Thanks for your response.

No DHCP, the AP has a static IP which I configured using  

capwap ap ip {ip_addr} {subnet_mask} {def_gateway} {dns_server}

Used same method to configure the controller IP address. However I noticed the AP is not able to ping any external IP addresses including IPs on its local subnet. Also, it appears the issue might be related to the fact that the AP's IP address is not on the same subnet as the WLC management interface. This is intentional, I would like to have the WLC mamagement IP on a different VLAN from the APs. The WLC currently has three separate IPs for 

• management interface 
• APs 
• Wireless Clients

Through console access, I can see the AP repeaetedly sending a CAPWAP discovery to the WLC3504, first through unicast to the WLC's IP, then broadcast on 255.255.255.255.  The WLC3504 receives these requests but sends no response. On the WLC webpage it shows the join attempt with the following error:

Last Error Occurred                 Lwapp discovery request rejected
Last Error Occurred Reason          Discovery request decoding with subnet broadcast and wrong AP IP address
Last Join Error Timestamp           Feb 12 15:05:23.340

Wondering whether I need some additional configuration on the AP or controller. I have attached a text file showing the AP boot messages. 

are AP and WLC IP are in same subnet ?

If yes then its ok elase configure a method fo WLC discovery (DNS/DHCP43)..etc

For testing purpose, put AP in same vlan as WLC and see if AP joins or not !!

if still fails then paste the output of these commands:

sh version from AP

sh sysinfo from WLC

Regards

Dont forget to rate helpful posts

This is the AP interface configuration

TRANS-IAP-91-002#show ip interface brief
Interface  IP-Address      Method   Status                 Protocol   Speed      Duplex
wired0     10.2.91.2      static   up                     up         100        full
wired1     unassigned      unset    down                   down       n/a        unknown
wifi0      n/a             n/a      administatively down   down       n/a        n/a
wifi1      n/a             n/a      administatively down   down       n/a        n/a

and WLC has

(Cisco Controller) >show interface summary 

 Number of Interfaces.......................... 7

Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
wifiClients-interface            1    50       10.2.50.254    Dynamic No     No   
management                       1    201      10.2.201.100   Static  Yes    No   
redundancy-management            1    201      0.0.0.0         Static  No     No   
redundancy-port                  -    untagged 0.0.0.0         Static  No     No   
service-port                     N/A  N/A      0.0.0.0         DHCP    No     No   
APVLANinterface                  1    90       10.2.91.1      Dynamic No     No   
virtual                          N/A  N/A      192.0.2.1       Static  No     No  

But it appears the WLC does not agree with receiving join requests on that interface.

(Cisco Controller) show> ap join stats summary all 
Number of APs.............................................. 1 

Base Mac             AP EthernetMac       AP Name                 IP Address         Status
70:70:8b:85:88:20    N A                  TRANS-IAP-91-002    10.2.91.2         Not Joined

(Cisco Controller) show> ap join stats detailed 70:70:8b:85:88:20 

Sync phase statistics
- Time at sync request received............................ Not applicable
- Time at sync completed................................... Not applicable

Discovery phase statistics
- Discovery requests received.............................. 253
- Successful discovery responses sent...................... 0
- Unsuccessful discovery request processing................ 253
- Reason for last unsuccessful discovery attempt........... Discovery request decoding with subnet broadcast and wrong AP IP address
- Time at last successful discovery attempt................ Not applicable
- Time at last unsuccessful discovery attempt.............. Feb 13 07:40:21.880

Join phase statistics
- Join requests received................................... 0
- Successful join responses sent........................... 0
- Unsuccessful join request processing..................... 0
- Reason for last unsuccessful join attempt................ Not applicable
- Time at last successful join attempt..................... Not applicable
- Time at last unsuccessful join attempt................... Not applicable

Configuration phase statistics

- Configuration requests received.......................... 0
- Successful configuration responses sent.................. 0
- Unsuccessful configuration request processing............ 0
- Reason for last unsuccessful configuration attempt....... Not applicable
- Time at last successful configuration attempt............ Not applicable
- Time at last unsuccessful configuration attempt.......... Not applicable

Last AP message decryption failure details
- Reason for last message decryption failure............... Not applicable

Last AP disconnect details
- Reason for last AP connection failure.................... Not applicable
- Last AP disconnect reason................................ Not applicable

Last join error summary
- Type of error that occurred last......................... Lwapp discovery request rejected
- Reason for error that occurred last...................... Discovery request decoding with subnet broadcast and wrong AP IP address
- Time at which the last join error occurred............... Feb 13 07:40:21.880

AP disconnect details
- Reason for last AP connection failure.................... Not applicable
                                                                           Ethernet Mac : 00:00:00:00:00:00  Ip Address : 10.23.91.2

Here's the output of AP show ver 

TRANS-IAP-91-002#show ver

             Restricted Rights Legend

Use, duplication, or disclosure by the Government is subject to
restrictions as set forth in subparagraph (c) of the Commercial
Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and
subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

            Cisco Systems, Inc.
            170 West Tasman Drive
            San Jose, California 95134-1706

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

This product contains some software licensed under the
"GNU General Public License, version 2" provided with
ABSOLUTELY NO WARRANTY under the terms of
"GNU General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html

This product contains some software licensed under the
"GNU Library General Public License, version 2" provided
with ABSOLUTELY NO WARRANTY under the terms of "GNU Library
General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/lgpl-2.0.html

This product contains some software licensed under the
"GNU Lesser General Public License, version 2.1" provided
with ABSOLUTELY NO WARRANTY under the terms of "GNU Lesser
General Public License, version 2.1", available here:
http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html

This product contains some software licensed under the
"GNU General Public License, version 3" provided with
ABSOLUTELY NO WARRANTY under the terms of
"GNU General Public License, Version 3", available here:
http://www.gnu.org/licenses/gpl.html.

This product contains some software licensed under the
"GNU Affero General Public License, version 3" provided
with ABSOLUTELY NO WARRANTY under the terms of
"GNU Affero General Public License, version 3", available here:
http://www.gnu.org/licenses/agpl-3.0.html.

Cisco AP Software, (ap3g3), [wnbu-bld-lnx13:/local/BUILD/workspace/v8_5_throttle_ME/barbados/router]
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Sun Mar 25 01:43:26 PDT 2018

ROM: Bootstrap program is U-Boot boot loader
BOOTLDR: U-Boot boot loader Version 2013.01-g5b3f225 (Jan 19 2018 - 15:21:10)

TRANS-IAP-91-002 uptime is 0 days, 0 hours, 2 minutes
Last reload time   : Tue Feb 12 09:30:33 UTC 2019
Last reload reason : Capwap Discovery Failed

cisco AIR-AP2802I-A-K9 ARMv7 Processor rev 1 (v7l) with 1028584/593300K bytes of memory.
Processor board ID FGL2133A2BN
AP Running Image     : 8.5.124.34
Primary Boot Image   : 8.5.124.34
Backup Boot Image    : 8.3.112.0
AP Image type    : MOBILITY EXPRESS IMAGE
AP Configuration : NOT MOBILITY EXPRESS CAPABLE
2 Gigabit Ethernet interfaces
2 802.11 Radios
Radio Driver version : 9.0.5.5-W8964
Radio FW version : 9.1.8.1
NSS FW version : 2.4.24

Base ethernet MAC Address            : 50:0F:80:4C:4E:C2
Part Number                          : 73-100821-03
PCA Assembly Number                  : 000-00000-00
PCA Revision Number                  :
PCB Serial Number                    : FDO213111JU
Top Assembly Part Number             : 068-100534-01
Top Assembly Serial Number           : FGL2133A2BN
Top Revision Number                  : A0
Product/Model Number                 : AIR-AP2802I-A-K9

And, here's the output of controller show sysinfo

(Cisco Controller) >show sysinfo 

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.5.131.0
RTOS Version..................................... 8.5.131.0
Bootloader Version............................... 8.5.103.0
Emergency Image Version.......................... 8.5.103.0

OUI File Last Update Time........................ N/A
Build Type....................................... DATA + WPS
System Name...................................... EVL-RADIO-WLC
System Location.................................. 
System Contact................................... 
System ObjectID.................................. 1.3.6.1.4.1.9.1.2427
Redundancy Mode.................................. Disabled
IP Address....................................... 10.2.201.100
IPv6 Address..................................... ::
Last Reset....................................... Cold reset due to PLL_DC_OK 
System Up Time................................... 4 days 18 hrs 20 mins 56 secs
System Timezone Location......................... (GMT -7:00) Mountain Time (US and Canada)
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180
Configured Country............................... CA  - Canada
Operating Environment............................ Commercial (10 to 35 C)
Internal Temp Alarm Limits....................... -10 to 80 C
Internal Temperature............................. +60 C
Mgig Temp Alarm Limits........................... -10 to 78 C
Mgig Temperature................................. +44 C
External Temp Alarm Limits....................... -10 to 71 C
External Temperature............................. +36 C
Fan Status....................................... OK
Fan Speed Mode................................... Disable
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 1
Number of Active Clients......................... 0
OUI Classification Failure Count................. 0
Burned-in MAC Address............................ CC:70:ED:15:4D:00
Maximum number of APs supported.................. 150
System Nas-Id.................................... 
WLC MIC Certificate Types........................ SHA1/SHA2
Licensing Type................................... RTU

I'm unable to use DHCP in my environment for now, but I'll try to give the AP an IP address in the WLC management subnet and point it to the WLCs management IP. Will post further results afterwards.

Thanks for your assistance.

AP Mgr is disabled on the interface, you need to enable it:
APVLANinterface 1 90 10.2.91.1 Dynamic No No

In the GUI the option is named "Enable Dynamic AP Management" which you have to enable under Controller -> Interfaces ->  APVLANinterface.

[edit]

Also your AP is just running with 100 Mbps on it's LAN, this will cause bottlenecks with modern clients. 

I have tried enabling it several times both on GUI and CLI but the WLC says its already enabled even though I can see that its not.

(Cisco Controller) >config interface ap-manager APVLANinterface enable 
AP manager interface already exist on port.

PS: Apologies for inconsistency in second subnet of IP address, I made some changes and 10.23 is used on all devices, not 10.2 as shown in earlier posts.

Thanks for the suggestion. Will upgrade as soon as service contract issue with the Reseller is resolved. Cisco support says I have no coverage.

I had LAG disabled from the start.

What I have done is put both AP and WLC management interface on the same IP subnet as suggested earlier. This issue was still unresolved but the debugs showed that the controller was receiving the join request and sending a response. However, AP wasn't responding. On the other side, the AP debugs showed that it was not receiving any response from the WLC. So I plugged both AP and WLC to the same switch and the AP was finally able to join the WLC. 

At first, I thought my VLAN wasn't being trunked across the network properly. But, that makes no sense, because I have the WLC and another device on the same VLAN and both can be pinged from every other network device. I noticed that the AP is now able to ping the WLC, but unable to ping any other network device, including those on the same subnet and same switch. This is the output of "sh ip route" from the AP

TRANS-IAP-91-001#show ip route
IPv4:
  gateway-ip  : 10.23.90.1
  gateway-mac :
IPv6:
  gateway-ip  :
  gateway-mac :

The GW IP is correct, but it is somehow unable to resolve the GW's L2 address. Seems abnormal to me.

Update:

Although my current setup will not allow DHCP when in operation, I decided to test with DHCP and Option 43 using a new AP. The AP cycled endlessly through a loop displaying 

[*09/11/2018 08:53:24.4840] aptrace_register_sysproc_fn: duplicate registeration for 'wired'
[*09/11/2018 08:53:28.5899] Waiting for uplink IPv4 configuration
[*09/11/2018 08:53:33.5911] Waiting for uplink IPv4 configuration
[*09/11/2018 08:53:38.5922] Waiting for uplink IPv4 configuration
[*09/11/2018 08:53:39.5924] Resetting wired0 and[09/11/2018 08:53:39.6200] wired0: stopped
 restart DHCP client
[09/11/2018 08:53:41.7100] wired0 emac 2: link up
[09/11/2018 08:53:41.7600] wired0: link up
[09/11/2018 08:53:41.8100] wired0: started

Then I found this thread and the corresponding bug which might have also affected 2800 APs. So I reset the AP to factory default and then set its IP address manually using

capwap ap ip {ip_addr} {subnet_mask} {default_GW} {dns_srv1} {dns_srv2} {domain}

Immediately, the AP joined the WLC3504, without having to configure the WLC IP using capwap ip commands.

Perhaps, the APs need a software upgrade. It is running on version 8.5.131.0