
APs won't join vWLC 8.3

Austin Godbey
Level 1

Have a customer with all APs already associated to their main vWLC running 8.3. Created a new vWLC to act as their secondary controller. Statically assigned WLCs in HA tab for all APs. None of the APs will join the controller. APs are 3602i, 3702i, and 3802i. Same code on both vWLCs.

 

I see the following logs on the WLC:

*spamApTask7: May 16 18:11:37.611: %CAPWAP-3-DECODE_ERR: capwap_ac_sm.c:2732 Error decoding discovery request from AP 00:00:00:00:00:00
*spamApTask7: May 16 18:11:37.611: %CAPWAP-3-INVALID_PAYLOAD3: capwap_ac_decode.c:629 The system detects an invalid vendor type 12846 in WTP descriptor message element

 

On the AP Join status page the APs keep raising the discovery counter, but never transition to the join phase.

 

Capwap debugs don't show any errors, just keep repeating the discovery phase. Packet captures show the same.

21 Replies

Check the below things on the controller.

 

* Time and date (NTP configuration)

* Appropriate Country Code is enabled on the WLC.

* Licensing on the Controller.

 

If all are fine but the AP still didn’t join, enable . Please connect to the console of one AP and share the error logs on it while it is trying to join the secondary WLC.

 

 

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)

First 3 things I checked. Times are up to date, new licenses and eval licenses won't work, and country code matches both WLCs.

 

All the APs are currently joined to 1 controller, but when I try to fail them over to the new controller that is configured exactly the same, they don't join.

How is your second vWLC set up? Is it the same version?

A couple of things need to be checked: is the AP able to reach the secondary controller's IP address?

Is DHCP Option 43 set up for the secondary controller?

 

BB

***** Rate All Helpful Responses *****



@Austin Godbey wrote:

First 3 things I checked. Times are up to date, new licenses and eval licenses won't work, and country code matches both WLCs.

When you say new licenses and eval licenses won't work, does the vWLC show how many APs it can support?

 

You can confirm by doing a "show license all" in the CLI

 

 

 

<<< Please help the community by marking useful posts helpful, or accept as a solution if it resolved your issue >>>

(Cisco Controller) >show license all

Feature name: ap_count
License type: Evaluation
License Eula: Accepted
Evaluation total period: 12 weeks 6 days
Evaluation period left: 89 days
License state: Inactive, Not-In-Use
License Nodelocked: Yes
RTU License Count: 200

Feature name: ap_count (adder)
License type: Permanent
License state: Active, Not-In-Use
License Nodelocked: No
RTU License Count: 93


==================================
Total available count : 93
Total inuse count : 0

Austin Godbey
Level 1
I see the following from 'debug capwap errors' on the AP (removed names and IPs):

May 20 17:28:53 kernel: [*05/20/2019 17:28:53.0000] CAPWAP State: DTLS Setup
May 20 17:28:53 kernel: [*05/20/2019 17:28:53.0002] dtls_new_connection: Connection 0x24f0a00 is already there for this server port 5246, Deleting it. Number of connections: 388
May 20 17:28:53 kernel: [*05/20/2019 17:28:53.0002]
May 20 17:28:53 kernel: [*05/20/2019 17:28:53.0004] dtls_connectionDB_add_connection: Number of DTLS connections exceeded two
May 20 17:28:53 kernel: [*05/20/2019 17:28:53.0369] dtls_load_ca_certs: LSC Root Certificate not present
May 20 17:28:53 kernel: [*05/20/2019 17:28:53.0369]
May 20 17:28:53 kernel: [*05/20/2019 17:28:53.0375] dtls_verify_con_cert: Controller certificate verification error
May 20 17:28:53 kernel: [*05/20/2019 17:28:53.0375] dtls_process_packet: controller cert verification failed
May 20 17:28:53 kernel: [*05/20/2019 17:28:53.0397] DTLS: Received packet 0x256c000 caused DTLS to close connection
May 20 17:28:53 kernel: [*05/20/2019 17:28:53.0398] sendPacketToDtls: DTLS: Closing connection 0x24f0a00.
May 20 17:28:53 kernel: [*05/20/2019 17:28:53.0398]
May 20 17:28:53 kernel: [*05/20/2019 17:28:53.0398] Lost connection to the controller, going to restart CAPWAP...
May 20 17:28:53 kernel: [*05/20/2019 17:28:53.0398]
May 20 17:28:53 kernel: [*05/20/2019 17:28:53.0401] DTLS: Error while processing DTLS packet 0x250a000.
May 20 17:28:53 kernel: [*05/20/2019 17:28:53.0401] Restarting CAPWAP State Machine.
May 20 17:28:53 kernel: [*05/20/2019 17:28:57.7510] No more AP manager addresses remain..
May 20 17:28:53 kernel: [*05/20/2019 17:28:57.7510] No valid AP manager found for controller '***-****-*' (ip: *.*.*.*)
May 20 17:28:53 kernel: [*05/20/2019 17:28:57.7510] Failed to join controller ***-****-*.
May 20 17:28:53 kernel: [*05/20/2019 17:28:57.7510] Failed to join controller.
May 20 17:28:53 kernel: [*05/20/2019 17:28:53.0000]

Also I just updated from 8.3.112 to 8.3.143 in case it was a bug with that release. APs still won't join controller.
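
One way to pull the first failing step out of AP debug output like the log in the post above, per join attempt. This is an added example, not part of the original thread and not Cisco tooling; the function names and the list of failure markers are assumptions built only from the strings visible in that log.

```python
import re
from collections import Counter

# Sample input: a subset of the AP debug lines quoted in the post above.
SAMPLE = """\
May 20 17:28:53 kernel: [*05/20/2019 17:28:53.0000] CAPWAP State: DTLS Setup
May 20 17:28:53 kernel: [*05/20/2019 17:28:53.0004] dtls_connectionDB_add_connection: Number of DTLS connections exceeded two
May 20 17:28:53 kernel: [*05/20/2019 17:28:53.0369] dtls_load_ca_certs: LSC Root Certificate not present
May 20 17:28:53 kernel: [*05/20/2019 17:28:53.0369]
May 20 17:28:53 kernel: [*05/20/2019 17:28:53.0375] dtls_verify_con_cert: Controller certificate verification error
May 20 17:28:53 kernel: [*05/20/2019 17:28:53.0375] dtls_process_packet: controller cert verification failed
May 20 17:28:53 kernel: [*05/20/2019 17:28:53.0401] Restarting CAPWAP State Machine.
May 20 17:28:53 kernel: [*05/20/2019 17:28:57.7510] Failed to join controller.
"""

# Bracketed AP clock, then the message (empty on spacer lines).
LINE = re.compile(r"\[\*(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+)\]\s*(.*)$")
STATE = re.compile(r"^CAPWAP State: (.+)$")
# Assumption: failure markers chosen from the strings seen in this thread only.
FAIL = re.compile(r"verification (error|failed)|Error while processing DTLS", re.I)
END = "Restarting CAPWAP State Machine"

def parse(text):
    """Yield (ap_timestamp, message) for every non-empty debug line."""
    for raw in text.splitlines():
        m = LINE.search(raw)
        if m and m.group(2).strip():
            yield m.group(1), m.group(2).strip()

def join_attempts(text):
    """Split the log into join attempts; keep last state and first failure line."""
    attempts, cur = [], None
    for ts, msg in parse(text):
        state = STATE.match(msg)
        if state and cur is None:
            cur = {"start": ts, "state": state.group(1), "first_failure": None}
            attempts.append(cur)
        elif state:
            cur["state"] = state.group(1)
        elif cur is not None:
            if cur["first_failure"] is None and FAIL.search(msg):
                cur["first_failure"] = (ts, msg)
            if msg.startswith(END):
                cur = None
    return attempts

def summarize(attempts):
    """Count attempts by (last state, first failure message)."""
    return Counter((a["state"], (a["first_failure"] or ("", "none"))[1]) for a in attempts)
```

Run over a long capture, `summarize(join_attempts(log_text))` shows whether every attempt stops at the same step, here the controller certificate check during DTLS Setup.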

Have you tried to clear the CAPWAP settings on one of the APs?

Yes if we're talking about Wireless>AP>General "Clear all config" or "Clear config Except Static IP"

Hi mate,

 

It seems that on the primary WLC you are running a Locally Significant Cert.

You may not have configured it on the other WLC.

Basically, the AP is not joining since it does not trust the 2nd WLC.

Can you run this command on both WLCs: "show certificate lsc summary"

 

Cheers,


Raffy

 

PRIMARY CONTROLLER

(Cisco Controller) >show certificate lsc summary

LSC Enabled...................................... No
LSC CA-Server.................................... None

LSC AP-Provisioning.............................. No

LSC Params:
Country......................................
State........................................
City.........................................
Orgn.........................................
Dept.........................................
Email........................................
KeySize...................................... 2048

LSC Certs:
CA Cert...................................... Not Configured
RA Cert...................................... Not Configured
DEV Cert..................................... Not Configured

 

SECONDARY CONTROLLER

(Cisco Controller) >show certificate lsc sum

LSC Enabled...................................... No
LSC CA-Server.................................... None

LSC AP-Provisioning.............................. No

LSC Params:
Country......................................
State........................................
City.........................................
Orgn.........................................
Dept.........................................
Email........................................
KeySize...................................... 2048

LSC Certs:
CA Cert...................................... Not Configured
RA Cert...................................... Not Configured
DEV Cert..................................... Not Configured

Issue these commands on Secondary WLC and check the status.

 

(Cisco Controller) >config ap cert-expiry-ignore mic enable
(Cisco Controller) >config ap cert-expiry-ignore ssc enable

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)

Made this change and it did not do anything. AP still won't join.

Please run the below debug commands and share the output.

 

(Cisco Controller) >debug capwap events enable
(Cisco Controller) >debug pm pki enable
(Cisco Controller) >debug capwap packet enable
(Cisco Controller) >debug mac addr <ap-mac-address>

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)