CAPWAP error on WLC

Yesterday I had an AP that disassociated from the controller and now it won't join. I'm getting the following errors. Cisco's documentation is not really pointing out the issue. Has anyone encountered these before?
Software Version: 7.4.100.0
FRI: 1.0.0
*spamApTask0: Dec 16 19:24:13.613: fc:99:47:d9:8a:4b Failed to parse CAPWAP packet from 10.141.16.44:39077
*spamApTask0: Dec 16 19:25:08.194: 00:00:00:00:00:00 DTLS connection was closed
*spamApTask1: Dec 16 19:25:18.699: 00:00:00:00:00:00 Not allocating an entry for the AP, received an AP with zero mac 00:00:00:00:00:00
*spamApTask1: Dec 16 19:25:18.699: 00:00:00:00:00:00 Failed to allocate database entry for AP 10.141.16.44:39078
*spamApTask1: Dec 16 19:25:18.700: 00:00:00:00:00:00 Failed to add database entry for 10.141.16.44:39078
*spamApTask1: Dec 16 19:25:18.700: 00:00:00:00:00:00 State machine handler: Failed to process  msg type = 3 state = 0 from 10.141.16.44:39078
*spamApTask1: Dec 16 19:25:18.700: fc:99:47:d9:8a:4b Failed to parse CAPWAP packet from 10.141.16.44:39078
*spamApTask1: Dec 16 19:25:23.697: 00:00:00:00:00:00 Not allocating an entry for the AP, received an AP with zero mac 00:00:00:00:00:00
*spamApTask1: Dec 16 19:25:23.697: 00:00:00:00:00:00 Failed to allocate database entry for AP 10.141.16.44:39078
*spamApTask1: Dec 16 19:25:23.697: 00:00:00:00:00:00 Failed to add database entry for 10.141.16.44:39078
*spamApTask1: Dec 16 19:25:23.697: 00:00:00:00:00:00 State machine handler: Failed to process  msg type = 3 state = 0 from 10.141.16.44:39078

If you are running Software Version 7.4.100.0, then you should upgrade to at least 7.4.110.0 (7.4MR1), as the code you are running is the very first release of 7.4 (released in Dec 2012), which contains many bugs.
If you are interested in the latest bug-fixed version of 7.4 (which is 7.4.111.x or 7.4MR2), you can get a pre-release code from here:
https://supportforums.cisco.com/docs/DOC-37334
Here is a summary of bugs we encountered in this 7.4.x journey so far:
http://mrncciew.com/2013/02/10/day-0-with-wlc-7-4-code/
Then see if this issue is still there. Also make sure you have upgraded your WLC FUS to 1.7.0.0 as well (this could lead to up to 30-40 min of downtime for your wireless):
http://www.cisco.com/en/US/docs/wireless/controller/release/notes/fus_rn_1_7_0_0.html
HTH
Rasika
**** Pls rate all useful responses *****
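
An added example, not part of the original posts and not Cisco tooling: a Python triage of the controller log lines quoted in the question above. It groups events by AP source IP and names the failing CAPWAP message, assuming the logged `msg type` number is the RFC 5415 control message type (3 = Join Request); `triage`, `findings` and `ApSummary` are hypothetical names.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Control message types from RFC 5415, section 4.5.1.1 (first six only).
# Assumption: the WLC log prints this same number as "msg type".
CAPWAP_MSG_TYPES = {
    1: "Discovery Request", 2: "Discovery Response",
    3: "Join Request", 4: "Join Response",
    5: "Configuration Status Request", 6: "Configuration Status Response",
}
ZERO_MAC = "00:00:00:00:00:00"

LINE_RE = re.compile(
    r"^\*(?P<task>\w+): (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\.\d+: "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$", re.I)
PEER_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)\s*$")
MSG_RE = re.compile(r"msg type = (\d+) state = (\d+)")

# Log lines copied from the question above.
SAMPLE_LOG = """
*spamApTask0: Dec 16 19:24:13.613: fc:99:47:d9:8a:4b Failed to parse CAPWAP packet from 10.141.16.44:39077
*spamApTask0: Dec 16 19:25:08.194: 00:00:00:00:00:00 DTLS connection was closed
*spamApTask1: Dec 16 19:25:18.699: 00:00:00:00:00:00 Not allocating an entry for the AP, received an AP with zero mac 00:00:00:00:00:00
*spamApTask1: Dec 16 19:25:18.699: 00:00:00:00:00:00 Failed to allocate database entry for AP 10.141.16.44:39078
*spamApTask1: Dec 16 19:25:18.700: 00:00:00:00:00:00 Failed to add database entry for 10.141.16.44:39078
*spamApTask1: Dec 16 19:25:18.700: 00:00:00:00:00:00 State machine handler: Failed to process  msg type = 3 state = 0 from 10.141.16.44:39078
*spamApTask1: Dec 16 19:25:18.700: fc:99:47:d9:8a:4b Failed to parse CAPWAP packet from 10.141.16.44:39078
*spamApTask1: Dec 16 19:25:23.697: 00:00:00:00:00:00 Not allocating an entry for the AP, received an AP with zero mac 00:00:00:00:00:00
*spamApTask1: Dec 16 19:25:23.697: 00:00:00:00:00:00 Failed to allocate database entry for AP 10.141.16.44:39078
*spamApTask1: Dec 16 19:25:23.697: 00:00:00:00:00:00 Failed to add database entry for 10.141.16.44:39078
*spamApTask1: Dec 16 19:25:23.697: 00:00:00:00:00:00 State machine handler: Failed to process  msg type = 3 state = 0 from 10.141.16.44:39078
"""


@dataclass
class ApSummary:
    ports: set = field(default_factory=set)
    macs: set = field(default_factory=set)
    parse_failures: int = 0
    zero_mac_rejects: int = 0
    failed_msgs: Counter = field(default_factory=Counter)


def _classify(summary, mac, msg):
    """Update one AP's counters from a single log message."""
    if mac.lower() != ZERO_MAC:
        summary.macs.add(mac.lower())
    if "Failed to parse CAPWAP packet" in msg:
        summary.parse_failures += 1
    if "zero mac" in msg:
        summary.zero_mac_rejects += 1
    m = MSG_RE.search(msg)
    if m:
        name = CAPWAP_MSG_TYPES.get(int(m.group(1)), "type " + m.group(1))
        summary.failed_msgs[(name, int(m.group(2)))] += 1


def triage(lines):
    """Group WLC spamApTask lines by AP source IP.

    Lines that name no peer are held per task and attributed to the next
    line of the same task logged in the same second; the rest are returned
    as unattributed.
    """
    aps, pending, unattributed = {}, {}, []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        task, ts, mac, msg = m.group("task", "ts", "mac", "msg")
        peer = PEER_RE.search(msg)
        if not peer:
            pending.setdefault(task, []).append((ts, mac, msg))
            continue
        summary = aps.setdefault(peer.group(1), ApSummary())
        summary.ports.add(int(peer.group(2)))
        for p_ts, p_mac, p_msg in pending.pop(task, []):
            if p_ts == ts:
                _classify(summary, p_mac, p_msg)
            else:
                unattributed.append(p_msg)
        _classify(summary, mac, msg)
    for rest in pending.values():
        unattributed.extend(msg for _, _, msg in rest)
    return aps, unattributed


def findings(summary):
    """Turn one AP's counters into short observations."""
    out = []
    if summary.zero_mac_rejects and summary.macs:
        out.append("all-zero MAC refused %d time(s); same peer also logged as %s"
                   % (summary.zero_mac_rejects, ", ".join(sorted(summary.macs))))
    for (name, state), count in sorted(summary.failed_msgs.items()):
        out.append("%s failed in state %d, %d time(s)" % (name, state, count))
    if len(summary.ports) > 1:
        out.append("peer retried from %d different source ports" % len(summary.ports))
    return out


if __name__ == "__main__":
    for ip, summary in triage(SAMPLE_LOG.splitlines())[0].items():
        print(ip, *findings(summary), sep="\n  ")
```
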

Similar Messages

  • Error Loading WLCS - ?build compatibility?

    Hi:
    Just trying to run WLPS, which is sometimes talked about as a separate
    product,
    but it all seems to come together.
    I get the following errors on WLCS startup (required to do anything with
    WLPS).
    I'm running WLS 5.1 SP 8, and the latest WLCS/PS (no service packs),
    and just going with Cloudscape defaults.
    Any ideas?
    Thanks
    Matt
    =============== Initializing Logger ======================
    Tue Mar 27 19:32:31 PST 2001:<E> <T3Services>
    COMMERCE_SERVER_FRAMEWORK,LOG_ERROR,"==========================WebLogic
    Commerce Servers PRODUCT ERROR======================"
    Tue Mar 27 19:32:31 PST 2001:<E> <T3Services>
    COMMERCE_SERVER_FRAMEWORK,LOG_ERROR,"Current WebLogic build may not be
    compatible with the WebLogic Commerce Server implementation. Minimum
    Build: 83914 Current Installation Build: 66825"
    Tue Mar 27 19:32:31 PST 2001:<E> <T3Services>
    COMMERCE_SERVER_FRAMEWORK,LOG_ERROR,"==========================END
    WebLogic Commerce Servers PRODUCT ERROR======================"
    Tue Mar 27 19:32:31 PST 2001:<I> <WebLogicServer> Disable Server Logins
    requested by system
    Tue Mar 27 19:32:31 PST 2001:<I> <WebLogicServer> Server Logins are now
    disabled
    Tue Mar 27 19:32:31 PST 2001:<I> <WebLogicServer> Server shutdown by
    system

    Hi Matt,
    Check to make sure that the WLS service packs are installed
    correctly and the environment settings are okay. Were there
    any other error messages above? Often EJBs won't deploy with
    incompatible service packs.
    Thanks,
    Skip

  • 1200 AP CAPWAP errors connecting to a 4404 WLC

    We recently updated to software release 6.0.188.0. We now have one AP unable to join. When the AP attempts to join I am getting the following errors:
    %CAPWAP-3-ERRORLOG: Go join a capwap controller
    %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.9.254.251 peer_port: 5246
    %CAPWAP-5-CHANGED: CAPWAP changed state to
    %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.9.254.251 peer_port: 5246
    %CAPWAP-3-ERRORLOG: Failed to get serial number.
    %CAPWAP-3-ERRORLOG: WTP Board data: Failed to get serial number.
    %CAPWAP-3-ERRORLOG: Join request: Failed to encode WTP Board Data message element.
    %CAPWAP-3-ERRORLOG: Failed to encode Join request.
    %CAPWAP-3-ERRORLOG: Failed to send Join request to 10.9.254.251
    %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 10.9.254.251:5246
    All other APs join successfully. This AP had no problems prior to the update.

    Only Cisco Aironet 1200 Series Access Points that contain 802.11g (AIR-MP21G) or second-generation 802.11a radios (AIR-RM21A or AIR-RM22A) are supported for use with controller software releases. The AIR-RM20A radio, which was included in early 1200 series access point models, is not supported. To see the type of radio module installed in your access point, enter this command on the access point: show controller dot11radio n, where n is the number of the radio (0 or 1).
    Cisco Unified Wireless Network Solution Components
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn6_0_188.html#wp233793

  • SFP Error with WLC 5508

    all,
    I'm facing a problem to upgrade my WLC 5508 from 6.0.199.4 to 7.0.98.218
    On my WLC, I have a bad src error message about the SFP.
    With the version 6, I have the "warning" but the port is UP and Running
               STP   Admin   Physical   Physical   Link   Link
    Pr  Type   Stat   Mode     Mode      Status   Status  Trap     POE    SFPType
    1  Normal  Disa Enable  Auto       Auto       Down   Enable  N/A     Not Present
    2  Normal  Disa Enable  Auto       Auto       Down   Enable  N/A     Not Present
    3  Normal  Forw Enable  Auto       1000 Full  Up     Enable  N/A     SFP Error
    on version 7.0.98.218, the port never comes UP:
               STP   Admin   Physical   Physical   Link   Link
    Pr  Type   Stat   Mode     Mode      Status   Status  Trap     POE    SFPType
    1  Normal  Disa Enable  Auto       Auto       Down   Enable  N/A     Not Present
    2  Normal  Disa Enable  Auto       Auto       Down   Enable  N/A     Not Present
    3  Normal  Disa Enable  Auto       Auto       Down   Enable  N/A     SFP Error
    I see a bug about CSCta32912, but normally, it is solved in version 7.
    How to solve this issue?
    Thanks.

    Are you using a Cisco SFP or a third party one?

  • Decrypt Errors on WLC version 7

    Hello
    I am seeing a lot of the following showing up in the WLC trap log:
    Decrypt errors occurred for client <CLIENT-MAC> using WPA2 key on 802.11b/g interface of AP 00:17:0f:81:ad:90
    I have done a fair amount of searching about and I can't seem to find a clear explanation for this message. Could someone suggest what might be causing these issues and how to resolve them?
    For reference, we are using a WLC running 7.0.98 and ACS 4.0.
    Thanks in advance.

    It's a fair range of clients across several APs in the building. I haven't got an exact list of clients, but I know it's both old and new Lenovo/IBM laptops as well as MacBooks and MacBook Pros.
    Our APs are the 1131AGs, if that helps.

  • CAPWAP error in logs - CAPWAPPING-3-PKT_RECV_ERROR

    Hi Everyone
    I'm seeing the following message in my logs every 30 seconds:
    396901: Apr  2 2014 13:31:20.958 BST: *capwapPingSocketTask: 1 wcm:  %CAPWAPPING-3-PKT_RECV_ERROR: capwapPingSocketTask: capwappingRecvPkt returned error
    Does anyone know what this means or how I can find out more information? This is a new network without many users at present, but I'm not aware of any operational issues. I'm just concerned that this is a syslog level 3 message (Error), so I assume it's fairly serious and warrants investigation.
    The set up is a single 3850 operating as an MC with three APs directly attached (AP model is 2602).
    Happy to provide config or any show command output - just let me know what you need.
    Thanks!
    Rich.

    What is the IOS version of your 3850? If it is not 3.3.2, I would upgrade to that code & see.
    In general, here is a very good presentation how to troubleshoot CA issues. Below is the link to recorded video session.
    BRKEWN-3021 - Troubleshooting Converged Access Wireless Deployments (2014 Melbourne)
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • Peculiar error from WLC and LWAP locking out iPhone 6+

    WiFi LAN:
    WLC Cisco 2504 Software Version 8.0.100.6
    LWAP's Cisco 1702i's Software Version IOS 15.3 Mini IOS 8.0.72.236
    Single WLAN using WPA2 (AuthPSK)
    Apple iPhone 6+ Software Version 8.1.2
    The error being reported in the 2504 WLC Message Log is:
    "*sntpReceiveTask: Jan 21 10:59:27.457: #LWAPP -3-DUP_IP:spam_Irad.c:39857 The system has added client a8:8e:24:60:a0:52 to exclusion list due to IP Address conflict of AP 192.168.10.10, this is a duplicate of IP on another machine (MAC a8:8e:24:60:a0:52)"
    In the error above:
    a8:8e:24:60:a0:52  - Is the Smart Phone being locked out of the LAN.
    192.168.10.10 - Is the IP address of the LWAP where the problem started yesterday.
    To troubleshoot, I took the smartphone to another LWAP 100 meters away and the above error still gets reported to the 2504 WLC.
    My questions to the support community:
    1) I have looked everywhere for this "Exclusion List" on the 2504 WLC GUI and cannot find it. Does it exist on the 2504 GUI? CLI?
    2) If not, is it on the LWAP?
    My thinking is to clear this list to see if this smartphone can then join the LAN.  THX

    Thanks for that Scott. I will do the updates when a window opens up. I performed the opened SSID as you suggested and the smartphone would not join on the first attempt. On the second attempt I manually entered network settings and it finally joined and has held for over an hour now. I have 2 iPhone 6 smartphones with this problem now and 45 mixed iPhone 6's/Droids running flawlessly with WPA2/AES Security. I will attach a couple screenshots of the security setup to this post. 
    On another note, I had originally thought that this was an Apple iOS 8 issue, as I found a recent thread on the Apple Support Communities mentioning the same issue of continuous re-logging in.
    https://discussions.apple.com/thread/6536955

  • Wireless errors on WLC

    Hi,
    I keep getting this error on the WLC where users keep getting kicked off the wireless network:
    %DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:848 Received EAPOL-key M2 msg has invalid information when mobile is
    in START  state - invalid secure bit; KeyLen 24, Key type 1, client a4:4e:31:20:32:fc
    Is this a client issue or a controller issue?

    Error Message    %DOT1X-3-INVALID_WPA_KEY_MSG_STATE: Received invalid [chars] msg in
    [chars] state - [chars]; len [int], key type [int], client
    [hex]:[hex]:[hex]:[hex]:[hex]:[hex]
    Explanation    Client authentication failed because of an authentication protocol error between the client and access point.
    Recommended Action    If the problem persists, try upgrading the client driver software or using different client software to isolate the cause. Also investigate possible intruder activity.

  • High 802.11 MAC Counters Errors on WLC

    When I log into our WLC I see a very high TX Failed, ACK Failure, RTS Failure and FCS Error Counts. Is this normal? How can I troubleshoot this problem? We have 10 LAPs that are in the same network as the managed and ap manager interfaces on the WLC. Thanks.

    Quantify very high please. Truly very high error rates usually are due to multipath issues in your RF network. However, MTU size can also have an effect. If you could, please send over a list of errors from a 10 minute slice of time under normal load. This will assist us in understanding your network. Also, please include client device types and overall network environment on the RF side.

  • DHCP Error with WLC 2504 and Aironet 2600 setup across subnets

    Hey guys
    I have just setup a new WLC 2504 controller to manage a WiFi service that will span 6 geographic locations.  The local networks at each location are on different subnets (all 192.168.x.x) and are linked up via IPSEC VPN links, and there is Active Directory spanning the sites, with DNS and DHCP servers running at each location.
    I tested the WLC at our main office with a single AP, and it worked fine. The AP set itself up, and wireless devices connect with no probs. Great! Yesterday I headed out to one of our remote sites, and connected an AP to their network - and that seemed to work fine too. Within a few minutes I was able to see the WiFi network I'd set up, and my smartphone connected to it straight away (as I'd previously connected at the main office), so I was pretty happy that all was working well.
    This morning however I've had notification that wifi performance at the remote site isn't great. I've got someone to check their IP address, and I've found that their IP address and default gateway match the LAN at the main office where the WLC is based - NOT the LAN where the wireless client is. Obviously this is not ideal!
    So I guess my question is, what have I done wrong?  (I guess I HAVE done something wrong!?).  And how can I get wireless clients at remote sites to pick up an IP from the DHCP server at THEIR site?
    Any help would be greatly appreciated! 
    Thanks!           

    Hello Tim,
    What mode are your APs in? Local mode or FlexConnect mode?
    If local mode, then all the traffic will be tunnelled to the WLC and they'll be same as if you are connecting from the WLC location.
    If you use FlexConnect APs (which is recommended for remote sites) you can configure FlexConnect groups on the WLC and add each location in a specific group. In that group you can decide what VLAN the users should be in.
    Check this link for FlexConnect group configuration
    http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_flexconnect.html#wp1230080
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Logs loaded with errors from WLC 4404

    I get pages and pages of these in my syslog... yet everything appears to be wrong.. what gives?
    Nov 26 01:44:42.102 dtl_pdu_landd.c:400 DTL-3-PKT_TX_ERROR: Failed to transmit a packet of type 2,USP:291897344/288555008/288555008.
    Thanks!

    IDS Disassociation Flood attacks against valid clients are sometimes reported where the attacker's MAC address is that of an AP joined to that controller.
    When a client is associated to the AP but stops communicating because of card removal, roaming out of range, etc. to the AP, the AP will wait until the idle timeout. Once the idle timeout is reached, the AP sends that client a disassociate frame. When the client does not acknowledge the disassociate frame, the AP retransmits the frame numerous times (around 60 frames). The IDS subsystem of the controller hears these retransmits and alerts with this message.
    This bug is resolved in version 4.0.217.0. Upgrade your Controller version to this version in order to overcome this alert message against valid clients and APs.

  • Ping works! But Join not. Why?

    Hello folks, I have some problems please help me,
    My access point won't join my WLC. When I ping the AP from the WLC, it replies. But the AP won't join. Why is that?
    Thank you.

    So hard to understand the join-process of an AP to a WLC. This is what I concern, please correct me guys:
    Basic requirement:
    AP basic requirement:
    1. Put an IP address to AP via: Static configuration or get an IP address via DHCP mechanism + options 43 .
    2. Put a configuration in access port of a switch that will be used to connect the LAP. Use command switchport mode access, switchport access vlan ...
    3. Plug the access point to switch.
    4. Access points reboots.
    Start of CAPWAP process:
    5. After finishing the reboot process, the AP gathers / discovers any potential WLCs around it using a discovery-request packet via: its statically configured primary, secondary or tertiary controller address; the DHCP option 43 value that it received in point 1; DNS; or subnet broadcast (255.255.255.255).
    6. A list of potential WLCs is now created. Specifically, a list of potential management interfaces of WLCs.
    7. The AP sends discovery request messages to each management-interface IP address that it found in point 6.
    8. After sending the discovery request, the access point will receive a discovery response; each discovery response message includes the information about the AP-management interface, if the AP-management interface is created in the WLC.
    9. Next, the AP sends a join request to the WLC and also sends its certificate. The WLC authorizes this.
    10. If the AP is authorized, then the AP sends a configuration request, but if it knows that its software version is different from the WLC's.
    So there are 3 types of process in LWAPP:
    1. Discovery phase
    2. Join phase
    3. Configuration phase
    Discovery phase is using discovery-request and discovery-response.
    Join phase is using join-request and join-response
    Configuration phase is using configuration-request and configuration-response
    Discovery phase is for:
    1. Looking / knowing / discovering interface-management IP address
    2. Looking / knowing / discovering Interface-AP-Manager IP address too
    Useful debug commands in this process: debug capwap events enable
    Join phase is for:
    1. Validating the AP's certificate
    Useful debug commands in this process: debug capwap events enable, debug pm pki enable
    Configuration phase is for:
    1. Matching software version on AP and WLC.
    Useful debug commands in this process: debug capwap events enable.
    So where these command should be placed according to 3 phases of CAPWAP?
    WLC>debug mac -- this can be skipped if only one AP is trying to join wlc.
    WLC>debug capwap error enable
    WLC>debug capwap event enable
    Kind of confused trying to get things straight here.
    Thanks a lot mate

  • Autonomous 1252 converted to CAPWAP will not join 5508 WLC

    WLC 5508 firmware is v6.0.188.0
    I've tried updating the autonomous 1252 via both the upgrade tool 3.4 and 'archive download-sw' from the CLI
    I've tried multiple recovery images
    c1250-rcvk9w8-tar.124-21a.JA2.tar
    c1250-rcvk9w8-tar.124-10b.JDA.tar
    After AP reboots with recovery image it joins WLC and downloads new CAPWAP image then reboots again
    AP will not rejoin WLC with updated CAPWAP firmware
    Any help with this is greatly appreciated!
    Thanks in advance and happy holidays,
    Scott
    Error Msg from 1252 console
    *Dec 18 15:52:50.691: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.2 peer_port: 5246
    *Dec 18 15:52:50.695: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
    *Dec 18 15:52:50.695: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.100.2
    Additional info
    WLC Debugs Enabled:
    MAC address ................................ c4:7d:4f:39:31:e2
    Debug Flags Enabled:
      aaa detail enabled.
      capwap error enabled.
      capwap critical enabled.
      capwap events enabled.
      capwap state enabled.
      dtls event enabled.
      lwapp events enabled.
      lwapp errors enabled.
      pm pki enabled.
    WLC Debug Output:
    *Dec 18 10:51:51.575: dtls_conn_hash_search: Connection not found in hash table - Table empty.
    *Dec 18 10:51:51.575: sshpmGetCID: called to evaluate <cscoDefaultIdCert>
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: called to get cert for CID 154c7072
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 2, certname >cscoDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCID: called to evaluate <cscoDefaultIdCert>
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetSshPrivateKeyFromCID: called to get key for CID 154c7072
    *Dec 18 10:51:51.575: sshpmGetSshPrivateKeyFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<
    *Dec 18 10:51:51.576: sshpmGetSshPrivateKeyFromCID: comparing to row 1, certname >bsnDefaultIdCert<
    *Dec 18 10:51:51.576: sshpmGetSshPrivateKeyFromCID: comparing to row 2, certname >cscoDefaultIdCert<
    *Dec 18 10:51:51.576: sshpmGetSshPrivateKeyFromCID: match in row 2
    *Dec 18 10:51:51.692: acDtlsCallback: Certificate installed for PKI based authentication.
    *Dec 18 10:51:51.693: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=0
    *Dec 18 10:51:51.693: local_openssl_dtls_record_inspect:   msg=ClientHello len=44 seq=0 frag_off=0 frag_len=44
    *Dec 18 10:51:51.693: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:51.693: local_openssl_dtls_send: Sending 60 bytes
    *Dec 18 10:51:51.694: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:51.694: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=1
    *Dec 18 10:51:51.694: local_openssl_dtls_record_inspect:   msg=ClientHello len=76 seq=1 frag_off=0 frag_len=76
    *Dec 18 10:51:51.695: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:51.695: local_openssl_dtls_send: Sending 544 bytes
    *Dec 18 10:51:51.695: local_openssl_dtls_send: Sending 544 bytes
    *Dec 18 10:51:51.696: local_openssl_dtls_send: Sending 314 bytes
    *Dec 18 10:51:51.712: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:51.712: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=2
    *Dec 18 10:51:51.712: local_openssl_dtls_record_inspect:   msg=Certificate len=1146 seq=2 frag_off=0 frag_len=519
    *Dec 18 10:51:51.712: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:51.712: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:51.712: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=3
    *Dec 18 10:51:51.712: local_openssl_dtls_record_inspect:   msg=Certificate len=1146 seq=2 frag_off=519 frag_len=519
    *Dec 18 10:51:51.713: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:51.713: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:51.713: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=4
    *Dec 18 10:51:51.713: local_openssl_dtls_record_inspect:   msg=Certificate len=1146 seq=2 frag_off=1038 frag_len=108
    *Dec 18 10:51:51.714: sshpmGetIssuerHandles: locking ca cert table
    *Dec 18 10:51:51.714: sshpmGetIssuerHandles: calling x509_alloc() for user cert
    *Dec 18 10:51:51.714: sshpmGetIssuerHandles: calling x509_decode()
    *Dec 18 10:51:51.719: sshpmGetIssuerHandles: <subject> C=US, ST=California, L=San Jose, O=Cisco Systems, CN=C1250-c47d4f3931e2, [email protected]
    *Dec 18 10:51:51.719: sshpmGetIssuerHandles: <issuer>  O=Cisco Systems, CN=Cisco Manufacturing CA
    *Dec 18 10:51:51.719: sshpmGetIssuerHandles: Mac Address in subject is c4:7d:4f:39:31:e2
    *Dec 18 10:51:51.719: sshpmGetIssuerHandles: Cert Name in subject is C1250-c47d4f3931e2
    *Dec 18 10:51:51.719: sshpmGetIssuerHandles: Cert is issued by Cisco Systems.
    *Dec 18 10:51:51.719: sshpmGetCID: called to evaluate <cscoDefaultMfgCaCert>
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: called to get cert for CID 2ab15c0a
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.719: ssphmUserCertVerify: calling x509_decode()
    *Dec 18 10:51:51.730: ssphmUserCertVerify: user cert verfied using >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.730: sshpmGetIssuerHandles: ValidityString (current): 2009/12/18/15:51:51
    *Dec 18 10:51:51.730: sshpmGetIssuerHandles: ValidityString (NotBefore): 2009/11/03/00:47:36
    *Dec 18 10:51:51.730: sshpmGetIssuerHandles: ValidityString (NotAfter): 2019/11/03/00:57:36
    *Dec 18 10:51:51.730: sshpmGetIssuerHandles: getting cisco ID cert handle...
    *Dec 18 10:51:51.730: sshpmGetCID: called to evaluate <cscoDefaultIdCert>
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
    *Dec 18 10:51:51.731: sshpmFreePublicKeyHandle: called with 0x1f1f3b8c
    *Dec 18 10:51:51.731: sshpmFreePublicKeyHandle: freeing public key
    *Dec 18 10:51:51.731: openssl_shim_cert_verify_callback: Certificate verification - passed!
    *Dec 18 10:51:51.732: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:52.155: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:52.155: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=5
    *Dec 18 10:51:52.155: local_openssl_dtls_record_inspect:   msg=ClientKeyExchange len=258 seq=3 frag_off=0 frag_len=258
    *Dec 18 10:51:52.269: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:52.269: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:52.269: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=6
    *Dec 18 10:51:52.269: local_openssl_dtls_record_inspect:   msg=CertificateVerify len=258 seq=4 frag_off=0 frag_len=258
    *Dec 18 10:51:52.269: local_openssl_dtls_record_inspect: record=ChangeCipherSpec epoch=0 seq=7
    *Dec 18 10:51:52.269: local_openssl_dtls_record_inspect: record=Handshake epoch=1 seq=0
    *Dec 18 10:51:52.269: local_openssl_dtls_record_inspect:   msg=Unknown or Encrypted
    *Dec 18 10:51:52.273: openssl_dtls_process_packet: Connection established!
    *Dec 18 10:51:52.273: acDtlsCallback: DTLS Connection 0x167c5c00 established
    *Dec 18 10:51:52.273: openssl_dtls_mtu_update: Setting DTLS MTU for link to peer 192.168.100.54:62227
    *Dec 18 10:51:52.273: local_openssl_dtls_send: Sending 91 bytes
    *Dec 18 10:53:06.183: sshpmLscTask: LSC Task received a message 4
    Aironet 1252 Console Debug:
    *Dec 16 11:07:12.055: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Dec 18 15:51:40.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.2 peer_port: 5246
    *Dec 18 15:51:40.999: %CAPWAP-5-CHANGED: CAPWAP changed state to 
    *Dec 18 15:51:41.695: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.2 peer_port: 5246
    *Dec 18 15:51:41.699: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
    *Dec 18 15:51:41.699: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
    *Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.100.2
    *Dec 18 15:51:46.695: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
    *Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
    *Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.100.2
    *Dec 18 15:52:39.999: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 192.168.100.2:5246
    *Dec 18 15:52:40.039: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Dec 18 15:52:40.039: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Dec 18 15:52:40.051: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Dec 18 15:52:40.051: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
    *Dec 18 15:52:40.059: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 18 15:52:40.063: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Dec 18 15:52:40.079: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 18 15:52:40.079: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Dec 18 15:52:50.059: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Dec 18 15:52:50.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.2 peer_port: 5246
    *Dec 18 15:52:50.000: %CAPWAP-5-CHANGED: CAPWAP changed state to 
    *Dec 18 15:52:50.691: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.2 peer_port: 5246
    *Dec 18 15:52:50.695: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
    *Dec 18 15:52:50.695: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.100.2
    *Dec 18 15:52:55.691: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
    *Dec 18 15:52:55.691: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
    *Dec 18 15:52:55.691: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Dec 18 15:52:55.691: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec 18 15:52:55.691: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.1

    Nathan and Leo are alluding to CSCte01087. Basically the caveat is that DTLS fails on a non-00:xx:xx:xx:xx:xx L2 first hop. e.g. if the APs are on the same VLAN as the management interface, they must have 00 MACs; if they are on a different VLAN, the WLC/AP gateway must have a 00 MAC. If the workaround below does not suit your environment, open a TAC case for an image with the fix.
      Symptom:
    An access point running 6.0.188.0 code may be unable to join a WLC5508.
    Messages similar to the following will be seen on the AP.
       %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
       %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message
    Conditions:
    At least one of the following conditions pertains:
    - The high order byte of the AP's MAC address is nonzero, and the AP is in
    the same subnet as the WLC5508's management (or AP manager) interface
    - The WLC's management (or AP manager) interface's default gateway's
    MAC address' high order byte is nonzero.
    Workaround:
    If the MAC address of the WLC's default gateway does not begin with 00,
    and if all of the APs' MAC addresses begin with 00, then: you can put
    the APs into the same subnet as the WLC's management (or AP manager)
    interface.
    In the general case, for the situation where the WLC's default gateway's
    MAC does not begin with 00, you can address this by changing it to begin
    with 00. Some methods for doing this include:
    -- use the "mac-address" command on the gateway, to set a MAC address
    that begins with 00
    -- then enable HSRP on the gateway (standby ip ww.xx.yy.zz) and use this
    IP as the WLC's gateway.
    For the case where the APs' MAC addresses do not begin with 00, then make
    sure that they are *not* in the same subnet as the WLC's management
    (AP manager) interface, but are behind a router.
    Another workaround is to downgrade to 6.0.182.0.  However, after
    downgrading the WLC to 6.0.182.0, any APs that have 6.0.188.0 IOS
    (i.e. 12.4(21a)JA2) still installed on them will be unable to join.
    Therefore, after downgrading the WLC, the APs will need to have a
    pre-12.4(21a)JA2 rcvk9w8 or k9w8 image installed on them.
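The first-hop rule and workarounds described for CSCte01087 above, as an added Python example (not part of the original post and not Cisco's code): it checks an AP console log for both symptom strings and decides, per AP, whether the first L2 hop toward the WLC has a MAC beginning with 00. The MAC addresses, the /24 mask, and all function names are constructed for illustration.

```python
import ipaddress
import re

# Symptom strings as quoted in the caveat text above.
SYMPTOMS = (
    "Invalid AC Message Type 4",
    "Unencrypted non-discovery CAPWAP Control Message",
)

# Two lines copied from the Aironet 1252 console output above.
AP_CONSOLE = [
    "*Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery "
    "CAPWAP Control Message from 192.168.100.2",
    "*Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.",
]


def high_order_byte(mac):
    """First octet of a MAC written as aa:bb:.., aa-bb-.. or aabb.ccdd.eeff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits[:2], 16)


def symptom_present(lines):
    """True only when every symptom string from the caveat is in the log."""
    return all(any(s in line for line in lines) for s in SYMPTOMS)


def assess(ap_mac, ap_ip, wlc_mgmt, gateway_mac):
    """Apply the first-hop rule to one AP.

    wlc_mgmt is the WLC management (or AP manager) interface written as
    'address/prefix'. An AP in that subnet is its own first hop; any other
    AP reaches the WLC through the WLC's default gateway.
    """
    mgmt = ipaddress.ip_interface(wlc_mgmt)
    same_subnet = ipaddress.ip_address(ap_ip) in mgmt.network
    ap_ok = high_order_byte(ap_mac) == 0
    gw_ok = high_order_byte(gateway_mac) == 0
    affected = not (ap_ok if same_subnet else gw_ok)

    # Advice strings paraphrase the workarounds listed in the caveat.
    if not affected:
        advice = "first-hop MAC begins with 00; conditions do not pertain"
    elif same_subnet and gw_ok:
        advice = "move the AP out of the management subnet, behind the router"
    elif not same_subnet and ap_ok:
        advice = ("move the AP into the management subnet, or give the "
                  "gateway a MAC beginning with 00")
    else:
        advice = "give the gateway a MAC beginning with 00; keep the AP behind it"
    return {
        "first_hop": "ap" if same_subnet else "gateway",
        "affected": affected,
        "advice": advice,
    }


if __name__ == "__main__":
    print("symptom in log:", symptom_present(AP_CONSOLE))
    # Constructed inventory: (AP MAC, AP IP); WLC at 192.168.100.2/24.
    gateway_mac = "00:00:0c:07:ac:01"  # constructed, begins with 00
    for mac, ip in [("64:9e:f3:00:00:01", "192.168.100.54"),
                    ("00:26:cb:12:34:56", "10.1.1.20")]:
        print(mac, ip, assess(mac, ip, "192.168.100.2/24", gateway_mac))
```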

  • I can't see AP on WLC

    Hi,
    I'm trying to find out why my APs can't join the WLC. Both are in the same VLAN; the AP has a static IP (the same subnet).
    Thanks for any advice
    (Cisco Controller) >*spamApTask1: Oct 24 21:13:25.715: 4c:4e:35:c7:0f:ab CAPWAP Control Msg Received from 172.16.1.56:28923
    *spamApTask1: Oct 24 21:13:25.716: 50:06:04:ba:95:80 length = 4, packet received from 50:6:4:ba:95:80
    *spamApTask1: Oct 24 21:13:25.716: 50:06:04:ba:95:80 packet received of length 123 from 172.16.1.56:28923
    *spamApTask1: Oct 24 21:13:25.716: <<<<  Start of CAPWAP Packet  >>>>
    *spamApTask1: Oct 24 21:13:25.716: CAPWAP Control mesg Recd from 172.16.1.56, Port 28923
    *spamApTask1: Oct 24 21:13:25.716:              HLEN 4,   Radio ID 0,    WBID 1
    *spamApTask1: Oct 24 21:13:25.716:              Msg Type   :   CAPWAP_DISCOVERY_REQUEST
    *spamApTask1: Oct 24 21:13:25.716:              Msg Length : 99
    *spamApTask1: Oct 24 21:13:25.716:              Msg SeqNum : 0
    *spamApTask1: Oct 24 21:13:25.716:  
    *spamApTask1: Oct 24 21:13:25.716:       Type : CAPWAP_MSGELE_DISCOVERY_TYPE, Length 1
    *spamApTask1: Oct 24 21:13:25.716:              Discovery Type : CAPWAP_DISCOVERY_TYPE_UNKNOWN
    *spamApTask1: Oct 24 21:13:25.716:  
    *spamApTask1: Oct 24 21:13:25.716:       Type : CAPWAP_MSGELE_WTP_DESCRIPTOR, Length 40
    *spamApTask1: Oct 24 21:13:25.716:              Maximum Radios Supported  : 2
    *spamApTask1: Oct 24 21:13:25.716:              Radios in Use             : 2
    *spamApTask1: Oct 24 21:13:25.716:              Encryption Capabilities   : 0x00 0x01
    *spamApTask1: Oct 24 21:13:25.716:  
    *spamApTask1: Oct 24 21:13:25.716:       Type : CAPWAP_MSGELE_WTP_FRAME_TUNNEL, Length 1
    *spamApTask1: Oct 24 21:13:25.716:              WTP Frame Tunnel Mode : NATIVE_FRAME_TUNNEL_MODE
    *spamApTask1: Oct 24 21:13:25.716:  
    *spamApTask1: Oct 24 21:13:25.716:       Type : CAPWAP_MSGELE_WTP_MAC_TYPE, Length 1
    *spamApTask1: Oct 24 21:13:25.716:              WTP Mac Type  : SPLIT_MAC
    *spamApTask1: Oct 24 21:13:25.716:  
    *spamApTask1: Oct 24 21:13:25.716:       Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 10
    *spamApTask1: Oct 24 21:13:25.716:              Vendor Identifier  : 0x00409600
    *spamApTask1: Oct 24 21:13:25.716:
            IE            :   UNKNOWN IE 207
    *spamApTask1: Oct 24 21:13:25.716:      IE Length     :   4
    *spamApTask1: Oct 24 21:13:25.716:      Decode routine not available, Printing Hex Dump
    *spamApTask1: Oct 24 21:13:25.716: 00000000: 01 00 00 01                                       ....
    *spamApTask1: Oct 24 21:13:25.716:  
    *spamApTask1: Oct 24 21:13:25.716:       Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 22
    *spamApTask1: Oct 24 21:13:25.716:              Vendor Identifier  : 0x00409600
    *spamApTask1: Oct 24 21:13:25.716:
            IE            :   RAD_NAME_PAYLOAD
    *spamApTask1: Oct 24 21:13:25.716:      IE Length     :   16
    *spamApTask1: Oct 24 21:13:25.716:      Rad  Name     :  
    *spamApTask1: Oct 24 21:13:25.716:
    *spamApTask1: Oct 24 21:13:25.716: <<<<  End of CAPWAP Packet  >>>>
    *spamApTask1: Oct 24 21:13:25.716: 50:06:04:ba:95:80 Msg Type = 1 Capwap state = 0
    *spamApTask1: Oct 24 21:13:25.716: 50:06:04:ba:95:80 Discovery Request from 172.16.1.56:28923
    *spamApTask1: Oct 24 21:13:25.716: 50:06:04:ba:95:80 Discovery request: Total msgEleLen = 99
    *spamApTask1: Oct 24 21:13:25.716: 50:06:04:ba:95:80 msgEleLength = 1 msgEleType = 20
    *spamApTask1: Oct 24 21:13:25.716: 50:06:04:ba:95:80 Discovery Type = Unknown
    *spamApTask1: Oct 24 21:13:25.716: 50:06:04:ba:95:80 Total msgEleLen = 94
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 msgEleLength = 40 msgEleType = 39
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 Total msgEleLen = 50
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 msgEleLength = 1 msgEleType = 41
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 Total msgEleLen = 45
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 msgEleLength = 1 msgEleType = 44
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 Total msgEleLen = 40
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 msgEleLength = 10 msgEleType = 37
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 Vendor specific payload from AP  50:06:04:BA:95:80 validated
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 Discovery request: Vendor payload type = 207, length = 10
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 Total msgEleLen = 26
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 msgEleLength = 22 msgEleType = 37
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 Vendor specific payload from AP  50:06:04:BA:95:80 validated
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 Discovery request: Vendor payload type = 5, length = 22
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 Total msgEleLen = 0
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 50, joined Aps =0
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 1. 0 0
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 2. 232 3
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 3. 0 0
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 4. 50 0
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 msgLength = 36
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 Discovery resp: AC Descriptor message element len = 40
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 acName = wireless controller
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 Discovery resp:AC Name message element length = 71
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 Discovery resp: WTP Radio Information msg length = 80
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 Discovery resp: CAPWAP Control IPV4 Address len = 90
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 Discovery resp: CAPWAP Control IPV6 Address len = 112
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 Discovery resp: Mwar type payload len = 123
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 Discovery resp: Time sync payload len = 138
    *spamApTask1: Oct 24 21:13:25.717: 50:06:04:ba:95:80 encodeLen = 138 len = 16
    *spamApTask1: Oct 24 21:13:25.718: 50:06:04:ba:95:80 Discovery Response sent to 172.16.1.56:28923
    *spamApTask1: Oct 24 21:13:25.718: 50:06:04:ba:95:80 Discovery Response sent to 172.16.1.56:28923
    *spamApTask1: Oct 24 21:13:25.718: 50:06:04:ba:95:80 WTP already released
    *spamApTask1: Oct 24 21:13:25.718: 50:06:04:ba:95:80 CAPWAP Control Msg Received from 172.16.1.56:28923
    *spamApTask1: Oct 24 21:13:25.718: 50:06:04:ba:95:80 length = 4, packet received from 50:6:4:ba:95:80
    *spamApTask1: Oct 24 21:13:25.718: 50:06:04:ba:95:80 packet received of length 123 from 172.16.1.56:28923
    *spamApTask1: Oct 24 21:13:25.718: <<<<  Start of CAPWAP Packet  >>>>
    *spamApTask1: Oct 24 21:13:25.718: CAPWAP Control mesg Recd from 172.16.1.56, Port 28923
    *spamApTask1: Oct 24 21:13:25.718:              HLEN 4,   Radio ID 0,    WBID 1
    *spamApTask1: Oct 24 21:13:25.718:              Msg Type   :   CAPWAP_DISCOVERY_REQUEST
    *spamApTask1: Oct 24 21:13:25.718:              Msg Length : 99
    *spamApTask1: Oct 24 21:13:25.718:              Msg SeqNum : 0
    *spamApTask1: Oct 24 21:13:25.718:  
    *spamApTask1: Oct 24 21:13:25.718:       Type : CAPWAP_MSGELE_DISCOVERY_TYPE, Length 1
    *spamApTask1: Oct 24 21:13:25.718:              Discovery Type : CAPWAP_DISCOVERY_TYPE_UNKNOWN
    *spamApTask1: Oct 24 21:13:25.718:  
    *spamApTask1: Oct 24 21:13:25.718:       Type : CAPWAP_MSGELE_WTP_DESCRIPTOR, Length 40
    *spamApTask1: Oct 24 21:13:25.718:              Maximum Radios Supported  : 2
    *spamApTask1: Oct 24 21:13:25.718:              Radios in Use             : 2
    *spamApTask1: Oct 24 21:13:25.718:              Encryption Capabilities   : 0x00 0x01
    *spamApTask1: Oct 24 21:13:25.718:  
    *spamApTask1: Oct 24 21:13:25.718:       Type : CAPWAP_MSGELE_WTP_FRAME_TUNNEL, Length 1
    *spamApTask1: Oct 24 21:13:25.718:              WTP Frame Tunnel Mode : NATIVE_FRAME_TUNNEL_MODE
    *spamApTask1: Oct 24 21:13:25.718:  
    *spamApTask1: Oct 24 21:13:25.718:       Type : CAPWAP_MSGELE_WTP_MAC_TYPE, Length 1
    *spamApTask1: Oct 24 21:13:25.718:              WTP Mac Type  : SPLIT_MAC
    *spamApTask1: Oct 24 21:13:25.718:  
    *spamApTask1: Oct 24 21:13:25.718:       Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 10
    *spamApTask1: Oct 24 21:13:25.718:              Vendor Identifier  : 0x00409600
    *spamApTask1: Oct 24 21:13:25.718:
            IE            :   UNKNOWN IE 207
    *spamApTask1: Oct 24 21:13:25.718:      IE Length     :   4
    *spamApTask1: Oct 24 21:13:25.718:      Decode routine not available, Printing Hex Dump
    *spamApTask1: Oct 24 21:13:25.718: 00000000: 01 00 00 01                                       ....
    *spamApTask1: Oct 24 21:13:25.718:  
    *spamApTask1: Oct 24 21:13:25.718:       Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 22
    *spamApTask1: Oct 24 21:13:25.718:              Vendor Identifier  : 0x00409600
    *spamApTask1: Oct 24 21:13:25.718:
            IE            :   RAD_NAME_PAYLOAD
    *spamApTask1: Oct 24 21:13:25.718:      IE Length     :   16
    *spamApTask1: Oct 24 21:13:25.718:      Rad  Name     :  
    *spamApTask1: Oct 24 21:13:25.718: AP4c4e.35c7.0fab
    *spamApTask1: Oct 24 21:13:25.718: <<<<  End of CAPWAP Packet  >>>>
    *spamApTask1: Oct 24 21:13:25.718: 50:06:04:ba:95:80 Msg Type = 1 Capwap state = 0
    *spamApTask1: Oct 24 21:13:25.718: 50:06:04:ba:95:80 Discovery Request from 172.16.1.56:28923
    *spamApTask1: Oct 24 21:13:25.718: 50:06:04:ba:95:80 Discovery request: Total msgEleLen = 99
    *spamApTask1: Oct 24 21:13:25.718: 50:06:04:ba:95:80 msgEleLength = 1 msgEleType = 20
    *spamApTask1: Oct 24 21:13:25.718: 50:06:04:ba:95:80 Discovery Type = Unknown
    *spamApTask1: Oct 24 21:13:25.718: 50:06:04:ba:95:80 Total msgEleLen = 94
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 msgEleLength = 40 msgEleType = 39
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 Total msgEleLen = 50
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 msgEleLength = 1 msgEleType = 41
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 Total msgEleLen = 45
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 msgEleLength = 1 msgEleType = 44
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 Total msgEleLen = 40
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 msgEleLength = 10 msgEleType = 37
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 Vendor specific payload from AP  50:06:04:BA:95:80 validated
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 Discovery request: Vendor payload type = 207, length = 10
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 Total msgEleLen = 26
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 msgEleLength = 22 msgEleType = 37
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 Vendor specific payload from AP  50:06:04:BA:95:80 validated
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 Discovery request: Vendor payload type = 5, length = 22
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 Total msgEleLen = 0
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 50, joined Aps =0
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 1. 0 0
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 2. 232 3
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 3. 0 0
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 4. 50 0
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 msgLength = 36
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 Discovery resp: AC Descriptor message element len = 40
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 acName = wireless controller
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 Discovery resp:AC Name message element length = 71
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 Discovery resp: WTP Radio Information msg length = 80
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 Discovery resp: CAPWAP Control IPV4 Address len = 90
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 Discovery resp: CAPWAP Control IPV6 Address len = 112
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 Discovery resp: Mwar type payload len = 123
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 Discovery resp: Time sync payload len = 138
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 encodeLen = 138 len = 16
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 Discovery Response sent to 172.16.1.56:28923
    *spamApTask1: Oct 24 21:13:25.719: 50:06:04:ba:95:80 Discovery Response sent to 172.16.1.56:28923
    *spamApTask1: Oct 24 21:13:25.720: 50:06:04:ba:95:80 WTP already released

    (Cisco Controller) >debug capwap events enable
    (Cisco Controller) >debug capwap errors enable
    *spamApTask2: Oct 24 22:58:49.417: 50:06:04:ba:95:80 Discovery Request from 172.16.1.56:28924
    *spamApTask2: Oct 24 22:58:49.417: 50:06:04:ba:95:80 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 50, joined Aps =0
    *spamApTask2: Oct 24 22:58:49.418: 50:06:04:ba:95:80 Discovery Response sent to 172.16.1.56:28924
    *spamApTask2: Oct 24 22:58:49.418: 50:06:04:ba:95:80 Discovery Response sent to 172.16.1.56:28924
    *spamApTask2: Oct 24 22:58:49.418: 50:06:04:ba:95:80 Discovery Request from 172.16.1.56:28924
    *spamApTask2: Oct 24 22:58:49.418: 50:06:04:ba:95:80 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 50, joined Aps =0
    *spamApTask2: Oct 24 22:58:49.418: 50:06:04:ba:95:80 Discovery Response sent to 172.16.1.56:28924
    *spamApTask2: Oct 24 22:58:49.418: 50:06:04:ba:95:80 Discovery Response sent to 172.16.1.56:28924
    regards
    Hubert

  • AP 3702 not join the WLC

    Hi,
    I have two WLC 8500s working in SSO, with the NAT enable feature configured on the management interface.
    SSO is working, but I have to configure NAT before SSO because when SSO is up, the IP address and NAT are greyed out on the management interface.
    Some APs must join the controller on the private address of the management interface, and other APs must join on the public IP address configured as the NAT address.
    For some reason, there are a lot of APs that can't join the controller; I have 3 APs joined on the public IP address and 3 APs joined on the private IP address.
    config network ap-discovery nat-only disable is already configured. From the console of one AP that cannot join I see the following:
    *Sep 10 12:32:48.115: %CAPWAP-3-ERRORLOG: Selected MWAR 'GI12WLC001A'(index 0).
    *Sep 10 12:32:48.115: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Sep 10 12:35:48.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 212.89.5.130 peer_port: 5246
    *Sep 10 12:36:17.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2176 Max retransmission count reached!
    *Sep 10 12:36:47.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 212.89.5.130:5246
    *Sep 10 12:36:47.999: %CAPWAP-3-ERRORLOG: Selected MWAR 'GI12WLC001A'(index 0).
    *Sep 10 12:36:47.999: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Sep 10 12:35:48.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.35.0.78 peer_port: 5246
    The AP is trying both the private and public IP addresses to join the WLC but can't join properly.
    From the WLC console:
    debug capwap errors enable:
    *spamApTask4: Sep 10 13:13:49.837: 00:10:db:ff:50:06 Discarding non-ClientHello Handshake OR DTLS encrypted packet from  10.35.1.13:47807)since DTLS session is not established 
    *spamApTask3: Sep 10 13:13:49.958: 1c:6a:7a:5b:e0:30 ApModel: AIR-CAP3702I-E-K9
    *spamApTask3: Sep 10 13:13:49.958: Unknown AP type. Using Controller Version!!!
    *spamApTask3: Sep 10 13:13:49.958: Unknown AP type. Using Controller Version!!!
    *spamApTask3: Sep 10 13:13:49.958: 1c:6a:7a:5b:e0:30 ApModel: AIR-CAP3702I-E-K9
    *spamApTask3: Sep 10 13:13:49.958: Unknown AP type. Using Controller Version!!!
    *spamApTask3: Sep 10 13:13:49.958: Unknown AP type. Using Controller Version!!!
    *spamApTask2: Sep 10 13:13:52.103: 00:10:db:ff:50:06 Discarding non-ClientHello Handshake OR DTLS encrypted packet from  10.35.1.11:21207)since DTLS session is not established 
    *spamApTask1: Sep 10 13:13:52.224: 1c:6a:7a:5e:0f:10 ApModel: AIR-CAP3702I-E-K9
    *spamApTask1: Sep 10 13:13:52.224: Unknown AP type. Using Controller Version!!!
    *spamApTask1: Sep 10 13:13:52.224: Unknown AP type. Using Controller Version!!!
    *spamApTask1: Sep 10 13:13:52.224: 1c:6a:7a:5e:0f:10 ApModel: AIR-CAP3702I-E-K9
    *spamApTask1: Sep 10 13:13:52.224: Unknown AP type. Using Controller Version!!!
    *spamApTask1: Sep 10 13:13:52.224: Unknown AP type. Using Controller Version!!!
    The AP models are the same; this is not the problem, but for some reason there are APs that have problems with the NAT configuration. If I disable the NAT option, every AP with a private IP address config can join the WLC.
    I've tried breaking SSO and unconfiguring NAT, and the private IP address APs join the controller without a problem.
    Can anybody give me a clue?
    Regards!

    It seems like the DTLS connection can't be established between the AP and the WLC.
    The AP sends a discovery request.
    The WLC responds with two discovery responses: the first one contains the public IP address of the WLC and the second one contains the private IP address.
    Once the discovery process is complete, the AP tries to send a DTLS hello packet to the WLC, but this packet never arrives at the WLC.
    Because the hello doesn't arrive, the AP sends a close notify alert to the WLC and tries to send the DTLS hello packet to the WLC private address, with the same result.
    The AP gets into a loop trying to send DTLS hello packets to both the private and public addresses.
    The DTLS hello packet never arrives, but the close notify alert arrives at the WLC.
    There is a FW in the middle doing NAT, but I can understand why the close notify alert error packets arrive at the WLC and the Hello DTLS packets don't. These packets use the same protocol, UDP, and the same port.
    Regards
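The sequence described in the post above, as an added Python example that is not part of the original thread: it walks AP console lines, records each DTLS connection request and its outcome per peer address, and reports the peers tried when no handshake ever completes. The function names and outcome labels are assumptions of this example; the sample lines are copied from the AP console output in the thread, in the order posted.

```python
import re

# Copied from the AP console output in the thread above (order as posted).
AP_CONSOLE = [
    "*Sep 10 12:35:48.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent "
    "peer_ip: 212.89.5.130 peer_port: 5246",
    "*Sep 10 12:36:17.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/"
    "base_capwap_dtls_connection_db.c:2176 Max retransmission count reached!",
    "*Sep 10 12:36:47.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert "
    "to 212.89.5.130:5246",
    "*Sep 10 12:36:47.999: %CAPWAP-3-ERRORLOG: Go join a capwap controller",
    "*Sep 10 12:35:48.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent "
    "peer_ip: 10.35.0.78 peer_port: 5246",
]

REQ_SENT = re.compile(r"%CAPWAP-5-DTLSREQSEND: .*peer_ip: (\S+) peer_port: (\d+)")
REQ_SUCC = re.compile(r"%CAPWAP-5-DTLSREQSUCC: .*peer_ip: (\S+) peer_port: (\d+)")
RETX_MAX = "Max retransmission count reached"
CLOSE_NOTIFY = re.compile(r"%DTLS-5-SEND_ALERT: .*Close notify Alert to (\S+):(\d+)")


def dtls_attempts(lines):
    """Return one record per DTLS connection request, in log order.

    outcome is 'pending' (no later line settles it), 'established'
    (DTLSREQSUCC for the same peer) or 'no_reply' (retransmissions ran out).
    Line order is used rather than timestamps, which can repeat or go
    backwards on an AP whose clock is not yet synchronised.
    """
    attempts = []
    for line in lines:
        m = REQ_SENT.search(line)
        if m:
            attempts.append({"peer": m.group(1), "port": int(m.group(2)),
                             "outcome": "pending", "close_notify": False})
            continue
        if not attempts:
            continue  # nothing to attach this line to yet
        cur = attempts[-1]
        m = REQ_SUCC.search(line)
        if m and m.group(1) == cur["peer"]:
            cur["outcome"] = "established"
        elif RETX_MAX in line and cur["outcome"] == "pending":
            cur["outcome"] = "no_reply"
        else:
            m = CLOSE_NOTIFY.search(line)
            if m and m.group(1) == cur["peer"]:
                cur["close_notify"] = True
    return attempts


def peers_without_handshake(attempts):
    """Peers tried when no attempt was established and at least one got no reply."""
    if any(a["outcome"] == "established" for a in attempts):
        return []
    if not any(a["outcome"] == "no_reply" for a in attempts):
        return []
    return sorted({a["peer"] for a in attempts})


if __name__ == "__main__":
    for a in dtls_attempts(AP_CONSOLE):
        print(a)
    print("peers with no completed handshake:",
          peers_without_handshake(dtls_attempts(AP_CONSOLE)))
```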
