LWAP is interrupting TFTP image download with WLC discovery process

SurCullsALot (Level 1)

I am trying to set an AP from LW to Autonomous.

I have managed to connect to the AP and used the command

"debug capwap console cli" to gain access to exec mode and start a TFTP image download.

The AP interrupts the image download with messages that it can't find a WLC using static and will force DHCP. After a while of DHCP attempts it forces a complete reload to go back to the static address. The first AP console message breaks the image download and I can't reinitiate it, due to the socket error.

Is there any way to issue a command that will stop the AP attempting to connect to a WLC long enough for me to download a fresh image?

 

Thanks in advance


balaji.bandi (Hall of Fame) [Accepted solution]

You need an isolated setup; the AP and your laptop can do this work, rather than connecting to a switch in a production network.

https://www.youtube.com/watch?v=O2qNFVZ-KRQ

BB


Thank you, this is pretty much what I was doing but I hadn't discovered the mode button.

Rich R (VIP)

I always have my APs using DHCP and have never seen this problem, so using static may actually be the cause, because that is a built-in recovery mechanism for a misconfigured static IP. With mine the AP keeps on downloading while the discovery continues without disrupting the download. I don't know of any way to stop the discovery process, but you can avoid the static->DHCP recovery mechanism by using DHCP instead of a static IP.

Thanks, you nailed it. I installed a lightweight image as I didn't know if an autonomous image would try to connect to the WLC. However I left a static IP on the BVI interface and a default gateway somewhere on the switch; not sure where the DG is actually stored.

I was able to get into config mode using the debug capwap command, and I was able to remove the static IP and DG, but I couldn't save the config to NVRAM, because lightweight image. So rather than spend an hour on the interwebs looking for some super secret command I thought I would roll back to the autonomous image, remove the static IP and DG, then reload a lightweight image. This led to me making the post.

It turns out that while I couldn't save to NVRAM, there is a command in debug capwap that resets the AP to factory default. Which is nice, because that removed the static IP and DG.

So now I have a lightweight AP that has DHCP configured on the BVI, and has rolled through 47 of the available DHCP pool addresses whilst trying to form a connection to the WLC. It doesn't sound so good, but from my perspective I am getting closer to getting this AP connected to the WLC.

I think I have misunderstood how WLC ports work. I can ping both the management and service ports, but I can only access the WLC GUI using the service port address. Everything I have read tells me I should be connecting to the management interface to access the GUI. Which leaves me wondering if the AP is also not able to access the management interface.

 

Rich R (VIP)

There are "capwap ap" commands for configuring the IP/DHCP config too ...
GUI on service port is normal.
What WLC?
What version of software is the WLC running?
What AP?
What version of software is the AP running?

If you're playing with old AP and/or WLC you probably want to have a careful read through
https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html

 

Hello rrudling

WLC 5508

Cisco AireOS Version 8.0.152.0

Firmware Version FPGA 1.3, Env 1.6, USB console 1.27

 

1702i Access Point

ap3g2-k9w8-tar.153-3.JPI5.tar

The AP is set to factory default.

According to the 1702 guide it is supported by WLC software 8.x and above. I have issued the commands on the WLC to ignore certificates.

 

Turns out the initial problem I had with connection is that I did not understand how to set up Option 43 correctly. My first attempt was "option 43 ip 10.1.20.253".

I have now set the Option 60 and 43 fields correctly using ASCII and hex strings, and get positive messages from the AP that it has received a WLC address via DHCP. However I am now having a problem with certificates, which again I think might be my fault.

*Dec 25 05:29:23.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.20.253 peer_port: 5246
*Dec 25 05:29:23.491: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.1.20.253 peer_port: 5246
*Dec 25 05:29:23.491: %CAPWAP-5-SENDJOIN: sending Join Request to 10.1.20.253
*Dec 25 05:29:23.491: %DTLS-5-ALERT: Received WARNING : Close notify alert from 10.1.20.253
*Dec 25 05:29:23.491: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.1.20.253:5246
*Dec 25 05:29:33.495: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

 

When I initially set up the WLC, I needed to change some of the security settings in the CLI to make an HTTPS connection with a browser. I will have a look at those settings later tonight and see if it makes a difference.

Thanks for your help
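The Option 43 encoding the post above got wrong on the first attempt is worth seeing worked through. This is an added example, not code from the thread or from Cisco: it builds the vendor-specific TLV that Cisco lightweight APs expect in DHCP option 43 (type byte 0xF1, a length of 4 bytes per controller, then each controller's IPv4 address as raw bytes), formats it in the dotted-hex form an IOS DHCP pool takes, and decodes a received option back to addresses, rejecting a bare address with no TLV header. The vendor class identifier "Cisco AP c1700" for the 1702i is an assumption; confirm it against the AP's own DHCP Discover if in doubt.

```python
"""Encode and decode Cisco WLC discovery DHCP options (60 and 43).

Added example, not code from the thread or from Cisco. Assumptions:
- Option 43 for a Cisco lightweight AP is a single TLV: type 0xF1,
  length = 4 * number of controllers, then each IPv4 address packed.
- The option 60 vendor class identifier for a 1700-series AP is assumed
  to be "Cisco AP c1700".
"""
import ipaddress

WLC_OPTION43_TYPE = 0xF1  # type byte of the controller-address TLV


def encode_option43(controllers):
    """Return the raw option 43 bytes for a list of WLC management IPs."""
    ips = [ipaddress.IPv4Address(c) for c in controllers]
    if not ips:
        raise ValueError("at least one controller address is required")
    payload = b"".join(ip.packed for ip in ips)          # 4 bytes per WLC
    return bytes([WLC_OPTION43_TYPE, len(payload)]) + payload


def decode_option43(raw):
    """Parse option 43 bytes back into dotted controller addresses.

    Raises ValueError when the bytes are not a well-formed 0xF1 TLV, which
    is what the AP sees if the pool sends a bare 'option 43 ip <addr>'.
    """
    if len(raw) < 2 or raw[0] != WLC_OPTION43_TYPE:
        raise ValueError("not a Cisco WLC (0xF1) TLV")
    length, body = raw[1], raw[2:]
    if length != len(body) or length % 4 != 0:
        raise ValueError("TLV length does not match an IPv4 address list")
    return [str(ipaddress.IPv4Address(body[i:i + 4]))
            for i in range(0, length, 4)]


def ios_hex(raw):
    """Format bytes as IOS 'option 43 hex' expects: dotted groups of 4 hex digits."""
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def ios_pool_lines(controllers, vci="Cisco AP c1700"):
    """Return the two IOS DHCP pool lines that steer an AP to the WLC(s)."""
    raw = encode_option43(controllers)
    return [
        f'option 60 ascii "{vci}"',
        f"option 43 hex {ios_hex(raw)}",
    ]


if __name__ == "__main__":
    # The controller address from the thread, used as sample input.
    for line in ios_pool_lines(["10.1.20.253"]):
        print(line)
```

For the single controller in the thread this yields `option 43 hex f104.0a01.14fd`: `f1` type, `04` length, then `0a.01.14.fd` for 10.1.20.253. Sending the address with `option 43 ip` instead puts the four address bytes on the wire without the type and length header, which is why the AP never recognised a controller from it.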

I was wrong, the settings I changed in the CLI previously were only related to secure web connections.

I checked the certificate expiry dates on the WLC and they are all around 2029, apart from the Airespace certs that run till 2015.

The one that seems to be important according to the field notice is Cisco SHA1 device cert

On my device

Certificate Name: Cisco SHA1 device cert

Validity : Start : 2013 Jan  5th, 16:29:21 GMT

             End   : 2023 Jan  5th, 16:39:21 GMT

If the certificates are valid, then does the field notice apply? Is there any other reason that the AP might not be able to join?

 

The field notice applies when AP and/or WLC certs have expired.  It's only fixed when both are running new code *with* the config workaround applied.  The AP must successfully join a WLC to pick up the config from the WLC.  A workaround (if certs are expired) as per the FN, is to turn off NTP and set time to when both certs are valid.

But more likely your problem here is incompatible code versions. 15.3(3)JPI5 = IOS-XE 16.12.3
https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html#ctr-ap_support
I don't think that will be able to talk to 8.0.152.0.  Install 15.3.3-JA12 on your AP then it should be able to join the WLC:
https://software.cisco.com/download/home/286281141/type/280775090/release/15.3.3-JA12
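The two checks in the reply above (are the certificates still inside their validity window, and how far did the AP get before the controller dropped it) can be run over the console output already posted in the thread. This is an added example, not code from the thread or from Cisco, and it is constructed from the log lines and the "Cisco SHA1 device cert" validity text quoted earlier. It assumes the AP console format shown (`*Dec 25 05:29:23.491: %CAPWAP-5-SENDJOIN: ...`) and the `Validity : Start / End` layout of the WLC certificate output; the stage names and the verdict strings are this example's own.

```python
"""Triage a lightweight AP's CAPWAP join attempt.

Added example, not code from the thread or from Cisco. It parses the AP
console messages posted in the thread to see how far the join got, and
checks the WLC certificate validity text against a supplied clock, which
is the decision the reply above describes: expired certs -> FN63942 time
workaround; valid certs but join rejected -> check AP/WLC software
compatibility first.
"""
import re
from datetime import datetime, timezone

# Constructed sample input, copied from the lines posted in the thread.
SAMPLE_LOG = """\
*Dec 25 05:29:23.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.20.253 peer_port: 5246
*Dec 25 05:29:23.491: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.1.20.253 peer_port: 5246
*Dec 25 05:29:23.491: %CAPWAP-5-SENDJOIN: sending Join Request to 10.1.20.253
*Dec 25 05:29:23.491: %DTLS-5-ALERT: Received WARNING : Close notify alert from 10.1.20.253
*Dec 25 05:29:23.491: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.1.20.253:5246
*Dec 25 05:29:33.495: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
"""

SAMPLE_CERT = """\
Certificate Name: Cisco SHA1 device cert
Validity : Start : 2013 Jan  5th, 16:29:21 GMT
             End   : 2023 Jan  5th, 16:39:21 GMT
"""

# "*Mon DD hh:mm:ss.mmm: %FACILITY-SEV-MNEMONIC: text"; lines without a
# %-mnemonic (the SHA2 MIC note) are ignored.
MSG_RE = re.compile(
    r"^\*\w{3} +\d+ [\d:.]+: %(?P<mnemonic>[A-Z0-9_-]+-\d-[A-Z_]+): (?P<text>.*)$")
VALID_RE = re.compile(
    r"(Start|End)\s*:\s*(\d{4}) (\w{3})\s+(\d+)\w*, (\d\d:\d\d:\d\d) GMT")


def parse_events(log):
    """Return (mnemonic, text) pairs for each syslog-style line, in order."""
    events = []
    for line in log.splitlines():
        m = MSG_RE.match(line.strip())
        if m:
            events.append((m.group("mnemonic"), m.group("text")))
    return events


def join_stage(events):
    """Classify how far the AP got.

    'discovery'     - no DTLS request seen at all
    'dtls'          - DTLS requested but no Join Request sent
    'join_rejected' - Join Request sent, then a DTLS alert from the peer
    'join_sent'     - Join Request sent and no alert afterwards
    """
    names = [name for name, _ in events]
    if "CAPWAP-5-SENDJOIN" not in names:
        return "dtls" if "CAPWAP-5-DTLSREQSEND" in names else "discovery"
    after_join = names[names.index("CAPWAP-5-SENDJOIN") + 1:]
    return "join_rejected" if "DTLS-5-ALERT" in after_join else "join_sent"


def cert_window(text):
    """Parse the Start/End validity lines into UTC datetimes."""
    found = {}
    for which, year, mon, day, hms in VALID_RE.findall(text):
        stamp = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
        found[which] = stamp.replace(tzinfo=timezone.utc)
    return found["Start"], found["End"]


def cert_valid_at(text, now_iso):
    """True if the ISO-8601 UTC time (e.g. '2022-12-25T05:29:23') is inside the window."""
    start, end = cert_window(text)
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return start <= now <= end


def triage(log, cert_text, now_iso):
    """Return (stage, verdict) following the reasoning in the reply above."""
    stage = join_stage(parse_events(log))
    if not cert_valid_at(cert_text, now_iso):
        return stage, "cert_expired"             # FN63942 clock workaround applies
    if stage == "join_rejected":
        return stage, "check_software_compatibility"
    return stage, "inconclusive"


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_CERT, "2022-12-25T05:29:23"))
```

Run against the thread's own lines with a clock inside the certificate window, the verdict is `('join_rejected', 'check_software_compatibility')`: DTLS came up and the Join Request went out, so discovery and the DTLS handshake were fine and the controller closed the session at the join, which is consistent with the version mismatch the reply identifies. With a clock past January 2023 the same log returns `cert_expired`, the case where the field notice's time workaround is the first thing to try.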

[Accepted solution] Thank you rrudling, rolling back to JA12 worked a treat. Joined the WLC without issue.
