
Failed to handle capwap control message from controller

david_mayor
Level 1

Hello,

I am struggling to associate 1242 APs with WLCs.

Show version of the AP:

Cisco IOS Software, C1240 Software (C1240-K9W8-M), Version 12.4(25e)JAM2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 29-Jul-13 11:32 by prod_rel_team

ROM: Bootstrap program is C1240 boot loader
BOOTLDR: C1240 Boot Loader (C1240-BOOT-M) Version 12.3(7)JA1, RELEASE SOFTWARE (fc1)

AP0019.56b0.855e uptime is 9 minutes
System returned to ROM by power-on
System image file is "flash:/c1240-k9w8-mx.124-25e.JAM2/c1240-k9w8-mx.124-25e.JAM2"

Show inventory of the AP:

AME: "AP1240", DESCR: "Cisco Aironet 1240 Series (IEEE 802.11a/g) Access Point"

PID: AIR-LAP1242AG-E-K9, VID: V01, SN: FCZ10408384

When trying to attach it to a WLC 5508 running 6.0.199.4, the AP keeps on downloading image and power cycling.

When trying to attach it to a WLC 5508 running 7.4.110.0, the AP shows the following message :

Jan 30 08:24:56.372: %CAPWAP-3-ERRORLOG: GOING BACK TO DISCOVER MODE

*Jan 30 08:24:56.373: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.71.142.7:5246

*Jan 30 08:24:56.427: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255

*Jan 30 08:24:56.445: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down

*Jan 30 08:24:56.445: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down

*Jan 30 08:24:56.447: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up

*Jan 30 08:24:56.484: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up

*Jan 30 08:24:57.445: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down

*Jan 30 08:24:57.473: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down

*Jan 30 08:24:57.478: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset

*Jan 30 08:24:58.466: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up

*Jan 30 08:24:58.473: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down

*Jan 30 08:24:58.503: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up

*Jan 30 08:24:58.508: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down

*Jan 30 08:24:58.513: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset

*Jan 30 08:24:59.503: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up

*Jan 30 08:24:59.508: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down

*Jan 30 08:24:59.532: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up

*Jan 30 08:25:00.532: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up

*Jan 30 08:25:06.483: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Jan 30 08:25:07.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.71.142.7 peer_port: 5246

*Jan 30 08:25:08.565: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.71.142.7 peer_port: 5246

*Jan 30 08:25:08.567: %CAPWAP-5-SENDJOIN: sending Join Request to 10.71.142.7

*Jan 30 08:25:08.598: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.

*Jan 30 08:25:08.599: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.

*Jan 30 08:25:08.599: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller

*Jan 30 08:25:08.599: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 10.71.142.7

Any idea?

Many thanks!

13 Replies

Sandeep Choudhary
VIP Alumni

Can you paste the sh sysinfo from the WLC?

Also paste the output of this command from the WLC: debug pm pki enable

Regards

Here is show sysinfo output from WLC running 7.4.110.0:

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.4.110.0
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... 6.0.182.0
Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
Build Type....................................... DATA + WPS

System Name...................................... gvenwc0006
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
Redundancy Mode.................................. Disabled
IP Address....................................... 10.71.142.7
Last Reset....................................... Software reset
System Up Time................................... 101 days 23 hrs 9 mins 43 secs
System Timezone Location.........................
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180

Configured Country............................... Multiple Countries:CH,NL,GB,AE,AT,DE,ES,IT,RU,SE,TR
Operating Environment............................ Commercial (0 to 40 C)

--More-- or (q)uit
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +39 C
External Temperature............................. +25 C
Fan Status....................................... OK

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Disabled
Number of WLANs.................................. 7
Number of Active Clients......................... 85

Memory Current Usage............................. Unknown
Memory Average Usage............................. Unknown
CPU Current Usage................................ Unknown
CPU Average Usage................................ Unknown

Burned-in MAC Address............................ 44:2B:03:B4:45:00
Power Supply 1................................... Present, OK
Power Supply 2................................... Absent
Maximum number of APs supported.................. 50

Why do you have so many countries configured on the WLC?

Did you need this or what?

Also check this:

Security > AP Policies, and check the Accept the Manufactured Installed Certificate box.

Regards

The WLC is a WLC for H-REAP APs. We have 30 APs working fine with that setup. We need that because the APs are from multiple countries.

All boxes in AP Policies were already checked.

Many thanks.

Hi,

Can you console to the AP and reboot it, then paste the entire bootup process here?

Did you check this box: Authorize MIC APs against auth-list or AAA?

If yes, then you must enter the MAC address of the AP in the AP Authorization List.

Regards

I have added the MAC to the AP Authorization List. Here is the reboot:

: 5246Xmodem file system is available.
flashfs[0]: 12 files, 4 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 15998976
flashfs[0]: Bytes used: 7335936
flashfs[0]: Bytes available: 8663040
flashfs[0]: flashfs fsck took 32 seconds.
Base ethernet MAC Address: 00:19:56:b0:85:5e
Initializing ethernet port 0...
Reset ethernet port 0...
Reset done!
ethernet link up, 100 mbps, full-duplex
Ethernet port 0 initialized: link is up
Loading "flash:/c1240-k9w8-mx.124-25e.JAM2/c1240-k9w8-mx.124-25e.JAM2"...##########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################

File "flash:/c1240-k9w8-mx.124-25e.JAM2/c1240-k9w8-mx.124-25e.JAM2" uncompressed and installed, entry point: 0x3000
executing...

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706

Cisco IOS Software, C1240 Software (C1240-K9W8-M), Version 12.4(25e)JAM2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 29-Jul-13 11:32 by prod_rel_team


Proceeding with system init

Proceeding to unmask interrupts
Initializing flashfs...

flashfs[2]: 12 files, 4 directories
flashfs[2]: 0 orphaned files, 0 orphaned directories
flashfs[2]: Total bytes: 15740928
flashfs[2]: Bytes used: 7335936
flashfs[2]: Bytes available: 8404992
flashfs[2]: flashfs fsck took 5 seconds.
flashfs[2]: Initialization complete....done Initializing flashfs.

Radio0  present A506 7100 E8000000 A0000000 80000000 3
Rate table has 12 entries (0 SGI/0 BF variants)

Radio1  present A506 6700 E8000100 A0040000 80010000 2
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-LAP1242AG-E-K9   (PowerPCElvis) processor (revision A0) with 27638K/5120K bytes of memory.
Processor board ID FCZ10408384
PowerPCElvis CPU at 262Mhz, revision number 0x0950
Last reset from power-on
LWAPP image version 7.4.110.0
1 FastEthernet interface
2 802.11 Radio(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:19:56:B0:85:5E
Part Number                          : 73-10256-05
PCA Assembly Number                  : 800-26918-04
PCA Revision Number                  : B0
PCB Serial Number                    : FOC10384AHS
Top Assembly Part Number             : 800-26965-03
Top Assembly Serial Number           : FCZ10408384
Top Revision Number                  : A0
Product/Model Number                 : AIR-LAP1242AG-E-K9
% Please define a domain-name first.


Press RETURN to get started!


*Mar  1 00:00:06.684: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
*Mar  1 00:00:08.106: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
*Mar  1 00:00:09.482: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1
*Mar  1 00:00:09.553: %LINK-6-UPDOWN: Interface FastEthernet0, changed state to up
*Mar  1 00:00:09.582: %LWAPP-4-CLIENTEVENTLOG: Read and initialized AP event log (contains, 1024 messages)

*Mar  1 00:00:10.639: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
*Mar  1 00:00:11.782: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C1240 Software (C1240-K9W8-M), Version 12.4(25e)JAM2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 29-Jul-13 11:32 by prod_rel_team
*Mar  1 00:00:11.782: %SNMP-5-COLDSTART: SNMP agent on host AP0019.56b0.855e is undergoing a cold start
*Mar  1 00:00:12.050: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Mar  1 00:00:12.050: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar  1 00:00:12.050: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar  1 00:00:12.290: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Mar  1 00:00:12.290: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to resetlwapp_crypto_init: MIC Present and Parsed Successfully

*Mar  1 00:00:13.051: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Mar  1 00:00:13.051: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Mar  1 00:00:14.849: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Mar  1 00:00:20.673: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.64.94.52, mask 255.255.255.0, hostname AP0019.56b0.855e

*Mar  1 00:00:30.761: Logging LWAPP message to 255.255.255.255.

Translating "CISCO-CAPWAP-CONTROLLER.emea.givaudan.com"...domain server (10.65.79.222)

Translating "CISCO-LWAPP-CONTROLLER.emea.givaudan.com"...domain server (10.65.79.222)

*Mar  1 00:00:40.807: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.71.142.7 obtained through DHCP
*Mar  1 00:00:40.807: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.71.142.8 obtained through DHCP
*Mar  1 00:00:40.807: %CAPWAP-5-DHCP_OPTION_43: Controller address 0.0.1.90 obtained through DHCP
*Mar  1 00:00:40.808: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Mar  1 00:00:40.862: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.emea.givaudan.com
*Mar  1 00:00:40.915: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-LWAPP-CONTROLLER.emea.givaudan.com
*Mar  1 00:00:42.844: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Mar  1 00:00:43.876: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar  1 00:00:44.876: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Mar  1 00:00:44.915: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar  1 00:00:45.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar  1 00:00:50.918: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jan 30 09:01:15.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.71.142.7 peer_port: 5246
*Jan 30 09:01:16.553: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.71.142.7 peer_port: 5246
*Jan 30 09:01:16.554: %CAPWAP-5-SENDJOIN: sending Join Request to 10.71.142.7
*Jan 30 09:01:16.586: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
*Jan 30 09:01:16.586: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
*Jan 30 09:01:16.586: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Jan 30 09:01:16.586: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 10.71.142.7
*Jan 30 09:01:34.766: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(UNKNOWN_MESSAGE_T., 1)5)
*Jan 30 09:01:34.766: %CAPWAP-3-ERRORLOG: GOING BACK TO DISCOVER MODE
*Jan 30 09:01:34.767: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.71.142.7:5246
*Jan 30 09:01:34.825: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
*Jan 30 09:01:34.849: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Jan 30 09:01:34.849: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Jan 30 09:01:34.851: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Jan 30 09:01:34.906: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Jan 30 09:01:35.848: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Jan 30 09:01:35.876: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Jan 30 09:01:35.881: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Jan 30 09:01:36.869: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Jan 30 09:01:36.876: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Jan 30 09:01:36.907: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Jan 30 09:01:36.912: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Jan 30 09:01:36.917: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Jan 30 09:01:37.907: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Jan 30 09:01:37.912: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Jan 30 09:01:37.935: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Jan 30 09:01:38.935: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Jan 30 09:01:44.906: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jan 30 09:01:45.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.71.142.7 peer_port: 5246

It keeps on doing that.

many thanks

Hi David,

With these logs I am not able to find the root cause.

Paste the output from wlc:

1. debug pm pki enable

2. debug capwap events enable

Regards

here is the debug output:

login as: groupwls


(Cisco Controller)
User: groupwls
Password:************
Your password does not meet the strong password requirements.For added security, set a new password that meets these requirements. To prevent this message from showing again, disable the strong password feature.
(Cisco Controller) >debug pm pki enable

(Cisco Controller) >debug capwap events enable

(Cisco Controller) >*spamApTask2: Jan 30 09:46:38.639: 00:19:07:c6:39:60 DTLS connection not found, creating new connection for 10:64:94:52 (2134) 10:71:142:8 (5246)

*spamApTask2: Jan 30 09:46:38.640: sshpmGetCID: called to evaluate

*spamApTask2: Jan 30 09:46:38.640: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*spamApTask2: Jan 30 09:46:38.640: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*spamApTask2: Jan 30 09:46:38.640: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*spamApTask2: Jan 30 09:46:38.640: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*spamApTask2: Jan 30 09:46:38.640: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*spamApTask2: Jan 30 09:46:38.640: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*spamApTask2: Jan 30 09:46:38.640: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<

*spamApTask2: Jan 30 09:46:38.640: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<

*spamApTask2: Jan 30 09:46:38.640: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<

*spamApTask2: Jan 30 09:46:38.640: sshpmGetCertFromCID: called to get cert for CID 155224fa

*spamApTask2: Jan 30 09:46:38.640: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<

*spamApTask2: Jan 30 09:46:38.641: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<

*spamApTask2: Jan 30 09:46:38.641: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<

*spamApTask2: Jan 30 09:46:38.641: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<

*spamApTask2: Jan 30 09:46:38.641: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<

*spamApTask2: Jan 30 09:46:38.641: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<

*spamApTask2: Jan 30 09:46:38.641: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<

*spamApTask2: Jan 30 09:46:38.641: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultIdCert<

*spamApTask2: Jan 30 09:46:38.641: sshpmGetCertFromCID: comparing to row 2, certname >cscoDefaultIdCert<

*spamApTask2: Jan 30 09:46:38.641: sshpmGetCID: called to evaluate

*spamApTask2: Jan 30 09:46:38.641: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*spamApTask2: Jan 30 09:46:38.641: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*spamApTask2: Jan 30 09:46:38.641: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*spamApTask2: Jan 30 09:46:38.641: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*spamApTask2: Jan 30 09:46:38.641: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*spamApTask2: Jan 30 09:46:38.641: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*spamApTask2: Jan 30 09:46:38.641: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<

*spamApTask2: Jan 30 09:46:38.641: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<

*spamApTask2: Jan 30 09:46:38.641: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<

*spamApTask2: Jan 30 09:46:38.641: sshpmGetSshPrivateKeyFromCID: called to get key for CID 155224fa

*spamApTask2: Jan 30 09:46:38.641: sshpmGetSshPrivateKeyFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<

*spamApTask2: Jan 30 09:46:38.641: sshpmGetSshPrivateKeyFromCID: comparing to row 1, certname >bsnDefaultIdCert<

*spamApTask2: Jan 30 09:46:38.641: sshpmGetSshPrivateKeyFromCID: comparing to row 2, certname >cscoDefaultIdCert<

*spamApTask2: Jan 30 09:46:38.641: sshpmGetSshPrivateKeyFromCID: match in row 2

*spamApTask2: Jan 30 09:46:38.883: sshpmGetIssuerHandles: locking ca cert table

*spamApTask2: Jan 30 09:46:38.883: sshpmGetIssuerHandles: calling x509_alloc() for user cert

*spamApTask2: Jan 30 09:46:38.883: sshpmGetIssuerHandles: calling x509_decode()

*spamApTask2: Jan 30 09:46:38.887: sshpmGetIssuerHandles: C=US, ST=California, L=San Jose, O=Cisco Systems, CN=C1240-001956b0855e, MAILTO=support@cisco.com

*spamApTask2: Jan 30 09:46:38.887: sshpmGetIssuerHandles:   O=Cisco Systems, CN=Cisco Manufacturing CA

*spamApTask2: Jan 30 09:46:38.887: sshpmGetIssuerHandles: Mac Address in subject is 00:19:56:b0:85:5e

*spamApTask2: Jan 30 09:46:38.887: sshpmGetIssuerHandles: Cert Name in subject is C1240-001956b0855e

*spamApTask2: Jan 30 09:46:38.887: sshpmGetIssuerHandles: Cert is issued by Cisco Systems.

*spamApTask2: Jan 30 09:46:38.887: sshpmGetCID: called to evaluate

*spamApTask2: Jan 30 09:46:38.887: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*spamApTask2: Jan 30 09:46:38.887: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*spamApTask2: Jan 30 09:46:38.887: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*spamApTask2: Jan 30 09:46:38.887: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*spamApTask2: Jan 30 09:46:38.887: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*spamApTask2: Jan 30 09:46:38.887: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*spamApTask2: Jan 30 09:46:38.887: sshpmGetCertFromCID: called to get cert for CID 2f6d981f

*spamApTask2: Jan 30 09:46:38.887: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<

*spamApTask2: Jan 30 09:46:38.887: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<

*spamApTask2: Jan 30 09:46:38.887: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<

*spamApTask2: Jan 30 09:46:38.887: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<

*spamApTask2: Jan 30 09:46:38.887: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<

*spamApTask2: Jan 30 09:46:38.887: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<

*spamApTask2: Jan 30 09:46:38.887: ssphmUserCertVerify: calling x509_decode()

*spamApTask2: Jan 30 09:46:38.898: ssphmUserCertVerify: user cert verfied using >cscoDefaultMfgCaCert<

*spamApTask2: Jan 30 09:46:38.898: sshpmGetIssuerHandles: ValidityString (current): 2014/01/30/09:46:38

*spamApTask2: Jan 30 09:46:38.898: sshpmGetIssuerHandles: ValidityString (NotBefore): 2006/10/05/13:05:43

*spamApTask2: Jan 30 09:46:38.898: sshpmGetIssuerHandles: ValidityString (NotAfter): 2016/10/05/13:15:43

*spamApTask2: Jan 30 09:46:38.898: sshpmGetIssuerHandles: getting cisco ID cert handle...

*spamApTask2: Jan 30 09:46:38.898: sshpmGetCID: called to evaluate

*spamApTask2: Jan 30 09:46:38.898: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*spamApTask2: Jan 30 09:46:38.898: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*spamApTask2: Jan 30 09:46:38.898: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*spamApTask2: Jan 30 09:46:38.898: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*spamApTask2: Jan 30 09:46:38.898: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*spamApTask2: Jan 30 09:46:38.898: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*spamApTask2: Jan 30 09:46:38.898: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<

*spamApTask2: Jan 30 09:46:38.898: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<

*spamApTask2: Jan 30 09:46:38.898: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<

*spamApTask2: Jan 30 09:46:38.906: sshpmFreePublicKeyHandle: called with 0x2c058e50

*spamApTask2: Jan 30 09:46:38.906: sshpmFreePublicKeyHandle: freeing public key

*spamApTask2: Jan 30 09:46:40.169: 00:19:07:c6:39:60 Allocated index from main list, Index: 312

*spamApTask2: Jan 30 09:46:40.169: 00:19:07:c6:39:60 DTLS keys for Control Plane are plumbed successfully for AP 10.64.94.52. Index 313

*spamApTask2: Jan 30 09:46:40.169: 00:19:07:c6:39:60 DTLS Session established server (10.71.142.8:5246), client (10.64.94.52:2134)
*spamApTask2: Jan 30 09:46:40.169: 00:19:07:c6:39:60 Starting wait join timer for AP: 10.64.94.52:2134

*spamApTask2: Jan 30 09:46:40.199: 00:19:07:c6:39:60 Join Request from 10.64.94.52:2134

*spamApTask2: Jan 30 09:46:40.200: 00:19:07:c6:39:60 Deleting AP entry 10.64.94.52:2134 from temporary database.
*spamApTask2: Jan 30 09:46:40.201: 00:19:07:c6:39:60 Join Version: = 117730816

*spamApTask2: Jan 30 09:46:40.201: 00:19:07:c6:39:60 Join resp: CAPWAP Maximum Msg element len = 87

*spamApTask2: Jan 30 09:46:40.201: 00:19:07:c6:39:60 Join Response sent to 10.64.94.52:2134

*spamApTask2: Jan 30 09:46:40.201: 00:19:07:c6:39:60 CAPWAP State: Join

*spamApTask2: Jan 30 09:46:40.201: 00:19:07:c6:39:60 capwap_ac_platform.c:1225 - Operation State 0 ===> 4
*apfReceiveTask: Jan 30 09:46:40.201: 00:19:07:c6:39:60 Register LWAPP event for AP 00:19:07:c6:39:60 slot 0
*apfReceiveTask: Jan 30 09:46:40.201: WARP IEs: (12)

*apfReceiveTask: Jan 30 09:46:40.202:      [0000] dd 0a 00 c0 b9 01 00 00 00 08 01 01

*apfReceiveTask: Jan 30 09:46:40.202: WARP IEs: (12)

*apfReceiveTask: Jan 30 09:46:40.202:      [0000] dd 0a 00 c0 b9 01 00 00 00 08 01 01

*apfReceiveTask: Jan 30 09:46:40.202: WARP IEs: (12)

*apfReceiveTask: Jan 30 09:46:40.202:      [0000] dd 0a 00 c0 b9 01 00 00 00 08 01 01

*apfReceiveTask: Jan 30 09:46:40.203: 00:19:07:c6:39:60 Register LWAPP event for AP 00:19:07:c6:39:60 slot 1
*apfReceiveTask: Jan 30 09:46:40.203: WARP IEs: (12)

*apfReceiveTask: Jan 30 09:46:40.203:      [0000] dd 0a 00 c0 b9 01 00 00 00 08 01 01

*apfReceiveTask: Jan 30 09:46:40.203: WARP IEs: (12)

*apfReceiveTask: Jan 30 09:46:40.203:      [0000] dd 0a 00 c0 b9 01 00 00 00 08 01 01

*apfReceiveTask: Jan 30 09:46:40.203: WARP IEs: (12)

*apfReceiveTask: Jan 30 09:46:40.203:      [0000] dd 0a 00 c0 b9 01 00 00 00 08 01 01

*spamApTask2: Jan 30 09:46:41.021: 00:19:07:c6:39:60 Configuration Status from 10.64.94.52:2134

*spamApTask2: Jan 30 09:46:41.022: 00:19:07:c6:39:60 CAPWAP State: Configure

*spamApTask2: Jan 30 09:46:41.022: 00:19:07:c6:39:60 Updating IP info for AP 00:19:07:c6:39:60 -- static 0, 10.64.94.52/255.255.255.0, gtw 10.64.94.254
*spamApTask2: Jan 30 09:46:41.022: 00:19:07:c6:39:60 Updating IP 10.64.94.52 ===> 10.64.94.52 for AP 00:19:07:c6:39:60
*spamApTask2: Jan 30 09:46:41.023: 00:19:07:c6:39:60 Setting MTU to 1485
*spamApTask2: Jan 30 09:46:44.028: 00:19:07:c6:39:60 Configuration Status from 10.64.94.52:2134

*spamApTask2: Jan 30 09:46:44.028: 00:19:07:c6:39:60 CAPWAP State: Configure

*spamApTask2: Jan 30 09:46:44.028: 00:19:07:c6:39:60 Updating IP info for AP 00:19:07:c6:39:60 -- static 0, 10.64.94.52/255.255.255.0, gtw 10.64.94.254
*spamApTask2: Jan 30 09:46:44.028: 00:19:07:c6:39:60 Updating IP 10.64.94.52 ===> 10.64.94.52 for AP 00:19:07:c6:39:60
*spamApTask2: Jan 30 09:46:44.029: 00:19:07:c6:39:60 Setting MTU to 1485
*spamApTask2: Jan 30 09:46:47.021: 00:19:07:c6:39:60 Configuration Status from 10.64.94.52:2134

*spamApTask2: Jan 30 09:46:47.021: 00:19:07:c6:39:60 CAPWAP State: Configure

*spamApTask2: Jan 30 09:46:47.021: 00:19:07:c6:39:60 Updating IP info for AP 00:19:07:c6:39:60 -- static 0, 10.64.94.52/255.255.255.0, gtw 10.64.94.254
*spamApTask2: Jan 30 09:46:47.021: 00:19:07:c6:39:60 Updating IP 10.64.94.52 ===> 10.64.94.52 for AP 00:19:07:c6:39:60
*spamApTask2: Jan 30 09:46:47.022: 00:19:07:c6:39:60 Setting MTU to 1485
*spamApTask2: Jan 30 09:46:50.021: 00:19:07:c6:39:60 Configuration Status from 10.64.94.52:2134

*spamApTask2: Jan 30 09:46:50.021: 00:19:07:c6:39:60 CAPWAP State: Configure

*spamApTask2: Jan 30 09:46:50.021: 00:19:07:c6:39:60 Updating IP info for AP 00:19:07:c6:39:60 -- static 0, 10.64.94.52/255.255.255.0, gtw 10.64.94.254
*spamApTask2: Jan 30 09:46:50.021: 00:19:07:c6:39:60 Updating IP 10.64.94.52 ===> 10.64.94.52 for AP 00:19:07:c6:39:60
*spamApTask2: Jan 30 09:46:50.022: 00:19:07:c6:39:60 Setting MTU to 1485
*spamApTask2: Jan 30 09:46:53.021: 00:19:07:c6:39:60 Configuration Status from 10.64.94.52:2134

*spamApTask2: Jan 30 09:46:53.021: 00:19:07:c6:39:60 CAPWAP State: Configure

*spamApTask2: Jan 30 09:46:53.021: 00:19:07:c6:39:60 Updating IP info for AP 00:19:07:c6:39:60 -- static 0, 10.64.94.52/255.255.255.0, gtw 10.64.94.254
*spamApTask2: Jan 30 09:46:53.021: 00:19:07:c6:39:60 Updating IP 10.64.94.52 ===> 10.64.94.52 for AP 00:19:07:c6:39:60
*spamApTask2: Jan 30 09:46:53.022: 00:19:07:c6:39:60 Setting MTU to 1485
*spamApTask2: Jan 30 09:46:56.021: 00:19:07:c6:39:60 Configuration Status from 10.64.94.52:2134

*spamApTask2: Jan 30 09:46:56.021: 00:19:07:c6:39:60 CAPWAP State: Configure

*spamApTask2: Jan 30 09:46:56.021: 00:19:07:c6:39:60 Updating IP info for AP 00:19:07:c6:39:60 -- static 0, 10.64.94.52/255.255.255.0, gtw 10.64.94.254
*spamApTask2: Jan 30 09:46:56.021: 00:19:07:c6:39:60 Updating IP 10.64.94.52 ===> 10.64.94.52 for AP 00:19:07:c6:39:60
*spamApTask2: Jan 30 09:46:56.022: 00:19:07:c6:39:60 Setting MTU to 1485
*spamApTask2: Jan 30 09:46:59.019: 00:19:07:c6:39:60 DTLS keys for Control Plane deleted successfully for AP 10.64.94.52

*spamApTask2: Jan 30 09:46:59.026: 00:19:07:c6:39:60 DTLS connection closed event receivedserver (10:71:142:8/5246) client (10:64:94:52/2134)
*spamApTask2: Jan 30 09:46:59.026: 00:19:07:c6:39:60 Entry exists for AP (10:64:94:52/2134)
*spamApTask2: Jan 30 09:46:59.026: 00:19:07:c6:39:60 apfSpamProcessStateChangeInSpamContext: Deregister LWAPP event for AP 00:19:07:c6:39:60 slot 0
*apfReceiveTask: Jan 30 09:46:59.026: 00:19:07:c6:39:60 Deregister LWAPP event for AP 00:19:07:c6:39:60 slot 0
*spamApTask2: Jan 30 09:46:59.027: 00:19:07:c6:39:60 apfSpamProcessStateChangeInSpamContext: Deregister LWAPP event for AP 00:19:07:c6:39:60 slot 1
*apfReceiveTask: Jan 30 09:46:59.027: 00:19:07:c6:39:60 Deregister LWAPP event for AP 00:19:07:c6:39:60 slot 1
*spamApTask2: Jan 30 09:46:59.028: 00:19:07:c6:39:60 No AP entry exist in temporary database for 10.64.94.52:2134
*spamApTask0: Jan 30 09:46:59.127: 00:19:07:c6:39:60 Received LWAPP DISCOVERY REQUEST to 44:2b:03:b4:39:cf on port '13'
*spamApTask3: Jan 30 09:46:59.128: 00:19:07:c6:39:60 Discovery Request from 10.64.94.52:2135

*spamApTask3: Jan 30 09:46:59.128: 00:19:07:c6:39:60 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 50, joined Aps =0
*spamApTask3: Jan 30 09:46:59.128: 00:19:07:c6:39:60 Discovery Response sent to 10.64.94.52:2135

*spamApTask3: Jan 30 09:46:59.129: 00:19:07:c6:39:60 Discovery Response sent to 10.64.94.52:2135

*spamApTask0: Jan 30 09:46:59.129: 00:19:07:c6:39:60 Discarding discovery request in LWAPP from AP supporting CAPWAP

*spamApTask0: Jan 30 09:47:28.995: 00:19:07:c6:39:60 Received LWAPP DISCOVERY REQUEST to 44:2b:03:b4:39:cf on port '13'
*spamApTask2: Jan 30 09:47:28.996: 00:19:07:c6:39:60 Discovery Request from 10.64.94.52:2134

*spamApTask2: Jan 30 09:47:28.996: 00:19:07:c6:39:60 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 50, joined Aps =0
*spamApTask2: Jan 30 09:47:28.996: 00:19:07:c6:39:60 Discovery Response sent to 10.64.94.52:2134

*spamApTask2: Jan 30 09:47:28.996: 00:19:07:c6:39:60 Discovery Response sent to 10.64.94.52:2134

*spamApTask0: Jan 30 09:47:28.996: 00:19:07:c6:39:60 Discarding discovery request in LWAPP from AP supporting CAPWAP

*spamApTask0: Jan 30 09:47:58.856: 00:19:07:c6:39:60 Received LWAPP DISCOVERY REQUEST to 44:2b:03:b4:39:cf on port '13'
*spamApTask3: Jan 30 09:47:58.857: 00:19:07:c6:39:60 Discovery Request from 10.64.94.52:2135

*spamApTask3: Jan 30 09:47:58.857: 00:19:07:c6:39:60 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 50, joined Aps =0
*spamApTask3: Jan 30 09:47:58.857: 00:19:07:c6:39:60 Discovery Response sent to 10.64.94.52:2135

*spamApTask3: Jan 30 09:47:58.857: 00:19:07:c6:39:60 Discovery Response sent to 10.64.94.52:2135

*spamApTask0: Jan 30 09:47:58.857: 00:19:07:c6:39:60 Discarding discovery request in LWAPP from AP supporting CAPWAP

*sshpmLscTask: Jan 30 09:48:10.688: sshpmLscTask: LSC Task received a message 4
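One way to summarise controller debug output like the above, added here as an example and not part of the original post: it flags an AP whose CAPWAP session repeated the Configure state and was then torn down by a DTLS close with no other state in between. The `CAPWAP State: Run` line, the second AP's MAC and the `min_repeats` threshold are assumptions made for the illustration.

```python
import re
from datetime import datetime

# Lines for 00:19:07:c6:39:60 are abridged from the debug output above; the
# 00:00:5e:00:53:01 lines are constructed to show an AP that leaves Configure.
SAMPLE = """\
*spamApTask2: Jan 30 09:46:50.021: 00:19:07:c6:39:60 CAPWAP State: Configure
*spamApTask1: Jan 30 09:46:51.500: 00:00:5e:00:53:01 CAPWAP State: Configure
*spamApTask1: Jan 30 09:46:52.100: 00:00:5e:00:53:01 CAPWAP State: Run
*spamApTask2: Jan 30 09:46:53.021: 00:19:07:c6:39:60 CAPWAP State: Configure
*spamApTask2: Jan 30 09:46:56.021: 00:19:07:c6:39:60 CAPWAP State: Configure
*spamApTask2: Jan 30 09:46:59.026: 00:19:07:c6:39:60 DTLS connection closed event receivedserver (10:71:142:8/5246) client (10:64:94:52/2134)
*spamApTask3: Jan 30 09:46:59.128: 00:19:07:c6:39:60 Discovery Request from 10.64.94.52:2135
"""

# "*task: Mon DD HH:MM:SS.mmm: <AP MAC> <message>"
LINE = re.compile(
    r"^\*\w+: (\w{3} +\d+ [\d:.]+): ((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (.*)$",
    re.I)

def stalled_joins(log, min_repeats=3):
    """Return one record per DTLS teardown that followed at least
    min_repeats consecutive 'CAPWAP State: Configure' events for the
    same AP with no other CAPWAP state in between."""
    pending = {}    # AP MAC -> [time of first Configure, repeat count]
    findings = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and lines that carry no AP MAC
        # The log has no year; a fixed one is used because only differences matter.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S.%f")
        mac, msg = m.group(2).lower(), m.group(3)
        if msg == "CAPWAP State: Configure":
            entry = pending.setdefault(mac, [ts, 0])
            entry[1] += 1
        elif msg.startswith("CAPWAP State:"):
            pending.pop(mac, None)  # any other state means the AP moved on
        elif msg.startswith("DTLS connection closed"):
            first, count = pending.pop(mac, (ts, 0))
            if count >= min_repeats:
                findings.append({"ap": mac, "configure_events": count,
                                 "seconds_in_configure": (ts - first).total_seconds()})
    return findings

if __name__ == "__main__":
    for finding in stalled_joins(SAMPLE):
        print(finding)
```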

Hi David,

There is nothing wrong in logs.

Now you must check your switch config, routing / firewall policies... (don't forget to open the ports 5246, 5247).

Regards

Have you tried to clear the AP and upload a new RCV image and start the AP from scratch?

I would upload this image to the AP first

c1240-rcvk9w8-tar.124-25e.JAO3.tar

http://software.cisco.com/download/release.html?mdfid=280237322&flowid=7588&softwareid=280775090&release=12.4.25e-JAO3&relind=AVAILABLE&rellifecycle=ED&reltype=latest

I would then delete all the other images in flash: and also delete these two files

delete flash:private-config
delete flash:private-multiple-fs

Erase the nvram:

Enter the username and password
debug LWAPP console cli
erase /all nvram:
[confirm]
undebug all
reload
[confirm]

When the AP comes back up, from the console issue: lwapp ap controller IP address

See if the AP joins


-Scott

Hi Scott,

Can you just show me how to download the new image to the AP?

Thanks a lot!

David

Hi David,

One other reason that H-REAP APs do not join WLCs is if the Proxy ARP is disabled on the gateway for the H-REAP APs. From the AP console, this message is logged:

*Jan 30 09:01:34.766: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(UNKNOWN_MESSAGE_T., 1)5)

This can be caused by Cisco bug ID CSCse92856. This problem applies only to AP1130 and AP1240. This problem does not apply to AP1000s, AP1100, or AP1200.

This problem occurs when these conditions are met:

  1. HREAP mode is used in the WLAN. Local mode is not affected by this issue. Native VLAN mapping is required.

  2. The APs have to be on a different IP subnet than the AP Manager of the WLCs.

  3. Proxy ARP is disabled on the default gateway for the AP.

  4. The H-REAP AP gets the default gateway from a DHCP server.

In order to resolve this issue, enable Proxy ARP on the default gateway router of the AP.

Try this.

Regards
