Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
938
Views
0
Helpful
6
Replies

FlexConnect Support: Branch AP is not joining to WLC

ejgreco
Level 1
Level 1

‎10-27-2022 01:55 PM

In our lab environment, we have a Catalyst 9800-CL WLC and SD-WAN. I am trying to get an AP at a branch home office to join the controller, but I am not having any success. The AP is set to mode local, and I do not see a way to change that to FlexConnect from the AP's CLI. The AP is able to ping the controller. The AP shows up in the controller under Monitoring > Wireless > AP Statistics > Join Statistics: Status not joined. I can only assume that means it is hitting the controller and the controller recognizes its existence.

I followed this guide to configure FlexConnect: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213945-understand-flexconnect-on-9800-wireless.html up until the last step, tagging the AP to a policy in the WLC. I did statically tag the AP to a policy tag and site tag via Configuration > Tags & Profiles > Tags > AP > Static, but that did not work. Below is the debug of one of many attempted CAPWAP joins:

Oct 27 20:42:45 kernel: [*10/27/2022 20:42:45.7694] CAPWAP State: Discovery
Oct 27 20:42:45 kernel: [*10/27/2022 20:42:45.7714] Discovery Request sent to 10.1.13.10, discovery type STATIC_CONFIG(1)
Oct 27 20:42:45 kernel: [*10/27/2022 20:42:45.7716] IP DNS query for CISCO-CAPWAP-CONTROLLER.[domain_removed]
Oct 27 20:42:45 kernel: [*10/27/2022 20:42:45.7963] DNS resolved CISCO-CAPWAP-CONTROLLER.[domain_removed]
Oct 27 20:42:45 kernel: [*10/27/2022 20:42:45.7963] DNS discover IP addr: 10.1.13.10
Oct 27 20:42:45 kernel: [*10/27/2022 20:42:45.7975] Discovery Request sent to 10.1.13.10, discovery type STATIC_CONFIG(1)
Oct 27 20:42:45 kernel: [*10/27/2022 20:42:45.7986] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
Oct 27 20:42:45 kernel: [*10/27/2022 20:42:45.7988] Discovery Response from 10.1.13.10
Oct 27 20:42:45 kernel: [*10/27/2022 20:42:45.8187] systemd[1]: Starting dhcpv6 client watcher...
Oct 27 20:42:45 kernel: [*10/27/2022 20:42:45.8194] Discovery Response from 10.1.13.10
Oct 27 20:42:45 kernel: [*10/27/2022 20:42:45.8963] systemd[1]: Stopping DHCPv6 client...
Oct 27 20:42:45 kernel: [*10/27/2022 20:42:45.8979] systemd[1]: Stopped DHCPv6 client.
Oct 27 20:42:45 kernel: [*10/27/2022 20:42:45.9386] systemd[1]: Starting DHCPv6 client...
Oct 27 20:42:45 kernel: [*10/27/2022 20:42:45.9793] systemd[1]: Started DHCPv6 client.
lient watcher.5 kernel: [*10/27/2022 20:42:45.9957] systemd[1]: Started dhcpv6 c--More--
Oct 27 20:42:55 kernel: [*10/27/2022 20:42:55.0001]
Oct 27 20:42:55 kernel: [*10/27/2022 20:42:55.0001] CAPWAP State: DTLS Setup
Oct 27 20:42:55 kernel: [*10/27/2022 20:42:55.3886] First connect to vWLC, accept vWLC by default
Oct 27 20:42:55 kernel: [*10/27/2022 20:42:55.3886]
Oct 27 20:42:55 kernel: [*10/27/2022 20:42:55.3947]
Oct 27 20:42:55 kernel: [*10/27/2022 20:42:55.3947] Successfully added VWLC root SSC
Oct 27 20:42:55 kernel: [*10/27/2022 20:42:55.3947]
Oct 27 20:42:55 kernel: [*10/27/2022 20:42:55.3953]
Oct 27 20:42:55 kernel: [*10/27/2022 20:42:55.3953] CAPWAP State: Join
Oct 27 20:42:55 kernel: [*10/27/2022 20:42:55.3971] Sending Join request to 10.1.13.10 through port 5264
Oct 27 20:43:52 kernel: [*10/27/2022 20:43:52.0183]
Oct 27 20:43:52 kernel: [*10/27/2022 20:43:52.0183] CAPWAP State: DTLS Teardown
Oct 27 20:43:52 kernel: [*10/27/2022 20:43:52.0294] Aborting image download(0x0): Dtls cleanup,
Oct 27 20:43:52 kernel: [*10/27/2022 20:43:52.0938] do ABORT, part2 is active part
Oct 27 20:43:52 upgrade: Cleanup tmp files ...
Oct 27 20:43:52 kernel: [*10/27/2022 20:43:52.1119] upgrade.sh: Cleanup tmp files ...
Oct 27 20:43:57 kernel: [*10/27/2022 20:43:57.7695] ipv6 gw config loop in Ac discovery
Oct 27 20:43:59 kernel: [*10/27/2022 20:43:59.7697] ipv6 gw config loop in Ac discovery
Oct 27 20:44:01 kernel: [*10/27/2022 20:44:01.7699] ipv6 gw config loop in Ac discovery
Oct 27 20:44:03 kernel: [*10/27/2022 20:44:03.7701] ipv6 gw config loop in Ac discovery
Oct 27 20:44:05 kernel: [*10/27/2022 20:44:05.7703] ipv6 gw config loop in Ac discovery

0 Helpful
6 Replies 6

Haydn Andrews
VIP Alumni
VIP Alumni

‎10-27-2022 05:40 PM

Do you have DHCP option 43 on the branch DHCP server for the AP management side pointing to the Lab WLC?

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***
0 Helpful

ejgreco
Level 1
Level 1

‎10-28-2022 06:06 AM - edited ‎10-28-2022 06:07 AM

Yes. At first, I had option 43 pointing to the WLC's management IP. When I changed it to the HQ AP management SVI IP that resolves from CISCO-CAPWAP-CONTROLLER.[domain] DNS requests (10.1.13.10 in the logs above), I still have the same issue.

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to ejgreco

‎10-28-2022 07:19 AM

My suggestion is to get an ap (what model ap) connected to the controller locally first to make sure the ap was able to join.  Then you can send that ap to the home office to see if the ap joins or not.  At least that eliminates some variables to help troubleshooting.  Is it safe to say that the home office is connected via SD-WAN or just NAT behind an ISP?

-Scott
*** Please rate helpful posts ***
0 Helpful

ejgreco
Level 1
Level 1

‎10-28-2022 07:32 AM

Yeah, that was my planned final step - join it at the HQ office. If successful there, just tag it for my home office and put it in FlexConnect mode. AP model is 9130AXI, so it should be an easy join with the C9800 WLC. My home office is connected via SD-WAN, so I might also have a config issue if FlexConnect over SD-WAN is different from standard FlexConnect over just an ISP.

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to ejgreco

‎10-28-2022 07:51 AM

The configuration is different if the AP is behind a NAT.  That is when you need to configure the public ip on the management interface and the ap needs to point to that.  If the AP "is like on a local lan" then it should join as if the ap is on the HQ location.

-Scott
*** Please rate helpful posts ***
0 Helpful

Rich R
VIP
VIP

‎10-28-2022 10:00 AM

What version of software is your WLC running?
What version of software is the AP running?
What is the full part number of your AP? (which will tell us the regulatory domain)
What country is your WLC configured for?
What do the WLC logs show?
Do a packet capture of UDP 5246 between AP and WLC (either on a router/switch in between or the WLC itself) to see what's happening in the AP join which might show why it's aborting.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card