01-15-2023 11:37 PM - edited 01-16-2023 03:05 AM
Hi all,
I was using a Cisco 2500 WLC with version 8.3 and a 1700 AP, and that was OK. After I upgraded the WLC to version 8.5, the AP can't join the WLC.
The AP gets its IP from DHCP, and I manually added the WLC to the AP via the capwap ap controller ip address command. I can ping the WLC from the AP, but it does not join.
Here are the logs from the WLC:
*spamApTask0: Dec 02 13:56:33.485: ap_mac Received LWAPP DISCOVERY REQUEST to wlc_mac on port '1'
*spamApTask0: Dec 02 13:56:33.485: ap_mac Discarding discovery request in LWAPP from AP supporting CAPWAP
*spamApTask5: Dec 02 13:58:43.469: ap_mac Discovery Request from 172.18.7.13:31506
*spamApTask5: Dec 02 13:58:43.469: ap_mac Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 30, MaxLicense=5 joined Aps =0
*spamApTask5: Dec 02 13:58:43.469: ap_mac apType = 71 apModel: AIR-CAP1702I-E-K9
*spamApTask5: Dec 02 13:58:43.470: ap_mac Discovery Response sent to 172.18.7.13 port 31506
*spamApTask5: Dec 02 13:58:43.470: ap_mac Discovery Response sent to 172.18.7.13:31506
*spamApTask5: Dec 02 13:58:43.470: ap_mac Discovery Request from 172.18.7.13:31506
*spamApTask5: Dec 02 13:58:43.470: ap_mac Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 30, MaxLicense=5 joined Aps =0
*spamApTask5: Dec 02 13:58:43.470: ap_mac apType = 71 apModel: AIR-CAP1702I-E-K9
*spamApTask5: Dec 02 13:58:43.470: ap_mac Discovery Response sent to 172.18.7.13 port 31506
*spamApTask5: Dec 02 13:58:43.470: ap_mac Discovery Response sent to 172.18.7.13:31506
*spamApTask0: Dec 02 13:58:43.470: ap_mac Received LWAPP DISCOVERY REQUEST to wlc_mac on port '1'
*spamApTask0: Dec 02 13:58:43.470: ap_mac Discarding discovery request in LWAPP from AP supporting CAPWAP
Here are the logs from the AP:
Jan 16 07:28:29.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 212.156.208.74 peer_port: 5246
Jan 16 07:28:29.000: UDP: sent src=172.18.7.13(31506), dst=xxx_my_public_ipxx(5246), length=103
Jan 16 07:28:30.999: UDP: sent src=172.18.7.13(31506), dst=xxx_my_public_ipxx(5246), length=103
Jan 16 07:28:34.999: UDP: sent src=172.18.7.13(31506), dst=xxx_my_public_ipxx(5246), length=103
Jan 16 07:28:42.999: UDP: sent src=172.18.7.13(31506), dst=xxx_my_public_ipxx(5246), length=103
Jan 16 07:28:58.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmi!
Jan 16 07:29:28.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 212.156.208.74:5246
Jan 16 07:29:28.999: UDP: sent src=172.18.7.13(31506), dst=xxx_my_public_ipxx(5246), length=47
Jan 16 07:29:28.999: UDP: sent src=172.18.7.13(31506), dst=10.0.3.72(5246), length=217
Jan 16 07:29:28.999: UDP: sent src=172.18.7.13(31506), dst=10.0.3.72(5246), length=217
Jan 16 07:29:28.999: UDP: sent src=172.18.7.13(31505), dst=10.0.3.72(12223), length=118
Jan 16 07:29:28.999: UDP: sent src=172.18.7.13(31506), dst=255.255.255.255(5246), length=217
Jan 16 07:29:28.999: UDP: rcvd src=10.0.3.72(5246), dst=172.18.7.13(31506), length=139
Jan 16 07:29:28.999: UDP: rcvd src=10.0.3.72(5246), dst=172.18.7.13(31506), length=139
Jan 16 07:29:38.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
Thanks,
01-15-2023 11:46 PM
- Check if you could be impacted by: https://www.cisco.com/c/en/us/support/docs/wireless/aironet-700-series-access-points/218447-ios-ap-image-download-fails-due-to-expir.html
https://bst.cisco.com/bugsearch/bug/CSCwd80290
M.
01-16-2023 12:05 AM
Actually I don't use 9800 like in this document, is it important?
01-16-2023 01:45 AM
>Actually I don't use 9800 like in this document, is it important?
- The particular issue is also relevant for AireOS-based controllers, and AireOS is mentioned too in these documents.
M.
01-16-2023 12:27 AM
Are you joining the AP from behind a NAT? If so please check firewall policies or NAT/PAT rules.
01-16-2023 02:12 AM
I can ping the WLC from the AP, and ping the AP from the WLC interface. No deny log on the firewall. Before the upgrade the connection was OK and I did not change the network configs.
01-17-2023 03:10 AM
It was because of NAT, on Controller -> Interfaces -> Management -> NAT address configuration.
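The pattern visible in the AP log earlier in the thread (DTLS join requests to one address go unanswered while discovery is answered from another) can be checked mechanically. This is an added example, not part of any post in the thread; the sample lines are constructed in the same log format, with 203.0.113.10 standing in for the NAT (public) address, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the AP debug output in this thread;
# 203.0.113.10 stands in for the NAT (public) address, 10.0.3.72 for the WLC.
SAMPLE = """\
Jan 16 07:28:29.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 203.0.113.10 peer_port: 5246
Jan 16 07:28:29.000: UDP: sent src=172.18.7.13(31506), dst=203.0.113.10(5246), length=103
Jan 16 07:28:30.999: UDP: sent src=172.18.7.13(31506), dst=203.0.113.10(5246), length=103
Jan 16 07:28:34.999: UDP: sent src=172.18.7.13(31506), dst=203.0.113.10(5246), length=103
Jan 16 07:29:28.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 203.0.113.10:5246
Jan 16 07:29:28.999: UDP: sent src=172.18.7.13(31506), dst=10.0.3.72(5246), length=217
Jan 16 07:29:28.999: UDP: rcvd src=10.0.3.72(5246), dst=172.18.7.13(31506), length=139
"""

UDP = re.compile(r"UDP: (sent|rcvd) src=([\d.]+)\((\d+)\), dst=([\d.]+)\((\d+)\)")
DTLS_REQ = re.compile(r"DTLSREQSEND: .*peer_ip: ([\d.]+)")
CAPWAP_CTRL = "5246"  # CAPWAP control port, as seen in the logs

def analyze(log_text):
    """Return per-peer counters for CAPWAP control traffic seen by the AP."""
    peers = defaultdict(lambda: {"sent": 0, "rcvd": 0, "dtls_req": 0})
    for line in log_text.splitlines():
        m = UDP.search(line)
        if m:
            direction, src, sport, dst, dport = m.groups()
            if direction == "sent" and dport == CAPWAP_CTRL:
                peers[dst]["sent"] += 1
            elif direction == "rcvd" and sport == CAPWAP_CTRL:
                peers[src]["rcvd"] += 1
            continue
        m = DTLS_REQ.search(line)
        if m:
            peers[m.group(1)]["dtls_req"] += 1
    return dict(peers)

def nat_mismatch(peers):
    """DTLS targets that never replied while a different peer did reply."""
    answered = {ip for ip, c in peers.items() if c["rcvd"]}
    silent = sorted(ip for ip, c in peers.items()
                    if c["dtls_req"] and not c["rcvd"])
    return silent if answered else []

if __name__ == "__main__":
    stats = analyze(SAMPLE)
    responders = [p for p, c in stats.items() if c["rcvd"]]
    for ip in nat_mismatch(stats):
        print(f"{ip}: DTLS join sent {stats[ip]['sent']}x, no reply; "
              f"discovery answered by {responders}")
```

A non-empty result means the AP is being directed to a join address it cannot reach on UDP 5246, which points at the controller's advertised address or the NAT/PAT rule rather than at basic reachability.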
01-16-2023 02:14 AM - edited 01-16-2023 02:15 AM
What is the full version, 8.5.X? Only one AP? How about a factory reset and check?
A couple of things to check:
1. show license summary (check if the licenses are OK)
2. some troubleshoot tips :
Post complete boot AP.
Other note - check matrix :
https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html
01-16-2023 02:24 AM - edited 01-16-2023 02:25 AM
I did a factory reset on the AP, still the same. I am testing, so there is only one AP on the WLC.
WLC licenses:
(Cisco Controller) >show license summary
License Store: Primary License Storage
StoreIndex: 0 Feature: base Version: 1.0
License Type: Permanent
License State: Active, Not in Use
License Count: Non-Counted
License Priority: Medium
License Store: Primary License Storage
StoreIndex: 0 Feature: base-ap-count Version: 1.0
License Type: Permanent
License State: Active, In Use
License Count: 5 / 5 (Active/In-use)
License Priority: Medium
License Store: Evaluation License Storage
StoreIndex: 1 Feature: base-ap-count Version: 1.0
License Type: Evaluation
License State: Inactive
Evaluation total period: 12 weeks 6 days
Evaluation period left: 12 weeks 4 days
License Count: 75 / 0 (Active/In-use)
License Priority: Low
BTW, I see the peer IP is my public IP in the AP logs, is that OK?
%CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip
Then it tries the WLC again and again.
%DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to public_ip:5246
01-16-2023 03:05 AM
Are you sure you are testing only 1 AP?
See below:
License Count: 5 / 5 (Active/In-use)
01-16-2023 03:07 AM
Yes, no AP on the WLC right now.