CAPWAP teardown?

Hi All,
Need help to understand how the CAPWAP tunnel works when one of the bundled (group of 4) ports in a port-channel group is shut down.
Here's the logical diagram
APs <-> Access Switch <-portchannel-> Distri Switch <-portchannel-> Core Switch <-portchannel-> WLC
1 of 4 bundled uplink ports in the port-channel (shown in RED text) was shut down deliberately. During this time Prime Infra 1.3 reported that the APs were disassociated from the controller, and 1 minute later Prime Infra reported that the APs were associated to the controller again, without touching any devices.
Is this normal CAPWAP behaviour? If not, what should I do?
Regards,
Dave

What is the load-balancing mechanism of your switch etherchannels? "show etherchannel load-balance" should tell you this.
If AP-to-WLC CAPWAP traffic went through the interface you shut down, then there is a possibility your AP lost connectivity to the WLC momentarily. But it should not take that long to revert traffic to the other interfaces.
You can do a test like this. Enable Telnet for one of your APs (via the WLC GUI: Wireless -> select your AP -> Advanced -> tick the Telnet checkbox). Then telnet to the AP and ping your WLC IP from there. Then shut down one of your (out of 4) switch etherchannel interfaces and see whether you see ping drops for a short period of time. If packets drop, see how many drops there are before getting the connectivity back.
HTH
Rasika
**** Pls rate all useful responses ****

Similar Messages

  • Is it possible to config H-REAP/REAP and CAPWAP in Autonomous mode with a WLC?

    I'm going to deploy all new APs as Remote-Edge APs and they will be shipped straight to site, with a pool of WLCs deployed in central DC locations.  I would like to get local staff to deploy a basic CLI discovery script for the APs.  However, I thought LAPs don't have a CLI???
    I'm thinking I must use a Lightweight AP with the WLC to use Remote-Edge AP functionality - However, I'm not sure... the configuration example at the bottom doesn't state whether it is an Autonomous AP or a Lightweight one.  
    http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml
    H-REAP Controller Discovery using CLI commands
    H REAPs will most commonly discover upstream controllers via DHCP option 43 or DNS resolution. Without either of these methods available, it may be desirable to provide detailed instructions to administrators at remote sites so that each H REAP may be configured with the IP address of the controllers to which they should connect. Optionally, H REAP IP addressing may be set manually as well (if DHCP is either not available or not desired).
    This example details how an H REAP's IP address, hostname, and controller IP address may be set through the console port of the access point.
    AP_CLI#capwap ap hostname ap1130
    ap1130#capwap ap ip address 10.10.10.51 255.255.255.0
    ap1130#capwap ap ip default-gateway 10.10.10.1
    ap1130#capwap ap controller ip address 172.17.2.172
    Could anyone help?
    Cheers
    Adrian.

    Hi Adrian,
    Further down in the doc you linked;
    H-REAP Controller Discovery using CLI commands
    H REAPs will most commonly discover upstream controllers via DHCP option 43 or DNS resolution. Without either of these methods available, it may be desirable to provide detailed instructions to administrators at remote sites so that each H REAP may be configured with the IP address of the controllers to which they should connect. Optionally, H REAP IP addressing may be set manually as well (if DHCP is either not available or not desired).
    This example details how an H REAP's IP address, hostname, and controller IP address may be set through the console port of the access point.
    AP_CLI#capwap ap hostname ap1130
    ap1130#capwap ap ip address 10.10.10.51 255.255.255.0
    ap1130#capwap ap ip default-gateway 10.10.10.1
    ap1130#capwap ap controller ip address 172.17.2.172
    Note: Access points must run the LWAPP-enabled IOS® Recovery Image Cisco IOS Software Release 12.3(11)JX1 or later, in order to support these CLI commands out of the box. Access points with the SKU prefix of LAP (for example, AIR-LAP-1131AG-A-K9), shipped on or after June 13, 2006 run Cisco IOS Software Release 12.3(11)JX1 or later. These commands are available to any access point that ships from the manufacturer running this code level, has the code upgraded manually to this level, or is upgraded automatically by connecting to a controller running version 6.0 or later.
    These configuration commands are only accepted when the access point is in Standalone mode.
    Cheers!
    Rob
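The H-REAP text above says APs normally discover controllers via DHCP option 43 or DNS. The following is an added example, not code from the thread or from the linked Cisco document: it encodes and checks the option 43 value that Cisco lightweight APs expect (sub-option 0xf1 followed by WLC management IPv4 addresses) and renders the IOS DHCP-pool lines that carry it. The controller addresses, pool parameters and the 1130-series vendor-class string are assumed sample values.

```python
"""Build and check the DHCP option 43 value Cisco lightweight APs use to learn
their WLC addresses.

Encoding (Cisco's documented vendor-specific layout for WLC discovery):
  one byte 0xf1 (sub-option 241), one length byte = 4 * number of controllers,
  then each controller management IPv4 address as 4 raw bytes.
The controller addresses and the "Cisco AP c1130" vendor-class string used in
the demo at the bottom are assumed sample values, not taken from the thread.
"""
import ipaddress

SUBOPTION_WLC = 0xF1
MAX_CONTROLLERS = 255 // 4  # one length byte caps the list at 63 addresses


def encode_option43(controllers):
    """Return the raw option 43 bytes for a list of WLC management IPv4 addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    if len(controllers) > MAX_CONTROLLERS:
        raise ValueError(f"at most {MAX_CONTROLLERS} controllers fit in one sub-option")
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    return bytes([SUBOPTION_WLC, len(payload)]) + payload


def decode_option43(blob):
    """Parse option 43 bytes back into dotted addresses.

    Rejects data that is not the WLC sub-option or whose length byte disagrees
    with the address data, which is the usual symptom of a mistyped hex string.
    """
    if len(blob) < 6 or blob[0] != SUBOPTION_WLC:
        raise ValueError("not a Cisco WLC discovery sub-option")
    length = blob[1]
    if length != len(blob) - 2 or length % 4:
        raise ValueError("length byte does not match the address data")
    return [str(ipaddress.IPv4Address(blob[i:i + 4])) for i in range(2, 2 + length, 4)]


def ios_dhcp_pool(pool_name, network, mask, gateway, controllers, vendor_class):
    """Render IOS DHCP pool lines carrying option 60 (vendor class) and option 43."""
    hex_value = encode_option43(controllers).hex()
    return "\n".join([
        f"ip dhcp pool {pool_name}",
        f" network {network} {mask}",
        f" default-router {gateway}",
        f' option 60 ascii "{vendor_class}"',
        f" option 43 hex {hex_value}",
    ])


if __name__ == "__main__":
    # Assumed sample values: two controllers and a 1130-series vendor class.
    wlcs = ["10.10.10.5", "192.168.1.5"]
    print(ios_dhcp_pool("aps", "10.10.10.0", "255.255.255.0", "10.10.10.1",
                        wlcs, "Cisco AP c1130"))
    print(decode_option43(encode_option43(wlcs)))
```

The option 60 vendor-class string must match the AP model's documented value, so the pool above only serves the AP family it names.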

  • Downgrade 3600 Capwap AP to Autonomous 3600 AP

    Hello!
    I have to prepare an 3600 Capwap AP for autonomous functionality!
    The following image was downloaded:
    ap3g2-k9w7-tar.152-2.JA
    The release notes say:
    Site-Survey Only Mode for 3600, 3500, and 1550 Access Points
    You can install Cisco IOS Release 15.2(2)JA on Cisco Aironet 3600 and 3500 Series access points and on 1550 series outdoor access points to perform site surveys. This release runs on these access points with limited functionality. You can manually adjust these settings on the site-survey access points:
    • Channel on each radio
    • Transmit power on each radio
    • Enable and disable the radios
    • Manually set basic and supported transmit rates
    • Enable advertised cell power in beacons to client to enable DTPC for doing active surveys
    • Enable and disable SSID broadcast in beacons
    • Enable open authentication
    My Question is:
    Where can I find instructions for downgrading an AIR-CAP3602i to an Autonomous 3600 AP?
    Is it complicated to get the AP running, or what do I need for "downgrading"?
    Thanks for the help
    Richard

    The method to convert is:
    Download TFTPd32 (search for it on Google) and install it on your PC. Point the TFTP server at the image that you downloaded.
    Connect an Ethernet cable between your laptop and the AP; let both be in the same subnet. Connect a console cable, get HyperTerminal console access and issue the commands. Make sure you are able to ping the PC from the AP and vice versa!!
    AP>en
    AP#debug capwap console cli
    AP#config t
    AP(config)#int gi 0
    AP(config-if)#ip addr <address> <mask>   (same subnet as that of the laptop)
    AP(config-if)#end
    AP#archive download-sw /force-reload /overwrite tftp://<tftp-server-ip>/<image-name>
    AP#archive download-sw /force-reload /overwrite tftp://10.0.0.5/ap3g2-k9w7-tar.152-2.JA
    You can skip the IP config part if the AP is getting its IP from DHCP.

  • Understanding teardown from log

    Is the Reset-I always from the device on the higher security level interface (in this case 172.16.112.10/3389)?
    In the second case, what conclusions can be drawn from the teardown information "TCP FINs" - who is it that sent the first FIN?
    I'm struggling to find the reasons for connections "freezing" or closing, but there are no errors that I can relate to the connection ids whatsoever.
    asa.log:2014-02-03T15:04:32.186954+01:00 10.1.4.1 %ASA-6-302013: Built inbound TCP connection 1730891653 for wan:195.195.195.195/49624 (195.195.195.195/49624) to vlan547:172.16.112.10/3389 (212.112.9.209/3389)
    asa.log:2014-02-03T17:21:36.585964+01:00 10.1.4.1 %ASA-6-302014: Teardown TCP connection 1730891653 for wan:195.195.195.195/49624 to vlan547:172.16.112.10/3389 duration 2:17:05 bytes 35781464 TCP Reset-I
    asa.log:2014-02-03T13:14:51.660321+01:00 10.1.4.1 %ASA-6-302013: Built inbound TCP connection 1729135626 for wan:195.195.195.195/50005 (195.195.195.195/50005) to vlan547:172.16.112.10/3389 (212.112.9.209/3389)
    asa.log:2014-02-03T18:05:02.785968+01:00 10.1.4.1 %ASA-6-302014: Teardown TCP connection 1729135626 for wan:195.195.195.195/50005 to vlan547:172.16.112.10/3389 duration 4:50:14 bytes 36231472 TCP FINs

    Hi,
    The TCP Reset-I and TCP Reset-O should refer to the TCP RST coming from either higher or lower "security-level" interface.
    There are some other things affected by the "security-level" also in the output of the ASA. For example when you check the output of "show conn" command the host on the lowest "security-level" interface is listed first. Same goes for log messages. The host on the lowest "security-level" interface is mentioned first in the log messages for Building and Teardown the connection.
    To my understanding there is no way to determine the side which normally closed the connection from the log message itself. I would presume that the Client would usually do this but can't be 100% sure that its always like this.
    If there is not a clear indication that the firewall is doing something to the connection then I would suggest capturing traffic to find out what is happening to the connection. You can either attach some host to the network to capture all the traffic from some port or perhaps capture traffic on the ASA itself.
    You could for example configure a capture for your RDP connection like this
    access-list RDP-CAP permit tcp host host
    access-list RDP-CAP permit tcp host host
    capture RDP-CAP type raw-data access-list RDP-CAP interface outside buffer 33500000 circular-buffer
    If you are expecting a lot of data you will either have to do the capture on some other device (ASAs buffer limited to approx the above amount of Bytes) or you can either create a capture for each direction separately to maximize the amount of traffic that can be captured.
    You could also leave out the Data in the actual packets and only capture the headers by using this command
    capture RDP-CAP type raw-data access-list RDP-CAP interface outside buffer 33500000 circular-buffer headers-only
    You can naturally use both of the above commands. Naturally you will have to use a different name for the "capture"; I am not sure whether you have to use a different ACL.
    You can then use this command to check if there is traffic captured
    show capture
    If you wish to show capture contents on the CLI then you can use this command
    show capture RDP-CAP
    Then again you might want to load the capture to your host/server and open it with Wireshark then you could use this command
    copy /pcap capture:RDP-CAP tftp://x.x.x.x/RDP-CAP.pcap
    You can remove the capture with the command
    no capture RDP-CAP
    You will have to remove the capture ACL separately.
    I am not sure how much information can be gotten from the RDP server itself. I don't have to deal with the IT side at all usually so I don't really know to what extent you would be able to log what the actual server does during those connection issues. A traffic capture would certainly tell what happens to the data/connection.
    Hope this helps
    - Jouni
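The question above asks what the 302014 teardown reasons say about who closed the connection, and the answer explains the ordering convention (lower security-level host first, Reset-I/Reset-O by interface). As an added example, not code from either poster, the script below pairs the Built and Teardown lines by connection id and spells out that interpretation; it runs on the four log lines quoted in the question and also keeps a Teardown that has no matching Built line, as happens with a truncated log.

```python
"""Pair ASA %ASA-6-302013 (Built) and %ASA-6-302014 (Teardown) syslog lines by
connection id and state what the teardown reason says about who closed it.

Conventions applied (from the answer above and Cisco's ASA syslog reference):
  - both messages list the lower security-level host first ("for ...") and the
    higher security-level host second ("to ...");
  - "TCP Reset-I" = RST arrived from the inside / higher security-level side,
    "TCP Reset-O" = RST arrived from the outside / lower security-level side;
  - "TCP FINs" = normal close; the log does not record who sent the first FIN.
"""
import re

# Sample input: the four lines quoted in the question, with the line that was
# wrapped on the page joined back together.
SAMPLE_LOG = """\
asa.log:2014-02-03T15:04:32.186954+01:00 10.1.4.1 %ASA-6-302013: Built inbound TCP connection 1730891653 for wan:195.195.195.195/49624 (195.195.195.195/49624) to vlan547:172.16.112.10/3389 (212.112.9.209/3389)
asa.log:2014-02-03T17:21:36.585964+01:00 10.1.4.1 %ASA-6-302014: Teardown TCP connection 1730891653 for wan:195.195.195.195/49624 to vlan547:172.16.112.10/3389 duration 2:17:05 bytes 35781464 TCP Reset-I
asa.log:2014-02-03T13:14:51.660321+01:00 10.1.4.1 %ASA-6-302013: Built inbound TCP connection 1729135626 for wan:195.195.195.195/50005 (195.195.195.195/50005) to vlan547:172.16.112.10/3389 (212.112.9.209/3389)
asa.log:2014-02-03T18:05:02.785968+01:00 10.1.4.1 %ASA-6-302014: Teardown TCP connection 1729135626 for wan:195.195.195.195/50005 to vlan547:172.16.112.10/3389 duration 4:50:14 bytes 36231472 TCP FINs
"""

# Shared "for <low> to <high>" part; the parenthesised NAT addresses only appear
# in the Built message, so they are optional.
_HOSTS = (
    r"for (?P<low_if>[^:\s]+):(?P<low_host>[\d.]+)/(?P<low_port>\d+)"
    r"(?: \([\d.]+/\d+\))? to "
    r"(?P<high_if>[^:\s]+):(?P<high_host>[\d.]+)/(?P<high_port>\d+)"
    r"(?: \([\d.]+/\d+\))?"
)
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?P<direction>inbound|outbound) TCP connection "
    r"(?P<id>\d+) " + _HOSTS
)
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) " + _HOSTS
    + r" duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+) "
    r"(?P<reason>.+?)\s*$"
)


def explain_reason(reason, low_host, high_host):
    """Translate a 302014 teardown reason into which endpoint closed the connection."""
    if reason == "TCP Reset-I":
        return f"RST sent by {high_host} (higher security-level side)"
    if reason == "TCP Reset-O":
        return f"RST sent by {low_host} (lower security-level side)"
    if reason == "TCP FINs":
        return "normal FIN close; the log does not show which side sent the first FIN"
    return f"other reason: {reason}"


def pair_connections(log_text):
    """Return {conn_id: summary}; a Teardown without a Built line is kept and flagged."""
    conns = {}
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            f = m.groupdict()
            conns[f["id"]] = {
                "direction": f["direction"],
                "low_side": f"{f['low_if']}:{f['low_host']}/{f['low_port']}",
                "high_side": f"{f['high_if']}:{f['high_host']}/{f['high_port']}",
                "low_host": f["low_host"], "high_host": f["high_host"],
                "reason": None, "duration_s": None, "bytes": None,
                "closed_by": None, "built_seen": True,
            }
            continue
        m = TEARDOWN_RE.search(line)
        if not m:
            continue  # some other syslog message; ignore
        f = m.groupdict()
        entry = conns.setdefault(f["id"], {
            "direction": None,
            "low_side": f"{f['low_if']}:{f['low_host']}/{f['low_port']}",
            "high_side": f"{f['high_if']}:{f['high_host']}/{f['high_port']}",
            "low_host": f["low_host"], "high_host": f["high_host"],
            "built_seen": False,
        })
        entry["reason"] = f["reason"]
        entry["duration_s"] = int(f["h"]) * 3600 + int(f["m"]) * 60 + int(f["s"])
        entry["bytes"] = int(f["bytes"])
        entry["closed_by"] = explain_reason(f["reason"], entry["low_host"], entry["high_host"])
    return conns


if __name__ == "__main__":
    for cid, c in pair_connections(SAMPLE_LOG).items():
        print(f"{cid}: {c['low_side']} -> {c['high_side']} "
              f"{c['duration_s']}s {c['bytes']}B {c['reason']}: {c['closed_by']}")
```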

  • Error Cisco 892f-w Wireless driver lwapp and capwap controller

    Hello, greetings to the Cisco support community. I write to ask for help with my router; I have trouble bringing up the wireless network. I hope you can help me, thanks.
    Upon entering the AP CLI I get this error:
    *Jul  3 22:33:04.951: %CAPWAP-3-STATIC_TO_DHCP_IP: Could not discover WLC using static IP. Forcing AP to use DHCP.
    *Jul  3 22:33:14.959: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination
    *Jul  3 22:33:15.083: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.10.10.4, mask 255.255.255.248, hostname AP6400.f1cf.6738
    Translating "CISCO-CAPWAP-CONTROLLER"...domain server (8.8.8.8)
    Translating "CISCO-LWAPP-CONTROLLER"...domain server (8.8.8.8)
    *Jul  3 22:33:18.959: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
    *Jul  3 22:33:19.083: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
    *Jul  3 22:33:19.207: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-LWAPP-CONTROLLER
    Here is my configuration
    Natural#SHOW RUNNing-config
    Building configuration...
    Current configuration : 5681 bytes
    ! Last configuration change at 19:56:22 UTC Wed Oct 16 2013 by juanrifle
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Natural
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    no aaa new-model
    memory-size iomem 10
    service-module wlan-ap 0 bootimage autonomous
    crypto pki trustpoint TP-self-signed-634714217
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-634714217
    revocation-check none
    rsakeypair TP-self-signed-634714217
    crypto pki certificate chain TP-self-signed-634714217
    certificate self-signed 01
            quit
    ip cef
    ip dhcp excluded-address 10.10.10.1
    ip dhcp excluded-address 10.10.10.145
    ip dhcp excluded-address 10.10.10.153
    ip dhcp excluded-address 10.10.10.1 10.10.10.2
    ip dhcp pool ccp-pool
    import all
    network 10.10.10.0 255.255.255.248
    default-router 10.10.10.1
    dns-server 8.8.8.8 200.87.100.10
    lease 0 2
    ip dhcp pool ccp
    dns-server 8.8.8.8 200.87.100.10
    ip dhcp pool Oficina wireless pool
    import all
    network 10.10.10.144 255.255.255.248
    default-router 10.10.10.145
    dns-server 8.8.8.8 200.87.100.10
    ip dhcp pool guest pool
    import all
    network 10.10.10.152 255.255.255.248
    default-router 10.10.10.153
    dns-server 8.8.8.8 200.87.100.10
    no ip domain lookup
    ip domain name yourdomain.com
    no ipv6 cef
    multilink bundle-name authenticated
    license udi pid CISCO892FW-A-K9 sn FTX172783RH
    username ******** privilege 15 password 0 ******
    username ******** privilege 15 secret 4 df2cx1EOReyOFTzHQGHyju0MCCMPPDggzToRobK46vI
    redundancy
    interface BRI0
    no ip address
    encapsulation hdlc
    shutdown
    isdn termination multidrop
    interface FastEthernet0
    no ip address
    spanning-tree portfast
    interface FastEthernet1
    no ip address
    interface FastEthernet2
    no ip address
    interface FastEthernet3
    no ip address
    interface FastEthernet4
    no ip address
    interface FastEthernet5
    no ip address
    interface FastEthernet6
    no ip address
    interface FastEthernet7
    no ip address
    interface FastEthernet8
    description modem adsl
    ip address dhcp
    ip flow ingress
    ip flow egress
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0
    no ip address
    shutdown
    duplex auto
    speed auto
    interface wlan-ap0
    description Service module interface to manage the embedded AP
    ip unnumbered Vlan1
    arp timeout 0
    interface Wlan-GigabitEthernet0
    description Internal switch interface connecting to the embedded AP
    switchport trunk allowed vlan 1-3,1002-1005
    switchport mode trunk
    no ip address
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    ip address 10.10.10.1 255.255.255.248
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    interface Vlan2
    description wireless oficina
    ip address 10.10.10.145 255.255.255.248
    ip nat inside
    ip virtual-reassembly in
    interface Vlan3
    description wireless guest
    ip address 10.10.10.153 255.255.255.248
    ip nat inside
    ip virtual-reassembly in
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip flow-export destination 10.10.10.5 2055
    ip nat inside source list 110 interface FastEthernet8 overload
    ip sla auto discovery
    access-list 10 permit 10.10.10.0 0.0.0.7
    access-list 23 permit 10.10.10.0 0.0.0.7
    access-list 110 permit ip 10.10.10.0 0.0.0.255 any
    access-list 120 remark wireless guest Restriction
    access-list 120 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
    access-list 120 permit ip 10.10.10.152 0.0.0.7 any
    access-list 120 deny   ip 10.10.10.152 0.0.0.7 0.0.0.0 255.255.255.0
    access-list 120 deny   ip 10.10.10.152 0.0.0.7 172.16.0.0 0.15.255.255
    access-list 120 deny   ip 10.10.10.152 0.0.0.7 192.168.0.0 0.0.255.255
    no cdp run
    control-plane
    mgcp profile default
    line con 0
    login local
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin udptn ssh
    line aux 0
    line vty 0 4
    access-class 23 in
    privilege level 15
    login local
    transport input telnet ssh
    line vty 5 15
    access-class 23 in
    privilege level 15
    login local
    transport input telnet ssh
    end
    Natural#

    Hi Andrew,
    LAPs always download the image running on the WLC (in this case the 3850). So there is no point upgrading the LAP independently, as it will always sync with the image running on the controller it joins.
    In this case you can upgrade the 3850 to 3.3.2 (which is the latest image as of today) if you are not already running that code.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • CAPWAP-3-DISC_AP_MGR_ERR1 errors since upgrade to 8.0.110.0

    I have upgraded a 2504 controller to 8.0.110.0. Since then I see this error message every two minutes:
    wlc: *spamApTask7: Feb 17 12:07:23.854: #CAPWAP-3-DISC_AP_MGR_ERR1: capwap_ac_sm.c:2008 The system is unable to process Primary discovery request from AP [mac-address] on interface (1), VLAN (10), could not get IPv6 AP manager
    The controller does not have IPv6 address configured (i.e. it's still ::/128).
    The error only appears for the two 1602i in the network, not for the 1131ag.
    All access points are connected to the controller and operate normally.
    How do I get rid of these errors?
    Thanks,
    Gerald

    Global IPv6 config is enabled as I need IPv6 and as far as I understand clients won't be able to use IPv6 otherwise.
    I haven't found a way to disable IPv6 for discovery...
    Gerald

  • Could not resolve CISCO-CAPWAP-CONTROLLER

    I have an access point in Singapore which is trying to connect to a controller in Canada.  I think I am having a latency issue.  Is there a way of increasing the timeout period to allow the AP to join the controller before the initial request fails?
    Thanks

    Hi
    Make sure the AP regulatory domain matches the country configured on your WLC. If that is all good, you can configure this on the AP via console and the AP should go and register to your WLC.
    LAP#debug capwap console cli
    This command is meant only for debugging/troubleshooting
    Any configuration change may result in different
    behavior from centralized configuration.
    CAPWAP console CLI allow/disallow debugging is on
    LAP#capwap ap primary-base <WLC-Name> <WLC-Mgt-IP>
    If not, post the full AP console output while it is trying to register.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • VWLC 7.4 and AP 1602 - CAPWAP fails

    Hi guys!
    In my lab, everything just worked fine. Now AP1602 is on customer site. AP gets vWLC IP address via DHCP option 43, 60. If I try to debug vWLC console with this command "debug capwap detail enable":
    (Cisco Controller) >debug capwap detail enable
    *spamApTask0: Jul 01 12:04:26.669: 68:86:a7:cb:f6:d0 CAPWAP Control Msg Received from 10.10.10.215:16281
    *spamApTask0: Jul 01 12:04:26.683: 68:86:a7:cb:f6:d0 CAPWAP Control Msg Received from 10.10.10.215:16281
    *spamApTask0: Jul 01 12:04:26.690: 68:86:a7:cb:f6:d0 CAPWAP Control Msg Received from 10.10.10.215:16281
    *spamApTask0: Jul 01 12:04:26.690: 68:86:a7:cb:f6:d0 DTLS connection 0x10fb84e0 closed by controller
    *spamApTask0: Jul 01 12:04:26.691: 68:86:a7:cb:f6:d0 CAPWAP Control Msg Received from 10.10.10.215:16281
    *spamApTask0: Jul 01 12:04:26.691: CAPWAP DTLS connection closed msg
    *spamApTask2: Jul 01 12:05:09.168: 00:1f:6c:8a:4d:41 CAPWAP Control Msg Received from 10.10.10.156:57832
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 packet received of length 123 from 10.10.10.156:57832
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Msg Type = 1 Capwap state = 0
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 msgEleLength = 1 msgEleType = 20
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Total msgEleLen = 94
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 msgEleLength = 40 msgEleType = 39
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Total msgEleLen = 50
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 msgEleLength = 1 msgEleType = 41
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Total msgEleLen = 45
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 msgEleLength = 1 msgEleType = 44
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Total msgEleLen = 40
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 msgEleLength = 10 msgEleType = 37
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Vendor specific payload from AP  34:A8:4E:BA:47:40 validated
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Total msgEleLen = 26
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 msgEleLength = 22 msgEleType = 37
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Vendor specific payload from AP  34:A8:4E:BA:47:40 validated
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Total msgEleLen = 0
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 1. 0 0
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 2. 232 3
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 3. 0 0
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 4. 200 0
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Discovery resp: AC Descriptor message element len = 40
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 acName = Cisco_92:e4:7b
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Discovery resp:AC Name message element length = 58
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Discovery resp: WTP Radio Information msg length = 67
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Discovery resp: CAPWAP Control IPV4 Address len = 77
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Discovery resp: CAPWAP Control IPV6 Address len = 99
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Discovery resp: Mwar type payload len = 110
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Discovery resp: Time sync payload len = 125
    *spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 WTP already released
    On Web interface Management->Logs->Message logs-> "DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake with peer 10.10.10.156
    Do you have any ideas why it doesn't work? Why is the DTLS connection closed by the vWLC?

    Guys,
    I think I am talking about this bug here : CSCua55382 . We can find more details here :
    http://www.cisco.com/image/gif/paws/113677/virtual-wlan-dg-00.pdf
    Known Issue: AP(s) not joining vWLC - The AP must get the hash entry from a legacy controller before it joins a vWLC.
    • An AP must be at software version 7.3.1.35 and above to successfully join a virtual controller. Virtual controllers use SSC in order to validate an AP before joining.
    • An AP at version 7.3 can validate the SSC certificate provided by the virtual controller.
    • After successful certificate validation, an AP will check the hash key of the virtual controller in the list of stored keys in flash. If it matches the stored hash, validation is passed and the AP moves to the RUN state. If hash validation fails, it will disconnect from the controller and restart the discovery process.
    • The hash validation, which is an extra authorization step, will be performed only if the AP is joining a virtual controller. There will be a knob to turn on/off hash key validation.
    • By default, hash validation is enabled, which means that the AP needs to have the virtual controller hash key in its flash before it can successfully complete association with the virtual controller. If the knob is turned off, the AP will bypass the hash validation and move directly to the RUN state.
    • The hash key can be configured in the controller mobility configurations, which gets pushed to all the APs which are joined. The AP will save this configuration until it successfully associates to another controller. After which, it inherits the hash key configuration from the new controller.
    • Typically, APs can join a traditional controller, download the hash keys, and then join a virtual controller. However, if it is joined to a traditional controller, the hash validation knob can be turned off and it can join any virtual controller. The administrator can decide to keep the knob on or off.
    This information is captured in Cisco bug ID CSCua55382.
    Exceptions:
    • If the AP does not have any hash key in its flash, it will bypass the hash validation, assuming that it is a first time installation.
        ♦ In this case, the hash validation is bypassed irrespective of whether the hash validation knob is on/off.
        ♦ Once it successfully joins the controller, it will inherit the mobility group member hash configuration (if configured in the controller). After which, it can join a virtual controller only if it has a hash key entry in its database.
    • Clearing the AP configuration from the controller or on the AP console will result in the erasing of all the hash keys. After which, the AP joins the virtual controller as if it is a first time installation.
        ♦ AP> test capwap erase
        ♦ AP> test capwap restart
    So... because I connected my AP to the vWLC in my lab, it downloaded hash keys. Without erasing these keys, the AP was unable to establish a DTLS tunnel with another vWLC.
    Hope that helps!

  • WLC 5508 - LAP1242: Failed to handle capwap control message from controller

    Hello everyone,
    after finally successfully upgrading my WLCs from 6.0.199.4 to 7.6.100.0 there is another problem showing up...
    If I want to change any configuration regarding the APs on the WLCs (which doesn't work) I get the following error-messages from the APs:
    *spamApTask7: Feb 27 14:34:00.558: 00:3a:9a:d6:5d:30 Test-AP-09-03: *Feb 27 13:34:00.169: %CAPWAP-3-ERRORLOG: Validate Msg: msg type 12 does not supported payload 215
    *spamApTask7: Feb 27 14:34:00.558: 00:3a:9a:d6:5d:30 Test-AP-09-03: *Feb 27 13:34:00.169: %CAPWAP-3-ERRORLOG: Validate Msg: error in Unknown Payload(215) payload (received length = 9, payload type = 215)
    *spamApTask7: Feb 27 14:34:00.558: 00:3a:9a:d6:5d:30 Test-AP-09-03: *Feb 27 13:34:00.170: %CAPWAP-3-ERRORLOG: Failed to validate vendor specific message element type 215 len 9.
    *spamApTask7: Feb 27 14:34:00.558: 00:3a:9a:d6:5d:30 Test-AP-09-03: *Feb 27 13:34:00.170: %CAPWAP-3-ERRORLOG: Failed to decode Configuration update request.
    *spamApTask7: Feb 27 14:34:00.558: 00:3a:9a:d6:5d:30 Test-AP-09-03: *Feb 27 13:34:00.170: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 7 state 11.
    *spamApTask7: Feb 27 14:34:00.558: 00:3a:9a:d6:5d:30 Test-AP-09-03: *Feb 27 13:34:00.171: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    Find attached some information regarding the AP and the 5508.
    Any suggestions are, as always, highly appreciated.
    Regards
    Manuel

    Good morning,
    if I need free space on the flash: how much is "enough" to handle config changes?
    Here you can see the filesystem of one of my access points (all are affected):
    AP#dir all-filesystems
    Directory of arch:/
        2  -rwx       91288  Feb 22 2014 18:16:42 +00:00  event.log
        8  drwx         448  Feb 22 2014 18:16:38 +00:00  c1240-k9w8-mx.124-25e.JAO3
        4  drwx           0   Nov 2 2011 23:32:18 +00:00  configs
        5  -rwx         397  Feb 22 2014 18:19:03 +00:00  env_vars
        6  -rwx        6168  Feb 27 2014 18:14:24 +00:00  private-multiple-fs
    No space information available
    Directory of flash:/
        2  -rwx       91288  Feb 22 2014 18:16:42 +00:00  event.log
        8  drwx         448  Feb 22 2014 18:16:38 +00:00  c1240-k9w8-mx.124-25e.JAO3
        4  drwx           0   Nov 2 2011 23:32:18 +00:00  configs
        5  -rwx         397  Feb 22 2014 18:19:03 +00:00  env_vars
        6  -rwx        6168  Feb 27 2014 18:14:24 +00:00  private-multiple-fs
    15740928 bytes total (10614784 bytes free)
    Directory of zflash:/
        2  -rwx       91288  Feb 22 2014 18:16:42 +00:00  event.log
        8  drwx         448  Feb 22 2014 18:16:38 +00:00  c1240-k9w8-mx.124-25e.JAO3
        4  drwx           0   Nov 2 2011 23:32:18 +00:00  configs
        5  -rwx         397  Feb 22 2014 18:19:03 +00:00  env_vars
        6  -rwx        6168  Feb 27 2014 18:14:24 +00:00  private-multiple-fs
    15740928 bytes total (10614784 bytes free)
    Directory of archive:/
    No files in directory
    No space information available
    Directory of system:/
        2  dr-x           0                      memory
        1  -rw-       17631                      running-config
    No space information available
    Directory of nvram:/
       30  -rw-           0                      startup-config
       31  ----           0                      private-config
        1  ----        4100                      lwapp_ap.cfg
        6  ----         528                      lwapp_ap_tlv.cfg
    32768 bytes total (26572 bytes free)
    Regards, Manuel

  • Autonomous 1252 converted to CAPWAP will not join 5508 WLC

    WLC 5508 firmware is v6.0.188.0
    I've tried updating the autonomous 1252 via both the upgrade tool 3.4 and 'archive download-sw' from the CLI
    I've tried multiple recovery images
    c1250-rcvk9w8-tar.124-21a.JA2.tar
    c1250-rcvk9w8-tar.124-10b.JDA.tar
    After AP reboots with recovery image it joins WLC and downloads new CAPWAP image then reboots again
    AP will not rejoin WLC with updated CAPWAP firmware
    Any help with this is greatly appreciated!
    Thanks in advance and happy holidays,
    Scott
    Error Msg from 1252 console
    *Dec 18 15:52:50.691: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.2 peer_port: 5246
    *Dec 18 15:52:50.695: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
    *Dec 18 15:52:50.695: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.100.2
    Additional info
    WLC Debugs Enabled:
    MAC address ................................ c4:7d:4f:39:31:e2
    Debug Flags Enabled:
      aaa detail enabled.
      capwap error enabled.
      capwap critical enabled.
      capwap events enabled.
      capwap state enabled.
      dtls event enabled.
      lwapp events enabled.
      lwapp errors enabled.
      pm pki enabled.
    WLC Debug Output:
    *Dec 18 10:51:51.575: dtls_conn_hash_search: Connection not found in hash table - Table empty.
    *Dec 18 10:51:51.575: sshpmGetCID: called to evaluate <cscoDefaultIdCert>
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: called to get cert for CID 154c7072
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 2, certname >cscoDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCID: called to evaluate <cscoDefaultIdCert>
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
    *Dec 18 10:51:51.575: sshpmGetSshPrivateKeyFromCID: called to get key for CID 154c7072
    *Dec 18 10:51:51.575: sshpmGetSshPrivateKeyFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<
    *Dec 18 10:51:51.576: sshpmGetSshPrivateKeyFromCID: comparing to row 1, certname >bsnDefaultIdCert<
    *Dec 18 10:51:51.576: sshpmGetSshPrivateKeyFromCID: comparing to row 2, certname >cscoDefaultIdCert<
    *Dec 18 10:51:51.576: sshpmGetSshPrivateKeyFromCID: match in row 2
    *Dec 18 10:51:51.692: acDtlsCallback: Certificate installed for PKI based authentication.
    *Dec 18 10:51:51.693: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=0
    *Dec 18 10:51:51.693: local_openssl_dtls_record_inspect:   msg=ClientHello len=44 seq=0 frag_off=0 frag_len=44
    *Dec 18 10:51:51.693: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:51.693: local_openssl_dtls_send: Sending 60 bytes
    *Dec 18 10:51:51.694: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:51.694: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=1
    *Dec 18 10:51:51.694: local_openssl_dtls_record_inspect:   msg=ClientHello len=76 seq=1 frag_off=0 frag_len=76
    *Dec 18 10:51:51.695: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:51.695: local_openssl_dtls_send: Sending 544 bytes
    *Dec 18 10:51:51.695: local_openssl_dtls_send: Sending 544 bytes
    *Dec 18 10:51:51.696: local_openssl_dtls_send: Sending 314 bytes
    *Dec 18 10:51:51.712: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:51.712: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=2
    *Dec 18 10:51:51.712: local_openssl_dtls_record_inspect:   msg=Certificate len=1146 seq=2 frag_off=0 frag_len=519
    *Dec 18 10:51:51.712: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:51.712: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:51.712: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=3
    *Dec 18 10:51:51.712: local_openssl_dtls_record_inspect:   msg=Certificate len=1146 seq=2 frag_off=519 frag_len=519
    *Dec 18 10:51:51.713: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:51.713: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:51.713: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=4
    *Dec 18 10:51:51.713: local_openssl_dtls_record_inspect:   msg=Certificate len=1146 seq=2 frag_off=1038 frag_len=108
    *Dec 18 10:51:51.714: sshpmGetIssuerHandles: locking ca cert table
    *Dec 18 10:51:51.714: sshpmGetIssuerHandles: calling x509_alloc() for user cert
    *Dec 18 10:51:51.714: sshpmGetIssuerHandles: calling x509_decode()
    *Dec 18 10:51:51.719: sshpmGetIssuerHandles: <subject> C=US, ST=California, L=San Jose, O=Cisco Systems, CN=C1250-c47d4f3931e2, [email protected]
    *Dec 18 10:51:51.719: sshpmGetIssuerHandles: <issuer>  O=Cisco Systems, CN=Cisco Manufacturing CA
    *Dec 18 10:51:51.719: sshpmGetIssuerHandles: Mac Address in subject is c4:7d:4f:39:31:e2
    *Dec 18 10:51:51.719: sshpmGetIssuerHandles: Cert Name in subject is C1250-c47d4f3931e2
    *Dec 18 10:51:51.719: sshpmGetIssuerHandles: Cert is issued by Cisco Systems.
    *Dec 18 10:51:51.719: sshpmGetCID: called to evaluate <cscoDefaultMfgCaCert>
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.719: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: called to get cert for CID 2ab15c0a
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.719: ssphmUserCertVerify: calling x509_decode()
    *Dec 18 10:51:51.730: ssphmUserCertVerify: user cert verfied using >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.730: sshpmGetIssuerHandles: ValidityString (current): 2009/12/18/15:51:51
    *Dec 18 10:51:51.730: sshpmGetIssuerHandles: ValidityString (NotBefore): 2009/11/03/00:47:36
    *Dec 18 10:51:51.730: sshpmGetIssuerHandles: ValidityString (NotAfter): 2019/11/03/00:57:36
    *Dec 18 10:51:51.730: sshpmGetIssuerHandles: getting cisco ID cert handle...
    *Dec 18 10:51:51.730: sshpmGetCID: called to evaluate <cscoDefaultIdCert>
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
    *Dec 18 10:51:51.730: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
    *Dec 18 10:51:51.731: sshpmFreePublicKeyHandle: called with 0x1f1f3b8c
    *Dec 18 10:51:51.731: sshpmFreePublicKeyHandle: freeing public key
    *Dec 18 10:51:51.731: openssl_shim_cert_verify_callback: Certificate verification - passed!
    *Dec 18 10:51:51.732: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:52.155: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:52.155: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=5
    *Dec 18 10:51:52.155: local_openssl_dtls_record_inspect:   msg=ClientKeyExchange len=258 seq=3 frag_off=0 frag_len=258
    *Dec 18 10:51:52.269: openssl_dtls_process_packet: Handshake in progress...
    *Dec 18 10:51:52.269: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246  Peer 192.168.100.54:62227
    *Dec 18 10:51:52.269: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=6
    *Dec 18 10:51:52.269: local_openssl_dtls_record_inspect:   msg=CertificateVerify len=258 seq=4 frag_off=0 frag_len=258
    *Dec 18 10:51:52.269: local_openssl_dtls_record_inspect: record=ChangeCipherSpec epoch=0 seq=7
    *Dec 18 10:51:52.269: local_openssl_dtls_record_inspect: record=Handshake epoch=1 seq=0
    *Dec 18 10:51:52.269: local_openssl_dtls_record_inspect:   msg=Unknown or Encrypted
    *Dec 18 10:51:52.273: openssl_dtls_process_packet: Connection established!
    *Dec 18 10:51:52.273: acDtlsCallback: DTLS Connection 0x167c5c00 established
    *Dec 18 10:51:52.273: openssl_dtls_mtu_update: Setting DTLS MTU for link to peer 192.168.100.54:62227
    *Dec 18 10:51:52.273: local_openssl_dtls_send: Sending 91 bytes
    *Dec 18 10:53:06.183: sshpmLscTask: LSC Task received a message 4
    Aironet 1252 Console Debug:
    *Dec 16 11:07:12.055: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Dec 18 15:51:40.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.2 peer_port: 5246
    *Dec 18 15:51:40.999: %CAPWAP-5-CHANGED: CAPWAP changed state to 
    *Dec 18 15:51:41.695: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.2 peer_port: 5246
    *Dec 18 15:51:41.699: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
    *Dec 18 15:51:41.699: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
    *Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.100.2
    *Dec 18 15:51:46.695: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
    *Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
    *Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.100.2
    *Dec 18 15:52:39.999: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 192.168.100.2:5246
    *Dec 18 15:52:40.039: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Dec 18 15:52:40.039: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Dec 18 15:52:40.051: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Dec 18 15:52:40.051: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
    *Dec 18 15:52:40.059: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec 18 15:52:40.063: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Dec 18 15:52:40.079: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec 18 15:52:40.079: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Dec 18 15:52:50.059: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Dec 18 15:52:50.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.2 peer_port: 5246
    *Dec 18 15:52:50.000: %CAPWAP-5-CHANGED: CAPWAP changed state to 
    *Dec 18 15:52:50.691: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.2 peer_port: 5246
    *Dec 18 15:52:50.695: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
    *Dec 18 15:52:50.695: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.100.2
    *Dec 18 15:52:55.691: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
    *Dec 18 15:52:55.691: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
    *Dec 18 15:52:55.691: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Dec 18 15:52:55.691: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec 18 15:52:55.691: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.1

    Nathan and Leo are alluding to CSCte01087. Basically the caveat is that DTLS fails on a non-00:xx:xx:xx:xx:xx L2 first hop. e.g. if the APs are on the same VLAN as the management interface, they must have 00 MACs; if they are on a different VLAN, the WLC/AP gateway must have a 00 MAC. If the workaround below does not suit your environment, open a TAC case for an image with the fix.
    Symptom:
    An access point running 6.0.188.0 code may be unable to join a WLC5508.
    Messages similar to the following will be seen on the AP.
       %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
       %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message
    Conditions:
    At least one of the following conditions pertains:
    - The high order byte of the AP's MAC address is nonzero, and the AP is in
    the same subnet as the WLC5508's management (or AP manager) interface
    - The WLC's management (or AP manager) interface's default gateway's
    MAC address' high order byte is nonzero.
    Workaround:
    If the MAC address of the WLC's default gateway does not begin with 00,
    and if all of the APs' MAC addresses begin with 00, then: you can put
    the APs into the same subnet as the WLC's management (or AP manager)
    interface.
    In the general case, for the situation where the WLC's default gateway's
    MAC does not begin with 00, you can address this by changing it to begin
    with 00. Some methods for doing this include:
    -- use the "mac-address" command on the gateway, to set a MAC address
    that begins with 00
    -- then enable HSRP on the gateway (standby ip ww.xx.yy.zz) and use this
    IP as the WLC's gateway.
    For the case where the APs' MAC addresses do not begin with 00, then make
    sure that they are *not* in the same subnet as the WLC's management
    (AP manager) interface, but are behind a router.
    Another workaround is to downgrade to 6.0.182.0.  However, after
    downgrading the WLC to 6.0.182.0, any APs that have 6.0.188.0 IOS
    (i.e. 12.4(21a)JA2) still installed on them will be unable to join.
    Therefore, after downgrading the WLC, the APs will need to have a
    pre-12.4(21a)JA2 rcvk9w8 or k9w8 image installed on them.
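A way to check an inventory against the two CSCte01087 conditions quoted above before an upgrade. This is an added example, not code from the thread or from Cisco; the /24 for the 192.168.100.0 management network and the gateway MAC are assumptions, the AP at 192.168.100.54 with MAC c4:7d:4f:39:31:e2 and the WLC at 192.168.100.2 come from the thread, and the other APs are constructed.

```python
"""Pre-check for the CSCte01087 join failure described in the bug text above.

Added example. It applies the bug's two conditions to an inventory:
  1. an AP whose MAC high-order byte is nonzero sits in the same subnet as the
     WLC management (or AP manager) interface;
  2. the default gateway of that interface has a MAC with a nonzero high byte.
"""
import ipaddress
import re

_MAC_RE = re.compile(r"^[0-9a-f]{2}([:-][0-9a-f]{2}){5}$")


def high_order_byte(mac: str) -> int:
    """First octet of a MAC written as aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff."""
    mac = mac.strip().lower()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(mac[:2], 16)


def ap_join_risks(mgmt_subnet: str, gateway_mac: str, aps: dict) -> dict:
    """Evaluate both bug conditions.

    mgmt_subnet: network of the WLC management / AP manager interface
    gateway_mac: MAC of that interface's default gateway
    aps:         {name: (ip, mac)}
    Returns {"gateway": condition 2 met, "aps": names hitting condition 1,
             "all_aps_00": every AP MAC begins with 00}.
    """
    net = ipaddress.ip_network(mgmt_subnet, strict=False)
    flagged = [
        name for name, (ip, mac) in aps.items()
        if ipaddress.ip_address(ip) in net and high_order_byte(mac) != 0
    ]
    return {
        "gateway": high_order_byte(gateway_mac) != 0,
        "aps": sorted(flagged),
        "all_aps_00": all(high_order_byte(mac) == 0 for _, mac in aps.values()),
    }


def workarounds(report: dict) -> list:
    """Map a report to the workarounds listed in the bug text (in its order)."""
    steps = []
    if report["gateway"]:
        if report["all_aps_00"]:
            steps.append("put the APs in the WLC management/AP-manager subnet")
        steps.append("give the gateway a 00-prefixed MAC (mac-address command, "
                     "then an HSRP standby IP used as the WLC gateway)")
    if report["aps"]:
        steps.append("move " + ", ".join(report["aps"]) +
                     " out of the management subnet, behind a router")
    if steps:
        steps.append("or downgrade the WLC to 6.0.182.0 and load a "
                     "pre-12.4(21a)JA2 image on the APs")
    else:
        steps.append("CSCte01087 conditions not met; the join failure lies elsewhere")
    return steps


if __name__ == "__main__":
    # Constructed inventory built around the values in the thread.
    inventory = {
        "ap-1252":   ("192.168.100.54", "c4:7d:4f:39:31:e2"),  # the poster's AP
        "ap-remote": ("10.10.20.7",     "c4:7d:4f:00:00:01"),  # constructed, routed
        "ap-old":    ("192.168.100.60", "00:1e:00:00:00:02"),  # constructed, 00 MAC
    }
    rep = ap_join_risks("192.168.100.0/24", "00:1b:2c:3d:4e:5f", inventory)
    print(rep)  # {'gateway': False, 'aps': ['ap-1252'], 'all_aps_00': False}
    for step in workarounds(rep):
        print("-", step)
```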

  • Separate VLAN for CAPWAP

    Hello,
    I'm in the process of deploying a WLC2504 in an environment which requires a private VLAN for access to file servers and other network resources, as well as a guest network for internet access.
    As far as performance is concerned, will I get acceptable throughput on my WLANs with the CAPWAP tunnel flowing over the same subnet as the private network? I've seen some suggestions that recommend a separate VLAN dedicated to CAPWAP, but I don't know if this is just a suggestion for security. I understand that CAPWAP supports encryption of control messages, but not data transmissions without additional licensing. If this is just a suggestion for security, I don't think this is much of a concern. I don't see anyone on the private network intercepting guest transmissions. Could someone please advise me on this?

    Thanks for your clarification guys! I'm in the process of installing my first CUWN. We are implementing 10 APs and have dealt with a few issues, namely throughput for laptops. I knew other factors could definitely come into play, but I wanted to rule topology out. Laptops are currently pulling very low internet speed test results, whereas mobile devices seem to fare much better. I've tried testing with mostly 2.4 GHz connections from laptops, but even the 5 GHz seem to struggle. I'm working with the Cisco TAC a bit on this one. Per their suggestion, I'm going to run Iperf to test internal performance before I involve network firewalls and Internet connectivity in the mix.

  • Information about %CAPWAP-3- ERRORLOG messages

    Hello,
    Does anyone know where to find information about CAPWAP-3 messages like these ?
    %CAPWAP-3-ERRORLOG: Failed to send data transfer request.
    %CAPWAP-3-ERRORLOG: Queue already full.
    Thanks in advance.

    I'm with Scott.
    Post the entire bootup process.  This contains more vital information than you can surmise.
    Also post the output to the following commands:
    1.  WLC:  sh sysinfo;
    2.  WLC:  sh time;
    3.  AP:  sh version;
    4.  AP:  sh ip interface brief; and
    5.  AP:  sh inventory

  • How to replace the certificate of Cisco 2106 wireless LAN controller for CAPWAP ?

    I am interested in the CAPWAP feature and I downloaded the open CAPWAP project to make an Access Controller (AC) and Wireless Termination Point (WTP). I had built the AC, which used a PC, and the WTP, which used an Atheros AP. The CAPWAP feature worked well when I enabled CAPWAP using my own AC and WTP. When I got the Cisco 2106 wireless LAN controller (Cisco WLC), I configured the Cisco WLC instead of my own AC, but I got an authorization failure on the Cisco WLC side. It seems the Cisco WLC could not recognize the CAPWAP messages sent from my own WTP. I think this issue just needs the certificate to be synchronized between the Cisco WLC and the WTP, so I need to replace the Cisco WLC's certificate manually. Does anyone know how to replace the certificate manually on a Cisco WLC?
    Best Regards,
    Alan

    Unfortunately this Support Community is for Cisco Small Business & Small Business Pro product offerings.  The WLC2106 is a traditional Cisco product.  You can find this type of support on the Cisco NetPro Forum for all traditional Cisco products.
    Best Regards,
    Glenn

  • %CAPWAP-3-ERRORLOG in MESH setup WLC7.6

    Hello everyone,
    I configured a MESH setup consisting of 3 AP's (1 root and 2 remote),
    however one AP (remote) cannot join the WLC anymore since I made the changes to static IP and bridge mode.
    I can't even reset the AP to factory settings to get it back to WLC appliance...
    This is the error logs from the AP - can anyone help?
    *Apr 10 16:15:59.187: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
    *Apr 10 16:15:59.231: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Apr 10 16:15:59.235: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Apr 10 16:16:00.235: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Apr 10 16:16:00.263: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Apr 10 16:16:01.263: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Apr 10 16:16:09.187: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Apr 10 16:16:09.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.88.53 peer_port: 5246
    *Apr 10 16:16:09.003: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Apr 10 16:16:09.011: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Apr 10 16:16:09.411: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.88.53 peer_port: 5246
    *Apr 10 16:16:09.411: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.88.53
    *Apr 10 16:16:09.415: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
    *Apr 10 16:16:09.415: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
    *Apr 10 16:16:09.415: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Apr 10 16:16:09.415: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 192.168.88.53
    *Apr 10 16:16:10.003: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Apr 10 16:16:10.039: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Apr 10 16:16:10.047: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Apr 10 16:16:11.083: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Apr 10 16:16:12.083: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Apr 10 16:16:14.411: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.88.53
    *Apr 10 16:16:14.415: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Apr 10 16:16:14.423: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Apr 10 16:16:15.415: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Apr 10 16:16:15.451: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Apr 10 16:16:16.451: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
    *Apr 10 16:17:08.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.88.53:5246
    *Apr 10 16:17:09.039: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
    *Apr 10 16:17:09.055: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Apr 10 16:17:09.091: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Apr 10 16:17:10.059: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Apr 10 16:17:10.095: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Apr 10 16:17:10.103: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Apr 10 16:17:11.131: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Apr 10 16:17:12.131: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up

    info0000246:
    Are you sure you allowed the AP on the mac filter in your WLC?  I was having the same issue today because I had forgotten to add the mac into the mac filtering, as soon as I did that the AP was able to join the controller.

  • Monitor capwap access points

    Hello ,
    After migrating from standalone access points to CAPWAP access points (with a wireless LAN controller / Cisco Prime), a lot of people are wondering how to monitor their APs by receiving traps from the controllers.
    I am searching for a trap list that should be accepted by a monitoring product (i.e. Nagios) in order to monitor the status of the access points.
    Where can I find this info?
    Thank you in advance for your help ;
    Rgds.
    Hubert.

    Since all APs are managed by the WLC, all information is available from the WLC; there is no need to get this information from the AP directly.
    If you want, you can configure the AP & WLC syslog to export to a syslog server & then analyse them. The posts below may give some idea:
    http://mrncciew.com/2014/09/19/wlc-syslog-analysis/
    http://mrncciew.com/2013/02/06/syslog-msg-log-in-wlc/
    HTH
    Rasika
    *** Pls rate all useful responses ****
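Once AP and WLC syslog is exported as Rasika suggests, the lines still have to be parsed; this added example (not code from either thread) parses the IOS-style CAPWAP syslog format seen in the "%CAPWAP-3-ERRORLOG" question and the 1252 thread above and reports, per controller IP, how many Join Requests were sent, how many CAPWAP errors followed them before the AP fell back to DISCOVERY, and the distinct error texts. SAMPLE_LINES is constructed from the 1252 console output above.

```python
"""Triage of AP-side CAPWAP syslog lines (added example).

Line format: "*Mon DD HH:MM:SS.mmm: %FACILITY-SEVERITY-MNEMONIC: text".
A DTLS session that comes up (DTLSREQSUCC) followed by errors after every
SENDJOIN is the pattern a collector would alert on.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\*(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\.\d{3}):\s+"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+):\s*(?P<msg>.*)$"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed from the 1252 console output quoted earlier on this page.
SAMPLE_LINES = [
    "*Dec 18 15:51:40.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.2 peer_port: 5246",
    "*Dec 18 15:51:41.695: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.2 peer_port: 5246",
    "*Dec 18 15:51:41.699: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2",
    "*Dec 18 15:51:41.699: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN",
    "*Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2",
    "*Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.",
    "*Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller",
    "*Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.100.2",
    "*Dec 18 15:51:46.695: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2",
    "*Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.",
    "*Dec 18 15:52:39.999: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 192.168.100.2:5246",
    "*Dec 18 15:52:40.039: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY",
    "*Dec 18 15:52:50.059: %CAPWAP-3-ERRORLOG: Go join a capwap controller",
    'Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)',
]


def parse_line(line: str):
    """Split one syslog line into its fields, or return None for non-syslog text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    return rec


def summarize_joins(lines) -> dict:
    """Per controller IP: DTLS sessions established, Join Requests sent,
    CAPWAP errors (severity <= 3) seen after a Join Request, distinct error texts."""
    report = defaultdict(lambda: {"dtls_ok": 0, "join_requests": 0,
                                  "join_errors": 0, "errors": []})
    current = None  # controller the last Join Request went to, until DISCOVERY
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["fac"] != "CAPWAP":
            continue
        ip = IP_RE.search(rec["msg"])
        if rec["mnem"] == "DTLSREQSUCC" and ip:
            report[ip.group(1)]["dtls_ok"] += 1
        elif rec["mnem"] == "SENDJOIN" and ip:
            current = ip.group(1)
            report[current]["join_requests"] += 1
        elif rec["mnem"] == "CHANGED" and "DISCOVERY" in rec["msg"]:
            current = None  # AP gave up on that controller
        elif rec["sev"] <= 3 and current is not None:
            entry = report[current]
            entry["join_errors"] += 1
            if rec["msg"] not in entry["errors"]:
                entry["errors"].append(rec["msg"])
    return dict(report)


def verdict(entry: dict) -> str:
    """One-line classification of a controller entry from summarize_joins()."""
    if entry["join_requests"] and entry["join_errors"]:
        return "DTLS up but join failing" if entry["dtls_ok"] else "join failing"
    return "no join failures seen"


if __name__ == "__main__":
    for ctrl, entry in summarize_joins(SAMPLE_LINES).items():
        print(ctrl, verdict(entry), entry)
```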
