2100 wireless LAN controller intermittent DHCP issue does not respond to clients

Hi everyone,
I have been struggling with a difficult problem for some time now:
The Cisco 2100 WLAN controller I have is configured with a DHCP scope in the same IP address range as its WLAN. The configuration works, and on a good day I have up to 200 clients connecting without issue. In the web interface they display as associated and authenticated.
On a bad day I find I will begin seeing about 50-80% of all new devices that attempt to join the WLAN show up as associated but not authenticated. These clients end up self-assigning themselves a 169.254.0.0/16 (APIPA) address.
When my controller / WLAN enters this state, clients that leave the WLAN typically fail to get back on and successfully authenticate. By the end of a day around 80-90% of all devices are essentially without Internet access due to this issue.
Rebooting the controller and/or APs typically makes no difference or makes things worse – although sometimes it appears to resolve the issue. The same holds for disabling the entire WLAN for about 10 minutes and then re-enabling it.
I'm using 1130 Cisco Aironet APs with the controller. I have checked extensively for interference and congestion – I think I have congestion – some APs typically host 40 to 90 devices. However, as mentioned, on a good day the WLAN will host 200 devices all day without any issue and some APs will host 50 to 70 devices without major issue.
I can provide more specifics if anyone should need them – e.g. firmware, IP addresses, exact model numbers etc.
Please let me know if anyone has seen something like this before?
I believe the 2100 is rated to handle up to 350 devices and it's recommended not to load a 1130 AP with more than 25 devices?
Regards
Matthew

Hi Amijad, Hi George:
Thank you both for your time in considering my situation.
I will think about implementing an independent DHCP server; I'm really wondering if the equipment is just overloaded.
- What software version does the WLC use?
Product Version.................................. 6.0.199.4
RTOS Version..................................... 6.0.199.4
Bootloader Version............................... 4.0.191.0
Emergency Image Version.......................... 6.0.199.4
PID: AIR-WLC2106-K9, VID: V05
- What ports of the WLC are connected to the neighbor switch? One or more?
2 ports connect to the neighbor switch on separate vlans
- port 1 is vlan 0 and hosts the management and ap-management IPs for the wlan controller
- port 2 is vlan 1 and hosts the wlan
- the controller has one dhcp scope defined on port 2 for the WLAN
- What is the security of your WLAN?
WPA+WPA2
AES
PSK
- Do you have "DHCP required" enabled on the WLAN?
Yes, DHCP required is enabled in the WLAN.
Please let me know if you have any additional advice.
Regards
Matthew

Similar Messages

  • AIR-CAP3501I access point not joining the Cisco 2100 Wireless Lan controller.

    Hello All,
    I am installing a new LAP (AIR-CAP3501I) through the wireless LAN controller (AIR-WLC2112-K9) with software version 7.0. I have an external ADSL modem which will act as the DHCP server for the wireless clients and the LAP.
    Please find my network setup below:
    The ISP ADSL modem, WLC and LAP are connected to an unmanaged PoE switch. The LAP gets its power through the PoE switch. When I connect the LAP and the WLC to the switch along with the ADSL modem, the LAPs are getting the IP address from the ADSL modem; however, they are not joining the WLC for further processing.
    ADSL Modem ip address: 192.168.1.254
    Management ip address on the LAP: 192.168.1.1 ( Assigned to port 1, untagged Vlan).
    Ap Manager ip address: 192.168.1.1 ( Assigned to the same port i.e port1, Untagged Vlan).
    The LAP is getting an IP address from the ADSL modem in the range of the DHCP scope.
    I will paste the logs very soon.
    Please let me know if I am doing anything wrong or what the issue will be.
    Thanks in advance,
    Mohammed Ameen

    Hello All,
    Please find the logs for  "debug capwap event" from the WLC below:
    *spamReceiveTask: Sep 26 19:44:59.196: e8:04:62:0a:3f:10 Join Version: = 117465600
    *spamReceiveTask: Sep 26 19:44:59.197: e8:04:62:0a:3f:10 Join resp: CAPWAP Maximum Msg element len = 92
    *spamReceiveTask: Sep 26 19:44:59.197: e8:04:62:0a:3f:10 Join Response sent to 192.168.1.156:45510
    *spamReceiveTask: Sep 26 19:44:59.197: e8:04:62:0a:3f:10 CAPWAP State: Join
    *spamReceiveTask: Sep 26 19:44:59.197: e8:04:62:0a:3f:10 capwap_ac_platform.c:1216 - Operation State 0 ===> 4
    *apfReceiveTask: Sep 26 19:44:59.198: e8:04:62:0a:3f:10 Register LWAPP event for AP e8:04:62:0a:3f:10 slot 0
    *spamReceiveTask: Sep 26 19:44:59.341: e8:04:62:0a:d1:20 DTLS connection not found, creating new connection for 192:168:1:158 (45644) 192:168:1:2 (5246)
    *spamReceiveTask: Sep 26 19:45:00.119: e8:04:62:0a:d1:20 DTLS Session established server (192.168.1.2:5246), client (192.168.1.158:45644)
    *spamReceiveTask: Sep 26 19:45:00.119: e8:04:62:0a:d1:20 Starting wait join timer for AP: 192.168.1.158:45644
    *spamReceiveTask: Sep 26 19:45:00.121: e8:04:62:0a:d1:20 Join Request from 192.168.1.158:45644
    *spamReceiveTask: Sep 26 19:45:00.123: e8:04:62:0a:d1:20 Join Version: = 117465600
    *spamReceiveTask: Sep 26 19:45:00.123: e8:04:62:0a:d1:20 Join resp: CAPWAP Maximum Msg element len = 92
    *spamReceiveTask: Sep 26 19:45:00.124: e8:04:62:0a:d1:20 Join Response sent to 192.168.1.158:45644
    *spamReceiveTask: Sep 26 19:45:00.124: e8:04:62:0a:d1:20 CAPWAP State: Join
    *spamReceiveTask: Sep 26 19:45:00.124: e8:04:62:0a:d1:20 capwap_ac_platform.c:1216 - Operation State 0 ===> 4
    *apfReceiveTask: Sep 26 19:45:00.125: e8:04:62:0a:d1:20 Register LWAPP event for AP e8:04:62:0a:d1:20 slot 0
    *spamReceiveTask: Sep 26 19:45:00.273: e8:04:62:0a:d1:20 Configuration Status from 192.168.1.158:45644
    *spamReceiveTask: Sep 26 19:45:00.273: e8:04:62:0a:d1:20 CAPWAP State: Configure
    *spamReceiveTask: Sep 26 19:45:00.273: Invalid channel 1 spacified for the AP APf866.f2ab.24b6, slotId = 0
    *spamReceiveTask: Sep 26 19:45:00.274: e8:04:62:0a:d1:20 Updating IP info for AP e8:04:62:0a:d1:20 -- static 0, 192.168.1.158/255.255.255.0, gtw 192.168.1.254
    *spamReceiveTask: Sep 26 19:45:00.274: e8:04:62:0a:d1:20 Updating IP 192.168.1.158 ===> 192.168.1.158 for AP e8:04:62:0a:d1:20
    *spamReceiveTask: Sep 26 19:45:00.274: e8:04:62:0a:d1:20 Setting MTU to 1485
    *spamReceiveTask: Sep 26 19:45:00.274: e8:04:62:0a:d1:20 Finding DTLS connection to delete for AP (192:168:1:158/45644)
    *spamReceiveTask: Sep 26 19:45:00.274: e8:04:62:0a:d1:20 Disconnecting DTLS Capwap-Ctrl session 0xa06d6a4 for AP (192:168:1:158/45644)
    *spamReceiveTask: Sep 26 19:45:00.274: e8:04:62:0a:d1:20 CAPWAP State: Dtls tear down
    *spamReceiveTask: Sep 26 19:45:00.277: spamProcessGlobalPathMtuUpdate: Changing Global LRAD MTU to 576
    *spamReceiveTask: Sep 26 19:45:00.277: e8:04:62:0a:d1:20 DTLS connection closed event receivedserver (192:168:1:2/5246) client 192:168:1:158/45644).
    The access point joins the controller for 2-3 seconds and then unjoins again. I am not sure what I am doing wrong here. The access points are getting the IPs from the ADSL modem through the switch, then they talk to the WLC; however, they do not join the controller for further processing.
    Note:
    The management interface and the AP manager interface are assigned to the same port 1 with unassigned VLAN as mentioned above.
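
One way to triage "debug capwap event" output like the lines above is to track each AP's CAPWAP state path and flag APs whose DTLS session is torn down shortly after they reach the Join state. This is an added example, not part of the original post and not Cisco tooling; the 5-second window, the fixed year used for timestamp arithmetic and the function names are assumptions.

```python
import re
from datetime import datetime

# Excerpt of the "debug capwap event" lines quoted in the post above.
SAMPLE = """\
*spamReceiveTask: Sep 26 19:44:59.197: e8:04:62:0a:3f:10 CAPWAP State: Join
*spamReceiveTask: Sep 26 19:45:00.119: e8:04:62:0a:d1:20 DTLS Session established server (192.168.1.2:5246), client (192.168.1.158:45644)
*spamReceiveTask: Sep 26 19:45:00.124: e8:04:62:0a:d1:20 CAPWAP State: Join
*spamReceiveTask: Sep 26 19:45:00.273: e8:04:62:0a:d1:20 CAPWAP State: Configure
*spamReceiveTask: Sep 26 19:45:00.273: Invalid channel 1 spacified for the AP APf866.f2ab.24b6, slotId = 0
*spamReceiveTask: Sep 26 19:45:00.274: e8:04:62:0a:d1:20 Setting MTU to 1485
*spamReceiveTask: Sep 26 19:45:00.274: e8:04:62:0a:d1:20 CAPWAP State: Dtls tear down
*spamReceiveTask: Sep 26 19:45:00.277: spamProcessGlobalPathMtuUpdate: Changing Global LRAD MTU to 576
"""

# "*task: Mon DD HH:MM:SS.mmm: [ap-mac ]message"; the AP MAC is optional
# because some lines (e.g. "Invalid channel ...") are not tagged with one.
LINE = re.compile(
    r"^\*(?P<task>\w+): (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"(?:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) )?(?P<msg>.*)$",
    re.IGNORECASE,
)
STATE = re.compile(r"CAPWAP State: (.+)$")


def parse(text):
    """Return (timestamp, ap_mac_or_None, message) for every debug line."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # Assumption: the output carries no year, so a fixed one is used
        # purely to make timestamps subtractable.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
        events.append((ts, m["mac"], m["msg"]))
    return events


def join_flaps(events, window_s=5.0):
    """List APs whose DTLS session is torn down within window_s of Join."""
    joined, path, flaps = {}, {}, []
    for ts, mac, msg in events:
        s = STATE.search(msg)
        if mac is None or not s:
            continue
        state = s.group(1).strip()
        if state == "Join":
            joined[mac], path[mac] = ts, []   # start a fresh state path
        path.setdefault(mac, []).append(state)
        if state == "Dtls tear down" and mac in joined:
            start = joined.pop(mac)
            held = (ts - start).total_seconds()
            if held <= window_s:
                flaps.append({
                    "ap": mac,
                    "held_s": held,
                    "states": list(path[mac]),
                    # Untagged controller messages logged while the AP was
                    # joined: context for the reader, not a proven cause.
                    "context": [m for t, a, m in events
                                if a is None and start <= t <= ts],
                })
    return flaps


if __name__ == "__main__":
    for f in join_flaps(parse(SAMPLE)):
        print(f"{f['ap']} held {f['held_s']:.3f}s: {' -> '.join(f['states'])}")
        for line in f["context"]:
            print("   context:", line)
```
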

  • New WSUS install does not respond to clients over ports 8530 or 8531

    I've recently installed WSUS on a Server 2012 machine, and am struggling to get it to respond to requests from other hosts. I cannot get it to respond to any host in any manner, except for requests from itself.
    My setup is as follows:
    WSUS installed on a Server 2012 domain controller, DC01.
    Other roles installed include AD CS, AD DS, DNS, IIS, and Print Services.
    WSUS is using all default settings.
    The firewall has inbound and outbound exceptions for ports 8530 and 8531
    A bit of information about what's happening:
    IIS will respond over port 80. I can open a Web browser from my workstation and connect to http://dc01/. If I attempt to connect to http://dc01:8530 (which I know should not work, but should respond with a 403 error), it times out. Identical behavior is observed over port 8531 with https.
    IIS will respond with a 403 if I make this same connection in a browser on DC01, it will work if I connect using either the loopback IP or hostname, but will time out if I attempt to make the connection using the server's local IP (IPv4).
    If I try to connect from my workstation using the WSUS configuration snap-in, I get an error: The remote server could not be contacted. Please verify that IIS on the server is correctly configured and is running.
    If I try to connect from DC01 using the WSUS configuration snap-in, it works correctly.
    The above is true for both http (8530) and https (8531).
    IIS logs show inbound connections from my workstation and show that IIS is responding with a 200. However, Wireshark running on DC01 shows three attempts by my workstation to open a connection -- three SYN packets, one initial attempt then two identical retries -- over a period of about ten seconds, with no responses from DC01. If IIS is responding, the responses are getting lost sometime before they hit the NIC.
    Bindings in IIS are correct, 8530 for http and 8531 for https.
    Given that everything works fine when making a local connection, I think I can safely assume that WSUS itself is running properly, and the issue is related to IIS. Nonetheless, in the hopes of this simply being a failed install, I have uninstalled and reinstalled both IIS and WSUS multiple times. (One thing to note, though I doubt it's related: WSUS consistently fails to set the path for the local update cache, failing the post-deployment configuration. I have to manually edit the UpdateServices-Services.xml file to include the path for the local cache. Everything goes fine after I do that.)
    I'm pretty stumped on this, and would happily accept any help. Thanks!

    I've recently installed WSUS on a Server 2012 machine, and am struggling to get it to respond to requests from other hosts. I cannot get it to respond to any host in any manner, except for requests from itself.
    My setup is as follows:
    WSUS installed on a Server 2012 domain controller, DC01.
    Other roles installed include AD CS, AD DS, DNS, IIS, and Print Services.
    Fundamentally you have two issues here:
    The first is the question of co-existence between WSUS and AD CS.
    The second is whether this machine was a DC before, or after, you installed WSUS.
    With Windows Server 2003 systems, running 'dcpromo' after installing IIS (and WSUS) would break IIS (and thus WSUS). With Windows Server 2012, installing WSUS with the AD DS role present results in a broken WSUS installation (if not an outright installation failure). This is because on a WS2012 Domain Controller, there are GPO restrictions on "Log On As A Service" which impact the ability of certain LOCAL accounts to do so ... one of which being the Network Service which is required for WSUS and another local use account, which is used for WID.
    Regarding ports and IIS -- WSUS is designed to work on port 8530 by default on a Windows Server 2012 box. It can also be made to work on port 80, but you have to use the correct utilities and procedures to make that change. As for your observation that "port 6000" seems to be a cutoff.... I'll (re)direct your attention to the installation of Active Directory Certificate Services, which I suspect is a contributing factor, and in general firewall configuration rules -- which are probably the most likely culprit on the port range of 6000+ (not including 8530 which I promise you is open by a rule explicitly created by/for WSUS).
    So, here's my suggestion:
    Install the WSUS role first.
    Install the AD DS role if you must (but Domain Controllers should not also be web or application servers).
    Install the AD CS role elsewhere.
    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

  • Issues after changing the AP Name on Wireless LAN Controller

    I recently changed the AP Name of all the Wireless Access Points in my branch office (which are all associated to the branch office Wireless LAN Controller(s)). After that I noticed that all branch office employees are unable to connect to the employee SSID. The employee SSID uses web authentication and employees are authenticated using Head Office AD via Cisco ACS, both located at the Head Office.
    There are other SSIDs on the WLC which all work fine; only the employee SSID, which uses AD authentication, does not work. AD authentication is working fine because employees in HO are successfully able to connect to the employee SSID at HO.
    The branch office is connected to the HO via a tunnel link. We noticed that if we restart both the ASAs at either end of the tunnel, the employee SSID starts working again, but only temporarily for a day or so... What could be the issue? Can renaming the APs cause issues? How can I fix this problem?
    Thanks in advance

    Thanks Elliott,
    I did the debug like you said and I am getting the following debug messages:
    *apfMsConnTask_0: Jun 20 08:18:14.580: Deleting the client immediatly since WLAN is changed
    and also
    *apfReceiveTask: Jun 20 05:25:11.857: 00:1f:3c:86:af:15 Orphan Packet from 192.168.52.34
    The logging on the WLC shows
    *apfReceiveTask: Jun 18 17:56:41.788: %MM-1-ANCHOR_UNAVAILABLE: mm_mobile.c:2155
    All export anchors are down. Cannot anchor the client.00:c0:a8:f3:cd:ae
    The DHCP pool for the employee users is configured on a guest WLC which sits behind an ASA.

  • Wireless Lan Controller Issue

    Hi All,
    We have a Wireless LAN Controller 4402 with software version 4.0.155.5. On Friday we experienced a problem where our clients wouldn't get redirected to the internal webpage for authentication. It would just come up with page not found. We know the page was working fine because we could manually type in https://1.1.1.1/login.html and the page would come up and you could log in successfully. The users who were already connected to the controller were not affected and continued to operate. We have 2 other WLCs at the same software revision and they were not affected, so I don't think it has anything to do with software level. It's like the web server in the WLC failed to work. We failed over the APs to the 3rd WLC and rebooted WLC1. After WLC1 restarted we failed one of the previously non-working APs back to it and it works again.
    I know "now" there are debug commands to run at the time when the WLC wasn't working, but unfortunately I didn't know at the time. The WLC is running fine again and I was wondering if anybody has seen this issue before.
    Any ideas on a fix or reason would be greatly appreciated.
    Thanks,

    We are running WiSM 4.1.185.0 and we just had a similar problem with one controller. The other three controllers were fine when it happened. The exact issue was that the nslookup failed (timed out) from the client, so the web login page won't show when people launch the browser. A reboot of the controller fixed the problem. We have been running Cisco LWAPP for more than a year (from 4.0.155.5 to 4.1.185.0) and it is the first time we have seen this problem. TAC is still investigating the cause.
    Zhenning

  • Warning page on Cisco Wireless Lan Controller for guest access

    Hi,
    We have a Cisco wireless LAN controller 4400 in our organization, and lots of guests use our Wi-Fi network.
    I would like to configure a warning and terms and conditions page for when guests use our network for the first time.
    Can you please let me know whether that is possible without adding an external web server, and how to configure it?
    Many thanks in advance
    Amit Sharma

    Hi Amit,
    Hope you are doing great!!
    The link below will help you get the issue resolved!!
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00809bdb5f.shtml
    Please don't forget to rate the useful posts!!
    Regards
    Surendra

  • How to replace the certificate of Cisco 2106 wireless LAN controller for CAPWAP ?

    I am interested in the CAPWAP feature, and I downloaded the open capwap project to make an Access Controller (AC) and a Wireless Terminal Point (WTP). I built the AC using a PC and the WTP using an Atheros AP. The CAPWAP feature works well when I enable CAPWAP using my own AC and WTP. When I got the Cisco 2106 wireless LAN controller (Cisco WLC), I configured the Cisco WLC to replace my own AC, but I got an authorization failure on the Cisco WLC side. It seems the Cisco WLC could not recognize the CAPWAP messages sent from my own WTP. I think this issue just needs the certificate to be synchronized between the Cisco WLC and the WTP, so I need to replace the Cisco WLC's certificate manually. Does anyone know how to replace the certificate manually on the Cisco WLC?
    Best Regards,
    Alan

    Unfortunately this Support Community is for Cisco Small Business & Small Business Pro product offerings.  The WLC2106 is a traditional Cisco product.  You can find this type of support on the Cisco NetPro Forum for all traditional Cisco products.
    Best Regards,
    Glenn

  • Cisco Wireless LAN Controller Always disconnect

    Dear All,
    Please help with my issue. I use a Cisco Wireless LAN Controller model 5508 with version 7.0.98.0, and I have an issue where the connection always disconnects, pings are always lost, or sometimes clients can't get DHCP from the controller.
    - I configured it as an internal DHCP server with 1 SSID.
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/110865-dhcp-wlc.html
    - DHCP lease is not full and I also tried to clear-lease all but it still does not work.

    1. Config dhcp proxy enable
    2. In case of internal DHCP, try debug for clients using:
    debug client <MAC ADDRESS OF CLIENT>

  • 4404 wireless LAN controller management via wireless clients

    I am having an issue managing a 4404 wireless lan controller via wireless clients.
    I have checked the box "enable controller management to be accessible from wireless clients" under management. For some reason that does not seem to fix the problem (page cannot be displayed). I cannot ping the controller by IP but other devices on the same subnet respond. Everything else works fine.
    I CAN manage the controller when plugged in a wired connection.
    When I do a route print it is identical wireless or wired. The route simply points to my interface. If I modify the route on my computer to actually point to our gateway instead of the interface then everything works. But why should I have to do this only for my wireless connection and not my wired to manage this box?

    Thanks for the info. I narrowed the problem down to an ARP issue.
    In order for me to connect to the controller, I run a batch file that creates a static ARP entry on my laptop. I don't have to do this for any other device except the controller. Not sure what the underlying cause is, but that works as a workaround right now.

  • Wireless LAN Controller not broadcasting network to Access points

    Good Day Team,
    I am working with a 2100 series WLC controller and 1100 series access point.
    I noticed that the wireless lan controller is working. Also the access point is working.
    The issue is that there is no internet connection on the access point.
    What could be the error?
    Kindly advise

    Try to diagnose your problem following these steps:
    1) Connect to the wireless network
    2) Check your IP address with "ifconfig"
    3) Check if your gateway is set correctly with "route -n"
    4) Try to ping your gateway. Is it working?
    5) Try to ping an internet IP like google: "ping 74.125.234.115"
    6) Try to resolve names with "nslookup www.google.com" for example.
    7) Try to traceroute to an IP or name on internet. Check the result to see the last hop you reached.
    8) If you passed all those tests, try this: "telnet www.google.com 80"
    If everything works, but not the test #8, your problem could be related to some proxy configuration.

  • Wireless lan Controller 4402 / ping dynamic interface failed

    Hi,
    I have a problem with a Wireless LAN Controller 4402.
    When I configure the dynamic interface on my network, I cannot reach (I use the ping command) the IP address of the WLC over the wired LAN.
    In my case (wired):
    On my PC I have IP 10.1.78.1 255.255.0.0 and dgw 10.1.1.1 (vlan721)
    The WLC has a management IP of 10.12.2.4 /24 (vlan799) [dgw 10.12.2.1]
    dynamic vlan 792 ip add 10.12.78.100 / 22 (vlan792) [dgw 10.12.68.1]
    I ping these interfaces (10.12.2.4 and 10.12.78.100) and the ping is OK.
    When I create a dynamic interface vlan 721, the problem starts:
    dynamic vlan 791 ip address 10.1.1.240 / 16 (vlan721)
    After this, pings to 10.12.2.4 and 10.12.78.100 don't respond very well and I lose 80-90% of the ping packets.
    Through the Wi-Fi, however, I do not have problems.
    The problem exists only via wired (cable).
    Can you help me?
    Thanks
    FCostalunga

    Hello,
    Pinging the dynamic interface is officially not supported. The reason why is because the controller places a very low priority on ICMP traffic. Typically, you will not have an issue with doing so on your wireless network because this interface is basically a gateway for the client. However, from the wired network - the only interface designed to respond to pings 100% of the time is the management interface. Hope this helps!
    -Mark

  • User names from Wireless LAN Controller

    Hi all
    I'm trying to get a report out of a Cisco 4402 Wireless LAN controller, showing all the current clients on a particular WLAN profile, with their user name.
    The Monitor -> Clients screen shows me all the MAC addresses, and I can filter by WLAN Profile Name to home in on the clients I'm interested in.  When I click on a MAC address for more detail, I can see the correctly populated User Name on the Client Properties screen - so the WLC definitely knows all the detail I need...
    Ideally I want a spreadsheet with a list of usernames of currently connected users (or even better, users that have connected over a time period).  I can't see any way to export this data without doing it manually (and I have 270ish clients at any one time).
    I've tried at the command line, with a "show clients summary", which at least gives me a table I can copy and paste into a spreadsheet, but again the username detail is only displayed with a "show clients detail MACADDRESS" - and the MACADDRESS field won't take a wildcard.
    I've also tried examining the log files, and setting up SysLog to a syslog server - but I haven't observed user names in any of the logs I've seen.
    The WLC is on version 4.2.176.0 - and doing an upgrade isn't very convenient at present - although I might consider taking the pain if a later release provides the functionality I need.
    Does anyone have any ideas on this one?
    Thanks!

    Dear Scott,
    I have some points to clarify for the step-by-step approach that has to be carried out during our downtime, and which is the best option for this migration.
    Will WLCs running different code be able to join a Mobility Group, i.e. irrespective of model and code?
    1. Do I have to create a mobility group and include the existing WLC and the 3 new WLCs, so that when I remove the existing WLC from the group the APs will try to associate with the other WLCs in the group?
    2. In WCS, changing the access point template, configuring primary, secondary and tertiary wireless LAN controller with the new wireless LAN controllers; this activity will be performed during the downtime.
    Which method should I use during the downtime? Looking for your expert view.
    Thanks .... Arun

  • Can cisco CAP2702i connect to Cisco3850 switch with wireless LAN controller license via another switch ?

    If I connect a Cisco AP (CAP2702i) to another switch, and use a trunk port between the Cisco3850 and the other switch, is the AP able to register with the Cisco3850 with wireless LAN controller? Or does the AP have to connect directly to the Cisco3850 in order to register?

    The AP and 3850 wireless management are in the same VLAN (vlan202). The AP is a new unit and has not joined an MC before.
    What I did on the 3850:
    input command - wireless management interface vlan 202
                              - ap cdp
                              - wireless mobility controller
    Is there any config I missed on the 3850, and does any config need to be set on the AP?
    The AP console output shows me "could not discover WLC using dhcp ip". Is it because the AP doesn't have an IP address? If the AP registers with the WLC through layer 2, I believe it is not related to IP. Correct me if I'm wrong.
    Because the 3850 is not PoE, the AP is unable to connect directly to the 3850. I guess I have to use a power adapter to power on the AP.

  • Integrate Wireless LAN Controller with Windows IAS

    I would like to have internal users authenticate to Wireless LAN Controller Module using Windows IAS server. What option are there for me to present to users? Do they get a separate domain username/password box? Can it pass thru their existing domain login credentials if they already logged into Windows domain? Does any additional client/laptop software need to be installed?

    What you should do is configure PEAP and use the IAS so users can authenticate with their AD credentials.
    This should help you:
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml

  • MARS/Wireless LAN Controller

    I see 5.3 for MARS now supports Wireless Lan Controller integration, but 4.3 does not. We use a MARS 20 so 5.3 isn't an option. Anyone heard any news on a future 4.x release getting WLC integration as well?

    There's supposed to be a code merge in 2008. I'm not holding my breath, but I've been told that many times and if true it leads me to believe that eventually the gen 1 will also support the wireless LAN controller. Cisco has never specifically told me that though.
