05-17-2019 09:48 AM - edited 07-05-2021 10:25 AM
Have a customer with all APs already associated to their main vWLC running 8.3. Created a new vWLC to act as their secondary controller. Statically assigned WLCs in HA tab for all APs. None of the APs will join the controller. APs are 3602i, 3702i, and 3802i. Same code on both vWLCs.
I see the following logs on the WLC:
*spamApTask7: May 16 18:11:37.611: %CAPWAP-3-DECODE_ERR: capwap_ac_sm.c:2732 Error decoding discovery request from AP 00:00:00:00:00:00
*spamApTask7: May 16 18:11:37.611: %CAPWAP-3-INVALID_PAYLOAD3: capwap_ac_decode.c:629 The system detects an invalid vendor type 12846 in WTP descriptor message element
On the AP Join status page the APs keep raising the discovery counter, but never transition to the join phase.
Capwap debugs don't show any errors, just keep repeating the discovery phase. Packet captures show the same.
05-17-2019 12:02 PM
Check the below things on the controller.
* Time and date (NTP configuration)
* Appropriate Country Code is enabled on the WLC.
* Licensing on the Controller.
If all are fine but the AP still didn’t join, enable . Please connect to the console of one AP and share the error logs from it while it tries to join the secondary WLC.
05-17-2019 01:29 PM
First 3 things I checked. Times are up to date, new licenses and eval licenses won't work, and country code matches both WLCs.
All the APs are currently joined to 1 controller, but when I try to fail them over to the new controller that is configured exactly the same, they don't join.
05-17-2019 11:56 PM
How is your second vWLC set up? Is it the same version?
A couple of things to check: is the AP able to reach the secondary controller IP address?
Is DHCP Option 43 set up for the secondary controller?
05-19-2019 06:49 AM
@Austin Godbey wrote: First 3 things I checked. Times are up to date, new licenses and eval licenses won't work, and country code matches both WLCs.
When you say new licenses and eval licenses won't work, does the vWLC show how many APs it can support?
You can confirm by doing a "show license all" in the CLI
05-20-2019 08:29 AM
(Cisco Controller) >show license all
Feature name: ap_count
License type: Evaluation
License Eula: Accepted
Evaluation total period: 12 weeks 6 days
Evaluation period left: 89 days
License state: Inactive, Not-In-Use
License Nodelocked: Yes
RTU License Count: 200
Feature name: ap_count (adder)
License type: Permanent
License state: Active, Not-In-Use
License Nodelocked: No
RTU License Count: 93
==================================
Total available count : 93
Total inuse count : 0
05-20-2019 12:37 PM
05-20-2019 12:38 PM
05-20-2019 02:16 PM
05-20-2019 02:49 PM
05-20-2019 07:08 PM
Hi mate,
It seems that on the primary WLC you are running a Local Significant Cert.
You may not have configured it on the other WLC.
Basically the AP is not joining since it is not trusting the 2nd WLC.
Can you run this command on both WLCs: "show certificate lsc summary"
Cheers,
Raffy
05-21-2019 07:59 AM
PRIMARY CONTROLLER
(Cisco Controller) >show certificate lsc summary
LSC Enabled...................................... No
LSC CA-Server.................................... None
LSC AP-Provisioning.............................. No
LSC Params:
Country......................................
State........................................
City.........................................
Orgn.........................................
Dept.........................................
Email........................................
KeySize...................................... 2048
LSC Certs:
CA Cert...................................... Not Configured
RA Cert...................................... Not Configured
DEV Cert..................................... Not Configured
SECONDARY CONTROLLER
(Cisco Controller) >show certificate lsc sum
LSC Enabled...................................... No
LSC CA-Server.................................... None
LSC AP-Provisioning.............................. No
LSC Params:
Country......................................
State........................................
City.........................................
Orgn.........................................
Dept.........................................
Email........................................
KeySize...................................... 2048
LSC Certs:
CA Cert...................................... Not Configured
RA Cert...................................... Not Configured
DEV Cert..................................... Not Configured
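A way to compare the two "show certificate lsc summary" outputs above mechanically rather than by eye, as an added example that is not part of the original thread. The function names parse_lsc_summary and diff_settings are hypothetical, and the sample text is the output as pasted in this post.

```python
import re

# "show certificate lsc summary" output as pasted in the thread (indentation
# was already lost there); both controllers returned this same text.
PAGE_OUTPUT = """\
LSC Enabled...................................... No
LSC CA-Server.................................... None
LSC AP-Provisioning.............................. No
LSC Params:
Country......................................
State........................................
City.........................................
Orgn.........................................
Dept.........................................
Email........................................
KeySize...................................... 2048
LSC Certs:
CA Cert...................................... Not Configured
RA Cert...................................... Not Configured
DEV Cert..................................... Not Configured
"""

FIELD = re.compile(r"^(?P<key>.+?)\.{3,}\s*(?P<val>.*)$")

def parse_lsc_summary(text):
    """Return {setting: value}; keys under a 'Name:' header become 'Name/key'."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELD.match(line)
        if m:
            key = m["key"].strip()
            settings[f"{section}/{key}" if section else key] = m["val"].strip()
        elif line.endswith(":"):
            section = line[:-1]          # e.g. "LSC Params", "LSC Certs"
        # anything else (CLI prompt, blank line) is ignored
    return settings

def diff_settings(primary, secondary):
    """Settings whose values differ, as {key: (primary, secondary)}."""
    keys = sorted(primary.keys() | secondary.keys())
    return {k: (primary.get(k), secondary.get(k))
            for k in keys if primary.get(k) != secondary.get(k)}

if __name__ == "__main__":
    primary = parse_lsc_summary(PAGE_OUTPUT)
    secondary = parse_lsc_summary(PAGE_OUTPUT)
    print(diff_settings(primary, secondary) or "LSC settings match")
```

An empty result means the LSC settings are identical on both controllers, which is the case for the two outputs posted here.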
05-21-2019 11:14 AM
Issue these commands on Secondary WLC and check the status.
(Cisco Controller) >config ap cert-expiry-ignore mic enable
(Cisco Controller) >config ap cert-expiry-ignore ssc enable
05-21-2019 12:39 PM
Made this change and it did not do anything. AP still won't join.
05-21-2019 12:56 PM
Please run the below debug commands and share the output.
(Cisco Controller) >debug capwap events enable
(Cisco Controller) >debug pm pki enable
(Cisco Controller) >debug capwap packet enable
(Cisco Controller) >debug mac addr <ap-mac-address>