AIR-AP1832I-Z-K9 to existing wireless controller with existing APs

tux182
Level 1

Hi All

 

As the title suggests, I have a Cisco Virtual Wireless Controller with 4 existing WAPs (they are also AIR-AP1832I-Z-K9). I now have a new AIR-AP1832I-Z-K9 which I need to add.

I've found so much info on Cisco/commands etc. - I feel a bit swamped with which is right and relevant for my environment. Not to mention some commands work in the CLI and some don't... I've managed to get onto the new AP via serial cable and using POE. So I do have a little info. I'm determined to do this.

That all said - if there is a good guide out there relevant to me - I'd love to see it if anyone posts the URL.

 

The controller and WAPs have static IPs. The WAPs are on 8.6.101.0 firmware and the new one is on 8.3.143.0. So obviously I will need to update too.

In my mind I need to perform the following (not necessarily in this order):

  • Set static IP on new WAP (192.168.1.105/24)
  • Set name on new WAP (WAP05)
  • Join WAP to existing APs on WC
  • Update firmware to match existing fleet
  • Unsure if I have to be concerned that the time/date do not match at present

The existing WAPs are mounted high on the ceiling - so I would have liked to get on via serial to at least look at the config via CLI. Or maybe this isn't needed.

You can see from one of the screenshots it sees the existing wireless controller (192.168.1.100) but can't join and goes in a loop.

The controller's GUI does not detect/prompt me to accept a new AP, from what I can see.

Thanks for any guidance in advance


RaffyLindogan
Spotlight

Hi mate,

 

I've got comments on a few things:

 1. Software 8.6 is still on ED. The 8.3 version is deemed stable at the moment (you can review the release notes to see whichever suits your network).

 2. Regarding the AP joining the WLC:

      a. You have to ensure that time is synchronized between the AP and the WLC.

      b. Don't worry about the software: once the AP joins the WLC, part of the process is that the image will be downloaded to the APs to match the WLC software.

      c. You can assign either a static IP on the AP or have a DHCP server for your AP VLANs.

I want to confirm now whether you see any logs on the WLC for the AP. Check as well whether the APs are on the correct VLANs.

Please provide the "show log" output on one of the APs. Also you can run a debug capwap events on the WLC.

 


Cheers,

 

Raffy

Hi Raffy

 

Not sure how I can do 'show log' if I can't physically get to the APs and thus serial?

'Also you can run a debug capwap events on the WLC'

Can you explain how I do this?

 

Many thanks

Hi mate,

 

Try to configure the clock using these commands:

clock set hh:mm:ss day month year

or

clock set hh:mm:ss month day year

clock timezone zone hours-offset [minutes-offset]

copy run start

 

See below regarding the debug on WLC:

 

debug mac addr <ap-mac-address>
(in xx:xx:xx:xx:xx format)

debug client <ap-mac-address>

debug capwap events enable
debug lwapp errors enable
debug pm pki enable

 

Cheers,

 

Raffy

Hi Raffy - thanks for that. Some success...

 

The clock commands are supposed to be run on the AP, I presume?

No matching commands there. See below list of commands.

APDCF7.1964.0D88#
Exec mode commands
ap-type Set the access point type
archive Archive commands
capwap CAPWAP exec commands
clear Reset functions
config Configure parameters
copy Copy a file
debug Debugging functions (see also 'undebug')
delete Delete a file
disable Turn off privileged commands
enable Turn on privileged commands
exec-timeout Set the exec-timeout
logging Logging commands
logout Logout out from CLI
more Display a file
no Negate a command or set its defaults
ping Send echo messages
reload Halt and perform a cold restart
show Show running system information
terminal Terminal parameters
test Test susbystems, memory and interfaces
traceroute Trace route to destination
undebug Disable debugging functions (see also 'debug')
APDCF7.1964.0D88#

 

As for the debug on the controller. The first 2 lines went in fine. 3rd one went a bit weird (see below)

 

(Cisco Controller) >debug lwapp errors enable

HELP:
Special keys:
DEL, BS .... delete previous character
Ctrl-A .... go to beginning of line
Ctrl-E .... go to end of line
Ctrl-F .... go forward one character
Ctrl-B .... go backward one character
Ctrl-D .... delete current character
Ctrl-U, X .. delete to beginning of line
Ctrl-K .... delete to end of line
Ctrl-W .... delete previous word
Ctrl-T .... transpose previous character
Ctrl-P .... go to previous line in history buffer
Ctrl-N .... go to next line in history buffer
Ctrl-Z .... return to root command prompt
Tab, <SPACE> command-line completion
Exit .... go to next lower command prompt
? .... list choices

(Cisco Controller) >debug pm pki enable


(Cisco Controller) >*spamApTask3: May 07 16:28:08.716: sshpmGetCID: called to evaluate <cscoSha2IdCert>
*spamApTask3: May 07 16:28:08.725: OpenSSL Get Issuer Handles: locking ca cert table
*spamApTask3: May 07 16:28:08.725: OpenSSL Get Issuer Handles: x509 subject_name /C=US/ST=California/L=San Jose/O=Cisco Systems/CN=AP1G4-DCF719640D88/emailAddress=support@cisco.com
*spamApTask3: May 07 16:28:08.725: OpenSSL Get Issuer Handles: issuer_name /O=Cisco/CN=Cisco Manufacturing CA SHA2
*spamApTask3: May 07 16:28:08.725: OpenSSL Get Issuer Handles: CN AP1G4-DCF719640D88
*spamApTask3: May 07 16:28:08.725: OpenSSL Get Issuer Handles: issuerCertCN Cisco Manufacturing CA SHA2
*spamApTask3: May 07 16:28:08.725: GetMac: MAC: dcf7.1964.0d88
*spamApTask3: May 07 16:28:08.725: OpenSSL Get Issuer Handles: openssl Mac Address in subject is dc:f7:19:64:0d:88
*spamApTask3: May 07 16:28:08.725: OpenSSL Get Issuer Handles: Cert Name in subject is AP1G4-DCF719640D88
*spamApTask3: May 07 16:28:08.725: OpenSSL Get Issuer Handles: Extracted cert issuer from subject name.
*spamApTask3: May 07 16:28:08.725: NMSP:: Algo name matched SHA256
*spamApTask3: May 07 16:28:08.725: OpenSSL Get Issuer Handles: Cert is issued by Cisco Systems.
*spamApTask3: May 07 16:28:08.725: Retrieving x509 cert for CertName cscoMfgSha2CaCert
*spamApTask3: May 07 16:28:08.725: sshpmGetCID: called to evaluate <cscoMfgSha2CaCert>
*spamApTask3: May 07 16:28:08.725: sshpmGetCID: Found matching CA cert cscoMfgSha2CaCert in row 7
*spamApTask3: May 07 16:28:08.725: Found CID 2e0c4f15 for certname cscoMfgSha2CaCert
*spamApTask3: May 07 16:28:08.725: CACertTable: Found matching CID cscoMfgSha2CaCert in row 7 x509 0x7f9d4aef4f48
*spamApTask3: May 07 16:28:08.725: Retrieving x509 cert for CertName cscoRootSha2CaCert
*spamApTask3: May 07 16:28:08.725: sshpmGetCID: called to evaluate <cscoRootSha2CaCert>
*spamApTask3: May 07 16:28:08.725: sshpmGetCID: Found matching CA cert cscoRootSha2CaCert in row 6
*spamApTask3: May 07 16:28:08.725: Found CID 2f98fa63 for certname cscoRootSha2CaCert
*spamApTask3: May 07 16:28:08.725: CACertTable: Found matching CID cscoRootSha2CaCert in row 6 x509 0x7f9d4aef5218
*spamApTask3: May 07 16:28:08.725: Verify User Certificate: X509 Cert Verification return code: 1
*spamApTask3: May 07 16:28:08.725: Verify User Certificate: X509 Cert Verification result text: ok
*spamApTask3: May 07 16:28:08.725: sshpmGetCID: called to evaluate <cscoMfgSha2CaCert>
*spamApTask3: May 07 16:28:08.725: sshpmGetCID: Found matching CA cert cscoMfgSha2CaCert in row 7
*spamApTask3: May 07 16:28:08.725: Verify User Certificate: OPENSSL X509_Verify: AP Cert Verfied Using >cscoMfgSha2CaCert<
*spamApTask3: May 07 16:28:08.725: OpenSSL Get Issuer Handles: Check cert validity times (allow expired NO)
*spamApTask3: May 07 16:28:08.725: sshpmGetCID: called to evaluate <cscoDefaultIdCert>
*spamApTask3: May 07 16:28:08.725: sshpmGetCID: Found matching ID cert cscoDefaultIdCert in row 2
*spamApTask3: May 07 16:28:08.725: sshpmFreePublicKeyHandle: called with 0x7f9d4aa59d68
*spamApTask3: May 07 16:28:08.725: sshpmFreePublicKeyHandle: freeing public key

 

Also - please forgive me if there are some basic things not completed here. Newbie to the CLI Cisco world (but I'm trying!) :)

Hi mate,

 

It should be in configure mode.

Try this.

 

conf t
clock set hh:mm:ss day month year
clock set hh:mm:ss month day year
clock timezone zone hours-offset
copy run start

 

 

That was a typo as well on this other one.
It should be "debug capwap errors enable".

 

Cheers,

 

Raffy

Not available as a command

You can see I only have 'config boot' as an option in this screenshot

Login - username + password ( > prompt)

'enable' (enter password again) ( # prompt)

Then command

Am I missing something?

Result from the following commands on WLC

  • debug client (MAC)
  • debug capwap events enable
  • debug capwap errors enable
  • debug pm pki enable

 

 

(Cisco Controller) >*spamApTask3: May 08 12:18:34.557: MAC Deleting AP entry 192.168.10.133:5248 from temporary database.
*spamApTask3: May 08 12:18:48.820: MAC DTLS connection not found, creating new connection for 192.168.10.133 (5248) 192.168.1.100 (5246)
*spamApTask3: May 08 12:18:48.820: sshpmGetCID: called to evaluate <cscoSha2IdCert>
*spamApTask3: May 08 12:18:48.820: sshpmGetCID: failed to find matching cert name cscoSha2IdCert
*spamApTask3: May 08 12:18:48.820: GetIDCert: Using SHA2 Id cert on WLC
*spamApTask3: May 08 12:18:48.820: sshpmGetCID: called to evaluate <cscoDefaultIdCert>
*spamApTask3: May 08 12:18:48.820: sshpmGetCID: Found matching ID cert cscoDefaultIdCert in row 2
*spamApTask3: May 08 12:18:48.820: Get Cert from CID: For CID 1a6e63d4 certType 1
*spamApTask3: May 08 12:18:48.820: Get Cert from CID: Found match of ID Cert in row 2
*spamApTask3: May 08 12:18:48.820: sshpmGetCID: called to evaluate <cscoSha2IdCert>
*spamApTask3: May 08 12:18:48.820: sshpmGetCID: failed to find matching cert name cscoSha2IdCert
*spamApTask3: May 08 12:18:48.820: GetDERIDKey: Using SHA2 Id cert Private Keys on WLC
*spamApTask3: May 08 12:18:48.820: sshpmGetCID: called to evaluate <cscoDefaultIdCert>
*spamApTask3: May 08 12:18:48.820: sshpmGetCID: Found matching ID cert cscoDefaultIdCert in row 2
*spamApTask3: May 08 12:18:48.820: GetPrivateKey: called to get key for CID 1a6e63d4
*spamApTask3: May 08 12:18:48.820: Private Key found row 2 KeyBufLen 2048 Keylen 1191 PrivateKeyPtr 0x7f9d4b0fc810
*spamApTask3: May 08 12:18:48.828: OpenSSL Get Issuer Handles: locking ca cert table
*spamApTask3: May 08 12:18:48.828: OpenSSL Get Issuer Handles: x509 subject_name /C=US/ST=California/L=San Jose/O=Cisco Systems/CN=AP1G4-DCF719640D88/emailAddress=support@cisco.com
*spamApTask3: May 08 12:18:48.828: OpenSSL Get Issuer Handles: issuer_name /O=Cisco/CN=Cisco Manufacturing CA SHA2
*spamApTask3: May 08 12:18:48.828: OpenSSL Get Issuer Handles: CN AP1G4-DCF719640D88
*spamApTask3: May 08 12:18:48.828: OpenSSL Get Issuer Handles: issuerCertCN Cisco Manufacturing CA SHA2
*spamApTask3: May 08 12:18:48.828: GetMac: MAC: dcf7.1964.0d88
*spamApTask3: May 08 12:18:48.828: OpenSSL Get Issuer Handles: openssl Mac Address in subject is MAC
*spamApTask3: May 08 12:18:48.828: OpenSSL Get Issuer Handles: Cert Name in subject is AP1G4-DCF719640D88
*spamApTask3: May 08 12:18:48.828: OpenSSL Get Issuer Handles: Extracted cert issuer from subject name.
*spamApTask3: May 08 12:18:48.828: NMSP:: Algo name matched SHA256
*spamApTask3: May 08 12:18:48.828: OpenSSL Get Issuer Handles: Cert is issued by Cisco Systems.
*spamApTask3: May 08 12:18:48.828: Retrieving x509 cert for CertName cscoMfgSha2CaCert
*spamApTask3: May 08 12:18:48.828: sshpmGetCID: called to evaluate <cscoMfgSha2CaCert>
*spamApTask3: May 08 12:18:48.828: sshpmGetCID: Found matching CA cert cscoMfgSha2CaCert in row 7
*spamApTask3: May 08 12:18:48.828: Found CID 2e0c4f15 for certname cscoMfgSha2CaCert
*spamApTask3: May 08 12:18:48.828: CACertTable: Found matching CID cscoMfgSha2CaCert in row 7 x509 0x7f9d4aef4f48
*spamApTask3: May 08 12:18:48.828: Retrieving x509 cert for CertName cscoRootSha2CaCert
*spamApTask3: May 08 12:18:48.828: sshpmGetCID: called to evaluate <cscoRootSha2CaCert>
*spamApTask3: May 08 12:18:48.828: sshpmGetCID: Found matching CA cert cscoRootSha2CaCert in row 6
*spamApTask3: May 08 12:18:48.828: Found CID 2f98fa63 for certname cscoRootSha2CaCert
*spamApTask3: May 08 12:18:48.828: CACertTable: Found matching CID cscoRootSha2CaCert in row 6 x509 0x7f9d4aef5218
*spamApTask3: May 08 12:18:48.828: Verify User Certificate: X509 Cert Verification return code: 1
*spamApTask3: May 08 12:18:48.828: Verify User Certificate: X509 Cert Verification result text: ok
*spamApTask3: May 08 12:18:48.828: sshpmGetCID: called to evaluate <cscoMfgSha2CaCert>
*spamApTask3: May 08 12:18:48.828: sshpmGetCID: Found matching CA cert cscoMfgSha2CaCert in row 7
*spamApTask3: May 08 12:18:48.828: Verify User Certificate: OPENSSL X509_Verify: AP Cert Verfied Using >cscoMfgSha2CaCert<
*spamApTask3: May 08 12:18:48.828: OpenSSL Get Issuer Handles: Check cert validity times (allow expired NO)
*spamApTask3: May 08 12:18:48.828: sshpmGetCID: called to evaluate <cscoDefaultIdCert>
*spamApTask3: May 08 12:18:48.828: sshpmGetCID: Found matching ID cert cscoDefaultIdCert in row 2
*spamApTask3: May 08 12:18:48.828: sshpmFreePublicKeyHandle: called with 0x7f9d4aa8ee98
*spamApTask3: May 08 12:18:48.828: sshpmFreePublicKeyHandle: freeing public key
*spamApTask3: May 08 12:18:48.861: MAC DTLS Session established server (192.168.1.100:5246), client (192.168.10.133:5248)
*spamApTask3: May 08 12:18:48.861: MAC Starting wait join timer for AP: 192.168.10.133:5248

 

I ran debug capwap events enable on the controller

I see my AP mentioned in the logs

 

*spamApTask3: May 07 15:34:26.316: dc:f7:19:64:9c:a0 DTLS connection closed event receivedserver (192.168.1.100/5246) client (192.168.10.133/5248)
*spamApTask3: May 07 15:34:26.316: dc:f7:19:64:9c:a0 No entry exists for AP (192.168.10.133/5248)
*spamApTask3: May 07 15:34:26.316: dc:f7:19:64:0d:88 Deleting AP entry 192.168.10.133:5248 from temporary database.

fsedanoc
Cisco Employee

Hello,

 

As per your screenshot it seems time on AP is Apr 3, while certificate on the controller is only valid starting Apr 17.

 

Can you update your DHCP server so it sends out NTP information?

 

Thanks,

Yes, I can look into it - but it looks like another rabbit hole already..

In short 004 in DHCP should/could be looking at an external source?

OK now configured 042 (DHCP) with the internal time server IP listed

Rebooted AP

AP still references 17 April 2017

Can your WLC / AP reach the NTP server you have configured?
Is the time on the WLC correct?
Regarding the software, please don't use 8.6, this version train is deprecated. Use 8.8.120.0 or 8.5.140.0.

For the AP, typically you put it into the same VLAN as the ap-management interface of the WLC. The AP will then (after it has received an IP address from the DHCP server, including valid Gateway address) discover the WLC by sending a broadcast packet (or DHCP, or DNS). Then it will connect to the WLC, down-/upgrade its software, reboot and connect again. That's it. Not entirely sure if it works exactly the same with the VM WLC though.
It will take the same configuration as all the other access points already in use. Only reason it doesn't use the same configuration is in the case of configured AP Groups. If you don't have any, then it takes the default profile, like all other APs.

Hi - yes, both can ping NTP server

Time on WLC is correct.

 

Thanks for the explanation - but how do I do this?

It seems the AP and WLC can see each other already (see previous logs)

Ok, your debug also looks good, as far as I can see.
*spamApTask3: May 08 12:18:48.861: MAC DTLS Session established server (192.168.1.100:5246), client (192.168.10.133:5248)
*spamApTask3: May 08 12:18:48.861: MAC Starting wait join timer for AP: 192.168.10.133:5248

Do you have free licenses on the WLC, or are maybe all used up?

It could also, with a very low possibility, be a wiring issue (broken cable).
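
An added example (not part of the thread and not Cisco code): a small triage script that groups the WLC debug messages quoted in this thread into join attempts per AP, so a join loop shows up as repeated attempts that get through DTLS and then have their entry removed. The sample lines are constructed in the format of the thread's output (later timestamps are invented), and the stage and verdict names are this example's own labels.

```python
import re

# Message patterns taken from the debug output in this thread; each captures
# the AP's IP and CAPWAP source port. Stage names are labels for this example.
EVENTS = [
    ("dtls_start", re.compile(r"DTLS connection not found, creating new connection for ([\d.]+) \((\d+)\)")),
    ("dtls_up", re.compile(r"DTLS Session established server \([\d.:]+\), client \(([\d.]+):(\d+)\)")),
    ("wait_join", re.compile(r"Starting wait join timer for AP: ([\d.]+):(\d+)")),
    ("dtls_closed", re.compile(r"DTLS connection closed event received\s*server \([\d./]+\) client \(([\d.]+)/(\d+)\)")),
    ("entry_deleted", re.compile(r"Deleting AP entry ([\d.]+):(\d+) from temporary database")),
]

# Constructed sample in the thread's log format (not a real capture).
SAMPLE = """\
*spamApTask3: May 08 12:18:48.820: MAC DTLS connection not found, creating new connection for 192.168.10.133 (5248) 192.168.1.100 (5246)
*spamApTask3: May 08 12:18:48.861: MAC DTLS Session established server (192.168.1.100:5246), client (192.168.10.133:5248)
*spamApTask3: May 08 12:18:48.861: MAC Starting wait join timer for AP: 192.168.10.133:5248
*spamApTask3: May 08 12:19:48.900: MAC DTLS connection closed event receivedserver (192.168.1.100/5246) client (192.168.10.133/5248)
*spamApTask3: May 08 12:19:48.900: MAC Deleting AP entry 192.168.10.133:5248 from temporary database.
*spamApTask3: May 08 12:20:03.120: MAC DTLS connection not found, creating new connection for 192.168.10.133 (5248) 192.168.1.100 (5246)
*spamApTask3: May 08 12:20:03.161: MAC DTLS Session established server (192.168.1.100:5246), client (192.168.10.133:5248)
*spamApTask3: May 08 12:20:03.161: MAC Starting wait join timer for AP: 192.168.10.133:5248
"""

def join_attempts(lines):
    """Return {ap_endpoint: [[stage, ...], ...]}; a dtls_start opens a new attempt."""
    attempts = {}
    for line in lines:
        for stage, pattern in EVENTS:
            match = pattern.search(line)
            if not match:
                continue
            runs = attempts.setdefault(f"{match.group(1)}:{match.group(2)}", [])
            if stage == "dtls_start" or not runs:
                runs.append([])
            runs[-1].append(stage)
            break
    return attempts

def verdict(stages):
    """Classify one attempt using only the messages this thread shows."""
    if "dtls_up" not in stages:
        return "dtls_not_established"      # look at certificates and clocks first
    if {"dtls_closed", "entry_deleted"} & set(stages):
        return "dtls_ok_join_not_completed"  # cause lies after the DTLS handshake
    return "dtls_ok_waiting_for_join"

def summarize(lines):
    return {ap: [verdict(run) for run in runs] for ap, runs in join_attempts(lines).items()}

if __name__ == "__main__":
    for ap, verdicts in summarize(SAMPLE.splitlines()).items():
        print(ap, verdicts)
```

Several consecutive `dtls_ok_join_not_completed` verdicts for one AP match the loop described in the first post: the certificate and DTLS stages succeed, so the remaining causes are the ones raised after the handshake, such as the license question above.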
