cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1053
Views
0
Helpful
9
Replies
flokki123
Participant

WLC 2504 with AP 1700

Hi all,

 

I have the problem that my APs wont join my WLC for some reason.

On the DHCP server I can tell that all 4 APs get an IP address and I also can ping them but dont see them on my WLC.

When I look at the WLC log I can see the following messages:

 

*fp_main_task: Mar 27 15:33:36.004: %SSHPM-4-AES_AP_ONLY: sshpmcert.c:4919 Cisco APs will not be able to join this controller
*fp_main_task: Mar 27 15:33:36.004: %LOG-6-Q_IND: sshpmcert.c:4561 Found Manufacturing-installed device certificates
*fp_main_task: Mar 27 15:33:36.001: %SSHPM-6-MANUF_CERT_INFO: sshpmcert.c:4561 Found Manufacturing-installed device certificates

 

Unfortunately, I couldnt find anything about the first message online.

I configured Option 43 on the DHCP server and used the MGMT IP of the WLC in hex.

Any ideas? The first log message is somehow suspucious!?

 

Thanks!

 

 

9 REPLIES 9
marce1000
VIP Advisor

 

 - Which software version is the controller running ?. Make sure it is compatible with the AP-type.

 M.

Haydn Andrews
Rising star

Which software version are you running on the WLC.

The 1700 is only compatible with 8.0.x and above.

https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

 

Do you have any other 1700 series APs on the WLC?

Is the time on the WLC correct?

Try adding the AP Ethernet mac address to the AP Policies and see how you go as well

 

Can you console the AP and provide the logs from it when it tries to join.

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

Hi all,

 

thanks for all your replies!

FW running on the WLC is 8.1.x, which should be compatible to the APs.

Time is correct on the WLC.

I can ping all the AP IPs from the WLC.

When I turn on debugging for CAPWAP I dont see any related packets on the WLC?

There is another backup WLC in my mobility group to which I cannot connect yet. Might this be the problem? It says "Control and Data Path Down" for the connection to the other WLC. But I would think that this has nothing to do with the APs not joing the controller, right!?

At the moment I dont have any access to the APs.

 

BR

You have two issue which you need to address separately. As far as the mobility if the WLC’s are not in the same subnet, most likely you have an acl or fw rule blocking the mobility ports.

Now with your AP, can you place the AP on the same management subnet as the wlc is on? I’m assuming the aps are local to where the controllers are at? Can you post the show cdp neighbor detail from the switch?
-Scott
*** Please rate helpful posts ***

Hi Scott,

 

thanks for your reply!

 

Here the "cdp neig detail" output from the switch the APs are connected to:

 

Device ID: XXX-AP001
Entry address(es):
IP address: 172.29.x.x
IPv6 address: FE80::7A72:x:x:x:x (link-local)
Platform: cisco AIR-CAP1702I-E-K9, Capabilities: Trans-Bridge Source-Route-Bridge IGMP
Interface: GigabitEthernet0/1, Port ID (outgoing port): GigabitEthernet0
Holdtime : 158 sec

Version :
Cisco IOS Software, C1700 Software (AP3G2-K9W8-M), Version 15.3(3)JD14, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Fri 23-Mar-18 09:21 by prod_rel_team

advertisement version: 2
Duplex: full
Power drawn: 15.400 Watts
Power request id: 51247, Power management id: 2
Power request levels are:15400 13000 0 0 0
Management address(es):
IP address: 172.29.x.x

 

 

 

From the switch the WLC is connected to:

 

Device ID: XXX

Interface address(es):
IPv4 Address: 172.29.X.X
IPv6 Address: fe80::ba38:x:x:x:x
Platform: AIR-CT2504-K9, Capabilities: Host
Interface: Ethernet1/18, Port ID (outgoing port): GigabitEthernet0/0/1
Holdtime: 160 sec

Version:
Manufacturer's Name: Cisco Systems Inc. Product Name: Cisco Controller Product Version: 8.1.131.0 RTOS Version: Erro Bootloader Version: 1.0.20 Build Type: DATA + WPS

Advertisement Version: 2
Duplex: full

 

 

The WLC is connected via a trunk and the APs are connected as access ports to VLAN 100. The trunk to the WLC is allowed to carry VLAN 100.

Unfortunately, I cannot connect them together directly.

Just as info for you, I also included now the string "Cisco AP c1700" as option 60 with my DHCP server.

According to the "setup guide" its necessary.

 

BR

Well the AP is lightweight which is good but might not be 100% if it was converted. Place the AP on the same subnet as the WLC and see if it joins. Do one first, once it joins, then you can move it back to the other vlan.  If that is the issue, then you know your option is not working. 
-Scott
*** Please rate helpful posts ***

Hi Scott,

 

thanks for your help.

I will do this and see what happens.

One last question, what FW version is getting pushed down to the APs from the WLC?

When I look at the WLCs flash there are only the active and backup FW versions.

But that are not the FW versions used for the APs, right? How can I tell the WLC which FW version to use for the APs?

 

Thanks!

The wlc will push the image to the AP. If you look at the config boot, you will see “active”, which is what the controller booted from and “default” which is the image the wlc will boot from on the next reload. So whatever the image the controller is currently on, that’s the image that will get pushed down to the AP. So even if you boot the controller on a different code, the controller will push the other image to the AP. 
-Scott
*** Please rate helpful posts ***
Sandeep Choudhary
VIP Mentor

paste the output of these commands:

 

From WLC: sh sysinfo

FRom AP: sh version

 

Also boot the AP and paste the complete bootup process here .

 

Reagards

Dont forget to rate helpful posts

Content for Community-Ad