Join-Request not received by WLC

Answered Question
Apr 17th, 2009

Hi all,

I'm in the process of upgrading autonomous 1242 (MIC) APs belonging to an external client to make them part of the existing LWAPP-based infrastructure.

I could observe successful Discovery negotiation. Next, the AP sends the Join-request, but the WLC debug does not indicate receiving it.

1. Wireshark packet capture indicates that the Discovery and Join processes use identical ports at each phase; this will rule out the firewalls.

2. Duplicate IPs

3. Controllers are not exhausted with APs.

4. DHCP option 43 is configured, and I could see it in action when I do a DHCP debug.

The other interesting observation is that I could not see any certs on the autonomous APs before converting them to LWAPP when I issue sh crypto pki certificates.

Please refer to the attachment for debug outputs.

Any help is much appreciated.



Correct Answer by Scott Fella about 7 years 5 months ago

Did you open up the FW for UDP 12223 and also did you set the ip helper and the ip forward-protocol?

gamccall Fri, 04/17/2009 - 07:25

Discovery happens on the Management interface but Joins happen on the AP Manager interface. Is it possible that your firewall rules are not set up to allow traffic to/from the second address?
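A way to turn the point above into a repeatable check on a capture taken at the AP's switchport, as an added example that is not part of the thread (the controller addresses and the packet list are constructed sample values, not the poster's capture). Both phases use UDP 12223, so the destination address, management for Discovery and AP-manager for Join, is what separates them, and a Join request that no AP-manager answers is the signature of a filter between the AP and the second address:

```python
"""Triage of an LWAPP Discovery/Join exchange from a capture summary.

Added example, not code from the thread. Assumptions: the controller
addresses are invented sample values, and SAMPLE_CAPTURE is a constructed
stand-in for a Wireshark capture taken on the AP's switchport.
"""
from dataclasses import dataclass

LWAPP_CONTROL_PORT = 12223  # Discovery and Join control traffic
LWAPP_DATA_PORT = 12222     # data tunnel, only seen after a successful Join


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int


def classify(pkt, ap_ip, mgmt_ips, ap_mgr_ips):
    """Return (phase, direction, peer) for an LWAPP control packet, else None.

    Discovery goes to the management address and Join to the AP-manager
    address, so the peer IP tells the phases apart even though both use
    UDP 12223. The AP-side source port is not used for classification.
    """
    if pkt.src == ap_ip and pkt.dport == LWAPP_CONTROL_PORT:
        if pkt.dst in mgmt_ips:
            return "discovery", "request", pkt.dst
        if pkt.dst in ap_mgr_ips:
            return "join", "request", pkt.dst
    elif pkt.dst == ap_ip and pkt.sport == LWAPP_CONTROL_PORT:
        if pkt.src in mgmt_ips:
            return "discovery", "response", pkt.src
        if pkt.src in ap_mgr_ips:
            return "join", "response", pkt.src
    return None


def triage(packets, ap_ip, mgmt_ips, ap_mgr_ips):
    """Summarise which phase stalls and which controller addresses answered."""
    seen = {"discovery": {"request": set(), "response": set()},
            "join": {"request": set(), "response": set()}}
    for p in packets:
        c = classify(p, ap_ip, mgmt_ips, ap_mgr_ips)
        if c:
            phase, direction, peer = c
            seen[phase][direction].add(peer)

    d_req, d_rsp = seen["discovery"]["request"], seen["discovery"]["response"]
    j_req, j_rsp = seen["join"]["request"], seen["join"]["response"]
    if not d_req:
        verdict = "no-discovery"          # AP never sent a Discovery Request
    elif not d_rsp:
        verdict = "discovery-unanswered"  # management address filtered or unreachable
    elif not j_req:
        verdict = "no-join"               # Discovery answered, AP never tried to join
    elif not j_rsp:
        verdict = "join-unanswered"       # AP-manager silent: filtered path, or WLC never saw it
    else:
        verdict = "joined"
    return {"verdict": verdict,
            "discovery_peers": sorted(d_req), "discovery_answered_by": sorted(d_rsp),
            "join_peers": sorted(j_req), "join_answered_by": sorted(j_rsp)}


# Constructed sample: one AP, one management address, four AP-manager
# addresses (one per controller), Join Requests that are never answered.
AP_IP = "192.168.123.10"
WLC_MGMT = {"10.0.10.5"}
WLC_AP_MGR = {"10.0.10.6", "10.0.11.6", "10.0.12.6", "10.0.13.6"}

SAMPLE_CAPTURE = [
    Pkt(AP_IP, "255.255.255.255", 49152, 12223),   # broadcast Discovery, not classified
    Pkt(AP_IP, "10.0.10.5", 49152, 12223),          # Discovery Request to management
    Pkt("10.0.10.5", AP_IP, 12223, 49152),          # Discovery Response
] + [Pkt(AP_IP, m, 49152, 12223) for m in sorted(WLC_AP_MGR)]  # Join Requests, no replies

if __name__ == "__main__":
    print(triage(SAMPLE_CAPTURE, AP_IP, WLC_MGMT, WLC_AP_MGR))
```

A "join-unanswered" verdict with a healthy Discovery exchange means the firewall rules for the management address are not the ones to look at; the AP-manager address needs its own rule, and a span of the controller uplink confirms whether the Join ever arrives.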

janesh_abey Fri, 04/17/2009 - 07:58


Many thanks for the reply. Basically the firewall is managed by the client and I requested them to provide open access without any rules.

Is there a way to determine what the AP manager IPs are from the controllers? And can they respond to ping requests?



gamccall Fri, 04/17/2009 - 08:41

In the GUI just click to the Controller: Interfaces section; or, from the CLI, do "show interface summary".

The AP manager address does not reliably respond to pings. You could try spanning the controller's uplink port to a sniffer. I suspect, though, that if they just open up traffic to the AP Manager address the same way it's open to the Management address, you'll discover that was your problem.

Scott Fella Fri, 04/17/2009 - 12:34

1242 APs are fine when you upgrade them to LWAPP. You will not have to enter any MIC like when you upgrade 1100s or 1200s. Do you have any LAPs on the same subnet that the upgraded APs are on? I also suppose that you have existing LAPs on the WLC already.... just making sure. Have you checked the AP switchport and removed the trunk (if it was originally trunked) and configured it for a specific VLAN?

janesh_abey Fri, 04/17/2009 - 13:15


Thanks for the reply.

No, I do not have APs on the same subnet as the upgraded APs are on. I had to create a different subnet; the SVI VLAN 123 is sitting on the external client's router and we have a static route (which is redistributed and reachable by the WiSM controllers) on our router pointing to the client's router. Other APs on different subnets are all happy and working fine :)

The switchport is in access mode for VLAN 123.



Scott Fella Fri, 04/17/2009 - 13:31

On SVI VLAN 123 where the APs sit, could you create ip helpers using the management interface of the WLC and then globally can you enter ip forward-protocol udp 12222 and see if that makes a difference. If not, maybe you will need to take one of those APs and convert it back to autonomous and then back to LWAPP. I know if the original configuration is pretty huge, sometimes the LWAPP conversion actually fails, even though the tool says it was successful.

janesh_abey Fri, 04/17/2009 - 14:01

Hi Fella,

The SVI is sitting on a router which is not managed by me. I can certainly request them to add those settings on Monday. When I look at a packet capture from a working AP, I can only see UDP 12223 in action. Therefore, shouldn't we add ip forward-protocol udp 12223 instead of ip forward-protocol udp 12222?

The autonomous AP did not have a huge config as we did a write erase prior to converting it to LWAPP.

Thanks to your suggestion, I got another idea from it. That is to connect an LWAPP AP that is working happily (which belongs to a different subnet) to the same port where the problematic AP is connected. Do you think that's a wise move?



Scott Fella Sat, 04/18/2009 - 08:28

If you are using secure mobility tunneling then you will need to use UDP 12223 and not 12222. If you disable secure mobility then the communication between the WLC and AP will use 12222. When secure mobility is turned on then you also have to enter this command in the CLI:

config certificate compatibility on

I have run into issues where secure mobility doesn't work.

janesh_abey Sun, 04/19/2009 - 14:25

Thanks for the reply.

Packet capture indicates that we are using secure mobility tunneling. Please see attached.

However, a few minutes ago I upgraded an autonomous AP within our network to LWAPP and it joined the controller.

Therefore, I guess the controllers are working as they are supposed to. Correct me if I'm wrong. As the Join-request is not received from the client side, I think this may be firewall related.

I will put the AP on their network and see what the outcome is.

This will eliminate the possibility of the LWAPP upgrade being unsuccessful although the upgrade tool confirmed the conversion was a success.

Correct Answer
Scott Fella Sun, 04/19/2009 - 18:07

Did you open up the FW for UDP 12223 and also did you set the ip helper and the ip forward-protocol?

janesh_abey Fri, 04/17/2009 - 13:48


I found the AP manager address and, as you predicted, it does not respond to an extended ping sourced from the new subnet. Tried the same with a subnet where the APs are happily working in LWAPP and the results were the same.

Packet capture on the AP shows that the Join-request is sent to the AP manager address. As expected, the AP tries sending to the AP manager addresses of all 4 controllers before giving up.

Client confirmed that they have opened the subnet to all traffic from my side of the network.

I will try spanning the uplink port of the controller sometime today once I dig up info on the uplink port.

Thanks for the advice.


Leo Laohoo Fri, 04/17/2009 - 21:19

Hi Janesha,

Firstly, the Management's IP Address is the only ping-able IP Address.

Can the 1242 APs ping the Management IP Address? If so, console into the AP and in enable mode, type the command "lwapp ap controller ip address ".

Hope this helps.

janesh_abey Sun, 04/19/2009 - 14:27

Hi Leo,

Thanks for the reply. I can ping the management address. I will enter what you have suggested and see what the outcome is.



janesh_abey Sun, 04/19/2009 - 17:58

Hi Leo,

Unfortunately, the AP does not allow me to configure the lwapp ap controller ip address x.x.x.x command.

However, I created a dummy ACL and enabled logging for the IP range of the controllers and AP manager addresses. I applied this on the uplink to the client and I cannot see the traffic to the AP-manager coming through, although I can see the Discovery-request coming through. So it is definitely something blocking on the client side.



Leo Laohoo Sun, 04/19/2009 - 18:00

Hi Janesha,

Configure? You don't need to enter into configuration mode. Just enable mode and enter the command.

janesh_abey Sun, 04/19/2009 - 18:27

Hi Leo,

My apologies as I did not word it properly. Basically, the AP does not accept the command under enable mode.



Leo Laohoo Sun, 04/19/2009 - 18:49

Hi Janesha,

Wait a second ... The AP doesn't accept the command? Is the AP running on the Autonomous IOS or the LWAP image?

janesh_abey Sun, 04/19/2009 - 19:50

Well, I converted it to LWAPP using the upgrade tool. Therefore it is running the LWAPP image.

janesh_abey Mon, 04/20/2009 - 14:12

The FW is managed by the client and according to him all the traffic from our side is permitted to the subnet where the APs are on and vice-versa.

Leo Laohoo Mon, 04/20/2009 - 15:05

Hi Janesha,

On the AP, can you post the result of the command "dir"?

Scott Fella Mon, 04/20/2009 - 15:12


If you can see traffic going to the management interface, then the APs are doing what they are supposed to.... the issue I thought was that you were not seeing traffic when you spanned the WLC ports. This is because UDP 12223 is not reaching the WLC or that you have a duplicate ap-manager IP address, which you don't have since you have other APs on the WLC. When the client says they have everything open, are you sure there isn't another FW in the path?

janesh_abey Tue, 04/21/2009 - 02:52

Hi Fella,Leo,Gamccall and all,

The problem I had was that the Join-request from the AP was not received by the controller AP-manager interface.

Problem is solved. It was their freaking FWSM which was dropping packets to the AP-manager. Sorry for wasting the forum's valuable time.



gamccall Tue, 04/21/2009 - 05:27

Not a waste- this is why we're here. The next time someone runs into this problem, you'll be able to answer it for them =)

Glad you got things squared away!

Leo Laohoo Tue, 04/21/2009 - 14:24

Hi Janesha,

Now you can tell the client "it's your freakin' FWSM's fault!". :}

