APs don't join new WLC
Hi all,
I had to changed our WLC due a RMA. Now the APs don't join the WLC:
spamApTask0: Mar 07 14:58:25.789: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 4c:4e:35:b3:da:37: Failed to create DTLS connection for AP 10:169:2:171 (15781).*spamApTask6: Mar 07 14:58:25.582: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 4c:4e:35:b3:e3:85: Failed to create DTLS connection for AP 10:169:2:147 (15930).*spamApTask6: Mar 07 14:58:25.527: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 4c:4e:35:b3:e3:a3: Failed to create DTLS connection for AP 10:169:2:145 (15932).*spamApTask3: Mar 07 14:58:25.193: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 4c:4e:35:57:b2:63: Failed to create DTLS connection for AP 10:169:2:160 (31527).*spamApTask5: Mar 07 14:58:25.117: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 4c:4e:35:b3:da:2b: Failed to create DTLS connection for AP 10:169:2:167 (15780).*spamApTask0: Mar 07 14:58:24.971: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 4c:4e:35:b3:e3:d1: Failed to create DTLS connection for AP 10:169:2:177 (15935).*spamApTask7: Mar 07 14:58:24.516: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 4c:4e:35:57:b2:f9: Failed to create DTLS connection for AP 10:169:2:142 (31537).*spamApTask4: Mar 07 14:58:24.345: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 4c:4e:35:57:bb:fb: Failed to create DTLS connection for AP 10:169:2:153 (31680).*spamApTask0: Mar 07 14:58:23.737: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 4c:4e:35:b3:da:37: Failed to create DTLS connection for AP 10:169:2:171 (15781).*spamApTask6: Mar 07 14:58:23.535: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 4c:4e:35:b3:e3:85: Failed to create DTLS connection for AP 10:169:2:147 (15930).
The only way that I found to solve it has been perform a reset factory default on APs. Unfortunately the APs have not SSH, TELNET or HTTP access enabled and I haven't physical access to all the APs.
Are there some other way to solve thas?
Hi Joan,
spamApTask0: Mar 07 14:58:25.789: #CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:7305 4c:4e:35:b3:da:37: Failed to create DTLS connection for AP 10:169:2:171 (15781).
As per logs this is the problem related to Certificate. Make sure that time setting on WLC is correct and updated.
means Unable to create the DTLS database entry for the AP.
Can you paste more info:
From WLC: Sh sysinfo
From AP: sh version
Also paste the entire bootup process from AP console.
Scott is right , for this kind of things you must raise a TAC case.
Regards
Dont forget to rate helpful posts
Similar Messages
-
How many APs Can I join a WLC 4402 and WiSM?
I have a WLC with 20 APs joined into the same management VLAN and
I'll deploy other campus with 240 APs and 2 WiSMs Blade.
Is there any recomendation about how many APs Can I put on the same management VLAN?
thanks a lotCisco recommends 60 - 100 access points per vlan. Attached is the best pratices document
https://cisco.hosted.jivesoftware.com/docs/DOC-4204 -
AP1142N doesn't join his WLC (5508)
Hello,
My APs 1142N don't join their WLC. APs and WLC management interface are in the same vlan (WLC can ping all the APs). It is strange because it doesn't seem like they are trying to contact the WLC.
What's strange is that I have other AP 1142N which joined this WLC without any problem.
(Cisco Controller) >show sysinfoManufacturer's Name.............................. Cisco Systems Inc.Product Name..................................... Cisco ControllerProduct Version.................................. 7.0.98.214Bootloader Version............................... 1.0.1Field Recovery Image Version..................... N/AFirmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27Build Type....................................... DATA + WPS ...
ap#show versionCisco IOS Software, C1140 Software (C1140-K9W7-M), Version 12.4(21a)JA1, RELEASE SOFTWARE (fc1)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2009 by Cisco Systems, Inc.Compiled Wed 16-Sep-09 18:09 by prod_rel_teamROM: Bootstrap program is C1140 boot loaderBOOTLDR: C1140 Boot Loader (C1140-BOOT-M) Version 12.4(23c)JA6, RELEASE SOFTWARE (fc1)ap uptime is 43 minutesSystem returned to ROM by power-onSystem image file is "flash:/c1140-k9w7-mx.124-21a.JA1/c1140-k9w7-mx.124-21a.JA1" ...cisco AIR-AP1142N-E-K9 (PowerPC405ex) processor (revision A0) with 98294K/32768K bytes of memory.Processor board ID FCZ1649D2U0PowerPC405ex CPU at 586Mhz, revision number 0x147ELast reset from power-on1 Gigabit Ethernet interface2 802.11 Radio(s)32K bytes of flash-simulated non-volatile configuration memory.Base ethernet MAC Address: E0:2F:6D:A5:AA:F6Part Number : 73-12836-06PCA Assembly Number : 800-33767-06PCA Revision Number : A0PCB Serial Number : FOC164732R2Top Assembly Part Number : 800-33775-05Top Assembly Serial Number : FCZ1649D2U0Top Revision Number : A0Product/Model Number : AIR-AP1142N-E-K9
Regards,Ok thank. I didn't notice that it was an autonomous image.
It seems that I can't use this guide (http://www.cisco.com/en/US/docs/wireless/access_point/conversion/lwapp/upgrade/guide/lwapnote.html#wp157147) to upgrade them to lightweight (can't install software on windows seven).
Regards -
AP1252 can´t join on WLC
WLC software 7.2.103.0
1. first problem: AP1252 can´t join on WLC. MAC was add on mac filter properly.
170
Mon Apr 9 15:37:32 2012
Mesh Node '2c:3f:38:be:53:ef' failed to join controller, MAC address not in MAC filter list.
171
Mon Apr 9 15:37:32 2012
AAA Authentication Failure for UserName:2c3f38be53e0 User Type: WLAN USER
172
Mon Apr 9 15:37:32 2012
Coverage hole pre alarm for client[1] 40:a6:d9:ef:87:68 on 802.11b/g interface of AP 2c:3f:38:bf:0c:80 (AP2c3f.38bf.0c80). Hist: 46 7 5 4 2 1 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
173
Mon Apr 9 15:37:32 2012
Coverage hole pre alarm for client[1] 8c:7b:9d:05:a0:67 on 802.11b/g interface of AP 2c:3f:38:bf:0c:80 (AP2c3f.38bf.0c80). Hist: 50 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
174
Mon Apr 9 15:37:30 2012
Interference Profile Failed for Base Radio MAC: 2c:3f:38:bf:1e:40 and slotNo: 0
175
Mon Apr 9 15:37:28 2012
Mesh child node 'd4:d7:48:6d:48:2f' has changed its parent to mesh node '2c:3f:38:bf:ef:60' from mesh node 'd4:d7:48:6c:7d:80'.
176
Mon Apr 9 15:37:28 2012
Mesh Node '2c:3f:38:bf:1d:2f' failed to join controller, MAC address not in MAC filter list.
177
Mon Apr 9 15:37:28 2012
AAA Authentication Failure for UserName:2c3f38bf1d20 User Type: WLAN USER
178
Mon Apr 9 15:37:28 2012
Mesh child node '2c:3f:38:bf:1d:2f' has changed its parent to mesh node 'd4:d7:48:6c:70:e0' from mesh node '2c:3f:38:be:55:00'.
179
Mon Apr 9 15:37:28 2012
Interference Profile Updated to Pass for Base Radio MAC: 2c:3f:38:bf:4b:20 and slotNo: 0
180
Mon Apr 9 15:37:27 2012
Interference Profile Failed for Base Radio MAC: d4:d7:48:6c:81:60 and slotNo: 0
Several APs can´t join on WLC and all are added on MAC filter, but they are showing this messages.
2 . Second problem.: Operational Status = UNKNOWN
Some Access Point are in UNKNOWN status. I tried but I can´t do the reboot.
I can access Web config the APs using WLC, but when I applied the reset, it wasn´t working properly.Murlio:
Is the AP model 1522 or 1252? I think you mean outdoor AP 1522 (which needs a mac filter). right?
please double check the mac filter you added. Try to delete then add it again if necessary.
it is obvious that it is a mac filter problem. be sure that you add the correct mac address and it is written correctly with the correct format and the mac filter created for "any WLAN" and the interface Name is "management".
Hope this will solve the issue.
Amjad -
Hi,
I have an existing setup where in i have a 4400 WLC and AP 1242 registered to it.
I had to replace the WLC with a new 5500 WLC. I tried registering the the 1242 AP with this new controller but i'm getting the following error message:
AP0026.0b4d.093a#
*Apr 25 07:51:59.216: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.7.51.11:5246
Translating "CISCO-LWAPP-CONTROLLER"...domain server (255.255.255.255)
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Apr 25 07:52:13.735: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-LWAPP-CONTROLLER
AP0026.0b4d.093a#
Translating "CISCO-LWAPP-CONTROLLER"...domain server (255.255.255.255)
*Apr 25 07:52:22.736: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
*Apr 25 07:52:22.736: %CAPWAP-3-ERRORLOG: Dropping dtls packet since session is not established.
*Apr 25 07:52:22.794: %WIDS-6-DISABLED: IDS Signature is removed and disabled.
*Apr 25 07:52:22.795: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Apr 25 07:52:22.796: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Apr 25 07:52:22.863: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Apr 25 07:52:22.863: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Apr 25 07:52:22.885: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Apr 25 07:52:22.885: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
*Apr 25 07:52:22.886: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Apr 25 07:52:22.918: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Apr 25 07:52:22.918: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Apr 25 07:52:22.946: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
*Apr 25 07:52:22.947: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Apr 25 07:52:31.885: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-LWAPP-CONTROLLER
*Apr 25 07:52:40.886: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
*Apr 25 07:52:40.888: status of voice_diag_test from WLC is false
*Apr 25 07:52:40.889: %CAPWAP-3-ERRORLOG: Could not send primary discoveryrequest. The CAPWAP state has not moved to RUN yet
*Apr 25 07:52:40.890: %CAPWAP-3-ERRORLOG: Could not send primary discoveryrequest. The CAPWAP state has not moved to RUN yet
*Apr 25 07:52:40.900: %LWAPP-3-CLIENTERRORLOG: Primary Discovery Reply: received primary discovery reply when connected to a Primary/Secondary/Tertiary controller
*Apr 25 07:52:50.887: %CAPWAP-3-ERRORLOG: Selected MWAR 'L&T-WLC-Powai'(index 0).
*Apr 25 07:52:50.887: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Apr 25 13:23:03.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.5.3 peer_port: 5246
*Apr 25 13:23:03.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Apr 25 13:23:04.717: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.5.3 peer_port: 5246
*Apr 25 13:23:04.718: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.5.3
*Apr 25 13:23:04.718: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Apr 25 13:23:04.719: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.5.3
*Apr 25 13:23:04.719: %DTLS-5-PEER_DISCONNECT: Peer 172.16.5.3 has closed connection.
*Apr 25 13:23:04.720: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.5.3:5246
*Apr 25 13:23:04.721: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Apr 25 07:52:41.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.7.51.11 peer_port: 5246
*Apr 25 07:52:41.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Apr 25 07:52:42.449: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.7.51.11 peer_port: 5246
*Apr 25 07:52:42.450: %CAPWAP-5-SENDJOIN: sending Join Request to 10.7.51.11
*Apr 25 07:52:42.450: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Apr 25 07:52:42.647: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*Apr 25 07:52:42.794: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Apr 25 07:52:42.807: %CAPWAP-5-CHANGED: CAPWAP changed state to UP
*Apr 25 07:52:42.808: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Apr 25 07:52:42.879: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WLC1-T
*Apr 25 07:52:42.940: %LWAPP-3-CLIENTEVENTLOG: SSID LTHE-Mobile added to the slot[0]
Writing out the event log to nvram...
The AP is getting a close message from the new controller. What could the issue be?After the AP gets a close message from the new WLC, it gets re associated to the old WLC.
-
Trouble getting Cisco 2600 Series AP to stay joined to WLC 5508
Hi,
I have recently been tasked with upgrading our old Autonomous APs to LWAPs. We have a 5508 WLC at our Virtual Co-Lo and I am using Flexconnect to accomadate local switching and dhcp at our sites. I have upgraded over 50 APs and joined them to the controller. These include only 1130AG and 1240AG models. However they are working flawlessly and staying connected to the controller. The issue I'm having is with a new batch of 2600 series APs staying connected to the controller. I have attempted to do research into what may be causing the disconnects but have yet to find a solution. I am using DNS to resolve the CAPWAP & LWAPP queries from the APs to the controller accross our WAN. In reading other posts I thought it may be an issue with packets getting dropped but have had our Vendor who manages Sonicwalls at both ends of the WAN confirm for me there is no packet loss. Below are logs I gathered using puttty from the AP & WLC. Any help would be greatly appreciated.
AP I'm doing the testing on:
NAME: "AP2600", DESCR: "Cisco Aironet 2600 Series (IEEE 802.11n) Access Point"
PID: AIR-CAP2602I-A-K9 , VID: V01, SN: FTX1740J8V1
WLC in question:
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.3.112.0
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... 6.0.182.0
Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
Build Type....................................... DATA + WPS
System Name...................................... wificontroller
System Location.................................. Corp
System Contact................................... Net Engineer
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
Redundancy Mode.................................. Disabled
IP Address....................................... 10.250.32.8
Last Reset....................................... Software reset
System Up Time................................... 190 days 3 hrs 34 mins 24 secs
System Timezone Location......................... (GMT -5:00) Eastern Time (US and Canada)
Configured Country............................... US - United States
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
--More-- or (q)uit
Internal Temperature............................. +38 C
External Temperature............................. +20 C
Fan Status....................................... OK
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 14
Number of Active Clients......................... 71
Burned-in MAC Address............................ C8:9C:1D:8C:52:E0
Power Supply 1................................... Present, OK
Power Supply 2................................... Absent
Maximum number of APs supported.................. 100
Here is the output that keeps on occuring as the AP joins the WLC for a brief time and then changes to standalone mode
WT-4thFlr-AP3#
*Dec 14 15:42:04.419: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST
., 3)
*Dec 14 15:42:11.443: %EVT-4-WRN: Write of flash:/event.capwap done
*Dec 14 15:42:11.483: %LWAPP-3-CLIENTERRORLOG: Switching to Standalone mode
*Dec 14 15:42:11.487: %CAPWAP-3-ERRORLOG: GOING BACK TO DISCOVER MODE
*Dec 14 15:42:11.487: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.250.32.8:5246
*Dec 14 15:42:11.571: %WIDS-6-DISABLED: IDS Signature is removed and disabled.
*Dec 14 15:42:21.575: %CAPWAP-3-ERRORLOG: Selected MWAR 'wificontroller'(index 0).
*Dec 14 15:42:21.575: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Dec 14 15:42:12.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.250.32.8 peer_port: 5246
*Dec 14 15:42:14.303: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.250.32.8 peer_port: 5246
*Dec 14 15:42:14.303: %CAPWAP-5-SENDJOIN: sending Join Request to 10.250.32.8
*Dec 14 15:42:15.127: Starting Ethernet promiscuous mode
*Dec 14 15:42:15.535: %LWAPP-4-CLIENTEVENTLOG: OfficeExtend Localssid saved in AP flash
*Dec 14 15:42:15.667: ac_first_hop_mac - IP:10.1.2.250 Hop IP:10.1.2.250 IDB:BVI1
*Dec 14 15:42:15.667: Setting AC first hop MAC: 0017.c575.a23c
*Dec 14 15:42:15.855: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller wificontroller
*Dec 14 15:42:15.911: %LWAPP-4-CLIENTEVENTLOG: No Flex ACL map configuration file to load. Connect to controller to get configuration file
*Dec 14 15:42:15.911: %LWAPP-4-CLIENTEVENTLOG: No Flex ACL map configuration file to load. Connect to controller to get configuration file
*Dec 14 15:42:15.911: %LWAPP-4-CLIENTEVENTLOG: No LS Flex ACL map configuration file to load. Connect to controller to get configuration file
*Dec 14 15:42:15.915: %LWAPP-4-CLIENTEVENTLOG: No Central Dhcp map configuration file to load. Connect to controller to get configuration file
*Dec 14 15:42:15.915: %LWAPP-3-CLIENTERRORLOG: Switching to Connected mode
*Dec 14 15:42:23.639: %WIDS-6-ENABLED: IDS Signature is loaded and enabled
*Dec 14 15:42:34.615: %CLEANAIR-6-STATE: Slot 0 disabled
*Dec 14 15:42:34.615: %CLEANAIR-6-STATE: Slot 1 disabled
*Dec 14 15:45:43.783: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST
., 11)
*Dec 14 15:45:43.787: %LWAPP-3-CLIENTERRORLOG: Switching to Standalone mode
*Dec 14 15:45:43.787: %CAPWAP-3-ERRORLOG: GOING BACK TO DISCOVER MODE
*Dec 14 15:45:43.787: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.250.32.8:5246
*Dec 14 15:45:43.867: %WIDS-6-DISABLED: IDS Signature is removed and disabled.
*Dec 14 15:45:53.867: %CAPWAP-3-ERRORLOG: Selected MWAR 'wificontroller'(index 0).
*Dec 14 15:45:53.867: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Dec 14 15:45:44.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.250.32.8 peer_port: 5246
*Dec 14 15:45:46.315: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.250.32.8 peer_port: 5246
*Dec 14 15:45:46.315: %CAPWAP-5-SENDJOIN: sending Join Request to 10.250.32.8
*Dec 14 15:45:46.487: Starting Ethernet promiscuous mode
*Dec 14 15:45:49.903: %LWAPP-4-CLIENTEVENTLOG: OfficeExtend Localssid saved in AP flash
*Dec 14 15:45:50.031: ac_first_hop_mac - IP:10.1.2.250 Hop IP:10.1.2.250 IDB:BVI1
*Dec 14 15:45:50.031: Setting AC first hop MAC: 0017.c575.a23c
Here are the results of debug capwap client event on the AP:
WT-4thFlr-AP3#debug capwap client event
CAPWAP Client EVENT display debugging is on
WT-4thFlr-AP3#
*Dec 14 15:54:58.335: %CAPWAP-3-EVENTLOG: Echo Interval Expired.
*Dec 14 15:54:58.335: %CAPWAP-3-EVENTLOG: Sending packet to AC
*Dec 14 15:54:58.335: %CAPWAP-3-EVENTLOG: Echo Request sent to 10.250.32.8
*Dec 14 15:54:58.343: %CAPWAP-3-EVENTLOG: Resetting reTransmissionCnt to 0
*Dec 14 15:54:58.343: %CAPWAP-3-EVENTLOG: Queue Empty.
*Dec 14 15:54:58.343: %CAPWAP-3-EVENTLOG: Echo Response from 10.250.32.8
*Dec 14 15:55:08.000: %CAPWAP-3-EVENTLOG: Setting time to 15:55:08 UTC Dec 14 2013
*Dec 14 15:55:25.579: %CAPWAP-3-EVENTLOG: Sending packet to AC
*Dec 14 15:55:25.587: %CAPWAP-3-EVENTLOG: Resetting reTransmissionCnt to 0
*Dec 14 15:55:25.587: %CAPWAP-3-EVENTLOG: Queue Empty.
*Dec 14 15:55:25.587: %CAPWAP-3-EVENTLOG: Wtp Event Response from 10.250.32.8
*Dec 14 15:55:25.827: %CAPWAP-3-EVENTLOG: Sending packet to AC
*Dec 14 15:55:25.835: %CAPWAP-3-EVENTLOG: Resetting reTransmissionCnt to 0
*Dec 14 15:55:25.835: %CAPWAP-3-EVENTLOG: Queue Empty.
*Dec 14 15:55:25.835: %CAPWAP-3-EVENTLOG: Wtp Event Response from 10.250.32.8
*Dec 14 15:55:55.835: %CAPWAP-3-EVENTLOG: Echo Interval Expired.
*Dec 14 15:55:55.835: %CAPWAP-3-EVENTLOG: Sending packet to AC
*Dec 14 15:55:55.835: %CAPWAP-3-EVENTLOG: Echo Request sent to 10.250.32.8
*Dec 14 15:55:55.843: %CAPWAP-3-EVENTLOG: Resetting reTransmissionCnt to 0
*Dec 14 15:55:55.843: %CAPWAP-3-EVENTLOG: Queue Empty.
*Dec 14 15:55:55.843: %CAPWAP-3-EVENTLOG: Echo Response from 10.250.32.8
*Dec 14 15:55:56.000: %CAPWAP-3-EVENTLOG: Setting time to 15:55:56 UTC Dec 14 2013
*Dec 14 15:56:25.735: %CAPWAP-3-EVENTLOG: Sending packet to AC
*Dec 14 15:56:25.743: %CAPWAP-3-EVENTLOG: Resetting reTransmissionCnt to 0
*Dec 14 15:56:25.743: %CAPWAP-3-EVENTLOG: Queue Empty.
*Dec 14 15:56:25.743: %CAPWAP-3-EVENTLOG: Wtp Event Response from 10.250.32.8
*Dec 14 15:56:25.983: %CAPWAP-3-EVENTLOG: Sending packet to AC
*Dec 14 15:56:25.991: %CAPWAP-3-EVENTLOG: Resetting reTransmissionCnt to 0
*Dec 14 15:56:25.991: %CAPWAP-3-EVENTLOG: Queue Empty.
*Dec 14 15:56:25.991: %CAPWAP-3-EVENTLOG: Wtp Event Response from 10.250.32.8
*Dec 14 15:56:55.991: %CAPWAP-3-EVENTLOG: Echo Interval Expired.
*Dec 14 15:56:55.991: %CAPWAP-3-EVENTLOG: Sending packet to AC
*Dec 14 15:56:55.991: %CAPWAP-3-EVENTLOG: Echo Request sent to 10.250.32.8
*Dec 14 15:56:55.999: %CAPWAP-3-EVENTLOG: Resetting reTransmissionCnt to 0
*Dec 14 15:56:55.999: %CAPWAP-3-EVENTLOG: Queue Empty.
*Dec 14 15:56:55.999: %CAPWAP-3-EVENTLOG: Echo Response from 10.250.32.8
*Dec 14 15:56:56.000: %CAPWAP-3-EVENTLOG: Setting time to 15:56:56 UTC Dec 14 2013
Here are the results of debug capwap client packet detail:
WT-4thFlr-AP3#
*Dec 14 15:59:01.823: <<<< Start of CAPWAP Packet >>>>
*Dec 14 15:59:01.823: CAPWAP Control mesg Sent to 10.250.32.8, Port 5246
*Dec 14 15:59:01.823: Msg Type : CAPWAP_ECHO_REQUEST
*Dec 14 15:59:01.823: Msg Length : 0
*Dec 14 15:59:01.823: Msg SeqNum : 44
*Dec 14 15:59:01.823: <<<< End of CAPWAP Packet >>>>
*Dec 14 15:59:01.831: <<<< Start of CAPWAP Packet >>>>
*Dec 14 15:59:01.831: CAPWAP Control mesg Recd from 10.250.32.8, Port 5246
*Dec 14 15:59:01.831: HLEN 2, Radio ID 0, WBID 1
*Dec 14 15:59:01.831: Msg Type : CAPWAP_ECHO_RESPONSE
*Dec 14 15:59:01.831: Msg Length : 15
*Dec 14 15:59:01.831: Msg SeqNum : 44
*Dec 14 15:59:01.831:
*Dec 14 15:59:01.831: Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 11
*Dec 14 15:59:01.831: Vendor Identifier : 0x00409600
*Dec 14 15:59:01.831:
*Dec 14 15:59:01.831:
IE : UNKNOWN IE 151
*Dec 14 15:59:01.831: IE Length : 5
*Dec 14 15:59:01.831: Decode routine not available, Printing Hex Dump
*Dec 14 15:59:01.831:
52 AC 80 46 00
*Dec 14 15:59:01.831: <<<< End of CAPWAP Packet >>>>
*Dec 14 15:59:20.931: <<<< Start of CAPWAP Packet >>>>
*Dec 14 15:59:20.931: CAPWAP Control mesg Recd from 10.250.32.8, Port 5246
*Dec 14 15:59:20.931: HLEN 2, Radio ID 0, WBID 1
*Dec 14 15:59:20.931: Msg Type : CAPWAP_CONFIGURATION_UPDATE_REQUEST
*Dec 14 15:59:20.931: Msg Length : 93
*Dec 14 15:59:20.931: Msg SeqNum : 38
*Dec 14 15:59:20.931:
*Dec 14 15:59:20.931: Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 89
*Dec 14 15:59:20.931: Vendor Identifier : 0x00409600
*Dec 14 15:59:20.931:
*Dec 14 15:59:20.931:
IE : RRM_NEIGHBOR_CTRL_PAYLOAD
*Dec 14 15:59:20.931: IE Length : 83
*Dec 14 15:59:20.931: Decode routine not available, Printing Hex Dump
*Dec 14 15:59:20.931:
00 0A FA 20 08 01 F4 00 07 0A FA 20 08 03 00 01
01 00 3C 00 B4 2E 06 2E E7 B4 94 51 B2 C7 79 25
22 FD BE 04 F6 00 00 00 00 00 00 00 00 4F 50 52
53 2D 57 69 46 69 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 01 06 0B
01 01 01
*Dec 14 15:59:20.931: <<<< End of CAPWAP Packet >>>>
*Dec 14 15:59:20.931: <<<< Start of CAPWAP Packet >>>>
*Dec 14 15:59:20.931: CAPWAP Control mesg Sent to 10.250.32.8, Port 5246
*Dec 14 15:59:20.931: Msg Type : CAPWAP_CONFIGURATION_UPDATE_RESPONSE
*Dec 14 15:59:20.931: Msg Length : 8
*Dec 14 15:59:20.931: Msg SeqNum : 38
*Dec 14 15:59:20.931:
*Dec 14 15:59:20.931: Type : CAPWAP_MSGELE_RESULT_CODE, Length 4
*Dec 14 15:59:20.931: Result Code : CAPWAP_SUCCESS
*Dec 14 15:59:20.931: <<<< End of CAPWAP Packet >>>>
*Dec 14 15:59:21.139: <<<< Start of CAPWAP Packet >>>>
*Dec 14 15:59:21.139: CAPWAP Control mesg Recd from 10.250.32.8, Port 5246
*Dec 14 15:59:21.139: HLEN 2, Radio ID 0, WBID 1
*Dec 14 15:59:21.139: Msg Type : CAPWAP_CONFIGURATION_UPDATE_REQUEST
*Dec 14 15:59:21.139: Msg Length : 111
*Dec 14 15:59:21.139: Msg SeqNum : 39
*Dec 14 15:59:21.139:
*Dec 14 15:59:21.139: Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 107
*Dec 14 15:59:21.139: Vendor Identifier : 0x00409600
*Dec 14 15:59:21.139:
*Dec 14 15:59:21.139:
IE : RRM_NEIGHBOR_CTRL_PAYLOAD
*Dec 14 15:59:21.139: IE Length : 101
*Dec 14 15:59:21.139: Decode routine not available, Printing Hex Dump
*Dec 14 15:59:21.143:
01 0A FA 20 08 01 F4 00 07 0A FA 20 08 0C 00 01
01 00 3C 00 B4 2E 06 2E E7 B4 94 51 B2 C7 79 25
22 FD BE 04 F6 00 00 00 00 00 00 00 00 4F 50 52
53 2D 57 69 46 69 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 24 28 2C
30 34 38 3C 40 95 99 9D A1 01 01 01 01 01 01 01
01 01 01 01 01
*Dec 14 15:59:21.143: <<<< End of CAPWAP Packet >>>>
*Dec 14 15:59:21.143: <<<< Start of CAPWAP Packet >>>>
*Dec 14 15:59:21.143: CAPWAP Control mesg Sent to 10.250.32.8, Port 5246
*Dec 14 15:59:21.143: Msg Type : CAPWAP_CONFIGURATION_UPDATE_RESPONSE
*Dec 14 15:59:21.143: Msg Length : 8
*Dec 14 15:59:21.143: Msg SeqNum : 39
*Dec 14 15:59:21.143:
*Dec 14 15:59:21.143: Type : CAPWAP_MSGELE_RESULT_CODE, Length 4
*Dec 14 15:59:21.143: Result Code : CAPWAP_SUCCESS
*Dec 14 15:59:21.143: <<<< End of CAPWAP Packet >>>>
*Dec 14 15:59:25.547: <<<< Start of CAPWAP Packet >>>>
*Dec 14 15:59:25.547: CAPWAP Control mesg Sent to 10.250.32.8, Port 5246
*Dec 14 15:59:25.547: Msg Type : CAPWAP_WTP_EVENT_REQUEST
*Dec 14 15:59:25.547: Msg Length : 14
*Dec 14 15:59:25.547: Msg SeqNum : 45
*Dec 14 15:59:25.547:
*Dec 14 15:59:25.547: Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 10
*Dec 14 15:59:25.547: Vendor Identifier : 0x00409600
*Dec 14 15:59:25.547:
*Dec 14 15:59:25.547:
IE : RRM_LOAD_DATA_PAYLOAD
*Dec 14 15:59:25.547: IE Length : 4
*Dec 14 15:59:25.547: slot 0 rxLoad 0 txLoad 0 ccaLoad 33
*Dec 14 15:59:25.547: <<<< End of CAPWAP Packet >>>>
*Dec 14 15:59:25.555: <<<< Start of CAPWAP Packet >>>>
*Dec 14 15:59:25.555: CAPWAP Control mesg Recd from 10.250.32.8, Port 5246
*Dec 14 15:59:25.555: HLEN 2, Radio ID 0, WBID 1
*Dec 14 15:59:25.555: Msg Type : CAPWAP_WTP_EVENT_RESPONSE
*Dec 14 15:59:25.555: Msg Length : 0
*Dec 14 15:59:25.555: Msg SeqNum : 45
*Dec 14 15:59:25.555: <<<< End of CAPWAP Packet >>>>
*Dec 14 15:59:25.795: <<<< Start of CAPWAP Packet >>>>
*Dec 14 15:59:25.795: CAPWAP Control mesg Sent to 10.250.32.8, Port 5246
*Dec 14 15:59:25.795: Msg Type : CAPWAP_WTP_EVENT_REQUEST
*Dec 14 15:59:25.795: Msg Length : 14
*Dec 14 15:59:25.795: Msg SeqNum : 46
*Dec 14 15:59:25.795:
*Dec 14 15:59:25.795: Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 10
*Dec 14 15:59:25.795: Vendor Identifier : 0x00409600
*Dec 14 15:59:25.795:
*Dec 14 15:59:25.795:
IE : RRM_LOAD_DATA_PAYLOAD
*Dec 14 15:59:25.795: IE Length : 4
*Dec 14 15:59:25.795: slot 1 rxLoad 0 txLoad 0 ccaLoad 0
*Dec 14 15:59:25.795: <<<< End of CAPWAP Packet >>>>
*Dec 14 15:59:25.803: <<<< Start of CAPWAP Packet >>>>
*Dec 14 15:59:25.803: CAPWAP Control mesg Recd from 10.250.32.8, Port 5246
*Dec 14 15:59:25.803: HLEN 2, Radio ID 0, WBID 1
*Dec 14 15:59:25.803: Msg Type : CAPWAP_WTP_EVENT_RESPONSE
*Dec 14 15:59:25.803: Msg Length : 0
*Dec 14 15:59:25.803: Msg SeqNum : 46
*Dec 14 15:59:25.803: <<<< End of CAPWAP Packet >>>>
*Dec 14 15:59:30.375: <<<< Start of CAPWAP Packet >>>>
*Dec 14 15:59:30.375: CAPWAP Control mesg Recd from 10.250.32.8, Port 5246
*Dec 14 15:59:30.375: HLEN 2, Radio ID 0, WBID 1
*Dec 14 15:59:30.375: Msg Type : CAPWAP_CONFIGURATION_UPDATE_REQUEST
*Dec 14 15:59:30.375: Msg Length : 17
*Dec 14 15:59:30.375: Msg SeqNum : 40
*Dec 14 15:59:30.375:
*Dec 14 15:59:30.375: Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 13
*Dec 14 15:59:30.375: Vendor Identifier : 0x00409600
SlotId : 0
Mobile Mac Addr : BC:52:B7:E3:17:CB
*Dec 14 15:59:30.375: <<<< End of CAPWAP Packet >>>>
*Dec 14 15:59:30.375: <<<< Start of CAPWAP Packet >>>>
*Dec 14 15:59:30.375: CAPWAP Control mesg Sent to 10.250.32.8, Port 5246
*Dec 14 15:59:30.375: Msg Type : CAPWAP_CONFIGURATION_UPDATE_RESPONSE
*Dec 14 15:59:30.379: Msg Length : 8
*Dec 14 15:59:30.379: Msg SeqNum : 40
*Dec 14 15:59:30.379:
*Dec 14 15:59:30.379: Type : CAPWAP_MSGELE_RESULT_CODE, Length 4
*Dec 14 15:59:30.379: Result Code : CAPWAP_SUCCESS
*Dec 14 15:59:30.379: <<<< End of CAPWAP Packet >>>>
*Dec 14 15:59:30.387: <<<< Start of CAPWAP Packet >>>>
*Dec 14 15:59:30.387: CAPWAP Control mesg Recd from 10.250.32.8, Port 5246
*Dec 14 15:59:30.387: HLEN 2, Radio ID 0, WBID 1
*Dec 14 15:59:30.387: Msg Type : CAPWAP_WTP_EVENT_RESPONSE
*Dec 14 15:59:30.387: Msg Length : 0
*Dec 14 15:59:30.387: Msg SeqNum : 47
*Dec 14 15:59:30.387: <<<< End of CAPWAP Packet >>>>
*Dec 14 16:00:00.387: <<<< Start of CAPWAP Packet >>>>
*Dec 14 16:00:00.387: CAPWAP Control mesg Sent to 10.250.32.8, Port 5246
*Dec 14 16:00:00.387: Msg Type : CAPWAP_ECHO_REQUEST
*Dec 14 16:00:00.387: Msg Length : 0
*Dec 14 16:00:00.387: Msg SeqNum : 48
*Dec 14 16:00:00.387: <<<< End of CAPWAP Packet >>>>
*Dec 14 16:00:00.395: <<<< Start of CAPWAP Packet >>>>
*Dec 14 16:00:00.395: CAPWAP Control mesg Recd from 10.250.32.8, Port 5246
*Dec 14 16:00:00.395: HLEN 2, Radio ID 0, WBID 1
*Dec 14 16:00:00.395: Msg Type : CAPWAP_ECHO_RESPONSE
*Dec 14 16:00:00.395: Msg Length : 15
*Dec 14 16:00:00.395: Msg SeqNum : 48
*Dec 14 16:00:00.395:
*Dec 14 16:00:00.395: Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 11
*Dec 14 16:00:00.395: Vendor Identifier : 0x00409600
*Dec 14 16:00:00.395:
*Dec 14 16:00:00.395:
IE : UNKNOWN IE 151
*Dec 14 16:00:00.395: IE Length : 5
*Dec 14 16:00:00.395: Decode routine not available, Printing Hex Dump
*Dec 14 16:00:00.395:
52 AC 80 81 00
*Dec 14 16:00:00.395: <<<< End of CAPWAP Packet >>>>Under my AP Policies I only have "Accept Manufactured Installed Certificate (MIC)" checked. I attempted to add the AP based on MAC Address (c0:67:af:6f:25:70) with this certificate type but still have the same issue. I then ran the following debug on my controller and this is the output I recieve regarding that MAC. I tried to cut the output short because it get's somewhat redundant but was unsure what exactly to look for in the output. Should I be selecting a different certificate type? I am somewhat new to wireless technologies but doing my best to pick things up so if this seems trivial please forgive my ignorance.
debug pm pki enable
*sshpmLscTask: Dec 14 20:42:56.450: sshpmLscTask: LSC Task received a message 4
*spamApTask6: Dec 14 20:42:58.840: sshpmGetIssuerHandles: locking ca cert table
*spamApTask6: Dec 14 20:42:58.841: sshpmGetIssuerHandles: calling x509_alloc() for user cert
*spamApTask6: Dec 14 20:42:58.841: sshpmGetIssuerHandles: calling x509_decode()
*spamApTask6: Dec 14 20:42:58.845: sshpmGetIssuerHandles: C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AP3G2-c067af6f2570, [email protected]
*spamApTask6: Dec 14 20:42:58.845: sshpmGetIssuerHandles: O=Cisco Systems, CN=Cisco Manufacturing CA
*spamApTask6: Dec 14 20:42:58.845: sshpmGetIssuerHandles: Mac Address in subject is c0:67:af:6f:25:70
*spamApTask6: Dec 14 20:42:58.845: sshpmGetIssuerHandles: Cert Name in subject is AP3G2-c067af6f2570
*spamApTask6: Dec 14 20:42:58.845: sshpmGetIssuerHandles: Cert is issued by Cisco Systems.
*spamApTask6: Dec 14 20:42:58.845: sshpmGetCID: called to evaluate
*spamApTask6: Dec 14 20:42:58.845: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
*spamApTask6: Dec 14 20:42:58.845: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
*spamApTask6: Dec 14 20:42:58.845: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
*spamApTask6: Dec 14 20:42:58.845: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
*spamApTask6: Dec 14 20:42:58.845: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
*spamApTask6: Dec 14 20:42:58.845: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
*spamApTask6: Dec 14 20:42:58.845: sshpmGetCertFromCID: called to get cert for CID 282aef7e
*spamApTask6: Dec 14 20:42:58.845: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<
*spamApTask6: Dec 14 20:42:58.845: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<
*spamApTask6: Dec 14 20:42:58.845: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<
*spamApTask6: Dec 14 20:42:58.845: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<
*spamApTask6: Dec 14 20:42:58.845: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<
*spamApTask6: Dec 14 20:42:58.845: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<
*spamApTask6: Dec 14 20:42:58.845: ssphmUserCertVerify: calling x509_decode()
*spamApTask6: Dec 14 20:42:58.856: ssphmUserCertVerify: user cert verfied using >cscoDefaultMfgCaCert<
*spamApTask6: Dec 14 20:42:58.856: sshpmGetIssuerHandles: ValidityString (current): 2013/12/15/01:42:58
*spamApTask6: Dec 14 20:42:58.856: sshpmGetIssuerHandles: ValidityString (NotBefore): 2013/08/25/13:01:22
*spamApTask6: Dec 14 20:42:58.856: sshpmGetIssuerHandles: ValidityString (NotAfter): 2023/08/25/13:11:22
*spamApTask6: Dec 14 20:42:58.856: sshpmGetIssuerHandles: getting cisco ID cert handle...
*spamApTask6: Dec 14 20:42:58.856: sshpmGetCID: called to evaluate
*spamApTask6: Dec 14 20:42:58.856: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
*spamApTask6: Dec 14 20:42:58.856: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
*spamApTask6: Dec 14 20:42:58.856: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
*spamApTask6: Dec 14 20:42:58.856: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
*spamApTask6: Dec 14 20:42:58.856: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
*spamApTask6: Dec 14 20:42:58.856: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
*spamApTask6: Dec 14 20:42:58.856: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
*spamApTask6: Dec 14 20:42:58.856: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
*spamApTask6: Dec 14 20:42:58.856: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
*spamApTask6: Dec 14 20:42:58.857: sshpmFreePublicKeyHandle: called with 0x2c5f0cb8
*spamApTask6: Dec 14 20:42:58.857: sshpmFreePublicKeyHandle: freeing public key
*spamApTask0: Dec 14 20:43:17.451: sshpmGetCID: called to evaluate
*spamApTask0: Dec 14 20:43:17.451: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
*spamApTask0: Dec 14 20:43:17.451: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
*spamApTask0: Dec 14 20:43:17.451: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
*spamApTask0: Dec 14 20:43:17.451: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
*spamApTask0: Dec 14 20:43:17.451: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
*spamApTask0: Dec 14 20:43:17.451: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
*spamApTask0: Dec 14 20:43:17.451: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
*spamApTask0: Dec 14 20:43:17.451: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
*spamApTask0: Dec 14 20:43:17.451: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
*spamApTask0: Dec 14 20:43:17.451: sshpmGetCertFromCID: called to get cert for CID 183fd2b6
*spamApTask0: Dec 14 20:43:17.451: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<
*spamApTask0: Dec 14 20:43:17.451: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<
*spamApTask0: Dec 14 20:43:17.451: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<
*spamApTask0: Dec 14 20:43:17.451: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<
*spamApTask0: Dec 14 20:43:17.451: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<
*spamApTask0: Dec 14 20:43:17.451: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<
*spamApTask0: Dec 14 20:43:17.451: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<
*spamApTask0: Dec 14 20:43:17.451: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultIdCert<
*spamApTask0: Dec 14 20:43:17.451: sshpmGetCertFromCID: comparing to row 2, certname >cscoDefaultIdCert<
*spamApTask0: Dec 14 20:43:17.451: sshpmGetCID: called to evaluate -
Help adding new WLC to existing ACS
Hi All,
I need help with this.
This network has a working WLC that authenticates wireless users against an ACS by MAC address. It works fine.
I need to add a new WLC.
I added the WLC, the APs connect to the WLC fine, but the users get limited connectivity and we've found out that is because the new WLC is getting authentication errors against the ACS.
The configuration of the new WLC is exactly the same as the current working WLC and both controllers show as AAA clients on the ACS.
I want to know if somebody can point me out in the right direction to solve this.
There's connectivity fine between all devices (as far as PING goes), and there's no Firewall or filters in between.
The difference I see on both WLCs is that on the working one (WLC1), under Security - AP Policies, we see the AP Authorization List with the MAC addresses/cert type/hash. We don't get this information on the non-working WLC (attached document shows both)
Also in the attached document, I'm sending the errors I get no the WLC2 controller.
Any help is greatly appreciated.
Federico.Federico,
I didn't get you when you say that you see only One WLC under groupsetup/Mac address. Could you please elaborate this?
Also, if you don't know see any NAR configured under shared profile component then check inside the group/user setup there must be either ip based or CLI/DNIS based NAR configured for WLC's and looking at failed attempts it seem that action is denied.
HTH
Regds,
JK
Do rate helpful posts- -
How can I add a new WLC on my network
Hi there,
I have a WLC4404(v4.0.219.0) and several APs on my network.
Those APs are belonged to a couple of vlans.
I planed to add a new WLC4404(v5.0.148.0) on same network with a old one.
I configured the new WLC4404 as a primary controller of the APs and the old on as a secondary.
I noticed some APs could be registered only on same vlan with the managemnet interface of the WLC.
How can I register the APs on different VLANs with Mgmt. of the WLC?
Let me know if you have a any idea.
Thanks
Jongkwan LeeWell since the ap's only know of the existing WLC, the only way they will join, is if you remove the existing wlc and let the ap's find the new wlc. When you configure the mobility group, that info is pushed to the ap, so that it knows of the new wlc. This way you can set the primary ap to the new one and the second wlc to the existing wlc.... make sure ap fallback is enabled so that the ap will try to join the new wlc. If you still have issues, I would console into the ap and capture the log when you faile the existing wlc.
-
We just completed deployment of (4) 5508-250's in a large enviroment. We are now trying to get some test AP's to join the new WLC's. At one point it appeared that one of the 5 joined but the other 4 did not. We rebboted everything including resetting the AP's to factory and upon doing that all 5 ap's came up and joined the legacy WISM's blades sitting in the core.
The new 5508's are sitting on a new stack of switches running 12.2.58(SE2) ip base. We have all new subnets for the new ap's as well as all vlan interfaces on the controllers themselves. IE: vlan 499 and vlan 500. Vlan 500 is Management and 499 is the ap-manager interfaces (32 of them).
1. Why would the new AP's prefer the old WISM to the 5508's?
2. What do we need to do to fix that until the we can do a migration?
3. The WLC's and the cores are not in the same stack. The WLC's are on the customers 6509 and the (4) 5508's are on a new 3750x stack with a port channel to the core 6509.
4. Does the new stack have to be running the L-3 IOS with a routing protocol running. The customers current enviroment is EIGRP.
5. I have looked at the new WLC configuration and compared it to other similar sites and they are the same with the exception of the L3 on the new 3750x stack.
Thanks,
Evan KalbachHere is my response to your queries.
1. Unless you configure primary,secondary (HA parameters) on your AP, it does not prefer 5508 as long as it can reach both controllers
2. You can configure the 5508 as primary controller ( & WiSM as secondary) to inluence AP to go to 5508 as first preference. You can try below CLI command on your WiSM for the APs you want to register to 5508 as primary & keep WiSM as secondary.
config ap secondary-base
config ap primary-base <5508 WLC name> <5508 Mgt IP>
3. WLC does not need to connect Core
4. As long as WLC have rachability to rest of networks, that's fine. No L3 routing required on the swich you connect the WLC.L3 gateway can be defined another L3 switch. Then you should have extend L2 from the WLC connect switch upto L3 defined switch.
5. Doesn't matter this.
HTH
Rasika
**** Pls rate all useful responses **** -
AP(2720e) not joining a WLC (2504)
I recently purchased two 2702e AP's to expand the wireless coverage of our network but when I plug them in, they will not join the AP for some reason.
This is what I am getting on the controller;
(Cisco Controller) >show ap join stats detailed f44e0544e944
Discovery phase statistics
- Discovery requests received.............................. 51
- Successful discovery responses sent...................... 26
- Unsuccessful discovery request processing................ 0
- Reason for last unsuccessful discovery attempt........... Not applicable
- Time at last successful discovery attempt................ Dec 08 10:24:37.695
- Time at last unsuccessful discovery attempt.............. Not applicable
Join phase statistics
- Join requests received................................... 0
- Successful join responses sent........................... 0
- Unsuccessful join request processing..................... 0
- Reason for last unsuccessful join attempt................ Not applicable
- Time at last successful join attempt..................... Not applicable
- Time at last unsuccessful join attempt................... Not applicable
Configuration phase statistics
- Configuration requests received.......................... 0
- Successful configuration responses sent.................. 0
- Unsuccessful configuration request processing............ 0
- Reason for last unsuccessful configuration attempt....... Not applicable
--More-- or (q)uit
- Time at last successful configuration attempt............ Not applicable
- Time at last unsuccessful configuration attempt.......... Not applicable
Last AP message decryption failure details
- Reason for last message decryption failure............... Not applicable
Last AP disconnect details
- Reason for last AP connection failure.................... Not applicable
- Last AP disconnect reason................................ Not applicable
Last join error summary
- Type of error that occurred last......................... None
- Reason for error that occurred last...................... Not applicable
- Time at which the last join error occurred............... Not applicable
AP disconnect details
- Reason for last AP connection failure.................... Not applicable
I have tried it with just the default settings and by setting the IP on the AP to no avail.
Any suggestion would be much appreciated.
EricHi Eric,
What software code is running on your 2504 ? I hope it is 7.6.130.0
If it is 8.0.100.0, then there was a crtical bug given below, you need to check whether you hitting this
https://tools.cisco.com/bugsearch/bug/CSCur43050
Conditions:
Seen only with APs that were manufactured in August, September or October, 2014 - all Aironet APs were affected EXCEPT the 700 series. Seen with WLCs running 8.0.100.0 or an 8.0.100.x special.
If the WLC was manufactured in September 2014, or later (i.e. has a SHA2 MIC), then the first symptom is seen, i.e. the AP joins the 8.0.100 WLC, downloads the image, but then fails to rejoin.
If the WLC was manufactured before September 2014 (i.e. does not have a SHA2 MIC), then the second symptom is seen, i.e. the AP can join the 8.0.100 WLC OK, but then will fail download during a subsequent upgrade.
Also seen with new APs trying to join a controller running IOS-XE 3.6.0 (15.3(3)JN k9w8 image.) (Track CSCur50946 for the IOS-XE fix)
Workaround:
Downgrade to AireOS 7.6.130.0, or to IOS-XE 3.3, if the APs are supported in the earlier code
Pls attach AP console output while trying to boot & register to see the exact reason for failure.
HTH
Rasika
**** Pls rate all useful responses **** -
Converted 1140 AP can't join the WLC 5508
Hello! Please, help me to sort my problem out.
We have bought autonomous APs AIR-AP1141N-E-K9 and converted them to the lightweight mode, but they cannot join the WLC 5508. The errors are below. There were NO problems with the LAPs that were bought before, together with the WLC.
AP's IP: 172.22.90.27 IOS version 12.4
WLC's IP: 172.22.90.20 IOS version 6.0.188.0
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This Discussion has been converted into document:- https://supportforums.cisco.com/docs/DOC-23054
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
logs from the AP:
Translating "CISCO-LWAPP-CONTROLLER"...domain server (255.255.255.255)
*Oct 13 21:37:06.044: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Oct 13 21:37:06.045: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Oct 13 21:37:06.046: bsnInitRcbSlot: slot 1 has NO radio
*Oct 13 21:37:06.056: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to a
dministratively down
*Oct 13 21:37:06.066: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to r
eset
*Oct 13 21:37:06.098: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Oct 13 21:37:15.060: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-LWAPP-CONTROLL
ER
*Oct 13 21:37:24.060: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROL
LER
*Oct 13 21:37:34.060: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Oct 13 21:38:34.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_i
p: 172.22.90.20 peer_port: 5246
*Oct 13 21:38:34.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Oct 13 21:38:34.822: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully
peer_ip: 172.22.90.20 peer_port: 5246
*Oct 13 21:38:34.823: %CAPWAP-5-SENDJOIN: sending Join Request to 172.22.90.20
*Oct 13 21:38:34.823: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Oct 13 21:38:34.825: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Contr
ol Message from 172.22.90.20
*Oct 13 21:38:34.825: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
*Oct 13 21:38:34.825: %CAPWAP-3-ERRORLOG: Failed to handle capwap control messag
e from controller
*Oct 13 21:38:39.823: %CAPWAP-5-SENDJOIN: sending Join Request to 172.22.90.20
*Oct 13 21:38:39.823: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Contr
ol Message from 172.22.90.20
*Oct 13 21:38:39.823: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
*Oct 13 21:38:39.823: %CAPWAP-3-ERRORLOG: Failed to handle capwap control messag
e from controller
*Oct 13 21:38:39.824: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap p
acket from 172.22.90.20
*Oct 13 21:39:33.999: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 1
72.22.90.20:5246
*Oct 13 21:39:34.000: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Oct 13 21:38:34.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_i
p: 172.22.90.20 peer_port: 5246
*Oct 13 21:38:34.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Oct 13 21:38:34.001: %DTLS-5-PEER_DISCONNECT: Peer 172.22.90.20 has closed conn
ection.
*Oct 13 21:38:34.001: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 1
72.22.90.20:5246
*Oct 13 21:38:34.001: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination
*Oct 13 21:38:34.125: %CAPWAP-3-ERRORLOG: Dropping dtls packet since session is
not established.
logs from the WLC:
debug capwap events enable
*Dec 21 15:02:06.244: 68:bc:0c:63:3d:a0 DTLS keys for Control Plane deleted successfully for AP 172.22.90.27
*Dec 21 15:02:06.246: 68:bc:0c:63:3d:a0 DTLS connection closed event receivedserver (172:22:90:20/5246) client (172:22:90:27/21077)
*Dec 21 15:02:06.246: 68:bc:0c:63:3d:a0 Entry exists for AP (172:22:90:27/21077)
*Dec 21 15:02:06.246: 68:bc:0c:63:3d:a0 apfSpamProcessStateChangeInSpamContext: Deregister LWAPP event for AP 68:bc:0c:63:3d:a0 slot 0
*Dec 21 15:02:06.246: 68:bc:0c:63:3d:a0 Deregister LWAPP event for AP 68:bc:0c:63:3d:a0 slot 0
*Dec 21 15:02:06.246: 68:bc:0c:63:3d:a0 apfSpamProcessStateChangeInSpamContext: Deregister LWAPP event for AP 68:bc:0c:63:3d:a0 slot 1
*Dec 21 15:02:06.246: 68:bc:0c:63:3d:a0 Deregister LWAPP event for AP 68:bc:0c:63:3d:a0 slot 1
Ble
*Dec 21 15:04:03.194: 68:bc:0c:63:3d:a0 capwap_ac_platform.c:1223 - Operation State 0 ===> 4
*Dec 21 15:04:03.194: 68:bc:0c:63:3d:a0 Register LWAPP event for AP 68:bc:0c:63:3d:a0 slot 0
*Dec 21 15:05:36.253: 68:bc:0c:63:3d:a0 Join Version: = 100711424
*Dec 21 15:05:36.253: 68:bc:0c:63:3d:a0 Join resp: CAPWAP Maximum Msg element len = 93
debug capwap errors enable
*Dec 21 16:16:51.879: 68:bc:0c:63:3d:a0 DTLS connection was closed
*Dec 21 16:17:09.940: 68:bc:0c:63:3d:a0 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 12, joined Aps =5
debug capwap detail enable
*Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 CAPWAP Control Msg Received from 172.22.90.27:21078
*Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 packet received of length 281 from 172.22.90.27:21078
*Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 Msg Type = 3 Capwap state = 5
*Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 Join resp: Result Code message element len = 8
*Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 1. 47 0
*Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 2. 232 3
*Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 3. 6 0
*Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 4. 12 0
*Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 Join resp: AC Descriptor message element len = 48
*Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 acName = Wi-Fi_Controller
*Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 Join resp: AC Name message element len = 68
*Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 Join resp: WTP Radio Information message element len = 77
*Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 Join resp: CAPWAP Control IPV4 Address len = 87
*Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 Sending encrypted packet to AP 172:22:90:27 (21078)
*Dec 21 16:21:49.961: 68:bc:0c:63:3d:a0 Releasing WTP
*Dec 21 16:24:12.212: 68:bc:0c:63:3d:a0 CAPWAP Control Msg Received from 172.22.90.27:21077
*Dec 21 16:24:12.212: 68:bc:0c:63:3d:a0 DTLS connection 0x167c8b20 closed by controller
*Dec 21 16:24:12.212: DTL Deleting AP 9 - 0.0.0.0
*Dec 21 16:24:12.214: CAPWAP DTLS connection closed msg
*Dec 21 16:24:12.216: 68:bc:0c:63:3d:a0 Sending LWAPP Event DeReg to 'mfpSendEventReport+168' for AP 68:bc:0c:63:3d:a0(0)
*Dec 21 16:24:12.216: Received SPAM_MFP_RADIO_DOWN message
*Dec 21 16:24:12.218: 68:bc:0c:63:3d:a0 Sending LWAPP Event DeReg to 'l2roamInit+560' for AP 68:bc:0c:63:3d:a0(0)
*Dec 21 16:24:12.220: 68:bc:0c:63:3d:a0 Sending LWAPP Event DeReg to 'apfSpamCallbackInSpamContext+1224' for AP 68:bc:0c:63:3d:a0(0)
*Dec 21 16:24:12.222: 68:bc:0c:63:3d:a0 Sending LWAPP Event DeReg to 'apfSpamSendBlackListTable+376' for AP 68:bc:0c:63:3d:a0(0)
*Dec 21 16:24:12.224: 68:bc:0c:63:3d:a0 Sending LWAPP Event DeReg to 'rrmIappSendChdPacket+2320' for AP 68:bc:0c:63:3d:a0(0)
*Dec 21 16:24:12.226: 68:bc:0c:63:3d:a0 Sending LWAPP Event DeReg to 'asTrackInitTask+19360' for AP 68:bc:0c:63:3d:a0(0)
*Dec 21 16:24:12.228: 68:bc:0c:63:3d:a0 Sending LWAPP Event DeReg to 'mfpSendEventReport+168' for AP 68:bc:0c:63:3d:a0(1)
*Dec 21 16:24:12.228: Received SPAM_MFP_RADIO_DOWN message
*Dec 21 16:24:12.230: 68:bc:0c:63:3d:a0 Sending LWAPP Event DeReg to 'l2roamInit+560' for AP 68:bc:0c:63:3d:a0(1)
*Dec 21 16:24:12.232: 68:bc:0c:63:3d:a0 Sending LWAPP Event DeReg to 'apfSpamCallbackInSpamContext+1224' for AP 68:bc:0c:63:3d:a0(1)
*Dec 21 16:24:12.234: 68:bc:0c:63:3d:a0 Sending LWAPP Event DeReg to 'apfSpamSendBlackListTable+376' for AP 68:bc:0c:63:3d:a0(1)
*Dec 21 16:24:12.236: 68:bc:0c:63:3d:a0 Sending LWAPP Event DeReg to 'rrmIappSendChdPacket+2320' for AP 68:bc:0c:63:3d:a0(1)
*Dec 21 16:24:12.238: 68:bc:0c:63:3d:a0 Sending LWAPP Event DeReg to 'asTrackInitTask+19360' for AP 68:bc:0c:63:3d:a0(1)
*Dec 21 16:24:12.238: 68:bc:0c:63:3d:a0 Deleting and removing AP 68:bc:0c:63:3d:a0 from fast path
P.S. The time is set to the WLC with the NTP
P.P.S. Don't lookup at the time the logs were made - they were made not during the same day/timeI have solved this as soon as published my problem!!!
the answer is published here:
https://supportforums.cisco.com/thread/2004491
especially in the post of Matthew Fowler
Hi,
Please take a look at CSCte01087.
I see that your WLC is 10.0.13.5 and your AP is 10.0.13.28/24 so they are on the same subnet. I also see your AP MAC address does not begin with 00. This is why I believe it is relevant.
Please try the workaround or open a TAC case if you need a fix.
-Matt
Symptom:
An access point running 6.0.188.0 code may be unable to join a WLC5508.
Messages similar to the following will be seen on the AP.
%CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
%CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message
Conditions:
At least one of the following conditions pertains:
- The high order byte of the AP's MAC address is nonzero, and the AP is in
the same subnet as the WLC5508's management (or AP manager) interface
- The WLC's management (or AP manager) interface's default gateway's
MAC address' high order byte is nonzero.
Workaround:
If the MAC address of the WLC's default gateway does not begin with 00,
and if all of the APs' MAC addresses begin with 00, then: you can put
the APs into the same subnet as the WLC's management (or AP manager)
interface.
In the general case, for the situation where the WLC's default gateway's
MAC does not begin with 00, you can address this by changing it to begin
with 00. Some methods for doing this include:
-- use the "mac-address" command on the gateway, to set a MAC address
that begins with 00
-- then enable HSRP on the gateway (standby ip ww.xx.yy.zz) and use this
IP as the WLC's gateway.
For the case where the APs' MAC addresses do not begin with 00, then make
sure that they are *not* in the same subnet as the WLC's management
(AP manager) interface, but are behind a router.
Another workaround is to downgrade to 6.0.182.0. However, after
downgrading the WLC to 6.0.182.0, any APs that have 6.0.188.0 IOS
(i.e. 12.4(21a)JA2) still installed on them will be unable to join.
Therefore, after downgrading the WLC, the APs will need to have a
pre-12.4(21a)JA2 rcvk9w8 or k9w8 image installed on them.
different vlan!!!! yes! thank you Matthew Fowler sooooo much!!!! -
Hello Guys,
I have converted ap 1131 from autonomous to lwapp successfully by using upgrade utility tool but the AP does not join the WLC 2106. I can see it as a neighbor on the switch with no IP address. please help me.
Thank youHello Scott,
Thank you for the reply
Please find the attached file for the config, i found out that i have not updated the time on WLC but i did update the time on WLC and tested for other AP and this one too wont join the WLC. The ap are located remote.
atsg-wl1#show run | incl hostname
hostname atsg-wl1
atsg-wl1#test pb display
Display of the Parameter Block
Total Number of Records : 7
Number of Certs : 6
Number of Keys : 1
atsg-wl1#term length 0
atsg-wl1#show version | include Cisco IOS
Cisco IOS Software, C1130 Software (C1130-K9W7-M), Version 12.3(7)JA3, RELEASE SOFTWARE (fc1)
atsg-wl1#show controller | include Radio AIR
Radio AIR-AP1131G, Base Address 0019.0737.02f0, BBlock version 0.00, Software version 5.80.15
Radio AIR-AP1131A, Base Address 0019.073b.02d0, BBlock version 0.00, Software version 5.80.15
atsg-wl1#show controllers d0 | include Current
Current Frequency: 2447 MHz Channel 8
Current CCK Power: 14 dBm
Current OFDM Power: 14 dBm
Current Rates: basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
atsg-wl1#show controllers d1 | include Current
Current Frequency: 5805 MHz Channel 161
Current Power: 17 dBm
Current Rates: basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
atsg-wl1#show run | include station-role
station-role root
station-role root
atsg-wl1#test pb disp
Display of the Parameter Block
Total Number of Records : 7
Number of Certs : 6
Number of Keys : 1
atsg-wl1#show int F0 | include address
Hardware is PowerPCElvis Ethernet, address is 0019.555f.ccfa (bia 0019.555f.ccfa)
atsg-wl1#show int | include Dot11Radio
Dot11Radio0 is up, line protocol is up
Dot11Radio1 is up, line protocol is up
atsg-wl1#show sntp | exclude SNTP
10.148.0.1 16 1 never
172.16.21.57 16 1 never
Broadcast client mode is enabled.
atsg-wl1#show run
Building configuration...
Current configuration : 6025 bytes
! Last configuration change at 19:35:46 UTC Thu Jan 31 2013 by didata
! NVRAM config last updated at 19:13:48 UTC Fri Feb 1 2013 by didata
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
hostname atsg-wl1
logging buffered informational
logging console informational
enable secret 5
ip subnet-zero
ip domain name aspentech.com
ip name-server 10.96.16.230
ip name-server 10.148.0.249
ip name-server 10.32.19.1
aaa new-model
aaa group server radius rad_eap
server 10.16.16.123 auth-port 1645 acct-port 1646
aaa authentication login default group tacacs+ local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
no dot11 igmp snooping-helper
dot11 ssid
authentication open eap eap_methods
authentication network-eap eap_methods
guest-mode
infrastructure-ssid optional
dot11 network-map
power inline negotiation prestandard source
usernamepassword 7
username privilege 15 password 7
usernamep rivilege 15 password 7
class-map match-all _class_Protocol_301_C351
match access-group name Voice_Over_IP_301
class-map match-all _class_8
match ip dscp cs1
class-map match-all _class_0
match ip dscp default
class-map match-all _class_48
match ip dscp cs6
class-map match-all _class_18
match ip dscp af21
class-map match-all _class_24
match ip dscp cs3
class-map match-all _class_16
match ip dscp cs2
class-map match-all _class_34
match ip dscp af41
class-map match-all _class_26
match ip dscp af31
class-map match-all _class_40
match ip dscp cs5
class-map match-all _class_46
match ip dscp ef
class-map match-all _class_56
match ip dscp cs7
class-map match-all _class_10
match ip dscp af11
class-map match-all _class_32
match ip dscp cs4
policy-map _policy_Voice_Over_IP_202
class _class_Protocol_301_C351
set cos 6
policy-map _policy_fallback_policy
class _class_0
set cos 0
class _class_8
set cos 1
class _class_10
set cos 1
class _class_16
set cos 2
class _class_18
set cos 2
class _class_24
set cos 3
class _class_26
set cos 3
class _class_32
set cos 4
class _class_34
set cos 4
class _class_40
set cos 5
class _class_46
set cos 5
class _class_48
set cos 6
class _class_56
set cos 7
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
shutdown
encryption mode wep mandatory mic key-hash
broadcast-key change 900
ssid
traffic-class background cw-min 5 cw-max 8 fixed-slot 2
traffic-class best-effort cw-min 5 cw-max 8 fixed-slot 6
traffic-class video cw-min 4 cw-max 6 fixed-slot 1
traffic-class voice cw-min 3 cw-max 7 fixed-slot 1
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
packet retries 32
fragment-threshold 2338
station-role root
rts threshold 2339
rts retries 32
world-mode legacy
no cdp enable
infrastructure-client
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
encryption mode wep mandatory mic key-hash
broadcast-key change 900
ssid aspen100abcdefgh
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
world-mode legacy
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 10.148.0.7 255.255.255.0
no ip route-cache
ip default-gateway 10.148.0.1
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip tacacs source-interface BVI1
ip radius source-interface BVI1
ip access-list extended Voice_Over_IP_300
permit 119 any any
permit ip any any
ip access-list extended Voice_Over_IP_301
permit 119 any any
permit ip any any
logging facility local0
snmp-server view iso_view iso included
snmp-server community admin view iso_view RW
snmp-server community all4114all view iso_view RW
snmp-server community ddbos2000 RO
snmp-server location ATSG
snmp-server contact James Lee
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server host 192.135.137.12 ddbos2000
tacacs-server host 10.16.16.123 key 7
tacacs-server host 10.96.16.245 key 7
tacacs-server directed-request
radius-server host 10.16.16.123 auth-port 1645 acct-port 1646 timeout 5 retransmit 3 key 7
radius-server deadtime 120
radius-server vsa send accounting
radius-server vsa send authentication
control-plane
bridge 1 route ip
line con 0
transport preferred all
transport output all
stopbits 1
line vty 0 4
exec-timeout 0 0
transport preferred all
transport input all
transport output all
line vty 5 15
exec-timeout 0 0
transport preferred all
transport input all
transport output all
end
atsg-wl1#show run | incl hostname
hostname atsg-wl1
atsg-wl1#arch down /over /create-space tftp://10.148.0.118/images/c1130-rcvk $over /create-space tftp://10.148.0.118/images/c1130-rcvk9 w8-tar.12 te-space tftp://10.148.0.118/images/c1130-rcvk9w8-tar.123 -11.JX1.t ftp://10.148.0.118/images/c1130-rcvk9w8-tar.123-11.JX1.ta r
examining image...
Loading images/c1130-rcvk9w8-tar.123-11.JX1.tar from 10.148.0.118 (via BVI1): !
extracting info (273 bytes)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 1873920 bytes]
Image info:
Version Suffix: rcvk9w8-
Image Name: c1130-rcvk9w8-mx
Version Directory: c1130-rcvk9w8-mx
Ios Image Size: 1874432
Total Image Size: 1874432
Image Feature: WIRELESS LAN|LWAPP|RECOVERY
Image Family: C1130
Wireless Switch Management Version: 3.0.51.0
Extracting files...
Loading images/c1130-rcvk9w8-tar.123-11.JX1.tar from 10.148.0.118 (via BVI1): !
extracting info (273 bytes)
c1130-rcvk9w8-mx/ (directory) 0 (bytes)
extracting c1130-rcvk9w8-mx/c1130-rcvk9w8-mx (1867816 bytes)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
extracting c1130-rcvk9w8-mx/info (273 bytes)
extracting info.ver (273 bytes)!
[OK - 1873920 bytes]
Deleting current version...
Deleting flash:/c1130-k9w7-mx.123-7.JA3...done.
New software image installed in flash:/c1130-rcvk9w8-mx
Configuring system to use new image...done.
atsg-wl1#show archive status
SUCCESS: Upgrade complete.
atsg-wl1#write erase
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
atsg-wl1#dir flash:
Directory of flash:/
2 -rwx 2072 Jan 31 2013 19:36:18 +00:00 private-multiple-fs
149 drwx 128 Jan 31 2013 19:36:11 +00:00 c1130-rcvk9w8-mx
4 -rwx 342 Jan 31 2013 19:36:14 +00:00 env_vars
15998976 bytes total (14126080 bytes free)
atsg-wl1#dir nvram:
Directory of nvram:/
30 -rw- 0 startup-config
31 ---- 0 private-config
1 -rw- 0 ifIndex-table
2 ---- 12 persistent-data
32768 bytes total (30668 bytes free)
atsg-wl1#sh crypto ca trustpoints
atsg-wl1#sh crypto ca certificates
atsg-wl1#terminal length 0
atsg-wl1#show run | begin BVI1
interface BVI1
ip address 10.148.0.7 255.255.255.0
no ip route-cache
ip default-gateway 10.148.0.1
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip tacacs source-interface BVI1
ip radius source-interface BVI1
ip access-list extended Voice_Over_IP_300
permit 119 any any
permit ip any any
ip access-list extended Voice_Over_IP_301
permit 119 any any
permit ip any any
logging facility local0
snmp-server view iso_view iso included
snmp-server community admin view iso_view RW
snmp-server community all4114all view iso_view RW
snmp-server community ddbos2000 RO
snmp-server location ATSG
snmp-server contact James Lee
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server host 192.135.137.12 ddbos2000
tacacs-server host 10.16.16.123 key 7
tacacs-server host 10.96.16.245 key 7
tacacs-server directed-request
radius-server host 10.16.16.123 auth-port 1645 acct-port 1646 timeout 5 retransmit 3 key 7
radius-server deadtime 120
radius-server vsa send accounting
radius-server vsa send authentication
control-plane
bridge 1 route ip
line con 0
transport preferred all
transport output all
stopbits 1
line vty 0 4
exec-timeout 0 0
transport preferred all
transport input all
transport output all
line vty 5 15
exec-timeout 0 0
transport preferred all
transport input all
transport output all
end -
LAP's are unable to join Cisco WLC
Dear all,
I have moved my WLC to my datacentre from branch office. after movement i have updated DHCP options with the new ip address but all of my access point are not joining to WLC.Kindly check the attached cofiguration of WLC as well as LAP logs and It will be a great help if somebody can help me to relsolve this issue.
Please note that for datacenter - Branch connectivity we are using L3 MPLS line and there is no firewall between the office and I am using Ver 7 software on my WLC/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0cm;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
Hi,
Your DHCP option 43 is good
From your file ‘AP error logs.txt’ it’s clear that the DHCP server provides option 43 that point to 10.204.20.4.
I also see that the controller name is AEDXBWLC01.
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0cm;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
The AP cannot guess this name so this means that it can communicate with the controller.
You do not need to configure DNS
Your DNS server is not configured with CISCO-LWAPP-CONTROLLER.localdomain. But you do not need to configure DNS since you already have a working option 43.
If you want to use DNS you should configure both CISCO-CAPWAP-CONTROLLER.localdomain and CISCO-LWAPP-CONTROLLER.localdomain, where localdomain is the access point domain name. Old software use LWAPP and new software uses CAPWAP.
What might cause the problems?
I believe that you have a certificate mismatch between the controller and the AP. In order to fix this you can manually add the AP to the AP authorization list.
In order to allow APs to join, use one of these options:
Add them to the authorization list of the WLC: use the config auth-list add mic command.
Add them as clients to the RADIUS server. The Called-Station-ID is the MAC address of the controller. If you separate the APs into groups, you can create policies to define which APs can authenticate against which Called-Station-IDs.
Debug
You can debug to see what’s happening when the AP tries to join the controller.
You can also use this debug to obtain the Ethernet address for the AP:
(Cisco Controller) >debug lwapp events enable
Mon May 22 12:00:21 2006: Received LWAPP DISCOVERY REQUEST from AP 00:0b:85:5b:fb:d0 to ff:ff:ff:ff:ff:ff on port '1'
Mon May 22 12:00:21 2006: Successful transmission of LWAPP Discovery-Response to AP 00:0b:85:5b:fb:d0 on Port 1
/André -
How can I apply existing WCS "WLAN Config" templates to a new WLC?
We've been running a pair of WLC 4402s managed by WCS, thus we are still on the older 7.0.235.0 (WCS) / 7.0.235.3 (WLC) release. I'm trying to add an additional WLC 4402-50 as a hot spare. I first ran the manual setup steps to give it an IP in our range, and used the WLCs web page to set our SNMP communities and such to the values used by our existing WLCs, then I added the new WLC in WCS.
At this point I could apply most of the "Controller Templates" from our existing configuration to the new unit. However, I can not get it to take our existing interfaces nor our WLAN Configurations. How do I avoid needing to recreate these from scratch on the new WLC?
We only have four dynamic interfaces, and each WLC needs its own IP address for each interface, so I did manually add these via the WLCs web page. However, now when I go to the WCS' "Configure > Contoller Templagte Launch Pad" page, then select "WLANs > WLAN Configuration", I see my usual list of WLANs, but can't figure how to push them to the new WLC.
For all of the other templates on the launch pad, I can select a template, click the "Apply to Controllers..." button, and I get a list that has my existing two and also the new controller. I can select the new controller, and apply the template, and it succeeds.
Yet if I select a specific WLAN config, and press "Apply to Controllers...", the list that appears has only my existing two WLCs, not the the new one.
In small green type at the top it says, "Controllers configured with Interface/Interface Group - 'w-restricted' and selected RADIUS server(s), LDAP servers, ACL Name with rules and Ingress interface are shown."
I have already manually added the interface "w-restricted" to the new controller, and have added the RADIUS servers via the template used by our other two WLCs. Not sure what to do about "LDAP servers, ACL Name with rules and Ingress interface", as we don't have any ACL rules, nor use LDAP directly from the WLCs (as all user ID stuff is via RADIUS).
Any hints on what manual setup I should add to get the new WLC in the list for these WLAN Configs?
Thanks,
SteveTo be honest, if your only adding another WLC, your better off creating the interface and WLAN's manually. I don't like pushing out templates to create new WLAN's. I would use it to adjust an existing WLAN, but that would be it. To me it's safer. Also your new WLC is on the same code? If you really want to figure it out, I would manually add the interfaces first then refresh the co fog from the new WLC and then push out the WLAN SSID and see if it takes. If not, don't waste your time anymore and create it manually.
Sent from Cisco Technical Support iPhone App -
Hi,
I have two WLC 8500 working in SSO and with nat enable feature configure in management interface.
SSO is working, but i have to configure NAT before SSO becasuse when SSO is up, ip address and nat are greyed out in managemente interface.
Some AP's must join the controller in the private address of the management interface and others AP must join in the public ip address configured in NAT address.
for some reason, there are a lot of AP's that can't join the controller, i have 3 ap's joined in the public ip address and 3 ap's joined in the private ip address
config network ap-discovery nat-only disable is already configured, from the console of one AP that can't not join i see the following:
*Sep 10 12:32:48.115: %CAPWAP-3-ERRORLOG: Selected MWAR 'GI12WLC001A'(index 0).
*Sep 10 12:32:48.115: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Sep 10 12:35:48.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 212.89.5.130 peer_port: 5246
*Sep 10 12:36:17.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2176 Max retransmission count reached!
*Sep 10 12:36:47.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 212.89.5.130:5246
*Sep 10 12:36:47.999: %CAPWAP-3-ERRORLOG: Selected MWAR 'GI12WLC001A'(index 0).
*Sep 10 12:36:47.999: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Sep 10 12:35:48.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.35.0.78 peer_port: 5246
the AP is trying both private and public ip address to join the WLC but can't join properly.
From the WLC console:
debug capwap errors enable:
*spamApTask4: Sep 10 13:13:49.837: 00:10:db:ff:50:06 Discarding non-ClientHello Handshake OR DTLS encrypted packet from 10.35.1.13:47807)since DTLS session is not established
*spamApTask3: Sep 10 13:13:49.958: 1c:6a:7a:5b:e0:30 ApModel: AIR-CAP3702I-E-K9
*spamApTask3: Sep 10 13:13:49.958: Unknown AP type. Using Controller Version!!!
*spamApTask3: Sep 10 13:13:49.958: Unknown AP type. Using Controller Version!!!
*spamApTask3: Sep 10 13:13:49.958: 1c:6a:7a:5b:e0:30 ApModel: AIR-CAP3702I-E-K9
*spamApTask3: Sep 10 13:13:49.958: Unknown AP type. Using Controller Version!!!
*spamApTask3: Sep 10 13:13:49.958: Unknown AP type. Using Controller Version!!!
*spamApTask2: Sep 10 13:13:52.103: 00:10:db:ff:50:06 Discarding non-ClientHello Handshake OR DTLS encrypted packet from 10.35.1.11:21207)since DTLS session is not established
*spamApTask1: Sep 10 13:13:52.224: 1c:6a:7a:5e:0f:10 ApModel: AIR-CAP3702I-E-K9
*spamApTask1: Sep 10 13:13:52.224: Unknown AP type. Using Controller Version!!!
*spamApTask1: Sep 10 13:13:52.224: Unknown AP type. Using Controller Version!!!
*spamApTask1: Sep 10 13:13:52.224: 1c:6a:7a:5e:0f:10 ApModel: AIR-CAP3702I-E-K9
*spamApTask1: Sep 10 13:13:52.224: Unknown AP type. Using Controller Version!!!
*spamApTask1: Sep 10 13:13:52.224: Unknown AP type. Using Controller Version!!!
the AP model are the same, this is not the problem, but for some reason there are AP's that have problems with the NAT configuration, if i disable NAT option, every AP with private ip address config can join the WLC.
I've tried to break SSO, desconfigure NAT, and private ip address AP join the controller without problem.
anybody can give me a clue?
Regards!it seens like DTLS connection can't be stablished between AP and WLC.
The AP sends discovery request
the WLC respond with two discovery responds, the firts one, contains the public ip address of the WLC and the second one contains the private ip address.
once discovery proccess is complete, the AP tries to send DTLS hello packet to the WLC, but this packet never arrives to WLC.
because hello doesn't arrive, the AP sends a close notify alert to the WLC and tries to send the DTLS hello packet to the WLC private address with same result.
the AP get into a loop trying to send DTLS hello packets to both private and public address.
DTLS hello packet never arrive, but close notify alert arrive to WLC.
theres is FW in the middle doing NAT, but i can understand why close notify alert packets error arrives WLC and Hello DTLS packets don't. this packets uses the same protocol UDP and the same port.
Regards
Maybe you are looking for
-
Ordering values in SQL Calendar
Hi All, I have an sql based calendar which is used as a roster. There are only a couple of entries in each day showing the names of personnel. I have a custom display setting such that the name is highlighted in different colours based on their on-ca
-
Hi there, I have a 4 year old mac book and the fan is coming on permanently, and it gets very hot. Any ideas how to fix this please? - Di I just need to replace the battery, or is this problem a lot more serious? Thanks in advance for your time. Oggy
-
VD 346: Period indicator 1
Hello all, following problem needs to be solved. We have added a new form with language Z2 (Serbia), when we now print a PO in german or english everything is fine, if we print it in Z2, the system brings error: VD 346: Period indicator 1 I have tran
-
Want to rebroadcast a login access network through my macbook to airport express
How do i log in to the website based wireless network at my marina on my macbook then rebroadcast the network via airport express through ethernet?
-
After open an Excel spreadsheet manually, is there a way to use PS to edit it without open another copy?