Solved: WLC9800 - no AP's joining

Workshire · ‎03-07-2024

Good day,

I have the following issue.

I am configuring a WLC 9800 -l-f device and have the issue that the Access port is not getting the config from the controller. The AP just boots up and then flahes red and green. I think it cant get a connection to the controller or it cant get an IP from a DHCP.

Can someone just verify the switchport settings and the WLC settings for me please?

vlan 20 is for the WLC management

vlan 22 is supposed to be for AP's only

vlan 19 is the guest wifi

Switchport settings: Int gi1/0/10

switchport mode trunk

switchport trunk native vlan 20

switchport trunk allowed vlan 20,22,19

WLC config: vlan 20

name wlan mgmt

int vlan 20

ip add 192.168.10.2 255.255.255.240

ip route 0.0.0.0 0.0.0.0 192.168.10.1

wireless management interface vlan 20

vlan 22

name APs

vlan 19

name guest

int tw0/0/0

switchport trunk allowed vlan 19,20,22

switchport mode trunk

switchport trunk native vlan 20

that's about it. I can access the WLC via webinterface and can start the zero day configuration and can add wifi network etc.

I can ping the gateway and also have dhcp setup for the vlan 22 (AP's) but the AP is not getting an IP from the dhcp.

The WLC is only connected via one cable from port tw0/0/0 to the switchport gi1/0/10

they are both trunks and carry all of those mentioned vlans. I think either something is configured wrong here or maybe on the switchport where the AP is connected to.

The port on the switch for the AP is configured like this:

switchport mode trunk

switchport trunk native vlan 22

basically i am not sure why the WLC can not even "find" the AP so it can be managed by the wlc. Usually it is supposed to just work when you plug a new AP into t network socket with that config, the wlc should "discover" that new AP and then just load everything on it. But i can not get that far. Am I doing something wrong? Even I didnt finsih yet the complete WLC setup (Zero day is finished), it should at least find the AP.

can someone please give me a hint. I worked on this issue for the last 3 days almost nonstop but cant figure this out.

thank you for your help

Workshire · ‎03-12-2024

Just an update for everyone. The Issue was that the WLC were running Version 17.3 and with our AP's CW9164-l it needed to run at least Version 17.9. After updating the WLC's, the AP's were all discovered successfully. maybe someone can mark this as solution, at least this was the issue for me. Thanks all for your ideas and help.

View solution in original post

marce1000 · ‎03-07-2024

- Start with a checkup of the 9800-l-f controller configuration using the CLI command show tech wireless and feed that output into : https://cway.cisco.com/wireless-config-analyzer/

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Workshire · ‎03-07-2024

thanks, i will check that out

balaji.bandi · ‎03-07-2024

if the AP in VLAN 22, where is the VLAN 22 Layer 3 Interface and where is the DHCP Server ?

where ever layer 3 interface you need to add ip helper address to reach DHCP and get DHCP IP

if you are using DHCP you need to add option 43 to tell where the WLC conttroller for the AP join

(there are different methods you can use for AP to Join WLC) in your case Option 43 is good to use case.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Workshire · ‎03-07-2024

thanks for your input. Do i need to configure the IP helper address on the WLC or on the switch? or on both?

balaji.bandi · ‎03-07-2024

On the Switch where the Layer3 SVI for VLAN 22

what DHCP Server in the network.

Also make sure you setup WLC first before you join AP to WLC.

start from here :

https://www.youtube.com/watch?v=5FpYS_rphik

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Workshire · ‎03-07-2024

thanks for the link. now i setup the helper address and the AP gets finally an IP address but the wlc still cant "see" the AP. But also under the SVI, the VLAN 22 has an Admin status that is UP but Operational Status DOWN.

balaji.bandi · ‎03-08-2024

VLAN 22 has an Admin status that is UP but Operational Status DOWN.

until any devices connected belong to VLAN 22 on the access port that will not come.

we need to see the cnfiguration.

AP gets finally an IP address but the wlc still cant "see" the AP

connect the console to AP and post complete boot Log

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Rich R · ‎03-08-2024

There's no need for VLAN 22 to be configured on the WLC at all - it's your AP VLAN. The switch needs to be routing between VLAN 20 and 22.

The WLC doesn't find the AP, the AP finds the WLC. As BB said you need to configure option 43 on the DHCP server to tell the AP where the WLC is:
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/97066-dhcp-option-43-00.html

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

marce1000 · ‎03-07-2024

>...Even I didnt finsih yet the complete WLC setup (Zero day is finished), it should at least find the AP.
Adding : to be honest , that is not a good strategy ; the controller should be properly configured first

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

jagan.chowdam · ‎03-07-2024

I would start by verifying Layer 2 & Layer 3 first -

VLAN's 20 & 22 SVIs are defined and reachable;
DHCP server/IP reachable from both VLANs; Connect Laptop to the switch port in AP vlan and see if it get's an IP assigned and can ping WLC Mgmt IP.
AP port as Access Port on VLAN 22; (No need for trunk unless you are doing FlexConnect design)
AP-WLC discovery - Static config on AP, DHCP option 43 or DNS resolution
Verify AP Join trustpoint on WLC with command "show wireless management trustpoint" and verify if the trustpoint is set.

Validate the wireless configuration using the following exec command:

c9800#wireless config validate

What is the AP model?

Jagan Chowdam

/**Pls rate useful responses**/

Workshire · ‎03-07-2024

vlans 20 and 22 svis are defined. only vlan 20 is up and reachable. vlan 22 is not reachable

dhcp server is now reachable with the help of the ip helper address

AP port no need for trunk. MY idea is that the AP's are in VLAN 22,and getting an IP from DHCP in that network but the AP itself "carries" several SSID (With different vlans for example ssid guest with vlan 19)

AP-WLC disvovery. Not sure were to configer this option43 yet? on the AP join profile?

i executed both commands and the trustpoint is set (everything says it is available, except the FIPS suitability is not applicable.)

the AP models are the CW9164I-E. I just unpacked and connected one for now to see if the controller "sees" it.

the AP is now visible in the DHCP range but the wlc still cant see it.

Workshire · ‎03-07-2024

i was able to figure out how to enable the SVI operational lines and also add the DHCP Option 43 to the dhcp server inside the scope options and added the hex code for my environment. but still the WLC cant see the Access Point which got an IP address already from dhcp. What i tried this morning is to change the switchport on the switch from trunk to access port on vlan 22. this change did nothing , it works (or doesnt) like before.

maybe the config like this is missing:

ip dhcp pool <pool name>

network <ip network> <netmask>

default-router

dns-server

option 43 hex <hex-string>

but this needs to go on the switch right? but then i need to add this to all switches in the office?

marce1000 · ‎03-07-2024

>... but then i need to add this to all switches in the office?
- Seriously that is the definition for a dhcp server for which you only need one,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Workshire · ‎03-07-2024

yes of course i need only one dhcp server, but do I need to add this configuration on only one switch where the wlc is connected to?

ip dhcp pool <pool name>

network <ip network> <netmask>

default-router

dns-server

option 43 hex <hex-string>

because the option 43 on the scope options is pretty clear, on the dhcp server itself of course i can only set it once but im asking about that command i posted.

thanks for the help