10-16-2017 06:36 AM - edited 07-05-2021 07:44 AM
We have the problem, that we cannot get 2 brandnew Cisco AP 1562I to join our vWLC.
I already entered both MAC addresses into AAA -> AP Policys, we have around 150/200 licenses used, WLC version is 8.3.112.0 that supports following Outdoor and Industrial APs: 1532E, 1532I, 1552E, 1552H, 1552I, 1552C, 1552EU, 1552CU, 1552S, 1560, 1570, and IW3700
WLC has configured a NTP server and its time is in sync.
I read online, that some Mesh APs dont support multicountry configuration. the thing is, we already have 17 APs of the same models running in flexconnect mode. We dont want to use the "mesh" feature.
Another thing that bugs me, the time of the AP is running 2h behind. I can read one lots of posts that i have to adjust the WLC's time. But the WLC is correct. How can i correct the time of the AP while it hasnt joined any WLC and doesnt have any logon credentials pushed onto it? Our DHCP server provides the NTP servers IP along the rest of the DHCP configuration. But the AP doesnt seem to pick this up.
This is the output on the AP:
[*10/16/2017 13:07:12.8330] ethernet_port wired0, ip 172.16.240.91, netmask 255.255.255.0, gw 172.16.240.1, mtu 1500, bcast 172.16.240.255, dns1 172.16.222.50, dns2 172.16.222.52, domain merbag.localWTP IP address changed from 172.16.240.90 to 172.16.240.91, restart CAPWAP. [*10/16/2017 13:07:21.4747] [*10/16/2017 13:07:21.4747] AP IPv4 Address updated from 172.16.240.90 to 172.16.240.91 [*10/16/2017 13:07:21.4826] [*10/16/2017 13:07:21.4826] Lost connection to the controller, going to restart CAPWAP... [*10/16/2017 13:07:21.4827] [*10/16/2017 13:07:21.4827] Restarting CAPWAP State Machine. [*10/16/2017 13:07:21.4904] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state: Discovery(2). [*10/16/2017 13:07:21.4916] [*10/16/2017 13:07:21.4916] CAPWAP State: DTLS Teardown [*10/16/2017 13:07:26.2270] [*10/16/2017 13:07:26.2270] CAPWAP State: Discovery [*10/16/2017 13:07:26.2281] Got WLC address 172.16.222.70 from DHCP. [*10/16/2017 13:07:26.2281] IP DNS query for CISCO-CAPWAP-CONTROLLER.merbag.local [*10/16/2017 13:07:26.2348] Discovery Request sent to 172.16.222.70, discovery type DHCP(2) [*10/16/2017 13:07:26.2359] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0) [*10/16/2017 13:07:26.2360] Discovery Response from 172.16.222.70 [*10/16/2017 13:07:26.0001] Discovery response from MWAR 'SRVMWWLC01'running version 8.3.112.0 is rejected. [*10/16/2017 13:07:26.0001] Failed to decode discovery response. [*10/16/2017 13:07:26.0001] CAPWAP SM handler: Failed to process message type 2 state 2. [*10/16/2017 13:07:26.0001] Failed to handle capwap control message from controller - status 4 [*10/16/2017 13:07:26.0001] Failed to process unencrypted capwap packet 0x15e9000 from 172.16.222.70 [*10/16/2017 13:07:26.0001] Failed to send capwap message 0 to the state machine. Packet already freed. [*10/16/2017 13:07:26.0002] IPv4 wtpProcessPacketFromSocket returned 4
Some output from controller:
(Cisco Controller) >show sysinfo Manufacturer's Name.............................. Cisco Systems Inc. Product Name..................................... Cisco Controller Product Version.................................. 8.3.112.0 RTOS Version..................................... 8.3.112.0 Bootloader Version............................... 8.3.15.96 Emergency Image Version.......................... 8.3.102.0 OUI File Update Time............................. Sun Sep 07 10:44:07 IST 2014 Build Type....................................... DATA + WPS System Name...................................... SRVMWWLC01 System Location.................................. System Contact................................... System ObjectID.................................. 1.3.6.1.4.1.9.1.1631 IP Address....................................... 172.16.222.70 IPv6 Address..................................... :: System Up Time................................... 1 days 3 hrs 46 mins 33 secs System Timezone Location......................... (GMT +1:00) Amsterdam, Berlin, Rome, Vienna System Stats Realtime Interval................... 5 System Stats Normal Interval..................... 180 --More-- or (q)uit Configured Country............................... Multiple Countries : CH,IT,LU State of 802.11b Network......................... Enabled State of 802.11a Network......................... Enabled Number of WLANs.................................. 7 Number of Active Clients......................... 383 OUI Classification Failure Count................. 4936 Burned-in MAC Address............................ 00:50:56:B4:29:2B Maximum number of APs supported.................. 3000 System Nas-Id.................................... WLC MIC Certificate Types........................ SHA1 Licensing Type................................... RTU vWLC config...................................... Large (Cisco Controller) >show time Time............................................. Mon Oct 16 15:07:19 2017 Timezone delta................................... 0:0 Timezone location................................ (GMT +1:00) Amsterdam, Berlin, Rome, Vienna NTP Servers NTP Polling Interval......................... 3600 Index NTP Key Index NTP Server Status NTP Msg Auth Status ------- ------------------------------------------------------------------- --------------------------- 1 0 172.16.222.50 In Sync
Can anyone help me about correcting the time? Or does the multicountry configuration seem to be the issue?
Solved! Go to Solution.
10-17-2017 04:05 AM
I hope the AP1562 trying to join as MESH in WLC.
Mesh functionality for 1562 is not supported on 8.3. Mesh supported only from 8.4.
Run the command on AP - CLI:
capwap ap mode local|flexconnect
change mode on AP as either local or flexconnect.
Let us know if it helps.
Regards,
Vengat
10-16-2017 06:41 AM
Another thing to add, just saw that the ap has a newer firmware version than our vWLC's:
[*10/16/2017 13:32:57.3961] Active version: 8.4.100.0
Our WLC has 8.3.112.0. I thought the AP just downgrades to the version the WLC serves. Do I have to enable something in order for this to work?
10-16-2017 12:48 PM
Post the complete output to the following commands:
1. WLC: sh time;
2. AP: sh version
10-17-2017 12:04 AM
as you can see in my initial post, i already posted the output of show time. If you can tell me how i can login into the access point before it joined the wlc and got its global credentials pushed onto it, i would be glad to post a show version output...
10-17-2017 12:14 AM - edited 10-17-2017 12:15 AM
1. Did you enter the correct AP mac address in cisco WLC?
2. How to connect /login to AP:
connect a console cable to AP and your LAPTOP
Login using Default username: Cisco and default password: Cisco
and paste the output of these command: sh version
Regards
Dontf orget to arte helpful posts
10-17-2017 01:22 AM - edited 10-17-2017 01:24 AM
Thanks for the information, there you go:
AP2C33.110E.7DE8>show version Restricted Rights Legend Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013. Cisco Systems, Inc. 170 West Tasman Drive San Jose, California 95134-1706 This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html --More-- [*10/17/2017 08:13:39.7348] DOT11_DRV[0]: set_channel Channel set to 1 [*10/17/2017 08:13:39.9380] DOT11_DRV[1]: set_channel Channel set to 108 If you require further assistance please contact us by sending email to export@cisco.com. This product contains some software licensed under the "GNU General Public License, version 2" provided with ABSOLUTELY NO WARRANTY under the terms of "GNU General Public License, version 2", available here: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html This product contains some software licensed under the "GNU Library General Public License, version 2" provided with ABSOLUTELY NO WARRANTY under the terms of "GNU Library General Public License, version 2", available here: http://www.gnu.org/licenses/old-licenses/lgpl-2.0.html This product contains some software licensed under the "GNU Lesser General Public License, version 2.1" provided with ABSOLUTELY NO WARRANTY under the terms of "GNU Lesser General Public License, version 2.1", available here: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html Cisco AP Software, (ap3g3), C1562, RELEASE SOFTWARE Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2015 by Cisco Systems, Inc. Compiled Wed May 17 10:48:03 PDT 2017 ROM: Bootstrap program is U-Boot boot loader BOOTLDR: U-Boot boot loader Version 2013.01-g729a7b4 (Dec 05 2016 - 23:44:32) AP2C33.110E.7DE8 uptime is 0 days, 0 hours, 25 minutes Last reload time : Tue Oct 17 07:47:44 UTC 2017 Last reload reason : MESH reboot timer expired cisco AIR-AP1562I-E-K9 ARMv7 Processor rev 1 (v7l) with 1028384/658080K bytes of memory. Processor board ID FCZ2138Z0DP AP Running Image : 8.4.100.0 Primary Boot Image : 8.4.100.0 Backup Boot Image : 0.0.0.0 1 Gigabit Ethernet interfaces 2 802.11 Radios Radio Driver version : 9.0.5.5-W8964 Radio FW version : 9.1.8.1 NSS FW version : 2.4.18 Base ethernet MAC Address : 2C:33:11:0E:7D:E8 Part Number : 73-100839-04 PCA Assembly Number : 000-00000-00 PCA Revision Number : PCB Serial Number : FOC21323F9K Top Assembly Part Number : 068-100609-01 Top Assembly Serial Number : FCZ2138Z0DP Top Revision Number : A0 Product/Model Number : AIR-AP1562I-E-K9
And i double checked the mac address. I tried another AP as well to make sure this is not a "monday product" problem.
10-17-2017 12:21 AM - edited 10-17-2017 12:25 AM
as per the error:
Discovery response from MWAR 'SRVMWWLC01'running version 8.3.112.0 is rejected.
You need to upgarde the WLC to support these AP.
Upgrade the firmware of the controller to, say, 8.3.122.0.
Also check if the AP has ME or CAPWAP image by using sh version command. If it has ME image then you need to to convert it to CAPWAP by using the command on Consoile CLI: ap-type capwap
Regards
Dont forget to rate helpful posts
10-17-2017 01:49 AM
As i already pointed out, we have 17 aps of the same mode already running on the wlc. So the WLC version souldnt be an issue. And the 1560 series is on the supported list for WLC version 8.3.112.0 as you can check in the compatibility matrix here:
https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html
AP is already in CAPWAP mode:
AP2C33.110E.7DE8#ap-type capwap [*10/17/2017 08:48:15.2732] [*10/17/2017 08:48:15.2732] .....No change in AP Type configuration...... [*10/17/2017 08:48:15.2732]
10-17-2017 03:25 AM - edited 10-17-2017 03:27 AM
I know its compatible with cisoc wlc 8.3.112.0 but still its better to go with stable version.
paste the output of the command from WLC: show auth-list
Regards
Dont forget to arte helpful posts
10-17-2017 03:42 AM
Yeah, but if we upgrade the WLC, we have to upgrade our Prime Infrastructure as well. And the version 8.4.100.0 is an early development release as well. I dont see why we would need to upgrade our WLC just to get an access point up and running that is fully supported by the current release installed.
Here is the output of the show auth-list:
(Cisco Controller) >show auth-list Authorize MIC APs against Auth-list or AAA ...... disabled Authorize LSC APs against Auth-List ............. disabled APs Allowed to Join AP with Manufacturing Installed Certificate.... yes AP with Self-Signed Certificate................ no AP with Locally Significant Certificate........ no Mac Addr Cert Type Key Hash ----------------------- ---------- ------------------------------------------ 00:81:c4:88:70:90 MIC 00:81:c4:88:70:a6 MIC 00:81:c4:88:71:18 MIC 00:81:c4:88:71:20 MIC 00:c1:64:9c:09:48 MIC 00:c1:64:9c:0a:06 MIC 00:c1:64:9c:0a:8e MIC 00:c1:64:9c:0a:98 MIC 00:c1:64:9c:0a:9e MIC 00:c1:64:9c:0a:b0 MIC 00:c1:64:9c:0e:92 MIC 00:c1:64:9c:0e:d6 MIC 2c:33:11:0e:7d:02 MIC 2c:33:11:0e:7d:e8 MIC
The last two in line are the one that are not working. Does the 2 hour time difference not cause any certification distrust? How can i adjust the clock of the AP manually? I can only find old commands that dont work on our access point.
10-17-2017 04:05 AM
I hope the AP1562 trying to join as MESH in WLC.
Mesh functionality for 1562 is not supported on 8.3. Mesh supported only from 8.4.
Run the command on AP - CLI:
capwap ap mode local|flexconnect
change mode on AP as either local or flexconnect.
Let us know if it helps.
Regards,
Vengat
10-17-2017 04:21 AM
Well that fixed it. I could set the mode only to local, even though we use our access points in flexconnect. But our WLC is configured to change all joingin APs to flexconnect on initial join and that worked great. Not sure why this ap was trying to join with mesh configuration. The 17 others we ordered from the same supplier didnt try to do that. Nevertheless, lession learned and device is up and running well. Thanks for your help.
10-17-2017 06:59 AM
Glad that it worked..
10-23-2017 02:23 AM
Is it possible to boot a 1562 from the secondary boot Image via console ?
10-23-2017 08:13 AM
I hope it is running in Mobility Express image.
normal WLC command should work. you can try :
>>> config boot backup
>>> reset system
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide