CAPWAP teardown?
Hi All,
I need help understanding how the CAPWAP tunnel works when one of the bundled (group of 4) ports in the port-channel group is shut down.
Here's the logical diagram
APs <-> Access Switch <-portchannel-> Distri Switch <-portchannel-> Core Switch <-portchannel-> WLC
One of the 4 bundled uplink ports in the port-channel (shown in RED text) was shut down deliberately. During this time Prime Infrastructure 1.3 reported that the APs were disassociated from the controller, and 1 minute later Prime Infrastructure reported that the APs were associated to the controller again, without anyone touching any devices.
Is this normal CAPWAP behaviour? If not, what should I do?
Regards,
Dave
What is the load-balancing mechanism of your switch etherchannels? "show etherchannel load-balance" should tell you this.
If the AP-to-WLC CAPWAP traffic went through the interface you shut down, then there is a possibility your AP lost connectivity to the WLC momentarily. But it should not take that long to revert traffic to the other interfaces.
You can do a test like this. Enable Telnet for one of your APs (via WLC GUI: Wireless -> select your AP -> Advanced -> tick the Telnet checkbox). Then telnet to the AP and ping your WLC IP from there. Then shut down one of your (out of 4) switch etherchannel interfaces and see whether you see ping drops for a short period of time. If packets drop, see how many drops occur before connectivity comes back.
HTH
Rasika
**** Pls rate all useful responses ****
Similar Messages
-
Is it possible to config H-REAP/REAP and CAPWAP in Autonomous mode with a WLC?
I'm going to be deploying all new APs as Remote-Edge APs and they will be shipped straight to site, with a pool of WLCs deployed in central DC locations. I would like to get local staff to deploy a basic CLI discovery script for the APs. However, I thought LAPs don't have a CLI???
I'm thinking I must use a Lightweight AP with the WLC to use Remote-Edge AP functionality. However, I'm not sure... the configuration example at the bottom doesn't state whether it is an Autonomous AP or a Lightweight one.
http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml
H-REAP Controller Discovery using CLI commands
H REAPs will most commonly discover upstream controllers via DHCP option 43 or DNS resolution. Without either of these methods available, it may be desirable to provide detailed instructions to administrators at remote sites so that each H REAP may be configured with the IP address of the controllers to which they should connect. Optionally, H REAP IP addressing may be set manually as well (if DHCP is either not available or not desired).
This example details how an H REAP's IP address, hostname, and controller IP address may be set through the console port of the access point.
AP_CLI#capwap ap hostname ap1130
ap1130#capwap ap ip address 10.10.10.51 255.255.255.0
ap1130#capwap ap ip default-gateway 10.10.10.1
ap1130#capwap ap controller ip address 172.17.2.172
Could anyone help?
Cheers
Adrian.
Hi Adrian,
Further down in the doc you linked;
H-REAP Controller Discovery using CLI commands
H REAPs will most commonly discover upstream controllers via DHCP option 43 or DNS resolution. Without either of these methods available, it may be desirable to provide detailed instructions to administrators at remote sites so that each H REAP may be configured with the IP address of the controllers to which they should connect. Optionally, H REAP IP addressing may be set manually as well (if DHCP is either not available or not desired).
This example details how an H REAP's IP address, hostname, and controller IP address may be set through the console port of the access point.
AP_CLI#capwap ap hostname ap1130
ap1130#capwap ap ip address 10.10.10.51 255.255.255.0
ap1130#capwap ap ip default-gateway 10.10.10.1
ap1130#capwap ap controller ip address 172.17.2.172
Note: Access points must run the LWAPP-enabled IOS® Recovery Image Cisco IOS Software Release 12.3(11)JX1 or later, in order to support these CLI commands out of the box. Access points with the SKU prefix of LAP (for example, AIR-LAP-1131AG-A-K9), shipped on or after June 13, 2006 run Cisco IOS Software Release 12.3(11)JX1 or later. These commands are available to any access point that ships from the manufacturer running this code level, has the code upgraded manually to this level, or is upgraded automatically by connecting to a controller running version 6.0 or later.
These configuration commands are only accepted when the access point is in Standalone mode.
Cheers!
Rob -
Downgrade 3600 Capwap AP to Autonomous 3600 AP
Hello!
I have to prepare a 3600 CAPWAP AP for autonomous functionality!
The following image was downloaded:
ap3g2-k9w7-tar.152-2.JA
The release notes say:
Site-Survey Only Mode for 3600, 3500, and 1550 Access Points
You can install Cisco IOS Release 15.2(2)JA on Cisco Aironet 3600 and 3500 Series access points and on 1550 series outdoor access points to perform site surveys. This release runs on these access points with limited functionality. You can manually adjust these settings on the site-survey access points:
• Channel on each radio
• Transmit power on each radio
• Enable and disable the radios
• Manually set basic and supported transmit rates
• Enable advertised cell power in beacons to client to enable DTPC for doing active surveys
• Enable and disable SSID broadcast in beacons
• Enable open authentication
My Question is:
Where can I find instructions for downgrading an AIR-CAP3602i to an Autonomous 3600 AP?
Is it complicated to get the AP running, or what do I need for "downgrading"?
Thanks for the help
Richard
The method to convert is:
Download TFTPd32 (search for it on Google) and install it on your PC. Point the TFTP server at the image you downloaded.
Connect an Ethernet cable between your laptop and the AP, with both in the same subnet, and connect a console cable to get console access in HyperTerminal. Make sure the PC and the AP can ping each other, then issue these commands:
AP>en
AP#debug capwap console cli
AP#config t
AP(config)#interface GigabitEthernet0
AP(config-if)#ip address <address> <mask>   (same subnet as that of the laptop)
AP(config-if)#end
AP#archive download-sw /force-reload /overwrite tftp://10.0.0.5/ap3g2-k9w7-tar.152-2.JA
(10.0.0.5 being the TFTP server's address.)
You can skip the IP configuration part if the AP gets its IP from DHCP. -
Understanding teardown from log
Is the Reset-I always from the device on the higher security level interface (in this case 172.16.112.10/3389)?
In the second case, what conclusions can be drawn from the teardown information "TCP FINs"? Who is it that sends the first FIN?
I'm struggling to find the reasons for connections "freezing" or closing, but there are no errors that I can relate to the connection IDs whatsoever.
asa.log:2014-02-03T15:04:32.186954+01:00 10.1.4.1 %ASA-6-302013: Built inbound TCP connection 1730891653 for wan:195.195.195.195/49624 (195.195.195.195/49624) to vlan547:172.16.112.10/3389 (212.112.9.209/3389)
asa.log:2014-02-03T17:21:36.585964+01:00 10.1.4.1 %ASA-6-302014: Teardown TCP connection 1730891653 for wan:195.195.195.195/49624 to vlan547:172.16.112.10/3389 duration 2:17:05 bytes 35781464 TCP Reset-I
asa.log:2014-02-03T13:14:51.660321+01:00 10.1.4.1 %ASA-6-302013: Built inbound TCP connection 1729135626 for wan:195.195.195.195/50005 (195.195.195.195/50005) to vlan547:172.16.112.10/3389 (212.112.9.209/3389)
asa.log:2014-02-03T18:05:02.785968+01:00 10.1.4.1 %ASA-6-302014: Teardown TCP connection 1729135626 for wan:195.195.195.195/50005 to vlan547:172.16.112.10/3389 duration 4:50:14 bytes 36231472 TCP FINs
Hi,
The TCP Reset-I and TCP Reset-O should refer to the TCP RST coming from either the higher or the lower "security-level" interface.
There are some other things affected by the "security-level" in the output of the ASA as well. For example, when you check the output of the "show conn" command, the host on the lowest "security-level" interface is listed first. The same goes for log messages: the host on the lowest "security-level" interface is mentioned first in the log messages for Building and Teardown of the connection.
To my understanding there is no way to determine which side normally closed the connection from the log message itself. I would presume that the client would usually do this, but I can't be 100% sure that it's always like this.
If there is no clear indication that the firewall is doing something to the connection, then I would suggest capturing traffic to find out what is happening to it. You can either attach a host to the network to capture all the traffic from some port, or perhaps capture traffic on the ASA itself.
You could, for example, configure a capture for your RDP connection like this:
access-list RDP-CAP permit tcp host <client-ip> host <server-ip>
access-list RDP-CAP permit tcp host <server-ip> host <client-ip>
capture RDP-CAP type raw-data access-list RDP-CAP interface outside buffer 33500000 circular-buffer
If you are expecting a lot of data you will either have to do the capture on some other device (the ASA's buffer is limited to approximately the above amount of bytes), or you can create a capture for each direction separately to maximize the amount of traffic that can be captured.
You could also leave out the data in the actual packets and capture only the headers by using this command:
capture RDP-CAP type raw-data access-list RDP-CAP interface outside buffer 33500000 circular-buffer headers-only
You can naturally use both of the above commands. Naturally you will have to use a different name for the "capture"; I am not sure whether you have to use a different ACL.
You can then use this command to check if there is traffic captured:
show capture
If you wish to show the capture contents on the CLI then you can use this command:
show capture RDP-CAP
Then again, you might want to load the capture onto your host/server and open it with Wireshark; then you could use this command:
copy /pcap capture:RDP-CAP tftp://x.x.x.x/RDP-CAP.pcap
You can remove the capture with the command:
no capture RDP-CAP
You will have to remove the capture ACL separately.
I am not sure how much information can be gotten from the RDP server itself. I don't usually have to deal with the IT side at all, so I don't really know to what extent you would be able to log what the actual server does during those connection issues. A traffic capture would certainly tell what happens to the data/connection.
Hope this helps
- Jouni -
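Jouni's answer explains the Built/Teardown pairing, the ordering of hosts by security level, and what Reset-I/Reset-O and FINs mean. As an added example, not code from this thread or from Cisco, the following Python correlates %ASA-6-302013 and %ASA-6-302014 lines by connection id, records the teardown reason and which side the RST came from, and compares the ASA's own duration field with the two syslog timestamps so that a delayed syslog line is not mistaken for a connection problem. The sample input is the four lines quoted in the question, with the wrapped Teardown line re-joined; the regular expressions are written for exactly the field layout shown there.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional

# Constructed sample input: the four syslog lines quoted in the question above,
# with the wrapped Teardown line re-joined onto one line.
SAMPLE_LOG = """\
2014-02-03T15:04:32.186954+01:00 10.1.4.1 %ASA-6-302013: Built inbound TCP connection 1730891653 for wan:195.195.195.195/49624 (195.195.195.195/49624) to vlan547:172.16.112.10/3389 (212.112.9.209/3389)
2014-02-03T17:21:36.585964+01:00 10.1.4.1 %ASA-6-302014: Teardown TCP connection 1730891653 for wan:195.195.195.195/49624 to vlan547:172.16.112.10/3389 duration 2:17:05 bytes 35781464 TCP Reset-I
2014-02-03T13:14:51.660321+01:00 10.1.4.1 %ASA-6-302013: Built inbound TCP connection 1729135626 for wan:195.195.195.195/50005 (195.195.195.195/50005) to vlan547:172.16.112.10/3389 (212.112.9.209/3389)
2014-02-03T18:05:02.785968+01:00 10.1.4.1 %ASA-6-302014: Teardown TCP connection 1729135626 for wan:195.195.195.195/50005 to vlan547:172.16.112.10/3389 duration 4:50:14 bytes 36231472 TCP FINs
"""

# %ASA-6-302013 (Built) and %ASA-6-302014 (Teardown). The first host named is the
# one on the lower security-level interface, as described in the answer above.
BUILT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ %ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection "
    r"(?P<id>\d+) for (?P<low_if>[^:]+):(?P<low>\S+) \(\S+\) to "
    r"(?P<high_if>[^:]+):(?P<high>\S+) \(\S+\)")
TEARDOWN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ %ASA-6-302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<low_if>[^:]+):\S+ to (?P<high_if>[^:]+):\S+ "
    r"duration (?P<dur>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$")

# Reason strings as the ASA writes them: Reset-I/Reset-O name the side the RST
# arrived from; "TCP FINs" is an orderly close and names no side.
REASON_SIDE = {"TCP Reset-I": "inside", "TCP Reset-O": "outside"}


@dataclass
class Conn:
    conn_id: int
    built_at: Optional[datetime] = None
    torn_down_at: Optional[datetime] = None
    low_side: str = ""    # "<interface>:<ip/port>" on the lower security level
    high_side: str = ""   # "<interface>:<ip/port>" on the higher security level
    duration_s: Optional[int] = None
    byte_count: Optional[int] = None
    reason: Optional[str] = None

    @property
    def reset_from(self) -> Optional[str]:
        """'inside' or 'outside' for RST teardowns, None for FINs and other reasons."""
        return REASON_SIDE.get(self.reason or "")

    @property
    def duration_skew_s(self) -> Optional[int]:
        """Gap between the ASA's duration field and the two syslog timestamps.
        A large gap points at syslog delay or clock drift, not at the connection."""
        if self.built_at is None or self.torn_down_at is None or self.duration_s is None:
            return None
        observed = (self.torn_down_at - self.built_at).total_seconds()
        return abs(int(observed) - self.duration_s)

    @property
    def complete(self) -> bool:
        return self.built_at is not None and self.torn_down_at is not None


def parse_duration(text: str) -> int:
    """'2:17:05' -> seconds."""
    h, m, s = (int(part) for part in text.split(":"))
    return h * 3600 + m * 60 + s


def correlate(log_text: str) -> Dict[int, Conn]:
    """Pair Built and Teardown messages by connection id; unmatched ids stay incomplete."""
    conns: Dict[int, Conn] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BUILT_RE.match(line)
        if m:
            c = conns.setdefault(int(m["id"]), Conn(int(m["id"])))
            c.built_at = datetime.fromisoformat(m["ts"])
            c.low_side = f"{m['low_if']}:{m['low']}"
            c.high_side = f"{m['high_if']}:{m['high']}"
            continue
        m = TEARDOWN_RE.match(line)
        if m:
            c = conns.setdefault(int(m["id"]), Conn(int(m["id"])))
            c.torn_down_at = datetime.fromisoformat(m["ts"])
            c.duration_s = parse_duration(m["dur"])
            c.byte_count = int(m["bytes"])
            c.reason = m["reason"]
    return conns


if __name__ == "__main__":
    for c in sorted(correlate(SAMPLE_LOG).values(), key=lambda x: x.conn_id):
        print(f"{c.conn_id} {c.low_side} -> {c.high_side} {c.duration_s}s {c.byte_count}B "
              f"reason={c.reason!r} reset_from={c.reset_from} skew={c.duration_skew_s}s")
```

Reset-I and Reset-O are the only teardown reasons the message attributes to a side; for a FINs teardown the initiator has to come from a capture, as the answer says. In the sample the ASA's duration and the syslog timestamps agree to within a few seconds, which is what you want to see before blaming the logging path.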
Error Cisco 892f-w Wireless driver lwapp and capwap controller
Hello, greetings to the Cisco support community. I am writing to ask for help with my router: I am having trouble bringing up the wireless network. I hope you can help me, thanks.
Upon entering the AP CLI I get this error:
*Jul 3 22:33:04.951: %CAPWAP-3-STATIC_TO_DHCP_IP: Could not discover WLC using static IP. Forcing AP to use DHCP.
*Jul 3 22:33:14.959: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination
*Jul 3 22:33:15.083: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.10.10.4, mask 255.255.255.248, hostname AP6400.f1cf.6738
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (8.8.8.8)
Translating "CISCO-LWAPP-CONTROLLER"...domain server (8.8.8.8)
*Jul 3 22:33:18.959: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Jul 3 22:33:19.083: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
*Jul 3 22:33:19.207: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-LWAPP-CONTROLLER
Here is my configuration:
Natural#SHOW RUNNing-config
Building configuration...
Current configuration : 5681 bytes
! Last configuration change at 19:56:22 UTC Wed Oct 16 2013 by juanrifle
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Natural
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
no aaa new-model
memory-size iomem 10
service-module wlan-ap 0 bootimage autonomous
crypto pki trustpoint TP-self-signed-634714217
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-634714217
revocation-check none
rsakeypair TP-self-signed-634714217
crypto pki certificate chain TP-self-signed-634714217
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 36333437 31343231 37301E17 0D313331 30313131 38343833
395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3633 34373134
32313730 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
E814BC99 A2374C6C C52A0828 7D8D2215 5220B891 63F3CB16 C03D6F00 F3ECF2E9
BE71FB32 9D1388FA 608C3267 3105F7E9 4A0FADDB C3031255 2054BF5D 971D4B0F
AD5914F8 8D7E9CF3 FBDDD586 63C8D981 3C32F53F E43CE93F 20930CFA 9F6055E7
810AF11D D8CBF7EA D6D5B680 B9AA465C EA9D533B A8E39059 6401101F D81939C9
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 168014A1 4A274F69 1972E173 6F458E3E 67212F22 A21F3F30 1D060355
1D0E0416 0414A14A 274F6919 72E1736F 458E3E67 212F22A2 1F3F300D 06092A86
4886F70D 01010505 00038181 006B165B E1CABC78 F125A399 A8DB860B 7A134E69
A342D73A A5215D08 E675406C 318E1877 EFCBB5E8 747291F3 6D39D0CD DD38FE96
E4829127 A2BB4F47 CF1BA9A1 43631C0B BE5932A7 BDE1EAEB 98F832AC 83EAB223
141BB6A0 3ECD607B 8E126FDC 5AC8AD12 28F8DB6A 9742994B 063610C6 D5144944
8A129632 AC689172 1B108332 44
quit
ip cef
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.145
ip dhcp excluded-address 10.10.10.153
ip dhcp excluded-address 10.10.10.1 10.10.10.2
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
dns-server 8.8.8.8 200.87.100.10
lease 0 2
ip dhcp pool ccp
dns-server 8.8.8.8 200.87.100.10
ip dhcp pool Oficina wireless pool
import all
network 10.10.10.144 255.255.255.248
default-router 10.10.10.145
dns-server 8.8.8.8 200.87.100.10
ip dhcp pool guest pool
import all
network 10.10.10.152 255.255.255.248
default-router 10.10.10.153
dns-server 8.8.8.8 200.87.100.10
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
multilink bundle-name authenticated
license udi pid CISCO892FW-A-K9 sn FTX172783RH
username ******** privilege 15 password 0 ******
username ******** privilege 15 secret 4 df2cx1EOReyOFTzHQGHyju0MCCMPPDggzToRobK46vI
redundancy
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
interface FastEthernet0
no ip address
spanning-tree portfast
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
no ip address
interface FastEthernet5
no ip address
interface FastEthernet6
no ip address
interface FastEthernet7
no ip address
interface FastEthernet8
description modem adsl
ip address dhcp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport trunk allowed vlan 1-3,1002-1005
switchport mode trunk
no ip address
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface Vlan2
description wireless oficina
ip address 10.10.10.145 255.255.255.248
ip nat inside
ip virtual-reassembly in
interface Vlan3
description wireless guest
ip address 10.10.10.153 255.255.255.248
ip nat inside
ip virtual-reassembly in
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-export destination 10.10.10.5 2055
ip nat inside source list 110 interface FastEthernet8 overload
ip sla auto discovery
access-list 10 permit 10.10.10.0 0.0.0.7
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
access-list 120 remark wireless guest Restriction
access-list 120 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
access-list 120 permit ip 10.10.10.152 0.0.0.7 any
access-list 120 deny ip 10.10.10.152 0.0.0.7 0.0.0.0 255.255.255.0
access-list 120 deny ip 10.10.10.152 0.0.0.7 172.16.0.0 0.15.255.255
access-list 120 deny ip 10.10.10.152 0.0.0.7 192.168.0.0 0.0.255.255
no cdp run
control-plane
mgcp profile default
line con 0
login local
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin udptn ssh
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
end
Natural#
Hi Andrew,
A LAP always downloads the image running on the WLC (in this case a 3850), so there is no point upgrading the LAP independently, as it will always sync with the image running on the controller it joins.
In this case you can upgrade the 3850 to 3.3.2 (which is the latest image as of today) if you are not already running that code.
HTH
Rasika
**** Pls rate all useful responses **** -
I have upgraded a 2504 controller to 8.0.110.0. Since then I see this error message every two minutes:
wlc: *spamApTask7: Feb 17 12:07:23.854: #CAPWAP-3-DISC_AP_MGR_ERR1: capwap_ac_sm.c:2008 The system is unable to process Primary discovery request from AP [mac-address] on interface (1), VLAN (10), could not get IPv6 AP manager
The controller does not have IPv6 address configured (i.e. it's still ::/128).
The error only appears for the two 1602i APs in the network, not for the 1131ag.
All access points are connected to the controller and operate normally.
How do I get rid of these errors?
Thanks,
Gerald
Global IPv6 config is enabled as I need IPv6, and as far as I understand clients won't be able to use IPv6 otherwise.
I haven't found a way to disable IPv6 for discovery...
Gerald -
Could not resolve CISCO-CAPWAP-CONTROLLER
I have an access point in Singapore which is trying to connect to a controller in Canada. I think I am having a latency issue. Is there a way of increasing the timeout period to allow the AP to join the controller before the initial request fails?
Thanks
Hi
Make sure the AP regulatory domain matches the country configured on your WLC. If that is all good, you can configure this on the AP via console and the AP should go and register to your WLC.
LAP#debug capwap console cli
This command is meant only for debugging/troubleshooting
Any configuration change may result in different
behavior from centralized configuration.
CAPWAP console CLI allow/disallow debugging is on
LAP#capwap ap primary-base <WLC-Name> <WLC-Mgt-IP>
If not, post the full AP console output while it is trying to register.
HTH
Rasika
**** Pls rate all useful responses **** -
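Rasika's reply shows the static method (capwap ap primary-base). The H-REAP note quoted earlier on this page lists DHCP option 43 and DNS (CISCO-CAPWAP-CONTROLLER) as the usual discovery paths, and the console output in the 892FW thread shows what an AP prints when the DNS path fails. As an added example, not code from this thread or from Cisco, here is a small Python encoder/decoder for the Cisco option 43 vendor sub-option that carries controller addresses (sub-option 0xf1, one length byte, then 4 bytes per IPv4 address), plus a generator for the matching IOS DHCP pool lines. The pool name, network and controller addresses are constructed sample values.

```python
import ipaddress
from typing import List

# Cisco lightweight APs read their controller list from DHCP option 43 as a
# vendor-specific TLV: sub-option 0xf1 (241), a one-byte length, then N IPv4
# addresses packed as 4 bytes each, so the length is always 4 * N.
CAPWAP_WLC_SUBOPTION = 0xF1


def encode_option43(controllers: List[str]) -> str:
    """Return the hex string that goes after 'option 43 hex' in an IOS DHCP pool."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    payload = b"".join(ipaddress.IPv4Address(ip).packed for ip in controllers)
    if len(payload) > 255:
        raise ValueError("too many controllers for the one-byte length field")
    return bytes([CAPWAP_WLC_SUBOPTION, len(payload)]).hex() + payload.hex()


def decode_option43(hex_string: str) -> List[str]:
    """Walk every vendor-specific TLV and return the controller addresses found in 0xf1.
    Other sub-options are skipped; truncated or misaligned data is rejected."""
    data = bytes.fromhex(hex_string)
    found: List[str] = []
    off = 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError(f"truncated TLV header at offset {off}")
        tag, length = data[off], data[off + 1]
        value = data[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError(f"TLV {tag:#x} claims {length} bytes, only {len(value)} present")
        if tag == CAPWAP_WLC_SUBOPTION:
            if length % 4:
                raise ValueError(f"sub-option {tag:#x} length {length} is not a multiple of 4")
            found.extend(str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4))
        off += 2 + length
    return found


def ios_pool_lines(pool: str, network: str, router: str, controllers: List[str]) -> List[str]:
    """IOS DHCP pool stanza that hands the WLC list to APs via option 43 (constructed values)."""
    net = ipaddress.IPv4Network(network, strict=True)
    return [
        f"ip dhcp pool {pool}",
        f" network {net.network_address} {net.netmask}",
        f" default-router {router}",
        f" option 43 hex {encode_option43(controllers)}",
    ]


if __name__ == "__main__":
    # Constructed sample: an AP VLAN with two controllers.
    print("\n".join(ios_pool_lines("AP-POOL", "10.10.20.0/24", "10.10.20.1",
                                   ["192.168.100.2", "192.168.100.3"])))
```

The decoder is the half worth keeping around: pasting the hex from an existing pool into it shows whether the value really lists the controllers you expect, which is the first thing to check when an AP logs that it could not resolve CISCO-CAPWAP-CONTROLLER and you intended DHCP to answer instead.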
VWLC 7.4 and AP 1602 - CAPWAP fails
Hi guys!
In my lab, everything just worked fine. Now the AP1602 is on the customer site. The AP gets the vWLC IP address via DHCP options 43 and 60. If I debug on the vWLC console with the command "debug capwap detail enable":
(Cisco Controller) >debug capwap detail enable
*spamApTask0: Jul 01 12:04:26.669: 68:86:a7:cb:f6:d0 CAPWAP Control Msg Received from 10.10.10.215:16281
*spamApTask0: Jul 01 12:04:26.683: 68:86:a7:cb:f6:d0 CAPWAP Control Msg Received from 10.10.10.215:16281
*spamApTask0: Jul 01 12:04:26.690: 68:86:a7:cb:f6:d0 CAPWAP Control Msg Received from 10.10.10.215:16281
*spamApTask0: Jul 01 12:04:26.690: 68:86:a7:cb:f6:d0 DTLS connection 0x10fb84e0 closed by controller
*spamApTask0: Jul 01 12:04:26.691: 68:86:a7:cb:f6:d0 CAPWAP Control Msg Received from 10.10.10.215:16281
*spamApTask0: Jul 01 12:04:26.691: CAPWAP DTLS connection closed msg
*spamApTask2: Jul 01 12:05:09.168: 00:1f:6c:8a:4d:41 CAPWAP Control Msg Received from 10.10.10.156:57832
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 packet received of length 123 from 10.10.10.156:57832
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Msg Type = 1 Capwap state = 0
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 msgEleLength = 1 msgEleType = 20
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Total msgEleLen = 94
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 msgEleLength = 40 msgEleType = 39
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Total msgEleLen = 50
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 msgEleLength = 1 msgEleType = 41
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Total msgEleLen = 45
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 msgEleLength = 1 msgEleType = 44
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Total msgEleLen = 40
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 msgEleLength = 10 msgEleType = 37
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Vendor specific payload from AP 34:A8:4E:BA:47:40 validated
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Total msgEleLen = 26
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 msgEleLength = 22 msgEleType = 37
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Vendor specific payload from AP 34:A8:4E:BA:47:40 validated
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Total msgEleLen = 0
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 1. 0 0
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 2. 232 3
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 3. 0 0
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 4. 200 0
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Discovery resp: AC Descriptor message element len = 40
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 acName = Cisco_92:e4:7b
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Discovery resp:AC Name message element length = 58
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Discovery resp: WTP Radio Information msg length = 67
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Discovery resp: CAPWAP Control IPV4 Address len = 77
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Discovery resp: CAPWAP Control IPV6 Address len = 99
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Discovery resp: Mwar type payload len = 110
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 Discovery resp: Time sync payload len = 125
*spamApTask2: Jul 01 12:05:09.168: 34:a8:4e:ba:47:40 WTP already released
In the web interface, Management -> Logs -> Message logs, I see: "DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake with peer 10.10.10.156"
Do you have any ideas why it doesn't work? Why is the DTLS connection closed by the vWLC?
Guys,
I think I am talking about this bug here: CSCua55382. We can find more details here:
http://www.cisco.com/image/gif/paws/113677/virtual-wlan-dg-00.pdf
Known Issue: AP(s) not joining vWLC − The AP must get the hash entry from a legacy controller before it joins a vWLC.
• An AP must be at software version 7.3.1.35 and above to successfully join a virtual controller. Virtual controllers use SSC in order to validate an AP before joining.
• An AP at version 7.3 can validate the SSC certificate provided by the virtual controller.
• After successful certificate validation, an AP will check the hash key of the virtual controller in the list of stored keys in flash. If it matches the stored hash, validation is passed and the AP moves to the RUN state. If hash validation fails, it will disconnect from the controller and restart the discovery process.
• The hash validation, which is an extra authorization step, will be performed only if the AP is joining a virtual controller. There will be a knob to turn on/off hash key validation.
• By default, hash validation is enabled, which means that the AP needs to have the virtual controller hash key in its flash before it can successfully complete association with the virtual controller. If the knob is turned off, the AP will bypass the hash validation and move directly to the RUN state.
• The hash key can be configured in the controller mobility configurations, which gets pushed to all the APs which are joined. The AP will save this configuration until it successfully associates to another controller. After which, it inherits the hash key configuration from the new controller.
• Typically, APs can join a traditional controller, download the hash keys, and then join a virtual controller. However, if it is joined to a traditional controller, the hash validation knob can be turned off and it can join any virtual controller. The administrator can decide to keep the knob on or off.
This information is captured in Cisco bug ID CSCua55382.
Exceptions:
• If the AP does not have any hash key in its flash, it will bypass the hash validation, assuming that it is a first time installation.
♦ In this case, the hash validation is bypassed irrespective of whether the hash validation knob is on/off.
♦ Once it successfully joins the controller, it will inherit the mobility group member hash configuration (if configured in the controller). After which, it can join a virtual controller only if it has a hash key entry in its database.
• Clearing the AP configuration from the controller or on the AP console will result in the erasing of all the hash keys. After which, the AP joins the virtual controller as if it is a first time installation.
♦ AP> test capwap erase
♦ AP> test capwap restart
So... because I connected my AP to the vWLC in my lab, it downloaded hash keys. Without erasing these keys, the AP was unable to establish a DTLS tunnel with another vWLC.
Hope that helps! -
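The vWLC debug above prints the Discovery Request one message element at a time (msgEleType, msgEleLength, and a running "Total msgEleLen" that counts down to 0), and the AP error logs in the threads that follow refer to messages only by number ("message type 7", "AC Message Type 4"). As an added example, not code from this thread or from Cisco, the following Python walks a CAPWAP control header and its Type/Length/Value message elements as laid out in RFC 5415 and names the types. The Discovery Request it parses is constructed so that its element sizes (1, 40, 1, 1, 10, 22) mirror the debug above; the element contents are filler, the enterprise number in the vendor payloads is an assumption for the sample, and the parser rejects a truncated message or an element that overruns it rather than reading past the end.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Control message types from RFC 5415 section 4.5.1.1 (enterprise number 0 in the high 24 bits).
MSG_TYPES = {1: "Discovery Request", 2: "Discovery Response", 3: "Join Request", 4: "Join Response",
             5: "Configuration Status Request", 6: "Configuration Status Response",
             7: "Configuration Update Request", 8: "Configuration Update Response",
             9: "Echo Request", 10: "Echo Response", 11: "Image Data Request", 12: "Image Data Response",
             13: "Reset Request", 14: "Reset Response",
             15: "Primary Discovery Request", 16: "Primary Discovery Response"}
# Message element types from RFC 5415 section 4.6 (only the ones that appear in the debug above).
ELEMENT_TYPES = {1: "AC Descriptor", 4: "AC Name", 10: "CAPWAP Control IPv4 Address",
                 11: "CAPWAP Control IPv6 Address", 20: "Discovery Type", 37: "Vendor Specific Payload",
                 38: "WTP Board Data", 39: "WTP Descriptor", 41: "WTP Frame Tunnel Mode", 44: "WTP MAC Type"}
DISCOVERY_TYPES = {0: "Unknown", 1: "Static Configuration", 2: "DHCP", 3: "DNS", 4: "AC Referral"}
CISCO_ENTERPRISE = 9  # IANA enterprise number for the Vendor Specific Payload header (assumed for the sample)


@dataclass
class Element:
    etype: int
    value: bytes
    remaining: int  # element bytes still unparsed after this one: the debug's "Total msgEleLen"

    @property
    def name(self) -> str:
        return ELEMENT_TYPES.get(self.etype, f"Unknown({self.etype})")


@dataclass
class ControlMessage:
    msg_type: int
    seq: int
    flags: int
    elements: List[Element]

    @property
    def name(self) -> str:
        return MSG_TYPES.get(self.msg_type, f"Unknown({self.msg_type})")


def build_control_message(msg_type: int, seq: int, elements: List[Tuple[int, bytes]]) -> bytes:
    """Control header followed by TLV elements, each Type(2) Length(2) Value."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in elements)
    # Msg Element Length counts every byte after Seq Num: the length field itself (2),
    # the Flags byte (1) and the elements.
    return struct.pack("!IBHB", msg_type, seq, 3 + len(body), 0) + body


def parse_control_message(data: bytes) -> ControlMessage:
    """Check the declared length against the bytes present, then walk the elements."""
    if len(data) < 8:
        raise ValueError("short control header")
    msg_type, seq, declared, flags = struct.unpack("!IBHB", data[:8])
    body = data[8:]
    if declared != 3 + len(body):
        raise ValueError(f"Msg Element Length {declared} does not match {3 + len(body)} bytes present")
    elements: List[Element] = []
    off = 0
    while off < len(body):
        if len(body) - off < 4:
            raise ValueError(f"truncated element header at offset {off}")
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        end = off + 4 + elen
        if end > len(body):
            raise ValueError(f"element type {etype} length {elen} overruns the message")
        elements.append(Element(etype, body[off + 4:end], len(body) - end))
        off = end
    return ControlMessage(msg_type, seq, flags, elements)


def is_well_formed(data: bytes) -> bool:
    try:
        parse_control_message(data)
        return True
    except ValueError:
        return False


def vendor_payload(element_id: int, data: bytes) -> bytes:
    """Vendor Specific Payload body: Vendor Identifier(4) Element ID(2) Data."""
    return struct.pack("!IH", CISCO_ENTERPRISE, element_id) + data


# Constructed Discovery Request whose element sizes mirror the vWLC debug above.
SAMPLE_DISCOVERY_REQUEST = build_control_message(1, 0, [
    (20, bytes([2])),                        # Discovery Type: DHCP
    (39, b"\x00" * 40),                      # WTP Descriptor, 40 bytes of filler
    (41, bytes([0x02])),                     # WTP Frame Tunnel Mode bitmap (filler)
    (44, bytes([0x00])),                     # WTP MAC Type: Local MAC
    (37, vendor_payload(1, b"\x00" * 4)),    # vendor element, 10 bytes total
    (37, vendor_payload(2, b"\x00" * 16)),   # vendor element, 22 bytes total
])
# Constructed malformed message: header consistent, but the element claims 10 bytes where 4 exist.
SAMPLE_OVERRUN = struct.pack("!IBHB", 1, 0, 3 + 8, 0) + struct.pack("!HH", 20, 10) + b"\x00" * 4


if __name__ == "__main__":
    msg = parse_control_message(SAMPLE_DISCOVERY_REQUEST)
    print(f"Msg Type = {msg.msg_type} ({msg.name})")
    for e in msg.elements:
        print(f"msgEleLength = {len(e.value)} msgEleType = {e.etype} ({e.name}); Total msgEleLen = {e.remaining}")
```

Run as-is, the main block prints the same countdown the controller logged (94, 50, 45, 40, 26, 0), which makes the debug output easier to read against the RFC layout. The DTLS failure discussed in this thread happens before any of this: the controller closed the DTLS session during the hash check, so the Join Request that would normally follow the Discovery exchange was never decoded.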
WLC 5508 - LAP1242: Failed to handle capwap control message from controller
Hello everyone,
after finally successfully upgrading my WLCs from 6.0.199.4 to 7.6.100.0, there is another problem showing up...
If I try to change any configuration regarding the APs on the WLCs (which doesn't work), I get the following error messages from the APs:
*spamApTask7: Feb 27 14:34:00.558: 00:3a:9a:d6:5d:30 Test-AP-09-03: *Feb 27 13:34:00.169: %CAPWAP-3-ERRORLOG: Validate Msg: msg type 12 does not supported payload 215
*spamApTask7: Feb 27 14:34:00.558: 00:3a:9a:d6:5d:30 Test-AP-09-03: *Feb 27 13:34:00.169: %CAPWAP-3-ERRORLOG: Validate Msg: error in Unknown Payload(215) payload (received length = 9, payload type = 215)
*spamApTask7: Feb 27 14:34:00.558: 00:3a:9a:d6:5d:30 Test-AP-09-03: *Feb 27 13:34:00.170: %CAPWAP-3-ERRORLOG: Failed to validate vendor specific message element type 215 len 9.
*spamApTask7: Feb 27 14:34:00.558: 00:3a:9a:d6:5d:30 Test-AP-09-03: *Feb 27 13:34:00.170: %CAPWAP-3-ERRORLOG: Failed to decode Configuration update request.
*spamApTask7: Feb 27 14:34:00.558: 00:3a:9a:d6:5d:30 Test-AP-09-03: *Feb 27 13:34:00.170: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 7 state 11.
*spamApTask7: Feb 27 14:34:00.558: 00:3a:9a:d6:5d:30 Test-AP-09-03: *Feb 27 13:34:00.171: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
Find attached some information regarding the AP and the 5508.
Any suggestions are, as always, highly appreciated.
Regards
Manuel
Good morning,
If I need free space on the flash: how much is "enough" to handle config changes?
Here you can see the filesystem of one of my access points (all are affected):
AP#dir all-filesystems
Directory of arch:/
2 -rwx 91288 Feb 22 2014 18:16:42 +00:00 event.log
8 drwx 448 Feb 22 2014 18:16:38 +00:00 c1240-k9w8-mx.124-25e.JAO3
4 drwx 0 Nov 2 2011 23:32:18 +00:00 configs
5 -rwx 397 Feb 22 2014 18:19:03 +00:00 env_vars
6 -rwx 6168 Feb 27 2014 18:14:24 +00:00 private-multiple-fs
No space information available
Directory of flash:/
2 -rwx 91288 Feb 22 2014 18:16:42 +00:00 event.log
8 drwx 448 Feb 22 2014 18:16:38 +00:00 c1240-k9w8-mx.124-25e.JAO3
4 drwx 0 Nov 2 2011 23:32:18 +00:00 configs
5 -rwx 397 Feb 22 2014 18:19:03 +00:00 env_vars
6 -rwx 6168 Feb 27 2014 18:14:24 +00:00 private-multiple-fs
15740928 bytes total (10614784 bytes free)
Directory of zflash:/
2 -rwx 91288 Feb 22 2014 18:16:42 +00:00 event.log
8 drwx 448 Feb 22 2014 18:16:38 +00:00 c1240-k9w8-mx.124-25e.JAO3
4 drwx 0 Nov 2 2011 23:32:18 +00:00 configs
5 -rwx 397 Feb 22 2014 18:19:03 +00:00 env_vars
6 -rwx 6168 Feb 27 2014 18:14:24 +00:00 private-multiple-fs
15740928 bytes total (10614784 bytes free)
Directory of archive:/
No files in directory
No space information available
Directory of system:/
2 dr-x 0 memory
1 -rw- 17631 running-config
No space information available
Directory of nvram:/
30 -rw- 0 startup-config
31 ---- 0 private-config
1 ---- 4100 lwapp_ap.cfg
6 ---- 528 lwapp_ap_tlv.cfg
32768 bytes total (26572 bytes free)
Regards, Manuel -
Autonomous 1252 converted to CAPWAP will not join 5508 WLC
WLC 5508 firmware is v6.0.188.0
I've tried updating the autonomous 1252 via both the upgrade tool 3.4 and 'archive download-sw' from the CLI
I've tried multiple recovery images
c1250-rcvk9w8-tar.124-21a.JA2.tar
c1250-rcvk9w8-tar.124-10b.JDA.tar
After AP reboots with recovery image it joins WLC and downloads new CAPWAP image then reboots again
AP will not rejoin WLC with updated CAPWAP firmware
Any help with this is greatly appreciated!
Thanks in advance and happy holidays,
Scott
Error Msg from 1252 console
*Dec 18 15:52:50.691: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.2 peer_port: 5246
*Dec 18 15:52:50.695: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
*Dec 18 15:52:50.695: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
*Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
*Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.100.2
Additional info
WLC Debugs Enabled:
MAC address ................................ c4:7d:4f:39:31:e2
Debug Flags Enabled:
aaa detail enabled.
capwap error enabled.
capwap critical enabled.
capwap events enabled.
capwap state enabled.
dtls event enabled.
lwapp events enabled.
lwapp errors enabled.
pm pki enabled.
WLC Debug Output:
*Dec 18 10:51:51.575: dtls_conn_hash_search: Connection not found in hash table - Table empty.
*Dec 18 10:51:51.575: sshpmGetCID: called to evaluate <cscoDefaultIdCert>
*Dec 18 10:51:51.575: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
*Dec 18 10:51:51.575: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
*Dec 18 10:51:51.575: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
*Dec 18 10:51:51.575: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
*Dec 18 10:51:51.575: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
*Dec 18 10:51:51.575: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
*Dec 18 10:51:51.575: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
*Dec 18 10:51:51.575: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
*Dec 18 10:51:51.575: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
*Dec 18 10:51:51.575: sshpmGetCertFromCID: called to get cert for CID 154c7072
*Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<
*Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<
*Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<
*Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<
*Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<
*Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<
*Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<
*Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultIdCert<
*Dec 18 10:51:51.575: sshpmGetCertFromCID: comparing to row 2, certname >cscoDefaultIdCert<
*Dec 18 10:51:51.575: sshpmGetCID: called to evaluate <cscoDefaultIdCert>
*Dec 18 10:51:51.575: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
*Dec 18 10:51:51.575: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
*Dec 18 10:51:51.575: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
*Dec 18 10:51:51.575: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
*Dec 18 10:51:51.575: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
*Dec 18 10:51:51.575: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
*Dec 18 10:51:51.575: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
*Dec 18 10:51:51.575: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
*Dec 18 10:51:51.575: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
*Dec 18 10:51:51.575: sshpmGetSshPrivateKeyFromCID: called to get key for CID 154c7072
*Dec 18 10:51:51.575: sshpmGetSshPrivateKeyFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<
*Dec 18 10:51:51.576: sshpmGetSshPrivateKeyFromCID: comparing to row 1, certname >bsnDefaultIdCert<
*Dec 18 10:51:51.576: sshpmGetSshPrivateKeyFromCID: comparing to row 2, certname >cscoDefaultIdCert<
*Dec 18 10:51:51.576: sshpmGetSshPrivateKeyFromCID: match in row 2
*Dec 18 10:51:51.692: acDtlsCallback: Certificate installed for PKI based authentication.
*Dec 18 10:51:51.693: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=0
*Dec 18 10:51:51.693: local_openssl_dtls_record_inspect: msg=ClientHello len=44 seq=0 frag_off=0 frag_len=44
*Dec 18 10:51:51.693: openssl_dtls_process_packet: Handshake in progress...
*Dec 18 10:51:51.693: local_openssl_dtls_send: Sending 60 bytes
*Dec 18 10:51:51.694: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246 Peer 192.168.100.54:62227
*Dec 18 10:51:51.694: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=1
*Dec 18 10:51:51.694: local_openssl_dtls_record_inspect: msg=ClientHello len=76 seq=1 frag_off=0 frag_len=76
*Dec 18 10:51:51.695: openssl_dtls_process_packet: Handshake in progress...
*Dec 18 10:51:51.695: local_openssl_dtls_send: Sending 544 bytes
*Dec 18 10:51:51.695: local_openssl_dtls_send: Sending 544 bytes
*Dec 18 10:51:51.696: local_openssl_dtls_send: Sending 314 bytes
*Dec 18 10:51:51.712: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246 Peer 192.168.100.54:62227
*Dec 18 10:51:51.712: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=2
*Dec 18 10:51:51.712: local_openssl_dtls_record_inspect: msg=Certificate len=1146 seq=2 frag_off=0 frag_len=519
*Dec 18 10:51:51.712: openssl_dtls_process_packet: Handshake in progress...
*Dec 18 10:51:51.712: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246 Peer 192.168.100.54:62227
*Dec 18 10:51:51.712: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=3
*Dec 18 10:51:51.712: local_openssl_dtls_record_inspect: msg=Certificate len=1146 seq=2 frag_off=519 frag_len=519
*Dec 18 10:51:51.713: openssl_dtls_process_packet: Handshake in progress...
*Dec 18 10:51:51.713: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246 Peer 192.168.100.54:62227
*Dec 18 10:51:51.713: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=4
*Dec 18 10:51:51.713: local_openssl_dtls_record_inspect: msg=Certificate len=1146 seq=2 frag_off=1038 frag_len=108
*Dec 18 10:51:51.714: sshpmGetIssuerHandles: locking ca cert table
*Dec 18 10:51:51.714: sshpmGetIssuerHandles: calling x509_alloc() for user cert
*Dec 18 10:51:51.714: sshpmGetIssuerHandles: calling x509_decode()
*Dec 18 10:51:51.719: sshpmGetIssuerHandles: <subject> C=US, ST=California, L=San Jose, O=Cisco Systems, CN=C1250-c47d4f3931e2, [email protected]
*Dec 18 10:51:51.719: sshpmGetIssuerHandles: <issuer> O=Cisco Systems, CN=Cisco Manufacturing CA
*Dec 18 10:51:51.719: sshpmGetIssuerHandles: Mac Address in subject is c4:7d:4f:39:31:e2
*Dec 18 10:51:51.719: sshpmGetIssuerHandles: Cert Name in subject is C1250-c47d4f3931e2
*Dec 18 10:51:51.719: sshpmGetIssuerHandles: Cert is issued by Cisco Systems.
*Dec 18 10:51:51.719: sshpmGetCID: called to evaluate <cscoDefaultMfgCaCert>
*Dec 18 10:51:51.719: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
*Dec 18 10:51:51.719: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
*Dec 18 10:51:51.719: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
*Dec 18 10:51:51.719: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
*Dec 18 10:51:51.719: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
*Dec 18 10:51:51.719: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
*Dec 18 10:51:51.719: sshpmGetCertFromCID: called to get cert for CID 2ab15c0a
*Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<
*Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<
*Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<
*Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<
*Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<
*Dec 18 10:51:51.719: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<
*Dec 18 10:51:51.719: ssphmUserCertVerify: calling x509_decode()
*Dec 18 10:51:51.730: ssphmUserCertVerify: user cert verfied using >cscoDefaultMfgCaCert<
*Dec 18 10:51:51.730: sshpmGetIssuerHandles: ValidityString (current): 2009/12/18/15:51:51
*Dec 18 10:51:51.730: sshpmGetIssuerHandles: ValidityString (NotBefore): 2009/11/03/00:47:36
*Dec 18 10:51:51.730: sshpmGetIssuerHandles: ValidityString (NotAfter): 2019/11/03/00:57:36
*Dec 18 10:51:51.730: sshpmGetIssuerHandles: getting cisco ID cert handle...
*Dec 18 10:51:51.730: sshpmGetCID: called to evaluate <cscoDefaultIdCert>
*Dec 18 10:51:51.730: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
*Dec 18 10:51:51.730: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
*Dec 18 10:51:51.730: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
*Dec 18 10:51:51.730: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
*Dec 18 10:51:51.730: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
*Dec 18 10:51:51.730: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
*Dec 18 10:51:51.730: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
*Dec 18 10:51:51.730: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
*Dec 18 10:51:51.730: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
*Dec 18 10:51:51.731: sshpmFreePublicKeyHandle: called with 0x1f1f3b8c
*Dec 18 10:51:51.731: sshpmFreePublicKeyHandle: freeing public key
*Dec 18 10:51:51.731: openssl_shim_cert_verify_callback: Certificate verification - passed!
*Dec 18 10:51:51.732: openssl_dtls_process_packet: Handshake in progress...
*Dec 18 10:51:52.155: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246 Peer 192.168.100.54:62227
*Dec 18 10:51:52.155: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=5
*Dec 18 10:51:52.155: local_openssl_dtls_record_inspect: msg=ClientKeyExchange len=258 seq=3 frag_off=0 frag_len=258
*Dec 18 10:51:52.269: openssl_dtls_process_packet: Handshake in progress...
*Dec 18 10:51:52.269: dtls_conn_hash_search: Searching hash for Local 192.168.100.2:5246 Peer 192.168.100.54:62227
*Dec 18 10:51:52.269: local_openssl_dtls_record_inspect: record=Handshake epoch=0 seq=6
*Dec 18 10:51:52.269: local_openssl_dtls_record_inspect: msg=CertificateVerify len=258 seq=4 frag_off=0 frag_len=258
*Dec 18 10:51:52.269: local_openssl_dtls_record_inspect: record=ChangeCipherSpec epoch=0 seq=7
*Dec 18 10:51:52.269: local_openssl_dtls_record_inspect: record=Handshake epoch=1 seq=0
*Dec 18 10:51:52.269: local_openssl_dtls_record_inspect: msg=Unknown or Encrypted
*Dec 18 10:51:52.273: openssl_dtls_process_packet: Connection established!
*Dec 18 10:51:52.273: acDtlsCallback: DTLS Connection 0x167c5c00 established
*Dec 18 10:51:52.273: openssl_dtls_mtu_update: Setting DTLS MTU for link to peer 192.168.100.54:62227
*Dec 18 10:51:52.273: local_openssl_dtls_send: Sending 91 bytes
*Dec 18 10:53:06.183: sshpmLscTask: LSC Task received a message 4
Aironet 1252 Console Debug:
*Dec 16 11:07:12.055: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Dec 18 15:51:40.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.2 peer_port: 5246
*Dec 18 15:51:40.999: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Dec 18 15:51:41.695: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.2 peer_port: 5246
*Dec 18 15:51:41.699: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
*Dec 18 15:51:41.699: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
*Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
*Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Dec 18 15:51:41.699: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.100.2
*Dec 18 15:51:46.695: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
*Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
*Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
*Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Dec 18 15:51:46.695: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.100.2
*Dec 18 15:52:39.999: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 192.168.100.2:5246
*Dec 18 15:52:40.039: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Dec 18 15:52:40.039: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Dec 18 15:52:40.051: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Dec 18 15:52:40.051: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Dec 18 15:52:40.059: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 18 15:52:40.063: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
*Dec 18 15:52:40.079: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 18 15:52:40.079: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Dec 18 15:52:50.059: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Dec 18 15:52:50.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.2 peer_port: 5246
*Dec 18 15:52:50.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Dec 18 15:52:50.691: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.100.2 peer_port: 5246
*Dec 18 15:52:50.695: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
*Dec 18 15:52:50.695: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
*Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
*Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Dec 18 15:52:50.695: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.100.2
*Dec 18 15:52:55.691: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.2
*Dec 18 15:52:55.691: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 192.168.100.2
*Dec 18 15:52:55.691: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
*Dec 18 15:52:55.691: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Dec 18 15:52:55.691: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.1
Nathan and Leo are alluding to CSCte01087. Basically the caveat is that DTLS fails on a non-00:xx:xx:xx:xx:xx L2 first hop, e.g. if the APs are on the same VLAN as the management interface, they must have 00 MACs; if they are on a different VLAN, the WLC/AP gateway must have a 00 MAC. If the workaround below does not suit your environment, open a TAC case for an image with the fix.
Symptom:
An access point running 6.0.188.0 code may be unable to join a WLC5508.
Messages similar to the following will be seen on the AP.
%CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
%CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message
Conditions:
At least one of the following conditions pertains:
- The high order byte of the AP's MAC address is nonzero, and the AP is in
the same subnet as the WLC5508's management (or AP manager) interface
- The WLC's management (or AP manager) interface's default gateway's
MAC address' high order byte is nonzero.
Workaround:
If the MAC address of the WLC's default gateway does not begin with 00,
and if all of the APs' MAC addresses begin with 00, then: you can put
the APs into the same subnet as the WLC's management (or AP manager)
interface.
In the general case, for the situation where the WLC's default gateway's
MAC does not begin with 00, you can address this by changing it to begin
with 00. Some methods for doing this include:
-- use the "mac-address" command on the gateway, to set a MAC address
that begins with 00
-- then enable HSRP on the gateway (standby ip ww.xx.yy.zz) and use this
IP as the WLC's gateway.
For the case where the APs' MAC addresses do not begin with 00, then make
sure that they are *not* in the same subnet as the WLC's management
(AP manager) interface, but are behind a router.
Another workaround is to downgrade to 6.0.182.0. However, after
downgrading the WLC to 6.0.182.0, any APs that have 6.0.188.0 IOS
(i.e. 12.4(21a)JA2) still installed on them will be unable to join.
Therefore, after downgrading the WLC, the APs will need to have a
pre-12.4(21a)JA2 rcvk9w8 or k9w8 image installed on them.
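As an added example (not from this thread or from Cisco), a small Python check that evaluates the two CSCte01087 conditions quoted above for a list of APs and reports which of the quoted workarounds applies. The /24 mask on the WLC's 192.168.100.2 management address, the gateway MAC and two of the three sample APs are constructed values; the C1250 and its MAC are the ones the WLC debug above printed.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


def high_order_byte(mac: str) -> int:
    """First octet of a MAC given as aa:bb:cc:dd:ee:ff, aa-bb-..., or aabb.ccdd.eeff."""
    digits = "".join(ch for ch in mac if ch.isalnum())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits[:2], 16)


@dataclass
class Ap:
    name: str
    ip: str   # the AP's IP address
    mac: str  # the AP's Ethernet MAC (the one in the cert subject in the WLC debug)


def check_cscte01087(mgmt_network: str, gateway_mac: str, aps: list[Ap]) -> dict:
    """Evaluate the two conditions from the bug text and map them to its workarounds.

    mgmt_network: the WLC management (or AP manager) subnet in CIDR form.
    gateway_mac:  MAC of that interface's default gateway.
    """
    net = ipaddress.ip_network(mgmt_network, strict=False)
    findings: list[str] = []
    workarounds: list[str] = []

    # Condition 2: the WLC gateway's MAC does not begin with 00.
    if high_order_byte(gateway_mac) != 0:
        findings.append(f"gateway MAC {gateway_mac} has a nonzero high-order byte")
        workarounds.append(
            "change the gateway MAC to begin with 00 ('mac-address' on the gateway, "
            "or an HSRP standby address used as the WLC's gateway)"
        )
        if all(high_order_byte(ap.mac) == 0 for ap in aps):
            workarounds.append(
                "all APs have 00 MACs: placing them in the WLC management subnet also works"
            )

    # Condition 1: an AP with a non-00 MAC sits in the management subnet.
    for ap in aps:
        in_mgmt = ipaddress.ip_address(ap.ip) in net
        if in_mgmt and high_order_byte(ap.mac) != 0:
            findings.append(f"{ap.name}: non-00 MAC {ap.mac} inside {net}")
            workarounds.append(f"move {ap.name} out of {net}, behind a router")

    return {"affected": bool(findings), "findings": findings, "workarounds": workarounds}


# Constructed sample: the WLC management subnet assumed to be 192.168.100.0/24,
# the C1250 whose certificate subject the WLC logged, plus two made-up APs.
SAMPLE_APS = [
    Ap("C1250-c47d4f3931e2", "192.168.100.54", "c4:7d:4f:39:31:e2"),
    Ap("ap-branch-1", "10.20.0.7", "c4:7d:4f:aa:bb:cc"),    # constructed
    Ap("ap-old-1", "192.168.100.60", "00:1b:2c:3d:4e:5f"),  # constructed
]

if __name__ == "__main__":
    # Gateway MAC is a constructed 00-prefixed value, so only condition 1 fires.
    result = check_cscte01087("192.168.100.0/24", "00:1a:2b:3c:4d:5e", SAMPLE_APS)
    for line in result["findings"] + result["workarounds"]:
        print(line)
```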
-
Hello,
I'm in the process of deploying a WLC2504 in an environment which requires a private VLAN for access to file servers and other network resources, as well as a guest network for internet access.
As far as performance is concerned, will I get acceptable throughput on my WLANs with the CAPWAP tunnel flowing over the same subnet as the private network? I've seen some suggestions that recommend a separate VLAN dedicated to CAPWAP, but I don't know if this is just a suggestion for security. I understand that CAPWAP supports encryption of control messages, but not data transmissions without additional licensing. If this is just a suggestion for security, I don't think this is much of a concern. I don't see anyone on the private network intercepting guest transmissions. Could someone please advise me on this?
Thanks for your clarification guys! I'm in the process of installing my first CUWN. We are implementing 10 APs and have dealt with a few issues, namely throughput for laptops. I knew other factors could definitely come into play, but I wanted to rule topology out. Laptops are currently pulling very low internet speed test results, whereas mobile devices seem to fare much better. I've tried testing with mostly 2.4 GHz connections from laptops, but even the 5 GHz ones seem to struggle. I'm working with the Cisco TAC a bit on this one. Per their suggestion, I'm going to run Iperf to test internal performance before I involve network firewalls and Internet connectivity in the mix.
-
Information about %CAPWAP-3- ERRORLOG messages
Hello,
Does anyone know where to find information about CAPWAP-3 messages like these ?
%CAPWAP-3-ERRORLOG: Failed to send data transfer request.
%CAPWAP-3-ERRORLOG: Queue already full.
Thanks in advance.
I'm with Scott.
Post the entire bootup process. This contains more vital information than you can surmise.
Also post the output to the following commands:
1. WLC: sh sysinfo;
2. WLC: sh time;
3. AP: sh version;
4. AP: sh ip interface brief; and
5. AP: sh inventory
-
How to replace the certificate of Cisco 2106 wireless LAN controller for CAPWAP ?
I am interested in the CAPWAP feature and I downloaded the open capwap project to make an Access Controller (AC) and Wireless Terminal Point (WTP). I had built the AC, which used a PC, and the WTP, which used an Atheros AP. The CAPWAP feature worked well when I enabled CAPWAP using my own AC and WTP. When I got the Cisco 2106 wireless LAN controller (Cisco WLC), I configured the Cisco WLC in place of my own AC, but I got an authorization failure on the Cisco WLC side. It seems the Cisco WLC could not recognize the CAPWAP messages sent from my own WTP. I think this issue just needs the certificates to be synchronized between the Cisco WLC and the WTP. So I need to replace the Cisco WLC's certificate manually. Does anyone know how to replace the certificate manually on a Cisco WLC?
Best Regards,
Alan
Unfortunately this Support Community is for Cisco Small Business & Small Business Pro product offerings. The WLC2106 is a traditional Cisco product. You can find this type of support on the Cisco NetPro Forum for all traditional Cisco products.
Best Regards,
Glenn
-
%CAPWAP-3-ERRORLOG in MESH setup WLC7.6
Hello everyone,
I configured a MESH setup consisting of 3 AP's (1 root and 2 remote),
however one AP (remote) cannot join the WLC anymore since I made the changes to static IP and bridge mode.
I can't even reset the AP to factory settings to get it back to WLC appliance...
This is the error logs from the AP - can anyone help?
*Apr 10 16:15:59.187: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
*Apr 10 16:15:59.231: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Apr 10 16:15:59.235: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Apr 10 16:16:00.235: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Apr 10 16:16:00.263: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Apr 10 16:16:01.263: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Apr 10 16:16:09.187: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Apr 10 16:16:09.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.88.53 peer_port: 5246
*Apr 10 16:16:09.003: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Apr 10 16:16:09.011: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Apr 10 16:16:09.411: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.88.53 peer_port: 5246
*Apr 10 16:16:09.411: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.88.53
*Apr 10 16:16:09.415: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
*Apr 10 16:16:09.415: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
*Apr 10 16:16:09.415: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Apr 10 16:16:09.415: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 192.168.88.53
*Apr 10 16:16:10.003: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Apr 10 16:16:10.039: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Apr 10 16:16:10.047: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Apr 10 16:16:11.083: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Apr 10 16:16:12.083: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Apr 10 16:16:14.411: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.88.53
*Apr 10 16:16:14.415: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Apr 10 16:16:14.423: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Apr 10 16:16:15.415: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Apr 10 16:16:15.451: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Apr 10 16:16:16.451: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Apr 10 16:17:08.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.88.53:5246
*Apr 10 16:17:09.039: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
*Apr 10 16:17:09.055: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Apr 10 16:17:09.091: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Apr 10 16:17:10.059: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Apr 10 16:17:10.095: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Apr 10 16:17:10.103: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Apr 10 16:17:11.131: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Apr 10 16:17:12.131: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
info0000246:
Are you sure you allowed the AP on the MAC filter in your WLC? I was having the same issue today because I had forgotten to add the MAC into the MAC filtering; as soon as I did that, the AP was able to join the controller.
-
Hello ,
After migrating from standalone access points to capwap access points ( with wireless lan controller / Cisco Prime ) , a lot of people are wondering how to monitor their AP's by receiving traps from the controllers .
I am searching for trap list that should be accepted by a monitoring product ( ie nagios ) in order to monitor the status of the access points .
Where can i find this info ?
Thank you in advance for your help ;
Rgds.
Hubert.
Since all APs are managed by the WLC, all the information is available from the WLC; there is no need to get it directly from the APs.
If you want, you can configure AP & WLC syslog to export to a syslog server & then analyse them. The posts below may give some ideas:
http://mrncciew.com/2014/09/19/wlc-syslog-analysis/
http://mrncciew.com/2013/02/06/syslog-msg-log-in-wlc/
HTH
Rasika
*** Pls rate all useful responses ****