Lightweight Access Point joining issues to WLC Part 1

In this post I will try to cover as many as possible of the problems that stop an AP from joining a WLC.

First of all we should know that there are two types of Access Points (I am only talking about Cisco products):

  1. Autonomous AP or Standalone AP
  2. Lightweight AP

An autonomous AP does not need a WLC to operate and can be used in small office / home office scenarios. (I will not go into detail here; maybe in a later post we will see how it works and how it is configured.)

Lightweight AP: This type of AP can only be used with Wireless LAN Controllers. These are used in medium to large deployments.

How to verify whether it is an autonomous AP or a lightweight AP?

Here are the two ways:

  • Connect to the AP using a console cable and log in to the AP (if you need to enter credentials, the default username and password are Cisco, and the default enable password is Cisco). As a side note, the autonomous AP code prompts by default with ap> and only requires you to enter an enable password. The lightweight code asks you for a username and password by default, and displays the AP MAC address as the prompt by default. So this might be a first indication, but all of this can be changed through configuration, so it is just a hint, not a definitive check.
  • On the AP console, type show version. If the AP runs autonomous code, the version string will contain k9w7. If the AP runs lightweight code, the version string will contain k9w8.
  • Want to know more about AP versions? Go here: Understand AP IOS Images

Now we know that only LAPs have to join a WLC; without a WLC these kinds of AP will not work.

Before starting to find out why the AP is not joining, we must first understand what happens behind the scenes.

In order for the WLC to be able to manage the LAP, the LAP must discover the controller and register with the WLC. There are different methods that a LAP uses in order to discover the WLC.

Four main events occur:

  1. Discovery Requests
  2. Discovery Response
  3. Join Request
  4. Join Response

Refer to: LAP Registration to WLC

So now we assume that the AP got an IP address, either statically or via DHCP.

Without an IP address the AP will not do anything, so first we need to assign an IP to the AP; only then can it send a discovery request.

Basic things to check:

  1. Did the AP get an IP via DHCP?
  2. Can you ping the AP from the WLC, or vice versa?
  3. Is this specific VLAN (in which the AP got its IP) blocked by anything on the switch, such as STP?
  4. Check the logs on the AP: it must start sending discovery requests for WLCs.

If everything is OK so far, then we can start with some common issues due to which a LAP does not join a WLC.

Scenario 1: Mismatch in Regulatory Domain

I have seen these errors many times:

We must enable debug capwap <events/errors> enable or debug lwapp <events/errors> enable

Sample Error Logs:

802.a or 80211bg Regulatory Domain (-E) does not match with country(AU )
AP RegDomain check for the country AU failed
Regulatory Domain check Completely FAILED The AP will not be allowed to join

These errors clearly show that there is a mismatch between the regulatory domain of the LAP and that of the WLC. To resolve this issue, add the country for which the AP was built to the list of countries supported on the controller, from Wireless > Country. All 802.11b/g and 802.11a radios must be disabled before the controller country-code list can be changed.

[Screenshot: Wireless > Country page on the WLC]

In my example I only configured DE; this country supports the -E- regulatory domain on the AP:

The WLC can support multiple regulatory domains, but each regulatory domain must be selected before a LAP from that domain can join. When you purchase APs and WLCs, ensure that they share the same regulatory domain. Only then can the LAPs register with the WLC.

Here you can check the Wireless Compliance Status: which regulatory domain the Access Points support for a specific country.

Scenario 2: Certificate and Time

The AP and the controller need to exchange certificates to create a secure tunnel for communication. These certificates have a creation date and an expiry date. If the time and date on the WLC are wrong, the AP certificate will be refused because it is either not valid yet or not valid anymore.

We must run these debug commands to find out the exact error:

debug capwap errors enable and debug pm pki enable

Sample Error logs:

Does not include valid certificate in CERTIFICATE_PAYLOAD from AP MACADDRESS. Unable to free public key.
Current time outside AP cert validity interval: make sure the controller time is set.

To resolve this kind of issue, set the controller time and date to the present value, from the GUI: Command > Set Time, or with the config time command from the CLI.

[Screenshot: Command > Set Time page on the WLC]

We can also receive this kind of message if the AP certificate is not valid anymore or is corrupted. In this case we must return the AP to our supplier and get a new one.

We can check the AP certificate validity with this command: show crypto ca certificates

Scenario 3: Firewall Blocking Necessary Ports

When APs and controllers are in different subnets, make sure that routing and firewall filters allow traffic both ways.

Enable these UDP ports for LWAPP traffic:

UDP ports 12222 and 12223 must be open in both directions.

Enable these UDP ports for CAPWAP traffic:

UDP ports 5246 and 5247 must be open in both directions.

If the AP cannot access the controller on UDP port 5246 (CAPWAP Control), the discovery and join requests never reach the controller. The result is that the AP is not seen on the controller, and the debug capwap event enable command on the controller does not display any message about the AP.

If the controller cannot access the AP UDP port 5246 (CAPWAP Control), the discovery and join requests never reach the AP. The result is that the controller receives discovery requests, answers with discovery responses, but the AP does not get these responses and never moves to the join phase.

Scenario 4: Brand New Access Points

With new Access Points, or even with old APs, we can run into compatibility issues with the WLC version.

Example: The 1600 and 3600 APs are new models, and require new controller codes. The 1600 AP requires controller code release 7.4.100.0 or later, and the 3600 AP requires controller code 7.2 or later. The same issue affects 802.11n APs and older controller codes. If the controller code is too old, the AP model is not recognized.

We must run these debug commands to find out the exact error:

debug capwap errors enable

Sample Error Logs

AP Associated. Base Radio MAC: MAC ADDRESS
AP Disassociated. Base Radio MAC: MAC ADDRESS
AP with MAC MAC ADDRESS is unknown.

To resolve this issue, we have to upgrade the controller code or have the AP discover a controller running the appropriate code version.
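The sample error lines from Scenarios 1, 2 and 4 are distinctive enough to match automatically. The script below is an added example, not part of the original post: it runs the post's signatures over pasted debug output and maps each hit to the fix described above. The sample lines are constructed from the messages quoted in this post, and the MAC address is a made-up placeholder; the "AP never appears in the output" check models the Scenario 3 symptom where the controller logs nothing for the AP.

```python
import re

# Sample debug output, constructed from the error messages quoted in the post
# (Scenarios 1, 2 and 4); the MAC address is a made-up placeholder.
SAMPLE_DEBUG = """\
802.a or 80211bg Regulatory Domain (-E) does not match with country(AU )
AP RegDomain check for the country AU failed
Regulatory Domain check Completely FAILED The AP will not be allowed to join
Does not include valid certificate in CERTIFICATE_PAYLOAD from AP 00:11:22:33:44:55. Unable to free public key.
Current time outside AP cert validity interval: make sure the controller time is set.
AP Associated. Base Radio MAC: 00:11:22:33:44:55
AP Disassociated. Base Radio MAC: 00:11:22:33:44:55
AP with MAC 00:11:22:33:44:55 is unknown.
"""

# (pattern, scenario label, fix): the signatures and fixes come from the post.
RULES = [
    (re.compile(r"Regulatory Domain .*does not match|RegDomain check .*failed|Regulatory Domain check Completely FAILED"),
     "regulatory-domain-mismatch",
     "Add the AP's country under Wireless > Country (disable the radios first)."),
    (re.compile(r"Current time outside AP cert validity interval|Does not include valid certificate"),
     "certificate-time",
     "Set the controller date/time (Command > Set Time or 'config time'); if it persists the AP cert may be expired or corrupt."),
    (re.compile(r"AP with MAC .* is unknown"),
     "ap-model-unknown",
     "Upgrade the controller code or join a controller running a version that supports this AP model."),
]
NO_TRAFFIC_FIX = "Controller logged nothing for this AP: check routing and that UDP 5246/5247 are open both ways."

def triage(debug_text, ap_mac=None):
    """Map each failure signature found in debug_text to its fix.
    If ap_mac is given but never appears in the output, report the Scenario 3
    symptom: the controller saw nothing from the AP (CAPWAP control port blocked)."""
    findings = {}
    for line in debug_text.splitlines():
        for pattern, label, fix in RULES:
            if pattern.search(line):
                findings.setdefault(label, fix)
    if ap_mac and ap_mac.lower() not in debug_text.lower():
        findings["no-traffic-from-ap"] = NO_TRAFFIC_FIX
    return findings

if __name__ == "__main__":
    for label, fix in triage(SAMPLE_DEBUG, "00:11:22:33:44:55").items():
        print(f"{label}: {fix}")
```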

Check here the Cisco Software Compatibility Matrix

Find out the version on the WLC via the GUI: go to Monitor and check the Controller Summary

[Screenshot: Monitor > Controller Summary page on the WLC]


Via CLI:

(WLAN1) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.240.0
RTOS Version..................................... 7.0.240.0
Bootloader Version............................... 4.0.191.0
Emergency Image Version.......................... N/A
Build Type....................................... DATA + WPS
System Name...................................... WLAN1
System Location.................................. Test Lab
System Contact................................... Sandeep
System ObjectID.................................. 1.3.6.1.4.1.9.1.828
IP Address....................................... 10.99.80.1
System Up Time................................... 3 days 23 hrs 12 mins 31 secs
System Timezone Location......................... (GMT +1:00) Amsterdam, Berlin, Rome, Vienna
Configured Country............................... DE  - Germany
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +42 C
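To turn the version check from Scenario 4 into something repeatable, the example below (added here, not code from the original post) pulls the Product Version out of show sysinfo output and compares it with the minimum controller code the post gives for the 1600 (7.4.100.0) and 3600 (7.2) APs. The sysinfo text is a constructed copy of the relevant lines above; the per-model minimum table is an assumption limited to the two models named in the post.

```python
import re

# Relevant lines of 'show sysinfo' as quoted in the post (constructed copy).
SHOW_SYSINFO = """\
(WLAN1) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.240.0
RTOS Version..................................... 7.0.240.0
Configured Country............................... DE  - Germany
"""

# Minimum controller code per AP model, as stated in Scenario 4 of the post.
MIN_WLC_CODE = {
    "1600": "7.4.100.0",
    "3600": "7.2",
}

def parse_version(text):
    """'7.0.240.0' -> (7, 0, 240, 0); shorter strings are zero-padded so '7.2' -> (7, 2, 0, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def product_version(sysinfo):
    """Extract the 'Product Version' field from 'show sysinfo' output."""
    m = re.search(r"^Product Version\.+\s*(\S+)", sysinfo, re.M)
    if not m:
        raise ValueError("Product Version not found in show sysinfo output")
    return m.group(1)

def ap_supported(ap_model, sysinfo):
    """True if the controller runs code new enough for the given AP model."""
    minimum = MIN_WLC_CODE[ap_model]
    return parse_version(product_version(sysinfo)) >= parse_version(minimum)

if __name__ == "__main__":
    for model in MIN_WLC_CODE:
        print(model, "supported" if ap_supported(model, SHOW_SYSINFO) else "controller needs upgrade")
```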


Part 2 coming soon……. 🙂


23 Comments

  1. Hats off to you guys for taking the pain and making the profession great. Love you all, dear; because of all you great engineers our work becomes smooth. Really great efforts by you and the whole team who are doing this job.

    Thank you so much !!

  2. Hi,
    I am having this weird issue. I set up a FlexConnect AP which has a static IP address. The AP broadcasts the SSID which I created on the controller, and I can even connect to the wireless and it works swiftly. But I don’t see the AP on the controller. Could you please help me out?

    • I did face this issue. When I checked on the AP console it was associated to the controller, and nothing was seen on the controller. Later on I figured out the issue: it was an IP conflict with another controller. The same IP was used by another device. The issue got resolved after changing the IP address of the controller.

  3. I would like to get all APs’ IP addresses using the Wireless Controller. My intention is that I do not want to discover APs; I am interested in WLCs. So whenever I encounter an AP I would like to discard/filter that IP from further processing. Is there any better approach for the same?

  4. I forgot to mention another important criterion: I would like to filter out all APs without communicating using SNMP. I can filter the devices based on sysOID, but for this I need to communicate using SNMP. Here I do not want to poll the device using SNMP.

  5. Great post, but I have a different set of errors.
    The AP gets an IP, I can ping the AP from the WLC, the discovery phase is going well, but I don’t see the join phase. Below is the error from the debug command
    (my APs are brand new 3802I and the controller is a 5520 with version 8.2)

    spamApTask5: Nov 21 13:33:40.351: apType: Ox34 bundleApImageVer:
    *spamApTask5: Nov 21 13:33:40.351: Could not find image version of bundled AP(apType: 52)!!!
    *spamApTask5: Nov 21 13:33:40.351: Unable to get AP Bundled Version. Using Controller Version!!!

    Can someone help, how to fix this?

    • Patil ji,
      I responded on CSC as well.
      We need to check the AP console to find out the exact cause. But still you can check these:
      1. The country code on the WLC and AP must match.
      2. Is the correct time configured on the WLC?
      3. If the AP has a mesh image, then add the AP MAC address in the WLC!
      4. This AP needs a minimum SW image (8.2.110.0) on the WLC to join!!!

      Regards
      RSCCIEW

  6. Hi there,

    After a power outage the message below appears on my APs. Looks like the certificate has expired.

    I’ve verified the date & time on the WLC.
    Does the IOS need to be upgraded? Are there any workarounds?

    *Jan 18 21:58:15.040: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Jan 18 21:58:15.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.96.0.6 peer_port: 5246
    *Jan 18 21:58:15.164: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed.
    The certificate (SN: 54A93ECE0000000A8662) has expired. Validity period ended on 17:47:34 UTC Dec 28 2016
    *Jan 18 21:58:15.165: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
    *Jan 18 21:58:15.165: %CAPWAP-3-ERRORLOG: Certificate verification failed!
    *Jan 18 21:58:15.165: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:161 Certificate verified failed!
    *Jan 18 21:58:15.165: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 10.96.0.6
    *Jan 18 21:58:15.166: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.96.0.6
    *Jan 18 21:58:15.166: %DTLS-3-BAD_RECORD: Erroneous record received from 10.96.0.6: Malformed Certificate
    *Jan 18 21:58:15.166: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
    *Jan 18 21:59:20.030: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Jan 18 21:59:20.036: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Jan 18 21:59:20.037: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
    *Jan 18 21:59:20.038: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Jan 18 21:59:20.039: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Jan 18 21:59:20.041: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    wtpDecodeDiscovery Response numOfCapwapDiscoveryResp = 0
    wtpDecodeDiscovery Response numOfCapwapDiscoveryResp = 1

  7. Hi
    I’m unable to add an AP to the WLC… It throws the following debug log.
    Please help me.

    spamApTask2: Feb 01 16:17:40.078: a0:e0:af:cd:e1:ab Total msgEleLen = 40
    *spamApTask2: Feb 01 16:17:40.078: a0:e0:af:cd:e1:ab msgEleLength = 10 msgEleType = 37
    *spamApTask2: Feb 01 16:17:40.078: a0:e0:af:cd:e1:ab Vendor specific payload from AP a0:e0:af:cd:e1:ab validated
    *spamApTask2: Feb 01 16:17:40.078: a0:e0:af:cd:e1:ab Total msgEleLen = 26
    *spamApTask2: Feb 01 16:17:40.078: a0:e0:af:cd:e1:ab msgEleLength = 22 msgEleType = 37
    *spamApTask2: Feb 01 16:17:40.078: a0:e0:af:cd:e1:ab Vendor specific payload from AP a0:e0:af:cd:e1:ab validated
    *spamApTask2: Feb 01 16:17:40.078: a0:e0:af:cd:e1:ab Total msgEleLen = 0
    *spamApTask2: Feb 01 16:17:40.078: a0:e0:af:cd:e1:ab 1. 0 0
    *spamApTask2: Feb 01 16:17:40.079: a0:e0:af:cd:e1:ab 2. 232 3
    *spamApTask2: Feb 01 16:17:40.079: a0:e0:af:cd:e1:ab 3. 1 0
    *spamApTask2: Feb 01 16:17:40.079: a0:e0:af:cd:e1:ab 4. 12 0
    *spamApTask2: Feb 01 16:17:40.079: a0:e0:af:cd:e1:ab Discovery resp: AC Descriptor message element len = 40
    *spamApTask2: Feb 01 16:17:40.079: a0:e0:af:cd:e1:ab acName = DEMO-WC
    *spamApTask2: Feb 01 16:17:40.079: a0:e0:af:cd:e1:ab Discovery resp:AC Name message element length = 50
    *spamApTask2: Feb 01 16:17:40.079: a0:e0:af:cd:e1:ab Discovery resp: WTP Radio Information msg length = 59
    *spamApTask2: Feb 01 16:17:40.079: a0:e0:af:cd:e1:ab Discovery resp: CAPWAP Control IPV4 Address len = 69
    *spamApTask2: Feb 01 16:17:40.079: a0:e0:af:cd:e1:ab Discovery resp: CAPWAP Control IPV6 Address len = 69
    *spamApTask2: Feb 01 16:17:40.079: a0:e0:af:cd:e1:ab Discovery resp: Mwar type payload len = 80
    *spamApTask2: Feb 01 16:17:40.079: a0:e0:af:cd:e1:ab Discovery resp: Expire MIC type payload len = 94
    *spamApTask2: Feb 01 16:17:40.079: a0:e0:af:cd:e1:ab Discovery resp: Time sync payload len = 109
    *spamApTask2: Feb 01 16:17:40.079: a0:e0:af:cd:e1:ab WTP already released
    *spamApTask3: Feb 01 16:17:42.231: a0:3d:6f:1a:eb:00 CAPWAP Control Msg Received from 192.168.31.162:11873
    *spamApTask3: Feb 01 16:17:42.231: a0:e0:af:ed:0a:10 packet received of length 278 from 192.168.31.162:11873
    *spamApTask3: Feb 01 16:17:42.231: a0:e0:af:ed:0a:10 Msg Type = 3 Capwap state = 0
    *spamApTask3: Feb 01 16:17:42.231: a0:e0:af:ed:0a:10 Total msgEleLen = 234
    *spamApTask3: Feb 01 16:17:42.231: a0:e0:af:ed:0a:10 Total msgEleLen = 168
    *spamApTask3: Feb 01 16:17:42.231: a0:e0:af:ed:0a:10 Total msgEleLen = 124
    *spamApTask3: Feb 01 16:17:42.231: a0:e0:af:ed:0a:10 Total msgEleLen = 104
    *spamApTask3: Feb 01 16:17:42.232: a0:e0:af:ed:0a:10 Total msgEleLen = 96
    *spamApTask3: Feb 01 16:17:42.232: a0:e0:af:ed:0a:10 Total msgEleLen = 91
    *spamApTask3: Feb 01 16:17:42.232: a0:e0:af:ed:0a:10 Total msgEleLen = 86
    *spamApTask3: Feb 01 16:17:42.232: a0:e0:af:ed:0a:10 Total msgEleLen = 78
    *spamApTask3: Feb 01 16:17:42.232: a0:e0:af:ed:0a:10 Total msgEleLen = 72
    *spamApTask3: Feb 01 16:17:42.232: a0:e0:af:ed:0a:10 Vendor specific payload from AP a0:e0:af:ed:0a:10 validated
    *spamApTask3: Feb 01 16:17:42.232: a0:e0:af:ed:0a:10 Total msgEleLen = 55
    *spamApTask3: Feb 01 16:17:42.232: a0:e0:af:ed:0a:10 Vendor specific payload from AP a0:e0:af:ed:0a:10 validated
    *spamApTask3: Feb 01 16:17:42.232: a0:e0:af:ed:0a:10 Created AP a0:e0:af:ed:0a:10
    *spamApTask3: Feb 01 16:17:42.232: a0:e0:af:ed:0a:10 Join Request: Total msgEleLen = 234
    *spamApTask3: Feb 01 16:17:42.232: a0:e0:af:ed:0a:10 Join Request: Total msgEleLen = 168
    *spamApTask3: Feb 01 16:17:42.232: a0:e0:af:ed:0a:10 Join Request: Total msgEleLen = 124
    *spamApTask3: Feb 01 16:17:42.232: a0:e0:af:ed:0a:10 Join Request: Total msgEleLen = 104
    *spamApTask3: Feb 01 16:17:42.232: a0:e0:af:ed:0a:10 Join Request: Total msgEleLen = 96
    *spamApTask3: Feb 01 16:17:42.232: a0:e0:af:ed:0a:10 Join Request: Total msgEleLen = 91
    *spamApTask3: Feb 01 16:17:42.232: a0:e0:af:ed:0a:10 Join Request: Total msgEleLen = 86
    *spamApTask3: Feb 01 16:17:42.232: a0:e0:af:ed:0a:10 Join Request: Total msgEleLen = 78
    *spamApTask3: Feb 01 16:17:42.232: a0:e0:af:ed:0a:10 Join Request: Total msgEleLen = 7
