08-10-2023 02:00 PM - last edited on 08-10-2023 02:45 PM by shule
Hello Cisco Community,
I've built a C9800-CL running on ESXi but I am struggling to join any of my CW9164I-ROW APs. Currently they are stuck in a discovery loop. I have tried subnet broadcast, DHCP Option 43 and DNS for CISCO-CAPWAP-CONTROLLER and even statically configured the IP for the vWLC.
The APs are currently in local mode, can pick up an IP address through DHCP and can ping the vWLC. The vWLC can ping the APs. There are plenty of licenses in our Smart Account and the vWLC can reach our Smart Account.
I've double-checked that the software versions on the vWLC and APs are compatible based on Cisco's Interoperability Matrix and that the regulatory domains match. I'm really at a loss as to what is preventing them joining! Various logs and debugs don't seem to offer much info:
AP Running Image : 17.9.3.50
WLC Version 17.09.03
AP Discovery:
License Level and License Availability:
AP Debugs and WLC logs
[*08/08/2023 15:59:10.3498] Starting Discovery.
[*08/08/2023 15:59:20.3609]
[*08/08/2023 15:59:20.3609] CAPWAP State: Discovery
[*08/08/2023 15:59:20.3617] Did not get log server settings from DHCP.
[*08/08/2023 15:59:20.3617] IP DNS query for CISCO-CAPWAP-CONTROLLER.domain
[*08/08/2023 15:59:20.3630] DNS resolved CISCO-CAPWAP-CONTROLLER.domain
[*08/08/2023 15:59:20.3630] DNS discover IP addr: controller IP address
[*08/08/2023 15:59:20.3630] Ignoring discovery to controller 0
[*08/08/2023 15:59:20.3630] Ignoring discovery to controller 1
[*08/08/2023 15:59:20.3630] Ignoring discovery to controller 2
[*08/08/2023 15:59:20.3630] [ENC] CAPWAP_DISCOVERY_REQUEST(1)
[*08/08/2023 15:59:20.3631] .Msg Elem Type: CAPWAP_MSGELE_DISCOVERY_TYPE(20) Len 5 Total 5
[*08/08/2023 15:59:20.3631] BOARD ID: 65535.
[*08/08/2023 15:59:20.3631] BOARD REV Linux Revision.
[*08/08/2023 15:59:20.3631] .Msg Elem Type: CAPWAP_MSGELE_WTP_BOARD_DATA(38) Len 72 Total 77
[*08/08/2023 15:59:20.3631] .Msg Elem Type: CAPWAP_MSGELE_WTP_DESCRIPTOR(39) Len 44 Total 121
[*08/08/2023 15:59:20.3631] .Msg Elem Type: CAPWAP_MSGELE_WTP_FRAME_TUNNEL(41) Len 5 Total 126
[*08/08/2023 15:59:20.3631] .Msg Elem Type: CAPWAP_MSGELE_WTP_MAC_TYPE(44) Len 5 Total 131
[*08/08/2023 15:59:20.3632] .Msg Elem Type: CAPWAP_MSGELE_WTP_NAME(45) Len 20 Total 151
[*08/08/2023 15:59:20.3632] .Msg Elem Type: CAPWAP_MSGELE_LOCATION_DATA(28) Len 20 Total 171
[*08/08/2023 15:59:20.3636] .Msg Elem Type: CAPWAP_DOT11_MSGELE_WTP_RADIO_INFORMATION(1048) Len 9 Total 180
[*08/08/2023 15:59:20.3639] .Msg Elem Type: CAPWAP_DOT11_MSGELE_WTP_RADIO_INFORMATION(1048) Len 9 Total 189
[*08/08/2023 15:59:20.3642] .Msg Elem Type: CAPWAP_DOT11_MSGELE_WTP_RADIO_INFORMATION(1048) Len 9 Total 198
[*08/08/2023 15:59:20.3642] ..Vendor Type: BOARD_DATA_OPT_PAYLOAD(207) Len 14 Total 212
[*08/08/2023 15:59:20.3681] ..Vendor Type: RAD_NAME_PAYLOAD(5) Len 26 Total 238
[*08/08/2023 15:59:20.3681] Not Sending the TLV_AP_EWLC_TAGS_PAYLOAD.
[*08/08/2023 15:59:20.3681] >>>> TLV encode callback function failed: TLV_AP_EWLC_TAGS_PAYLOAD
[*08/08/2023 15:59:20.3681]
[*08/08/2023 15:59:20.3681] Encoded length 0 for payload: ...TLV Type: TLV_AP_EWLC_TAGS_PAYLOAD(1113)
[*08/08/2023 15:59:20.3681] encodeLen = 238.
[*08/08/2023 15:59:20.3681] SingleFragPkt:Len of pkt 246
[*08/08/2023 15:59:20.3681]
[*08/08/2023 15:59:20.3682] Discovery Request sent to controller IP, discovery type DNS(3)
[*08/08/2023 15:59:20.3682] [ENC] CAPWAP_DISCOVERY_REQUEST(1)
[*08/08/2023 15:59:20.3683] .Msg Elem Type: CAPWAP_MSGELE_DISCOVERY_TYPE(20) Len 5 Total 5
[*08/08/2023 15:59:20.3683] BOARD ID: 65535.
[*08/08/2023 15:59:20.3683] BOARD REV Linux Revision.
[*08/08/2023 15:59:20.3683] .Msg Elem Type: CAPWAP_MSGELE_WTP_BOARD_DATA(38) Len 72 Total 77
[*08/08/2023 15:59:20.3683] .Msg Elem Type: CAPWAP_MSGELE_WTP_DESCRIPTOR(39) Len 44 Total 121
[*08/08/2023 15:59:20.3683] .Msg Elem Type: CAPWAP_MSGELE_WTP_FRAME_TUNNEL(41) Len 5 Total 126
[*08/08/2023 15:59:20.3683] .Msg Elem Type: CAPWAP_MSGELE_WTP_MAC_TYPE(44) Len 5 Total 131
[*08/08/2023 15:59:20.3683] .Msg Elem Type: CAPWAP_MSGELE_WTP_NAME(45) Len 20 Total 151
[*08/08/2023 15:59:20.3683] .Msg Elem Type: CAPWAP_MSGELE_LOCATION_DATA(28) Len 20 Total 171
[*08/08/2023 15:59:20.3686] .Msg Elem Type: CAPWAP_DOT11_MSGELE_WTP_RADIO_INFORMATION(1048) Len 9 Total 180
[*08/08/2023 15:59:20.3689] .Msg Elem Type: CAPWAP_DOT11_MSGELE_WTP_RADIO_INFORMATION(1048) Len 9 Total 189
[*08/08/2023 15:59:20.3692] .Msg Elem Type: CAPWAP_DOT11_MSGELE_WTP_RADIO_INFORMATION(1048) Len 9 Total 198
[*08/08/2023 15:59:20.3692] ..Vendor Type: BOARD_DATA_OPT_PAYLOAD(207) Len 14 Total 212
[*08/08/2023 15:59:20.3698] ..Vendor Type: RAD_NAME_PAYLOAD(5) Len 26 Total 238
[*08/08/2023 15:59:20.3699] Not Sending the TLV_AP_EWLC_TAGS_PAYLOAD.
[*08/08/2023 15:59:20.3699] >>>> TLV encode callback function failed: TLV_AP_EWLC_TAGS_PAYLOAD
[*08/08/2023 15:59:20.3699]
[*08/08/2023 15:59:20.3699] Encoded length 0 for payload: ...TLV Type: TLV_AP_EWLC_TAGS_PAYLOAD(1113)
[*08/08/2023 15:59:20.3699] encodeLen = 238.
[*08/08/2023 15:59:20.3699] SingleFragPkt:Len of pkt 246
[*08/08/2023 15:59:20.3699]
[*08/08/2023 15:59:20.3700] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*08/08/2023 15:59:20.3700] Received Capwap watchdog update msg.
[*08/08/2023 15:59:25.0560] Received Capwap watchdog update msg.
[*08/08/2023 15:59:29.8075] Received CAPWAP_DISCOVERY_INTERVAL_EXPIRY Capwap Timer Msg.
[*08/08/2023 15:59:29.8075] Could not discover any WLC.
WLC Syslogs:
Aug 10 20:36:55.619: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as username on vty0
Aug 10 20:36:55.534: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as username on vty0
Aug 10 20:24:13.146: %SYS-6-LOGOUT: User username has exited tty session 1(IP address)
Aug 10 20:24:13.146: %SYS-6-TTY_EXPIRE_TIMER: (exec timer expired, tty 1 (IP address)), user username
Aug 10 20:13:11.063: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: username] [Source: ip address] [localport: 22] at 21:13:11 British Thu Aug 10 2023
Aug 10 20:12:52.763: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as username on vty0
Aug 10 20:12:47.086: %IOSXE_RP_CFG_NOT-6-IOX_SERVICE_NOTSUPPORTED: IOx service not supported.
AP Packet Capture:
250 58.340482 src AP IP dest controller IP CAPWAP-Control 306 CAPWAP-Control - Discovery Request[Malformed Packet]
251 58.342581 src AP IP 255.255.255.255 CAPWAP-Control 306 CAPWAP-Control - Discovery Request[Malformed Packet]
Any help or advice will be greatly appreciated.
Many thanks,
Sam
08-10-2023 04:24 PM
08-10-2023 07:41 PM
@SamBurgess44786 wrote:
src AP IP dest controller IP CAPWAP-Control 306 CAPWAP-Control - Discovery Request[Malformed Packet]
Please try using 17.9.4.
08-10-2023 10:57 PM
- EWC usually needs an external tftp server for storing AP images : https://www.cisco.com/c/en/us/td/docs/wireless/controller/ewc/17-1/config-guide/ewc_cg_17_11/image_download.html#id_128466
M.
08-13-2023 11:42 AM
1. Did you follow the ESX configuration instructions? Without Promiscuous Mode and Forged Transmits it will not work. See best practice guide below and the 9800-CL install guide.
2. Have you configured the 9800-CL WMI and self-signed cert? E.g. "wireless management interface GigabitEthernet2" and cert as per https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html#Dealingwithtrustpoints
08-14-2023 07:08 AM - edited 08-14-2023 07:13 AM
Hi All,
Thank you for your replies. I'll quickly run through the steps I have taken based on the various suggestions.
@Flavio Miranda show ap support-bundle summary doesn't show any output, should it?
vWLC is now upgraded to 17.9.4 and APs upgraded to 17.9.4.27
@Rich R Enabling Promiscuous Mode and Forged Transmits fixed the issue I had whereby I couldn't reach any of my WLC SVIs; after enabling them on the ESXi network adapter that worked fine. The issue seems to have been with the cert on the WMI. Although the WMI was set up correctly on Gi1, I assumed it would use the WLC trustpoint by default. I didn't realise it also needed adding to the WMI.
Click on the WMI arrow and add the trustpoint here:
I have done that and the AP has successfully joined the WLC!
Thanks for all your help! Again.
Sam
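An added example, not part of the thread or of any Cisco tooling: a small Python triage script that reads an AP console debug like the one in the first post and reports discovery cycles in which requests were sent but the timer expired with no reply, the pattern that in this thread turned out to be a controller-side fix (WMI trustpoint). The sample log is constructed from lines quoted in the thread, and the wording of the "Discovery Response from" line is an assumption, since no response line appears on the page.

```python
import re

# Constructed sample: lines taken from the AP debug in the first post, trimmed.
SAMPLE_LOG = """\
[*08/08/2023 15:59:10.3498] Starting Discovery.
[*08/08/2023 15:59:20.3609] CAPWAP State: Discovery
[*08/08/2023 15:59:20.3682] Discovery Request sent to controller IP, discovery type DNS(3)
[*08/08/2023 15:59:20.3700] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*08/08/2023 15:59:29.8075] Received CAPWAP_DISCOVERY_INTERVAL_EXPIRY Capwap Timer Msg.
[*08/08/2023 15:59:29.8075] Could not discover any WLC.
"""

LINE = re.compile(r"^\[\*(?P<ts>[^\]]+)\]\s*(?P<msg>.*)$")
SENT = re.compile(
    r"Discovery Request sent to (?P<dst>.+?), discovery type (?P<kind>\w+)\((?P<code>\d+)\)"
)
# Assumption: wording of the AP's response line; adjust to match your own logs.
RESP = re.compile(r"Discovery Response from (?P<src>\S+)")


def discovery_cycles(text):
    """Split an AP debug log into discovery cycles with what was sent and heard."""
    cycles, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines without the [*timestamp] prefix
        ts, msg = m["ts"], m["msg"]
        # A new cycle starts explicitly, or implicitly if the capture began mid-cycle.
        if msg.startswith("Starting Discovery") or cur is None:
            cur = {"start": ts, "sent": [], "responses": [], "failed": False}
            cycles.append(cur)
        if (s := SENT.search(msg)):
            cur["sent"].append((s["dst"], s["kind"]))
        elif (r := RESP.search(msg)):
            cur["responses"].append(r["src"])
        elif "Could not discover any WLC" in msg:
            cur["failed"] = True
    return cycles


def silent_cycles(cycles):
    """Cycles where requests left the AP, nothing came back, and discovery failed."""
    return [c for c in cycles if c["sent"] and not c["responses"] and c["failed"]]


if __name__ == "__main__":
    for c in silent_cycles(discovery_cycles(SAMPLE_LOG)):
        targets = ", ".join(f"{dst} [{kind}]" for dst, kind in c["sent"])
        print(f"{c['start']}: no reply to requests sent to {targets}")
```

A non-empty result while the AP can still ping the controller means the requests are leaving the AP and the next place to look is the controller and the path to it, which is where both fixes in this thread were found.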