CAPWAP tunnel flapping

A couple of weeks ago we did an upgrade to controller code 7.0.235.3 on our WiSMs and upgraded WCS to 7.0.230.0.
Since then, I have one AIR-LAP1252AG-A-K9 that will not stay up.
AP04
CAPWAP Up Time: 4 h 13 m 46 s
CAPWAP Join Taken Time: 1 m 22 s
Users keep complaining about getting kicked off or not being able to join.
There is another 1252 AP on the same switch that feeds this one that seems to be working ok, so I don't think it's a network issue.
AP03
CAPWAP Up Time: 6 d 3 h 27 m 41 s
CAPWAP Join Taken Time: 25 s
Any idea if the code upgrade would have anything to do with this? Could it be a hardware issue or a cabling issue?
Users did not report this problem until after the upgrade.

Joe -- I might open a TAC case for this, as this is impacting your user performance.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

Similar Messages

  • DMVPN - One Spoke VPN tunnel flap - deleting SA reason "IKMP_ERR_NO_RETRANS"

    Dear All,
    Please help me find the reason for the DMVPN IPsec tunnel flap below.
    #sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    x.x.x.x   y.y.y.y   MM_NO_STATE       4983 ACTIVE (deleted)
    IPv6 Crypto ISAKMP SA
    #sh log | i 4984
     04:58:47.155: ISAKMP:(4984): OU = DE_FRA_ASR1001_R2
    Feb 12 04:58:47.155: ISAKMP:(4984): processing SIG payload. message ID = 0
    Feb 12 04:58:47.159: ISAKMP:(4984):SA authentication status:
    Feb 12 04:58:47.159: ISAKMP:(4984):SA has been authenticated with x.x.x.x
    Feb 12 04:58:47.159: ISAKMP:(4984):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Feb 12 04:58:47.159: ISAKMP:(4984):Old State = IKE_I_MM5  New State = IKE_I_MM6
    Feb 12 04:58:47.159: ISAKMP:(4984):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Feb 12 04:58:47.159: ISAKMP:(4984):Old State = IKE_I_MM6  New State = IKE_I_MM6
    Feb 12 04:58:47.163: ISAKMP:(4984):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Feb 12 04:58:47.163: ISAKMP:(4984):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
    Feb 12 04:58:47.163: ISAKMP:(4984):Need XAUTH
    Feb 12 04:58:47.163: ISAKMP:(4984): initiating peer config to x.x.x.x 0. ID = -847734916
    Feb 12 04:58:47.163: ISAKMP:(4984): sending packet to x.x.x.x  my_port 500 peer_port 500 (I) CONF_XAUTH
    Feb 12 04:58:47.163: ISAKMP:(4984):Sending an IKE IPv4 Packet.
    Feb 12 04:58:47.167: ISAKMP:(4984):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Feb 12 04:58:47.167: ISAKMP:(4984):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT
    Feb 12 04:58:47.203: ISAKMP (4984): received packet from x.x.x.x dport 500 sport 500 Global (I) CONF_XAUTH
    Feb 12 04:58:47.207: ISAKMP:(4984): processing HASH payload. message ID = -1617704027
    Feb 12 04:58:47.207: ISAKMP:(4984):Processing delete with reason payload
    Feb 12 04:58:47.207: ISAKMP:(4984):delete doi = 1
    Feb 12 04:58:47.207: ISAKMP:(4984):delete protocol id = 1
    Feb 12 04:58:47.207: ISAKMP:(4984):delete spi_size =  16
    Feb 12 04:58:47.207: ISAKMP:(4984):delete num spis = 1
    Feb 12 04:58:47.207: ISAKMP:(4984):delete_reason = 28
    Feb 12 04:58:47.207: ISAKMP:(4984): processing DELETE_WITH_REASON payload, message ID = -1617704027, reason: Unknown delete reason!
    Feb 12 04:58:47.207: ISAKMP:(4984):peer does not do paranoid keepalives.
    Feb 12 04:58:47.207: ISAKMP:(4984):peer does not do paranoid keepalives.
    Feb 12 04:58:47.207: ISAKMP:(4984):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) CONF_XAUTH    (peer x.x.x.x)
    Feb 12 04:58:47.207: ISAKMP:(4984):deleting node -1617704027 error FALSE reason "Informational (in) state 1"
    Feb 12 04:58:47.211: ISAKMP:(4984): sending packet to x.x.x.x  my_port 500 peer_port 500 (I) CONF_XAUTH
    Feb 12 04:58:47.211: ISAKMP:(4984):Sending an IKE IPv4 Packet.
    Feb 12 04:58:47.211: ISAKMP:(4984):purging node 20363770
    Feb 12 04:58:47.211: ISAKMP:(4984):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    Feb 12 04:58:47.211: ISAKMP:(4984):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_DEST_SA
    Feb 12 04:58:47.211: ISAKMP:(4984):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) CONF_XAUTH    (peer x.x.x.x)
    Feb 12 04:58:47.215: ISAKMP:(4984):deleting node 1519432799 error FALSE reason "IKE deleted"
    Feb 12 04:58:47.215: ISAKMP:(4984):deleting node -847734916 error FALSE reason "IKE deleted"
    Feb 12 04:58:47.215: ISAKMP:(4984):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Feb 12 04:58:47.215: ISAKMP:(4984):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
    Thanks for your kind response

    I gave up on fixing what was there and rebuilt from scratch, including regenerating the key with the same modulus. And now it works. I don't know what fixed it; it could even have been corruption of the startup-config, since I replaced that, but it's working and right now that's all I care about.

  • Mobility tunnel flapping

    I am trying to understand what this error could mean to determine if I really have an issue or not.
    I have one mobility anchor connected to two foreign controllers. I have a mobility tunnel on one WLAN only. I get emails from our Prime management server saying the following...
    Virtual Domain: ROOT-DOMAIN
    NCS has detected one or more alarms of category Controller and severity Critical in Virtual Domain ROOT-DOMAIN for the following items:
    1. Message: Controller '10.140.x.x'. All anchors of WLAN 'HopeNet' are down.
    E-mail will be suppressed up to 30 minutes for these alarms.
    I have not noticed any network disruption during this time, but I have not been connected to the SSID when I get the emails. And usually, as soon as I get the 'DOWN' email, I get an 'UP' email. Also, they seem to occur at random times.
    Any ideas as to the meaning of this? Thanks.

    Hi Josh:
    This would really be more of a wireless LAN controller/mobility anchor question than a Prime Infrastructure question. Prime Infrastructure is just the management station, and is only emailing notifications because the wireless LAN controller is sending it [Prime Infrastructure] SNMP traps about the tunnel being up and down.
    The wireless LAN controllers use eping and mping to determine reachability between the anchor and foreign controllers. If one of those tests fails, the wireless LAN controller will send the tunnel down trap. Once they start passing again, the wireless LAN controller will send the tunnel up trap.
    What this means is that something in the network is causing the eping and mping to fail. You may want to open a TAC service request against the anchor controller to have someone look at the mobility anchor status flipping.

  • Capwap tunnel encryption

    I'm trying to understand the AES algorithm applied to CAPWAP control channel transactions.
    I understand the use of AES-CCM, but this can theoretically operate with 128-, 192- or 256-bit key sizes.
    Does anyone know the specifics applied to the Cisco WLC implementation (v6.0 s/ware) ?

    I answered my own question by doing a Wireshark capture and looking at the AP/WLC client/server hellos.
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA

  • CAPWAP tunnel through NAT interface

    I'm not sure if anyone has tried this but are there any complications with connecting a lightweight AP through a NAT'd interface back to the WLC?  I know I'll have to open 5246 and 5247, but are there any other issues that I should be aware of?

    We have a neighboring hospital where some of our docs want to set up a clinic using their iPads back to our network.  Right now, we have a NAT'd interface from their network to ours and I haven't been able to test setting up an AP through a NAT interface.  I forgot about Office Extends and now remember from your Twitter updates from CL11.  I'll probably go that route.  Are there any issues that may come up from using Office Extends?

  • Separate VLAN for CAPWAP

    Hello,
    I'm in the process of deploying a WLC2504 in an environment which requires a private VLAN for access to file servers and other network resources, as well as a guest network for internet access.
    As far as performance is concerned, will I get acceptable throughput on my WLANs with the CAPWAP tunnel flowing over the same subnet as the private network? I've seen some suggestions that recommend a separate VLAN dedicated to CAPWAP, but I don't know if this is just a suggestion for security. I understand that CAPWAP supports encryption of control messages, but not data transmissions without additional licensing. If this is just a suggestion for security, I don't think this is much of a concern. I don't see anyone on the private network intercepting guest transmissions. Could someone please advise me on this?

    Thanks for your clarification guys! I'm in the process of installing my first CUWN. We are implementing 10 APs and have dealt with a few issues, namely throughput for laptops. I knew other factors could definitely come into play, but I wanted to rule topology out. Laptops are currently pulling very low internet speed test results, whereas mobile devices seem to fare much better. I've tried testing with mostly 2.4 GHz connections from laptops, but even the 5 GHz ones seem to struggle. I'm working with the Cisco TAC a bit on this one. Per their suggestion, I'm going to run iperf to test internal performance before I involve network firewalls and Internet connectivity in the mix.

  • Performance with encrypted CAPWAP?

    Does anyone have experience with encrypting CAPWAP tunnels between your APs and WLCs?
    According to:
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/6-0/configuration/guide/Controller60CG/c60lwap.html#wp1508163
    "Encryption limits throughput at both the controller and the access point, and maximum throughput is desired for most enterprise networks."
    My question is: has anyone enabled encryption and seen if there is actually degradation in throughput? We are considering enabling encryption on a couple hundred APs and don't want this extra overhead to bog things down on the controllers or APs.
    Thanks

    Hi Chad,
    No, we don't have a large number of APs in our environment.
    But my recommendation is: enable it only when you need it, e.g. for mesh or OfficeExtend APs (to add security).
    I would not recommend enabling it on local mode APs.
    As per Cisco:
    Encryption limits throughput at both the controller and the access point, and maximum throughput is desired for most enterprise networks.
    Regards
    Don't forget to rate helpful posts

  • CAPWAP goes down but AP is up

    I have a few APs that keep doing this where WCS generates alarms saying that the AP is down and a/b/g interface is all down. If I check the WCS, I see the AP up for more than 10 days or so but the CAPWAP is up only for 4 minutes. Eventually clients associate to that AP but they see downtime.
    Is it because the AP is bad (hardware issue)?
    CAPWAP Up Time: 4 m 17 s
    AP Up Time: 10 d 0 h 24 m 4 s
    Meena

    Well, based on the uptime we know one thing for sure: something interrupted the CAPWAP tunnel between the AP and the WLC, and this is what triggered the alarm. And you are correct, clients will be impacted. The most common thing you will see is that the AP moves from one WLC to another WLC. However, if you are sure this is not the case, then something else could have interrupted the tunnel:
    - Down VLAN
    - A number of missed heartbeats (between the AP and WLC)
    - Routing issue
    I know... I'm stretching it... The list could go on...
    Shoot me an email of the address. I can shoot over at lunch...
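    The two uptime counters quoted in the opening question and in the "CAPWAP goes down but AP is up" post give a simple triage rule. As an added example (not from any post in this thread), here is a Python script that parses the "d h m s" format those counters use and separates a tunnel that was torn down and rejoined (AP up for days, CAPWAP up for minutes) from an AP that actually rebooted, flagging a slow join as well. AP03 and AP04 carry the CAPWAP values from the question; their AP Up Time values and the APs AP05/AP06 are constructed.

```python
import re
from dataclasses import dataclass

# Seconds per unit in the "6 d 3 h 27 m 41 s" format WCS and the controller show.
_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_TOKEN = re.compile(r"(\d+)\s*([dhms])\b")

# Constructed sample records. AP03/AP04 reuse the CAPWAP Up Time and Join Taken
# Time from the question; the AP Up Time values and AP05/AP06 are hypothetical
# and exist only to exercise each branch of the triage.
SAMPLE_APS = [
    {"name": "AP03", "capwap_up": "6 d 3 h 27 m 41 s", "ap_up": "6 d 3 h 29 m 10 s", "join_taken": "25 s"},
    {"name": "AP04", "capwap_up": "4 h 13 m 46 s", "ap_up": "12 d 1 h 5 m 3 s", "join_taken": "1 m 22 s"},
    {"name": "AP05", "capwap_up": "4 m 17 s", "ap_up": "10 d 0 h 24 m 4 s", "join_taken": "12 s"},
    {"name": "AP06", "capwap_up": "3 m 10 s", "ap_up": "3 m 40 s", "join_taken": "18 s"},
]


def parse_uptime(text: str) -> int:
    """Convert an uptime string such as '10 d 0 h 24 m 4 s' into seconds."""
    tokens = _TOKEN.findall(text)
    if not tokens:
        raise ValueError(f"unrecognised uptime format: {text!r}")
    return sum(int(num) * _UNIT_SECONDS[unit] for num, unit in tokens)


@dataclass
class Triage:
    name: str
    verdict: str        # "tunnel-reset", "ap-reboot" or "stable"
    slow_join: bool     # join took longer than the threshold
    capwap_seconds: int
    ap_seconds: int


def triage_ap(ap: dict, reboot_slack: int = 300, min_tunnel_age: int = 86400,
              slow_join_threshold: int = 60) -> Triage:
    """Classify one AP from its uptime counters.

    If the AP has been up far longer than its CAPWAP tunnel, the AP did not
    reboot: the session to the controller was torn down and re-established
    (missed heartbeats, path problem, controller change). If both counters are
    young, the AP itself restarted. Thresholds are hypothetical defaults.
    """
    capwap = parse_uptime(ap["capwap_up"])
    ap_up = parse_uptime(ap["ap_up"])
    join = parse_uptime(ap["join_taken"])

    if ap_up - capwap > reboot_slack:
        verdict = "tunnel-reset"
    elif ap_up < min_tunnel_age:
        verdict = "ap-reboot"
    else:
        verdict = "stable"
    return Triage(ap["name"], verdict, join > slow_join_threshold, capwap, ap_up)


def triage_all(aps) -> dict:
    """Return {ap_name: Triage} for a list of AP records."""
    return {ap["name"]: triage_ap(ap) for ap in aps}


if __name__ == "__main__":
    for t in triage_all(SAMPLE_APS).values():
        flag = " (slow join)" if t.slow_join else ""
        print(f"{t.name}: {t.verdict}{flag}  capwap={t.capwap_seconds}s ap={t.ap_seconds}s")
```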

  • How many EoIP tunnels at the same time? (One Anchor -- HA Pair )

    Hi Experts,
    With AP SSO, there should be two CAPWAP tunnels between an AP and the HA controller pair at the same time. Is it correct?
    Then how many EoIP tunnels between the internet anchor controller and the foreign controller HA pair at the same time?
    Thanks
    Cedar

    Hi Cedar,
    In AP SSO, only a single CAPWAP tunnel is maintained at a time; see the reference below for details.
    http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bd3504.shtml
    There is only one CAPWAP tunnel maintained at a time between the APs and the WLC that is in an Active state. The overall goal for the addition of AP SSO support to the Cisco Unified Wireless LAN was to reduce major downtime in wireless networks due to failure conditions that may occur due to box failover or network failover. This allows the access point (AP) to establish a CAPWAP tunnel with the Active WLC and share a mirror copy of the AP database with the Standby WLC. The APs do not go into the Discovery state when the Active WLC fails and the Standby WLC takes over the network as the Active WLC.
    In the same sense, the EoIP tunnel limit is 71 for an anchor controller. See below:
    https://supportforums.cisco.com/thread/2123756
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • CAPWAP teardown?

    Hi All,
    I need help understanding how the CAPWAP tunnel works when one of the bundled (group of 4) ports in the port-channel group is shut down.
    Here's the logical diagram
    APs <-> Access Switch <-portchannel-> Distri Switch <-portchannel-> Core Switch <-portchannel-> WLC
    One of the 4 bundled uplink ports in the port-channel (shown in RED text) was shut down deliberately. During this time Prime Infra 1.3 reported that the APs were disassociated from the controller, and 1 minute later Prime Infra reported that the APs were associated to the controller again, without anyone touching any devices.
    Is this a normal behaviour of a CAPWAP? If not then, what should I do?
    Regards,
    Dave

    What is the load-balancing mechanism of your switch etherchannels? "show etherchannel load-balance" should tell you this.
    If AP-to-WLC CAPWAP traffic went through the interface you shut down, then there is a possibility that your AP lost connectivity to the WLC momentarily. But it should not take that long to revert traffic to the other interfaces.
    You can do a test like this. Enable Telnet for one of your APs (via WLC GUI: Wireless -> select your AP -> Advanced -> tick the Telnet checkbox). Then telnet to the AP and ping your WLC IP from there. Then shut down one of your 4 switch etherchannel interfaces and see whether you see ping drops for a short period of time. If packets drop, see how many drops occur before connectivity comes back.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • CAPWAP Question

    Hello,
    I have some questions regarding the FlexConnect CAPWAP tunnel for FlexConnect APs with local switching.
    1. If I have 10 FlexConnect APs at my branch, would that create 10 CAPWAP tunnels to the WLC located in HQ?
    2. How often the flexconnect AP will send the CAPWAP to WLC? 
    3. What is the size of flexconnect CAPWAP tunnel keepalives?
    4. By default, is the CAPWAP tunnel (regardless of local or FlexConnect) encrypted?
    5. The DMZ firewall, what ports should be allowed for the guest traffic (anchor WLC)? Is it just 5246 or 5246 and 5247?
    6. Is EoIP encrypted or clear text?
    I remember reading something like instead of using EoIP for mobility anchor or foreign wlc, CAPWAP can also be used. I am not sure if this is true or not.
    Thanks

    1. If I have 10 Flexconnect APs at my branch, would that create 10 CAPWAP tunnels to the WLC located in HQ.
    > You might be getting confused with mobility tunnels. The AP can support the max it is licensed for
    2. How often the flexconnect AP will send the CAPWAP to WLC?
    > AP Heartbeat Timeout—AP Heartbeat timeout value that you can enter. The valid range is 10 to 30 for the Cisco 7500 Series Controller and 1 to 30 for other platforms.
    > Local Mode AP Fast Heartbeat Timer State—Fast heartbeat timer that you can enable or disable for access points in local mode. The default is disable.
    3. What is the size of flexconnect CAPWAP tunnel keepalives?
    > Look at the previous question
    4. By default, is the CAPWAP tunnel (regardless of local or FlexConnect) encrypted?
    > Only if you enable Data Encryption, by default this is not enabled.  Typically use only on OfficeExtend
    5. The DMZ firewall, what ports should be allowed for the guest traffic (anchor WLC)? Is it just 5246 or 5246 and 5247?
    >This doesn't matter since guest traffic would be central switching and you would have a mobility anchor to the guest anchor WLC
    6. Is EoIP encrypted or clear text?
    > Data is not encrypted unless you enable Data Encryption with the DTLS license.
    Some links:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a0080901caa.shtml
    http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml#ft
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • CAPWAP bandwidth usage

    Can anyone tell me how much bandwidth CAPWAP requires per WAP-3502 across the WAN to a WLC-5508?
    I am using a WAN analyzer and it appears that each of my WAPs is consuming roughly 30 kbps of WAN bandwidth back to the WLC at my location.
    That seems a bit high to me considering it is a backbone/infrastructure protocol and not actually carrying user requested data (all my WAP are in local switching mode).
    If anyone can shed some light on this for me that would be great, thanks !
    Mike

    Surendra,
    thank you for your post & link.
    That document is the closest I have seen that actually talks about bandwidth and control packets.
    The document could be out of date though, because it is talking about LWAPP, which is the layer 2 control protocol not really employed by the newer WAPs.
    CAPWAP has replaced it and is a layer 3 control protocol.
    From my own bandwidth monitoring using Scrutinizer, it appears CAPWAP uses 30kbps for control communications to the WLC.
    Now IF you do NOT do local switching in H-Reap then the data payload is also encrypted and passed to the controller through the CAPWAP tunnel.
    At least that is what I read in a document.
    Since we are doing all local switching w/ HReap I cannot say if this is true or not.

  • Logs %C4K_EBM-4-HOSTFLAPPING: STANDBY:Host 0C:07:AC:00:00:1B

    Hi Guys,
    Good Day! I'm receiving this type of log on my 4507 switch. I'd appreciate it if someone could give us an explanation of this and how to resolve this item. I also can't find the MAC address owner in IEEE either.
    Jun 16 09:59:56 EDT: %C4K_EBM-4-HOSTFLAPPING: Host 0C:07:AC:00:00:1B in vlan 29 is moving from port Gi5/13 to port Gi5/20
    .Jun 16 10:00:03 EDT: %C4K_EBM-4-HOSTFLAPPING: STANDBY:Host 0C:07:AC:00:00:1B in vlan 29 is moving from port Gi5/2 to port Gi5/20

    Years have gone by, so I'm sure you have figured this out. But since I stumbled on it, I figure someone who needs help may too. This is typically caused by a LAN loop.
    - If both of those ports go to 'user' devices: there may be a misconnection such as the PC port and switch port of a VoIP phone both connected to the wall plate, thus bridging (LAN looping). It could also be a dual-uplinked hub or 'dumb' switch not running STP. I would make sure that any Cisco switch user ports that have 'spanning-tree portfast' enabled are also running 'spanning-tree bpduguard enable' to ensure that frames only expected from switches (BPDUs) can trigger a port shut if seen. If you cannot run bpduguard, you should not run portfast! Small unmanaged switches often do not run STP, so be careful that they do not become dual-uplinked.
    - Wireless Roaming (ports go to APs or switches feeding APs): when layer two wireless bridges connect users directly to the LAN (not CAPWAP tunneled to a controller), either because they are in autonomous mode or 'FlexConnect' is enabled (users for select WLANs/SSIDs locally bridged), MACs may 'flap' if rapidly hopping between two APs.
    - Trunking Misconfiguration: verify that "ALL" trunking in your network does NOT have PortFast enabled. Flaps on one switch may not indicate it is the misconfigured switch, only that it is seeing flapping. The entire LAN must be looked at. Portfast disables loop avoidance, STP.

  • AIR-LAP1242G-E-K9 do not work with AIR-CT5508-K9 while AIR-LAP1142N-E-K9 do

    Hello,
    we do have a site where we need to deploy AIR-LAP1142N-E-K9 and AIR-LAP1242G-E-K9 APs. We have two AIR-CT5508-K9 controllers with SW version 6.0.188.0.
    AIR-LAP1142N-E-K9s work okay, as expected, we do not have any problems with them.
    However, AIR-LAP1242G-E-K9s do not; there is a problem establishing the CAPWAP tunnel with the controller. The AP is seen on the controller for a while, with 0 up-time, I cannot change any settings on the AP via the controller, and after a while it disappears from the controller, appears again, and this repeats.
    The APs and controllers are connected to the LAN campus.
    Controllers via two 1G links configured as Etherchannel to WS-C6506-E VSS switch with s72033-ipservicesk9_wan-vz.122-33.SXI1.bin on it.
    APs to WS-C3750G-48PS with c3750-ipbasek9-mz.122-50.SE2.bin on it. 3750 is connected to the C6505 via two 1G links configured as Etherchannel.
    Below I copied the log I captured on 1242 and the controller. Highlighted ones are the ones which I think might bring a clue.
    I performed some troubleshooting steps.
    - As we have some other controllers available over the WAN, I tested the 1242 AP with 2100, 4400 and also with the same model AIR-CT5508-K9 with SW version 6.0.188.0 over the WAN, and this always worked okay.
    - I wanted to be sure that I eliminate any kind of out of sequence packet issue, so I brought down all redundancy L2 links so that the L2 path from the AP to the controller was only through one leg links.
    - I also brought the second controller down to eliminate potential issue with having two of them up.
    - The AP gets its IP from DHCP configured on the C6506 switch, I am always able to ssh to AP, so the IP connectivity does not seem to be an issue.
    - I have more 1242s, all behave in the same way. I also connected them to some other 3750 switches we have in the campus, always the same.
    - As this seems to be maybe a kind of ssl issue, I tried to play with controller settings, like enabling Accept... options  under Security/AP Policy,but this did not help.
    - I also tried to reboot the controller, no improvement.
    - The APs came from the factory, so in the beginning everything was factory default in them. They were always able to download the image from the controller in the very initial phase. I still do have some of them untouched, so I can perform any troubleshooting steps with the fresh one.
    I can reproduce this, can also send debugging logs if needed.
    Any idea on what could be wrong is highly appreciated.
    Thank you.
    This Discussion has been converted into a document: https://supportforums.cisco.com/docs/DOC-23054
    AIR-LAP1242G-E-K9 10.0.13.28 log
    *Mar  1 00:00:05.922: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
    *Mar  1 00:00:07.536: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
    *Mar  1 00:00:07.672: %LWAPP-3-CLIENTEVENTLOG: Read and initialized AP event log (contains, 304 messages)
    *Mar  1 00:00:09.809: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
    *Mar  1 00:00:09.874: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, C1240 Software (C1240-K9W8-M), Version 12.4(21a)JA2, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Mon 02-Nov-09 18:42 by prod_rel_team
    *Mar  1 00:00:09.874: %SNMP-5-COLDSTART: SNMP agent on host wuen4028 is undergoing a cold start
    *Mar  1 00:00:09.964: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Mar  1 00:00:09.967: bsnInitRcbSlot: slot 1 has NO radio
    *Mar  1 00:00:10.191: %SSH-5-ENABLED: SSH 2.0 has been enabled
    *Mar  1 00:00:10.191: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar  1 00:00:10.430: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Mar  1 00:00:10.818: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
    *Mar  1 00:00:11.212: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar  1 00:00:18.315: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address 10.0.13.28, mask 255.255.255.0, hostname wuen4028
    *Mar  1 00:00:28.988: Logging LWAPP message to 255.255.255.255.
    *Mar  1 00:00:31.456: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
    *Mar  1 00:00:31.495: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar  1 00:00:32.457: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Mar  1 00:00:32.457: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
    *Mar  1 00:00:38.810: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
    *Mar  1 00:00:47.811: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
    *Mar  1 00:00:56.812: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-LWAPP-CONTROLLER
    *Mar  1 00:01:07.815: %CAPWAP-3-ERRORLOG: Selected MWAR 'wuen4001'(index 0).
    *Mar  1 00:01:07.815: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Feb 11 07:52:24.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.13.5 peer_port: 5246
    *Feb 11 07:52:24.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *Feb 11 07:52:25.441: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.0.13.5 peer_port:  5246
    *Feb 11 07:52:25.443: %CAPWAP-5-SENDJOIN: sending Join Request to 10.0.13.5
    *Feb 11 07:52:25.443: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Feb 11 07:52:25.445: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 10.0.13.5
    *Feb 11 07:52:25.445: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Feb 11 07:52:25.445: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Feb 11 07:52:25.445: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 10.0.13.5
    *Feb 11 07:52:30.441: %CAPWAP-5-SENDJOIN: sending Join Request to 10.0.13.5
    *Feb 11 07:52:30.442: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 10.0.13.5
    *Feb 11 07:52:30.443: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
    *Feb 11 07:52:30.443: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Feb 11 07:52:30.443: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 10.0.13.5
    *Feb 11 07:52:47.644: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
    *Feb 11 07:53:23.999: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 10.0.13.5:5246
    *Feb 11 07:53:24.000: %CAPWAP-3-ERRORLOG: Selected MWAR 'wuen4001'(index 0).
    *Feb 11 07:53:24.000: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Feb 11 07:52:24.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.13.5 peer_port: 5246
    *Feb 11 07:52:24.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *Feb 11 07:52:24.001: %DTLS-5-PEER_DISCONNECT: Peer 10.0.13.5 has closed connection.
    *Feb 11 07:52:24.001: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 10.0.13.5:5246
    *Feb 11 07:52:24.002: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
    *Feb 11 07:52:24.123: %CAPWAP-3-ERRORLOG: Dropping dtls packet since session is not established.
    wuen4028#
    AIR-CT5508-K9 10.0.13.5 log
    *Feb 11 09:00:54.824: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2171 Failed to complete DTLS handshake with peer 10.0.13.28
    *Feb 11 08:59:53.798: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2862 Max EAP identity request retries (3) exceeded for client 00:1f:3b:93:dd:4f
    *Feb 11 08:59:51.197: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2862 Max EAP identity request retries (3) exceeded for client 00:c0:a8:e1:b1:71
    *Feb 11 08:59:21.212: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:292 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg
    *Feb 11 08:58:39.766: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2171 Failed to complete DTLS handshake with peer 10.0.13.28
    *Feb 11 08:57:06.131: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:292 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg
    *Feb 11 08:56:24.504: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2171 Failed to complete DTLS handshake with peer 10.0.13.28
    *Feb 11 08:55:09.693: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2862 Max EAP identity request retries (3) exceeded for client 00:1f:3b:93:dd:4f
    *Feb 11 08:54:51.040: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:292 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg
    *Feb 11 08:53:56.493: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:426 Max EAP retransmissions exceeded for client 00:1f:3b:93:dd:4f
    *Feb 11 08:53:34.497: %DTL-3-OSARP_DEL_FAILED: dtl_arp.c:1380 Unable to delete an ARP entry for 10.0.13.28 from the operating system. ioctl operation failed
    *Feb 11 08:52:35.936: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:292 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg
    *Feb 11 08:52:26.492: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:426 Max EAP retransmissions exceeded for client 00:1f:3b:93:dd:4f
    *Feb 11 08:50:07.680: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:426 Max EAP retransmissions exceeded for client 00:1f:3b:93:e6:57
    *Feb 11 08:48:37.458: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2862 Max EAP identity request retries (3) exceeded for client 00:1f:3b:93:e6:57
    *Feb 11 08:47:37.438: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:426 Max EAP retransmissions exceeded for client 00:1f:3b:93:e6:57
    *Feb 11 08:47:34.438: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2862 Max EAP identity request retries (3) exceeded for client 00:16:44:1d:0f:53
    *Feb 11 08:46:32.422: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:407 Max EAPOL-key M3 retransmissions exceeded for client 00:16:44:1d:0f:53
    *Feb 11 08:46:06.790: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2862 Max EAP identity request retries (3) exceeded for client 00:1f:3b:95:61:bd
    *Feb 11 08:46:06.789: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:1f:3b:95:61:bd
    *Feb 11 08:46:06.210: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2862 Max EAP identity request retries (3) exceeded for client 00:1f:3b:93:e6:57
    *Feb 11 08:45:34.304: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2862 Max EAP identity request retries (3) exceeded for client 00:1f:3b:95:61:bd
    *Feb 11 08:45:34.303: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:1f:3b:95:61:bd
    *Feb 11 08:45:01.298: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:292 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg
    *Feb 11 08:44:38.076: %SIM-3-PORT_UP: sim.c:9547 Physical port 2 is up!.
    *Feb 11 08:44:38.037: %SIM-3-PORT_UP: sim.c:9547 Physical port 1 is up!.
    *Feb 11 08:44:38.009: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read configuration file 'cliWebInitParms.cfg'
    *Feb 11 08:44:37.980: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read configuration file 'rrcEngineInitParms.cfg'
    *Feb 11 08:44:37.980: %CNFGR-3-INV_COMP_ID: cnfgr.c:2105 Invalid Component Id : Unrecognized (81) in cfgConfiguratorInit.
    *Feb 11 08:44:37.928: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read configuration file 'rfidInitParms.cfg'
    *Feb 11 08:44:37.915: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read configuration file 'dhcpParms.cfg'
    *Feb 11 08:44:37.903: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read configuration file 'bcastInitParms.cfg'
    *Feb 11 08:44:37.834: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read configuration file 'rrmInitParms.cfg'
    *Feb 11 08:44:27.331: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read configuration file 'apfInitParms.cfg'
    *Feb 11 08:44:27.226: %MM-3-MEMBER_ADD_FAILED: mm_dir.c:903 Could not add Mobility Member. Reason: IP already assigned, Member-Count:1,MAC: 00:00:00:00:00:00, IP: 0.0.0.0
    *Feb 11 08:44:27.023: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read configuration file 'mmInitParms.cfg'
    *Feb 11 08:44:27.013: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read configuration file 'aaaapiInitParms.cfg'
    *Feb 11 08:44:27.011: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read configuration file 'pemInitParms.cfg'
    *Feb 11 08:44:26.898: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read configuration file 'dot1xInitParms.cfg'
    *Feb 11 08:44:26.868: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read configuration file 'capwapInitParms.cfg'
    *Feb 11 08:44:26.718: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read configuration file 'spamInitParms.cfg'
    *Feb 11 08:44:25.650: %SSHPM-3-FREAD_FAILED: sshpmlscscep.c:1395 Error reading file /mnt/application/lscca_pem.crt
    *Feb 11 08:44:06.435: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read configuration file 'sshpmInitParms.cfg'

    Thanks for such a quick response and suggestions.
    Yes, I seem not to be 100% perfect as for the list of troubleshooting steps I took.
    I had already tried the two commands you mentioned. I tried again, this time with some other 1242, but these do not help.
    Yes, I was already thinking that this could be in theory a licensing issue. The controller is bought with 25 licenses.
    In the beginning I had one 1142 on it and tried to enable 1242s, which did not work. Now I have five 1142s on it; as this worked okay, I guess it could not be a licensing issue.
    I think that I can see in the log files that the machines communicate with each other; L2 or L3 paths seem to be working okay. I forgot to mention that I am using option 43 on the DHCP server, so the AP clearly finds its way to the controller. What's more, both APs and the controllers are in the same VLAN, so they are in the same broadcast domain.
    Below is sho ver from the AP. The AP seems to have Certificate type - manufacture installed, so I guess there should not be a problem with the certificate, especially knowing that the AP works with other controllers over WAN.
    My guess is that these messages seen on the AP, especially "Invalid event 38 & state 3 combination", might tell us what's wrong.
    *Feb 11 07:52:24.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *Feb 11 07:52:24.001: %DTLS-5-PEER_DISCONNECT: Peer 10.0.13.5 has closed connection.
    *Feb 11 07:52:24.001: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 10.0.13.5:5246
    *Feb 11 07:52:24.002: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
    *Feb 11 07:52:24.123: %CAPWAP-3-ERRORLOG: Dropping dtls packet since session is not established.
    Cisco IOS Software, C1240 Software (C1240-K9W8-M), Version 12.4(21a)JA2, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Mon 02-Nov-09 18:42 by prod_rel_team
    ROM: Bootstrap program is C1240 boot loader
    BOOTLDR: C1240 Boot Loader (C1240-BOOT-M) Version 12.4(13d)JA, RELEASE SOFTWARE (fc2)
    AP9caf.ca00.1c78 uptime is 17 minutes
    System returned to ROM by power-on
    System image file is "flash:/c1240-k9w8-mx.124-21a.JA2/c1240-k9w8-mx.124-21a.JA2"
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    cisco AIR-LAP1242G-E-K9    (PowerPCElvis) processor (revision A0) with 24566K/8192K bytes of memory.
    Processor board ID FCZ135082GH
    PowerPCElvis CPU at 262Mhz, revision number 0x0950
    Last reset from power-on
    LWAPP image version 6.0.188.0
    1 FastEthernet interface
    1 802.11 Radio(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 9C:AF:CA:00:1C:78
    Part Number                          : 73-11479-01
    PCA Assembly Number                  : 800-30493-01
    PCA Revision Number                  : A0
    PCB Serial Number                    : FOC13484GYY
    Top Assembly Part Number             : 800-29589-03
    Top Assembly Serial Number           : FCZ135082GH
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-LAP1242G-E-K9
    Configuration register is 0xF
    AP9caf.ca00.1c78#
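    As an added example (not code from this thread), a small Python triage helper for controller message logs pasted in the shape shown above: it rejoins records that the pager wrapped at 80 columns, drops the --More-- prompt, and aggregates 802.1X failures per client MAC and the configuration files the controller failed to read. The sample lines are a constructed subset of the log above; the 80-column rejoin rule is a heuristic, and the regex also accepts the AP-side lines that carry no source file.

```python
import re
from collections import Counter
# Constructed sample in the shape the controller's message-log pager prints it:
# records are wrapped at exactly 80 columns and a space at column 80 is lost.
SAMPLE_LOG = """\
*Feb 11 08:50:07.680: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:426 Max EAP retransmis
sions exceeded for client 00:1f:3b:93:e6:57
*Feb 11 08:47:37.438: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:426 Max EAP retransmis
sions exceeded for client 00:1f:3b:93:e6:57
*Feb 11 08:46:06.789: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication abor
ted for client 00:1f:3b:95:61:bd
--More-- or (q)uit
*Feb 11 08:44:37.980: %CNFGR-3-INV_COMP_ID: cnfgr.c:2105 Invalid Component Id :
Unrecognized (81) in cfgConfiguratorInit.
*Feb 11 08:44:26.868: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read con
figuration file 'capwapInitParms.cfg'
"""

# "*<timestamp>: %FACILITY-SEV-MNEMONIC: [file.c:line] text" (file is optional).
HEADER = re.compile(
    r"^\*(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): "
    r"%(?P<facility>[A-Z0-9]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?:(?P<source>\S+\.c:\d+) )?(?P<text>.*)$")
MAC = re.compile(r"client ([0-9a-f]{2}(?::[0-9a-f]{2}){5})")
WRAP_COLS = 80

def parse(raw):
    """Rejoin pager-wrapped records, drop the --More-- prompt and split each record
    into its fields. Heuristic: a record whose length is a multiple of 80 was cut
    mid-word, so the continuation is glued on; otherwise a space was lost."""
    records = []
    for line in (ln.strip() for ln in raw.splitlines()):
        if not line or line.startswith("--More--"):
            continue
        if HEADER.match(line):
            records.append(line)
        elif records:
            records[-1] += ("" if len(records[-1]) % WRAP_COLS == 0 else " ") + line
    return [HEADER.match(r).groupdict() for r in records]

def triage(raw):
    """Per-client 802.1X failure counts plus config files the controller could not load."""
    dot1x, missing = Counter(), []
    for e in parse(raw):
        if e["facility"] == "DOT1X" and (m := MAC.search(e["text"])):
            dot1x[m.group(1)] += 1
        elif e["mnemonic"] == "FILE_READ_FAIL" and (m := re.search(r"'([^']+)'", e["text"])):
            missing.append(m.group(1))
    return {"dot1x_failures": dict(dot1x), "missing_config_files": missing}
```

    Feed it the full paste (minus the forum indentation) and a client MAC that dominates the DOT1X counts points at a supplicant or RADIUS problem rather than the CAPWAP tunnel itself.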

  • AP that will work across subnets?

    Hello,
    We currently have a few 2106 wireless controllers and a dozen Aironet 1121 access points at our main location. We have RADIUS authentication as well as certificates etc. This setup works great and has for years. We have a few satellite offices that now need wireless access. They connect via an IPSec VPN but are on different subnets. If I remember correctly, when setting this all up I read somewhere that the APs that we currently have would not work on the different subnets...they would not be able to use the RADIUS etc. If this is correct, which access point would be the proper one to use out in the satellite offices?
    Thank you for your help.
    Michael

    Michael,
    Not exactly true. You could have 1121s across the VPN at the remote site, but all the client traffic would backhaul through the LWAPP/CAPWAP tunnel and ingress/egress at the WLC.
    Now if you want all the local traffic to stay local, then yes, the 1121 would not work. You would need to use HREAP, which is supported on the 1130/1240/1250/1140 series of AP.
