08-08-2011 07:14 AM - edited 11-18-2020 02:54 AM
In this document we give an overview of the Wireless LAN Controller Discovery and Join Process and some of the reasons why a Lightweight Access Point fails to join a WLC. We will also see how to troubleshoot these issues in different practical scenarios faced by Cisco customers.
Lightweight Access Point (LAP) not Joining a Wireless LAN Controller (WLC). Before we discuss different troubleshooting scenarios we need to understand what is happening behind the scenes and what the expected behavior is when discovery and joining happen.
Order for an LAP to register to a WLC:-
mutual authentication and encryption key derivation, which is used to secure the join process and future LWAPP control messages.
How to determine where to send the LWAPP discovery requests (step 2). The LAP uses a discovery algorithm in order to determine the list of WLCs to which the LAP can send the discovery request messages. This procedure describes the hunting process:-
LWAPP communication between the AP and the WLC can be in native, Layer 2 Ethernet frames. This is known as Layer 2 LWAPP mode.
Note:- Layer 2 LWAPP mode is not supported on Cisco 2000 Series WLCs. These WLCs support only Layer 3 LWAPP mode.
The LAPs that support Layer 2 LWAPP mode broadcast a LWAPP discovery request message in a Layer 2 LWAPP frame. If there is a WLC in the network configured for Layer 2 LWAPP mode, the controller responds with a discovery response.
The LAP then moves to the join phase. This debug lwapp events enable command output shows the sequence of events that occur when a LAP using Layer 2 LWAPP mode registers with the WLC:-
The LAPs use the Layer 3 discovery algorithm if the Layer 2 discovery method is not supported or if the Layer 2
discovery method fails. The Layer 3 discovery algorithm uses different options in order to attempt to discover WLCs.
The Layer 3 LWAPP WLC discovery algorithm is used to build a controller list. After a controller list is built, the AP
selects a WLC and attempts to join the WLC.
The LWAPP Layer 3 WLC discovery algorithm repeats until at least one WLC is found and joined.
After the LAP gets an IP address from the DHCP server, the LAP begins this discovery process:
When the LAP powers up, it sends out a DHCP request, with the hope that a DHCP server will provide an IP address. After the LAP gets an IP address from the DHCP server, the LAP broadcasts a Layer 3 LWAPP discovery message on to its local subnet. Because the WLC is also on the same subnet, the WLC receives the LWAPP discovery request from the LAP and responds with a Layer 3 LWAPP discovery response.
(Cisco Controller) >debug lwapp events enable
Mon May 22 12:00:21 2006: Received LWAPP DISCOVERY REQUEST from AP 00:0b:85:5b:fb:d0 to ff:ff:ff:ff:ff:ff on port '1'
Mon May 22 12:00:21 2006: Successful transmission of LWAPP Discovery-Response to AP 00:0b:85:5b:fb:d0 on Port 1
A 1200 series AP is unable to join a 4402 controller running version 5.2.178; the AP was just converted from autonomous to LWAPP.
Here is what the AP is showing when it is booting up and fails to join.
*Apr 13 16:48:04.012: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Apr 13 16:48:04.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 1.1.1.3 peer_port: xxyy
*Apr 13 16:48:04.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Apr 13 16:48:05.715: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 1.1.1.3
*Apr 13 16:48:05.715: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Apr 13 16:48:05.715: %DTLS-5-PEER_DISCONNECT: Peer 1.1.1.3 has closed connection.
*Apr 13 16:48:05.716: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 1.1.1.3:xxyy
*Apr 13 16:48:05.717: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
If you used the Cisco Aironet to LWAPP conversion tool, check the directory where the upgrade tool is installed and see whether it created a .csv file that contains the SSC for the AP. Then manually add that SSC to the WLC under Security, on the AP Policies link.
A 1231 LAP is unable to join a WiSM running 6.0.199.4. The SSC (the SHA key) was also taken from the upgrade tool and added to both controllers under Security/AP Policy, and the AP still will not come up.
Here is what the AP is showing when it is booting up and fails to join.
*Mar 25 16:14:07.720: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
*Mar 25 16:15:11.129: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Mar 25 16:15:11.130: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Mar 25 16:15:11.130: bsnInitRcbSlot: slot 1 has NO radio
*Mar 25 16:15:11.145: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Mar 25 16:15:11.165: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 25 16:15:11.167: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 25 16:15:11.179: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 25 16:15:11.185: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 25 16:15:11.197: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 25 16:15:21.164: %CAPWAP-3-ERRORLOG: Selected MWAR 'c6509-2-wism-8-2'(index 0).
*Mar 25 16:15:21.164: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Mar 25 16:15:23.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 1.1.1.2 peer_port: xxyy
*Mar 25 16:15:23.002: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Mar 25 16:15:24.804: %CAPWAP-5-DTLSREQSUCC: DTLS connection created successfully peer_ip:1.1.1.2 peer_port: xxyy
*Mar 25 16:15:24.806: %CAPWAP-5-SENDJOIN: sending Join Request to 1.1.1.2
*Mar 25 16:15:24.807: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Mar 25 16:15:24.811: %DTLS-5-ALERT: Received WARNING : Close notify alert from 1.1.1.2
*Mar 25 16:15:24.811: %DTLS-5-PEER_DISCONNECT: Peer 192.168.251.184 has closed connection.
*Mar 25 16:15:24.811: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 1.1.1.2:xxyy
It has been noticed in some cases that if an incorrect time is set on different WLCs within a mobility group, APs fail to join these WLCs because of the mismatch and do not join the desired controller. Most of the time, APs join the controller after the time is corrected.
Error message on the AP after conversion to LWAPP:-
*Mar 1 00:00:23.535: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY
*Mar 1 00:00:23.550: LWAPP_CLIENT_ERROR_DEBUG: lwapp_crypto_init_ssc_keys_and_certs no certs in the SSC Private File
*Mar 1 00:00:23.550: LWAPP_CLIENT_ERROR_DEBUG:
*Mar 00:00:23.551: lwapp_crypto_init: PKI_StartSession failed
*Mar 1 00:00:23.720: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: FAILED CRYPTO INIT.
*Mar 1 00:00:23.721: %LWAPP-5-CHANGED: LWAPP changed state to DOWN
The AP reloads after 30 seconds and starts the process over again.
It is a SSC AP. Convert back to an autonomous IOS image. Clear the configuration by issuing the write erase command and reload. Do not save the configuration when reloading.
Dropping primary discovery request from AP XX:AA:BB:XX:DD:DD - maximum APs joined 6/6
There is a limit to the number of LAPs that can be supported by a WLC. Each WLC supports a certain number of LAPs, which depends on the model and platform. This error message is seen on the WLC when it receives a discovery request after it has reached its maximum AP capacity.
Here is the number of LAPs supported on the different WLC platform and models:-
When trying to add UK and US together on the WLC, a message box shows the error "Mesh APs are not currently supported for multiple country configuration. Use single country configuration or remove Mesh APs from the network".
Yes, Mesh access points do not support multiple country codes. If you have configured multiple country codes then the Mesh APs will not join the controller.
Please find the link given below that explains the guidelines to be followed while configuring
country codes: http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/
The following errors appear on an access point of model AIR-AP1242AG-E-K9:-
*Jun 16 13:08:02.392: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Jun 16 13:08:02.493: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*Jun 16 13:08:02.493: %CAPWAP-3-ERRORLOG: Starting config timer
*Jun 16 13:08:02.496: %DTLS-5-ALERT: Received WARNING : Close notify alert from x.y.z.v
*Jun 16 13:08:02.496: %DTLS-5-PEER_DISCONNECT: Peer x.y.z.x has closed connection.
*Jun 16 13:08:02.497: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to x.y.z.x:xxxx
The access point model is AIR-AP1242AG-E-K9, which has -E as the regulatory domain, meaning it is designed to operate in European countries. The controller by default is configured with US as the country code, which has a different set of FCC regulations.
If the access points are to be installed in Europe, you need to add your country code to the list of countries on the WLC, and this should resolve the issue.
To change the country code, from the GUI of the WLC, go to Wireless ->Country and select or add your country.
In case you face issues in getting an AP to discover the controller dynamically, you can enter the
commands given below to add the ip address of the controller statically on the access point:
To enable console access on lightweight AP:-
Command: debug lwapp console cli
To add the controller ip address statically:
Command: lwapp ap controller ip <ip address>
Please note, if your controller is running a version beyond 5.2, use "capwap" in the commands instead
of "lwapp".
Use these CLI commands to obtain CAPWAP debug information:
• debug capwap events {enable | disable}: Enables or disables debugging of CAPWAP events.
• debug capwap errors {enable | disable}: Enables or disables debugging of CAPWAP errors.
• debug capwap detail {enable | disable}: Enables or disables debugging of CAPWAP details.
• debug capwap info {enable | disable}: Enables or disables debugging of CAPWAP information.
• debug capwap packet {enable | disable}: Enables or disables debugging of CAPWAP packets.
• debug capwap payload {enable | disable}: Enables or disables debugging of CAPWAP payloads.
• debug capwap hexdump {enable | disable}: Enables or disables debugging of the CAPWAP hexadecimal dump.
https://supportforums.cisco.com/message/3323594
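A way to triage the AP console output from the scenarios above, as an added example (not Cisco tooling and not part of the original document): it matches the error strings quoted in this document and uses the last CAPWAP state the AP reached to tell a close-notify after JOIN from one after CFG. The state-to-cause mapping is a heuristic drawn from these scenarios, and all function and variable names are illustrative.

```python
import re

# One-line signatures quoted in this document -> (cause, what to check).
SIGNATURES = [
    (re.compile(r"Certificate unknown alert|Bad certificate alert"),
     "controller rejected the AP certificate",
     "add the AP's SSC under Security > AP Policies on the WLC"),
    (re.compile(r"no certs in the SSC Private File|FAILED CRYPTO INIT"),
     "AP has no SSC to present",
     "convert back to autonomous IOS, write erase, reload without saving"),
    (re.compile(r"maximum APs joined \d+/\d+"),
     "controller has reached its maximum AP capacity",
     "check the AP count supported by this WLC model"),
]
# A close-notify from the controller is ambiguous on its own; the last CAPWAP
# state the AP reached separates the scenarios (heuristic, an assumption here).
CLOSE_BY_STATE = {
    "JOIN": ("controller closed the session after the Join Request",
             "verify the time set on every WLC in the mobility group"),
    "CFG": ("controller closed the session during configuration",
            "compare the AP regulatory domain with the WLC country codes"),
}
STATE = re.compile(r"CAPWAP changed state to (\w+)")
CLOSE = re.compile(r"Received WARNING : Close notify alert")

def triage(log_text):
    """Return (cause, check) findings in log order, without repeats."""
    findings, state = [], None
    for line in log_text.splitlines():
        m = STATE.search(line)
        if m:  # a truncated "changed state to" line does not match; state is kept
            state = m.group(1)
            continue
        if CLOSE.search(line):
            hits = [CLOSE_BY_STATE.get(state)]
        else:
            hits = [(c, k) for rx, c, k in SIGNATURES if rx.search(line)]
        findings += [h for h in hits if h and h not in findings]
    return findings

# Lines excerpted from the AP console output quoted in this document.
SAMPLE = """\
*Jun 16 13:08:02.392: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Jun 16 13:08:02.493: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*Jun 16 13:08:02.496: %DTLS-5-ALERT: Received WARNING : Close notify alert from x.y.z.v
"""

if __name__ == "__main__":
    print(*(f"{cause}: {check}" for cause, check in triage(SAMPLE)), sep="\n")
```

A finding only narrows where to look first; a close-notify can have causes other than the ones listed in this document.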
Another common cause for APs discovering but not joining a Wireless LAN Controller is that the AP is stuck in MESH mode. This article describes a quick remedy if that is the problem.
Hi,
We bought a wireless kit recently from Cisco and we are using a CAP1552I-A-K9 outdoor AP and a 5508 WLAN controller. One of the APs does not connect to the controller now. I made this AP a RAP and gave it a static IP, and it was working fine. Later on I removed the IP address from the MAC filter; once I applied that, it did not show up on the controller. I have restarted the AP and even did a factory default, but it does not connect to the controller. Could you please help me to resolve this issue?
Mar 1 01:24:21.731: %MESH-3-TIMER_EXPIRED: Mesh Lwapp join timer expired
*Mar 1 01:24:21.731: %MESH-3-TIMER_EXPIRED: Mesh Lwapp join failed expired
*Mar 1 01:24:21.731: %MESH-6-LINK_UPDOWN: Mesh station bcf1.f222.457c link Down
*Mar 1 01:24:58.067: %MESH-6-CAPWAP_RESTART: Mesh Capwap re-started
% CDP is not supported on this interface, or for this encapsulation
------------------
Cisco IOS Software, C1550 Software (C1520-K9W8-M), Version 15.2(4)JB6, RELEASE S
OFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Fri 22-Aug-14 13:14 by prod_rel_team
ROM: Bootstrap program is C1550 boot loader
BOOTLDR: C1550 Boot Loader (C1520-BOOT-M) LoaderVersion 15.2(2a)JA, RELEASE SOFT
WARE (fc1)
APbcf1.f222.4560 uptime is 20 minutes
System returned to ROM by reload
System image file is "flash:/c1520-k9w8-mx.152-4.JB6/c1520-k9w8-xx.152-4.JB6"
Last reload reason:
Hi rishisemwal,
Please be sure that the access point is included in the MAC filter.
Please check that the Mesh authentication method is the same as on your mesh APs (wireless-->mesh-->security).
Hi,
Is it possible to capture the AP join issues via an SNMP OID or any MIB which I can poll to check the issues APs are facing in joining the WLC? This will help me to understand if the join issue is due to a general issue or any specific issue if the join issues are happening with the majority of the access points.
Thanks in advance for help.
regards
Harish