Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
485
Views
1
Helpful
6
Replies

Rebooting the AP after its disconnected from WLC

sroic
Level 1
Level 1

‎03-06-2025 03:56 AM

Hi, so we have a central 9800 controller in AWS and APs in Flexconnect mode running in our offices. They are switching traffic locally and using IPsec to reach the WLC. Our main SSID is dot1x and using central authentication with ISE also in AWS.

The issue occurs when e.g. an ISP fails in an office and the APs get disconnected from WLC. If the issue is not longer then couple of minutes the APs usually reconnect back and everything is fine. But if its longer the APs don't reconnect and at this point only PSK wifis work, dot1x stops authenticating new people. Retransmit timers under AP Join profile are set to max (Count: 8, Interval: 5 sec), afaik this cannot be set to more. I don't understand why the AP doesn't keep looping indefinitely with the reconnection attempts, or at least have an option to set this.

What we are left at this point is to:

1. manually connect to AP via SSH and try capwap ap restart command which sometimes works and something doesn't.

2. manually connect to AP/switch and reboot the whole AP. This is basically what we are doing right now

 

Now, there are options to reboot the AP from the WLC and DNAC but ofcourse non of these work when the AP itself is not connected to WLC.

I'm trying to find a way how to reconnect AP back to the controller after it has been disconnected for longer then e.g. 5 min. Right now only option I see is developing a custom script that will track WLC logs and then after some timeout go to switch/AP and reboot it. Which seems like an overkill, hard to fine tune and hard to administrate in the future. Is there some integrated option that I'm missing, how do you guys do it and has this been an issue for your deployments?

Labels:
0 Helpful
6 Replies 6

Scott Fella
Hall of Fame
Hall of Fame

‎03-06-2025 06:41 AM

That should not be the case.  You do have high availability defined on the access points with the hostname and ip of the controller(s) you have in AWS?  With this, the ap should always try to join the controller as long as the ap has a valid dhcp address.  What you can do is gather data by consoling into the ap and capturing the output.  Also make sure you don't have any DHCP option of DNS that might be pointing to another controller or possibly an ip that was once used by a controller.  While you are doing this, you should also open a TAC case because it is a good idea to have someone look to see how you have everything configured. The HA for the ap's can be defined on each ap or in the ap join profile. 

-Scott
*** Please rate helpful posts ***
0 Helpful

sroic
Level 1
Level 1

‎03-07-2025 03:18 AM

We have 2 controllers in N+1 setup, both added as primary and secondary in the AP join profile and also configured on each AP itself. Also we use dhcp option 43 to point to the primary controller IP when booting up, nothing else.

Also I'm quite sure the APs don't retry the discovery process after the timeout I mentioned above but will test it once again.

I'm interested if this same issue happens to other engineers in their deployments and how do they solve it. Maybe it doesn't and we have something misconfigured but I don't see it.

0 Helpful

marce1000
Hall of Fame
Hall of Fame
In response to sroic

‎03-07-2025 04:49 AM

 

@sroic   >...Maybe it doesn't and we have something misconfigured but I don't see it.
                    It's always useful to validate the configuration of the 9800 controller in  AWS
                    using the CLI command show tech wireless and feed the output into Wireless Config Analyzer
                    Checkout all advisories!
                                      Use the command denoted in green , do not use show tech-support
                                      for WirelessAnalyzer.

  M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Rich R
VIP
VIP

‎03-10-2025 08:49 AM

The APs should keep on re-trying, no special config needed.
What version of software are you using? Refer to TAC recommended link below.

 using IPsec to reach the WLC
Can you be more specific?  What are the 2 endpoints of the IPsec tunnel?
Problem is much more likely to be the IPsec than the CAPWAP - sounds like an SA timing out.

Check the WLC config as recommended by @marce1000 but this doesn't sound like a WLC config problem to me.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

sroic
Level 1
Level 1

‎03-12-2025 02:50 AM

Thank you for your inputs. We have an IPsec tunnel between local Fortigate firewall and AWS Cisco router. Will check that link for packet loss etc.

Meanwhile if this is the case that the AP keeps trying to reconnect to WLC indefinitely, what is the purpose of these retransmit timers:

sroic_0-1741772985364.png

 

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to sroic

‎03-12-2025 06:48 AM

Well that timer is in place for a reason, but maybe you have other issues on the FW.  Maybe check for stale entries or if the FW start blocking the discovery requests.  There are ports that need to be allowed for the timers to function as intended.

-Scott
*** Please rate helpful posts ***
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card