Showing results for 
Search instead for 
Did you mean: 

Cisco 9800LC not receiving join requests from APs


I had to recover a WLC after the password was lost. After successfully doing so using ROMMON, I somehow changed up something in the configuration during the webui configuration wizard to the point where the APs are no longer able to reach the WLC. I know I messed up on the networking somewhere, but can't seem to pinpoint it. Any help would be greatly appreciated. Thanks!


The APs are plugged into a switch with the config:

interface GigabitEthernet0/4
description Cisco WAP switchport trunk allowed vlan 300-309 switchport trunk native vlan 301 switchport mode trunk

The WLC is plugged into the switch with config:

interface GigabitEthernet0/3
 description Cisco 9800 WLC
 switchport mode trunk

And the config for the WLC:

Building configuration...

Current configuration : bytes
! Last configuration change at 
version 16.12
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
vrf definition Mgmt-intf
 address-family ipv4
 address-family ipv6
no logging console
enable secret 
no aaa new-model
clock timezone Central 0 0
vtp mode off
 ! If contact email address in call-home is configured as
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
profile "CiscoTAC-1"
  destination transport-method http
  no destination transport-method email
no ip igmp snooping vlan 309
login on-success log
subscriber templating
parameter-map type webauth global
 virtual-ip ipv4
parameter-map type webauth day0_web_auth_
 type webauth
no device-tracking logging theft
access-session mac-move deny
multilink bundle-name authenticated
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
crypto pki trustpoint TP-self-signed-4
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-
 revocation-check none
 rsakeypair TP-self-signed-
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
crypto pki certificate chain TP-self-signed-
 certificate self-signed 01
license udi pid C9800-L-C-K9 
memory free low-watermark processor 
service-template webauth-global-inactive
 inactivity-timer 3600
 linksec policy must-secure
 linksec policy should-secure
 voice vlan
diagnostic bootup level minimal
username admin privilege 15 password 
 mode sso
vlan configuration 309
vlan internal allocation policy ascending
vlan 300
 name 300
vlan 301
 name 301
vlan 309
 name 309
class-map match-any AVC-Reanchor-Class
 match protocol cisco-jabber-audio
 match protocol cisco-jabber-video
 match protocol webex-media
 match protocol webex-app-sharing
 match protocol webex-control
 match protocol webex-meeting
 match protocol wifi-calling
interface TwoGigabitEthernet0/0/0
 switchport trunk native vlan 301
 switchport mode trunk
 negotiation auto
interface TwoGigabitEthernet0/0/1
 negotiation auto
interface TwoGigabitEthernet0/0/2
 negotiation auto
! interface TwoGigabitEthernet0/0/3 negotiation auto ! interface TenGigabitEthernet0/1/0 negotiation auto ! interface TenGigabitEthernet0/1/1 negotiation auto ! interface GigabitEthernet0 vrf forwarding Mgmt-intf ip address negotiation auto ! interface Vlan1 ip address no mop enabled ! interface Vlan301 ip address ! ip forward-protocol nd ! ip http server ip http authentication local ip http secure-server ip route control-plane ! line con 0 stopbits 1 line aux 0 stopbits 1 line vty 0 4 password login length 0 line vty 5 15 password login length 0 ! ntp server wireless aaa policy default-aaa-policy wireless cts-sxp profile default-sxp-profile wireless management interface Vlan301 wireless profile airtime-fairness default-atf-policy 0 wireless profile flex default-flex-profile description "default flex profile" wireless profile mesh default-mesh-profile description "default mesh profile" wireless profile policy Vlan309 vlan 309 no shutdown wireless profile policy default-policy-profile autoqos mode voice description "default policy profile" service-policy input platinum-up service-policy output platinum vlan 300 no shutdown wireless tag site default-site-tag description "default site tag" wireless tag policy default-policy-tag description "default policy-tag" wlan NAME policy default-policy-profile wlan NAME-guest policy Vlan309 wireless tag rf default-rf-tag description "default RF tag" wireless fabric control-plane default-control-plane


1 Accepted Solution

Accepted Solutions


Remove the Native VLAN configuration from both WLC and the upstream switch.


View solution in original post

6 Replies 6


Verify trustpoint by issuing the command

c980#show wireless management trustpoint


If not there reassign the MIC by using the following commands:

c9800(config)#no wireless management trustpoint

c9800(config)#wireless management trustpoint CISCO_IDEVID_SUDI 


Note: This command needs to be run at the exec prompt (not in config mode).


●      Validate the wireless configuration using the following exec command:

c9800#wireless config validate




/** Please rate all useful responses **/


It looks like that trustpoint is the default. 

Trustpoint Name  : CISCO_IDEVID_SUDI
Certificate Info : Available
Certificate Type : MIC
Private key Info : Available
FIPS suitability : Not Applicable

Trying to reassign results in 

% switch-1:dbm:wireless:Default Cisco SUDI trustpoint name is not allowed


Remove the Native VLAN configuration from both WLC and the upstream switch.


Thank you so much! This did the trick. Can you please explain to this beginner why that was the issue? 



 - Have a sanity check of the controller configuration, for that use (CLI) show tech wireless , have  the output processed by :


-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: