topic Re: Test 9800-CL Wireless Controller setup and configuration as a third controller in Wireless

Test 9800-CL Wireless Controller setup and configuration as a third controller

Group IT — Mon, 05 Jul 2021 18:11:37 GMT

Hi All,

I thought I was getting to grips with the wireless world but I am finding that I am a little out of my depth setting up a test Cisco Catalyst 9800-CL Wireless Controller.

This will be my third controller, this one I am testing in a VMWare ESXi environment which sits on my live network.

So I have controller one at our HQ "CISCO-CAPWAP-CONTROLLER" is on 10.11.0.230, controller two is in a datacentre "CISCO-CAPWAP-CONTROLLER" and is on 10.11.202.230. I have introduced controller three which is the test 9800-CL Wireless Controller at our HQ also "CISCO-CAPWAP-CONTROLLER" and is on IP 10.11.0.199.

I have a test C9120AXI-E which is plugged into a trunked port. Quite rightly so, the older controllers are rejecting it, but it never seems to attempt to connect to the 9800-CL. It seems to just repeat the following process:

 CAPWAP State: Discovery
[*10/23/2019 14:04:17.6470] IP DNS query for CISCO-CAPWAP-CONTROLLER.mydomain.local
[*10/23/2019 14:04:17.6500] DNS resolved CISCO-CAPWAP-CONTROLLER.mydomain.local
[*10/23/2019 14:04:17.6500] DNS discover IP addr: 10.11.0.199
[*10/23/2019 14:04:17.6500] DNS discover IP addr: 10.11.0.230
[*10/23/2019 14:04:17.6500] DNS discover IP addr: 10.11.202.230
[*10/23/2019 14:04:17.6510] Discovery Request sent to 10.11.0.199, discovery type DNS(3)
[*10/23/2019 14:04:17.6520] Discovery Request sent to 10.11.202.230, discovery type DNS(3)
[*10/23/2019 14:04:17.6530] Discovery Request sent to 10.11.0.230, discovery type DNS(3)
[*10/23/2019 14:04:17.6540] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*10/23/2019 14:04:17.6560] Discovery Response from 10.11.0.230
[*10/23/2019 14:04:17.6610] Discovery response from MWAR 'wlc-h003214' running version 8.5.151.0 is rejected.
[*10/23/2019 14:04:17.6610] Failed to decode discovery response(status = 4).
[*10/23/2019 14:04:17.6610] CAPWAP SM handler: Failed to process message type 2 state 2.
[*10/23/2019 14:04:17.6610] Failed to handle capwap control message from controller - status 4
[*10/23/2019 14:04:17.6610] Failed to process unencrypted capwap packet 0x55a0066000 from 10.11.0.230
[*10/23/2019 14:04:17.6610] Failed to send message to CAPWAP state machine, msgId 0
[*10/23/2019 14:04:17.6610] Failed to send capwap message 0 to the state machine. Packet already freed.
[*10/23/2019 14:04:17.6610] IPv4 wtpProcessPacketFromSocket returned 4
[*10/23/2019 14:04:17.6620] Discovery Response from 10.11.202.230
[*10/23/2019 14:04:17.6650] Discovery response from MWAR 'wlc-h000453' running version 8.5.151.0 is rejected.
[*10/23/2019 14:04:17.6650] Failed to decode discovery response(status = 4).
[*10/23/2019 14:04:17.6650] CAPWAP SM handler: Failed to process message type 2 state 2.
[*10/23/2019 14:04:17.6650] Failed to handle capwap control message from controller - status 4
[*10/23/2019 14:04:17.6650] Failed to process unencrypted capwap packet 0x55a0064000 from 10.11.202.230
[*10/23/2019 14:04:17.6650] Failed to send message to CAPWAP state machine, msgId 0
[*10/23/2019 14:04:17.6650] Failed to send capwap message 0 to the state machine. Packet already freed.
[*10/23/2019 14:04:17.6650] IPv4 wtpProcessPacketFromSocket returned 4

So from what I can see, DNS is configured correctly so that the AP can see all of the available controllers but I doesn't seem to be requesting to join the 9800-CL.

Can anyone advise what step I have missed or where I can check whats going wrong?

Thanks in advance.

Re: Test 9800-CL Wireless Controller setup and configuration as a third controller

MrDude — Thu, 24 Oct 2019 08:17:10 GMT

Hi,

Can you check the wireless management trustpoint?

show wireless management trustpoint

It should look something like:
Trustpoint Name : CISCO_IDEVID_SUDI
Certificate Info : Available
Certificate Type : MIC
Private key Info : Available
FIPS suitability : Not Applicable

If this isn't the case you can generate it with: wireless config vwlc-ssc key-size 2048 signature-algo sha256 password ThisisaPassword01

Re: Test 9800-CL Wireless Controller setup and configuration as a third controller

Group IT — Thu, 24 Oct 2019 10:41:04 GMT

Hi Mr Dude,

Thanks for the suggestion. I ran the command as you suggested and indeed I do not have any Trustpoint listed. However, I can't seem to get the controller into config mode. Config t. conf t. doesn't seem to work and enable isn't accepted either. I tried to run it and got the following:

v000002>wireless config vwlc-ssc key-size 2048 signature-algo sha256 password superpassword
^
% Invalid input detected at '^' marker.

Am I doing something really silly?

Thanks.

Re: Test 9800-CL Wireless Controller setup and configuration as a third controller

MrDude — Fri, 25 Oct 2019 12:01:13 GMT

Hi, it looks like you need to go in to enable mode first. You shouldn't have to go in to configuration terminal to run the command.

Re: Test 9800-CL Wireless Controller setup and configuration as a third controller

Group IT — Tue, 03 Dec 2019 10:15:54 GMT

Hey sorry! I have only just got back round to taking a look at this.

I think the problem was the the command to generate certificate had not specified an encryption level but still after it does not report any trustpoint.

wireless config vwlc-ssc key-size 2048 signature-algo sha256 password 7 ThisisaPassword0

wlc>show wireless management trustpoint
Trustpoint Name :
Certificate Info : Not Available
Private key Info : Not Available
FIPS suitability : Not Applicable