02-11-2021 07:36 AM - edited 07-05-2021 01:13 PM
Hello all,
I have set up a C9800-CL controller for a lab environment but am having problems joining a 2702i access point to it. This AP was previously joined to a 5508 WLC running an 8.5 image. I have researched this issue and come across numerous posts from various sites, but nothing seems to be working. Here is what I've attempted so far:
1. Added/removed NTP from 9800 via CLI
2. Tried the following from this site: https://networkphil.com/2019/08/06/troubleshooting-dtls-handshake-error-joining-cisco-2702i-access-point-to-9800-wireless-controller/
3. Ran 'debugging capwap console cli' and then ran command: 'erase /all nvram:' and reloaded the AP without saving
None of these have worked and I'm not quite sure what else to try. Does anyone have any solution or answer as to what to try next?
Thanks!
Terence
02-11-2021 07:53 AM
- Check the controller logs for more info; also make sure all involved parts are compatible:
https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html
M.
02-11-2021 08:10 AM
I'm running Gibraltar 16.12.4a and according to the matrix, the 2700 series is supported. I'm not seeing anything else that would prevent the AP from joining the controller. Any other ideas?
02-11-2021 08:28 AM
Also, the controller's wireless management interface is in the same VLAN as the AP but the controller cannot ping the AP. Is this expected behavior because I wouldn't think it is? However, I can ping the AP from a PC in another VLAN that has to traverse a firewall to reach it. I also checked the port our VM cluster connects to and confirmed that it's trunked and the VLAN in question is allowed across. All networking pieces are in order so I think it's strange that the controller in the same VLAN as the AP can't ping it but a PC in a different VLAN can.
02-11-2021 08:31 AM
- Strange, but as stated, can any activity from the AP be seen in the controller logs when it joins?
M.
02-11-2021 08:34 AM
No, I don't see any logs from the controller that indicate any communication between it and the AP.
02-11-2021 09:43 AM
- So for some reason the AP cannot communicate with the controller.
M.
02-11-2021 09:48 AM
That is correct. Since this is a new setup in a lab environment, I have decided to reset the controller to day 0 and start fresh again. I am going to see if that works.
02-11-2021 12:45 PM
So the only way I was able to get the AP to join the 9800 controller was to change Gi2 from a layer 2 interface to a layer 3 interface, delete the SVI used for wireless management, and remove the VLAN. Then, I configured the IP used on the SVI on the Gi2 layer 3 interface and I was able to ping and the AP joined immediately. Apparently, the OVF template used during the deployment phase sets some options based on some assumption. I don't know why it works this way but it is a bit concerning.
02-13-2021 04:46 AM
You don't mention what hypervisor or version you're using, but I'm assuming VMware ESX by your mention of the OVF template.
Have you checked it's a supported version you're using?
Have you followed the installation guide meticulously through *every* step? https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/9800-cloud/installation/b-c9800-cl-install-guide/installing_the_controller.html
For example, the following, without which tagged (i.e. VLAN) traffic will not work:
In the Promiscuous Mode, perform the following tasks:
The Promiscuous Mode is set to Reject by default.
Note: Promiscuous mode is a security policy which can be defined at the virtual switch or port-group level in vSphere ESXi. Tagged traffic will not flow properly without this mode.
Check the check box.
From the drop-down list, select Accept to view the traffic sent and received through this switch
This is also mentioned in the troubleshooting section along with some other tips on Network Connectivity Issues.
02-16-2021 11:54 AM
I did overlook this step so I decided to factory reset the appliance, configure a trunked port on VMware following the steps you referenced, and also with the help of this page (https://www.wifireference.com/2019/08/24/cisco-catalyst-9800-cl-deployment-guide/), I was able to confirm that my AP can also join the controller.
Thanks for your help!