Solved: Cisco 9800LC not receiving join requests from APs

Apao · ‎02-02-2022

I had to recover a WLC after the password was lost. After successfully doing so using ROMMON, I somehow changed up something in the configuration during the webui configuration wizard to the point where the APs are no longer able to reach the WLC. I know I messed up on the networking somewhere, but can't seem to pinpoint it. Any help would be greatly appreciated. Thanks!

The APs are plugged into a switch with the config:

interface GigabitEthernet0/4
 description Cisco WAP
 switchport trunk allowed vlan 300-309
 switchport trunk native vlan 301
 switchport mode trunk

The WLC is plugged into the switch with config:

interface GigabitEthernet0/3
 description Cisco 9800 WLC
 switchport mode trunk

And the config for the WLC:

Building configuration...

Current configuration : bytes
!
! Last configuration change at 
!
version 16.12
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
hostname 
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
no logging console
enable secret 
!
no aaa new-model
clock timezone Central 0 0
vtp mode off
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
  active
  destination transport-method http
  no destination transport-method email
!
no ip igmp snooping vlan 309
login on-success log
!
subscriber templating
!
parameter-map type webauth global
 virtual-ip ipv4 192.0.2.1
!
parameter-map type webauth day0_web_auth_
 type webauth
!
no device-tracking logging theft
access-session mac-move deny
multilink bundle-name authenticated
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
crypto pki trustpoint TP-self-signed-4
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-
 revocation-check none
 rsakeypair TP-self-signed-
!
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
crypto pki certificate chain TP-self-signed-
 certificate self-signed 01
license udi pid C9800-L-C-K9 
memory free low-watermark processor 
!
service-template webauth-global-inactive
 inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
 linksec policy must-secure
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 linksec policy should-secure
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
service-template DEFAULT_CRITICAL_DATA_TEMPLATE
diagnostic bootup level minimal
!
username admin privilege 15 password 
!
redundancy
 mode sso
!
vlan configuration 309
vlan internal allocation policy ascending
!
vlan 300
 name 300
!
vlan 301
 name 301
!
vlan 309
 name 309
class-map match-any AVC-Reanchor-Class
 match protocol cisco-jabber-audio
 match protocol cisco-jabber-video
 match protocol webex-media
 match protocol webex-app-sharing
 match protocol webex-control
 match protocol webex-meeting
 match protocol wifi-calling
!
interface TwoGigabitEthernet0/0/0
 switchport trunk native vlan 301
 switchport mode trunk
 negotiation auto
!
interface TwoGigabitEthernet0/0/1
 negotiation auto
!
interface TwoGigabitEthernet0/0/2
 negotiation auto
!
interface TwoGigabitEthernet0/0/3
 negotiation auto
!
interface TenGigabitEthernet0/1/0
 negotiation auto
!
interface TenGigabitEthernet0/1/1
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 172.30.0.4 255.255.255.0
 negotiation auto
!
interface Vlan1
 ip address 172.30.0.5 255.255.255.0
 no mop enabled
!
interface Vlan301
 ip address 172.30.1.10 255.255.255.0
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.30.1.1
control-plane
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password 
 login
 length 0
line vty 5 15
 password 
 login
 length 0
!
ntp server 129.250.35.251

wireless aaa policy default-aaa-policy
wireless cts-sxp profile default-sxp-profile
wireless management interface Vlan301
wireless profile airtime-fairness default-atf-policy 0
wireless profile flex default-flex-profile
 description "default flex profile"
wireless profile mesh default-mesh-profile
 description "default mesh profile"
wireless profile policy Vlan309
 vlan 309
 no shutdown
wireless profile policy default-policy-profile
 autoqos mode voice
 description "default policy profile"
 service-policy input platinum-up
 service-policy output platinum
 vlan 300
 no shutdown
wireless tag site default-site-tag
 description "default site tag"
wireless tag policy default-policy-tag
 description "default policy-tag"
 wlan NAME policy default-policy-profile
 wlan NAME-guest policy Vlan309
wireless tag rf default-rf-tag
 description "default RF tag"
wireless fabric control-plane default-control-plane

Arshad Safrulla · ‎02-03-2022

Hi,

Remove the Native VLAN configuration from both WLC and the upstream switch.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

View solution in original post

jagan.chowdam · ‎02-02-2022

Verify trustpoint by issuing the command

c980#show wireless management trustpoint

If not there reassign the MIC by using the following commands:

c9800(config)#no wireless management trustpoint

c9800(config)#wireless management trustpoint CISCO_IDEVID_SUDI

Note: This command needs to be run at the exec prompt (not in config mode).

● Validate the wireless configuration using the following exec command:

c9800#wireless config validate

CJ

/** Please rate all useful responses **/

Apao · ‎02-03-2022

It looks like that trustpoint is the default.

Trustpoint Name  : CISCO_IDEVID_SUDI
Certificate Info : Available
Certificate Type : MIC
Private key Info : Available
FIPS suitability : Not Applicable

Trying to reassign results in

% switch-1:dbm:wireless:Default Cisco SUDI trustpoint name is not allowed

Arshad Safrulla · ‎02-03-2022

Hi,

Remove the Native VLAN configuration from both WLC and the upstream switch.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

Apao · ‎02-03-2022

Thank you so much! This did the trick. Can you please explain to this beginner why that was the issue?

Arshad Safrulla · ‎02-03-2022

Your WMI is VLAN301, this needs to go tagged over the WLC uplink. Refer the below best practices guide which explains the same in detail.

https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html#:~:text=9000%20switch%20family.-,Wireless%20management%20interface%20VLAN%20tag,-Cisco%20recommends%20using

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

marce1000 · ‎02-02-2022

- Have a sanity check of the controller configuration, for that use (CLI) show tech wireless , have the output processed by : https://cway.cisco.com/tools/WirelessAnalyzer/

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '