Integration of CISCO PRIME1.3 with WLC 7.5.102.0

Similar Messages

• Win 2008 R2 radius integration with WLC 5508

  Requires help in integrating Win 2008 R2 Radius server with WLC 5508

  Step by Step instructions - NPS & Wireless LAN Controller
  PEAP Authentication - http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html
  EAP-TLS
  https://kb.meraki.com/knowledge_base/radius-creating-a-policy-in-nps-to-support-eap-tls-authentication
  hope that helps, Please let me know if you have any other questions in regards to setting up your NPS server
  Please rate that post if it answers your question or helps you  to resolve the problem.

• Connecting Cisco AIR-CAP2602E over WAN with WLC - Procedural Details

  Hi,
  I have a Wireless LAN Controller Installed in one of the subnets where some AIR-CAP2602E's are connected with the WLC. WLC acts as DHCP for the AIR-CAP2602E Devices.
  I have additional AIR-CAP2602E access-points at other location (Subnet) and Need to connect them with WLC. 
  Challange faced by me is creating DHCP on Cisco 2950 (L2) or 3750 (L3) with DHCP option 43. Can any one has detailed configuration of enabling DHCP for specific VLAN on Cisco L2 and L3 Devices. 

  If you have control of the DNS environment for these network segments, just make an entry for :
  cisco-lwapp-controller aliases cisco-capwap-controller (IP list) as the CAP will hunt for those two name sets.
  My WLC provides DHCP support only to the wlans supported by the AP but not the AP it self..
  hope this helps

• Troubleshoot Cisco Airlap 1242 with WLC 4400 Series LWAPP_CLIENT_ERROR_DEBUG: spamHandleCfgReqTimer: Did not recieve the Config response

  I have a Problem with my new AIRLAP 1242 to connect with WLC 4400
  after debug in my airlap it shows :
  Reset done!
  ethernet link up, 100 mbps, full-duplex
  Ethernet port 0 initialized: link is up
  Loading "flash:/c1240-k9w8-mx.123-7.JX8/c1240-k9w8-mx.123-7.JX8"...######################################################################################################################################################################################################################################
  File "flash:/c1240-k9w8-mx.123-7.JX8/c1240-k9w8-mx.123-7.JX8" uncompressed and installed, entry point: 0x3000
  executing...
                Restricted Rights Legend
  Use, duplication, or disclosure by the Government is
  subject to restrictions as set forth in subparagraph
  (c) of the Commercial Computer Software - Restricted
  Rights clause at FAR sec. 52.227-19 and subparagraph
  (c) (1) (ii) of the Rights in Technical Data and Computer
  Software clause at DFARS sec. 252.227-7013.
             cisco Systems, Inc.
             170 West Tasman Drive
             San Jose, California 95134-1706
  Cisco IOS Software, C1240 Software (C1240-K9W8-M), Version 12.3(7)JX8, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2007 by Cisco Systems, Inc.
  Compiled Mon 19-Mar-07 01:42 by hqluong
  Image text-base: 0x00003000, data-base: 0x004051E0
  Initializing flashfs...
  flashfs[1]: 9 files, 3 directories
  flashfs[1]: 0 orphaned files, 0 orphaned directories
  flashfs[1]: Total bytes: 15998976
  flashfs[1]: Bytes used: 5062144
  flashfs[1]: Bytes available: 10936832
  flashfs[1]: flashfs fsck took 4 seconds.
  flashfs[1]: Initialization complete....done Initializing flashfs.
  cisco AIR-LAP1242AG-E-K9   (PowerPCElvis) processor (revision A0) with 24566K/8192K bytes of memory.
  Processor board ID FCW1411U0FZ
  PowerPCElvis CPU at 266Mhz, revision number 0x0950
  Last reset from power-on
  1 FastEthernet interface
  2 802.11 Radio(s)
  32K bytes of flash-simulated non-volatile configuration memory.
  Base ethernet MAC Address: 68:EF:BD:5F:9A:18
  Part Number                          : 73-10256-07
  PCA Assembly Number                  : 800-26918-06
  PCA Revision Number                  : A0
  PCB Serial Number                    : FOC14093XU3
  Top Assembly Part Number             : 800-29152-03
  Top Assembly Serial Number           : FCW1411U0FZ
  Top Revision Number                  : A0
  Product/Model Number                 : AIR-LAP1242AG-E-K9
  Press RETURN to get started!
  *Mar  1 00:00:05.608: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
  *Mar  1 00:00:06.858: %DOT11-2-VERSION_INVALID: Interface Dot11Radio0, unable to find required radio version 581.18
  *Mar  1 00:00:06.858: Interface Dot11Radio0, Accepting as a test version of radio firmware
  *Mar  1 00:00:06.878: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
  *Mar  1 00:00:07.234: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
  *Mar  1 00:00:08.212: %DOT11-2-VERSION_INVALID: Interface Dot11Radio1, unable to find required radio version 581.18
  *Mar  1 00:00:08.212: Interface Dot11Radio1, Accepting as a test version of radio firmware
  *Mar  1 00:00:08.232: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1
  *Mar  1 00:00:09.278: %SYS-6-LOGGERSTART: Logger process started
  *Mar  1 00:00:09.326: %SYS-5-RESTART: System restarted --
  Cisco IOS Software, C1240 Software (C1240-K9W8-M), Version 12.3(7)JX8, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2007 by Cisco Systems, Inc.
  Compiled Mon 19-Mar-07 01:42 by hqluong
  *Mar  1 00:00:09.332: %CDP_PD-4-POWER_OK: Full power - AC_ADAPTOR inline power source
  *Mar  1 00:00:09.388: %DOT11-6-FREQ_SCAN: Interface Dot11Radio0, Scanning frequencies for 32 seconds
  *Mar  1 00:00:10.271: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
  *Mar  1 00:00:10.332: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
  *Mar  1 00:00:10.332: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
  *Mar  1 00:00:11.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
  *Mar  1 00:00:28.331: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY
  *Mar  1 00:00:28.361: %DOT11-6-FREQ_USED: Interface Dot11Radio0, frequency 2462 selected
  *Mar  1 00:00:28.362: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
  *Mar  1 00:00:28.363: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
  *Mar  1 00:00:28.369: %DOT11-6-FREQ_USED: Interface Dot11Radio1, frequency 5260 selected
  *Mar  1 00:00:28.372: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
  *Mar  1 00:00:28.398: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
  *Mar  1 00:00:28.399: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
  *Mar  1 00:00:28.465: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
  *Mar  1 00:00:29.398: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
  *Mar  1 00:00:29.465: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
  Translating "CISCO-LWAPP-CONTROLLER.ekahospital.com"...domain server (202.134.0.155)
  *Mar  1 00:00:38.351: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address 172.31.xxx.xxx, mask 255.255.255.0, hostname AP68ef.bd5f.9a18
  *Mar  1 00:00:38.820: %DOT11-6-FREQ_USED: Interface Dot11Radio0, frequency 2417 selected
  *Mar  1 00:00:38.827: %DOT11-6-FREQ_USED: Interface Dot11Radio1, frequency 5200 selected (203.130.196.5)
  *Mar  1 00:00:49.835: %DOT11-6-FREQ_USED: Interface Dot11Radio0, frequency 2422 selected
  *Mar  1 00:00:49.842: %DOT11-6-FREQ_USED: Interface Dot11Radio1, frequency 5220 selected
  *Mar  1 00:00:49.851: %LWAPP-5-CHANGED: LWAPP changed state to JOIN
  *Mar  1 00:00:49.852: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
  *Mar  1 00:00:49.852: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
  *Mar  1 00:00:50.852: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
  *Mar  1 00:00:50.852: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
  *Sep 18 07:02:25.504: %LWAPP-5-CHANGED: LWAPP changed state to CFG
  *Sep 18 07:02:29.288: LWAPP_CLIENT_ERROR: lwapp_name_lookup - Could Not resolve CISCO-LWAPP-CONTROLLER.MYDOMAIN.com
  *Sep 18 07:02:30.504: LWAPP_CLIENT_ERROR_DEBUG: spamHandleCfgReqTimer: Did not recieve the Config response
  *Sep 18 07:02:30.551: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET CONFIG RESPONSE.
  *Sep 18 07:02:30.551: %LWAPP-5-CHANGED: LWAPP changed state to DOWNXmodem file system is available.
  flashfs[0]: 9 files, 3 directories
  flashfs[0]: 0 orphaned files, 0 orphaned directories
  flashfs[0]: Total bytes: 15998976
  flashfs[0]: Bytes used: 5062144
  flashfs[0]: Bytes available: 10936832
  flashfs[0]: flashfs fsck took 26 seconds.
  Base ethernet MAC Address: 68:ef:bd:5f:9a:18
  Initializing ethernet port 0...
  Reset ethernet port 0...
  Reset done!
  and after that i check in my WLC that shows
  AP with Base Radio MAC xx:xx:xx:xx:xx:xx (APxxxx.xxxx.xxxx) is unable to associate.
  The reulatory domain configured on it '-e' does not match the controller's country
  code: USA
  i found that the problem about the region.
  question :
  1. is it possible to change the region in AIRLAP 1242 or in WLC?
  2. if possible how to change it?
  INFO :
  my first AIRLAP Product/Model Number : AIR-LAP1242AG-A-K9 and my new AIRLAP Product/Model Number : AIR-LAP1242AG-E-K9

  WLC GUI >> Wireless >> Country >> Select the country.
  Regards
  Surendra

• Integration of Cisco Fax Server with CUCM

  Need some help with regards to the setup of Cisco Fax Server. I have Cisco Fax Server 9.4 Enterprise Suite which will be installed on Cisco 7816 server. Now my concern is with the integration of Fax server with CUCM. I have CUCM Ver 7. Could anyone tell me what configuration is required on CUCM and I believe we need to have dial-peer on the Voice gateway as well pointing to the Fax server. If anyone has deployed then please let me know the configuration on CUCM & the voice gateway.

  Hi..
  Thank u so much guys. I was mostly looking out for the integration of Fax server with CUCM, so i think this document should help. I has this document with me but had few doubts. Hopefully it should be cleared now. I will be doing the implementation later next week so i will keep you updated. Anyway thank u so much once again.
  Regards,
  Joy

• ISE device registration webauth with wlc 7.0 lwa

  Is it possible to use the DRW feature with WLCs running 7.0 code?  All configuration examples refer to 7.2 code.  Its only for guest user device registration.  No profiling / provisioning.
  Compatibility matrix says that "Wireless Controllers support MAC filtering with RADIUS lookup. For WLCs that support version 7.2.103.0, there is support for session ID and COA with MAC filtering so it is more MAB-like."
  Thanks.

  Hi,
  The reason you need to run the upgraded code is that the radius NAC feature coupled with a mac-filtering enabled SSID will work together. On the release prior you were unable to get both features to work with one another.
  For your reference here is the item in the New Features section of the 7.2 WLC release notes:
  http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_2.html#wp855314
  thanks,
  Tarik Admani
  *Please rate helpful posts*

• What is the lowest ISE version supported with WLC 7.3.112.0

  Dears
  Kindly i want to know what is the lowest version of ISE supported with WLC 7.3.112.0 or WLC 7.3.101.0
  Please need your feedback.
  Regards,

  the lowest version of ise supported wlc 7.3 is ISE 1.2 as per document :
  Wireless LAN Controller (WLC) 2500 8
  7.3.112.0.(ED), 7.4.x, 7.5
  Yes 9
  Yes
  Yes
  Yes
  Yes
  Yes
  Yes
  Yes
  Yes
  Wireless LAN Controller (WLC) 5500 8
  7.3.112.0.(ED), 7.4.x, 7.5
  Yes 9
  Yes
  Yes
  Yes
  Yes
  Yes
  Yes
  Yes
  Yes
  Wireless LAN Controller (WLC) 7500 8
  7.3.112.0.(ED), 7.4.x, 7.5
  Yes 9
  Yes
  Yes
  Yes
  Yes
  Yes
  Yes
  No
  Yes
  Wireless LAN Controller (WLC) 8500 8
  7.3.112.0.(ED), 7.4.x, 7.5
  Yes 9
  Yes
  Yes
  Yes
  Yes
  Yes
  Yes
  No
  Yes
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
  ISE 1.1 won't support wlc 7.3 :
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-1/compatibility/ise_sdt.html
  Wireless LAN Controller (WLC) 2100, 4400
   7.0.116.0
   No6
   Yes
   No
   Yes
   Yes
   Yes
   Yes
   No
   No
   Wireless LAN Controller (WLC) 2500, 5500
   7.2.103.0
   No6
   Yes
   Yes
   Yes
   Yes
   Yes
   Yes
   Yes
   No
   WLC 7500 Series
   7.2.103.0 (basic RADIUS auth supported in 7.0.116.0)
   Yes6
   Yes
   No
   Yes (local only)
   No
   Yes
   No
   No
   No

• Client get connected occationally with WLC 5508

  Hi ,
  I have one strange problem on wireless connection.
  I just upgraded several 1131 APs to LAP with 2 new Cisco 5508 controller deployed, and we found the clients sometime can get conneted to the 1131 AP, and connection well, sometimes cannot. during our test, one conecion is ok, next one cannot, the third one seems ok again and again.
  And we also have 2 new 1140 APs, seems no such problem,
  The version for controller is  6.0.196.0, and Client is Lenevo PC with XP.
  Any suggestion? or some troubleshooting procedure I can follow?
  Thanks!
  Roy

  Thanks!
  Seems some problem with open authentication.
  On the Client, it reported cannot get associated.
  on the WLC, while I am debug client it reports:
  *Jul 14 10:18:51.844: 00:1f:3c:c2:e9:71 Sending Assoc Response to station on BSSID c4:7d:4f:47:a5:c0 (status 12)
  *Jul 14 10:18:51.889: 00:1f:3c:c2:e9:71 Ignoring 802.11 assoc request from mobile pending deletion
  *Jul 14 10:18:51.889: 00:1f:3c:c2:e9:71 Sending Assoc Response to station on BSSID c4:7d:4f:47:a5:c0 (status 12)
  *Jul 14 10:18:51.928: 00:1f:3c:c2:e9:71 Ignoring 802.11 assoc request from mobile pending deletion
  *Jul 14 10:18:51.928: 00:1f:3c:c2:e9:71 Sending Assoc Response to station on BSSID c4:7d:4f:47:ae:b0 (status 12)
  *Jul 14 10:18:52.446: 00:1f:3c:c2:e9:71 apfMsExpireCallback (apf_ms.c:418) Expiring Mobile!
  *Jul 14 10:18:52.446: 00:1f:3c:c2:e9:71 apfMsExpireMobileStation (apf_ms.c:4427) Changing state for mobile 00:1f:3c:c2:e9:71 on AP c4:7d:4f:47:ae:b0 from Associated to Disassociated
  I am using remote radius with WLC only.
  The strange thing is, when get connected, it looks fine, but I tried disconnect manually, then connect again, it reported cannot get associated, then I try again, it can get connect again,....

• An issue with WLC 5508 and 7921 phone

  Hello all!
  I have a system with WLC 5508 and some 1242 APs. And I use a lot of 7921 phones.
  One of 7921 phones was in trouble. It loses registration, disconnect conversations...
  I installed the trial WLC and run voice diagnostics.
  I  saw some of "Potentially degraded QoS in downlink direction because of  incorrect packet classification" messages and one "Fair upstream packet  loss ratio: 1,2%, which is less than threshold 2.5%"
  As I understand all of 7921 phones in these area are affected.
  what  does it mean? I set up Platinum QoS for voice WLAN. I don't have any qos  configuration string for AP and WLC ports on switches...
  any ideas?
  thanx in advance

  Sergey:
  There is one application called "WLC Config analyzer". You save your "show run-config" from your WLC in a text file and import it by this application. it will analyze the file for you and tell you what recommendations for voice are missing so you improve them.
  When importing a config file you choose what voice clinets you are using, so you need to choose cisco 7921 to it tells you what config improvemetns is needed based on 7921 needs.
  Here is the link to download the application:
  https://supportforums.cisco.com/docs/DOC-1373
  download the latest versoin.
  BTW, how many voice/data clients are connected to one AP in that area? if I remember correctly if you are utilizing voice then the max number of clients connected to one AP should not exceed 17. If you have more than this number per AP try to minimize the number of users concurrently connected to the AP then try again.
  Hope you'll find the config analyzer useful.
  If useful please don't forget to rate.
  Amjad

• Cisco 4400 - 100 WLC ap manager IP address

  I am going to implement a Cisco 4400-100 WLC. I need it to manage 100 Cisco LWAPP AP's
  Can this be done with one AP Manager IP address?
  Is it recommended to have the AP manager and manager address on the same subnet?
  How many of the 4 fibre connectors need to be used to manage 100 AP's?
  Mark Cronin

  ok, you have 2 options one is work with AP MANAGER interfaces and the other is to work with LAG, whe LAG is enable you just need one AP MANAGER interface becouse the LAG makes the redundancy and load balancing function.
  checkout this link:
  http://cisco.com/en/US/docs/wireless/technology/controller/deployment/guide/dep.html
  In this section:
  Using Link Aggregation (LAG)

• Cisco UCM with Third Party Contact Center Solution

  Hi all, hope everyone is well.
  Anyone out there running Cisco UCM with a third party contact center solution ? would love to hear your experience on this subject.
  Thanks in advance !!
  Danny

  I have not heard of any sucessful stories, which vendor are you considering and what would you not go with UCCE/UCCX?
  I used to work for Rockwell (Aspect today) which attempted to integrate their Business Contact Solution with CUCM (back on 3.3) and it worked OK for low volume calls, but never had any customer adoption.
  I have not heard of any other known ACD vendors integrating with CUCM.
  Chris

• AP 1310 with WLC 5508

  Hi,
  I have upgraded my WLC 5508 from 7.0 to 7.4 and the AP 1310 no longer can associate to WLC.
  Seems that the AP doesn't work with WLC ver 7.4
  Except changing these APs to autonomous mode, any other alternatives?
  Besides, if we change them to autonomous mode, can Prime Infrastructure manage/monitor these APs?
  thanks.

  The 1310 last support is on v7.0.x of the WLC. See the matrix below.
  http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html
  Prime Infrastructure can monitor the Autonomous access point but will not do anything else than monitor. Config changes is done via the bridge/AP itself.
  Sent from Cisco Technical Support iPhone App

• Limiting Bandwitdth per user with WLC

  Hi,
  Is there anyone who can provide a deeper explanation for "Per-User Bandwidth Contracts (k)" on the "Edit QoS Profiles" menu of a Wireless LAN Controller 4402? Does it limit each value to 0 to 60 Kbps as maximum ONLY, as indicated on the Help window?
  I want to limit 512 Kbps per user (client attached to an AP) not for WLAN.
  I read http://www.cisco.com/univercd/cc/td/doc/product/wireless/hahcont/contc.htm#wp1041926 but it is not sufficient.
  I know I can do it with 3rd party equipments, but it is possible only with APs (1010, LAP1231), Cisco switches and WLC 4402?
  JVC

  Yes I think your assumption is correct. "Per-User Bandwidth Contracts (k)" limits each value at the maximum. This I think I have read in a document stating this information.

• Cisco 5500 Series WLC Field Recovery Compatibility

  Is Software Version 7.2.111.3 compatible with Field Recovery Image Version 7.6.95.16.

  Duplicate posts.  
  Go here:  http://supportforums.cisco.com/discussion/12154556/cisco-5500-series-wlc-field-recovery-compatibility

• Help me : Problem with WLC and AP

  Hi,
  We have a few AP on our network which work fine.
  But, those which are behind our fw don't work.
  LAN WI-FI with WLC  <>--------Lan Routed---with Ap (Ok) ------------------
                                   <> -------FW <> Vlan behind Fw and APs not work fine.
  WLC = Software Version                 7.0.220.0
  Logs  on WLC :
  spamApTask2: Jun 04 11:49:59.494: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
  *spamApTask1: Jun 04 11:48:49.323: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
  *spamApTask2: Jun 04 11:47:39.149: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
  *spamApTask1: Jun 04 11:46:28.978: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
  *spamApTask2: Jun 04 11:45:18.806: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
  *spamApTask1: Jun 04 11:44:08.632: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
  *osapiBsnTimer: Jun 04 11:43:51.235: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2202 Failed to complete DTLS handshake with peer 172.37.251.71
  debud dtls :
  *spamApTask1: Jun 04 11:22:42.434: 64:a0:e7:5f:e5:70 record=Alert epoch=0 seq=2
  *spamApTask1: Jun 04 11:22:42.435: 64:a0:e7:5f:e5:70 SSL_do_handshake: SSL_ERROR_SSL while communicating with 172.37.251.71 : (null)
  *spamApTask1: Jun 04 11:22:42.435: 64:a0:e7:5f:e5:70  Requested by openssl_dtls_process_packet
  *spamApTask1: Jun 04 11:22:42.435: dtls_conn_hash_delete: Deleting hash for Local 172.18.3.2:5246  Peer 172.37.251.71:52258
  *spamApTask1: Jun 04 11:22:42.435: 64:a0:e7:5f:e5:70 DTLS Connection 0x145520d0 closed by controller
  *spamApTask1: Jun 04 11:22:42.436: dtls_conn_hash_search: Searching hash for Local 172.18.3.2:5247  Peer 172.37.251.71:52258
  Cordially,

  HI,
  - On the fw-
  a. Make sure the FW is open for udp 5246 and 5247 ports required for the capwap process.
  If this is a cisco ASA, you can set up ingress and egress packet captures to see what packets enter and leave the FW for this AP-
  cap capin interface match udp any
  cap capout interface match udp any
  **match captures bidirectional flow for the interesting traffic.
  b. Check the logs on the firewall for any drops.
  c. cap capdrop type asp-drop all
  This will tell you if the pkt was dropped and the reason for the drop
  d. You can run the packet-tracer command on the firewall tracking this udp flow-
  e.g. packet-tracer input inside udp 3.3.3.3 1212 2.2.2.3 5246 detailed
  - What AP model is this? Is it the same AP that connects to the controller if there is no fw in the path?
  - Does it use MIC or SSC cert? If SSC, make sure you have SSC checked and you will need to manually enter the hash for the AP on the controller under AP Authorization List -
  Security> AP Policies
  You can get the hash of the AP (f you dont have it) by enabling the following debug on the controller
  debug pm pki enable
  Other controller debugs for the AP-
  debug mac address
  debug capwap error enable
  debug capwap events enable
  - What about AP console log? Do you have access to that?