C9105 AP does not join C9800 WLC

ygi (Level 1)

Hello

We are facing a curious issue that I cannot manage to solve; maybe one of you can spot what I did wrong.

Here is the context: 

  • 2x C9800-L-C in redundancy mode
  • A dozen C9105AXI and C9105AXW
  • WLC located in the datacenter, with the LAN side using LACP and the WMI set on a VLAN interface
  • APs discover the WLC over DNS
  • WLC set up with 2 VRFs (Management and AP exchange; no VRF for the Wireless VLAN to the router) for traffic isolation purposes (guest WiFi only)
  • Basic configuration so far (wizard based)
  • WLC is on version 17.7.1
  • APs are on version 8.10.130.0

The issue we have is weird: all our APs send the Discovery Request and get the Discovery Response, but never move on to the Join step.

The APs can ping the WLC WMI IP.

The WLC can ping the APs from the WMI IP.

Attached is a packet capture screenshot from the WLC point of view, for example.

Here is the log from the AP side:

[01/11/2022 15:29:10.6930] DNS resolved CISCO-CAPWAP-CONTROLLER.local.example.com
[01/11/2022 15:29:10.6930] DNS discover IP addr: 10.0.13.2
[01/11/2022 15:29:10.6980] Discovery Request sent to 10.0.13.2, discovery type DNS(3)
[01/11/2022 15:29:10.7010] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[01/11/2022 15:29:10.7020]
[01/11/2022 15:29:10.7020] CAPWAP State: Discovery
[01/11/2022 15:29:40.2660]
[01/11/2022 15:29:40.2660] CAPWAP State: Discovery
[01/11/2022 15:29:40.2680] IP DNS query for CISCO-CAPWAP-CONTROLLER.local.example.com
[01/11/2022 15:29:40.2710] DNS resolved CISCO-CAPWAP-CONTROLLER.local.example.com
[01/11/2022 15:29:40.2710] DNS discover IP addr: 10.0.13.2
[01/11/2022 15:29:40.2840] Discovery Request sent to 10.0.13.2, discovery type DNS(3)
[01/11/2022 15:29:40.2910] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[01/11/2022 15:30:09.7750]
[01/11/2022 15:30:09.7750] CAPWAP State: Discovery
[01/11/2022 15:30:09.7770] IP DNS query for CISCO-CAPWAP-CONTROLLER.local.example.com
[01/11/2022 15:30:09.7820] DNS resolved CISCO-CAPWAP-CONTROLLER.local.example.com
[01/11/2022 15:30:09.7820] DNS discover IP addr: 10.0.13.2
[01/11/2022 15:30:09.7870] Discovery Request sent to 10.0.13.2, discovery type DNS(3)
[01/11/2022 15:30:09.8300] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[01/11/2022 15:30:39.3480]
[01/11/2022 15:30:39.3480] CAPWAP State: Discovery
[01/11/2022 15:30:39.3500] IP DNS query for CISCO-CAPWAP-CONTROLLER.local.example.com
[01/11/2022 15:30:39.3530] DNS resolved CISCO-CAPWAP-CONTROLLER.local.example.com
[01/11/2022 15:30:39.3530] DNS discover IP addr: 10.0.13.2
[01/11/2022 15:30:39.3690] Discovery Request sent to 10.0.13.2, discovery type DNS(3)
[*01/11/2022 15:30:39.3770] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)

If someone here has an idea of what I did wrong, that would help.

Thanks a lot
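The log above shows the AP repeating Discovery roughly every 30 seconds and never reporting a Join. The Python script below is an added example, not part of the original post or of any Cisco tool: it parses console lines in that format, records CAPWAP state transitions and unicast Discovery Request retries, and flags an AP that is stuck in Discovery. Both sample logs are constructed (STUCK_LOG is modelled on the poster's output); the state names other than "Discovery" and the three-cycle threshold are assumptions.

```python
"""Flag a Cisco AP that keeps cycling in CAPWAP Discovery and never joins.

Added example, not part of the original post. The sample logs are constructed:
STUCK_LOG is modelled on the poster's console output; HEALTHY_LOG and every
state name other than "Discovery" are assumed from typical AP console output.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# AP console lines look like "[MM/DD/YYYY HH:MM:SS.ffff] message"; a leading '*'
# sometimes appears inside the bracket.
LINE_RE = re.compile(r"^\[\*?(?P<ts>[^\]]+)\]\s*(?P<msg>.*)$")
STATE_RE = re.compile(r"CAPWAP State:\s*(?P<state>[\w ]+?)\s*$")
DISC_RE = re.compile(r"Discovery Request sent to (?P<dst>[\d.]+), "
                     r"discovery type (?P<type>\w+)\((?P<code>\d+)\)")
DNS_RE = re.compile(r"DNS discover IP addr:\s*(?P<ip>[\d.]+)")

STUCK_LOG = """\
[01/11/2022 15:29:10.6930] DNS discover IP addr: 10.0.13.2
[01/11/2022 15:29:10.6980] Discovery Request sent to 10.0.13.2, discovery type DNS(3)
[01/11/2022 15:29:10.7010] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[01/11/2022 15:29:10.7020] CAPWAP State: Discovery
[01/11/2022 15:29:40.2660] CAPWAP State: Discovery
[01/11/2022 15:29:40.2710] DNS discover IP addr: 10.0.13.2
[01/11/2022 15:29:40.2840] Discovery Request sent to 10.0.13.2, discovery type DNS(3)
[01/11/2022 15:29:40.2910] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[01/11/2022 15:30:09.7750] CAPWAP State: Discovery
[01/11/2022 15:30:09.7820] DNS discover IP addr: 10.0.13.2
[01/11/2022 15:30:09.7870] Discovery Request sent to 10.0.13.2, discovery type DNS(3)
[01/11/2022 15:30:09.8300] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[01/11/2022 15:30:39.3480] CAPWAP State: Discovery
[01/11/2022 15:30:39.3530] DNS discover IP addr: 10.0.13.2
[01/11/2022 15:30:39.3690] Discovery Request sent to 10.0.13.2, discovery type DNS(3)
[*01/11/2022 15:30:39.3770] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
"""

# Constructed contrast case; the states after Discovery are assumed names.
HEALTHY_LOG = """\
[01/11/2022 16:00:00.0000] DNS discover IP addr: 10.0.13.2
[01/11/2022 16:00:00.0050] Discovery Request sent to 10.0.13.2, discovery type DNS(3)
[01/11/2022 16:00:00.0100] CAPWAP State: Discovery
[01/11/2022 16:00:01.2000] CAPWAP State: DTLS Setup
[01/11/2022 16:00:02.5000] CAPWAP State: Join
[01/11/2022 16:00:03.9000] CAPWAP State: Run
"""


@dataclass
class Summary:
    states: list            # CAPWAP state transitions, in order, runs collapsed
    requests: Counter       # (destination, discovery type) -> number sent
    dns_controllers: set    # controller IPs learned through DNS discovery
    retry_intervals: list   # seconds between unicast requests to the same WLC
    left_discovery: bool    # did the state machine ever advance past Discovery?
    stuck_in_discovery: bool


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%m/%d/%Y %H:%M:%S.%f")


def analyse(log: str, min_cycles: int = 3) -> Summary:
    states, requests, dns = [], Counter(), set()
    unicast_times = {}  # controller IP -> timestamps of unicast Discovery Requests
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if s := STATE_RE.search(msg):
            if not states or states[-1] != s.group("state"):
                states.append(s.group("state"))
        elif d := DISC_RE.search(msg):
            requests[(d.group("dst"), d.group("type"))] += 1
            if d.group("dst") != "255.255.255.255":
                unicast_times.setdefault(d.group("dst"), []).append(_ts(m.group("ts")))
        elif n := DNS_RE.search(msg):
            dns.add(n.group("ip"))
    intervals = [(b - a).total_seconds()
                 for times in unicast_times.values()
                 for a, b in zip(times, times[1:])]
    left = any(st != "Discovery" for st in states)
    cycles = max((len(t) for t in unicast_times.values()), default=0)
    # Stuck = a resolved controller was asked at least min_cycles times and the
    # state never moved on. DNS and IP reachability are then not the problem;
    # look at the controller side (where the WMI lives, AP image compatibility).
    return Summary(states, requests, dns, intervals, left, not left and cycles >= min_cycles)


def report(s: Summary) -> str:
    if not s.stuck_in_discovery:
        return "states: " + " -> ".join(s.states)
    period = sum(s.retry_intervals) / len(s.retry_intervals) if s.retry_intervals else 0.0
    return (f"stuck in Discovery: {sorted(s.dns_controllers)} resolved via DNS, unicast "
            f"Discovery retried every ~{period:.0f}s, no Join ever logged")


if __name__ == "__main__":
    print(report(analyse(STUCK_LOG)))
    print(report(analyse(HEALTHY_LOG)))
```

Run it against a captured AP console log (paste the lines into a string or read a file) to confirm the same pattern: the DNS answer and the unicast retries prove the AP can reach a controller address, so a permanent Discovery loop points at the controller's handling of the WMI (here, the VRF) or at an AP image problem rather than at DNS.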

12 Replies

Hi

From the logs, I saw a lot of discovery but didn't see any CAPWAP request/response. Also, you could perform a test using a VLAN only, without VRF.

The APs and the WLC are in two different locations.

We tried removing the VRF (but still can't rely on Layer 2 discovery) and the result is the same.

There is no firewall in between.

Leo Laohoo (Hall of Fame)

@ygi wrote:

WLC is in version 17.7.1


Is there any operational/critical reason why the WLC is loaded with 17.7.X?

Please check to make sure the APs are not loaded with eWLC firmware.

17.7.1 is just the last one we tested.

It was shipped with a 16.x release, which is incompatible with the 9105, so we updated to 17.6.2 initially, and since that didn't change anything we also tried 17.7.1.

Do you see any issue with that release?

(Once on site today I will check the firmware, but I don't think eWLC works on the 9105.)

Try 17.3.4c.

For whatever reason I can download all versions from 17.4+ but not the 17.3 branch. I've opened a request to Cisco support for that.

marce1000 (Hall of Fame)

 - Can you run an overall sanity check of the 9800 configuration by using (CLI) show tech wireless and having the output analyzed by: https://cway.cisco.com/tools/WirelessAnalyzer/

 M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Here is the result.

Is there a real limitation with VRF on this hardware? I'm not really comfortable with the idea of not isolating guest access in a VRF.

Currently the setup is:

- VRF for management
- VRF for the AP link
- no VRF for the VLAN assigned to the WLAN

Does that make sense to you?

ygi (Level 1)

The problem was coming from the VRF. Thanks Flavio and Marce for leading us here.

Removing the VRF config from the WMI settings solved the issue.

Not sure why it didn't previously when we did other tests.

We will rely on ACLs and VLANs to secure the network.

Hi

If you can spend a bit more money, a very good solution is to use an Anchor WLC. You can put the Anchor WLC in a DMZ; maybe you can use VRF in this scenario if you do not want to use a firewall.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213912-configure-mobility-anchor-on-catalyst-98.html#anc12

Rich R (VIP)

If you go through all the webinars and best practice guides, Cisco does not recommend using SVIs on the 9800, but rather terminating the IP on a router or switch where you're expected to provide whatever security is required (so your separation on the WLC is by VLAN). If you use SVIs then you will need ACLs, as you say, because they're all in the same global default VRF.

As far as I know the only thing which can be in a separate VRF is the management, and even that did not work properly until 17.6.1.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-6/config-guide/b_wl_17_6_cg/m_config-wmi.html

I don't think there are any plans to support VRF for wireless functions though.

I didn't see that part in the guides I've read, and moreover:

  • the CLI does not provide any alert when you configure it
  • the web UI is 100% made to allow VRF for that use

Also, there is another huge limitation (or bug, actually): the WMI interface can only be a loopback, GigabitEthernet, or SVI.

You cannot configure the WMI on a TwoGigabitEthernet, nor on a TenGigabitEthernet, nor on a Port-Channel.

The system refuses it.

So when you are dual-attached between your WLC and your distribution stack, you have really limited options:

  • loopback and routing-table fun
  • SVI