
Join-Request not received by WLC

janesh_abey
Level 1

Hi all,

I'm in the process of upgrading autonomous 1242 (MIC) APs belonging to an external client to make them part of the existing LWAPP-based infrastructure.

I could observe successful Discovery negotiation. Next, the AP sends the join-request but the WLC debug does not indicate receiving it.

1. Wireshark packet capture indicates that the Discovery & Join processes use identical ports at each phase - this will rule out the firewalls.

2. No duplicate IPs

3. Controllers are not exhausted with APs

4. DHCP option 43 is configured and I could see it in action when I do a dhcp debug

The other interesting observation is that I could not see any certs on the autonomous APs before converting them to lwapp when I issue sh crypto pki certificates

Please refer to the attachment for debug outputs.

Any help is much appreciated.

cheers,

janesha

1 Accepted Solution


Did you open up the FW for UDP 12223 and also did you set the ip helper and the ip forward-protocol?

-Scott
*** Please rate helpful posts ***


janesh_abey
Level 1

forgot the attachment :)

Following was used as reference

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00808f8599.shtml

gamccall
Level 4

Discovery happens on the Management interface but Joins happen on the AP Manager interface. Is it possible that your firewall rules are not set up to allow traffic to/from the second address?
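The split described in the reply above (Discovery answered by the Management interface, Join sent to the AP Manager interface) can be checked from the AP side of a capture. The following is an added example, not part of the original thread: the summary-line format, the function name and the documentation-range addresses are all assumptions, and the sample capture is constructed.

```python
from collections import defaultdict

# Constructed capture summary: "time src dst controller_udp_port message".
# Addresses are documentation-range placeholders, not values from the thread.
# .10/.20 stand for Management interfaces, .11/.21 for AP Manager interfaces.
SAMPLE_CAPTURE = """\
0.00 192.0.2.50 198.51.100.10 12223 DISCOVERY_REQUEST
0.01 198.51.100.10 192.0.2.50 12223 DISCOVERY_RESPONSE
0.02 192.0.2.50 198.51.100.20 12223 DISCOVERY_REQUEST
0.03 198.51.100.20 192.0.2.50 12223 DISCOVERY_RESPONSE
1.00 192.0.2.50 198.51.100.11 12223 JOIN_REQUEST
6.00 192.0.2.50 198.51.100.11 12223 JOIN_REQUEST
11.00 192.0.2.50 198.51.100.21 12223 JOIN_REQUEST
"""


def unanswered_requests(capture_text, ap_ip):
    """Return {controller_address: {phase: attempts}} for requests the AP
    sent that never drew a response of the same phase from that address."""
    sent = defaultdict(int)
    answered = set()
    for line in capture_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        _ts, src, dst, _port, message = fields
        phase, _, kind = message.rpartition("_")
        if kind == "REQUEST" and src == ap_ip:
            sent[(dst, phase)] += 1
        elif kind == "RESPONSE" and dst == ap_ip:
            answered.add((src, phase))

    silent = defaultdict(dict)
    for (addr, phase), attempts in sent.items():
        if (addr, phase) not in answered:
            silent[addr][phase] = attempts
    return dict(silent)


if __name__ == "__main__":
    # Addresses listed here receive traffic from the AP but never reply, so
    # they are the ones to compare against the firewall and routing rules.
    for addr, phases in unanswered_requests(SAMPLE_CAPTURE, "192.0.2.50").items():
        print(addr, phases)
```

An address that appears only in the silent list while a neighbouring address answered Discovery is the pattern this reply describes: rules that cover the Management address but not the AP Manager address.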

Hi,

Many thanks for the reply. Basically the firewall is managed by the client and I requested to provide open access without any rules.

Is there a way to determine what the AP manager IPs are from the controllers? And can they respond to ping requests?

cheers,

Janesh

In the GUI just click to the Controller: Interfaces section; or, from the CLI, do "show interface summary".

The AP manager address does not reliably respond to pings. You could try spanning the controller's uplink port to a sniffer. I suspect, though, that if they just open up traffic to the AP Manager address the same way it's open to the Management address, you'll discover that was your problem.

1242 AP's are fine when you upgrade them to lwapp. You will not have to enter any MIC like when you upgrade 1100's or 1200's. Do you have any LAP's on the same subnet that the upgraded AP's are on? I also suppose that you have existing LAP's on the WLC already.... just making sure. Have you checked the ap switchport and removed the trunk (if it was originally trunked) and configured it for a specific vlan?

-Scott

Hi,

Thanks for the reply.

No. I do not have APs on the same subnet as the upgraded APs are on. Had to create a different subnet, and the SVI Vlan123 is sitting on the external client's router and we have a static route (which is redistributed and reachable by WiSM controllers) on our router pointing to the client's router. Other APs on different subnets are all happy and working fine :)

switchport is on access mode for vlan 123.

cheers,

j

On SVI vlan 123 where the ap's sit, could you create ip helpers using the management interface of the wlc and then globally can you enter ip forward-protocol udp 12222 and see if that makes a difference. If not, maybe you will need to take one of those ap's and convert it back to autonomous and then back to lwapp. I know if the original configuration is pretty huge, sometimes the lwapp conversion actually fails, even though the tool says it was successful.

-Scott

Hi Fella,

The SVI is sitting on a router which is not managed by me. I can certainly request them to add those settings on Monday. When I look at a packet capture from a working AP, I can only see UDP 12223 in action. Therefore, shouldn't we add ip forward-protocol udp 12223 instead of ip forward-protocol udp 12222?

The autonomous AP did not have a huge config as we did a write erase prior to converting it to lwapp.

Thanks to your suggestion, I got another idea from it. That is to connect a lwapp AP that is working happily (which belongs to a different subnet) onto the same port where the problematic AP is connected. Do you think that's a wise move?

cheers,

Janesh

If you are using secure mobility tunneling then you will need to use UDP 12223 and not 12222. If you disable secure mobility then the communication between the wlc and ap will use 12222. When secure mobility is turned on then you also have to enter this command in the cli:

config certificate compatibility on

I have run into issues where secure mobility doesn't work.

-Scott

Thanks for the reply.

Packet capture indicates that we are using secure mobility tunneling. Please see attached.

However, a few minutes ago I upgraded an autonomous AP within our network to lwapp and it joined the controller.

Therefore, I guess the controllers are working as they are supposed to. Correct me if I'm wrong. As the join-request is not received from the client side, I think this may be firewall related.

I will put the AP on their network and see what the outcome is.

This will eliminate the possibility of the lwapp upgrade being unsuccessful although the upgrade tool confirmed the conversion was a success.

Did you open up the FW for UDP 12223 and also did you set the ip helper and the ip forward-protocol?

-Scott

Hi,

I found the AP manager address and, as you predicted, it does not respond to an extended ping sourced from the new subnet. Tried the same with a subnet where the APs are happily working in lwapp and the results were the same.

Packet capture on the AP shows that the Join-request is sent to the AP manager address. As expected, the AP tries sending to the AP manager addresses of all 4 controllers before giving up.

Client confirmed that they have opened the subnet to all traffic from my side of the network.

I will try spanning the uplink port of the controller sometime today once I dig up info on the uplink port.

Thanks for the advice.

cheers

Leo Laohoo
Hall of Fame

Hi Janesha,

Firstly, the Management's IP Address is the only ping-able IP Address.

Can the 1242 AP's ping the Management IP Address? If so, console into the AP and in enable mode, type the command "lwapp ap controller ip address ".

Hope this helps.

Hi Leo,

Thanks for the reply.

Yes. It can ping the management address. I will enter what you have suggested and see what the outcome is.

cheers,

janesha
