cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
168831
Views
15
Helpful
4
Comments
Vinay Sharma
Level 7
Level 7

 

Introduction

In this document we will discuss an overview of the Wireless LAN Controller Discovery and Join Process and some of the issues why a Lightweight Access Point fails to join a WLC. We will also see how to troubleshoot these issues in different practical scenarios faced by Cisco customers.

Problem Description

Lightweight Access Point (LAP) not Joining a Wireless LAN Controller (WLC). Before we discuss different troubleshooting scenarios we need to understand what is happing behind the scene and what is the expected behavior when discovery and joining happens.

Overview - Discovery and Join Process a WLC

Order for an LAP to register to a WLC:-

  • The LAPs issue a DHCP discovery request to get an IP address, unless it has previously had a static IP address configured.
  • The LAP sends LWAPP discovery request messages to the WLCs.
  • Any WLC that receives the LWAPP discovery request responds with an LWAPP discovery response message.
  • From the LWAPP discovery responses that the LAP receives, the LAP selects a WLC to join.
  • The LAP then sends an LWAPP join request to the WLC and expects an LWAPP join response.
  • The WLC validates the LAP and then sends an LWAPP join response to the LAP.
  • The LAP validates the WLC, which completes the discovery and join process. The LWAPP join process includes

     mutual authentication and encryption key derivation, which is used to secure the join process and future LWAPP control messages.

  • The LAP registers with the controller.

How to determine where to send the LWAPP discovery requests (step 2). The LAP uses a discovery algorithm in order to determine the list of WLCs to which the LAP can send the discovery request messages.This procedure describes the hunting process:-

  • The LAP issues a DHCP request to a DHCP server in order to get an IP address, unless an assignment was made previously with a static IP address.
  • If Layer 2 LWAPP mode is supported on the LAP, the LAP broadcasts an LWAPP discovery message in a Layer 2 LWAPP frame.
  • Any WLC that is connected to the network and that is configured for Layer 2 LWAPP mode responds with a Layer 2 discovery response.
  • If the LAP does not support Layer 2 mode, or if the WLC or the LAP fails to receive an LWAPP discovery response to the Layer 2 LWAPP discovery message broadcast, the LAP proceeds to step 3.
  • If step 1 fails, or if the LAP or the WLC does not support Layer 2 LWAPP mode, the LAP attempts a Layer 3 LWAPP WLC discovery.
  • If step 3 fails, the LAP resets and returns to step 1.

Layer 2 LWAPP WLC Discovery Algorithm

LWAPP communication between the AP and the WLC can be in native, Layer 2 Ethernet frames. This is known as Layer 2

LWAPP mode.

Note:- Layer 2 LWAPP mode is not supported on Cisco 2000 Series WLCs. These WLCs support only Layer 3 LWAPP mode.

The LAPs that support Layer 2 LWAPP mode broadcast a LWAPP discovery request message in a Layer 2 LWAPP frame. If there is a WLC in the network configured for Layer 2 LWAPP mode, the controller responds with a discovery response.

The LAP then moves to the join phase. This debug lwapp events enable command output shows the sequence of events that occur when a LAP using Layer 2 LWAPP mode registers with the WLC:-

1.jpg

Layer 3 LWAPP WLC Discovery Algorithm

The LAPs use the Layer 3 discovery algorithm if the Layer 2 discovery method is not supported or if the Layer 2

discovery  method fails. The Layer 3 discovery algorithm uses different options in order to attempt to discover WLCs.

The Layer 3 LWAPP WLC discovery algorithm is used to build a controller list. After a controller list is built, the AP

selects a WLC and attempts to join the WLC.

The LWAPP Layer 3 WLC discovery algorithm repeats until at least one WLC is found and joined.

After the LAP gets an IP address from the DHCP server, the LAP begins this discovery process:

  • The LAP broadcasts a Layer 3 LWAPP discovery message on the local IP subnet. Any WLC that is configured for Layer 3 LWAPP mode and that is connected to the same local subnet receives the Layer 3 LWAPP discovery message.
  • Each of the WLCs that receives the LWAPP discovery message replies with a unicast LWAPP discovery response message to the LAP.

lap_registration1.jpg

 

When the LAP powers up, it sends out a DHCP request, with the hope that a DHCP server will provide an IP address. After the LAP gets an IP address from the DHCP server, the LAP broadcasts a Layer 3 LWAPP discovery message on to its local subnet. Because the WLC is also on the same subnet, the WLC receives the LWAPP discovery request from the LAP and responds with a Layer 3 LWAPP discovery response.

(Cisco Controller) >debug lwapp events enableMon May 22 12:00:21 2006: Received LWAPP DISCOVERY REQUEST from AP 00:0b:85:5b:fb:d0 to ff:ff:ff:ff:ff:ff on port '1'Mon May 22 12:00:21 2006: Successful transmission of LWAPP Discovery-Response to AP 00:0b:85:5b:fb:d0 on Port 1

Troubleshooting Scenario 1

Unable to join 1200 series AP with 4402 controller running 5.2.178 version and AP was just converted from autonomous to lwapp.

Here is what the AP is showing when it is booting up and fails to join.

*Apr 13 16:48:04.012: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Apr 13 16:48:04.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 1.1.1.3
peer_port: xxyy
*Apr 13 16:48:04.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Apr 13 16:48:05.715: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 1.1.1.3
*Apr 13 16:48:05.715: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Apr 13 16:48:05.715: %DTLS-5-PEER_DISCONNECT: Peer 1.1.1.3 has closed connection.
*Apr 13 16:48:05.716: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 1.1.1.3:xxyy
*Apr 13 16:48:05.717: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

Solution

If you use Cisco Aironet to LWAPP conversion tool then check the directory where the upgrade tool is installed and see if it created a file (.csv) that contains the SSC for the AP. Then manually add that into the WLC under Security and then AP policies link.

Troubleshooting Scenario 2

1231 LAP unable to join WISM running 6.0.199.4. Also took SSC (the SHA key) key from the upgrade
tool and added to both controller under security/ap policy and the ap still will not come up.

Here is what the AP is showing when it is booting up and fails to join.

*Mar 25 16:14:07.720: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
*Mar 25 16:15:11.129: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Mar 25 16:15:11.130: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Mar 25 16:15:11.130: bsnInitRcbSlot: slot 1 has NO radio
*Mar 25 16:15:11.145: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to
administratively down
*Mar 25 16:15:11.165: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 25 16:15:11.167: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 25 16:15:11.179: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 25 16:15:11.185: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 25 16:15:11.197: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 25 16:15:21.164: %CAPWAP-3-ERRORLOG: Selected MWAR 'c6509-2-wism-8-2'(index 0).
*Mar 25 16:15:21.164: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Mar 25 16:15:23.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 1.1.1.2
peer_port: xxyy
*Mar 25 16:15:23.002: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Mar 25 16:15:24.804: %CAPWAP-5-DTLSREQSUCC: DTLS connection created successfully
peer_ip:1.1.1.2  peer_port: xxyy
*Mar 25 16:15:24.806: %CAPWAP-5-SENDJOIN: sending Join Request to 1.1.1.2
*Mar 25 16:15:24.807: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Mar 25 16:15:24.811: %DTLS-5-ALERT: Received WARNING : Close notify alert from 1.1.1.2
*Mar 25 16:15:24.811: %DTLS-5-PEER_DISCONNECT: Peer 192.168.251.184 has closed connection.
*Mar 25 16:15:24.811: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 1.1.1.2:xxyy

Solution

It has been noticed in some cases that if incorrect time is set on different WLCs within mobility group, then AP fail to join these WLCs due to the mismatch and would not join the desired controller. Most of the time APs join the controller after correcting the time.

Troubleshooting Scenario 3

Error message on the AP after conversion to LWAPP, get error message:-

*Mar 1 00:00:23.535: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY
*Mar 1 00:00:23.550: LWAPP_CLIENT_ERROR_DEBUG: lwapp_crypto_init_ssc_keys_and_certs
no certs in the  SSC Private File
*Mar 1 00:00:23.550: LWAPP_CLIENT_ERROR_DEBUG:
*Mar  00:00:23.551: lwapp_crypto_init: PKI_StartSession failed
*Mar 1 00:00:23.720: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT.
Reload Reason: FAILED CRYPTO INIT.
*Mar 1 00:00:23.721: %LWAPP-5-CHANGED: LWAPP changed state to DOWN

The AP reloads after 30 seconds and starts the process over again.

Solution

It is a SSC AP. Convert back to an autonomous IOS image. Clear the configuration by issuing the write erase command and reload. Do not save the configuration when reloading.

Troubleshooting Scenario 4

Dropping primary discovery request from AP XX:AA:BB:XX:DD:DD - maximum APs joined 6/6

Solution

There is a limit to the number of LAPs that can be supported by a WLC. Each WLC supports a certain number of LAPs, which depends on the model and platform. This error message is seen on the WLC when it receives a discovery request after it has reached its maximum AP capacity.

Here is the number of LAPs supported on the different WLC platform and models:-

  • The 2100 series controller supports up to 6, 12, or 25 LAPs. This depends on the model of the WLC.
  • The 4402 supports up to 50 LAPs, while the 4404 supports up to 100. This makes it ideal for large-sized enterprises and large-density applications.
  • The Catalyst 6500 Series Wireless Services Module (WiSM) is an integrated Catalyst 6500 switch and two Cisco 4404 controllers that supports up to 300 LAPs.
  • The Cisco 7600 Series Router WiSM is an integrated Cisco 7600 router and two Cisco 4404 controllers that supports up to 300 LAPs.
  • The Cisco 28/37/38xx Series Integrated Services Router is an integrated 28/37/38xx router and Cisco controller network module that supports up to 6, 8, 12, or 25 LAPs, depending on the version of the network module. The versions that support 8, 12, or 25 APs and the NME-AIR-WLC6-K9 6-access-point version feature a high-speed processor and more on-board memory than the NM-AIR-WLC6-K9 6-access-point version.
  • The Catalyst 3750G Integrated WLC Switch is an integrated Catalyst 3750 switch and Cisco 4400 series controller that supports up to 25 or 50 LAPs.

Troubleshooting Scenario 5

When Tried to add UK and US together on WLC, message box show error "Mesh APs are not currently

supported for multiple country configuration. Use single country configuration or remove Mesh

APs from the network".

Solution

Yes, Mesh access points do not support multiple country codes. If you have configured multiple

country codes then the Mesh AP's will not join the controller.

Please find the link given below that explains the guidelines to be followed while configuring

country codes: http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/

http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/

Troubleshooting Scenario 6

Getting the following errors on access point model is AIR-AP1242AG-E-K9:-

*Jun 16 13:08:02.392: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Jun 16 13:08:02.493: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*Jun 16 13:08:02.493: %CAPWAP-3-ERRORLOG: Starting config timer
*Jun 16 13:08:02.496: %DTLS-5-ALERT: Received WARNING : Close notify alert from x.y.z.v
*Jun 16 13:08:02.496: %DTLS-5-PEER_DISCONNECT: Peer x.y.z.x has closed connection.
*Jun 16 13:08:02.497: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to x.y.z.x:xxxx

Solution

The access point model is AIR-AP1 242 AG-E-K9 which has -E as the regulatory domain which means it is designed to operate in the European countries. The  controller by default is configured with US as the country code, which has a different set of FCC regulations.

If the access points are to be installed in Europe then we need to add your country code to the list of countries on the WLC and this should resolve the issue.

To change the country code, from the GUI of the WLC, go to Wireless ->Country and select or add your country.

Troubleshooting Scenario 7

LAPs with Mesh image not able to join WLC
 
The Lightweight Access Point does not register with the WLC. The log displays this the error message
 
AAA Authentication Failure for UserName:5475xxx8bf9c User
Type: WLAN USER

Solution

This can happen if the Lightweight Access Point was shipped with a mesh image and is in Bridge mode. If the LAP was ordered with mesh software on it, you need to add the LAP to the AP authorization list. Choose Security > AP Policies and add AP to the Authorization List. The AP should then join, download the image from the controller, then register with the WLC in bridge mode. Then you need to change the AP to local mode. The LAP downloads the image, reboots and registers back to the controller in local mode.
 
 
 
 

Tips and Tricks

In case you face issues in getting an AP to discover the controller dynamically, you can enter the

commands given below to add the ip address of the controller statically on the access point:

To enable console access on lightweight AP:-

Command: debug lwapp console cli

To add the controller ip address statically:

Command: lwapp ap controller ip <ip address>

Please note, if your controller is running a version beyond 5.2, use "capwap" in the commands instead

of "lwapp".

Debugging CAPWAP

Use these CLI commands to obtain CAPWAP debug information:

•  debug capwap events {enable | disable}—Enables or disables debugging of CAPWAP events.
•   debug capwap errors {enable | disable}—Enables or disables debugging of CAPWAP errors.
•   debug capwap detail {enable | disable}—Enables or disables debugging of CAPWAP details.
•   debug capwap info {enable | disable}—Enables or disables debugging of CAPWAP information.
•   debug capwap packet {enable | disable}—Enables or disables debugging of CAPWAP packets.
•   debug capwap payload {enable | disable}—Enables or disables debugging of CAPWAP payloads.
•   debug capwap hexdump {enable | disable}—Enables or disables debugging of the CAPWAP
hexadecimal dump.

Source

https://supportforums.cisco.com/message/3323594

Reference Links

  

Comments
Gareth Gudger
Level 1
Level 1

Another common cause for APs discovering but not joining a Wireless LAN Controller is that the AP is stuck in MESH mode. This article describes a quick remedy if that is the problem.

http://supertekboy.com/2014/01/13/cisco-lightweight-access-point-will-not-join-to-a-wireless-lan-controller/

rishisemwal
Level 1
Level 1

Hi,

We bought wireless kit recently from cisco and we are using CAP1552I-A-K9 outdoor AP and 5508 WLAN controller. One of AP does not connect on controller now. I have made this AP RAP and given static IP on it and it was working fine. latter on I have removed IP address from mac filter, once I apply it did not show off on the controller. I have restarted AP, even did factory default but it does not connect on the controller. Could you please help me to resolve this issue. 

Mar  1 01:24:21.731: %MESH-3-TIMER_EXPIRED: Mesh Lwapp join timer expired
*Mar  1 01:24:21.731: %MESH-3-TIMER_EXPIRED: Mesh Lwapp join failed expired
*Mar  1 01:24:21.731: %MESH-6-LINK_UPDOWN: Mesh station bcf1.f222.457c link Down

*Mar  1 01:24:58.067: %MESH-6-CAPWAP_RESTART: Mesh Capwap re-started
% CDP is not supported on this interface, or for this encapsulation

------------------

Cisco IOS Software, C1550 Software (C1520-K9W8-M), Version 15.2(4)JB6, RELEASE S
OFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Fri 22-Aug-14 13:14 by prod_rel_team

ROM: Bootstrap program is C1550 boot loader
BOOTLDR: C1550 Boot Loader (C1520-BOOT-M) LoaderVersion 15.2(2a)JA, RELEASE SOFT
WARE (fc1)

APbcf1.f222.4560 uptime is 20 minutes
System returned to ROM by reload
System image file is "flash:/c1520-k9w8-mx.152-4.JB6/c1520-k9w8-xx.152-4.JB6"
Last reload reason:

Holger Seiler
Community Member

Hi rishisemwal,

please be sure that the access point is included at the MAC filter.

Please check that the Mesh authentication method is the same as at your mesh-APs (wireless-->mesh-->security)

Harish Chopra
Cisco Employee
Cisco Employee

Hi, 

Is it possible to capture the AP join issues via snmp OID or any Mib using which I can poll and check the issues APs are facing in joining the WLC. This will help me to understand if the Join issue is due to a general issue or any specific issue if the join issues are happening with majority of the access points. 

 

Thanks in advance for help. 

 

regards

Harish

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: