'
    *spamApTask0: Jun 26 16:07:49.471: 00:13:c3:e1:4d:c0 Discarding discovery request in LWAPP from AP supporting CAPWAP
    *spamApTask7: Jun 26 16:07:49.472: 00:13:c3:e1:4d:c0 Discovery Request from 10.0.1.239:20032
    *spamApTask7: Jun 26 16:07:49.472: 00:13:c3:e1:4d:c0 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 25, joined Aps =0
    *spamApTask7: Jun 26 16:07:49.472: 00:13:c3:e1:4d:c0 Discovery Response sent to 10.0.1.239:20032
    *spamApTask1: Jun 26 16:07:52.222: 00:13:c3:e1:4d:80 Discovery Request from 10.0.1.230:20027
    *spamApTask1: Jun 26 16:07:52.222: 00:13:c3:e1:4d:80 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 25, joined Aps =0
    *spamApTask1: Jun 26 16:07:52.223: 00:13:c3:e1:4d:80 Discovery Response sent to 10.0.1.230:20027
    *spamApTask0: Jun 26 16:07:52.223: 00:13:c3:e1:4d:80 Received LWAPP DISCOVERY REQUEST to e8:b7:48:9b:86:4f on port '13'
    *spamApTask0: Jun 26 16:07:52.223: 00:13:c3:e1:4d:80 Discarding discovery request in LWAPP from AP supporting CAPWAP
    *spamApTask1: Jun 26 16:07:52.223: 00:13:c3:e1:4d:80 Discovery Request from 10.0.1.230:20027
    *spamApTask1: Jun 26 16:07:52.223: 00:13:c3:e1:4d:80 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 25, joined Aps =0
    *spamApTask1: Jun 26 16:07:52.224: 00:13:c3:e1:4d:80 Discovery Response sent to 10.0.1.230:20027
    *spamApTask5: Jun 26 16:07:52.267: 00:3a:99:da:c7:70 DTLS connection not found, creating new connection for 10:0:0:181 (34152) 10:0:1:45 (5246)
    *spamApTask1: Jun 26 16:07:52.274: 00:3a:99:db:ff:20 Discovery Request from 10.0.0.182:55099
    *spamApTask1: Jun 26 16:07:52.274: 00:3a:99:db:ff:20 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 25, joined Aps =0
    *spamApTask0: Jun 26 16:07:52.274: 00:3a:99:db:ff:20 Received LWAPP DISCOVERY REQUEST to e8:b7:48:9b:86:4f on port '13'
    *spamApTask1: Jun 26 16:07:52.274: 00:3a:99:db:ff:20 Discovery Response sent to 10.0.0.182:55099
    *spamApTask0: Jun 26 16:07:52.274: 00:3a:99:db:ff:20 Discarding discovery request in LWAPP from AP supporting CAPWAP
    *spamApTask1: Jun 26 16:07:52.275: 00:3a:99:db:ff:20 Discovery Request from 10.0.0.182:55099
    *spamApTask1: Jun 26 16:07:52.275: 00:3a:99:db:ff:20 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 25, joined Aps =0
    *spamApTask1: Jun 26 16:07:52.275: 00:3a:99:db:ff:20 Discovery Response sent to 10.0.0.182:55099
    *spamApTask1: Jun 26 16:07:52.306: 00:3a:99:db:f2:40 DTLS connection not found, creating new connection for 10:0:0:100 (55069) 10:0:1:45 (5246)
    *spamApTask5: Jun 26 16:07:52.463: 00:3a:99:da:c7:70 DTLS connection closed event receivedserver (10:0:1:45/5246) client (10:0:0:181/34152)
    *spamApTask5: Jun 26 16:07:52.463: 00:3a:99:da:c7:70 No entry exists for AP (10:0:0:181/34152)
    *spamApTask5: Jun 26 16:07:52.463: 00:3a:99:da:c7:70 No entry exists in database
    *spamApTask1: Jun 26 16:07:52.501: 00:3a:99:db:f2:40 DTLS connection closed event receivedserver (10:0:1:45/5246) client (10:0:0:100/55069)
    *spamApTask1: Jun 26 16:07:52.502: 00:3a:99:db:f2:40 No entry exists for AP (10:0:0:100/55069)
    *spamApTask1: Jun 26 16:07:52.502: 00:3a:99:db:f2:40 No entry exists in database

    Something "weird" is on the newest 7.0.X.  Here's my situation:
    1.  It doesn't happen to all new APs.  When I mean "new", I mean out from a box including APs from RMA.
    2.  I've seen this in 1240, 1250, 1140.  Haven't seen it on a 3500.
    3.  Here's how it goes ... When the AP, fresh from a box, connects to the networks, sees the WLC/WiSM and downloads the full IOS (OK so far).  After the reboot the AP in question loads the new IOS and shows up in the WLC/WiSM.  When I check CDP neighbors, NOTHING.  What the ... ?
    4.  Go to the switch and do command "sh cdp neighbor" and what do I get?  NOTHING.
    5.  Check PoE and show that it's IEEE.
    For an unknown reason, APs in this "trance" shut off CDP.  I currently have a Cisco TAC Case trying to iron out this "feature".  It doesn't appear on 7.0.96.0 but happens on the newer one.

  • APs not joining

    So today has been a disaster. I have 11 Cisco Aironet APs connected to a Cisco WLC 4402 running 7.0.235.3. When we lost power to the controller over the weekend I only had 8 come back. In the AP join log three of them were saying "Layer 3 discovery request not received on management VLAN". Mind you they were working before the power went out. So one of my colleagues advised me to shut down the controller, disable the switch ports the APs are plugged into, restart the controller, and then reenable the ports on the switch. Well now I only have three. The rest get the same error message I mentioned before. I also tried disabling and reenabling the DHCP scope they work on as well. Like I said they were all working before the power went out. Can anyone help?

    Nothing is wrong. That message simply means that there was an LWAPP request and the code the AP is on is CAPWAP. This happens in case you have a WLC on older code, but get/convert one with newer code.
    Is the DHCP server for the AP management network in another VLAN and do you have ip helper-address configured?
    How are you doing your discovery? L2 forwarding, option 43?
    I think you may have to upgrade the code on your controller to support your APs... or downgrade the code on the APs manually before attempting the join process with your controller.
    What model # AP ?

  • Autonomous 1252 converted to CAPWAP will not join 5508 WLC

    WLC 5508 firmware is v6.0.188.0
    I've tried updating the autonomous 1252 via both the upgrade tool 3.4 and 'archive download-sw' from the CLI
    I've tried multiple recovery images
    c1250-rcvk9w8-tar.124-21a.JA2.tar
    c1250-rcvk9w8-tar.124-10b.JDA.tar
    After AP reboots with recovery image it joins WLC and downloads new CAPWAP image then reboots again
    AP will not rejoin WLC with updated CAPWAP firmware
    Any help with this is greatly appreciated!
    Thanks in advance and happy holidays,
    Scott
    Error Msg from 1252 console
    *Dec 18 15:52:50.691: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.2 peer_port: 5246
    *Dec 18 15:52:50.695: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
    *Dec 18 15:52:50.695: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.100.2
    Additional info
    WLC Debugs Enabled:
    MAC address ................................ c4:7d:4f:39:31:e2
    Debug Flags Enabled:
      aaa detail enabled.
      capwap error enabled.
      capwap critical enabled.
      capwap events enabled.
      capwap state enabled.
      dtls event enabled.
      lwapp events enabled.
      lwapp errors enabled.
      pm pki enabled.
    WLC Debug Output:
    *Dec 18 10:51:51.575: dtls_conn_hash_search: Connection not found in hash table - Table empty.
    *Dec 18 10:51:51.575: sshpmGetCID: called to evaluate <cscoDefaultIdCert>
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: called to get cert for CID 154c7072
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 2, certname >cscoDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCID: called to evaluate <cscoDefaultIdCert>
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetSshPrivateKeyFromCID: called to get key for CID 154c7072
    *Dec 18 10:51:51.575: sshpmGetSshPrivateKeyFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<
    *Dec 18 10:51:51.576: sshpmGetSshPrivateKeyFromCID: comparing to row 1, certname >bsnDefaultIdCert<
    *Dec 18 10:51:51.576: sshpmGetSshPrivateKeyFromCID: comparing to row 2, certname >cscoDefaultIdCert<
    *Dec 18 10:51:51.576: sshpmGetSshPrivateKeyFromCID: match in row 2
    *Dec 18 10:51:51.692: acDtlsCallback: Certificate installed for PKI based authentication.
    *Dec 18 10:51:51.693: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=0
    *Dec 18 10:51:51.693: local_openssl_dtls_record_inspect:   msg=ClientHello len=44 seq=0 frag_off=0 frag_len=44
    *Dec 18 10:51:51.693: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:51.693: local_openssl_dtls_send: Sending 60 bytes
    *Dec 18 10:51:51.694: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:51.694: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=1
    *Dec 18 10:51:51.694: local_openssl_dtls_record_inspect:   msg=ClientHello len=76 seq=1 frag_off=0 frag_len=76
    *Dec 18 10:51:51.695: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:51.695: local_openssl_dtls_send: Sending 544 bytes
    *Dec 18 10:51:51.695: local_openssl_dtls_send: Sending 544 bytes
    *Dec 18 10:51:51.696: local_openssl_dtls_send: Sending 314 bytes
    *Dec 18 10:51:51.712: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:51.712: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=2
    *Dec 18 10:51:51.712: local_openssl_dtls_record_inspect:   msg=Certificate len=1146 seq=2 frag_off=0 frag_len=519
    *Dec 18 10:51:51.712: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:51.712: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:51.712: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=3
    *Dec 18 10:51:51.712: local_openssl_dtls_record_inspect:   msg=Certificate len=1146 seq=2 frag_off=519 frag_len=519
    *Dec 18 10:51:51.713: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:51.713: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:51.713: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=4
    *Dec 18 10:51:51.713: local_openssl_dtls_record_inspect:   msg=Certificate len=1146 seq=2 frag_off=1038 frag_len=108
    *Dec 18 10:51:51.714: sshpmGetIssuerHandles: locking ca cert table
    *Dec 18 10:51:51.714: sshpmGetIssuerHandles: calling x509_alloc() for user cert
    *Dec 18 10:51:51.714: sshpmGetIssuerHandles: calling x509_decode()
    *Dec 18 10:51:51.719: sshpmGetIssuerHandles: <subject> C=US, ST=California, L=San Jose, O=Cisco Systems, CN=C1250-c47d4f3931e2, [email protected]
    *Dec 18 10:51:51.719: sshpmGetIssuerHandles: <issuer>  O=Cisco Systems, CN=Cisco Manufacturing CA
    *Dec 18 10:51:51.719: sshpmGetIssuerHandles: Mac Address in subject is c4:7d:4f:39:31:e2
    *Dec 18 10:51:51.719: sshpmGetIssuerHandles: Cert Name in subject is C1250-c47d4f3931e2
    *Dec 18 10:51:51.719: sshpmGetIssuerHandles: Cert is issued by Cisco Systems.
    *Dec 18 10:51:51.719: sshpmGetCID: called to evaluate <cscoDefaultMfgCaCert>
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: called to get cert for CID 2ab15c0a
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.719: ssphmUserCertVerify: calling x509_decode()
    *Dec 18 10:51:51.730: ssphmUserCertVerify: user cert verfied using >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.730: sshpmGetIssuerHandles: ValidityString (current): 2009/12/18/15:51:51
    *Dec 18 10:51:51.730: sshpmGetIssuerHandles: ValidityString (NotBefore): 2009/11/03/00:47:36
    *Dec 18 10:51:51.730: sshpmGetIssuerHandles: ValidityString (NotAfter): 2019/11/03/00:57:36
    *Dec 18 10:51:51.730: sshpmGetIssuerHandles: getting cisco ID cert handle...
    *Dec 18 10:51:51.730: sshpmGetCID: called to evaluate <cscoDefaultIdCert>
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
    *Dec 18 10:51:51.731: sshpmFreePublicKeyHandle: called with 0x1f1f3b8c
    *Dec 18 10:51:51.731: sshpmFreePublicKeyHandle: freeing public key
    *Dec 18 10:51:51.731: openssl_shim_cert_verify_callback: Certificate verification - passed!
    *Dec 18 10:51:51.732: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:52.155: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:52.155: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=5
    *Dec 18 10:51:52.155: local_openssl_dtls_record_inspect:   msg=ClientKeyExchange len=258 seq=3 frag_off=0 frag_len=258
    *Dec 18 10:51:52.269: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:52.269: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:52.269: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=6
    *Dec 18 10:51:52.269: local_openssl_dtls_record_inspect:   msg=CertificateVerify len=258 seq=4 frag_off=0 frag_len=258
    *Dec 18 10:51:52.269: local_openssl_dtls_record_inspect: record=ChangeCipherSpec epoch=0 seq=7
    *Dec 18 10:51:52.269: local_openssl_dtls_record_inspect: record=Handshake epoch=1 seq=0
    *Dec 18 10:51:52.269: local_openssl_dtls_record_inspect:   msg=Unknown or Encrypted
    *Dec 18 10:51:52.273: openssl_dtls_process_packet: Connection established!
    *Dec 18 10:51:52.273: acDtlsCallback: DTLS Connection 0x167c5c00 established
    *Dec 18 10:51:52.273: openssl_dtls_mtu_update: Setting DTLS MTU for link to peer 192.168.100.54:62227
    *Dec 18 10:51:52.273: local_openssl_dtls_send: Sending 91 bytes
    *Dec 18 10:53:06.183: sshpmLscTask: LSC Task received a message 4
    Aironet 1252 Console Debug:
    *Dec 16 11:07:12.055: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Dec 18 15:51:40.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.2 peer_port: 5246
    *Dec 18 15:51:40.999: %CAPWAP-5-CHANGED: CAPWAP changed state to 
    *Dec 18 15:51:41.695: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.2 peer_port: 5246
    *Dec 18 15:51:41.699: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
    *Dec 18 15:51:41.699: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
    *Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.100.2
    *Dec 18 15:51:46.695: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
    *Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
    *Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.100.2
    *Dec 18 15:52:39.999: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 192.168.100.2:5246
    *Dec 18 15:52:40.039: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Dec 18 15:52:40.039: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Dec 18 15:52:40.051: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Dec 18 15:52:40.051: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
    *Dec 18 15:52:40.059: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 18 15:52:40.063: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Dec 18 15:52:40.079: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 18 15:52:40.079: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Dec 18 15:52:50.059: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Dec 18 15:52:50.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.2 peer_port: 5246
    *Dec 18 15:52:50.000: %CAPWAP-5-CHANGED: CAPWAP changed state to 
    *Dec 18 15:52:50.691: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.2 peer_port: 5246
    *Dec 18 15:52:50.695: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
    *Dec 18 15:52:50.695: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.100.2
    *Dec 18 15:52:55.691: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
    *Dec 18 15:52:55.691: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
    *Dec 18 15:52:55.691: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Dec 18 15:52:55.691: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec 18 15:52:55.691: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.1

    Nathan and Leo are alluding to CSCte01087. Basically the caveat is that DTLS fails on a non-00:xx:xx:xx:xx:xx L2 first hop. e.g. if the APs are on the same VLAN as the management interface, they must have 00 MACs; if they are on a different VLAN, the WLC/AP gateway must have a 00 MAC. If the workaround below does not suit your environment, open a TAC case for an image with the fix.
    Symptom:
    An access point running 6.0.188.0 code may be unable to join a WLC5508.
    Messages similar to the following will be seen on the AP.
       %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
       %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message
    Conditions:
    At least one of the following conditions pertains:
    - The high order byte of the AP's MAC address is nonzero, and the AP is in
    the same subnet as the WLC5508's management (or AP manager) interface
    - The WLC's management (or AP manager) interface's default gateway's
    MAC address' high order byte is nonzero.
    Workaround:
    If the MAC address of the WLC's default gateway does not begin with 00,
    and if all of the APs' MAC addresses begin with 00, then: you can put
    the APs into the same subnet as the WLC's management (or AP manager)
    interface.
    In the general case, for the situation where the WLC's default gateway's
    MAC does not begin with 00, you can address this by changing it to begin
    with 00. Some methods for doing this include:
    -- use the "mac-address" command on the gateway, to set a MAC address
    that begins with 00
    -- then enable HSRP on the gateway (standby ip ww.xx.yy.zz) and use this
    IP as the WLC's gateway.
    For the case where the APs' MAC addresses do not begin with 00, then make
    sure that they are *not* in the same subnet as the WLC's management
    (AP manager) interface, but are behind a router.
    Another workaround is to downgrade to 6.0.182.0.  However, after
    downgrading the WLC to 6.0.182.0, any APs that have 6.0.188.0 IOS
    (i.e. 12.4(21a)JA2) still installed on them will be unable to join.
    Therefore, after downgrading the WLC, the APs will need to have a
    pre-12.4(21a)JA2 rcvk9w8 or k9w8 image installed on them.
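
Added example (not from the posts above and not Cisco's code): a triage check for the condition described in the CSCte01087 text, following the reply's reading that the join fails when the L2 first hop between the WLC and the AP has a MAC whose high-order byte is nonzero. The function names, the /24 mask and the gateway MAC are assumptions; the AP MAC, the addresses and the log lines are taken from the post.

```python
import ipaddress
import re

# Both messages the bug text lists as the symptom.
SYMPTOMS = ("Invalid AC Message Type 4",
            "Unencrypted non-discovery CAPWAP Control Message")

# Console lines copied from the 1252 log in the post above.
AP_LOG = """\
*Dec 18 15:52:50.691: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.2 peer_port: 5246
*Dec 18 15:52:50.695: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
*Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
*Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
""".splitlines()


def log_shows_symptom(lines):
    """True when both symptom messages follow a successful DTLS setup."""
    dtls_up, seen = False, set()
    for line in lines:
        if "%CAPWAP-5-DTLSREQSUCC" in line:
            dtls_up, seen = True, set()  # new join attempt: start over
        elif dtls_up and "%CAPWAP-3-ERRORLOG" in line:
            seen.update(s for s in SYMPTOMS if s in line)
        if len(seen) == len(SYMPTOMS):
            return True
    return False


def high_byte_nonzero(mac):
    """Accepts c4:7d:..., c4-7d-... or Cisco c47d.4f39.31e2 notation."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits[:2], 16) != 0


def first_hop(ap_ip, ap_mac, wlc_mgmt_if, gateway_mac):
    """L2 first hop from the WLC management interface towards the AP."""
    subnet = ipaddress.ip_interface(wlc_mgmt_if).network
    if ipaddress.ip_address(ap_ip) in subnet:
        return "ap", ap_mac          # same subnet: the AP's own MAC
    return "gateway", gateway_mac    # routed: the WLC's default gateway


def exposed(ap_ip, ap_mac, wlc_mgmt_if, gateway_mac):
    """(hop, affected) for one AP under the conditions in the bug text."""
    hop, mac = first_hop(ap_ip, ap_mac, wlc_mgmt_if, gateway_mac)
    return hop, high_byte_nonzero(mac)


if __name__ == "__main__":
    # Assumed: /24 mask and a constructed gateway MAC (HSRP-style, starts 00).
    print(log_shows_symptom(AP_LOG))
    print(exposed("192.168.100.54", "c4:7d:4f:39:31:e2",
                  "192.168.100.2/24", "00:00:0c:07:ac:01"))
```

With the assumed /24, the poster's AP (c4:7d:4f:39:31:e2 at 192.168.100.54) sits in the WLC's management subnet, so its own nonzero high byte is the deciding factor.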
