Solved: AP not joining the WLC controller

Fatim Zahra Berrada Lamine · ‎06-16-2016

Hello,

I have 4 AIR-CAP1702I-E-K9 Access point which join the controller for some time (2 hours), then disassociate from the controller randomly.

Please see attached the controller configuration.

This logs keeps appearing on the AP when it is no more associated to the controller

*Jun 16 07:36:01.175: %AAA-3-BADSERVERTYPEERROR: Cannot process authentication server type radius (UNKNOWN)
*Jun 16 07:36:01.175: %DOT11-7-AUTH_FAILED: Station e4b3.1820.d1f9 Authentication failed
*Jun 16 07:36:11.967: %DOT11-7-AUTH_FAILED: Station e4b3.1820.d1f9 Authentication failed
*Jun 16 07:36:12.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.26.0.46:5246
*Jun 16 07:36:12.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Jun 16 07:36:13.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.26.0.46 peer_port: 5246
*Jun 16 07:36:42.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0xCEAD6C4!

Do you have any idea about this issue ?

Thank you all for your help!

Leo Laohoo · ‎06-17-2016

Another thing ... Upgrade the firmware of the controller. 8.0.121.0 has been pulled by Cisco due to stability reasons.

View solution in original post

Leo Laohoo · ‎06-16-2016

Multiple Countries:AE,BH,CM,DZ,EG,FR,GH,KW,LB,MA,NG,OM,QA,SA,TN,TR,ZA

I think this is the cause. Too many coflicting Regulatory Domains.

Fatim Zahra Berrada Lamine · ‎06-16-2016

Those are not conflicting. They are country codes. I do not see the relation between country codes and DTLS ?

Leo Laohoo · ‎06-16-2016

Those are not conflicting.

Said who? Country codes enabled are mixed ME and European.

If the AP is "-E" then try to enable only European countries and see if the APs join.

Another thing, software running on the 8540 is 8.0.121.0. Cisco has pulled this version due to stability issues.

Fatim Zahra Berrada Lamine · ‎06-16-2016

Does this change something if the country code selected on on of those AP is FR for france (the AP is in France as well). Even with that configured, the AP will suffer a country code conflict ?

Leo Laohoo · ‎06-16-2016

This ain't going to work. Whoever is giving these "recommendation" to enable multiple Regulatory Domain needs to stop. This is because the APs come with SPECIFIC Regulatory Domain codes hard-coded in them.

In 2015, Cisco released the 1700/2700/3700 with new "Universal Regulatory Domain" of "-UX". This means the controller can have multiple & conflicting Regulatory Domain enabled and the AP will know which codes to use.

Read this: Cisco Aironet Universal AP Priming and Cisco AirProvision User Guide

Fatim Zahra Berrada Lamine · ‎06-17-2016

I read the guide, and understand that besides the AP "-UX", the others can have conflicting issue regarding the regulatory domain codes.

I am checking this, trying to see if we can modify it.

However I just want to make sure you have all the information about the situation. The APs having the issue are 4 over 480 ones not having the issue. They join the controller and then disjoin, it is unstable.

On the concerned location, we have 5 APs, 1 is stable, and 4 unstable. When they disconnect from the controller, I have to force the configuration using.

============================

debug capwap console cli

capwap ap controller ip address X.X.X.X

reload

============================

Please see attached the difference I could notice between the AP which is stable and the 4 AP unstable.

> The model, the stable AP is an AIR-CAP1602I-E-K9

> The PoE Status, the stable AP is using a power injector while the others are using PoE

> The Sw version loaded, the stable AP have the primary and backup Sw version, while the others have only the primary

Leo Laohoo · ‎06-17-2016

Hmmmm ...

When one of the APs kick itself from the controller, remote into it. Do a "sh log" and see if you see any of the two (or both) log entries:

*Aug 16 03:56:05.075: bsnInitRcbSlot: slot 0 has venus radio(UNSUPPORT)
*Aug 16 03:56:05.075: bsnInitRcbSlot: slot 1 has venus radio(UNSUPPORT)

If any one of the two lines are present, then look into the flash of the AP for one or two files: event.r0 &/or event.r1. Open up the file(s) and see if you see the following messages:

Radio stopped due to external code download failed                                      
Number of supported simultaneous BSSID on Dot11Radio0: 16
Carrier Set:  () (-A)

Fatim Zahra Berrada Lamine · ‎06-17-2016

None of this shows on the AP when it kicks itself from the controller. Please see attached

Fatim Zahra Berrada Lamine · ‎06-17-2016

An other information, when the APs join again the wlc, they have the PoE status "Power injector/normal mode" before switch by itself to "PoE/Full Power".

Leo Laohoo · ‎06-17-2016

Another thing ... Upgrade the firmware of the controller. 8.0.121.0 has been pulled by Cisco due to stability reasons.

Fatim Zahra Berrada Lamine · ‎06-30-2016

Hello Leo

The issue was resolved after changing the PoE switch configuration, and adding its mac address to the field AP injector, override checked on the WLC.

Thank you for your help on this

Leo Laohoo · ‎06-16-2016

Product Version.................................. 8.0.121.0

Ok, there's another culprit. This time it's a bug with this particular software.

Remote into the AP. (Even if Telnet/SSH is not enabled and the APs are not joined to the controller, enable it.)

Post the complete output to the command "sh ip interface brief".

Fatim Zahra Berrada Lamine · ‎06-16-2016

FR229-AP005#show ip int brief
Interface IP-Address OK? Method Status Protocol
BVI1 172.26.210.14 YES DHCP up up
BVI2 unassigned YES unset up up
BVI3 unassigned YES unset up up
Dot11Radio0 unassigned NO unset up up
Dot11Radio0.1 unassigned YES unset up up
Dot11Radio0.18 unassigned YES unset up up
Dot11Radio0.19 unassigned YES unset up up
Dot11Radio1 unassigned NO unset up up
Dot11Radio1.1 unassigned YES unset up up
Dot11Radio1.18 unassigned YES unset up up
Dot11Radio1.19 unassigned YES unset up up
GigabitEthernet0 unassigned NO unset up up
GigabitEthernet1 unassigned NO unset administratively down down
Virtual-WLAN0 unassigned NO unset up up
Virtual-WLAN0.1 unassigned NO unset up up
Virtual-WLAN0.2 unassigned NO unset up up
Virtual-WLAN0.3 unassigned NO unset up up
Virtual-WLAN0.4 unassigned NO unset up up
Virtual-WLAN0.5 unassigned NO unset up up
Virtual-WLAN0.6 unassigned NO unset up up
Virtual-WLAN0.7 unassigned NO unset up up
Virtual-WLAN0.8 unassigned NO unset up up
Virtual-WLAN0.9 unassigned NO unset up up
Virtual-WLAN0.10 unassigned NO unset up up
Virtual-WLAN0.11 unassigned NO unset up up
Virtual-WLAN0.12 unassigned NO unset up up
Virtual-WLAN0.13 unassigned NO unset up up
Virtual-WLAN0.14 unassigned NO unset up up
Virtual-WLAN0.15 unassigned NO unset up up
Virtual-WLAN0.16 unassigned NO unset up up

Leo Laohoo · ‎06-16-2016

Looks clean. Radios are not "reset". So I'm still suspecting the conflicting Regulatory Domain.