Solved: Re: Ap 9130 can't access to 9800-L-F

sigcerder · ‎11-24-2024

Hi Collegues.
Can you help me solve a problem. There is an issue with connecting a Cisco AP 2802 access point to a Cisco 9800-L wireless controller.
The access point fails during the CAPWAP Discovery stage, and the following logs are observed on the AP console:

[*11/19/2024 18:22:27.7743] CAPWAP State: Discovery
[*11/19/2024 18:22:27.7788] Not Sending the TLV_AP_EWLC_TAGS_PAYLOAD.
[*11/19/2024 18:22:27.7791] Discovery Request sent to 10.1.2.7, discovery type STATIC_CONFIG(1)
[*11/19/2024 18:22:27.7845] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*11/19/2024 18:23:01.9391] Received Capwap watchdog update msg.
[*11/19/2024 18:23:34.6082] !!!!! {watchdogd} Unable to reach gateway for 1200 seconds

Network Diagram

Switch: Cisco CBS350 in L2 mode connects the controller and the AP.
Wireless Controller: Cisco 9800-L-F (physical) is configured with a management VLAN (VLAN 2, IP 10.1.2.7).
Access Point: Cisco AP 2802 connected in VLAN 60 (IP 10.1.60.10) on SW
Router: GW-1111 acting as the gateway and DHCP server for the network:
Router IP: 10.1.2.1.
DHCP server provides IP addresses for VLAN 60.

Error Details
The AP and controller can ping each other successfully.
However, the CAPWAP Discovery process fails, and the AP switches to standalone mode.

I guess there is a possible issues, incorrect trustpoint on the controller — does it need to be reconfigured or reissued?
What mode is recommended for configuring the controller — L2 between the router and the switch or L3?
What additional configurations are required to ensure successful CAPWAP Discovery?

GW Configuration:

interface GigabitEthernet0/1/2
description SW-C350
switchport
switchport trunk native vlan 2
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk

interface Vlan2
description NETWORK-MGMT
ip address 10.1.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly

interface Vlan60
description LWAP
ip address 10.1.60.254 255.255.255.0
ip nat inside
ip virtual-reassembly

ip default-gateway 10.1.100.254

ip dhcp pool VLAN60
network 10.1.60.0 255.255.255.0
default-router 10.1.60.254
dns-server 8.8.8.8 8.8.4.4
lease 30
!

SW Configuration:

interface vlan 2
name NETWORK_MGMT
ip address 10.1.2.2 255.255.255.0

interface GigabitEthernet7
description AP-9130
spanning-tree link-type point-to-point
switchport mode trunk
switchport access vlan none
macro description "switch "
!next command is internal.
macro auto smartport dynamic_type switch
!
interface GigabitEthernet17
description 9800
switchport mode trunk
switchport access vlan none
switchport trunk native vlan 2
!
ip dhcp snooping
ip dhcp snooping information option allowed-untrusted
ip dhcp snooping vlan 2
ip default-gateway 10.1.2.1

9800 Configuration:

vlan 60
name LWAP

interface TwoGigabitEthernet0/0/0
switchport trunk native vlan 60
switchport mode trunk
negotiation auto
!
interface TwoGigabitEthernet0/0/1
negotiation auto
!
interface TwoGigabitEthernet0/0/2
negotiation auto
!
interface TwoGigabitEthernet0/0/3
no switchport
ip address 192.168.1.1 255.255.255.0
negotiation auto
!
interface TenGigabitEthernet0/1/0
description SW-C350
switchport trunk native vlan 2
switchport mode trunk
switchport nonegotiate
negotiation auto
!
interface TenGigabitEthernet0/1/1
no negotiation auto
no snmp trap link-status
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address dhcp
negotiation auto
!
interface Vlan1
no ip address
no ip proxy-arp
shutdown
!
interface Vlan2
ip address 10.1.2.7 255.255.255.0
no ip proxy-arp
!
ip default-gateway 10.1.2.1
ip route 0.0.0.0 0.0.0.0 10.1.2.1
!
!

Haydn Andrews · ‎11-26-2024

Looks like you have defined the native vlan on the WLC but not on the switch port
also recommend defining the native vlan for the AP

Can you ping the WLC from the source interface of the AP VLAN from the router?

can you do a show interfaces trunk on the switch and WLC
and show wireless interface summary on the WLC

Which physical port is connected from the WLC to the switch

You may also need this command:
wireless management interface interface-type interface-number

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

View solution in original post

Rich R · ‎11-26-2024

Which is exactly why I was asking whether they'd tried Config Analyzer @Haydn Andrews - that will highlight obvious mistakes like missing wireless management interface. So far not seen any reply ...

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

View solution in original post

sigcerder · ‎11-24-2024

I also tried another access point, the 9130 model, and the result was the same.

Kasun Bandara · ‎11-24-2024

@sigcerder hi have you tried configuring the DHCP option 43 as mentioned by @Flavio Miranda and @balaji.bandi .

Configure DHCP OPTION 43 for Lightweight Access Points - Cisco

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Flavio Miranda · ‎11-24-2024

@sigcerder

A few considerations. The title says

AP 9130 but you mention after AP 2800.

Second, you have the AP apparently in a different vlan from the WLC management interface. If you add the AP on vlan 2, It would probably find the WLC but as you connected in vlan 60, the AP seems to be failing to find the WLC. You need to setup the WLC's IP address on the AP with capwap command or you need to inform the WLC management IP using DHCP option 43.

I see you have "ip nat inside" on vlan 60. I dont see the whole router config but It could interfere on the communication between AP and WLC.

Last, If the AP is 2800 and WLC 9800, take a look on the version and AP bundle. 2800 is a bit old already.

balaji.bandi · ‎11-24-2024

If the switch is acting as layer two only and the GW router doing all related routing, then you need to enable IP routing and

what is the IP default gateway 10.1.100.254 (where is this IP ?)

you need to fix routing and option 43 for AP to join WLC

https://www.cisco.com/c/en/us/td/docs/wireless/access_point/1552hz/installation/guide/1552hzhig/1552hz_axf.pdf

make sure you also check the compatible matrix

https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Leo Laohoo · ‎11-24-2024

Look at the time and date of the logs from the AP.

Make sure the WLC's time and date is correct.

sigcerder · ‎11-24-2024

I completely forgot to mention that I tried configuring Option 43 on the DHCP server and applied it to the 9130 access point. The log was as follows:

[*11/19/2024 18:05:31.5110] CAPWAP State: Discovery
[*11/19/2024 18:05:31.5141] Discovery Request sent to 10.1.2.7, discovery type STATIC_CONFIG(1)
[*11/19/2024 18:05:31.5243] Discovery Request sent to 10.1.2.7, discovery type STATIC_CONFIG(1)
[*11/19/2024 18:05:31.5282] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*11/19/2024 18:05:31.7907] AP: Got IP address from DHCP, WLC IP: 10.1.2.7

I also accessed the access point directly and manually specified the controller details (for both the 2802 and 9130 models) using the following command:
capwap ap primary-base WLC-9800 10.1.2.7

The controller is running version 17.12.3.

The 9130 AP was manually upgraded. Initially, I used it as an Embedded Wireless Controller (EWC). Unfortunately, I don’t remember the exact firmware version, but it was relatively recent—either 17.9 or 17.11, so it definitely wasn’t an AireOS-based firmware. I can check the exact version later when I return to the location.

Additionally, the address 10.1.100.254 is configured on the router (10.1.2.1), but I believe it should be removed as it is no longer relevant.

As an experiment, I added ip nat inside for VLAN 60. However, this VLAN was not intended to use NAT, and there is no difference in behavior with or without this configuration.

Most of the commands and actions were executed on the 9130 AP, but I later added the 2802 AP to verify that the issue is not with the access point itself.

Let me know if you need further details or clarification!

Flavio Miranda · ‎11-25-2024

@sigcerder

The problem seems to be connectivity.

[*11/19/2024 18:23:34.6082] !!!!! {watchdogd} Unable to reach gateway for 1200 seconds

Add the AP to vlan 2 and Will Join the wlc

sigcerder · ‎11-25-2024

I added my AP to Vlan2, but it doesn't work

show capwap client config

AdminState : ADMIN_ENABLED(1)
Name : AP2
Location : default location
Primary controller name : WLC-9800
Primary controller IP : 10.1.2.7
Secondary controller name :
Tertiary controller name :
ssh status : Disabled
ApMode : Local
ApSubMode : Not Configured
Link-Encryption : Disabled
OfficeExtend AP : Disabled
Discovery Timer : 10
Heartbeat Timer : 30
Syslog server : 255.255.255.255
Syslog Facility : 0
Syslog level : errors
AP join priority : 1
IP Prefer-mode : Unconfigured
CAPWAP UDP-Lite : Unconfigured
AP retransmit count : 5
AP retransmit timer : 3
AP lsc enable : 0
AP Policy Tag : UNKNOWN
AP RF Tag : UNKNOWN
AP Site Tag : UNKNOWN
AP Tag Source : 0
Static IP Failover : True
Static Wired IP : 10.1.2.30
Static Wired Netmask : 255.255.255.0
Static Wired Netmask : 10.1.2.1
AP lsc reboot cnt : 0
AP lsc max num of retry : 1
AP lsc mode : 0x1
AP lsc dtls fallback state : 0
SwVer : 17.6.4.56
spamStatTimer : 30
Led State Enabled : 1
Led Brightness Level : 8
Primed Interval : 0
AP ILP Pre-Standard Switch Support : Disabled
IPv4 TCP MSS Adjust : Disabled
IPv6 TCP MSS Adjust : Disabled
LinkFailure : 0
SpamReboots : 27
ApCrashes : 0
AP VLAN Tag status : Disabled 0
AP Power Injector : Disabled
Indoor Deployment : 0
Slot 0 Config:
Radio Type : RADIO_TYPE_80211bg

[*11/19/2024 18:04:56.6968] CAPWAP State: Discovery
[*11/19/2024 18:04:56.7079] Discovery Request sent to 10.1.2.7, discovery type STATIC_CONFIG(1)
[*11/19/2024 18:04:56.7094] Discovery Request sent to 10.1.2.7, discovery type STATIC_CONFIG(1)
[*11/19/2024 18:04:56.7108] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*11/19/2024 18:05:26.1569]
[*11/19/2024 18:05:26.1569] CAPWAP State: Discovery
[*11/19/2024 18:05:26.1622] Discovery Request sent to 10.1.2.7, discovery type STATIC_CONFIG(1)
[*11/19/2024 18:05:26.1640] Discovery Request sent to 10.1.2.7, discovery type STATIC_CONFIG(1)
[*11/19/2024 18:05:26.1655] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)

Configuration from SW:

interface GigabitEthernet7
spanning-tree link-type point-to-point
switchport mode trunk
switchport access vlan none
switchport trunk native vlan 2
macro description "switch "
!next command is internal.
macro auto smartport dynamic_type switch
!

Leo Laohoo · ‎11-25-2024

@sigcerder wrote:

[*11/19/2024 18:02:06.7895] Discovery Request sent to 10.1.2.7, discovery type STATIC_CONFIG(1)
[*11/19/2024 18:02:06.7913] Discovery Request sent to 10.1.2.7, discovery type STATIC_CONFIG(1)
[*11/19/2024 18:02:06.7928] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)

The AP has sent out Discovery Request but there is no response from 10,1.2.7.

Change the switch port to access (instead of a trunk).

Flavio Miranda · ‎11-26-2024

Your AP does not have connectivity with the WLC

This configuration seems to be not right. Can you change this?

interface GigabitEthernet7
spanning-tree link-type point-to-point
switchport mode trunk
switchport access vlan none
switchport trunk native vlan 2
macro description "switch "
!next command is internal.
macro auto smartport dynamic_type switch
!

default interface GigabitEthernet7

interface GigabitEthernet7

switchport mode access

switchport access vlan 2

Test only with this config.

sigcerder · ‎11-24-2024

The time and date on the controller are set correctly; I checked this first. Unfortunately, it didn't help either.

Leo Laohoo · ‎11-25-2024

Console into the AP and reboot.

Post the entire bootup process.

sigcerder · ‎11-25-2024

Complete AP loading process

MHM Cisco World · ‎11-24-2024

Share below
show ap uptime
show wireless stats ap join summary
show wireless stats ap mac address <mac of AP> join detailed
then run below debug and share output (note run debug one by one)
debug cap client error
debug cap client events

MHM