APs don't join new WLC

Hi all,
I had to change our WLC due to an RMA. Now the APs don't join the WLC:
spamApTask0: Mar 07 14:58:25.789: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 4c:4e:35:b3:da:37: Failed to create DTLS connection for AP  10:169:2:171 (15781).
*spamApTask6: Mar 07 14:58:25.582: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 4c:4e:35:b3:e3:85: Failed to create DTLS connection for AP  10:169:2:147 (15930).
*spamApTask6: Mar 07 14:58:25.527: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 4c:4e:35:b3:e3:a3: Failed to create DTLS connection for AP  10:169:2:145 (15932).
*spamApTask3: Mar 07 14:58:25.193: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 4c:4e:35:57:b2:63: Failed to create DTLS connection for AP  10:169:2:160 (31527).
*spamApTask5: Mar 07 14:58:25.117: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 4c:4e:35:b3:da:2b: Failed to create DTLS connection for AP  10:169:2:167 (15780).
*spamApTask0: Mar 07 14:58:24.971: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 4c:4e:35:b3:e3:d1: Failed to create DTLS connection for AP  10:169:2:177 (15935).
*spamApTask7: Mar 07 14:58:24.516: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 4c:4e:35:57:b2:f9: Failed to create DTLS connection for AP  10:169:2:142 (31537).
*spamApTask4: Mar 07 14:58:24.345: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 4c:4e:35:57:bb:fb: Failed to create DTLS connection for AP  10:169:2:153 (31680).
*spamApTask0: Mar 07 14:58:23.737: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 4c:4e:35:b3:da:37: Failed to create DTLS connection for AP  10:169:2:171 (15781).
*spamApTask6: Mar 07 14:58:23.535: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 4c:4e:35:b3:e3:85: Failed to create DTLS connection for AP  10:169:2:147 (15930).
The only way that I have found to solve it is to perform a factory-default reset on the APs. Unfortunately the APs do not have SSH, Telnet or HTTP access enabled and I don't have physical access to all the APs.
Is there some other way to solve this?

Hi Joan,
spamApTask0: Mar 07 14:58:25.789: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 4c:4e:35:b3:da:37: Failed to create DTLS connection for AP  10:169:2:171 (15781).
As per the logs, this is a problem related to the certificate. Make sure that the time setting on the WLC is correct and updated.
means Unable to create the DTLS database entry for the AP.
Can you paste more info:
From WLC: Sh sysinfo
From AP: sh version
Also paste the entire bootup process from AP console.
Scott is right, for this kind of thing you must raise a TAC case.
Regards
Don't forget to rate helpful posts
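
Added example (not part of the original thread, and not Cisco tooling): one way to triage a pasted WLC message log like the one above, by counting `#CAPWAP-3-DTLS_DB_ERR` entries per AP, converting the colon-separated AP address to dotted form, and measuring how quickly each AP retries. The function names and the sample MAC/IP values are made up for illustration; the parser also accepts entries run together on one line, as they were in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches one DTLS_DB_ERR entry in the format shown in the post. Uses finditer,
# so entries may be separated by newlines or run together on a single line.
ENTRY = re.compile(
    r"\*?(?P<task>spamApTask\d+): "
    r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"#CAPWAP-3-DTLS_DB_ERR: \S+ "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}): "
    r"Failed to create DTLS connection for AP\s+"
    r"(?P<ip>\d{1,3}(?::\d{1,3}){3}) \((?P<num>\d+)\)"
)

# Constructed sample (documentation MAC/IP ranges), newest entry first.
SAMPLE = (
    "*spamApTask0: Mar 07 14:58:25.789: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 "
    "00:00:5e:00:53:01: Failed to create DTLS connection for AP  192:0:2:11 (15781)."
    "*spamApTask6: Mar 07 14:58:25.582: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 "
    "00:00:5e:00:53:02: Failed to create DTLS connection for AP  192:0:2:12 (15930)."
    "*spamApTask0: Mar 07 14:58:23.737: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 "
    "00:00:5e:00:53:01: Failed to create DTLS connection for AP  192:0:2:11 (15781)."
    "*spamApTask6: Mar 07 14:58:23.535: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 "
    "00:00:5e:00:53:02: Failed to create DTLS connection for AP  192:0:2:12 (15930)."
    "*spamApTask2: Mar 07 14:50:00.000: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 "
    "00:00:5e:00:53:03: Failed to create DTLS connection for AP  192:0:2:13 (31527)."
)


def parse_ts(ts):
    # The log carries no year; pin a leap year so "Feb 29" still parses.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S.%f")


def summarize(text):
    """Return {ap_mac: {ip, count, first, last, retry_gaps_s}} for DTLS_DB_ERR entries."""
    seen = defaultdict(list)
    ips = {}
    for m in ENTRY.finditer(text):
        mac = m["mac"].lower()
        seen[mac].append(parse_ts(m["ts"]))
        ips[mac] = m["ip"].replace(":", ".")  # WLC prints the AP address with colons
    report = {}
    for mac, stamps in seen.items():
        stamps.sort()
        gaps = [round((b - a).total_seconds(), 3) for a, b in zip(stamps, stamps[1:])]
        report[mac] = {
            "ip": ips[mac],
            "count": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            "retry_gaps_s": gaps,
        }
    return report


def failing_together(report, window_s=5.0):
    """MACs whose latest failure is within window_s of the newest failure seen.

    Many APs failing in the same few seconds is what the post shows; a lone
    older entry is more likely a single-AP problem.
    """
    if not report:
        return []
    newest = max(r["last"] for r in report.values())
    return sorted(
        mac for mac, r in report.items()
        if (newest - r["last"]).total_seconds() <= window_s
    )


if __name__ == "__main__":
    rep = summarize(SAMPLE)
    for mac, r in sorted(rep.items()):
        print(mac, r["ip"], r["count"], r["retry_gaps_s"])
    print("failing together:", failing_together(rep))
```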

Similar Messages

  • How many APs Can I join a WLC 4402 and WiSM?

    I have a WLC with 20 APs joined into the same management VLAN and
    I'll deploy other campus with 240 APs and 2 WiSMs Blade.
    Is there any recommendation about how many APs I can put on the same management VLAN?
    thanks a lot

    Cisco recommends 60 - 100 access points per VLAN. Attached is the best practices document
    https://cisco.hosted.jivesoftware.com/docs/DOC-4204

  • AP1142N doesn't join his WLC (5508)

    Hello,
    My APs 1142N don't join their WLC. APs and WLC management interface are in the same vlan (WLC can ping all the APs). It is strange because it doesn't seem like they are trying to contact the WLC.
    What's strange is that I have other AP 1142N which joined this WLC without any problem.
    (Cisco Controller) >show sysinfo
    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 7.0.98.214
    Bootloader Version............................... 1.0.1
    Field Recovery Image Version..................... N/A
    Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
    Build Type....................................... DATA + WPS
    ...
    ap#show version
    Cisco IOS Software, C1140 Software (C1140-K9W7-M), Version 12.4(21a)JA1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Wed 16-Sep-09 18:09 by prod_rel_team
    ROM: Bootstrap program is C1140 boot loader
    BOOTLDR: C1140 Boot Loader (C1140-BOOT-M) Version 12.4(23c)JA6, RELEASE SOFTWARE (fc1)
    ap uptime is 43 minutes
    System returned to ROM by power-on
    System image file is "flash:/c1140-k9w7-mx.124-21a.JA1/c1140-k9w7-mx.124-21a.JA1"
    ...
    cisco AIR-AP1142N-E-K9     (PowerPC405ex) processor (revision A0) with 98294K/32768K bytes of memory.
    Processor board ID FCZ1649D2U0
    PowerPC405ex CPU at 586Mhz, revision number 0x147E
    Last reset from power-on
    1 Gigabit Ethernet interface
    2 802.11 Radio(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: E0:2F:6D:A5:AA:F6
    Part Number                          : 73-12836-06
    PCA Assembly Number                  : 800-33767-06
    PCA Revision Number                  : A0
    PCB Serial Number                    : FOC164732R2
    Top Assembly Part Number             : 800-33775-05
    Top Assembly Serial Number           : FCZ1649D2U0
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-AP1142N-E-K9
    Regards,

    OK, thanks. I didn't notice that it was an autonomous image.
    It seems that I can't use this guide (http://www.cisco.com/en/US/docs/wireless/access_point/conversion/lwapp/upgrade/guide/lwapnote.html#wp157147) to upgrade them to lightweight (I can't install the software on Windows Seven).
    Regards

  • AP1252 can't join on WLC

    WLC software 7.2.103.0
    1. First problem: AP1252 can't join the WLC. The MAC was added to the MAC filter properly.
    170
    Mon Apr 9 15:37:32 2012
    Mesh Node '2c:3f:38:be:53:ef' failed to join controller, MAC address not in MAC filter list.
    171
    Mon Apr 9 15:37:32 2012
    AAA Authentication Failure for UserName:2c3f38be53e0 User Type: WLAN USER
    172
    Mon Apr 9 15:37:32 2012
    Coverage hole pre alarm for client[1] 40:a6:d9:ef:87:68 on 802.11b/g interface of AP 2c:3f:38:bf:0c:80 (AP2c3f.38bf.0c80). Hist: 46 7 5 4 2 1 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
    173
    Mon Apr 9 15:37:32 2012
    Coverage hole pre alarm for client[1] 8c:7b:9d:05:a0:67 on 802.11b/g interface of AP 2c:3f:38:bf:0c:80 (AP2c3f.38bf.0c80). Hist: 50 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
    174
    Mon Apr 9 15:37:30 2012
    Interference Profile Failed for Base Radio MAC: 2c:3f:38:bf:1e:40 and slotNo: 0
    175
    Mon Apr 9 15:37:28 2012
    Mesh child node 'd4:d7:48:6d:48:2f' has changed its parent to mesh node '2c:3f:38:bf:ef:60' from mesh node 'd4:d7:48:6c:7d:80'.
    176
    Mon Apr 9 15:37:28 2012
    Mesh Node '2c:3f:38:bf:1d:2f' failed to join controller, MAC address not in MAC filter list.
    177
    Mon Apr 9 15:37:28 2012
    AAA Authentication Failure for UserName:2c3f38bf1d20 User Type: WLAN USER
    178
    Mon Apr 9 15:37:28 2012
    Mesh child node '2c:3f:38:bf:1d:2f' has changed its parent to mesh node 'd4:d7:48:6c:70:e0' from mesh node '2c:3f:38:be:55:00'.
    179
    Mon Apr 9 15:37:28 2012
    Interference Profile Updated to Pass for Base Radio MAC: 2c:3f:38:bf:4b:20 and slotNo: 0
    180
    Mon Apr 9 15:37:27 2012
    Interference Profile Failed for Base Radio MAC: d4:d7:48:6c:81:60 and slotNo: 0
    Several APs can't join the WLC and all are added to the MAC filter, but they are showing these messages.
    2. Second problem: Operational Status = UNKNOWN
    Some access points are in UNKNOWN status. I tried but I can't do the reboot.
    I can access the web config of the APs using the WLC, but when I applied the reset, it wasn't working properly.

    Murlio:
    Is the AP model 1522 or 1252? I think you mean the outdoor AP 1522 (which needs a MAC filter), right?
    Please double-check the MAC filter you added. Try to delete it and then add it again if necessary.
    It is obvious that it is a MAC filter problem. Be sure that you add the correct MAC address, that it is written correctly in the correct format, and that the MAC filter is created for "any WLAN" with the interface name "management".
    Hope this will solve the issue.
    Amjad

  • AP not joining the new WLC

    Hi,
    I have an existing setup wherein I have a 4400 WLC and an AP 1242 registered to it.
    I had to replace the WLC with a new 5500 WLC. I tried registering the 1242 AP with this new controller but I'm getting the following error message:
    AP0026.0b4d.093a#
    *Apr 25 07:51:59.216: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.7.51.11:5246
    Translating "CISCO-LWAPP-CONTROLLER"...domain server (255.255.255.255)
    Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
    *Apr 25 07:52:13.735: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-LWAPP-CONTROLLER
    AP0026.0b4d.093a#
    Translating "CISCO-LWAPP-CONTROLLER"...domain server (255.255.255.255)
    *Apr 25 07:52:22.736: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
    *Apr 25 07:52:22.736: %CAPWAP-3-ERRORLOG: Dropping dtls packet since session is not established.
    *Apr 25 07:52:22.794: %WIDS-6-DISABLED: IDS Signature is removed and disabled.
    *Apr 25 07:52:22.795: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Apr 25 07:52:22.796: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Apr 25 07:52:22.863: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Apr 25 07:52:22.863: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
    *Apr 25 07:52:22.885: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Apr 25 07:52:22.885: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Apr 25 07:52:22.886: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Apr 25 07:52:22.918: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Apr 25 07:52:22.918: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Apr 25 07:52:22.946: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Apr 25 07:52:22.947: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
    *Apr 25 07:52:31.885: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-LWAPP-CONTROLLER
    *Apr 25 07:52:40.886: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
    *Apr 25 07:52:40.888:  status of voice_diag_test from WLC is false
    *Apr 25 07:52:40.889: %CAPWAP-3-ERRORLOG: Could not send primary discoveryrequest. The CAPWAP state has not moved to RUN yet
    *Apr 25 07:52:40.890: %CAPWAP-3-ERRORLOG: Could not send primary discoveryrequest. The CAPWAP state has not moved to RUN yet
    *Apr 25 07:52:40.900: %LWAPP-3-CLIENTERRORLOG: Primary Discovery Reply: received primary discovery reply when connected to a Primary/Secondary/Tertiary controller
    *Apr 25 07:52:50.887: %CAPWAP-3-ERRORLOG: Selected MWAR 'L&T-WLC-Powai'(index 0).
    *Apr 25 07:52:50.887: %CAPWAP-3-ERRORLOG: Go join a capwap controller 
    *Apr 25 13:23:03.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.5.3 peer_port: 5246
    *Apr 25 13:23:03.001: %CAPWAP-5-CHANGED: CAPWAP changed state to  
    *Apr 25 13:23:04.717: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.5.3 peer_port: 5246
    *Apr 25 13:23:04.718: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.5.3
    *Apr 25 13:23:04.718: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Apr 25 13:23:04.719: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.5.3
    *Apr 25 13:23:04.719: %DTLS-5-PEER_DISCONNECT: Peer 172.16.5.3 has closed connection.
    *Apr 25 13:23:04.720: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.5.3:5246
    *Apr 25 13:23:04.721: %CAPWAP-3-ERRORLOG: Go join a capwap controller 
    *Apr 25 07:52:41.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.7.51.11 peer_port: 5246
    *Apr 25 07:52:41.001: %CAPWAP-5-CHANGED: CAPWAP changed state to  
    *Apr 25 07:52:42.449: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.7.51.11 peer_port: 5246
    *Apr 25 07:52:42.450: %CAPWAP-5-SENDJOIN: sending Join Request to 10.7.51.11
    *Apr 25 07:52:42.450: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Apr 25 07:52:42.647: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *Apr 25 07:52:42.794: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Apr 25 07:52:42.807: %CAPWAP-5-CHANGED: CAPWAP changed state to UP
    *Apr 25 07:52:42.808: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Apr 25 07:52:42.879: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WLC1-T
    *Apr 25 07:52:42.940: %LWAPP-3-CLIENTEVENTLOG: SSID LTHE-Mobile added to the slot[0]
    Writing out the event log to nvram...
    The AP is getting a close message from the new controller. What could the issue be?

    After the AP gets a close message from the new WLC, it gets re associated to the old WLC.
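
Added example (not part of the original thread): a small reader for AP console output like the log above, which splits it into join attempts per controller and reports how far each one got, for instance DTLS up and Join Request sent, then closed by the controller. It keys on the message mnemonics visible in the logs on this page; the function name, outcome labels and sample addresses are made up for illustration.

```python
import re

# %FACILITY-SEVERITY-MNEMONIC: message
MNEMONIC = re.compile(r"%(?P<fac>[A-Z]+)-(?P<sev>\d)-(?P<mn>[A-Z_]+): (?P<msg>.*)")
IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample in the AP console format (documentation IP ranges).
SAMPLE = """\
*Apr 25 13:23:03.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.0.2.10 peer_port: 5246
*Apr 25 13:23:04.717: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.0.2.10 peer_port: 5246
*Apr 25 13:23:04.718: %CAPWAP-5-SENDJOIN: sending Join Request to 192.0.2.10
*Apr 25 13:23:04.718: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Apr 25 13:23:04.719: %DTLS-5-ALERT: Received WARNING : Close notify alert from 192.0.2.10
*Apr 25 13:23:04.720: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.0.2.10:5246
*Apr 25 07:52:41.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 198.51.100.20 peer_port: 5246
*Apr 25 07:52:42.449: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 198.51.100.20 peer_port: 5246
*Apr 25 07:52:42.450: %CAPWAP-5-SENDJOIN: sending Join Request to 198.51.100.20
*Apr 25 07:52:42.647: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*Apr 25 07:52:42.807: %CAPWAP-5-CHANGED: CAPWAP changed state to UP
*Apr 25 07:52:42.879: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WLC-OLD
*Dec 14 15:42:12.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 203.0.113.8 peer_port: 5246
*Dec 14 15:42:14.303: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 203.0.113.8 peer_port: 5246
*Dec 14 15:42:14.303: %CAPWAP-5-SENDJOIN: sending Join Request to 203.0.113.8
*Dec 14 15:42:15.855: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller lab-controller
*Dec 14 15:42:15.915: %LWAPP-3-CLIENTERRORLOG: Switching to Connected mode
*Dec 14 15:45:43.787: %LWAPP-3-CLIENTERRORLOG: Switching to Standalone mode
*Dec 14 15:45:43.787: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 203.0.113.8:5246
"""


def join_attempts(log_text):
    """Split an AP console log into join attempts, one per DTLSREQSEND.

    Lines are handled in file order, not timestamp order: the AP clock jumps
    when it syncs time with a controller, as the log in the post shows.
    """
    attempts = []
    cur = None
    for line in log_text.splitlines():
        m = MNEMONIC.search(line)
        if not m:
            continue
        key = m["fac"] + "-" + m["mn"]
        msg = m["msg"]
        ip = IP.search(msg)
        if key == "CAPWAP-DTLSREQSEND" and ip:
            cur = {"peer": ip.group(), "stage": "DTLS_REQUEST",
                   "outcome": "incomplete", "controller": None}
            attempts.append(cur)
        elif cur is None:
            continue  # nothing to attach this line to yet
        elif key == "CAPWAP-DTLSREQSUCC":
            cur["stage"] = "DTLS_UP"
        elif key == "CAPWAP-SENDJOIN":
            cur["stage"] = "JOIN_SENT"
        elif key == "CAPWAP-CHANGED":
            state = msg.split("state to", 1)[-1].strip()
            if state in ("CFG", "UP"):
                cur["stage"] = state
        elif key == "CAPWAP-JOINEDCONTROLLER":
            cur["stage"] = "JOINED"
            cur["outcome"] = "joined"
            # Split from the left: controller names may themselves end in "controller".
            cur["controller"] = msg.split("joined controller ", 1)[-1].strip()
        elif key in ("DTLS-ALERT", "DTLS-PEER_DISCONNECT") and cur["outcome"] == "incomplete":
            cur["outcome"] = "closed_by_controller"
        elif key == "DTLS-SEND_ALERT" and cur["outcome"] == "incomplete":
            cur["outcome"] = "closed_by_ap"
        elif (key == "LWAPP-CLIENTERRORLOG" and "Standalone" in msg
              and cur["outcome"] == "joined"):
            cur["outcome"] = "joined_then_dropped"
    return attempts


if __name__ == "__main__":
    for a in join_attempts(SAMPLE):
        print(a["peer"], a["stage"], a["outcome"], a["controller"] or "-")
```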

  • Trouble getting Cisco 2600 Series AP to stay joined to WLC 5508

    Hi,
    I have recently been tasked with upgrading our old Autonomous APs to LWAPs.  We have a 5508 WLC at our Virtual Co-Lo and I am using Flexconnect to accommodate local switching and DHCP at our sites.  I have upgraded over 50 APs and joined them to the controller.  These include only 1130AG and 1240AG models.  However they are working flawlessly and staying connected to the controller.  The issue I'm having is with a new batch of 2600 series APs staying connected to the controller.  I have attempted to do research into what may be causing the disconnects but have yet to find a solution.  I am using DNS to resolve the CAPWAP & LWAPP queries from the APs to the controller across our WAN.  In reading other posts I thought it may be an issue with packets getting dropped but have had our Vendor who manages Sonicwalls at both ends of the WAN confirm for me there is no packet loss.  Below are logs I gathered using PuTTY from the AP & WLC.  Any help would be greatly appreciated.
    AP I'm doing the testing on:
    NAME: "AP2600", DESCR: "Cisco Aironet 2600 Series (IEEE 802.11n) Access Point"
    PID: AIR-CAP2602I-A-K9 , VID: V01, SN: FTX1740J8V1
    WLC in question:
    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 7.3.112.0
    Bootloader Version............................... 1.0.1
    Field Recovery Image Version..................... 6.0.182.0
    Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
    Build Type....................................... DATA + WPS
    System Name...................................... wificontroller
    System Location.................................. Corp
    System Contact................................... Net Engineer
    System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
    Redundancy Mode.................................. Disabled
    IP Address....................................... 10.250.32.8
    Last Reset....................................... Software reset
    System Up Time................................... 190 days 3 hrs 34 mins 24 secs
    System Timezone Location......................... (GMT -5:00) Eastern Time (US and Canada)
    Configured Country............................... US  - United States
    Operating Environment............................ Commercial (0 to 40 C)
    Internal Temp Alarm Limits....................... 0 to 65 C
    --More-- or (q)uit
    Internal Temperature............................. +38 C
    External Temperature............................. +20 C
    Fan Status....................................... OK
    State of 802.11b Network......................... Enabled
    State of 802.11a Network......................... Enabled
    Number of WLANs.................................. 14
    Number of Active Clients......................... 71
    Burned-in MAC Address............................ C8:9C:1D:8C:52:E0
    Power Supply 1................................... Present, OK
    Power Supply 2................................... Absent
    Maximum number of APs supported.................. 100
    Here is the output that keeps on occurring as the AP joins the WLC for a brief time and then changes to standalone mode:
    WT-4thFlr-AP3#
    *Dec 14 15:42:04.419: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST
    ., 3)
    *Dec 14 15:42:11.443: %EVT-4-WRN: Write of flash:/event.capwap done
    *Dec 14 15:42:11.483: %LWAPP-3-CLIENTERRORLOG: Switching to Standalone mode
    *Dec 14 15:42:11.487: %CAPWAP-3-ERRORLOG: GOING BACK TO DISCOVER MODE
    *Dec 14 15:42:11.487: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.250.32.8:5246
    *Dec 14 15:42:11.571: %WIDS-6-DISABLED: IDS Signature is removed and disabled.
    *Dec 14 15:42:21.575: %CAPWAP-3-ERRORLOG: Selected MWAR 'wificontroller'(index 0).
    *Dec 14 15:42:21.575: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Dec 14 15:42:12.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.250.32.8 peer_port: 5246
    *Dec 14 15:42:14.303: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.250.32.8 peer_port: 5246
    *Dec 14 15:42:14.303: %CAPWAP-5-SENDJOIN: sending Join Request to 10.250.32.8
    *Dec 14 15:42:15.127: Starting Ethernet promiscuous mode
    *Dec 14 15:42:15.535: %LWAPP-4-CLIENTEVENTLOG: OfficeExtend Localssid saved in AP flash
    *Dec 14 15:42:15.667: ac_first_hop_mac - IP:10.1.2.250 Hop IP:10.1.2.250 IDB:BVI1
    *Dec 14 15:42:15.667: Setting AC first hop MAC: 0017.c575.a23c
    *Dec 14 15:42:15.855: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller wificontroller
    *Dec 14 15:42:15.911: %LWAPP-4-CLIENTEVENTLOG: No Flex ACL map configuration file to load. Connect to controller to get configuration file
    *Dec 14 15:42:15.911: %LWAPP-4-CLIENTEVENTLOG: No Flex ACL map configuration file to load. Connect to controller to get configuration file
    *Dec 14 15:42:15.911: %LWAPP-4-CLIENTEVENTLOG: No LS Flex ACL map configuration file to load. Connect to controller to get configuration file
    *Dec 14 15:42:15.915: %LWAPP-4-CLIENTEVENTLOG: No Central Dhcp map configuration file to load. Connect to controller to get configuration file
    *Dec 14 15:42:15.915: %LWAPP-3-CLIENTERRORLOG: Switching to Connected mode
    *Dec 14 15:42:23.639: %WIDS-6-ENABLED: IDS Signature is loaded and enabled
    *Dec 14 15:42:34.615: %CLEANAIR-6-STATE: Slot 0 disabled
    *Dec 14 15:42:34.615: %CLEANAIR-6-STATE: Slot 1 disabled
    *Dec 14 15:45:43.783: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST
    ., 11)
    *Dec 14 15:45:43.787: %LWAPP-3-CLIENTERRORLOG: Switching to Standalone mode
    *Dec 14 15:45:43.787: %CAPWAP-3-ERRORLOG: GOING BACK TO DISCOVER MODE
    *Dec 14 15:45:43.787: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.250.32.8:5246
    *Dec 14 15:45:43.867: %WIDS-6-DISABLED: IDS Signature is removed and disabled.
    *Dec 14 15:45:53.867: %CAPWAP-3-ERRORLOG: Selected MWAR 'wificontroller'(index 0).
    *Dec 14 15:45:53.867: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Dec 14 15:45:44.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.250.32.8 peer_port: 5246
    *Dec 14 15:45:46.315: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.250.32.8 peer_port: 5246
    *Dec 14 15:45:46.315: %CAPWAP-5-SENDJOIN: sending Join Request to 10.250.32.8
    *Dec 14 15:45:46.487: Starting Ethernet promiscuous mode
    *Dec 14 15:45:49.903: %LWAPP-4-CLIENTEVENTLOG: OfficeExtend Localssid saved in AP flash
    *Dec 14 15:45:50.031: ac_first_hop_mac - IP:10.1.2.250 Hop IP:10.1.2.250 IDB:BVI1
    *Dec 14 15:45:50.031: Setting AC first hop MAC: 0017.c575.a23c
    Here are the results of debug capwap client event on the AP:
    WT-4thFlr-AP3#debug capwap client event
    CAPWAP Client EVENT display debugging is on
    WT-4thFlr-AP3#
    *Dec 14 15:54:58.335: %CAPWAP-3-EVENTLOG: Echo Interval Expired.
    *Dec 14 15:54:58.335: %CAPWAP-3-EVENTLOG: Sending packet to AC
    *Dec 14 15:54:58.335: %CAPWAP-3-EVENTLOG: Echo Request sent to 10.250.32.8
    *Dec 14 15:54:58.343: %CAPWAP-3-EVENTLOG: Resetting reTransmissionCnt to 0
    *Dec 14 15:54:58.343: %CAPWAP-3-EVENTLOG: Queue Empty.
    *Dec 14 15:54:58.343: %CAPWAP-3-EVENTLOG: Echo Response from 10.250.32.8
    *Dec 14 15:55:08.000: %CAPWAP-3-EVENTLOG: Setting time to 15:55:08 UTC Dec 14 2013
    *Dec 14 15:55:25.579: %CAPWAP-3-EVENTLOG: Sending packet to AC
    *Dec 14 15:55:25.587: %CAPWAP-3-EVENTLOG: Resetting reTransmissionCnt to 0
    *Dec 14 15:55:25.587: %CAPWAP-3-EVENTLOG: Queue Empty.
    *Dec 14 15:55:25.587: %CAPWAP-3-EVENTLOG: Wtp Event Response from 10.250.32.8
    *Dec 14 15:55:25.827: %CAPWAP-3-EVENTLOG: Sending packet to AC
    *Dec 14 15:55:25.835: %CAPWAP-3-EVENTLOG: Resetting reTransmissionCnt to 0
    *Dec 14 15:55:25.835: %CAPWAP-3-EVENTLOG: Queue Empty.
    *Dec 14 15:55:25.835: %CAPWAP-3-EVENTLOG: Wtp Event Response from 10.250.32.8
    *Dec 14 15:55:55.835: %CAPWAP-3-EVENTLOG: Echo Interval Expired.
    *Dec 14 15:55:55.835: %CAPWAP-3-EVENTLOG: Sending packet to AC
    *Dec 14 15:55:55.835: %CAPWAP-3-EVENTLOG: Echo Request sent to 10.250.32.8
    *Dec 14 15:55:55.843: %CAPWAP-3-EVENTLOG: Resetting reTransmissionCnt to 0
    *Dec 14 15:55:55.843: %CAPWAP-3-EVENTLOG: Queue Empty.
    *Dec 14 15:55:55.843: %CAPWAP-3-EVENTLOG: Echo Response from 10.250.32.8
    *Dec 14 15:55:56.000: %CAPWAP-3-EVENTLOG: Setting time to 15:55:56 UTC Dec 14 2013
    *Dec 14 15:56:25.735: %CAPWAP-3-EVENTLOG: Sending packet to AC
    *Dec 14 15:56:25.743: %CAPWAP-3-EVENTLOG: Resetting reTransmissionCnt to 0
    *Dec 14 15:56:25.743: %CAPWAP-3-EVENTLOG: Queue Empty.
    *Dec 14 15:56:25.743: %CAPWAP-3-EVENTLOG: Wtp Event Response from 10.250.32.8
    *Dec 14 15:56:25.983: %CAPWAP-3-EVENTLOG: Sending packet to AC
    *Dec 14 15:56:25.991: %CAPWAP-3-EVENTLOG: Resetting reTransmissionCnt to 0
    *Dec 14 15:56:25.991: %CAPWAP-3-EVENTLOG: Queue Empty.
    *Dec 14 15:56:25.991: %CAPWAP-3-EVENTLOG: Wtp Event Response from 10.250.32.8
    *Dec 14 15:56:55.991: %CAPWAP-3-EVENTLOG: Echo Interval Expired.
    *Dec 14 15:56:55.991: %CAPWAP-3-EVENTLOG: Sending packet to AC
    *Dec 14 15:56:55.991: %CAPWAP-3-EVENTLOG: Echo Request sent to 10.250.32.8
    *Dec 14 15:56:55.999: %CAPWAP-3-EVENTLOG: Resetting reTransmissionCnt to 0
    *Dec 14 15:56:55.999: %CAPWAP-3-EVENTLOG: Queue Empty.
    *Dec 14 15:56:55.999: %CAPWAP-3-EVENTLOG: Echo Response from 10.250.32.8
    *Dec 14 15:56:56.000: %CAPWAP-3-EVENTLOG: Setting time to 15:56:56 UTC Dec 14 2013
    Here are the results of debug capwap client packet detail:
    WT-4thFlr-AP3#
    *Dec 14 15:59:01.823: <<<<   Start of CAPWAP Packet  >>>>
    *Dec 14 15:59:01.823: CAPWAP Control mesg Sent to 10.250.32.8, Port 5246
    *Dec 14 15:59:01.823:         Msg Type   : CAPWAP_ECHO_REQUEST
    *Dec 14 15:59:01.823:         Msg Length : 0
    *Dec 14 15:59:01.823:         Msg SeqNum : 44
    *Dec 14 15:59:01.823: <<<<  End of CAPWAP Packet  >>>>
    *Dec 14 15:59:01.831: <<<<   Start of CAPWAP Packet  >>>>
    *Dec 14 15:59:01.831: CAPWAP Control mesg Recd from 10.250.32.8, Port 5246
    *Dec 14 15:59:01.831:         HLEN 2,   Radio ID 0,    WBID 1
    *Dec 14 15:59:01.831:         Msg Type   : CAPWAP_ECHO_RESPONSE
    *Dec 14 15:59:01.831:         Msg Length : 15
    *Dec 14 15:59:01.831:         Msg SeqNum : 44
    *Dec 14 15:59:01.831: 
    *Dec 14 15:59:01.831:      Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 11
    *Dec 14 15:59:01.831:         Vendor Identifier  : 0x00409600
    *Dec 14 15:59:01.831:
    *Dec 14 15:59:01.831:
        IE            :   UNKNOWN IE 151
    *Dec 14 15:59:01.831:     IE Length     :   5
    *Dec 14 15:59:01.831:     Decode routine not available, Printing Hex Dump
    *Dec 14 15:59:01.831:
    52 AC 80 46 00
    *Dec 14 15:59:01.831: <<<<  End of CAPWAP Packet  >>>>
    *Dec 14 15:59:20.931: <<<<   Start of CAPWAP Packet  >>>>
    *Dec 14 15:59:20.931: CAPWAP Control mesg Recd from 10.250.32.8, Port 5246
    *Dec 14 15:59:20.931:         HLEN 2,   Radio ID 0,    WBID 1
    *Dec 14 15:59:20.931:         Msg Type   : CAPWAP_CONFIGURATION_UPDATE_REQUEST
    *Dec 14 15:59:20.931:         Msg Length : 93
    *Dec 14 15:59:20.931:         Msg SeqNum : 38
    *Dec 14 15:59:20.931: 
    *Dec 14 15:59:20.931:      Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 89
    *Dec 14 15:59:20.931:         Vendor Identifier  : 0x00409600
    *Dec 14 15:59:20.931:
    *Dec 14 15:59:20.931:
        IE            :   RRM_NEIGHBOR_CTRL_PAYLOAD
    *Dec 14 15:59:20.931:     IE Length     :   83
    *Dec 14 15:59:20.931:     Decode routine not available, Printing Hex Dump
    *Dec 14 15:59:20.931:
    *Dec 14 15:59:20.931: <<<<  End of CAPWAP Packet  >>>>
    *Dec 14 15:59:20.931: <<<<   Start of CAPWAP Packet  >>>>
    *Dec 14 15:59:20.931: CAPWAP Control mesg Sent to 10.250.32.8, Port 5246
    *Dec 14 15:59:20.931:         Msg Type   : CAPWAP_CONFIGURATION_UPDATE_RESPONSE
    *Dec 14 15:59:20.931:         Msg Length : 8
    *Dec 14 15:59:20.931:         Msg SeqNum : 38
    *Dec 14 15:59:20.931: 
    *Dec 14 15:59:20.931:      Type : CAPWAP_MSGELE_RESULT_CODE, Length 4
    *Dec 14 15:59:20.931:         Result Code : CAPWAP_SUCCESS
    *Dec 14 15:59:20.931: <<<<  End of CAPWAP Packet  >>>>
    *Dec 14 15:59:21.139: <<<<   Start of CAPWAP Packet  >>>>
    *Dec 14 15:59:21.139: CAPWAP Control mesg Recd from 10.250.32.8, Port 5246
    *Dec 14 15:59:21.139:         HLEN 2,   Radio ID 0,    WBID 1
    *Dec 14 15:59:21.139:         Msg Type   : CAPWAP_CONFIGURATION_UPDATE_REQUEST
    *Dec 14 15:59:21.139:         Msg Length : 111
    *Dec 14 15:59:21.139:         Msg SeqNum : 39
    *Dec 14 15:59:21.139: 
    *Dec 14 15:59:21.139:      Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 107
    *Dec 14 15:59:21.139:         Vendor Identifier  : 0x00409600
    *Dec 14 15:59:21.139:
    *Dec 14 15:59:21.139:
        IE            :   RRM_NEIGHBOR_CTRL_PAYLOAD
    *Dec 14 15:59:21.139:     IE Length     :   101
    *Dec 14 15:59:21.139:     Decode routine not available, Printing Hex Dump
    *Dec 14 15:59:21.143:
    *Dec 14 15:59:21.143: <<<<  End of CAPWAP Packet  >>>>
    *Dec 14 15:59:21.143: <<<<   Start of CAPWAP Packet  >>>>
    *Dec 14 15:59:21.143: CAPWAP Control mesg Sent to 10.250.32.8, Port 5246
    *Dec 14 15:59:21.143:         Msg Type   : CAPWAP_CONFIGURATION_UPDATE_RESPONSE
    *Dec 14 15:59:21.143:         Msg Length : 8
    *Dec 14 15:59:21.143:         Msg SeqNum : 39
    *Dec 14 15:59:21.143: 
    *Dec 14 15:59:21.143:      Type : CAPWAP_MSGELE_RESULT_CODE, Length 4
    *Dec 14 15:59:21.143:         Result Code : CAPWAP_SUCCESS
    *Dec 14 15:59:21.143: <<<<  End of CAPWAP Packet  >>>>
    *Dec 14 15:59:25.547: <<<<   Start of CAPWAP Packet  >>>>
    *Dec 14 15:59:25.547: CAPWAP Control mesg Sent to 10.250.32.8, Port 5246
    *Dec 14 15:59:25.547:         Msg Type   : CAPWAP_WTP_EVENT_REQUEST
    *Dec 14 15:59:25.547:         Msg Length : 14
    *Dec 14 15:59:25.547:         Msg SeqNum : 45
    *Dec 14 15:59:25.547: 
    *Dec 14 15:59:25.547:      Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 10
    *Dec 14 15:59:25.547:         Vendor Identifier  : 0x00409600
    *Dec 14 15:59:25.547:
    *Dec 14 15:59:25.547:
        IE            :   RRM_LOAD_DATA_PAYLOAD
    *Dec 14 15:59:25.547:     IE Length     :   4
    *Dec 14 15:59:25.547:          slot 0 rxLoad 0 txLoad 0 ccaLoad 33
    *Dec 14 15:59:25.547: <<<<  End of CAPWAP Packet  >>>>
    *Dec 14 15:59:25.555: <<<<   Start of CAPWAP Packet  >>>>
    *Dec 14 15:59:25.555: CAPWAP Control mesg Recd from 10.250.32.8, Port 5246
    *Dec 14 15:59:25.555:         HLEN 2,   Radio ID 0,    WBID 1
    *Dec 14 15:59:25.555:         Msg Type   : CAPWAP_WTP_EVENT_RESPONSE
    *Dec 14 15:59:25.555:         Msg Length : 0
    *Dec 14 15:59:25.555:         Msg SeqNum : 45
    *Dec 14 15:59:25.555: <<<<  End of CAPWAP Packet  >>>>
    *Dec 14 15:59:25.795: <<<<   Start of CAPWAP Packet  >>>>
    *Dec 14 15:59:25.795: CAPWAP Control mesg Sent to 10.250.32.8, Port 5246
    *Dec 14 15:59:25.795:         Msg Type   : CAPWAP_WTP_EVENT_REQUEST
    *Dec 14 15:59:25.795:         Msg Length : 14
    *Dec 14 15:59:25.795:         Msg SeqNum : 46
    *Dec 14 15:59:25.795: 
    *Dec 14 15:59:25.795:      Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 10
    *Dec 14 15:59:25.795:         Vendor Identifier  : 0x00409600
    *Dec 14 15:59:25.795:
    *Dec 14 15:59:25.795:
        IE            :   RRM_LOAD_DATA_PAYLOAD
    *Dec 14 15:59:25.795:     IE Length     :   4
    *Dec 14 15:59:25.795:          slot 1 rxLoad 0 txLoad 0 ccaLoad 0
    *Dec 14 15:59:25.795: <<<<  End of CAPWAP Packet  >>>>
    *Dec 14 15:59:25.803: <<<<   Start of CAPWAP Packet  >>>>
    *Dec 14 15:59:25.803: CAPWAP Control mesg Recd from 10.250.32.8, Port 5246
    *Dec 14 15:59:25.803:         HLEN 2,   Radio ID 0,    WBID 1
    *Dec 14 15:59:25.803:         Msg Type   : CAPWAP_WTP_EVENT_RESPONSE
    *Dec 14 15:59:25.803:         Msg Length : 0
    *Dec 14 15:59:25.803:         Msg SeqNum : 46
    *Dec 14 15:59:25.803: <<<<  End of CAPWAP Packet  >>>>
    *Dec 14 15:59:30.375: <<<<   Start of CAPWAP Packet  >>>>
    *Dec 14 15:59:30.375: CAPWAP Control mesg Recd from 10.250.32.8, Port 5246
    *Dec 14 15:59:30.375:         HLEN 2,   Radio ID 0,    WBID 1
    *Dec 14 15:59:30.375:         Msg Type   : CAPWAP_CONFIGURATION_UPDATE_REQUEST
    *Dec 14 15:59:30.375:         Msg Length : 17
    *Dec 14 15:59:30.375:         Msg SeqNum : 40
    *Dec 14 15:59:30.375: 
    *Dec 14 15:59:30.375:      Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 13
    *Dec 14 15:59:30.375:         Vendor Identifier  : 0x00409600
            SlotId                  :   0
            Mobile Mac Addr         :   BC:52:B7:E3:17:CB
    *Dec 14 15:59:30.375: <<<<  End of CAPWAP Packet  >>>>
    *Dec 14 15:59:30.375: <<<<   Start of CAPWAP Packet  >>>>
    *Dec 14 15:59:30.375: CAPWAP Control mesg Sent to 10.250.32.8, Port 5246
    *Dec 14 15:59:30.375:         Msg Type   : CAPWAP_CONFIGURATION_UPDATE_RESPONSE
    *Dec 14 15:59:30.379:         Msg Length : 8
    *Dec 14 15:59:30.379:         Msg SeqNum : 40
    *Dec 14 15:59:30.379: 
    *Dec 14 15:59:30.379:      Type : CAPWAP_MSGELE_RESULT_CODE, Length 4
    *Dec 14 15:59:30.379:         Result Code : CAPWAP_SUCCESS
    *Dec 14 15:59:30.379: <<<<  End of CAPWAP Packet  >>>>
    *Dec 14 15:59:30.387: <<<<   Start of CAPWAP Packet  >>>>
    *Dec 14 15:59:30.387: CAPWAP Control mesg Recd from 10.250.32.8, Port 5246
    *Dec 14 15:59:30.387:         HLEN 2,   Radio ID 0,    WBID 1
    *Dec 14 15:59:30.387:         Msg Type   : CAPWAP_WTP_EVENT_RESPONSE
    *Dec 14 15:59:30.387:         Msg Length : 0
    *Dec 14 15:59:30.387:         Msg SeqNum : 47
    *Dec 14 15:59:30.387: <<<<  End of CAPWAP Packet  >>>>
    *Dec 14 16:00:00.387: <<<<   Start of CAPWAP Packet  >>>>
    *Dec 14 16:00:00.387: CAPWAP Control mesg Sent to 10.250.32.8, Port 5246
    *Dec 14 16:00:00.387:         Msg Type   : CAPWAP_ECHO_REQUEST
    *Dec 14 16:00:00.387:         Msg Length : 0
    *Dec 14 16:00:00.387:         Msg SeqNum : 48
    *Dec 14 16:00:00.387: <<<<  End of CAPWAP Packet  >>>>
    *Dec 14 16:00:00.395: <<<<   Start of CAPWAP Packet  >>>>
    *Dec 14 16:00:00.395: CAPWAP Control mesg Recd from 10.250.32.8, Port 5246
    *Dec 14 16:00:00.395:         HLEN 2,   Radio ID 0,    WBID 1
    *Dec 14 16:00:00.395:         Msg Type   : CAPWAP_ECHO_RESPONSE
    *Dec 14 16:00:00.395:         Msg Length : 15
    *Dec 14 16:00:00.395:         Msg SeqNum : 48
    *Dec 14 16:00:00.395: 
    *Dec 14 16:00:00.395:      Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 11
    *Dec 14 16:00:00.395:         Vendor Identifier  : 0x00409600
    *Dec 14 16:00:00.395:
    *Dec 14 16:00:00.395:
        IE            :   UNKNOWN IE 151
    *Dec 14 16:00:00.395:     IE Length     :   5
    *Dec 14 16:00:00.395:     Decode routine not available, Printing Hex Dump
    *Dec 14 16:00:00.395:
    52 AC 80 81 00
    *Dec 14 16:00:00.395: <<<<  End of CAPWAP Packet  >>>>

    Under my AP Policies I only have "Accept Manufactured Installed Certificate (MIC)" checked.  I attempted to add the AP based on MAC Address (c0:67:af:6f:25:70) with this certificate type but still have the same issue.  I then ran the following debug on my controller and this is the output I receive regarding that MAC.  I tried to cut the output short because it gets somewhat redundant but was unsure what exactly to look for in the output.  Should I be selecting a different certificate type?  I am somewhat new to wireless technologies but doing my best to pick things up so if this seems trivial please forgive my ignorance.
    debug pm pki enable
    *sshpmLscTask: Dec 14 20:42:56.450: sshpmLscTask: LSC Task received a message 4
    *spamApTask6: Dec 14 20:42:58.840: sshpmGetIssuerHandles: locking ca cert table
    *spamApTask6: Dec 14 20:42:58.841: sshpmGetIssuerHandles: calling x509_alloc() for user cert
    *spamApTask6: Dec 14 20:42:58.841: sshpmGetIssuerHandles: calling x509_decode()
    *spamApTask6: Dec 14 20:42:58.845: sshpmGetIssuerHandles: C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AP3G2-c067af6f2570, [email protected]
    *spamApTask6: Dec 14 20:42:58.845: sshpmGetIssuerHandles:   O=Cisco Systems, CN=Cisco Manufacturing CA
    *spamApTask6: Dec 14 20:42:58.845: sshpmGetIssuerHandles: Mac Address in subject is c0:67:af:6f:25:70
    *spamApTask6: Dec 14 20:42:58.845: sshpmGetIssuerHandles: Cert Name in subject is AP3G2-c067af6f2570
    *spamApTask6: Dec 14 20:42:58.845: sshpmGetIssuerHandles: Cert is issued by Cisco Systems.
    *spamApTask6: Dec 14 20:42:58.845: sshpmGetCID: called to evaluate
    *spamApTask6: Dec 14 20:42:58.845: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
    *spamApTask6: Dec 14 20:42:58.845: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
    *spamApTask6: Dec 14 20:42:58.845: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
    *spamApTask6: Dec 14 20:42:58.845: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
    *spamApTask6: Dec 14 20:42:58.845: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
    *spamApTask6: Dec 14 20:42:58.845: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
    *spamApTask6: Dec 14 20:42:58.845: sshpmGetCertFromCID: called to get cert for CID 282aef7e
    *spamApTask6: Dec 14 20:42:58.845: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<
    *spamApTask6: Dec 14 20:42:58.845: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<
    *spamApTask6: Dec 14 20:42:58.845: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<
    *spamApTask6: Dec 14 20:42:58.845: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<
    *spamApTask6: Dec 14 20:42:58.845: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<
    *spamApTask6: Dec 14 20:42:58.845: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<
    *spamApTask6: Dec 14 20:42:58.845: ssphmUserCertVerify: calling x509_decode()
    *spamApTask6: Dec 14 20:42:58.856: ssphmUserCertVerify: user cert verfied using >cscoDefaultMfgCaCert<
    *spamApTask6: Dec 14 20:42:58.856: sshpmGetIssuerHandles: ValidityString (current): 2013/12/15/01:42:58
    *spamApTask6: Dec 14 20:42:58.856: sshpmGetIssuerHandles: ValidityString (NotBefore): 2013/08/25/13:01:22
    *spamApTask6: Dec 14 20:42:58.856: sshpmGetIssuerHandles: ValidityString (NotAfter): 2023/08/25/13:11:22
    *spamApTask6: Dec 14 20:42:58.856: sshpmGetIssuerHandles: getting cisco ID cert handle...
    *spamApTask6: Dec 14 20:42:58.856: sshpmGetCID: called to evaluate
    *spamApTask6: Dec 14 20:42:58.856: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
    *spamApTask6: Dec 14 20:42:58.856: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
    *spamApTask6: Dec 14 20:42:58.856: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
    *spamApTask6: Dec 14 20:42:58.856: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
    *spamApTask6: Dec 14 20:42:58.856: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
    *spamApTask6: Dec 14 20:42:58.856: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
    *spamApTask6: Dec 14 20:42:58.856: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
    *spamApTask6: Dec 14 20:42:58.856: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
    *spamApTask6: Dec 14 20:42:58.856: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
    *spamApTask6: Dec 14 20:42:58.857: sshpmFreePublicKeyHandle: called with 0x2c5f0cb8
    *spamApTask6: Dec 14 20:42:58.857: sshpmFreePublicKeyHandle: freeing public key
    *spamApTask0: Dec 14 20:43:17.451: sshpmGetCID: called to evaluate
    *spamApTask0: Dec 14 20:43:17.451: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
    *spamApTask0: Dec 14 20:43:17.451: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
    *spamApTask0: Dec 14 20:43:17.451: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
    *spamApTask0: Dec 14 20:43:17.451: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
    *spamApTask0: Dec 14 20:43:17.451: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
    *spamApTask0: Dec 14 20:43:17.451: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
    *spamApTask0: Dec 14 20:43:17.451: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
    *spamApTask0: Dec 14 20:43:17.451: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
    *spamApTask0: Dec 14 20:43:17.451: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
    *spamApTask0: Dec 14 20:43:17.451: sshpmGetCertFromCID: called to get cert for CID 183fd2b6
    *spamApTask0: Dec 14 20:43:17.451: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<
    *spamApTask0: Dec 14 20:43:17.451: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<
    *spamApTask0: Dec 14 20:43:17.451: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<
    *spamApTask0: Dec 14 20:43:17.451: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<
    *spamApTask0: Dec 14 20:43:17.451: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<
    *spamApTask0: Dec 14 20:43:17.451: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<
    *spamApTask0: Dec 14 20:43:17.451: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<
    *spamApTask0: Dec 14 20:43:17.451: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultIdCert<
    *spamApTask0: Dec 14 20:43:17.451: sshpmGetCertFromCID: comparing to row 2, certname >cscoDefaultIdCert<
    *spamApTask0: Dec 14 20:43:17.451: sshpmGetCID: called to evaluate
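When reading `debug pm pki enable` output like the above, the lines that matter are the subject MAC, the CA that verified the certificate, and the three `ValidityString` values. The following is an added example, not part of the original post or Cisco tooling: it groups those lines per task and checks the controller's clock against the certificate's validity window. The second sample and all function names are constructed for illustration.

```python
import re
from datetime import datetime

# Lines copied from the debug output in the post above.
PAGE_DEBUG = """\
*spamApTask6: Dec 14 20:42:58.845: sshpmGetIssuerHandles: Mac Address in subject is c0:67:af:6f:25:70
*spamApTask6: Dec 14 20:42:58.845: sshpmGetIssuerHandles: Cert Name in subject is AP3G2-c067af6f2570
*spamApTask6: Dec 14 20:42:58.845: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
*spamApTask6: Dec 14 20:42:58.856: ssphmUserCertVerify: user cert verfied using >cscoDefaultMfgCaCert<
*spamApTask6: Dec 14 20:42:58.856: sshpmGetIssuerHandles: ValidityString (current): 2013/12/15/01:42:58
*spamApTask6: Dec 14 20:42:58.856: sshpmGetIssuerHandles: ValidityString (NotBefore): 2013/08/25/13:01:22
*spamApTask6: Dec 14 20:42:58.856: sshpmGetIssuerHandles: ValidityString (NotAfter): 2023/08/25/13:11:22
"""

# Constructed sample (not from the page): two tasks interleaved, a controller
# clock earlier than NotBefore, and one evaluation that was cut short.
CONSTRUCTED_DEBUG = """\
*spamApTask2: Jan 01 00:05:12.100: sshpmGetIssuerHandles: Mac Address in subject is 00:11:22:33:44:55
*spamApTask3: Jan 01 00:05:12.101: sshpmGetIssuerHandles: Mac Address in subject is 00:11:22:33:44:66
*spamApTask2: Jan 01 00:05:12.110: ssphmUserCertVerify: user cert verfied using >cscoDefaultMfgCaCert<
*spamApTask2: Jan 01 00:05:12.110: sshpmGetIssuerHandles: ValidityString (current): 2000/01/01/00:05:12
*spamApTask3: Jan 01 00:05:12.111: sshpmGetIssuerHandles: ValidityString (current): 2000/01/01/00:05:12
*spamApTask2: Jan 01 00:05:12.110: sshpmGetIssuerHandles: ValidityString (NotBefore): 2013/08/25/13:01:22
*spamApTask2: Jan 01 00:05:12.110: sshpmGetIssuerHandles: ValidityString (NotAfter): 2023/08/25/13:11:22
"""

LINE_RE = re.compile(r"^\*(?P<task>\w+): \w{3} \d{2} [\d:.]+: \w+: (?P<msg>.*)$")
VALIDITY_RE = re.compile(r"ValidityString \((current|NotBefore|NotAfter)\): (\S+)")
# "verfied" is spelled this way in the controller's own output.
VERIFIED_RE = re.compile(r"user cert verfied using >(\w+)<")
MAC_PREFIX = "Mac Address in subject is "
NAME_PREFIX = "Cert Name in subject is "


def parse_pki_debug(text):
    """Return one record per certificate evaluation, keyed internally by task
    so that interleaved output from several spamApTask threads is not mixed."""
    records, open_by_task = [], {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        task, msg = m.group("task"), m.group("msg").strip()
        if msg.startswith(MAC_PREFIX):
            # A new subject MAC starts a new evaluation for this task.
            rec = {"task": task, "mac": msg[len(MAC_PREFIX):].strip()}
            open_by_task[task] = rec
            records.append(rec)
            continue
        rec = open_by_task.get(task)
        if rec is None:
            continue
        if msg.startswith(NAME_PREFIX):
            rec["cert_name"] = msg[len(NAME_PREFIX):].strip()
        verified = VERIFIED_RE.search(msg)
        if verified:
            rec["verified_by"] = verified.group(1)
        validity = VALIDITY_RE.search(msg)
        if validity:
            field, value = validity.groups()
            rec[field] = datetime.strptime(value, "%Y/%m/%d/%H:%M:%S")
    return records


def validity_verdict(rec):
    """Compare the controller's clock with the certificate validity window."""
    if any(k not in rec for k in ("current", "NotBefore", "NotAfter")):
        return "incomplete"
    if rec["current"] < rec["NotBefore"]:
        return "not-yet-valid"
    if rec["current"] > rec["NotAfter"]:
        return "expired"
    return "valid"


if __name__ == "__main__":
    for sample in (PAGE_DEBUG, CONSTRUCTED_DEBUG):
        for rec in parse_pki_debug(sample):
            print(rec["task"], rec["mac"], rec.get("verified_by"), validity_verdict(rec))
```

A "valid" verdict with a `verified_by` CA, as for the AP in this post, means the certificate check itself passed and the join failure has to be sought elsewhere.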

  • Help adding new WLC to existing ACS

    Hi All,
    I need help with this.
    This network has a working WLC that authenticates wireless users against an ACS by MAC address. It works fine.
    I need to add a new WLC.
    I added the WLC, the APs connect to the WLC fine, but the users get limited connectivity and we've found out that is because the new WLC is getting authentication errors against the ACS.
    The configuration of the new WLC is exactly the same as the current working WLC and both controllers show as AAA clients on the ACS.
    I want to know if somebody can point me out in the right direction to solve this.
    There's connectivity fine between all devices (as far as PING goes), and there's no Firewall or filters in between.
    The difference I see on both WLCs is that on the working one (WLC1), under Security - AP Policies, we see the AP Authorization List with the MAC addresses/cert type/hash.  We don't get this information on the non-working WLC (attached document shows both)
    Also in the attached document, I'm sending the errors I get on the WLC2 controller.
    Any help is greatly appreciated.
    Federico.

    Federico,
    I didn't get you when you say that you see only One WLC under groupsetup/Mac address. Could you please elaborate this?
    Also, if you don't see any NAR configured under shared profile component then check inside the group/user setup there must be either ip based or CLI/DNIS based NAR configured for WLC's and looking at failed attempts it seems that action is denied.
    HTH
    Regds,
    JK
    Do rate helpful posts-

  • How can I add a new WLC on my network

    Hi there,
    I have a WLC4404(v4.0.219.0) and several APs on my network.
    Those APs belong to a couple of vlans.
    I planned to add a new WLC4404(v5.0.148.0) on the same network as the old one.
    I configured the new WLC4404 as a primary controller of the APs and the old one as a secondary.
    I noticed some APs could be registered only on the same vlan as the management interface of the WLC.
    How can I register the APs on different VLANs with Mgmt. of the WLC?
    Let me know if you have any idea.
    Thanks
    Jongkwan Lee

    Well since the ap's only know of the existing WLC, the only way they will join, is if you remove the existing wlc and let the ap's find the new wlc. When you configure the mobility group, that info is pushed to the ap, so that it knows of the new wlc. This way you can set the primary ap to the new one and the second wlc to the existing wlc.... make sure ap fallback is enabled so that the ap will try to join the new wlc. If you still have issues, I would console into the ap and capture the log when you fail the existing wlc.

  • AP's will not join new 5508's

    We just completed deployment of (4) 5508-250's in a large environment. We are now trying to get some test AP's to join the new WLC's. At one point it appeared that one of the 5 joined but the other 4 did not. We rebooted everything including resetting the AP's to factory and upon doing that all 5 ap's came up and joined the legacy WISM's blades sitting in the core.
    The new 5508's are sitting on a new stack of switches running 12.2.58(SE2) ip base.  We have all new subnets for the new ap's as well as all vlan interfaces on the controllers themselves. IE: vlan 499 and vlan 500. Vlan 500 is Management and 499 is the ap-manager interfaces (32 of them).
    1. Why would the new AP's prefer the old WISM to the 5508's?
    2. What do we need to do to fix that until we can do a migration?
    3. The WLC's and the cores are not in the same stack. The WLC's are on the customers 6509 and the (4) 5508's are on a new 3750x stack with a port channel to the core 6509.
    4. Does the new stack have to be running the L-3 IOS with a routing protocol running. The customers current environment is EIGRP.
    5. I have looked at the new WLC configuration and compared it to other similar sites and they are the same with the exception of the L3 on the new 3750x stack.
    Thanks,
    Evan Kalbach

    Here is my response to your queries.
    1.  Unless you configure primary,secondary (HA parameters) on your AP, it does not prefer 5508 as long as it can reach both controllers
    2. You can configure the 5508 as primary controller ( & WiSM as secondary) to influence AP to go to 5508 as first preference. You can try below CLI command on your WiSM for the APs you want to register to 5508 as primary & keep WiSM as secondary.
    config ap secondary-base
    config ap primary-base <5508 WLC name> <5508 Mgt IP>
    3. WLC does not need to connect Core
    4. As long as WLC have reachability to rest of networks, that's fine. No L3 routing required on the switch you connect the WLC. L3 gateway can be defined another L3 switch. Then you should have extend L2 from the WLC connect switch upto L3 defined switch.
    5. Doesn't matter this.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • AP(2720e) not joining a WLC (2504)

    I recently purchased two 2702e AP's to expand the wireless coverage of our network but when I plug them in, they will not join the AP for some reason.
    This is what I am getting on the controller;
    (Cisco Controller) >show ap join stats detailed f44e0544e944
    Discovery phase statistics
    - Discovery requests received.............................. 51
    - Successful discovery responses sent...................... 26
    - Unsuccessful discovery request processing................ 0
    - Reason for last unsuccessful discovery attempt........... Not applicable
    - Time at last successful discovery attempt................ Dec 08 10:24:37.695
    - Time at last unsuccessful discovery attempt.............. Not applicable
    Join phase statistics
    - Join requests received................................... 0
    - Successful join responses sent........................... 0
    - Unsuccessful join request processing..................... 0
    - Reason for last unsuccessful join attempt................ Not applicable
    - Time at last successful join attempt..................... Not applicable
    - Time at last unsuccessful join attempt................... Not applicable
    Configuration phase statistics
    - Configuration requests received.......................... 0
    - Successful configuration responses sent.................. 0
    - Unsuccessful configuration request processing............ 0
    - Reason for last unsuccessful configuration attempt....... Not applicable
    --More-- or (q)uit
    - Time at last successful configuration attempt............ Not applicable
    - Time at last unsuccessful configuration attempt.......... Not applicable
    Last AP message decryption failure details
    - Reason for last message decryption failure............... Not applicable
    Last AP disconnect details
    - Reason for last AP connection failure.................... Not applicable
    - Last AP disconnect reason................................ Not applicable
    Last join error summary
    - Type of error that occurred last......................... None
    - Reason for error that occurred last...................... Not applicable
    - Time at which the last join error occurred............... Not applicable
    AP disconnect details
    - Reason for last AP connection failure.................... Not applicable
    I have tried it with just the default settings and by setting the IP on the AP to no avail.
    Any suggestion would be much appreciated.
    Eric

    Hi Eric,
    What software code is running on your 2504 ? I hope it is 7.6.130.0
    If it is 8.0.100.0, then there was a critical bug given below, you need to check whether you are hitting this
    https://tools.cisco.com/bugsearch/bug/CSCur43050
    Conditions:
    Seen only with APs that were manufactured in August, September or October, 2014 - all Aironet APs were affected EXCEPT the 700 series. Seen with WLCs running 8.0.100.0 or an 8.0.100.x special.
    If the WLC was manufactured in September 2014, or later (i.e. has a SHA2 MIC), then the first symptom is seen, i.e. the AP joins the 8.0.100 WLC, downloads the image, but then fails to rejoin.
    If the WLC was manufactured before September 2014 (i.e. does not have a SHA2 MIC), then the second symptom is seen, i.e. the AP can join the 8.0.100 WLC OK, but then will fail download during a subsequent upgrade.
    Also seen with new APs trying to join a controller running IOS-XE 3.6.0 (15.3(3)JN k9w8 image.) (Track CSCur50946 for the IOS-XE fix)
    Workaround:
    Downgrade to AireOS 7.6.130.0, or to IOS-XE 3.3, if the APs are supported in the earlier code
    Pls attach  AP console output while trying to boot & register to see the exact reason for failure.
    HTH
    Rasika
    **** Pls rate all useful responses ****
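The `show ap join stats detailed` output in this thread already says which phase the AP stops in: discovery requests are answered, but no Join Request ever reaches the controller. The following is an added example, not part of the original posts or Cisco tooling: it parses that output, skipping the pager line, and names the stalled phase. The function names and verdict labels are constructed for illustration.

```python
import re

# Copied from the output in the question above (shortened), including the
# pager prompt that interrupts it.
PAGE_OUTPUT = """\
Discovery phase statistics
- Discovery requests received.............................. 51
- Successful discovery responses sent...................... 26
- Unsuccessful discovery request processing................ 0
- Reason for last unsuccessful discovery attempt........... Not applicable
- Time at last successful discovery attempt................ Dec 08 10:24:37.695
Join phase statistics
- Join requests received................................... 0
- Successful join responses sent........................... 0
- Unsuccessful join request processing..................... 0
- Reason for last unsuccessful join attempt................ Not applicable
Configuration phase statistics
- Configuration requests received.......................... 0
- Successful configuration responses sent.................. 0
--More-- or (q)uit
- Time at last successful configuration attempt............ Not applicable
Last AP disconnect details
- Reason for last AP connection failure.................... Not applicable
AP disconnect details
- Reason for last AP connection failure.................... Not applicable
"""

# "- <name>.....<value>": the name ends at the first run of three or more dots.
FIELD_RE = re.compile(r"^-\s*(?P<key>.+?)\.{3,}\s*(?P<value>.*)$")


def parse_join_stats(text):
    """Return {section: {field: value}}. Fields are kept per section because
    the same field name appears under more than one heading."""
    stats, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("--More--"):
            continue  # blank line or pager prompt, not data
        m = FIELD_RE.match(line)
        if m is None:
            section = line  # any non-field line is treated as a heading
            stats.setdefault(section, {})
        elif section is not None:
            stats[section][m.group("key").strip()] = m.group("value").strip()
    return stats


def counter(stats, section, key):
    """Numeric value of a counter, 0 if absent or not a number."""
    value = stats.get(section, {}).get(key, "0")
    return int(value) if value.isdigit() else 0


def stalled_phase(stats):
    """Name the first phase whose counters show no progress."""
    disc, join, cfg = ("Discovery phase statistics", "Join phase statistics",
                       "Configuration phase statistics")
    if counter(stats, disc, "Discovery requests received") == 0:
        return "no-discovery-seen"
    if counter(stats, disc, "Successful discovery responses sent") == 0:
        return "discovery-not-answered"
    if counter(stats, join, "Join requests received") == 0:
        return "stalled-before-join"
    if counter(stats, join, "Successful join responses sent") == 0:
        return "join-rejected"
    if counter(stats, cfg, "Configuration requests received") == 0:
        return "stalled-before-config"
    if counter(stats, cfg, "Successful configuration responses sent") == 0:
        return "config-rejected"
    return "joined"


if __name__ == "__main__":
    print(stalled_phase(parse_join_stats(PAGE_OUTPUT)))
```

In the CAPWAP sequence the DTLS handshake sits between the Discovery Response and the Join Request, so "stalled-before-join" points at DTLS setup, which the controller-side counters do not show; that is why the reply asks for the AP console output.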

  • Converted 1140 AP can't join the WLC 5508

    Hello! Please, help me to sort my problem out.
    We have bought autonomous APs   AIR-AP1141N-E-K9 and converted them to the lightweight mode, but they cannot join the WLC 5508. The errors are below. There were NO problems with the LAPs that were bought before, together with the WLC.
    AP's IP: 172.22.90.27   IOS version  12.4
    WLC's IP: 172.22.90.20   IOS version 6.0.188.0
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    This Discussion has been converted into document:- https://supportforums.cisco.com/docs/DOC-23054
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    logs from the AP:
    Translating "CISCO-LWAPP-CONTROLLER"...domain server (255.255.255.255)
    *Oct 13 21:37:06.044: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Oct 13 21:37:06.045: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Oct 13 21:37:06.046: bsnInitRcbSlot: slot 1 has NO radio
    *Oct 13 21:37:06.056: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Oct 13 21:37:06.066: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Oct 13 21:37:06.098: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
    *Oct 13 21:37:15.060: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-LWAPP-CONTROLLER
    *Oct 13 21:37:24.060: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
    *Oct 13 21:37:34.060: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Oct 13 21:38:34.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.22.90.20 peer_port: 5246
    *Oct 13 21:38:34.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *Oct 13 21:38:34.822: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.22.90.20 peer_port: 5246
    *Oct 13 21:38:34.823: %CAPWAP-5-SENDJOIN: sending Join Request to 172.22.90.20
    *Oct 13 21:38:34.823: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Oct 13 21:38:34.825: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 172.22.90.20
    *Oct 13 21:38:34.825: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Oct 13 21:38:34.825: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Oct 13 21:38:39.823: %CAPWAP-5-SENDJOIN: sending Join Request to 172.22.90.20
    *Oct 13 21:38:39.823: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 172.22.90.20
    *Oct 13 21:38:39.823: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Oct 13 21:38:39.823: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Oct 13 21:38:39.824: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 172.22.90.20
    *Oct 13 21:39:33.999: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 172.22.90.20:5246
    *Oct 13 21:39:34.000: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Oct 13 21:38:34.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.22.90.20 peer_port: 5246
    *Oct 13 21:38:34.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *Oct 13 21:38:34.001: %DTLS-5-PEER_DISCONNECT: Peer 172.22.90.20 has closed connection.
    *Oct 13 21:38:34.001: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 172.22.90.20:5246
    *Oct 13 21:38:34.001: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination
    *Oct 13 21:38:34.125: %CAPWAP-3-ERRORLOG: Dropping dtls packet since session is not established.
    logs from the WLC:
    debug capwap events enable
    *Dec 21 15:02:06.244: 68:bc:0c:63:3d:a0 DTLS keys for Control Plane deleted successfully for AP 172.22.90.27
      *Dec 21 15:02:06.246: 68:bc:0c:63:3d:a0 DTLS connection closed event receivedserver (172:22:90:20/5246) client (172:22:90:27/21077)
    *Dec 21 15:02:06.246: 68:bc:0c:63:3d:a0 Entry exists for AP (172:22:90:27/21077)
    *Dec 21 15:02:06.246: 68:bc:0c:63:3d:a0 apfSpamProcessStateChangeInSpamContext: Deregister LWAPP event for AP 68:bc:0c:63:3d:a0 slot 0
    *Dec 21 15:02:06.246: 68:bc:0c:63:3d:a0 Deregister LWAPP event for AP 68:bc:0c:63:3d:a0 slot 0
    *Dec 21 15:02:06.246: 68:bc:0c:63:3d:a0 apfSpamProcessStateChangeInSpamContext: Deregister LWAPP event for AP 68:bc:0c:63:3d:a0 slot 1
    *Dec 21 15:02:06.246: 68:bc:0c:63:3d:a0 Deregister LWAPP event for AP 68:bc:0c:63:3d:a0 slot 1
    Ble
    *Dec 21 15:04:03.194: 68:bc:0c:63:3d:a0 capwap_ac_platform.c:1223 - Operation State 0 ===> 4
    *Dec 21 15:04:03.194: 68:bc:0c:63:3d:a0 Register LWAPP event for AP 68:bc:0c:63:3d:a0 slot 0
      *Dec 21 15:05:36.253: 68:bc:0c:63:3d:a0 Join Version: = 100711424
    *Dec 21 15:05:36.253: 68:bc:0c:63:3d:a0 Join resp: CAPWAP Maximum Msg element len = 93
    debug capwap errors enable
    *Dec 21 16:16:51.879: 68:bc:0c:63:3d:a0 DTLS connection was closed
    *Dec 21 16:17:09.940: 68:bc:0c:63:3d:a0 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 12, joined Aps =5
    debug capwap detail enable
    *Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 CAPWAP Control Msg Received from 172.22.90.27:21078
    *Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 packet received of length 281 from 172.22.90.27:21078
    *Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 Msg Type = 3 Capwap state = 5
    *Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 Join resp: Result Code message element len = 8
    *Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 1. 47 0
    *Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 2. 232 3
    *Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 3. 6 0
    *Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 4. 12 0
    *Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 Join resp: AC Descriptor message element len = 48
    *Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 acName = Wi-Fi_Controller
    *Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 Join resp: AC Name message element len = 68
    *Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 Join resp: WTP Radio Information message element len = 77
    *Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 Join resp: CAPWAP Control IPV4 Address len = 87
    *Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 Sending encrypted packet to AP 172:22:90:27 (21078)
    *Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 Releasing WTP
    *Dec 21 16:24:12.212: 68:bc:0c:63:3d:a0 CAPWAP Control Msg Received from 172.22.90.27:21077
    *Dec 21 16:24:12.212: 68:bc:0c:63:3d:a0 DTLS connection 0x167c8b20 closed by controller
    *Dec 21 16:24:12.212: DTL Deleting AP 9 - 0.0.0.0
    *Dec 21 16:24:12.214: CAPWAP DTLS connection closed msg
    *Dec 21 16:24:12.216: 68:bc:0c:63:3d:a0 Sending LWAPP Event DeReg to 'mfpSendEventReport+168' for AP 68:bc:0c:63:3d:a0(0)
    *Dec 21 16:24:12.216: Received SPAM_MFP_RADIO_DOWN message
    *Dec 21 16:24:12.218: 68:bc:0c:63:3d:a0 Sending LWAPP Event DeReg to 'l2roamInit+560' for AP 68:bc:0c:63:3d:a0(0)
    *Dec 21 16:24:12.220: 68:bc:0c:63:3d:a0 Sending LWAPP Event DeReg to 'apfSpamCallbackInSpamContext+1224' for AP 68:bc:0c:63:3d:a0(0)
    *Dec 21 16:24:12.222: 68:bc:0c:63:3d:a0 Sending LWAPP Event DeReg to 'apfSpamSendBlackListTable+376' for AP 68:bc:0c:63:3d:a0(0)
    *Dec 21 16:24:12.224: 68:bc:0c:63:3d:a0 Sending LWAPP Event DeReg to 'rrmIappSendChdPacket+2320' for AP 68:bc:0c:63:3d:a0(0)
    *Dec 21 16:24:12.226: 68:bc:0c:63:3d:a0 Sending LWAPP Event DeReg to 'asTrackInitTask+19360' for AP 68:bc:0c:63:3d:a0(0)
    *Dec 21 16:24:12.228: 68:bc:0c:63:3d:a0 Sending LWAPP Event DeReg to 'mfpSendEventReport+168' for AP 68:bc:0c:63:3d:a0(1)
    *Dec 21 16:24:12.228: Received SPAM_MFP_RADIO_DOWN message
    *Dec 21 16:24:12.230: 68:bc:0c:63:3d:a0 Sending LWAPP Event DeReg to 'l2roamInit+560' for AP 68:bc:0c:63:3d:a0(1)
    *Dec 21 16:24:12.232: 68:bc:0c:63:3d:a0 Sending LWAPP Event DeReg to 'apfSpamCallbackInSpamContext+1224' for AP 68:bc:0c:63:3d:a0(1)
    *Dec 21 16:24:12.234: 68:bc:0c:63:3d:a0 Sending LWAPP Event DeReg to 'apfSpamSendBlackListTable+376' for AP 68:bc:0c:63:3d:a0(1)
    *Dec 21 16:24:12.236: 68:bc:0c:63:3d:a0 Sending LWAPP Event DeReg to 'rrmIappSendChdPacket+2320' for AP 68:bc:0c:63:3d:a0(1)
    *Dec 21 16:24:12.238: 68:bc:0c:63:3d:a0 Sending LWAPP Event DeReg to 'asTrackInitTask+19360' for AP 68:bc:0c:63:3d:a0(1)
    *Dec 21 16:24:12.238: 68:bc:0c:63:3d:a0 Deleting and removing AP 68:bc:0c:63:3d:a0 from fast path
    P.S. The time is set to the WLC with the NTP
    P.P.S. Don't look at the time the logs were made - they were made not during the same day/time

    I have solved this as soon as I published my problem!!!
    the answer is published here:
    https://supportforums.cisco.com/thread/2004491
    especially in the post of Matthew Fowler
    Hi,
    Please take a look at CSCte01087.
    I see that your WLC is 10.0.13.5 and your AP is 10.0.13.28/24 so they are on the same subnet. I also see your AP MAC address does not begin with 00. This is why I believe it is relevant.
    Please try the workaround or open a TAC case if you need a fix.
    -Matt
    Symptom:
    An access point running 6.0.188.0 code may be unable to join a WLC5508.
    Messages similar to the following will be seen on the AP.
       %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
       %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message
    Conditions:
    At least one of the following conditions pertains:
    - The high order byte of the AP's MAC address is nonzero, and the AP is in
    the same subnet as the WLC5508's management (or AP manager) interface
    - The WLC's management (or AP manager) interface's default gateway's
    MAC address' high order byte is nonzero.
    Workaround:
    If the MAC address of the WLC's default gateway does not begin with 00,
    and if all of the APs' MAC addresses begin with 00, then: you can put
    the APs into the same subnet as the WLC's management (or AP manager)
    interface.
    In the general case, for the situation where the WLC's default gateway's
    MAC does not begin with 00, you can address this by changing it to begin
    with 00. Some methods for doing this include:
    -- use the "mac-address" command on the gateway, to set a MAC address
    that begins with 00
    -- then enable HSRP on the gateway (standby ip ww.xx.yy.zz) and use this
    IP as the WLC's gateway.
    For the case where the APs' MAC addresses do not begin with 00, then make
    sure that they are *not* in the same subnet as the WLC's management
    (AP manager) interface, but are behind a router.
    Another workaround is to downgrade to 6.0.182.0.  However, after
    downgrading the WLC to 6.0.182.0, any APs that have 6.0.188.0 IOS
    (i.e. 12.4(21a)JA2) still installed on them will be unable to join.
    Therefore, after downgrading the WLC, the APs will need to have a
    pre-12.4(21a)JA2 rcvk9w8 or k9w8 image installed on them.
    different vlan!!!! yes! thank you Matthew Fowler sooooo much!!!!
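The conditions quoted for CSCte01087 can be checked mechanically before deciding on a workaround. The following is an added example, not part of the original thread or Cisco tooling: it looks for both error messages in an AP console capture and evaluates the two stated conditions. The addresses are the ones in this thread, the /24 prefix length is an assumption because the thread does not give the mask, and the function names are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# AP console lines from the question above, in the form a terminal capture
# hard-wrapped at 80 columns records them (messages split mid-word).
PAGE_CONSOLE = """\
*Oct 13 21:38:34.823: %CAPWAP-5-SENDJOIN: sending Join Request to 172.22.90.20
*Oct 13 21:38:34.825: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Contr
ol Message from 172.22.90.20
*Oct 13 21:38:34.825: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
*Oct 13 21:38:34.825: %CAPWAP-3-ERRORLOG: Failed to handle capwap control messag
e from controller
"""

# The two messages listed under "Symptom" in the quoted bug text.
SIGNATURES = (
    "%CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.",
    "%CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message",
)


def _squash(text):
    """Drop all whitespace so a line wrap anywhere cannot hide a message."""
    return re.sub(r"\s+", "", text)


def has_signature(console_log):
    """True if both symptom messages occur in the capture."""
    squashed = _squash(console_log)
    return all(_squash(sig) in squashed for sig in SIGNATURES)


def high_order_byte(mac):
    """First octet of a MAC written as aa:bb:.., aa-bb-.. or aabb.ccdd.eeff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return int(digits[:2], 16)


def triage_cscte01087(console_log, ap_mac, ap_ip, wlc_ip, prefix_len,
                      gateway_mac=None):
    """Evaluate the symptom and the two conditions from the bug text.

    gateway_mac is the MAC of the WLC management interface's default gateway;
    leave it as None when it is not known (that condition is then not tested).
    """
    mgmt_net = ip_network("%s/%d" % (wlc_ip, prefix_len), strict=False)
    same_subnet = ip_address(ap_ip) in mgmt_net
    # Condition 1: AP MAC high-order byte nonzero AND AP in the WLC's subnet.
    ap_condition = high_order_byte(ap_mac) != 0 and same_subnet
    # Condition 2: default gateway MAC high-order byte nonzero.
    gateway_condition = (gateway_mac is not None
                         and high_order_byte(gateway_mac) != 0)
    signature = has_signature(console_log)
    return {
        "signature_in_log": signature,
        "same_subnet": same_subnet,
        "ap_condition": ap_condition,
        "gateway_condition": gateway_condition,
        "consistent_with_bug": signature and (ap_condition or gateway_condition),
    }


if __name__ == "__main__":
    # AP identifier and addresses as shown in this thread; /24 is assumed.
    print(triage_cscte01087(PAGE_CONSOLE, "68:bc:0c:63:3d:a0",
                            "172.22.90.27", "172.22.90.20", 24))
```

With the AP moved to another subnet the first condition no longer holds, which matches the poster's fix of putting the AP in a different VLAN.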

  • Ap won't join the WLC

    Hello Guys,
    I have converted ap 1131 from autonomous to lwapp successfully by using upgrade utility tool but the AP does not join the WLC 2106. I can see it as a neighbor on the switch with no IP address. Please help me.
    Thank you

    Hello Scott,
    Thank you for the reply
    Please find the attached file for the config, I found out that I have not updated the time on WLC  but I did update the time on WLC and tested for other AP and this one too won't join the WLC. The APs are located remotely.
    atsg-wl1#show run | incl hostname
    hostname atsg-wl1
    atsg-wl1#test pb display
    Display of the Parameter Block
    Total Number of Records : 7
    Number of Certs : 6
    Number of Keys : 1
    atsg-wl1#term length 0
    atsg-wl1#show version | include Cisco IOS
    Cisco IOS Software, C1130 Software (C1130-K9W7-M), Version 12.3(7)JA3, RELEASE SOFTWARE (fc1)
    atsg-wl1#show controller | include Radio AIR
    Radio AIR-AP1131G, Base Address 0019.0737.02f0, BBlock version 0.00, Software version 5.80.15
    Radio AIR-AP1131A, Base Address 0019.073b.02d0, BBlock version 0.00, Software version 5.80.15
    atsg-wl1#show controllers d0 | include Current
    Current Frequency: 2447 MHz  Channel 8
    Current CCK Power: 14 dBm
    Current OFDM Power: 14 dBm
    Current Rates:  basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    atsg-wl1#show controllers d1 | include Current
    Current Frequency: 5805 MHz  Channel 161
    Current Power: 17 dBm
    Current Rates:  basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
    atsg-wl1#show run | include station-role
    station-role root
    station-role root
    atsg-wl1#test pb disp
    Display of the Parameter Block
    Total Number of Records : 7
    Number of Certs : 6
    Number of Keys : 1
    atsg-wl1#show int F0 | include address
      Hardware is PowerPCElvis Ethernet, address is 0019.555f.ccfa (bia 0019.555f.ccfa)
    atsg-wl1#show int | include Dot11Radio
    Dot11Radio0 is up, line protocol is up
    Dot11Radio1 is up, line protocol is up
    atsg-wl1#show sntp | exclude SNTP
    10.148.0.1         16        1        never     
    172.16.21.57       16        1        never     
    Broadcast client mode is enabled.
    atsg-wl1#show run
    Building configuration...
    Current configuration : 6025 bytes
    ! Last configuration change at 19:35:46 UTC Thu Jan 31 2013 by didata
    ! NVRAM config last updated at 19:13:48 UTC Fri Feb 1 2013 by didata
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime localtime
    service password-encryption
    hostname atsg-wl1
    logging buffered informational
    logging console informational
    enable secret 5
    ip subnet-zero
    ip domain name aspentech.com
    ip name-server 10.96.16.230
    ip name-server 10.148.0.249
    ip name-server 10.32.19.1
    aaa new-model
    aaa group server radius rad_eap
    server 10.16.16.123 auth-port 1645 acct-port 1646
    aaa authentication login default group tacacs+ local
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa session-id common
    no dot11 igmp snooping-helper
    dot11 ssid
       authentication open eap eap_methods
       authentication network-eap eap_methods
       guest-mode
       infrastructure-ssid optional
    dot11 network-map
    power inline negotiation prestandard source
    usernamepassword 7
    username privilege 15 password 7
    usernamep rivilege 15 password 7
    class-map match-all _class_Protocol_301_C351
    match access-group name Voice_Over_IP_301
    class-map match-all _class_8
    match ip dscp cs1
    class-map match-all _class_0
    match ip dscp default
    class-map match-all _class_48
    match ip dscp cs6
    class-map match-all _class_18
    match ip dscp af21
    class-map match-all _class_24
    match ip dscp cs3
    class-map match-all _class_16
    match ip dscp cs2
    class-map match-all _class_34
    match ip dscp af41
    class-map match-all _class_26
    match ip dscp af31
    class-map match-all _class_40
    match ip dscp cs5
    class-map match-all _class_46
    match ip dscp ef
    class-map match-all _class_56
    match ip dscp cs7
    class-map match-all _class_10
    match ip dscp af11
    class-map match-all _class_32
    match ip dscp cs4
    policy-map _policy_Voice_Over_IP_202
    class _class_Protocol_301_C351
      set cos 6
    policy-map _policy_fallback_policy
    class _class_0
      set cos 0
    class _class_8
      set cos 1
    class _class_10
      set cos 1
    class _class_16
      set cos 2
    class _class_18
      set cos 2
    class _class_24
      set cos 3
    class _class_26
      set cos 3
    class _class_32
      set cos 4
    class _class_34
      set cos 4
    class _class_40
      set cos 5
    class _class_46
      set cos 5
    class _class_48
      set cos 6
    class _class_56
      set cos 7
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    shutdown
    encryption mode wep mandatory mic key-hash
    broadcast-key change 900
    ssid
    traffic-class background cw-min 5 cw-max 8 fixed-slot 2
    traffic-class best-effort cw-min 5 cw-max 8 fixed-slot 6
    traffic-class video cw-min 4 cw-max 6 fixed-slot 1
    traffic-class voice cw-min 3 cw-max 7 fixed-slot 1
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    packet retries 32
    fragment-threshold 2338
    station-role root
    rts threshold 2339
    rts retries 32
    world-mode legacy
    no cdp enable
    infrastructure-client
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    shutdown
    encryption mode wep mandatory mic key-hash
    broadcast-key change 900
    ssid aspen100abcdefgh
    speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
    station-role root
    world-mode legacy
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 10.148.0.7 255.255.255.0
    no ip route-cache
    ip default-gateway 10.148.0.1
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip tacacs source-interface BVI1
    ip radius source-interface BVI1
    ip access-list extended Voice_Over_IP_300
    permit 119 any any
    permit ip any any
    ip access-list extended Voice_Over_IP_301
    permit 119 any any
    permit ip any any
    logging facility local0
    snmp-server view iso_view iso included
    snmp-server community admin view iso_view RW
    snmp-server community all4114all view iso_view RW
    snmp-server community ddbos2000 RO
    snmp-server location ATSG
    snmp-server contact James Lee
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps tty
    snmp-server enable traps disassociate
    snmp-server enable traps deauthenticate
    snmp-server enable traps authenticate-fail
    snmp-server enable traps config
    snmp-server enable traps syslog
    snmp-server host 192.135.137.12 ddbos2000
    tacacs-server host 10.16.16.123 key 7
    tacacs-server host 10.96.16.245 key 7
    tacacs-server directed-request
    radius-server host 10.16.16.123 auth-port 1645 acct-port 1646 timeout 5 retransmit 3 key 7
    radius-server deadtime 120
    radius-server vsa send accounting
    radius-server vsa send authentication
    control-plane
    bridge 1 route ip
    line con 0
    transport preferred all
    transport output all
    stopbits 1
    line vty 0 4
    exec-timeout 0 0
    transport preferred all
    transport input all
    transport output all
    line vty 5 15
    exec-timeout 0 0
    transport preferred all
    transport input all
    transport output all
    end
    atsg-wl1#show run | incl hostname
    hostname atsg-wl1
    atsg-wl1#arch down /over /create-space  tftp://10.148.0.118/images/c1130-rcvk9w8-tar.123-11.JX1.tar
    examining image...
    Loading images/c1130-rcvk9w8-tar.123-11.JX1.tar from 10.148.0.118 (via BVI1): !
    extracting info (273 bytes)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    [OK - 1873920 bytes]
    Image info:
        Version Suffix: rcvk9w8-
        Image Name: c1130-rcvk9w8-mx
        Version Directory: c1130-rcvk9w8-mx
        Ios Image Size: 1874432
        Total Image Size: 1874432
        Image Feature: WIRELESS LAN|LWAPP|RECOVERY
        Image Family: C1130
        Wireless Switch Management Version: 3.0.51.0
    Extracting files...
    Loading images/c1130-rcvk9w8-tar.123-11.JX1.tar from 10.148.0.118 (via BVI1): !
    extracting info (273 bytes)
    c1130-rcvk9w8-mx/ (directory) 0 (bytes)
    extracting c1130-rcvk9w8-mx/c1130-rcvk9w8-mx (1867816 bytes)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    extracting c1130-rcvk9w8-mx/info (273 bytes)
    extracting info.ver (273 bytes)!
    [OK - 1873920 bytes]
    Deleting current version...
    Deleting flash:/c1130-k9w7-mx.123-7.JA3...done.
    New software image installed in flash:/c1130-rcvk9w8-mx
    Configuring system to use new image...done.
    atsg-wl1#show archive status
    SUCCESS: Upgrade complete.
    atsg-wl1#write erase
    Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
    [OK]
    Erase of nvram: complete
    atsg-wl1#dir flash:
    Directory of flash:/
        2  -rwx        2072  Jan 31 2013 19:36:18 +00:00  private-multiple-fs
      149  drwx         128  Jan 31 2013 19:36:11 +00:00  c1130-rcvk9w8-mx
        4  -rwx         342  Jan 31 2013 19:36:14 +00:00  env_vars
    15998976 bytes total (14126080 bytes free)
    atsg-wl1#dir nvram:
    Directory of nvram:/
       30  -rw-           0                      startup-config
       31  ----           0                      private-config
        1  -rw-           0                      ifIndex-table
        2  ----          12                      persistent-data
    32768 bytes total (30668 bytes free)
    atsg-wl1#sh crypto ca trustpoints
    atsg-wl1#sh crypto ca certificates
    atsg-wl1#terminal length 0
    atsg-wl1#show run | begin BVI1
    interface BVI1
    ip address 10.148.0.7 255.255.255.0
    no ip route-cache
    ip default-gateway 10.148.0.1
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip tacacs source-interface BVI1
    ip radius source-interface BVI1
    ip access-list extended Voice_Over_IP_300
    permit 119 any any
    permit ip any any
    ip access-list extended Voice_Over_IP_301
    permit 119 any any
    permit ip any any
    logging facility local0
    snmp-server view iso_view iso included
    snmp-server community admin view iso_view RW
    snmp-server community all4114all view iso_view RW
    snmp-server community ddbos2000 RO
    snmp-server location ATSG
    snmp-server contact James Lee
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps tty
    snmp-server enable traps disassociate
    snmp-server enable traps deauthenticate
    snmp-server enable traps authenticate-fail
    snmp-server enable traps config
    snmp-server enable traps syslog
    snmp-server host 192.135.137.12 ddbos2000
    tacacs-server host 10.16.16.123 key 7
    tacacs-server host 10.96.16.245 key 7
    tacacs-server directed-request
    radius-server host 10.16.16.123 auth-port 1645 acct-port 1646 timeout 5 retransmit 3 key 7
    radius-server deadtime 120
    radius-server vsa send accounting
    radius-server vsa send authentication
    control-plane
    bridge 1 route ip
    line con 0
    transport preferred all
    transport output all
    stopbits 1
    line vty 0 4
    exec-timeout 0 0
    transport preferred all
    transport input all
    transport output all
    line vty 5 15
    exec-timeout 0 0
    transport preferred all
    transport input all
    transport output all
    end

  • LAP's are unable to join Cisco WLC

    Dear all,
    I have moved my WLC to my datacentre from the branch office. After the move I updated the DHCP options with the new IP address, but all of my access points are not joining the WLC. Kindly check the attached configuration of the WLC as well as the LAP logs; it would be a great help if somebody could help me resolve this issue.
    Please note that for datacenter-to-branch connectivity we are using an L3 MPLS line, there is no firewall between the offices, and I am using Ver 7 software on my WLC.

    Hi,
    Your DHCP option 43 is good
    From your file ‘AP error logs.txt’ it’s clear that the DHCP server provides option 43 that point to 10.204.20.4.
    I also see that the controller name is AEDXBWLC01.
    The AP cannot guess this name so this means that it can communicate with the controller.
    You do not need to configure DNS
    Your DNS server is not configured with CISCO-LWAPP-CONTROLLER.localdomain. But you do not need to configure DNS since you already have a working option 43.
    If you want to use DNS you should configure both CISCO-CAPWAP-CONTROLLER.localdomain and CISCO-LWAPP-CONTROLLER.localdomain, where localdomain is the access point domain name. Old software uses LWAPP and new software uses CAPWAP.
    What might cause the problems?
    I believe that you have a certificate mismatch between the controller and the AP. In order to fix this you can manually add the AP to the AP authorization list.
    In order to allow APs to join, use one of these options:
    Add them to the authorization list of the WLC: use the config auth-list add mic command.
    Add them as clients to the RADIUS server. The Called-Station-ID is the MAC address of the controller. If you separate the APs into groups, you can create policies to define which APs can authenticate against which Called-Station-IDs.
    Debug
    You can debug to see what’s happening when the AP tries to join the controller.
    You can also use this debug to obtain the Ethernet address for the AP:
    (Cisco Controller) >debug lwapp events enable
    Mon May 22 12:00:21 2006: Received LWAPP DISCOVERY REQUEST from AP 00:0b:85:5b:fb:d0 to ff:ff:ff:ff:ff:ff on port '1'
    Mon May 22 12:00:21 2006: Successful transmission of LWAPP Discovery-Response to AP 00:0b:85:5b:fb:d0 on Port 1
    /André
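
The option 43 value mentioned in the answer above can be checked by decoding it. This is an added example, not part of the reply and not Cisco code; it assumes the sub-option layout Cisco documents for Aironet lightweight APs (type 0xf1, a length byte of 4 per controller, then the controller IPv4 addresses), and the function names are hypothetical.

```python
import ipaddress

SUBOPTION_WLC = 0xF1  # assumed Cisco sub-option code carrying controller addresses


def encode_option43(controllers):
    """Build the option 43 hex string for a list of controller IPv4 addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    packed = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(packed) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return (bytes([SUBOPTION_WLC, len(packed)]) + packed).hex()


def decode_option43(hex_value):
    """Return the controller IPs in an option 43 hex string, or raise ValueError."""
    # Accept the separators DHCP servers commonly print (f104.0acc.1404, f1:04:...).
    cleaned = hex_value.replace(":", "").replace(".", "").replace(" ", "")
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError(f"not a hex string: {hex_value!r}") from exc
    if len(raw) < 2 or raw[0] != SUBOPTION_WLC:
        raise ValueError("missing 0xf1 sub-option type")
    length, payload = raw[1], raw[2:]
    if length == 0 or length % 4:
        raise ValueError(f"length {length} is not a non-zero multiple of 4")
    if length != len(payload):
        raise ValueError(
            f"length byte says {length}, payload has {len(payload)} bytes")
    return [str(ipaddress.IPv4Address(payload[i:i + 4]))
            for i in range(0, length, 4)]


if __name__ == "__main__":
    # 10.204.20.4 is the controller address named in the answer above.
    value = encode_option43(["10.204.20.4"])
    print(value, decode_option43(value))
```

A value that decodes cleanly only shows the DHCP side is right; the join itself can still fail later, as the rest of the answer explains.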

  • How can I apply existing WCS "WLAN Config" templates to a new WLC?

    We've been running a pair of WLC 4402s managed by WCS, thus we are still on the older 7.0.235.0 (WCS) / 7.0.235.3 (WLC) release. I'm trying to add an additional WLC 4402-50 as a hot spare. I first ran the manual setup steps to give it an IP in our range, and used the WLC's web page to set our SNMP communities and such to the values used by our existing WLCs, then I added the new WLC in WCS.
    At this point I could apply most of the "Controller Templates" from our existing configuration to the new unit. However, I can not get it to take our existing interfaces nor our WLAN Configurations. How do I avoid needing to recreate these from scratch on the new WLC?
    We only have four dynamic interfaces, and each WLC needs its own IP address for each interface, so I did manually add these via the WLC's web page. However, now when I go to the WCS' "Configure > Controller Template Launch Pad" page, then select "WLANs > WLAN Configuration", I see my usual list of WLANs, but can't figure out how to push them to the new WLC.
    For all of the other templates on the launch pad, I can select a template, click the "Apply to Controllers..." button, and I get a list that has my existing two and also the new controller. I can select the new controller, and apply the template, and it succeeds.
    Yet if I select a specific WLAN config, and press "Apply to Controllers...", the list that appears has only my existing two WLCs, not the new one.
    In small green type at the top it says, "Controllers configured with Interface/Interface Group - 'w-restricted'  and selected RADIUS server(s), LDAP servers, ACL Name with rules and  Ingress interface are shown."
    I have already manually added the interface "w-restricted" to the new controller, and have added the RADIUS servers via the template used by our other two WLCs. Not sure what to do about "LDAP servers, ACL Name with rules and  Ingress interface", as we don't have any ACL rules, nor use LDAP directly from the WLCs (as all user ID stuff is via RADIUS).
    Any hints on what manual setup I should add to get the new WLC in the list for these WLAN Configs?
    Thanks,
    Steve

    To be honest, if you're only adding another WLC, you're better off creating the interfaces and WLANs manually. I don't like pushing out templates to create new WLANs. I would use it to adjust an existing WLAN, but that would be it. To me it's safer. Also, is your new WLC on the same code? If you really want to figure it out, I would manually add the interfaces first, then refresh the config from the new WLC, and then push out the WLAN SSID and see if it takes. If not, don't waste your time anymore and create it manually.

  • AP 3702 not join the WLC

    Hi,
    I have two WLC 8500s working in SSO, with the NAT enable feature configured on the management interface.
    SSO is working, but I have to configure NAT before SSO because when SSO is up, the IP address and NAT are greyed out in the management interface.
    Some APs must join the controller on the private address of the management interface, and other APs must join on the public IP address configured as the NAT address.
    For some reason, there are a lot of APs that can't join the controller; I have 3 APs joined on the public IP address and 3 APs joined on the private IP address.
    config network ap-discovery nat-only disable is already configured. From the console of one AP that cannot join I see the following:
    *Sep 10 12:32:48.115: %CAPWAP-3-ERRORLOG: Selected MWAR 'GI12WLC001A'(index 0).
    *Sep 10 12:32:48.115: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Sep 10 12:35:48.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 212.89.5.130 peer_port: 5246
    *Sep 10 12:36:17.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2176 Max retransmission count reached!
    *Sep 10 12:36:47.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 212.89.5.130:5246
    *Sep 10 12:36:47.999: %CAPWAP-3-ERRORLOG: Selected MWAR 'GI12WLC001A'(index 0).
    *Sep 10 12:36:47.999: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Sep 10 12:35:48.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.35.0.78 peer_port: 5246
    The AP is trying both the private and public IP addresses to join the WLC but can't join properly.
    From the WLC console:
    debug capwap errors enable:
    *spamApTask4: Sep 10 13:13:49.837: 00:10:db:ff:50:06 Discarding non-ClientHello Handshake OR DTLS encrypted packet from  10.35.1.13:47807)since DTLS session is not established 
    *spamApTask3: Sep 10 13:13:49.958: 1c:6a:7a:5b:e0:30 ApModel: AIR-CAP3702I-E-K9
    *spamApTask3: Sep 10 13:13:49.958: Unknown AP type. Using Controller Version!!!
    *spamApTask3: Sep 10 13:13:49.958: Unknown AP type. Using Controller Version!!!
    *spamApTask3: Sep 10 13:13:49.958: 1c:6a:7a:5b:e0:30 ApModel: AIR-CAP3702I-E-K9
    *spamApTask3: Sep 10 13:13:49.958: Unknown AP type. Using Controller Version!!!
    *spamApTask3: Sep 10 13:13:49.958: Unknown AP type. Using Controller Version!!!
    *spamApTask2: Sep 10 13:13:52.103: 00:10:db:ff:50:06 Discarding non-ClientHello Handshake OR DTLS encrypted packet from  10.35.1.11:21207)since DTLS session is not established 
    *spamApTask1: Sep 10 13:13:52.224: 1c:6a:7a:5e:0f:10 ApModel: AIR-CAP3702I-E-K9
    *spamApTask1: Sep 10 13:13:52.224: Unknown AP type. Using Controller Version!!!
    *spamApTask1: Sep 10 13:13:52.224: Unknown AP type. Using Controller Version!!!
    *spamApTask1: Sep 10 13:13:52.224: 1c:6a:7a:5e:0f:10 ApModel: AIR-CAP3702I-E-K9
    *spamApTask1: Sep 10 13:13:52.224: Unknown AP type. Using Controller Version!!!
    *spamApTask1: Sep 10 13:13:52.224: Unknown AP type. Using Controller Version!!!
    The AP models are the same, so this is not the problem, but for some reason there are APs that have problems with the NAT configuration; if I disable the NAT option, every AP with a private IP address config can join the WLC.
    I've tried breaking SSO and unconfiguring NAT, and the private IP address APs join the controller without problems.
    Can anybody give me a clue?
    Regards!

    It seems like the DTLS connection can't be established between the AP and the WLC.
    The AP sends a discovery request.
    The WLC responds with two discovery responses: the first one contains the public IP address of the WLC and the second one contains the private IP address.
    Once the discovery process is complete, the AP tries to send a DTLS hello packet to the WLC, but this packet never arrives at the WLC.
    Because the hello doesn't arrive, the AP sends a close notify alert to the WLC and tries to send the DTLS hello packet to the WLC private address, with the same result.
    The AP gets into a loop trying to send DTLS hello packets to both the private and public addresses.
    The DTLS hello packet never arrives, but the close notify alert arrives at the WLC.
    There is a FW in the middle doing NAT, but I can understand why close notify alert packets arrive at the WLC and DTLS hello packets don't. These packets use the same protocol, UDP, and the same port.
    Regards
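
The join loop described in this thread can be picked out of the two logs mechanically. This is an added example, not code from the posters: it parses AP console and WLC debug lines in the formats quoted above, the sample lines are constructed, the function names are hypothetical, and the `DTLSREQSUCC` success mnemonic is an assumption because the thread shows no successful join.

```python
import re
from collections import Counter

# Constructed samples in the formats quoted in the thread (not captured data).
AP_LOG = """\
*Sep 10 12:35:48.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 212.89.5.130 peer_port: 5246
*Sep 10 12:36:17.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2176 Max retransmission count reached!
*Sep 10 12:36:47.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 212.89.5.130:5246
*Sep 10 12:36:47.999: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Sep 10 12:36:48.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.35.0.78 peer_port: 5246
*Sep 10 12:37:17.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2176 Max retransmission count reached!
*Sep 10 12:37:47.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.35.0.78:5246
*Sep 10 12:37:48.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 212.89.5.130 peer_port: 5246
"""
WLC_LOG = """\
*spamApTask4: Sep 10 13:13:49.837: 00:10:db:ff:50:06 Discarding non-ClientHello Handshake OR DTLS encrypted packet from  10.35.1.13:47807)since DTLS session is not established
*spamApTask3: Sep 10 13:13:49.958: 1c:6a:7a:5b:e0:30 ApModel: AIR-CAP3702I-E-K9
*spamApTask2: Sep 10 13:13:52.103: 00:10:db:ff:50:06 Discarding non-ClientHello Handshake OR DTLS encrypted packet from  10.35.1.11:21207)since DTLS session is not established
"""

REQ = re.compile(r"DTLSREQSEND: .*peer_ip: (\S+) peer_port: (\d+)")
OK = re.compile(r"DTLSREQSUCC")  # assumed success mnemonic; not shown in the thread
TIMEOUT = re.compile(r"Max retransmission count reached")
ALERT = re.compile(r"Close notify Alert to (\S+):(\d+)")
DISCARD = re.compile(r"Discarding non-ClientHello .* from\s+(\d+\.\d+\.\d+\.\d+):(\d+)")


def parse_ap_attempts(text):
    """Turn AP console lines into one record per DTLS connection attempt."""
    attempts = []
    for line in text.splitlines():
        m = REQ.search(line)
        if m:
            attempts.append({"peer": m.group(1), "port": int(m.group(2)),
                             "outcome": "pending"})
            continue
        if not attempts:
            continue  # outcome line with no request before it in this capture
        cur = attempts[-1]
        if OK.search(line):
            cur["outcome"] = "established"
        elif TIMEOUT.search(line) and cur["outcome"] == "pending":
            cur["outcome"] = "timeout"
        else:
            a = ALERT.search(line)
            # A close-notify only closes the attempt it names.
            if a and a.group(1) == cur["peer"] and cur["outcome"] == "pending":
                cur["outcome"] = "closed"
    return attempts


def is_join_loop(attempts):
    """True when the AP cycles over 2+ controller addresses and none answers."""
    done = [a for a in attempts if a["outcome"] != "pending"]
    peers = {a["peer"] for a in done}
    return len(peers) >= 2 and all(a["outcome"] in ("timeout", "closed") for a in done)


def wlc_discard_sources(text):
    """Count WLC-side discards of non-ClientHello packets per source IP."""
    return Counter(m.group(1) for m in map(DISCARD.search, text.splitlines()) if m)


def summarize(ap_text, wlc_text):
    attempts = parse_ap_attempts(ap_text)
    discards = wlc_discard_sources(wlc_text)
    return {
        "per_peer": Counter((a["peer"], a["outcome"]) for a in attempts),
        "join_loop": is_join_loop(attempts),
        # Matches the thread's observation: later packets reach the WLC, the hello does not.
        "hello_missing_at_wlc": bool(discards) and is_join_loop(attempts),
        "discard_sources": dict(discards),
    }
```

`summarize(AP_LOG, WLC_LOG)` reports the loop across both controller addresses alongside the WLC-side discards, which narrows the search to whatever handles the first packet of each flow differently on the path.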
