Hi Rasik,

I configured Telnet + Credentials in the AP so I can get the LOG.

One additional information, on version 7.6.100, I am not able to apply the CLEAR command directly in the AP (I have telnet session to the AP) in order to run tests and check the events in the AP LOG. I got the information that from the WLC on version 7.6 you can clear the log in the AP attached to this WLC.

Yes, that is the Management IP of the controller.

Next the log of the AP on which I have a telnet session and debug running:

`````````````````````````````````````````````````````````````````````````````````````````````````````````

APe4d3.f11e.a8e1#
APe4d3.f11e.a8e1#ping 172.23.111.23  
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.111.23, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/32 ms
APe4d3.f11e.a8e1#
APe4d3.f11e.a8e1#
APe4d3.f11e.a8e1#
APe4d3.f11e.a8e1#show log

APe4d3.f11e.a8e1#show log

Syslog logging: enabled (0 messages dropped, 4 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: level debugging, 100 messages logged, xml disabled,

                     filtering disabled

    Monitor logging: level debugging, 0 messages logged, xml disabled,

                     filtering disabled

    Buffer logging:  level debugging, 102 messages logged, xml disabled,

                    filtering disabled

    Exception Logging: size (4096 bytes)

    Count and timestamp logging messages: disabled

    Persistent logging: disabled

    Trap logging: level emergencies, 0 message lines logged

        Logging to 255.255.255.255  (udp port 514, audit disabled,

              link down),

              0 message lines logged,

              0 message lines rate-limited,

              0 message lines dropped-by-MD,

              xml disabled, sequence number disabled

              filtering disabled

        Logging Source-Interface:       VRF Name:

Log Buffer (1048576 bytes):

*Mar  1 00:00:11.491: FIPS IOS test Image Checksum successful

*Mar  1 00:00:11.491: FIPS IOS test Crypto RNG DEK Key Test successful

*Mar  1 00:00:11.491: FIPS IOS test SHA-1 successful

*Mar  1 00:00:11.491: FIPS IOS test HMAC-SHA1 successful

*Mar  1 00:00:11.491: FIPS IOS test AES CBC 128-bit Encrypt successful

*Mar  1 00:00:11.491: FIPS IOS test AES CBC 128-bit Decrypt successful

*Mar  1 00:00:11.491: FIPS IOS test IOS AES CMAC Encrypt successful

*Mar  1 00:00:11.491: FIPS IOS test IOS CCM Encrypt successful

*Mar  1 00:00:11.491: FIPS IOS test IOS CCM Decrypt successful

*Mar  1 00:00:11.523: FIPS IOS test RSA Signature Generation successful

*Mar  1 00:00:11.523: FIPS IOS test RSA Signature Verification successful

*Mar  1 00:00:11.523: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed

*Mar  1 00:00:11.527: %IFMGR-7-NO_IFINDEX_FILE: Unable to open nvram:/ifIndex-table No such file or directory

*Mar  1 00:00:11.983: Registering HW DTLS

*Mar  1 00:00:14.783: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up

*Mar  1 00:00:18.463: FIPS RADIO test AES 128-bit encrypt for TX on Dot11Radio 0 successful

*Mar  1 00:00:18.463: FIPS RADIO test AES 128-bit CCM encrypt on Dot11Radio 0 successful

*Mar  1 00:00:18.463: FIPS RADIO test AES 128-bit CCM decrypt on Dot11Radio 0 successful

*Mar  1 00:00:18.463: FIPS RADIO test AMAC AES 128-bit CMAC encrypt on Dot11Radio 0 successful

*Mar  1 00:00:18.463: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0

*Mar  1 00:00:24.591: FIPS RADIO test AES 128-bit encrypt for TX on Dot11Radio 1 successful

*Mar  1 00:00:24.591: FIPS RADIO test AES 128-bit CCM encrypt on Dot11Radio 1 successful

*Mar  1 00:00:24.595: FIPS RADIO test AES 128-bit CCM decrypt on Dot11Radio 1 successful

*Mar  1 00:00:24.595: FIPS RADIO test AMAC AES 128-bit CMAC encrypt on Dot11Radio 1 successful

*Mar  1 00:00:24.595: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1

*Mar  1 00:00:26.919: %SYS-5-RESTART: System restarted --

Cisco IOS Software, C2600 Software (AP3G2-K9W8-M), Version 15.2(4)JA1, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2013 by Cisco Systems, Inc.

Compiled Tue 30-Jul-13 22:57 by prod_rel_team

*Mar  1 00:00:26.919: %SNMP-5-COLDSTART: SNMP agent on host APe4d3.f11e.a8e1 is undergoing a cold start

*Dec 12 00:03:35.043: %PARSER-4-BADCFG: Unexpected end of configuration file.

*Dec 12 00:03:35.047: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset

*Dec 12 00:03:35.047: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset

*Dec 12 00:03:35.047: %CDP_PD-4-POWER_OK: Full power - AC_ADAPTOR inline power source

*Dec 12 00:03:35.059: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to uplwapp_crypto_init: MIC Present and Parsed Successfully

*Dec 12 00:03:35.179: %SSH-5-ENABLED: SSH 2.0 has been enabled

*Dec 12 00:03:35.179: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up

*Dec 12 00:03:35.783: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down

*Dec 12 00:03:36.031: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up

*Dec 12 00:03:36.047: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down

*Dec 12 00:03:36.047: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down

*Dec 12 00:03:36.147: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset

*Dec 12 00:03:37.139: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up

*Dec 12 00:03:37.231: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up

*Dec 12 00:03:37.239: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down

*Dec 12 00:03:37.247: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset

*Dec 12 00:03:38.231: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up

*Dec 12 00:03:38.239: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down

*Dec 12 00:03:38.267: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up

*Dec 12 00:03:38.307: FIPS HW test SHA-1 successful

*Dec 12 00:03:38.307: FIPS HW test HMAC-SHA1 successful

*Dec 12 00:03:38.307: FIPS HW test AES CBC 128-bit Encrypt successful

*Dec 12 00:03:38.307: FIPS HW test AES CBC 128-bit Decrypt successful

*Dec 12 00:03:38.807: FIPS HW test SHA-1 successful

*Dec 12 00:03:38.807: FIPS HW test HMAC-SHA1 successful

*Dec 12 00:03:38.807: FIPS HW test AES CBC 128-bit Encrypt successful

*Dec 12 00:03:38.807: FIPS HW test AES CBC 128-bit Decrypt successful

*Dec 12 00:03:38.807: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed

*Dec 12 00:03:38.807: DPAA Initialization Complete

*Dec 12 00:03:38.807: %SYS-3-HARIKARI: Process DPAA INIT top-level routine exited

*Dec 12 00:03:39.267: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up

*Dec 12 00:03:39.807: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up

*Dec 12 00:04:03.923: Logging LWAPP message to 255.255.255.255.

*Dec 12 00:04:08.651: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.219.96.51, mask 255.255.240.0, hostname APe4d3.f11e.a8e1

*Dec 12 00:04:18.607: %CAPWAP-5-DHCP_OPTION_43: Controller address 172.23.111.23 obtained through DHCP

*Dec 12 00:04:18.607: %CAPWAP-5-DHCP_OPTION_43: Controller address 172.23.111.20 obtained through DHCP

*Dec 12 00:04:18.607: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.

*Dec 12 00:04:18.607: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.tdsb.on.ca

*Dec 12 00:04:28.611: %CAPWAP-3-ERRORLOG: Selected MWAR 'DC-WiFi-WLC1-3'(index 0).

*Dec 12 00:04:28.611: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Jan 31 21:52:00.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.23.111.23 peer_port: 5246

*Jan 31 21:52:00.467: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.23.111.23 peer_port: 5246

*Jan 31 21:52:00.467: %CAPWAP-5-SENDJOIN: sending Join Request to 172.23.111.23

*Jan 31 21:52:00.467: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.

*Jan 31 21:52:00.467: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.

*Jan 31 21:52:00.467: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller

*Jan 31 21:52:00.467: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 172.23.111.23

*Jan 31 21:52:00.927: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down

*Jan 31 21:52:00.999: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset

*Jan 31 21:52:01.007: ac_first_hop_mac - IP:10.219.96.1 Hop IP:10.219.96.1 IDB:BVI1

*Jan 31 21:52:01.011: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up

*Jan 31 21:52:01.083: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller DC-WiFi-WLC1-3

*Jan 31 21:52:01.231: %WIDS-6-ENABLED: IDS Signature is loaded and enabled

*Jan 31 21:52:01.927: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down

*Jan 31 21:52:01.963: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down

*Jan 31 21:52:01.971: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset

*Jan 31 21:52:02.011: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down

*Jan 31 21:52:02.955: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up

*Jan 31 21:52:02.991: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up

*Jan 31 21:52:02.999: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down

*Jan 31 21:52:03.007: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset

*Jan 31 21:52:03.991: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up

*Jan 31 21:52:03.999: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down

*Jan 31 21:52:04.027: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up

*Jan 31 21:52:05.027: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up

*Jan 31 21:52:33.195: %CLEANAIR-6-STATE: Slot 0 enabled

*Jan 31 21:52:34.971: %CLEANAIR-6-STATE: Slot 1 enabled

*Jan 31 21:53:47.979: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down

*Jan 31 21:53:47.987: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset

*Jan 31 21:53:48.979: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down

*Jan 31 21:53:49.007: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up

*Jan 31 21:53:50.007: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up

*Jan 31 21:54:04.999: %CLEANAIR-6-STATE: Slot 1 down

*Jan 31 21:54:21.759: %CLEANAIR-6-STATE: Slot 1 enabled

APe4d3.f11e.a8e1#                

```````````````````````````````````````````````````````````````````````````````````````````````````

DEBUGS:

APe4d3.f11e.a8e1#show debug

DTLS:

  DTLS ERROR debugging is on

LWAPP:

  LWAPP Client ERROR display debugging is on

CAPWAP:

  CAPWAP Client ERROR display debugging is on

APe4d3.f11e.a8e1#

You have to get into console of one of this AP to see what's going on.We need to see entire boot up process of one of this AP. Try this via AP console & see any difference. If not reboot the AP & attach the entire console output.

APe4d3.f11e.a8e1#capwap ap controller ip address 172.23.111.23

Also on your WLC, get "show auth-list" output to see if any AP policies configured.

HTH

Rasika

**** Pls rate all useful responses ****

Hi,

Based on the output you provided, I can see AP registered to WLC

*Jan 31 21:52:00.467: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 172.23.111.23
*Jan 31 21:52:00.927: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Jan 31 21:52:00.999: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Jan 31 21:52:01.007: ac_first_hop_mac - IP:10.219.96.1 Hop IP:10.219.96.1 IDB:BVI1
*Jan 31 21:52:01.011: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Jan 31 21:52:01.083: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller DC-WiFi-WLC1-3

Did you see that in your WLC ? (that is show ap summary should tells you)

HTH

Rasika

Important to mention that the AP can associate to the AP and I can connect to the SSID's and navigate. I just want to know if this error message can cause any issue in the daily operation of the wireless network.

I have something else configured in the AP HA option:

No, that error msg usually comes if it having troble to register for a WLC. If your AP register to the WLC & does not loose connectivity then there is nothing to worry about.

HA configuration is always good, so AP can failover quickly if primary WLC is unavailable

HTH

Rasika

**** Pls rate all useful responses ****

Hi Rasik,

Applied the command that you indicated: CAPWAP AP CONTROLLER IP ADDRESS

In addition to that I have the following:

(Cisco Controller) >show auth-list

Authorize MIC APs against Auth-list or AAA ...... disabled

Authorize LSC APs against Auth-List ............. disabled

APs Allowed to Join

  AP with Manufacturing Installed Certificate.... yes

  AP with Self-Signed Certificate................ no

  AP with Locally Significant Certificate........ no

Mac Addr                  Cert Type    Key Hash

-----------------------   ----------   ------------------------------------------

f4:ce:46:b3:99:22         LBS-SSC      b93d297d0fb8bbb161087c2e2391beb8c293c0fa

(Cisco Controller) >

```````````````````````````````````````````````````````````````````````````````````````````````````````````````````

(Cisco Controller) >show ap summary

Number of APs.................................... 2

Global AP User Name.............................. admin

Global AP Dot1x User Name........................ Not Configured

AP Name             Slots  AP Model              Ethernet MAC       Location          Country  IP Address       Clients

------------------  -----  --------------------  -----------------  ----------------  -------  ---------------  -------

APe4d3.f11e.a8e1     2     AIR-CAP2602I-A-K9     e4:d3:f1:1e:a8:e1  default location  CA       10.219.96.51     0  

APc464.1338.cdd4     2     AIR-CAP3502I-A-K9     c4:64:13:38:cd:d4  default location  CA       172.22.81.33     0  

`````````````````````````````````````````````````````````````````````````````````````````````````````

IF the error message does not mean anything since that the AP can register to the WLC as you could see, I just want to know if I have an AP POLICY like David mentioned above so I can remove it without affecting our current wireless operation.

Could you please let me know what that AP POLICY means?

thanks again

Hi

AP policy is to restrict what APs can register to your controller. You can add list of MAC address of your AP & then only those AP will able to register.

Since you have not specifically configured AP policy you can leave it as it is. In Davide's case he has configured it & therefore unless he add the new AP MAC address into the list, WLC won't allow it to register.

HTH

Rasika

**** Pls rate all useful responses ***

thanks