No more ap manager IP addresses remain

Unanswered Question
May 17th, 2008

Can anyone think of a reason why I would receive the error "No more AP Manager IP addresses remain"? I've had this error before when the correct interface for the AP manager was not configured, and I can see it happening if you were to put the AP Manager onto a subnet that couldn't communicate with the management interface. Also, for converted APs, you need the SSC key hash. But this is a newer 1131AG, and when I converted it the CSV file was empty. I've got this AP across a WAN link with a static one to one NAT. The AP does not get a join response. I've got what I believe to be correct firewall permissions with ports 12222 and 12223. Any ideas?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
dennischolmes Sun, 05/18/2008 - 14:12

A single AP manager interface only supports 48 APs per gig port on the 4400 series controllers although it is recommended you only attach 25 APs per port to maintain good throughput. You can circumvent this by utilizing LAG or by assigning multiple AP manager interfaces, each tied to a different physical SFP port. See your configuration guide.

http://www.cisco.com/en/US/docs/wireless/controller/4.0/configuration/guide/c40mint.html

Scott Pickles Tue, 05/20/2008 - 12:27

Dennis,

Thanks for the response. I wish it were that simple. I'm aware of the AP limits per interface, and you can circumvent that by using LAG (up to the limit of the controller in total). The reason I posted is that I've gotten that error many times, and it is unfortunate that error messages cannot be more descriptive because it was a different cause/resolution each time. I believe I have routing issues through my firewall, and while the response may be coming from the controller, it is not reaching the AP. Ultimately, this results in the error I'm getting. I'll continue to hammer away at it, and post my follow up here as I go along.

Regards,

Scott

George Stefanick Sun, 05/25/2008 - 05:39

Dennis,

You should download the Cisco Wireless LAN Controller Message Guide.

It has a vast collection of controller messages and their meanings. I would supply the link, buti dont have it at the moment. Do a little google and im sure you will find it ... Keep it close, its a great guide!

mmcmurtry Wed, 06/04/2008 - 10:57

I saw this message after I converted an AP from autonomous to LWAPP.

On the AP console:

"LWAPP_CLIENT_ERROR_DEBUG: No more AP Manager IP addresses..."

On the WLC using "debug lwapp events enable":

"LWAPP Join Request does not include valid certificate in CERTIFICATE_PAYLOAD from AP..."

"Unable to free public key for AP..."

"Decoding Join Request failed for AP..."

Finally, the key message that pointed me in the right direction was from the event log page on the WLC:

"Failed to authorize AP with Base Radio MAC ----. Authorization key does not match with SHAI key in Controller's AP Authorization List."

The problem was APs prior to July 18,2005 did not ship with MIC (Manufacturer Installed Certificate). The conversion tool generates a SSC (Self Signed Certificate) during the conversion and this certificate must be loaded on all controllers that will host the AP. The AP joined the controller I used to convert the AP, but when I moved the AP to a different controller I saw the problem.

The conversion tool creates a Config_[date]_[number].csv for each AP. This file will contain the SSC information that must be loaded on each controller. It will contain the AP MAC address and key. You load SSCs at the controller Security -> AAA -> AP Policies page.

engineerangelo Mon, 05/26/2008 - 01:44

Hi,

Can you send me the configuration and the setup you're doing. I'll check if there's anything wrong with it. Thanks.

Regards

Scott Fella Wed, 06/04/2008 - 15:57

Have you looked at this post:

A normal LWAPP discovery/join exchange between a WLC and AP looks like this:

1. AP sends LWAPP Discovery Request to WLC

2. WLC sends LWAPP Discovery Response to AP

3. AP sends LWAPP Join Request to WLC

4. WLC sends LWAPP Join Response to AP

If you follow the log messages, you can see the AP never got the LWAPP Join Response from the WLC. The log message "No more AP manager IP addresses remain" indicates the AP has exhausted it's candidate controller list and received no LWAPP Join Responses.

So, now you have to figure out why. You might take a swag and check the date/time on your controller is current. If it's defaulted, your AP certificates will be out of the valid date/time range and so the WLC won't validate them.

I'd start by running the following debug on your AP:

debug lwapp client event

That'll tell you that the AP is sending out the LWAPP Join Request to the right controller. If it's not, then you have to investigate what's going with the discovery phase.

Next, check that the LWAPP Join Request is arriving at your controller. At your controller console:

debug lwapp events enable

You should see a message that indicates the LWAPP Join Request has arrived from your AP. It'll also tell you if it sends an LWAPP Join Response.

The point is just walk through the LWAPP state machine and find the point where it's failing.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=General&topicID=.ee6e8b8&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc00194

Scott Pickles Thu, 06/05/2008 - 07:27

All -

I have been running the debugs, and I find that the request makes it to the controller. I've also been debugging my firewall with a policy to check ports 12222 and 12223. While I'm seeing the request make it to the controller, I'm not seeing the request make it out of my firewall (i.e. no outgoing port 12222/12223 packets). So at this point, I think I've got infrastructure issues, and the error 'No more AP manager IP addresses remain' is due to the fact that the AP just isn't getting the response.

Regards,

Scott

tkhan Fri, 06/06/2008 - 03:10

Check the error messages on the APs, also make sure your controller has a valid time source via NTP or setting time manually. APs won't join the controller unless the controller has a valid timestamp.(I think the threshold is within a month or so)

Scott Pickles Fri, 06/06/2008 - 12:20

tkhan -

I've checked all the easy/normal reasons why an AP won't join (been working with this stuff since it was AireSpace). I already have APs registered, converted autonomous ones at that. So I've got AP policies for SSCs and MICs, and the time is indeed connected with an NTP server. The time issue centers around a difference between the timestamp of the certificate and the controller. Too far out of whack and the AP won't join. Whether that's a month or so, I'm not sure. But I would think it would be more like a year since there's no telling when an AP will actually make it to a customer site from the time it rolls off the line...

Regards,

Scott

dennischolmes Fri, 06/06/2008 - 14:43

Its actually a much shorter time. If the day is different then it can stop the association.

dennischolmes Fri, 06/06/2008 - 18:52

I know its short Scott but I think it would have to be longer than 4 hours just to account for time zone differences in the US.

Scott Fella Fri, 06/06/2008 - 18:56

A TAC engineer actually told me is was +-5 minutes. I actually tested it at 30 minutes and the ap's wouldn't join. I will try testing that this weekend if I remember.

Actions

This Discussion

 

 

Trending Topics: Other Wireless Mobility

client could not be authenticated
Network Analysis Module (NAM) Products
Cisco 6500 nam
reason 440 driver failure
Cisco password cracker
Cisco Wireless mode