
Problem deploying new AIR-CT5508-25-K9 WLC

stevembuvi

Dear friends,

I have a serious headache with the 5508 controller. It caused MAC address flapping in the LAN, overloading all switches' MAC address tables.

I need some tips on how to configure and deploy the WLC in a production network.

Thanks


How do you connect 5508 to your network ? Have you connected it to two different switches ?

Post below output from your WLC

1. show interface summary

2. show interface detail management

From your switch where WLC connected,

1. show run inter gx/x

HTH

Rasika

Thanks Manannalage,

See below outputs. I also noticed the interface connected to the controller keeps on counting errors.

I am connecting the controller to one switch.

Switch
==========================================================================
VILLA-MEDINA-SW2#sh int g0/2
GigabitEthernet0/2 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 2c3f.384a.201a (bia 2c3f.384a.201a)
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 133/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not set
Full-duplex, 1000Mb/s, link type is auto, media type is 1000BaseSX SFP
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:59, output 00:00:01, output hang never
Last clearing of "show interface" counters 00:01:19
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1 packets input, 1843 bytes, 0 no buffer
Received 1 broadcasts (1 multicasts)
24 runts, 0 giants, 0 throttles
24 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 1 multicast, 0 pause input
0 input packets with dribble condition detected
45 packets output, 3345 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
VILLA-MEDINA-SW2#sh run int g0/2
Building configuration...

Current configuration : 36 bytes
!
interface GigabitEthernet0/2
end

VILLA-MEDINA-SW2#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID Local Intrfce Holdtme Capability Platform Port ID
CONTROLLER1 Gig 0/2 166 H AIR-CT550 Gig 0/0/3
SEPA4934C403F1F Fas 0/5 161 H P M IP Phone Port 1
VILLA-MEDINA-SW2#


Controller
===============================================================

(Cisco Controller) >show interface detail management
Interface Name................................... management
MAC Address................................... f8:c2:88:8c:a9:20
IP Address....................................... 192.168.0.3
IP Netmask....................................... 255.255.254.0
IP Gateway....................................... 192.168.0.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. 1
Quarantine-vlan.................................. 0
Active Physical Port............................. 3
Primary Physical Port............................ 3
Backup Physical Port............................. Unconfigured
DHCP Proxy Mode.................................. Global
Primary DHCP Server.............................. 192.168.0.48
Secondary DHCP Server............................ 192.168.0.10
DHCP Option 82................................... Disabled
IPv4 ACL......................................... Unconfigured
mDNS Profile Name................................ Unconfigured
AP Manager....................................... Yes
Guest Interface.................................. No
L2 Multicast..................................... Enabled

--More-- or (q)uit

(Cisco Controller) >show interface summary


Number of Interfaces.......................... 5

Interface Name Port Vlan Id IP Address Type Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
management 3 1 192.168.0.3 Static Yes No
redundancy-management 3 1 0.0.0.0 Static No No
redundancy-port - untagged 0.0.0.0 Static No No
service-port N/A N/A 172.16.0.3 Static No No
virtual N/A N/A 1.1.1.1 Static No No

(Cisco Controller) >

My question is, are you just testing right now or is this how your final setup will be? The only thing I would change is on the WLC management interface, change the VLAN to 0. This is untagged, as on your switch you're using VLAN 1, which is untagged. Also, since you only defined one port on the controller, make sure only port 3 is connected to the switch; all other ports should not be connected. Make sure that the service port doesn't have connectivity to the management interface also.

Hope this helps

-Scott


Thanks Scott!

It is a test setup. The final setup will not be on VLAN 1.

Changing Management VLAN to 0 worked.

Now I am facing challenges with joining Air CAP 1532 APs to the WLC.

Can you provide the AP facing switchport configuration?

Are the APs on the same VLAN as the controller(VLAN 1)?

-David

Hi David

See below config, and yes, the APs are in the same VLAN as the controller.

I can see the AP in the AP join menu but it is not joined. I can as well ping the AP from the controller.

VILLA-MEDINA-SW2#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID Local Intrfce Holdtme Capability Platform Port ID
AP1005.ca2a.811e Fas 0/2 161 T AIR-CAP15 Gig 0
CONTROLLER1 Gig 0/1 137 H AIR-CT550 Gig 0/0/3
SWITCH1
Fas 0/13 125 S I WS-C2960- Gig 0/1
VILLA-MEDINA-SW2#sh run int f0/2
Building configuration...

Current configuration : 84 bytes
!
interface FastEthernet0/2
switchport voice vlan 100
spanning-tree portfast
end

VILLA-MEDINA-SW2#sh run int g0/1
Building configuration...

Current configuration : 36 bytes
!
interface GigabitEthernet0/1
end

VILLA-MEDINA-SW2#

What's the output of the AP join stats? If you click the MAC address of the AP.

Hi David,

The error is "RADIUS authorization is pending for the AP"

I disabled the RADIUS server but the AP is still not joining.

Have you checked under Security > AP Policies? Try with only MIC checked.

Or you can add the MAC address of the AP under Security > Mac filtering > add MAC of AP as shown in your previous screenshot.

I tried with MIC checked and added the MAC of the AP. Also, in general settings the total number of allowed APs was set to zero; I changed it to 25 and now the error is

Join failed as dtls connection not found

The time and timezone in the WLC are set.

Hi Friends,

I am still stuck with the AP not joining the controller. The IP of the controller is 192.168.0.3. After checking the console of the AP I noticed the messages below.

I am able to ping the WLC from the AP.

==========================================================

*Mar 1 00:01:56.447: %MESH-6-CAPWAP_RESTART: Mesh Capwap re-started
*Mar 1 00:02:00.299: %CAPWAP-3-ERRORLOG: Invalid event 29 & state 4 combination.
*Mar 1 00:02:00.299: %CAPWAP-3-ERRORLOG: SM handler: Failed to process timer message. Event 29, state 4
*Mar 1 00:02:00.299: %CAPWAP-3-ERRORLOG: Failed to handle timer message.
*Mar 1 00:02:00.299: %CAPWAP-3-ERRORLOG: Failed to process timer message.
*Mar 1 00:02:01.479: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
*Mar 1 00:02:01.527: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Mar 1 00:02:01.795: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 1 00:02:02.795: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Mar 1 00:02:03.795: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.unsoma.local
*Mar 1 00:02:14.795: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Nov 7 09:35:47.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.0.3 peer_port: 5246
*Nov 7 09:35:47.495: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.0.3 peer_port: 5246
*Nov 7 09:35:47.495: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.0.3
*Nov 7 09:35:52.495: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.0.3
*Nov 7 09:36:46.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.0.3:5246
*Nov 7 09:36:47.031: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
*Nov 7 09:36:47.079: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Nov 7 09:36:47.355: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
AP1005.ca2a.811e#
*Nov 7 09:36:57.355: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Nov 7 09:36:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.0.3 peer_port: 5246
*Nov 7 09:36:55.495: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.0.3 peer_port: 5246
*Nov 7 09:36:55.495: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.0.3
*Nov 7 09:37:00.495: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.0.3

*Mar 1 00:01:56.447: %MESH-6-CAPWAP_RESTART: Mesh Capwap re-started

This line indicates the AP has a mesh image. So you should add the AP Ethernet MAC address under Security > AAA > AP Policies > Add in order to register this AP to the WLC.

Give it a try & see

HTH

Rasika

Hi Rasika,

Unfortunately I had that MAC in the MAC filtering list, so it doesn't allow me to add it in AP policies.

How can I remove the MAC address from the MAC filtering list?

The AP was able to resolve the domain after adding a cisco-capwap-controller object in the DNS server pointing to the controller.

The controller is connected to a trunk port and the AP to a switchport. I can ping the controller management interface from the AP.

On AP join stats in the WLC I see "Regulatory domain check has failed for the AP" as per the attached screenshot.

In Security --> AP Policies, the MAC address of the AP is added as per the attached screenshot.

When I do a capwap test I see the output below.

AP1005.ca2a.811e#capwap ap ip address 192.168.0.3 255.255.254.0
You should configure Domain and Name Server from controller CLI/GUI.
AP1005.ca2a.811e#

WLAN is active in the WLC.

=========================


(Cisco Controller) >show wlan summary

Number of WLANs.................................. 1

WLAN ID WLAN Profile Name / SSID Status Interface Name PMIPv6 Mobility
------- ------------------------------------- -------- -------------------- ---------------
1 TEST / TEST Enabled management none

(Cisco Controller) >

At the console of the AP I see the logs below.

======================================================

*Nov 8 14:48:51.499: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
*Nov 8 14:48:51.499: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Nov 8 14:48:51.499: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 192.168.0.3
*Nov 8 14:49:51.499: %CAPWAP-3-ERRORLOG: Post Join timer has expired.Cleaning up
*Nov 8 14:49:51.499: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.0.3:5246
*Nov 8 14:49:51.531: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
*Nov 8 14:49:51.579: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Nov 8 14:49:51.855: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Nov 8 14:50:01.855: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Nov 8 14:49:59.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.0.3 peer_port: 5246
*Nov 8 14:49:59.495: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.0.3 peer_port: 5246
*Nov 8 14:49:59.495: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.0.3
*Nov 8 14:49:59.495: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
*Nov 8 14:49:59.495: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
*Nov 8 14:49:59.495: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Nov 8 14:49:59.495: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 192.168.0.3
*Nov 8 14:57:43.495: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
*Nov 8 14:57:43.495: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
*Nov 8 14:57:43.495: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Nov 8 14:57:43.495: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 192.168.0.3
AP1005.ca2a.811e#
AP1005.ca2a.811e#capwap ap ip address 192.168.0.3 255.255.254.0
You should configure Domain and Name Server from controller CLI/GUI.
AP1005.ca2a.811e#
