AP 1231 after CAPWAPP upgrade JOIN problems

Unanswered Question
Apr 7th, 2009
User Badges:

Hi,


I upgraded a Cisco 1231 AP from stanalone to CAPWAPP / LWAPP.


I am running 5.2.130 on my controller.


After the upgrade, I see the AP in the controller list, and then it disappears.



Part of the trace is as below.


I have 2 other APs that are on the same subnet and register fine..


I also have ip forward-protocol upd set for both capwapp and lwapp ports.





*Apr 07 10:34:17.328: 00:13:60:7c:a1:24 LWAPP Discovery Request AP Software Version: 0x3003300

*Apr 07 10:34:17.328: 00:13:60:7c:a1:24 Received a Discover Request from 00:13:60:7C:A1:24 via IP broadcast address but the source IP address (10.1.1.188) is not in any of the configured subnets. Rejecting the

*Apr 07 10:34:17.329: 00:13:60:7c:a1:24 LWAPP Discovery Request AP Software Version: 0x3003300

*Apr 07 10:34:17.329: 00:13:60:7c:a1:24 LWAPP Discovery Request AP Software Version: 0x3003300


Another snippet


In AAA state 'Idle' for AP 00:13:60:7c:a1:24

*Apr 07 10:42:01.653: Received SPAM_GOT_AAA_RESPONSE


*Apr 07 10:42:06.676: Received a packet which is a (type = JOIN_REQUEST) with session id 0


*Apr 07 10:42:06.677: 00:13:60:7c:a1:24 spam_lrad.c:6500 - Sending disassoc trap for AP 00:13:60:7c:a1:24 (state 4)

*Apr 07 10:42:06.677: 00:13:60:7c:a1:24 Deleting and removing AP 00:13:60:7c:a1:24 from fast path

*Apr 07 10:42:06.677: 00:13:60:7c:a1:24 Re-establishing connection to AP 00:13:60:7c:a1:24

*Apr 07 10:42:06.677: Could not find BoardDataPayload

*Apr 07 10:42:06.678: 00:13:60:7c:a1:24 Created AP 00:13:60:7c:a1:24

*Apr 07 10:42:06.678: 00:13:60:7c:a1:24 spamDecodeJoinReq: apSwVersion=0x3003300





A show AP summary shows this, and then the last line (last AP ) disappears after a while....



(Cisco Controller) >show ap summary


Number of APs.................................... 2


Global AP User Name.............................. apadmin

Global AP Dot1x User Name........................ Not Configured


AP Name Slots AP Model Ethernet MAC Location Port Country Priority

------------------ ----- ------------------- ----------------- ---------------- ---- ------- ------

ap1130 2 AIR-AP1131AG-E-K9 00:1b:53:c8:67:bc default location 1 GB 1

AP0013.607c.a124 0 00:13:60:7c:a1:24 default location 1 GB 1




Any ideas ?


Thanks




  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
shahedvoicerite Tue, 04/07/2009 - 03:17
User Badges:

I downgraded my controller to 5.0.148.2.


My old 1131 still associates, but the new 1231 is still not associating..


I see it come up and then drop out again...



Could it be the time on the AP ??


When the upgrade took place, I think I saw the date being set to yesterdays date...



Below is a longer debug trace...




spam_tmr.c:613 - Sending disassoc trap for AP 00:13:60:7c:a1:24 (state 4)

Tue Apr 7 11:21:16 2009: 00:13:60:7c:a1:24 Deleting and removing AP 00:13:60:7c:a1:24 from fast path

Tue Apr 7 11:21:16 2009: sshpmFreePublicKeyHandle: called with 0xb971cb8

Tue Apr 7 11:21:16 2009: sshpmFreePublicKeyHandle: freeing public key

Tue Apr 7 11:21:18 2009: 00:13:60:7c:a1:24 LWAPP Discovery Request AP Software Version: 0x3003300

Tue Apr 7 11:21:18 2009: 00:13:60:7c:a1:24 Received a Discover Request from 00:13:60:7C:A1:24 via IP broadcast address but the source IP address (10.1.1.188) is not in any of the configured subnets. Rejecting the request

Tue Apr 7 11:21:18 2009: 00:13:60:7c:a1:24 LWAPP Discovery Request AP Software Version: 0x3003300

Tue Apr 7 11:21:18 2009: 00:13:60:7c:a1:24 LWAPP Discovery Request AP Software Version: 0x3003300

Tue Apr 7 11:21:28 2009: 00:13:60:7c:a1:24 Created AP 00:13:60:7c:a1:24

Tue Apr 7 11:21:28 2009: 00:13:60:7c:a1:24 spamDecodeJoinReq: apSwVersion=0x3003300

Tue Apr 7 11:21:28 2009: sshpmGetIssuerHandles: locking ca cert table

Tue Apr 7 11:21:28 2009: sshpmGetIssuerHandles: calling x509_alloc() for user cert

Tue Apr 7 11:21:28 2009: sshpmGetIssuerHandles: calling x509_decode()

Tue Apr 7 11:21:28 2009:


sshpmGetIssuerHandles: Mac Address in subject is 00:13:60:7c:a1:24



Tue Apr 7 11:21:28 2009: Tue Apr 7 11:21:28 2009: sshpmGetCID: Tue Apr 7 11:21:28 2009: sshpmGetIssuerHandles: Calculate SHA1 hash on Public Key Data

Tue Apr 7 11:21:28 2009:


sshpmGetIssuerHandles: SSC Key Hash is 59f925b1eed33876d4aea3870ab98c187fc96849

Tue Apr 7 11:21:28 2009: 00:13:60:7c:a1:24 In AAA state 'Idle' for AP 00:13:60:7c:a1:24

Tue Apr 7 11:21:28 2009: Received SPAM_GOT_AAA_RESPONSE

Tue Apr 7 11:21:28 2009: sshpmGetCertFromHandle: calling sshpmGetCertFromCID() with CID 0x11ad8e5f

Tue Apr 7 11:21:28 2009: sshpmGetCertFromCID: called to get cert for CID 11ad8e5f

Tue Apr 7 11:21:28 2009: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<



ssphmPublicKeyEncrypt: called to encrypt 16 bytes

Tue Apr 7 11:21:28 2009: ssphmPublicKeyEncrypt: successfully encrypted, out is 256 bytes

Tue Apr 7 11:21:28 2009: sshpmPrivateKeyEncrypt: called to encrypt 260 bytes

Tue Apr 7 11:21:28 2009: sshpmGetOpensslPrivateKeyFromCID: called to get key for CID 11ad8e5f

Tue Apr 7 11:21:28 2009:


Tue Apr 7 11:21:28 2009: sshpmGetOpensslPrivateKeyFromCID: match in row 2

Tue Apr 7 11:21:28 2009: sshpmPrivateKeyEncrypt: calling RSA_private_encrypt with 236 bytes

Tue Apr 7 11:21:28 2009: sshpmPrivateKeyEncrypt: RSA_private_encrypt returned 256

Tue Apr 7 11:21:28 2009: sshpmPrivateKeyEncrypt: calling RSA_private_encrypt with 24 bytes

Tue Apr 7 11:21:28 2009: sshpmPrivateKeyEncrypt: RSA_private_encrypt returned 256

Tue Apr 7 11:21:28 2009: sshpmPrivateKeyEncrypt: encrypted bytes: 512

Tue Apr 7 11:21:33 2009: 00:13:60:7c:a1:24 spam_lrad.c:6113 - Sending disassoc trap for AP 00:13:60:7c:a1:24 (state 4)

Tue Apr 7 11:21:33 2009: 00:13:60:7c:a1:24 Deleting and removing AP 00:13:60:7c:a1:24 from fast path



shahedvoicerite Tue, 04/07/2009 - 05:28
User Badges:

OK, I did the conversion a second time.


This time around, When the certificate was being generated bu the upgrade tool, I went in and changed the clock on the AP to be the correct time..(The tool was setting it 24 hrs back)


I am not sure if this solved the problem, or simply going through the upgrade tool a second time around was the issue.


But now it WORKS !!



jeff.kish Tue, 04/07/2009 - 05:42
User Badges:
  • Silver, 250 points or more

It's hard to say, but Cisco has said that the clock MUST be right or else the certificate won't be valid. I'm not sure how far off it needs to be to cause problems, though.


Glad you got it fixed!

Leo Laohoo Tue, 04/07/2009 - 15:31
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame,

    The Hall of Fame designation is a lifetime achievement award based on significant overall achievements in the community. 

  • Cisco Designated VIP,

    2017 LAN, Wireless

In regards to the converting 1230 from Autonomous to LWAP and subsequent joining to the WLC, verify if the conversion is successful by going to the controller, Security -> AP Policies and under AP Authorization List you should find the ethernet/base radio MAC address. If it's not there, don't waste your time: The conversion was unsuccessful.

kristjan.edvardsson Mon, 01/09/2012 - 09:14
User Badges:

I have had the same issues with 1231 AP. The first problem was error on the AP. Doesn´t try to join the WLC because of local certificate error. It never gives any debug on the WLC. But when converting back to ios and then use the upgrade tool was better, because the upgrade to generates the self signed certificate (older ap than 2006) and fixes the time to the same as the WLC. The second issue was the SCC is not accepted by the WLC. So I had to manually create a MAC entry along with the SCC string output I got from debug pm pki events enable on the WLC. Finally after that the AP joined....

Actions

This Discussion