Cisco 9800LC not receiving join requests from APs

Apao
Beginner

I had to recover a WLC after the password was lost. After successfully doing so using ROMMON, I somehow changed up something in the configuration during the webui configuration wizard to the point where the APs are no longer able to reach the WLC. I know I messed up on the networking somewhere, but can't seem to pinpoint it. Any help would be greatly appreciated. Thanks!

 

The APs are plugged into a switch with the config:

interface GigabitEthernet0/4
 description Cisco WAP
 switchport trunk allowed vlan 300-309
 switchport trunk native vlan 301
 switchport mode trunk

The WLC is plugged into the switch with config:

interface GigabitEthernet0/3
 description Cisco 9800 WLC
 switchport mode trunk

And the config for the WLC:

Building configuration...

Current configuration : bytes
!
! Last configuration change at 
!
version 16.12
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
hostname 
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
no logging console
enable secret 
!
no aaa new-model
clock timezone Central 0 0
vtp mode off
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
  active
  destination transport-method http
  no destination transport-method email
!
no ip igmp snooping vlan 309
login on-success log
!
subscriber templating
!
parameter-map type webauth global
 virtual-ip ipv4 192.0.2.1
!
parameter-map type webauth day0_web_auth_
 type webauth
!
no device-tracking logging theft
access-session mac-move deny
multilink bundle-name authenticated
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
crypto pki trustpoint TP-self-signed-4
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-
 revocation-check none
 rsakeypair TP-self-signed-
!
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
crypto pki certificate chain TP-self-signed-
 certificate self-signed 01
license udi pid C9800-L-C-K9 
memory free low-watermark processor 
!
service-template webauth-global-inactive
 inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
 linksec policy must-secure
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 linksec policy should-secure
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
service-template DEFAULT_CRITICAL_DATA_TEMPLATE
diagnostic bootup level minimal
!
username admin privilege 15 password 
!
redundancy
 mode sso
!
vlan configuration 309
vlan internal allocation policy ascending
!
vlan 300
 name 300
!
vlan 301
 name 301
!
vlan 309
 name 309
class-map match-any AVC-Reanchor-Class
 match protocol cisco-jabber-audio
 match protocol cisco-jabber-video
 match protocol webex-media
 match protocol webex-app-sharing
 match protocol webex-control
 match protocol webex-meeting
 match protocol wifi-calling
!
interface TwoGigabitEthernet0/0/0
 switchport trunk native vlan 301
 switchport mode trunk
 negotiation auto
!
interface TwoGigabitEthernet0/0/1
 negotiation auto
!
interface TwoGigabitEthernet0/0/2
 negotiation auto
!
interface TwoGigabitEthernet0/0/3
 negotiation auto
!
interface TenGigabitEthernet0/1/0
 negotiation auto
!
interface TenGigabitEthernet0/1/1
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 172.30.0.4 255.255.255.0
 negotiation auto
!
interface Vlan1
 ip address 172.30.0.5 255.255.255.0
 no mop enabled
!
interface Vlan301
 ip address 172.30.1.10 255.255.255.0
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.30.1.1
control-plane
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password 
 login
 length 0
line vty 5 15
 password 
 login
 length 0
!
ntp server 129.250.35.251
wireless aaa policy default-aaa-policy
wireless cts-sxp profile default-sxp-profile
wireless management interface Vlan301
wireless profile airtime-fairness default-atf-policy 0
wireless profile flex default-flex-profile
 description "default flex profile"
wireless profile mesh default-mesh-profile
 description "default mesh profile"
wireless profile policy Vlan309
 vlan 309
 no shutdown
wireless profile policy default-policy-profile
 autoqos mode voice
 description "default policy profile"
 service-policy input platinum-up
 service-policy output platinum
 vlan 300
 no shutdown
wireless tag site default-site-tag
 description "default site tag"
wireless tag policy default-policy-tag
 description "default policy-tag"
 wlan NAME policy default-policy-profile
 wlan NAME-guest policy Vlan309
wireless tag rf default-rf-tag
 description "default RF tag"
wireless fabric control-plane default-control-plane

 

6 Replies

jagan.chowdam
Enthusiast

Verify trustpoint by issuing the command

c980#show wireless management trustpoint

 

If not there reassign the MIC by using the following commands:

c9800(config)#no wireless management trustpoint

c9800(config)#wireless management trustpoint CISCO_IDEVID_SUDI 

 

Note: This command needs to be run at the exec prompt (not in config mode).

 

Validate the wireless configuration using the following exec command:

c9800#wireless config validate

 

CJ

 

/** Please rate all useful responses **/

 

It looks like that trustpoint is the default. 

Trustpoint Name  : CISCO_IDEVID_SUDI
Certificate Info : Available
Certificate Type : MIC
Private key Info : Available
FIPS suitability : Not Applicable

Trying to reassign results in 

% switch-1:dbm:wireless:Default Cisco SUDI trustpoint name is not allowed

Hi, 

Remove the Native VLAN configuration from both WLC and the upstream switch.

 
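As an added example (not from anyone in this thread), a small Python check that parses the two trunk configurations quoted above, reads the WLC's wireless management VLAN, and reports the disagreement between the WLC uplink (native VLAN 301) and switch port Gi0/3 (no native VLAN configured, so Cisco's default of VLAN 1): the management traffic the WLC sends untagged lands in VLAN 1 on the switch, so CAPWAP join requests on VLAN 301 never reach it. The interface names and snippets are taken from the thread; the audit function and its output format are this example's own.

```python
import re

# Constructed from the configs quoted in the thread (switch Gi0/3 and WLC Tw0/0/0).
SWITCH_CFG = """\
interface GigabitEthernet0/3
 description Cisco 9800 WLC
 switchport mode trunk
!
"""
WLC_CFG = """\
interface TwoGigabitEthernet0/0/0
 switchport trunk native vlan 301
 switchport mode trunk
 negotiation auto
!
wireless management interface Vlan301
"""

def parse_interfaces(cfg):
    """Map interface name -> {'trunk': bool, 'native': int}. A trunk with no
    'switchport trunk native vlan' line uses Cisco's default native VLAN 1."""
    ifaces, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if raw[:1] != " " and line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = {"trunk": False, "native": 1}
        elif line == "!":
            cur = None
        elif cur and line == "switchport mode trunk":
            ifaces[cur]["trunk"] = True
        elif cur and (m := re.match(r"switchport trunk native vlan (\d+)$", line)):
            ifaces[cur]["native"] = int(m.group(1))
    return ifaces

def mgmt_vlan(wlc_cfg):
    """VLAN of the 'wireless management interface VlanN' line, or None."""
    m = re.search(r"^wireless management interface Vlan(\d+)$", wlc_cfg, re.M)
    return int(m.group(1)) if m else None

def check_link(a, b, mgmt):
    """Findings for one trunk link; an empty list means both ends agree."""
    out = []
    if not (a["trunk"] and b["trunk"]):
        out.append("both ends must be trunks")
    if a["native"] != b["native"]:
        out.append(f"native VLAN mismatch {a['native']} vs {b['native']}")
        if mgmt in (a["native"], b["native"]):
            out.append(f"management VLAN {mgmt} leaves one end untagged and is placed in the other end's native VLAN")
    return out

def audit(switch_cfg, switch_if, wlc_cfg, wlc_if):
    return check_link(parse_interfaces(switch_cfg)[switch_if],
                      parse_interfaces(wlc_cfg)[wlc_if], mgmt_vlan(wlc_cfg))

if __name__ == "__main__":
    for f in audit(SWITCH_CFG, "GigabitEthernet0/3", WLC_CFG, "TwoGigabitEthernet0/0/0"):
        print("FINDING:", f)
```

Removing the `switchport trunk native vlan 301` line from the WLC side (as the accepted answer suggests) makes the audit return no findings, since VLAN 301 is then tagged on both ends.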

Thank you so much! This did the trick. Can you please explain to this beginner why that was the issue? 

marce1000
VIP

 

- Have a sanity check of the controller configuration; for that, use (CLI) show tech wireless and have the output processed by: https://cway.cisco.com/tools/WirelessAnalyzer/

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !