06-27-2024 07:42 AM
Hi
I have an Access Point (AP) powered via Power over Ethernet (PoE) from a power injector. When the switch reloads for any reason, the AP loses connectivity with the Wireless LAN Controller (WLC) and fails to re-associate, even though it can ping the WLC and resolve the IP address of the WLC using DNS for cisco-capwap-controller.
It shows this log again and again:
Not in Bound state.
*Jun 27 14:36:58.875: %CAPWAP-3-DHCP_RENEW: Could not discover WLC. Either IP address is not assigned or assigned IP is wrong. Renewing DHCP IP.
*Jun 27 14:37:01.947: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 192.168.3.3, mask 255.255.255.0, hostname TBA
The only way to restore normal operation is to disconnect and reconnect the PoE (restart the AP). Only then does it successfully discover the WLC without any issues.
Any ideas?
06-27-2024 08:27 AM
Hi,
what WLC are you running? I guess that all discovery, retry and heartbeat timers just time out and the AP needs to be rebooted.
You can try playing with the retransmit, retry and heartbeat timers.
Regards
06-27-2024 08:52 AM
- It looks like because of the power injector there is a race condition, between controller discovery and acquiring an IP which can only be done, if the switch has full network connectivity. Do you have the possibility of using switch-based-poe?
M.
06-27-2024 03:11 PM
@Moudar wrote:
Could not discover WLC.
What is the IP address of the WLC and what is the DHCP Option 43?
06-28-2024 07:14 AM
What model of AP?
What model of WLC?
What version of software?
Since you are using DHCP why not use option 43 instead of DNS?
Is it possible you have option 43 and DNS configured with different IPs?
06-28-2024 07:55 AM
WLC 5520 version 8.10.190
AP 9120
My setup is a bit unusual.
I have a 9120 AP connected to a Check Point SMB firewall. This firewall has a VPN connection to the central office where the WLC is located.
The setup works, but only if the firewall reboots. After a firewall reboot, the AP can still be reached via SSH, it can ping the WLC, and it can resolve the cisco-capwap DNS. However, it displays the message I mentioned earlier and refuses to associate.
To resolve this, I log in to the AP and run 'capwap ap restart,' after which it associates immediately.
06-28-2024 08:42 AM
We've had problems before with customers trying to put firewalls and IDS/IPS between the APs and WLC and the CAPWAP (UDP 5246 & 5247) can sometimes be incorrectly detected as some sort of DOS attack and then gets rate limited. Make sure you don't have any of that happening on the firewall.
Otherwise I'd say you need to do a simultaneous packet capture on either side of the firewall to work out what is getting dropped/blocked and preventing the AP from joining.
You might also want to upgrade to recommended version 8.10.196.0.
I also suggest using option 43 instead of DNS for WLC discovery.
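The option 43 versus DNS question raised in the replies above, as an added example that is not part of the original thread: a small Python helper that builds and parses the DHCP option 43 value Cisco lightweight APs read (sub-option type `f1`, a length byte, then the controller IPv4 addresses) and reports whether option 43 and the cisco-capwap-controller DNS answer point at different controllers. The function names and the 192.0.2.x addresses are constructed for illustration; the WLC address used in the thread is not known.

```python
import ipaddress

CISCO_WLC_SUBOPTION = 0xF1  # sub-option type Cisco lightweight APs read for controller addresses

def encode_option43(wlc_ips):
    """Build the option 43 hex string: type f1, length 4*N, then N IPv4 addresses."""
    packed = b"".join(ipaddress.IPv4Address(ip).packed for ip in wlc_ips)
    if not packed or len(packed) > 255:
        raise ValueError("need between 1 and 63 controller addresses")
    return (bytes([CISCO_WLC_SUBOPTION, len(packed)]) + packed).hex()

def decode_option43(hex_value):
    """Parse an option 43 hex string back into the controller IPs it carries."""
    # Accept the dotted/colon/space separated forms DHCP server configs often use.
    raw = bytes.fromhex(hex_value.replace(".", "").replace(":", "").replace(" ", ""))
    if len(raw) < 2 or raw[0] != CISCO_WLC_SUBOPTION:
        raise ValueError("not a Cisco f1 controller sub-option")
    length, body = raw[1], raw[2:]
    if length != len(body) or length == 0 or length % 4:
        raise ValueError(f"length byte {length} does not match {len(body)} address bytes")
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]

def discovery_mismatch(option43_hex, dns_ips):
    """Return controller addresses offered by only one of the two discovery methods."""
    from_dhcp = set(decode_option43(option43_hex))
    from_dns = {str(ipaddress.IPv4Address(ip)) for ip in dns_ips}
    return {"only_option43": sorted(from_dhcp - from_dns),
            "only_dns": sorted(from_dns - from_dhcp)}

if __name__ == "__main__":
    # Constructed sample values (documentation address range), not taken from the thread.
    opt = encode_option43(["192.0.2.10"])
    print("option 43 hex:", opt)
    # dns_ips would be the addresses the AP's resolver returns for cisco-capwap-controller.
    print(discovery_mismatch(opt, ["192.0.2.20"]))
```

Both lists empty means the two discovery methods agree; anything else means the AP can learn different controllers depending on which method answers first.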