CAPWAP-3-CAPWAP_PAYLOAD_TOO_LARGE

Any ideas what this means?
Nov  2 15:53:42 c1-145-ap 42: AP:000d.28f2.31ea: *Nov  2 22:53:40.582: %CAPWAP-3-CAPWAP_PAYLOAD_TOO_LARGE: Attempt to send capwap packet with payload exceeding max size. Payload Size: 2057, Maximum Allowed Payload: 1700
Nov  2 15:53:42 c1-145-ap 43: AP:000d.28f2.31ea:  -Traceback= 0x5E8E4 0x4B1410 0x43FA08 0x4417E4 0x4429E8 0x2A71AC
Nov  7 09:24:30 c3-143-ap 61: AP:000c.cea4.8b1a: *Nov  7 17:24:28.630: %CAPWAP-3-CAPWAP_PAYLOAD_TOO_LARGE: Attempt to send capwap packet with payload exceeding max size. Payload Size: 2044, Maximum Allowed Payload: 1700
Nov  7 09:24:30 c3-143-ap 62: AP:000c.cea4.8b1a:  -Traceback= 0x5E8E4 0x4B1410 0x43FA08 0x4417E4 0x4429E8 0x2A71AC
These are 1100s in light-weight mode, managed by 5500WLC or WiSMs running 7.0.116. Message appears sporadically, every few weeks, sometimes once in a day, sometimes in bursts, typically from a single AP (out of a flock of ~200 campus-wide); the APs involved tend to live within a particular cluster of buildings.
--sk
Stuart Kendrick
FHCRC
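
For tracking which APs emit this message and by how much the payload overshoots the limit, the following is an added example (not part of the original post, and not Cisco code). It scans relayed syslog text for `CAPWAP_PAYLOAD_TOO_LARGE` records and groups them per AP; the function name `summarize` and the embedded sample, which reuses the two messages quoted above run together on one line, are assumptions made for illustration.

```python
import re
from collections import defaultdict

# One record = AP MAC, AP-side timestamp, payload size and the allowed maximum.
# finditer() is used instead of splitting on newlines, so records that a syslog
# relay or a copy-paste has fused onto a single line are still found.
RECORD = re.compile(
    r"AP:(?P<ap>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}):\s+"
    r"\*(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d+):\s+"
    r"%CAPWAP-3-CAPWAP_PAYLOAD_TOO_LARGE:.*?"
    r"Payload Size:\s*(?P<size>\d+),\s*"
    r"Maximum Allowed Payload:\s*(?P<limit>\d+)",
    re.IGNORECASE,
)


def summarize(text):
    """Group oversize-payload records by AP MAC.

    Returns {ap_mac: {"count", "worst_size", "limit", "worst_overshoot",
    "timestamps"}}. Traceback lines carry no size and are ignored.
    """
    per_ap = defaultdict(lambda: {
        "count": 0, "worst_size": 0, "limit": 0,
        "worst_overshoot": 0, "timestamps": [],
    })
    for m in RECORD.finditer(text):
        size, limit = int(m["size"]), int(m["limit"])
        entry = per_ap[m["ap"].lower()]
        entry["count"] += 1
        entry["timestamps"].append(m["ts"])
        if size - limit > entry["worst_overshoot"]:
            entry["worst_overshoot"] = size - limit
            entry["worst_size"] = size
            entry["limit"] = limit
    return dict(per_ap)


# Sample input: the messages quoted in the post, with the first three records
# deliberately fused onto one line to exercise the record-based matching.
SAMPLE = (
    "Nov  2 15:53:42 c1-145-ap 42: AP:000d.28f2.31ea: *Nov  2 22:53:40.582: "
    "%CAPWAP-3-CAPWAP_PAYLOAD_TOO_LARGE: Attempt to send capwap packet with "
    "payload exceeding max size. Payload Size: 2057, Maximum Allowed Payload: 1700"
    "Nov  2 15:53:42 c1-145-ap 43: AP:000d.28f2.31ea:  -Traceback= 0x5E8E4 "
    "0x4B1410 0x43FA08 0x4417E4 0x4429E8 0x2A71AC"
    "Nov  7 09:24:30 c3-143-ap 61: AP:000c.cea4.8b1a: *Nov  7 17:24:28.630: "
    "%CAPWAP-3-CAPWAP_PAYLOAD_TOO_LARGE: Attempt to send capwap packet with "
    "payload exceeding max size. Payload Size: 2044, Maximum Allowed Payload: 1700\n"
    "Nov  7 09:24:30 c3-143-ap 62: AP:000c.cea4.8b1a:  -Traceback= 0x5E8E4 "
    "0x4B1410 0x43FA08 0x4417E4 0x4429E8 0x2A71AC\n"
)

if __name__ == "__main__":
    for ap, info in sorted(summarize(SAMPLE).items()):
        print(ap, info["count"], info["worst_size"], info["limit"],
              info["worst_overshoot"], info["timestamps"])
```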

You might as well open a TAC case on this unless one of the Cisco guys here can look up that message. That message is not in the guide for that code you show:
http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/message/guide/ccx_cdp_cids_7.0MR1_msgs5.html#wp1008858

Similar Messages

  • Is it possible to config H-REAP/REAP and CAPWAP in Autonomous mode with a WLC?

    I'm going to be deploying all new APs as Remote-Edge APs and they will be shipped straight to site, with a pool of WLCs deployed in central DC locations. I would like to get local staff to deploy a basic CLI discovery script for the APs. However, I thought LAPs don't have CLI???
    I'm thinking I must use a Lightweight AP with the WLC to use Remote-Edge AP functionality. However, I'm not sure... the configuration example at the bottom doesn't state whether it is an Autonomous AP or a Lightweight one.
    http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml
    H-REAP Controller Discovery using CLI commands
    H REAPs will most commonly discover upstream controllers via DHCP option 43 or DNS resolution. Without either of these methods available, it may be desirable to provide detailed instructions to administrators at remote sites so that each H REAP may be configured with the IP address of the controllers to which they should connect. Optionally, H REAP IP addressing may be set manually as well (if DHCP is either not available or not desired).
    This example details how an H REAP's IP address, hostname, and controller IP address may be set through the console port of the access point.
    AP_CLI#capwap ap hostname ap1130
    ap1130#capwap ap ip address 10.10.10.51 255.255.255.0
    ap1130#capwap ap ip default-gateway 10.10.10.1
    ap1130#capwap ap controller ip address 172.17.2.172
    Could anyone help?
    Cheers
    Adrian.

    Hi Adrian,
    Further down in the doc you linked;
    H-REAP Controller Discovery using CLI commands
    H REAPs will most commonly discover upstream controllers via DHCP option 43 or DNS resolution. Without either of these methods available, it may be desirable to provide detailed instructions to administrators at remote sites so that each H REAP may be configured with the IP address of the controllers to which they should connect. Optionally, H REAP IP addressing may be set manually as well (if DHCP is either not available or not desired).
    This example details how an H REAP's IP address, hostname, and controller IP address may be set through the console port of the access point.
    AP_CLI#capwap ap hostname ap1130
    ap1130#capwap ap ip address 10.10.10.51 255.255.255.0
    ap1130#capwap ap ip default-gateway 10.10.10.1
    ap1130#capwap ap controller ip address 172.17.2.172
    Note: Access points must run the LWAPP-enabled IOS® Recovery Image Cisco IOS Software Release 12.3(11)JX1 or later, in order to support these CLI commands out of the box. Access points with the SKU prefix of LAP (for example, AIR-LAP-1131AG-A-K9), shipped on or after June 13, 2006 run Cisco IOS Software Release 12.3(11)JX1 or later. These commands are available to any access point that ships from the manufacturer running this code level, has the code upgraded manually to this level, or is upgraded automatically by connecting to a controller running version 6.0 or later.
    These configuration commands are only accepted when the access point is in Standalone mode.
    Cheers!
    Rob

  • Downgrade 3600 Capwap AP to Autonomous 3600 AP

    Hello!
    I have to prepare a 3600 Capwap AP for autonomous functionality!
    The following image was downloaded:
    ap3g2-k9w7-tar.152-2.JA
    The release notes say:
    Site-Survey Only Mode for 3600, 3500, and 1550 Access Points
    You can install Cisco IOS Release 15.2(2)JA on Cisco Aironet 3600 and 3500 Series access points and on 1550 series outdoor access points to perform site surveys. This release runs on these access points with limited functionality. You can manually adjust these settings on the site-survey access points:
    • Channel on each radio
    • Transmit power on each radio
    • Enable and disable the radios
    • Manually set basic and supported transmit rates
    • Enable advertised cell power in beacons to client to enable DTPC for doing active surveys
    • Enable and disable SSID broadcast in beacons
    • Enable open authentication
    My Question is:
    Where can I find instructions for downgrading an AIR-CAP3602i to Autonomous 3600 AP?
    Is it complicated to get the AP running, or what do I need for "downgrading"?
    thx 4 help
    Richard

    The method to convert is:
    Download TFTPd32 from Google and install it on your PC. Point to the image that you have downloaded in the TFTP server.
    Connect an Ethernet cable between your laptop and the AP. Let both be in the same subnet. Connect a console cable, get HyperTerminal console access and issue the commands. Make sure you are able to ping the PC from the AP and vice versa!
    AP>en
    AP#debug capwap console cli
    AP#config t
    AP(config)#int gi 0
    AP(config-if)#ip addr (same subnet as that of the laptop)
    AP(config-if)#end
    AP#archive download-sw /force-reload /overwrite tftp:///
    AP#archive download-sw /force-reload /overwrite tftp://<10.0.0.5>/ap3g2-k9w7-tar.152-2.JA
    You can skip the IP config part if the AP is getting its IP from DHCP.

  • Error Cisco 892f-w Wireless driver lwapp and capwap controller

    Hello, greetings to cisco support community, I write to ask for help for my router, I have trouble lifting the wireless network, I hope you can help me thanks.
    Upon entering cli ap: I have this error:
    *Jul  3 22:33:04.951: %CAPWAP-3-STATIC_TO_DHCP_IP: Could not discover WLC using static IP. Forcing AP to use DHCP.
    *Jul  3 22:33:14.959: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination
    *Jul  3 22:33:15.083: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.10.10.4, mask 255.255.255.248, hostname AP6400.f1cf.6738
    Translating "CISCO-CAPWAP-CONTROLLER"...domain server (8.8.8.8)
    Translating "CISCO-LWAPP-CONTROLLER"...domain server (8.8.8.8)
    *Jul  3 22:33:18.959: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
    *Jul  3 22:33:19.083: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
    *Jul  3 22:33:19.207: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-LWAPP-CONTROLLER
    Here is my configuration
    Natural#SHOW RUNNing-config
    Building configuration...
    Current configuration : 5681 bytes
    ! Last configuration change at 19:56:22 UTC Wed Oct 16 2013 by juanrifle
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Natural
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    no aaa new-model
    memory-size iomem 10
    service-module wlan-ap 0 bootimage autonomous
    crypto pki trustpoint TP-self-signed-634714217
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-634714217
    revocation-check none
    rsakeypair TP-self-signed-634714217
    crypto pki certificate chain TP-self-signed-634714217
    certificate self-signed 01
            quit
    ip cef
    ip dhcp excluded-address 10.10.10.1
    ip dhcp excluded-address 10.10.10.145
    ip dhcp excluded-address 10.10.10.153
    ip dhcp excluded-address 10.10.10.1 10.10.10.2
    ip dhcp pool ccp-pool
    import all
    network 10.10.10.0 255.255.255.248
    default-router 10.10.10.1
    dns-server 8.8.8.8 200.87.100.10
    lease 0 2
    ip dhcp pool ccp
    dns-server 8.8.8.8 200.87.100.10
    ip dhcp pool Oficina wireless pool
    import all
    network 10.10.10.144 255.255.255.248
    default-router 10.10.10.145
    dns-server 8.8.8.8 200.87.100.10
    ip dhcp pool guest pool
    import all
    network 10.10.10.152 255.255.255.248
    default-router 10.10.10.153
    dns-server 8.8.8.8 200.87.100.10
    no ip domain lookup
    ip domain name yourdomain.com
    no ipv6 cef
    multilink bundle-name authenticated
    license udi pid CISCO892FW-A-K9 sn FTX172783RH
    username ******** privilege 15 password 0 ******
    username ******** privilege 15 secret 4 df2cx1EOReyOFTzHQGHyju0MCCMPPDggzToRobK46vI
    redundancy
    interface BRI0
    no ip address
    encapsulation hdlc
    shutdown
    isdn termination multidrop
    interface FastEthernet0
    no ip address
    spanning-tree portfast
    interface FastEthernet1
    no ip address
    interface FastEthernet2
    no ip address
    interface FastEthernet3
    no ip address
    interface FastEthernet4
    no ip address
    interface FastEthernet5
    no ip address
    interface FastEthernet6
    no ip address
    interface FastEthernet7
    no ip address
    interface FastEthernet8
    description modem adsl
    ip address dhcp
    ip flow ingress
    ip flow egress
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0
    no ip address
    shutdown
    duplex auto
    speed auto
    interface wlan-ap0
    description Service module interface to manage the embedded AP
    ip unnumbered Vlan1
    arp timeout 0
    interface Wlan-GigabitEthernet0
    description Internal switch interface connecting to the embedded AP
    switchport trunk allowed vlan 1-3,1002-1005
    switchport mode trunk
    no ip address
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    ip address 10.10.10.1 255.255.255.248
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    interface Vlan2
    description wireless oficina
    ip address 10.10.10.145 255.255.255.248
    ip nat inside
    ip virtual-reassembly in
    interface Vlan3
    description wireless guest
    ip address 10.10.10.153 255.255.255.248
    ip nat inside
    ip virtual-reassembly in
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip flow-export destination 10.10.10.5 2055
    ip nat inside source list 110 interface FastEthernet8 overload
    ip sla auto discovery
    access-list 10 permit 10.10.10.0 0.0.0.7
    access-list 23 permit 10.10.10.0 0.0.0.7
    access-list 110 permit ip 10.10.10.0 0.0.0.255 any
    access-list 120 remark wireless guest Restriction
    access-list 120 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
    access-list 120 permit ip 10.10.10.152 0.0.0.7 any
    access-list 120 deny   ip 10.10.10.152 0.0.0.7 0.0.0.0 255.255.255.0
    access-list 120 deny   ip 10.10.10.152 0.0.0.7 172.16.0.0 0.15.255.255
    access-list 120 deny   ip 10.10.10.152 0.0.0.7 192.168.0.0 0.0.255.255
    no cdp run
    control-plane
    mgcp profile default
    line con 0
    login local
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin udptn ssh
    line aux 0
    line vty 0 4
    access-class 23 in
    privilege level 15
    login local
    transport input telnet ssh
    line vty 5 15
    access-class 23 in
    privilege level 15
    login local
    transport input telnet ssh
    end
    Natural#

    Hi Andrew,
    A LAP always downloads the image running on a WLC (in this case 3850). So there is no point upgrading the LAP independently, as it will always sync with the image running on the controller it joins.
    In this case you can upgrade the 3850 to 3.3.2 (which is the latest image as of today) if you are not already running that code.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • CAPWAP-3-DISC_AP_MGR_ERR1 errors since upgrade to 8.0.110.0

    I have upgraded a 2504 controller to 8.0.110.0. Since then I see this error message every two minutes:
    wlc: *spamApTask7: Feb 17 12:07:23.854: #CAPWAP-3-DISC_AP_MGR_ERR1: capwap_ac_sm.c:2008 The system is unable to process Primary discovery request from AP [mac-address] on interface (1), VLAN (10), could not get IPv6 AP manager
    The controller does not have IPv6 address configured (i.e. it's still ::/128).
    The error only appears for the two 1602i in the network, not for the 1131ag.
    All access points are connected to the controller and operate normally.
    How do I get rid of these errors?
    Thanks,
    Gerald

    Global IPv6 config is enabled as I need IPv6 and as far as I understand clients won't be able to use IPv6 otherwise.
    I haven't found a way to disable IPv6 for discovery...
    Gerald

  • Could not resolve CISCO-CAPWAP-CONTROLLER

    I have an access point in Singapore which is trying to connect to a controller in Canada. I think I am having a latency issue. Is there a way of increasing the timeout period to allow the AP to join the controller before the initial request fails?
    Thanks

    Hi
    Make sure the AP regulatory domain matches the country configured on your WLC. If that is all good, you can configure this on the AP via console & the AP should go & register to your WLC.
    LAP#debug capwap console cli
    This command is meant only for debugging/troubleshooting
    Any configuration change may result in different
    behavior from centralized configuration.
    CAPWAP console CLI allow/disallow debugging is on
    LAP#capwap ap primary-base <WLC-Name> <WLC-Mgt-IP>
    If not, post the full AP console output while it is trying to register.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • VWLC 7.4 and AP 1602 - CAPWAP fails

    Hi guys!
    In my lab, everything just worked fine. Now AP1602 is on customer site. AP gets vWLC IP address via DHCP option 43, 60. If I try to debug vWLC console with this command "debug capwap detail enable":
    (Cisco Controller) >debug capwap detail enable
    *spamApTask0: Jul 01 12:04:26.669: 68:86:a7:cb:f6:d0 CAPWAP Control Msg Received from 10.10.10.215:16281
    *spamApTask0: Jul 01 12:04:26.683: 68:86:a7:cb:f6:d0 CAPWAP Control Msg Received from 10.10.10.215:16281
    *spamApTask0: Jul 01 12:04:26.690: 68:86:a7:cb:f6:d0 CAPWAP Control Msg Received from 10.10.10.215:16281
    *spamApTask0: Jul 01 12:04:26.690: 68:86:a7:cb:f6:d0 DTLS connection 0x10fb84e0 closed by controller
    *spamApTask0: Jul 01 12:04:26.691: 68:86:a7:cb:f6:d0 CAPWAP Control Msg Received from 10.10.10.215:16281
    *spamApTask0: Jul 01 12:04:26.691: CAPWAP DTLS connection closed msg
    *spamApTask2: Jul 01 12:05:09.168: 00:1f:6c:8a:4d:41 CAPWAP Control Msg Received from 10.10.10.156:57832
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 packet received of length 123 from 10.10.10.156:57832
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Msg Type = 1 Capwap state = 0
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 msgEleLength = 1 msgEleType = 20
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Total msgEleLen = 94
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 msgEleLength = 40 msgEleType = 39
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Total msgEleLen = 50
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 msgEleLength = 1 msgEleType = 41
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Total msgEleLen = 45
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 msgEleLength = 1 msgEleType = 44
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Total msgEleLen = 40
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 msgEleLength = 10 msgEleType = 37
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Vendor specific payload from AP  34:A8:4E:BA:47:40 validated
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Total msgEleLen = 26
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 msgEleLength = 22 msgEleType = 37
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Vendor specific payload from AP  34:A8:4E:BA:47:40 validated
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Total msgEleLen = 0
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 1. 0 0
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 2. 232 3
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 3. 0 0
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 4. 200 0
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Discovery resp: AC Descriptor message element len = 40
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 acName = Cisco_92:e4:7b
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Discovery resp:AC Name message element length = 58
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Discovery resp: WTP Radio Information msg length = 67
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Discovery resp: CAPWAP Control IPV4 Address len = 77
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Discovery resp: CAPWAP Control IPV6 Address len = 99
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Discovery resp: Mwar type payload len = 110
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Discovery resp: Time sync payload len = 125
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 WTP already released
    On Web interface Management->Logs->Message logs-> "DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake with peer 10.10.10.156"
    Do you have any ideas why it doesn't work? Why is the DTLS connection closed by the vWLC?
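
The `msgEleLength` / `msgEleType` / `Total msgEleLen` countdown in the debug output above follows the CAPWAP message-element layout from RFC 5415: a 16-bit type, a 16-bit length, then the value. The following is an added example (not part of the original post, and not controller code) that walks such an element list with bounds checks and reproduces the countdown; `walk_elements`, `ElementError` and the zero-filled sample buffer are names and data constructed for illustration.

```python
import struct

# RFC 5415 names for the element types that appear in the debug trace.
ELEMENT_NAMES = {
    20: "Discovery Type",
    37: "Vendor Specific Payload",
    39: "WTP Descriptor",
    41: "WTP Frame Tunnel Mode",
    44: "WTP MAC Type",
}

HEADER_LEN = 4  # 16-bit type + 16-bit length, network byte order


class ElementError(ValueError):
    """Raised when the element list is truncated or a length field lies."""


def walk_elements(buf):
    """Walk a CAPWAP message-element list.

    Returns [(type, length, remaining_after)], where remaining_after is the
    byte count still to parse once the element is consumed (the value the
    controller prints as "Total msgEleLen"). Every length is checked against
    the bytes actually present before the offset moves.
    """
    out = []
    offset = 0
    remaining = len(buf)
    while remaining > 0:
        if remaining < HEADER_LEN:
            raise ElementError(
                f"{remaining} trailing byte(s): too short for an element header")
        etype, elen = struct.unpack_from("!HH", buf, offset)
        if elen > remaining - HEADER_LEN:
            raise ElementError(
                f"element type {etype} claims {elen} bytes, "
                f"only {remaining - HEADER_LEN} left")
        offset += HEADER_LEN + elen
        remaining -= HEADER_LEN + elen
        out.append((etype, elen, remaining))
    return out


def build_element(etype, length):
    """Constructed test element: correct header, zero-filled value."""
    return struct.pack("!HH", etype, length) + bytes(length)


# Constructed sample with the same (type, length) sequence as the trace.
SAMPLE_ELEMENTS = b"".join(
    build_element(t, n)
    for t, n in [(20, 1), (39, 40), (41, 1), (44, 1), (37, 10), (37, 22)]
)

if __name__ == "__main__":
    for etype, elen, remaining in walk_elements(SAMPLE_ELEMENTS):
        name = ELEMENT_NAMES.get(etype, "unknown")
        print(f"msgEleLength = {elen} msgEleType = {etype} ({name}); "
              f"Total msgEleLen = {remaining}")
```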

    Guys,
    I think I am talking about this bug here : CSCua55382 . We can find more details here :
    http://www.cisco.com/image/gif/paws/113677/virtual-wlan-dg-00.pdf
    Known Issue: AP(s) not joining vWLC − The AP must get the hash entry from a legacy controller before it joins a vWLC.
    • An AP must be at software version 7.3.1.35 and above to successfully join a virtual controller. Virtual controllers use SSC in order to validate an AP before joining.
    • An AP at version 7.3 can validate the SSC certificate provided by the virtual controller.
    • After successful certificate validation, an AP will check the hash key of the virtual controller in the list of stored keys in flash. If it matches the stored hash, validation is passed and the AP moves to the RUN state. If hash validation fails, it will disconnect from the controller and restart the discovery process.
    • The hash validation, which is an extra authorization step, will be performed only if the AP is joining a virtual controller. There will be a knob to turn on/off hash key validation.
    • By default, hash validation is enabled, which means that the AP needs to have the virtual controller hash key in its flash before it can successfully complete association with the virtual controller. If the knob is turned off, the AP will bypass the hash validation and move directly to the RUN state.
    • The hash key can be configured in the controller mobility configurations, which gets pushed to all the APs which are joined. The AP will save this configuration until it successfully associates to another controller. After which, it inherits the hash key configuration from the new controller.
    • Typically, APs can join a traditional controller, download the hash keys, and then join a virtual controller. However, if it is joined to a traditional controller, the hash validation knob can be turned off and it can join any virtual controller. The administrator can decide to keep the knob on or off.
    This information is captured in Cisco bug ID CSCua55382.
    Exceptions:
    • If the AP does not have any hash key in its flash, it will bypass the hash validation, assuming that it is a first time installation.
         ♦ In this case, the hash validation is bypassed irrespective of whether the hash validation knob is on/off.
         ♦ Once it successfully joins the controller, it will inherit the mobility group member hash configuration (if configured in the controller). After which, it can join a virtual controller only if it has a hash key entry in its database.
    • Clearing the AP configuration from the controller or on the AP console will result in the erasing of all the hash keys. After which, the AP joins the virtual controller as if it is a first time installation.
         ♦ AP> test capwap erase
         ♦ AP> test capwap restart
    So... because I connected my AP to the vWLC in my lab, it downloaded hash keys. Without erasing these keys, the AP was unable to establish a DTLS tunnel with another vWLC.
    Hope that helps!

  • WLC 5508 - LAP1242: Failed to handle capwap control message from controller

    Hello everyone,
    after finally successfully upgrading my WLCs from 6.0.199.4 to 7.6.100.0 there is another problem showing up...
    If I want to change any configuration regarding the APs on the WLCs (which doesn't work) I get the following error-messages from the APs:
    *spamApTask7: Feb 27 14:34:00.558: 00:3a:9a:d6:5d:30 Test-AP-09-03: *Feb 27 13:34:00.169: %CAPWAP-3-ERRORLOG: Validate Msg: msg type 12 does not supported payload 215
    *spamApTask7: Feb 27 14:34:00.558: 00:3a:9a:d6:5d:30 Test-AP-09-03: *Feb 27 13:34:00.169: %CAPWAP-3-ERRORLOG: Validate Msg: error in Unknown Payload(215) payload (received length = 9, payload type = 215)
    *spamApTask7: Feb 27 14:34:00.558: 00:3a:9a:d6:5d:30 Test-AP-09-03: *Feb 27 13:34:00.170: %CAPWAP-3-ERRORLOG: Failed to validate vendor specific message element type 215 len 9.
    *spamApTask7: Feb 27 14:34:00.558: 00:3a:9a:d6:5d:30 Test-AP-09-03: *Feb 27 13:34:00.170: %CAPWAP-3-ERRORLOG: Failed to decode Configuration update request.
    *spamApTask7: Feb 27 14:34:00.558: 00:3a:9a:d6:5d:30 Test-AP-09-03: *Feb 27 13:34:00.170: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 7 state 11.
    *spamApTask7: Feb 27 14:34:00.558: 00:3a:9a:d6:5d:30 Test-AP-09-03: *Feb 27 13:34:00.171: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    Find attached some information regarding the AP and the 5508.
    Any suggestions are, as always, highly appreciated.
    Regards
    Manuel

    Good morning,
    if I need free space at the flash: How much is "enough" to handle config changes?
    Here you can see the filesystem of one of my access points (all are affected):
    AP#dir all-filesystems
    Directory of arch:/
        2  -rwx       91288  Feb 22 2014 18:16:42 +00:00  event.log
        8  drwx         448  Feb 22 2014 18:16:38 +00:00  c1240-k9w8-mx.124-25e.JAO3
        4  drwx           0   Nov 2 2011 23:32:18 +00:00  configs
        5  -rwx         397  Feb 22 2014 18:19:03 +00:00  env_vars
        6  -rwx        6168  Feb 27 2014 18:14:24 +00:00  private-multiple-fs
    No space information available
    Directory of flash:/
        2  -rwx       91288  Feb 22 2014 18:16:42 +00:00  event.log
        8  drwx         448  Feb 22 2014 18:16:38 +00:00  c1240-k9w8-mx.124-25e.JAO3
        4  drwx           0   Nov 2 2011 23:32:18 +00:00  configs
        5  -rwx         397  Feb 22 2014 18:19:03 +00:00  env_vars
        6  -rwx        6168  Feb 27 2014 18:14:24 +00:00  private-multiple-fs
    15740928 bytes total (10614784 bytes free)
    Directory of zflash:/
        2  -rwx       91288  Feb 22 2014 18:16:42 +00:00  event.log
        8  drwx         448  Feb 22 2014 18:16:38 +00:00  c1240-k9w8-mx.124-25e.JAO3
        4  drwx           0   Nov 2 2011 23:32:18 +00:00  configs
        5  -rwx         397  Feb 22 2014 18:19:03 +00:00  env_vars
        6  -rwx        6168  Feb 27 2014 18:14:24 +00:00  private-multiple-fs
    15740928 bytes total (10614784 bytes free)
    Directory of archive:/
    No files in directory
    No space information available
    Directory of system:/
        2  dr-x           0                      memory
        1  -rw-       17631                      running-config
    No space information available
    Directory of nvram:/
       30  -rw-           0                      startup-config
       31  ----           0                      private-config
        1  ----        4100                      lwapp_ap.cfg
        6  ----         528                      lwapp_ap_tlv.cfg
    32768 bytes total (26572 bytes free)
    Regards, Manuel

  • Autonomous 1252 converted to CAPWAP will not join 5508 WLC

    WLC 5508 firmware is v6.0.188.0
    I've tried updating the autonomous 1252 via both the upgrade tool 3.4 and 'archive download-sw' from the CLI
    I've tried multiple recovery images
    c1250-rcvk9w8-tar.124-21a.JA2.tar
    c1250-rcvk9w8-tar.124-10b.JDA.tar
    After AP reboots with recovery image it joins WLC and downloads new CAPWAP image then reboots again
    AP will not rejoin WLC with updated CAPWAP firmware
    Any help with this is greatly appreciated!
    Thanks in advance and happy holidays,
    Scott
    Error Msg from 1252 console
    *Dec 18 15:52:50.691: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.2 peer_port: 5246
    *Dec 18 15:52:50.695: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
    *Dec 18 15:52:50.695: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.100.2
    Additional info
    WLC Debugs Enabled:
    MAC address ................................ c4:7d:4f:39:31:e2
    Debug Flags Enabled:
      aaa detail enabled.
      capwap error enabled.
      capwap critical enabled.
      capwap events enabled.
      capwap state enabled.
      dtls event enabled.
      lwapp events enabled.
      lwapp errors enabled.
      pm pki enabled.
    WLC Debug Output:
    *Dec 18 10:51:51.575: dtls_conn_hash_search: Connection not found in hash table - Table empty.
    *Dec 18 10:51:51.575: sshpmGetCID: called to evaluate <cscoDefaultIdCert>
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: called to get cert for CID 154c7072
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 2, certname >cscoDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCID: called to evaluate <cscoDefaultIdCert>
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetSshPrivateKeyFromCID: called to get key for CID 154c7072
    *Dec 18 10:51:51.575: sshpmGetSshPrivateKeyFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<
    *Dec 18 10:51:51.576: sshpmGetSshPrivateKeyFromCID: comparing to row 1, certname >bsnDefaultIdCert<
    *Dec 18 10:51:51.576: sshpmGetSshPrivateKeyFromCID: comparing to row 2, certname >cscoDefaultIdCert<
    *Dec 18 10:51:51.576: sshpmGetSshPrivateKeyFromCID: match in row 2
    *Dec 18 10:51:51.692: acDtlsCallback: Certificate installed for PKI based authentication.
    *Dec 18 10:51:51.693: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=0
    *Dec 18 10:51:51.693: local_openssl_dtls_record_inspect:   msg=ClientHello len=44 seq=0 frag_off=0 frag_len=44
    *Dec 18 10:51:51.693: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:51.693: local_openssl_dtls_send: Sending 60 bytes
    *Dec 18 10:51:51.694: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:51.694: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=1
    *Dec 18 10:51:51.694: local_openssl_dtls_record_inspect:   msg=ClientHello len=76 seq=1 frag_off=0 frag_len=76
    *Dec 18 10:51:51.695: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:51.695: local_openssl_dtls_send: Sending 544 bytes
    *Dec 18 10:51:51.695: local_openssl_dtls_send: Sending 544 bytes
    *Dec 18 10:51:51.696: local_openssl_dtls_send: Sending 314 bytes
    *Dec 18 10:51:51.712: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:51.712: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=2
    *Dec 18 10:51:51.712: local_openssl_dtls_record_inspect:   msg=Certificate len=1146 seq=2 frag_off=0 frag_len=519
    *Dec 18 10:51:51.712: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:51.712: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:51.712: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=3
    *Dec 18 10:51:51.712: local_openssl_dtls_record_inspect:   msg=Certificate len=1146 seq=2 frag_off=519 frag_len=519
    *Dec 18 10:51:51.713: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:51.713: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:51.713: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=4
    *Dec 18 10:51:51.713: local_openssl_dtls_record_inspect:   msg=Certificate len=1146 seq=2 frag_off=1038 frag_len=108
    *Dec 18 10:51:51.714: sshpmGetIssuerHandles: locking ca cert table
    *Dec 18 10:51:51.714: sshpmGetIssuerHandles: calling x509_alloc() for user cert
    *Dec 18 10:51:51.714: sshpmGetIssuerHandles: calling x509_decode()
    *Dec 18 10:51:51.719: sshpmGetIssuerHandles: <subject> C=US, ST=California, L=San Jose, O=Cisco Systems, CN=C1250-c47d4f3931e2, [email protected]
    *Dec 18 10:51:51.719: sshpmGetIssuerHandles: <issuer>  O=Cisco Systems, CN=Cisco Manufacturing CA
    *Dec 18 10:51:51.719: sshpmGetIssuerHandles: Mac Address in subject is c4:7d:4f:39:31:e2
    *Dec 18 10:51:51.719: sshpmGetIssuerHandles: Cert Name in subject is C1250-c47d4f3931e2
    *Dec 18 10:51:51.719: sshpmGetIssuerHandles: Cert is issued by Cisco Systems.
    *Dec 18 10:51:51.719: sshpmGetCID: called to evaluate <cscoDefaultMfgCaCert>
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: called to get cert for CID 2ab15c0a
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.719: ssphmUserCertVerify: calling x509_decode()
    *Dec 18 10:51:51.730: ssphmUserCertVerify: user cert verfied using >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.730: sshpmGetIssuerHandles: ValidityString (current): 2009/12/18/15:51:51
    *Dec 18 10:51:51.730: sshpmGetIssuerHandles: ValidityString (NotBefore): 2009/11/03/00:47:36
    *Dec 18 10:51:51.730: sshpmGetIssuerHandles: ValidityString (NotAfter): 2019/11/03/00:57:36
    *Dec 18 10:51:51.730: sshpmGetIssuerHandles: getting cisco ID cert handle...
    *Dec 18 10:51:51.730: sshpmGetCID: called to evaluate <cscoDefaultIdCert>
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
    *Dec 18 10:51:51.731: sshpmFreePublicKeyHandle: called with 0x1f1f3b8c
    *Dec 18 10:51:51.731: sshpmFreePublicKeyHandle: freeing public key
    *Dec 18 10:51:51.731: openssl_shim_cert_verify_callback: Certificate verification - passed!
    *Dec 18 10:51:51.732: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:52.155: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:52.155: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=5
    *Dec 18 10:51:52.155: local_openssl_dtls_record_inspect:   msg=ClientKeyExchange len=258 seq=3 frag_off=0 frag_len=258
    *Dec 18 10:51:52.269: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:52.269: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:52.269: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=6
    *Dec 18 10:51:52.269: local_openssl_dtls_record_inspect:   msg=CertificateVerify len=258 seq=4 frag_off=0 frag_len=258
    *Dec 18 10:51:52.269: local_openssl_dtls_record_inspect: record=ChangeCipherSpec epoch=0 seq=7
    *Dec 18 10:51:52.269: local_openssl_dtls_record_inspect: record=Handshake epoch=1 seq=0
    *Dec 18 10:51:52.269: local_openssl_dtls_record_inspect:   msg=Unknown or Encrypted
    *Dec 18 10:51:52.273: openssl_dtls_process_packet: Connection established!
    *Dec 18 10:51:52.273: acDtlsCallback: DTLS Connection 0x167c5c00 established
    *Dec 18 10:51:52.273: openssl_dtls_mtu_update: Setting DTLS MTU for link to peer 192.168.100.54:62227
    *Dec 18 10:51:52.273: local_openssl_dtls_send: Sending 91 bytes
    *Dec 18 10:53:06.183: sshpmLscTask: LSC Task received a message 4
    Aironet 1252 Console Debug:
    *Dec 16 11:07:12.055: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Dec 18 15:51:40.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.2 peer_port: 5246
    *Dec 18 15:51:40.999: %CAPWAP-5-CHANGED: CAPWAP changed state to 
    *Dec 18 15:51:41.695: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.2 peer_port: 5246
    *Dec 18 15:51:41.699: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
    *Dec 18 15:51:41.699: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
    *Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.100.2
    *Dec 18 15:51:46.695: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
    *Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
    *Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.100.2
    *Dec 18 15:52:39.999: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 192.168.100.2:5246
    *Dec 18 15:52:40.039: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Dec 18 15:52:40.039: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Dec 18 15:52:40.051: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Dec 18 15:52:40.051: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
    *Dec 18 15:52:40.059: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 18 15:52:40.063: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Dec 18 15:52:40.079: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 18 15:52:40.079: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Dec 18 15:52:50.059: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Dec 18 15:52:50.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.2 peer_port: 5246
    *Dec 18 15:52:50.000: %CAPWAP-5-CHANGED: CAPWAP changed state to 
    *Dec 18 15:52:50.691: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.2 peer_port: 5246
    *Dec 18 15:52:50.695: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
    *Dec 18 15:52:50.695: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.100.2
    *Dec 18 15:52:55.691: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
    *Dec 18 15:52:55.691: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
    *Dec 18 15:52:55.691: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Dec 18 15:52:55.691: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec 18 15:52:55.691: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.1

    Nathan and Leo are alluding to CSCte01087. Basically the caveat is that DTLS fails on a non-00:xx:xx:xx:xx:xx L2 first hop. e.g. if the APs are on the same VLAN as the management interface, they must have 00 MACs; if they are on a different VLAN, the WLC/AP gateway must have a 00 MAC. If the workaround below does not suit your environment, open a TAC case for an image with the fix.
    Symptom:
    An access point running 6.0.188.0 code may be unable to join a WLC5508.
    Messages similar to the following will be seen on the AP.
       %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
       %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message
    Conditions:
    At least one of the following conditions pertains:
    - The high order byte of the AP's MAC address is nonzero, and the AP is in
    the same subnet as the WLC5508's management (or AP manager) interface
    - The WLC's management (or AP manager) interface's default gateway's
    MAC address' high order byte is nonzero.
    Workaround:
    If the MAC address of the WLC's default gateway does not begin with 00,
    and if all of the APs' MAC addresses begin with 00, then: you can put
    the APs into the same subnet as the WLC's management (or AP manager)
    interface.
    In the general case, for the situation where the WLC's default gateway's
    MAC does not begin with 00, you can address this by changing it to begin
    with 00. Some methods for doing this include:
    -- use the "mac-address" command on the gateway, to set a MAC address
    that begins with 00
    -- then enable HSRP on the gateway (standby ip ww.xx.yy.zz) and use this
    IP as the WLC's gateway.
    For the case where the APs' MAC addresses do not begin with 00, then make
    sure that they are *not* in the same subnet as the WLC's management
    (AP manager) interface, but are behind a router.
    Another workaround is to downgrade to 6.0.182.0.  However, after
    downgrading the WLC to 6.0.182.0, any APs that have 6.0.188.0 IOS
    (i.e. 12.4(21a)JA2) still installed on them will be unable to join.
    Therefore, after downgrading the WLC, the APs will need to have a
    pre-12.4(21a)JA2 rcvk9w8 or k9w8 image installed on them.
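
The following added example is not part of any post in this thread and is not Cisco code. It scans AP console output for the symptom pair quoted in CSCte01087 and applies the first-hop MAC condition as the reply above summarises it. The log lines, IP addresses and AP MAC are copied from the thread; the /24 prefix, the gateway MACs and all function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# AP console lines copied from the thread (two DTLS sessions, the first with a retry).
SAMPLE_LOG = """\
*Dec 18 15:51:41.695: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.2 peer_port: 5246
*Dec 18 15:51:41.699: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
*Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
*Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
*Dec 18 15:51:46.695: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
*Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
*Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
*Dec 18 15:52:39.999: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 192.168.100.2:5246
*Dec 18 15:52:40.039: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Dec 18 15:52:50.691: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.2 peer_port: 5246
*Dec 18 15:52:50.695: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
*Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
*Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
"""

# %FACILITY-SEVERITY-MNEMONIC: text
LINE_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+):\s?(?P<text>.*)$")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def join_failures(log_text):
    """Per controller, count DTLS sessions where a Join Request was followed
    by both symptom messages. Retries inside one session count once."""
    failures = defaultdict(int)
    peer, join_sent, seen, counted = None, False, set(), False
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        mnem, text = m["mnem"], m["text"]
        if mnem == "DTLSREQSUCC":  # new DTLS session: reset per-session state
            ip = IP_RE.search(text)
            peer = ip.group(0) if ip else None
            join_sent, seen, counted = False, set(), False
        elif mnem == "SENDJOIN" and peer:
            join_sent = True
        elif mnem == "ERRORLOG" and join_sent:
            if text.startswith("Unencrypted non-discovery CAPWAP Control Message"):
                seen.add("unencrypted")
            elif text.startswith("Invalid AC Message Type 4"):
                seen.add("type4")
            if seen == {"unencrypted", "type4"} and not counted:
                failures[peer] += 1
                counted = True
    return dict(failures)


def high_byte_nonzero(mac):
    """True if the first octet is not 00. Accepts aa:bb:.. and aabb.ccdd.eeff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits[:2], 16) != 0


def first_hop_mac(ap_ip, ap_mac, wlc_iface, gateway_mac):
    """MAC the WLC sees at layer 2 for this AP: the AP itself when it is
    on-link with the management interface, otherwise the default gateway."""
    network = ipaddress.ip_interface(wlc_iface).network
    return ap_mac if ipaddress.ip_address(ap_ip) in network else gateway_mac


def hits_first_hop_caveat(ap_ip, ap_mac, wlc_iface, gateway_mac):
    """First-hop reading of the caveat: affected when that MAC does not start with 00."""
    return high_byte_nonzero(first_hop_mac(ap_ip, ap_mac, wlc_iface, gateway_mac))


def assess(log_text, ap_ip, ap_mac, wlc_iface, gateway_mac):
    """Combine the log symptom with the topology condition for one AP."""
    sessions = sum(join_failures(log_text).values())
    exposed = hits_first_hop_caveat(ap_ip, ap_mac, wlc_iface, gateway_mac)
    return {"failed_sessions": sessions, "first_hop_non_00": exposed,
            "consistent_with_caveat": sessions > 0 and exposed}


if __name__ == "__main__":
    # 192.168.100.2/24: prefix length is an assumption; gateway MAC is constructed.
    print(assess(SAMPLE_LOG, "192.168.100.54", "c4:7d:4f:39:31:e2",
                 "192.168.100.2/24", "00:1b:54:aa:bb:cc"))
```

A result with `failed_sessions` above zero but `first_hop_non_00` false suggests looking at other join-failure causes before attributing the loop to this caveat.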

  • Separate VLAN for CAPWAP

    Hello,
    I'm in the process of deploying a WLC2504 in an environment which requires a private VLAN for access to file servers and other network resources, as well as a guest network for internet access.
    As far as performance is concerned, will I get acceptable throughput on my WLANs with the CAPWAP tunnel flowing over the same subnet as the private network? I've seen some suggestions that recommend a separate VLAN dedicated to CAPWAP, but I don't know if this is just a suggestion for security. I understand that CAPWAP supports encryption of control messages, but not data transmissions without additional licensing. If this is just a suggestion for security, I don't think this is much of a concern. I don't see anyone on the private network intercepting guest transmissions. Could someone please advise me on this?

    Thanks for your clarification guys! I'm in the process of installing my first CUWN. We are implementing 10 APs and have dealt with a few issues, namely throughput for laptops. I knew other factors could definitely come into play, but I wanted to rule topology out. Laptops are currently pulling very low internet speed test results, whereas mobile devices seem to fare much better. I've tried testing with mostly 2.4 GHz connections from laptops, but even the 5GHz seem to struggle. I'm working with the Cisco TAC a bit on this one. Per their suggestion, I'm going to run Iperf to test internal performance before I involve network firewalls and Internet connectivity in the mix.

  • Information about %CAPWAP-3- ERRORLOG messages

    Hello,
    Does anyone know where to find information about CAPWAP-3 messages like these ?
    %CAPWAP-3-ERRORLOG: Failed to send data transfer request.
    %CAPWAP-3-ERRORLOG: Queue already full.
    Thanks in advance.

    I'm with Scott.
    Post the entire bootup process.  This contains vital information than you can surmise.
    Also post the output to the following commands:
    1.  WLC:  sh sysinfo;
    2.  WLC:  sh time;
    3.  AP:  sh version;
    4.  AP:  sh ip interface brief; and
    5.  AP:  sh inventory

  • How to replace the certificate of Cisco 2106 wireless LAN controller for CAPWAP ?

    I am interested in the CAPWAP feature and I downloaded the open capwap project to make an Access Controller (AC) and Wireless Terminal Point (WTP). I built the AC on a PC and the WTP on an Atheros AP. The CAPWAP feature worked well when I enabled CAPWAP using my own AC and WTP. When I got the Cisco 2106 wireless LAN controller (Cisco WLC), I configured the Cisco WLC to replace my own AC, but I got an authorization failure on the Cisco WLC side. It seems the Cisco WLC could not recognize the CAPWAP message sent from my own WTP. I think this issue just needs the certificate to be synchronized between the Cisco WLC and the WTP. So I need to replace the Cisco WLC's certificate manually. Does anyone know how to replace the certificate manually on the Cisco WLC?
    Best Regards,
    Alan

    Unfortunately this Support Community is for Cisco Small Business & Small Business Pro product offerings.  The WLC2106 is a traditional Cisco product.  You can find this type of support on the Cisco NetPro Forum for all traditional Cisco products.
    Best Regards,
    Glenn

  • %CAPWAP-3-ERRORLOG in MESH setup WLC7.6

    Hello everyone,
    I configured a MESH setup consisting of 3 AP's (1 root and 2 remote),
    however one AP (remote) cannot join the WLC anymore since I made the changes to static IP and bridge mode.
    I can't even reset the AP to factory settings to get it back to WLC appliance...
    This is the error logs from the AP - can anyone help?
    *Apr 10 16:15:59.187: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
    *Apr 10 16:15:59.231: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Apr 10 16:15:59.235: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Apr 10 16:16:00.235: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Apr 10 16:16:00.263: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Apr 10 16:16:01.263: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Apr 10 16:16:09.187: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Apr 10 16:16:09.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.88.53 peer_port: 5246
    *Apr 10 16:16:09.003: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Apr 10 16:16:09.011: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Apr 10 16:16:09.411: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.88.53 peer_port: 5246
    *Apr 10 16:16:09.411: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.88.53
    *Apr 10 16:16:09.415: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
    *Apr 10 16:16:09.415: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
    *Apr 10 16:16:09.415: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Apr 10 16:16:09.415: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 192.168.88.53
    *Apr 10 16:16:10.003: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Apr 10 16:16:10.039: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Apr 10 16:16:10.047: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Apr 10 16:16:11.083: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Apr 10 16:16:12.083: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Apr 10 16:16:14.411: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.88.53
    *Apr 10 16:16:14.415: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Apr 10 16:16:14.423: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Apr 10 16:16:15.415: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Apr 10 16:16:15.451: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Apr 10 16:16:16.451: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
    *Apr 10 16:17:08.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.88.53:5246
    *Apr 10 16:17:09.039: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
    *Apr 10 16:17:09.055: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Apr 10 16:17:09.091: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Apr 10 16:17:10.059: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Apr 10 16:17:10.095: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Apr 10 16:17:10.103: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Apr 10 16:17:11.131: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Apr 10 16:17:12.131: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up

    info0000246:
    Are you sure you allowed the AP on the mac filter in your WLC?  I was having the same issue today because I had forgotten to add the mac into the mac filtering, as soon as I did that the AP was able to join the controller.

  • Monitor capwap access points

    Hello,
    After migrating from standalone access points to capwap access points (with wireless lan controller / Cisco Prime), a lot of people are wondering how to monitor their APs by receiving traps from the controllers.
    I am searching for a trap list that should be accepted by a monitoring product (i.e. nagios) in order to monitor the status of the access points.
    Where can I find this info?
    Thank you in advance for your help.
    Rgds.
    Hubert.

    Since all APs are managed by the WLC, all information is available from the WLC; there is no need to get this information from the APs directly.
    If you want, you can configure AP & WLC syslog to export to a syslog server & then analyse them. The posts below may give some idea:
    http://mrncciew.com/2014/09/19/wlc-syslog-analysis/
    http://mrncciew.com/2013/02/06/syslog-msg-log-in-wlc/
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • High CAPWAP traffic when locally switched

    Hello all,
    We're seeing an ongoing issue where several APs across multiple sites log the error, "%CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST., 12)", then disassociate from the controller, and reassociate almost immediately.  The issue is the users get disassociated from the AP and call the helpdesk.
    A counter measure at one site was to add the CAPWAP traffic (udp ports 5246 & 5247)  to the controller in our QOS Platinum policy (setting the DSCP bit to 'ef'), but that doesn't seem to help.
    We're using Flexconnect with central authentication, local switching.
    A couple of questions:
    1) The Platinum queue on the QOS is showing over 500 kbps when the only thing put in that queue is the CAPWAP traffic - there aren't any phones.  Why so much bandwidth for authentication and control traffic?
    2) What is happening with the APs that they can't talk to the controller that causes the issue in the first place?  Bandwidth doesn't seem to be an issue.
    Below are some config and outputs:
    AP-1242#show capwap reap status
    AP Mode:         REAP, Connected
    Radar detected on:
    AP-1242#show capwap reap association
    REAP Data Switching: Local
    2960#show int fa0/22
      Hardware is Fast Ethernet
      Full-duplex, 100Mb/s, media type is 10/100BaseTX
      Last input 00:00:22, output 00:00:00, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 23000 bits/sec, 13 packets/sec
      5 minute output rate 208000 bits/sec, 48 packets/sec
         37478173 packets input, 13839718021 bytes, 0 no buffer
         Received 2818773 broadcasts (0 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 502342 multicast, 0 pause input
         0 input packets with dribble condition detected
         118634332 packets output, 36491262361 bytes, 0 underruns
         0 output errors, 0 collisions, 1 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 PAUSE output
         0 output buffer failures, 0 output buffers swapped out
    2811#show policy-map interface multilink 1
    Service-policy output: MPLS-QOS
        queue stats for all priority classes:
           queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 300637/46124112
        Class-map: PLATINUM (match-any)
          300637 packets, 46124112 bytes
          30 second offered rate 28000 bps, drop rate 0 bps
          Match: ip dscp ef (46)
            300637 packets, 46124112 bytes
            30 second rate 28000 bps
          Priority: 18% (552 kbps), burst bytes 13800, b/w exceed drops: -16
    Any help is appreciated.

    Hi Jeff,
    I think you are hitting a bug (CSCse92856) specific to 1242 AP. Solution given is "Enable Proxy ARP on the default-gateway device of your AP". You can try that & see.
    Even I cannot view the details of this bug because of insufficient access permission. Therefore I do not know more details about this bug fix & which software versions are affected, etc. Better you contact Cisco TAC & get more information.
    I found this information here
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008081103d.shtml
    One other reason that H-REAP APs do not join WLCs is if the Proxy ARP is disabled on the gateway for the H-REAP APs. From the AP console, this message is logged:
    *Jul 29 14:04:10.897: LWAPP_CLIENT_ERROR_DEBUG: 
    Retransmission count for packet exceeded more than max(CHANGE_STATE_EVENT , 1)
    This can be caused by Cisco bug ID CSCse92856. This problem applies only to AP1130 and AP1240. This problem does not apply to AP1000s, AP1100, or AP1200.
    This problem occurs when these conditions are met:
    HREAP mode is used in the WLAN. Local mode is not affected by this issue. Native VLAN mapping is required.
    The APs have to be on a different IP subnet than the AP Manager of the WLCs.
    Proxy ARP is disabled on the default gateway for the AP.
    The H-REAP AP gets the default gateway from a DHCP server.
    In order to resolve this issue, enable Proxy ARP on the default gateway router of the AP.
    HTH
    Rasika
    *** Pls rate all useful responses ****
