Solved: Re: 1562I cannot join wlc (wrong time?)

mario.jost · ‎10-16-2017

We have the problem, that we cannot get 2 brandnew Cisco AP 1562I to join our vWLC.

I already entered both MAC addresses into AAA -> AP Policys, we have around 150/200 licenses used, WLC version is 8.3.112.0 that supports following Outdoor and Industrial APs: 1532E, 1532I, 1552E, 1552H, 1552I, 1552C, 1552EU, 1552CU, 1552S, 1560, 1570, and IW3700
WLC has configured a NTP server and its time is in sync.

I read online, that some Mesh APs dont support multicountry configuration. the thing is, we already have 17 APs of the same models running in flexconnect mode. We dont want to use the "mesh" feature.

Another thing that bugs me, the time of the AP is running 2h behind. I can read one lots of posts that i have to adjust the WLC's time. But the WLC is correct. How can i correct the time of the AP while it hasnt joined any WLC and doesnt have any logon credentials pushed onto it? Our DHCP server provides the NTP servers IP along the rest of the DHCP configuration. But the AP doesnt seem to pick this up.

This is the output on the AP:

[*10/16/2017 13:07:12.8330] ethernet_port wired0, ip 172.16.240.91, netmask 255.255.255.0, gw 172.16.240.1, mtu 1500, bcast 172.16.240.255, dns1 172.16.222.50, dns2 172.16.222.52, domain merbag.localWTP IP address changed from 172.16.240.90 to 172.16.240.91, restart CAPWAP.
[*10/16/2017 13:07:21.4747]
[*10/16/2017 13:07:21.4747] AP IPv4 Address updated from 172.16.240.90 to 172.16.240.91
[*10/16/2017 13:07:21.4826]
[*10/16/2017 13:07:21.4826] Lost connection to the controller, going to restart CAPWAP...
[*10/16/2017 13:07:21.4827]
[*10/16/2017 13:07:21.4827] Restarting CAPWAP State Machine.
[*10/16/2017 13:07:21.4904] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state: Discovery(2).
[*10/16/2017 13:07:21.4916]
[*10/16/2017 13:07:21.4916] CAPWAP State: DTLS Teardown
[*10/16/2017 13:07:26.2270]
[*10/16/2017 13:07:26.2270] CAPWAP State: Discovery
[*10/16/2017 13:07:26.2281] Got WLC address 172.16.222.70 from DHCP.
[*10/16/2017 13:07:26.2281] IP DNS query for CISCO-CAPWAP-CONTROLLER.merbag.local
[*10/16/2017 13:07:26.2348] Discovery Request sent to 172.16.222.70, discovery type DHCP(2)
[*10/16/2017 13:07:26.2359] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*10/16/2017 13:07:26.2360] Discovery Response from 172.16.222.70
[*10/16/2017 13:07:26.0001] Discovery response from MWAR 'SRVMWWLC01'running version 8.3.112.0 is rejected.
[*10/16/2017 13:07:26.0001] Failed to decode discovery response.
[*10/16/2017 13:07:26.0001] CAPWAP SM handler: Failed to process message type 2 state 2.
[*10/16/2017 13:07:26.0001] Failed to handle capwap control message from controller - status 4
[*10/16/2017 13:07:26.0001] Failed to process unencrypted capwap packet 0x15e9000 from 172.16.222.70
[*10/16/2017 13:07:26.0001] Failed to send capwap message 0 to the state machine. Packet already freed.
[*10/16/2017 13:07:26.0002] IPv4 wtpProcessPacketFromSocket returned 4

Some output from controller:

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.3.112.0
RTOS Version..................................... 8.3.112.0
Bootloader Version............................... 8.3.15.96
Emergency Image Version.......................... 8.3.102.0

OUI File Update Time............................. Sun Sep 07 10:44:07 IST 2014

Build Type....................................... DATA + WPS

System Name...................................... SRVMWWLC01
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1631
IP Address....................................... 172.16.222.70
IPv6 Address..................................... ::
System Up Time................................... 1 days 3 hrs 46 mins 33 secs
System Timezone Location......................... (GMT +1:00) Amsterdam, Berlin, Rome, Vienna
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180

--More-- or (q)uit

Configured Country............................... Multiple Countries : CH,IT,LU

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 7
Number of Active Clients......................... 383

OUI Classification Failure Count................. 4936

Burned-in MAC Address............................ 00:50:56:B4:29:2B
Maximum number of APs supported.................. 3000
System Nas-Id....................................
WLC MIC Certificate Types........................ SHA1
Licensing Type................................... RTU
vWLC config...................................... Large

(Cisco Controller) >show time

Time............................................. Mon Oct 16 15:07:19 2017

Timezone delta................................... 0:0
Timezone location................................ (GMT +1:00) Amsterdam, Berlin,                                                                                                                                Rome, Vienna

NTP Servers
    NTP Polling Interval.........................     3600

     Index     NTP Key Index                  NTP Server                Status                                                                                                                                         NTP Msg Auth Status
    -------  -------------------------------------------------------------------                                                                                                                               ---------------------------
       1              0                               172.16.222.50     In Sync

Can anyone help me about correcting the time? Or does the multicountry configuration seem to be the issue?

Vengatesa Prasath · ‎10-17-2017

I hope the AP1562 trying to join as MESH in WLC.

Mesh functionality for 1562 is not supported on 8.3. Mesh supported only from 8.4.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn83mr1.html#concept_A28403142D9D4CD2BE5C0B8F7A1434B9

Run the command on AP - CLI:

capwap ap mode local|flexconnect

change mode on AP as either local or flexconnect.

Let us know if it helps.

Regards,

Vengat

View solution in original post

mario.jost · ‎10-16-2017

Another thing to add, just saw that the ap has a newer firmware version than our vWLC's:

[*10/16/2017 13:32:57.3961] Active version: 8.4.100.0

Our WLC has 8.3.112.0. I thought the AP just downgrades to the version the WLC serves. Do I have to enable something in order for this to work?

Leo Laohoo · ‎10-16-2017

Post the complete output to the following commands:

1. WLC: sh time;

2. AP: sh version

mario.jost · ‎10-17-2017

as you can see in my initial post, i already posted the output of show time. If you can tell me how i can login into the access point before it joined the wlc and got its global credentials pushed onto it, i would be glad to post a show version output...

Sandeep Choudhary · ‎10-17-2017

1. Did you enter the correct AP mac address in cisco WLC?

2. How to connect /login to AP:

connect a console cable to AP and your LAPTOP

Login using Default username: Cisco and default password: Cisco

and paste the output of these command: sh version

Regards

Dontf orget to arte helpful posts

mario.jost · ‎10-17-2017

Thanks for the information, there you go:

AP2C33.110E.7DE8>show version
             Restricted Rights Legend

Use, duplication, or disclosure by the Government is subject to
restrictions as set forth in subparagraph (c) of the Commercial
Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and
subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

            Cisco Systems, Inc.
            170 West Tasman Drive
            San Jose, California 95134-1706

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
--More-- [*10/17/2017 08:13:39.7348] DOT11_DRV[0]: set_channel Channel set to 1
[*10/17/2017 08:13:39.9380] DOT11_DRV[1]: set_channel Channel set to 108

If you require further assistance please contact us by sending email to
export@cisco.com.

This product contains some software licensed under the
"GNU General Public License, version 2" provided with
ABSOLUTELY NO WARRANTY under the terms of
"GNU General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html

This product contains some software licensed under the
"GNU Library General Public License, version 2" provided
with ABSOLUTELY NO WARRANTY under the terms of "GNU Library
General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/lgpl-2.0.html

This product contains some software licensed under the
"GNU Lesser General Public License, version 2.1" provided
with ABSOLUTELY NO WARRANTY under the terms of "GNU Lesser
General Public License, version 2.1", available here:
http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html

Cisco AP Software, (ap3g3), C1562, RELEASE SOFTWARE
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Wed May 17 10:48:03 PDT 2017

ROM: Bootstrap program is U-Boot boot loader
BOOTLDR: U-Boot boot loader Version 2013.01-g729a7b4 (Dec 05 2016 - 23:44:32)

AP2C33.110E.7DE8 uptime is 0 days, 0 hours, 25 minutes
Last reload time   : Tue Oct 17 07:47:44 UTC 2017
Last reload reason : MESH reboot timer expired

cisco AIR-AP1562I-E-K9 ARMv7 Processor rev 1 (v7l) with 1028384/658080K bytes of memory.
Processor board ID FCZ2138Z0DP
AP Running Image     : 8.4.100.0
Primary Boot Image   : 8.4.100.0
Backup Boot Image    : 0.0.0.0
1 Gigabit Ethernet interfaces
2 802.11 Radios
Radio Driver version : 9.0.5.5-W8964
Radio FW version : 9.1.8.1
NSS FW version : 2.4.18

Base ethernet MAC Address            : 2C:33:11:0E:7D:E8
Part Number                          : 73-100839-04
PCA Assembly Number                  : 000-00000-00
PCA Revision Number                  :
PCB Serial Number                    : FOC21323F9K
Top Assembly Part Number             : 068-100609-01
Top Assembly Serial Number           : FCZ2138Z0DP
Top Revision Number                  : A0
Product/Model Number                 : AIR-AP1562I-E-K9

And i double checked the mac address. I tried another AP as well to make sure this is not a "monday product" problem.

Sandeep Choudhary · ‎10-17-2017

as per the error:

Discovery response from MWAR 'SRVMWWLC01'running version 8.3.112.0 is rejected.

You need to upgarde the WLC to support these AP.

Upgrade the firmware of the controller to, say, 8.3.122.0.

Also check if the AP has ME or CAPWAP image by using sh version command. If it has ME image then you need to to convert it to CAPWAP by using the command on Consoile CLI: ap-type capwap

Regards

Dont forget to rate helpful posts

mario.jost · ‎10-17-2017

As i already pointed out, we have 17 aps of the same mode already running on the wlc. So the WLC version souldnt be an issue. And the 1560 series is on the supported list for WLC version 8.3.112.0 as you can check in the compatibility matrix here:

https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

AP is already in CAPWAP mode:

AP2C33.110E.7DE8#ap-type capwap
[*10/17/2017 08:48:15.2732]
[*10/17/2017 08:48:15.2732] .....No change in AP Type configuration......
[*10/17/2017 08:48:15.2732]

Sandeep Choudhary · ‎10-17-2017

I know its compatible with cisoc wlc 8.3.112.0 but still its better to go with stable version.

paste the output of the command from WLC: show auth-list

Regards

Dont forget to arte helpful posts

mario.jost · ‎10-17-2017

Yeah, but if we upgrade the WLC, we have to upgrade our Prime Infrastructure as well. And the version 8.4.100.0 is an early development release as well. I dont see why we would need to upgrade our WLC just to get an access point up and running that is fully supported by the current release installed.

Here is the output of the show auth-list:

(Cisco Controller) >show auth-list 

Authorize MIC APs against Auth-list or AAA ...... disabled
Authorize LSC APs against Auth-List ............. disabled
APs Allowed to Join
  AP with Manufacturing Installed Certificate.... yes
  AP with Self-Signed Certificate................ no
  AP with Locally Significant Certificate........ no

Mac Addr                  Cert Type    Key Hash
-----------------------   ----------   ------------------------------------------
00:81:c4:88:70:90         MIC          
00:81:c4:88:70:a6         MIC          
00:81:c4:88:71:18         MIC          
00:81:c4:88:71:20         MIC          
00:c1:64:9c:09:48         MIC          
00:c1:64:9c:0a:06         MIC          
00:c1:64:9c:0a:8e         MIC          
00:c1:64:9c:0a:98         MIC          
00:c1:64:9c:0a:9e         MIC          
00:c1:64:9c:0a:b0         MIC          
00:c1:64:9c:0e:92         MIC          
00:c1:64:9c:0e:d6         MIC          
2c:33:11:0e:7d:02         MIC          
2c:33:11:0e:7d:e8         MIC

The last two in line are the one that are not working. Does the 2 hour time difference not cause any certification distrust? How can i adjust the clock of the AP manually? I can only find old commands that dont work on our access point.

Vengatesa Prasath · ‎10-17-2017

I hope the AP1562 trying to join as MESH in WLC.

Mesh functionality for 1562 is not supported on 8.3. Mesh supported only from 8.4.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn83mr1.html#concept_A28403142D9D4CD2BE5C0B8F7A1434B9

Run the command on AP - CLI:

capwap ap mode local|flexconnect

change mode on AP as either local or flexconnect.

Let us know if it helps.

Regards,

Vengat

mario.jost · ‎10-17-2017

Well that fixed it. I could set the mode only to local, even though we use our access points in flexconnect. But our WLC is configured to change all joingin APs to flexconnect on initial join and that worked great. Not sure why this ap was trying to join with mesh configuration. The 17 others we ordered from the same supplier didnt try to do that. Nevertheless, lession learned and device is up and running well. Thanks for your help.

Vengatesa Prasath · ‎10-17-2017

Glad that it worked..

Manfred Kindlhofer · ‎10-23-2017

Is it possible to boot a 1562 from the secondary boot Image via console ?

Vengatesa Prasath · ‎10-23-2017

I hope it is running in Mobility Express image.

normal WLC command should work. you can try :

>>> config boot backup

>>> reset system