Problem converting air-ap1131ag-a-k9 to LWAPP

Unanswered Question
Jun 13th, 2009

I have a person on my team who converted some autonomous air-ap1131ag-a-k9 to LWAPP. I don't think they did it right.

What they did is: booted the AP (at this point it was running in autonomous mode), set the IP to 192.168.1.200 and their laptop to 192.168.1.100, and connected the laptop directly to the AP. (I have found out that these APs were old APs that previously had configs on them (static IPs, a whole config). They came from another building; they were the ones that other LWAPPs replaced.)

They then went to the web GUI of the AP, went to software upgrade and loaded the LWAPP recovery image on the AP (c1130-rcvk9w8-tar.124-10b.JA3.tar). The software loaded fine and converted the AP, and that's all they did.

(I had mentioned that we should use the upgrade tool, but they didn't listen)

The APs got mounted on the ceiling in the hospital, but when they went to turn them on, they didn't show up right on the controller; they kept joining and unjoining.

I think there is a problem with the SSC. I remember something like the time had to be the same on the AP and on the WLC.

Anyways, these could be older APs, before 2005 (unknown to me), which would mean they don't have MICs and have SSC, and the AP is refusing them, is my thought.

The WLC is set up to accept self-signed certs.

anyways...

These APs are now mounted on the ceilings, and when you do a show cdp nei, it has an IP address from when it was an autonomous AP.

Also, what is the best process you have found to convert Old autonomous 1131 AP's to lightweight mode?

thanks

The controller is running 4.2.176 WLC code. I currently don't have access to WCS or a spare controller to use with the upgrade utility.

The controller is a 4404-100.

rob.huffman Sat, 06/13/2009 - 08:01

Hi Craig,

I'm sure that you are on the right track here;

Here are three good related docs;

Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode

http://www.cisco.com/en/US/docs/wireless/access_point/conversion/lwapp/upgrade/guide/lwapnote.html#wp176272

Self-Signed Certificate Manual Addition to the Controller for LWAPP-Converted APs

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00806a426c.shtml

LWAPP Upgrade Tool Troubleshoot Tips

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008072d9a1.shtml#prob

Hope this helps!

Rob

craig.schnarrs Sat, 06/13/2009 - 08:52

I went to the WLC and issued the command

debug lwapp events enable

I got the following output:

Sat Jun 13 12:41:51 2009: 00:11:20:1a:07:a9 Received LWAPP JOIN REQUEST from AP 00:11:20:1a:07:a9 to 06:0a:10:10:00:00 on port '29'

Sat Jun 13 12:41:51 2009: 00:11:20:1a:07:a9 AP AP0011.201a.07a9: txNonce 00:00:00:00:00:00 rxNonce 00:00:00:00:00:00

Sat Jun 13 12:41:51 2009: 00:11:20:1a:07:a9 LWAPP Join Request MTU path from AP 00:11:20:1a:07:a9 is 1500, remote debug mode is 0

Sat Jun 13 12:41:51 2009: 00:11:20:1a:07:a9 Processing Radius Response: AP Authorization failure for 00:11:20:1a:07:a9

Sat Jun 13 12:41:54 2009: 00:1e:f7:ed:e8:aa Did not receive hearbeat reply from AP 00:1e:f7:ed:e8:aa

Sat Jun 13 12:41:54 2009: DTL Deleting AP 5 - 0.0.0.0

Sat Jun 13 12:41:55 2009: 00:11:21:89:fb:30 Received LWAPP ECHO_REQUEST from AP 00:11:21:89:fb:30

Sat Jun 13 12:41:55 2009: 00:11:21:89:fb:30 Successful transmission of LWAPP Echo-Response to AP 00:11:21:89:fb:30

Sat Jun 13 12:41:55 2009: 00:21:55:c2:06:20 Received LWAPP DISCOVERY REQUEST from AP 00:21:55:c2:06:20 to ff:ff:ff:ff:ff:ff on port '29'

Sat Jun 13 12:41:56 2009: 00:11:5c:03:3c:b0 Received LWAPP RRM_DATA_REQ from AP 00:11:5c:03:3c:b0

Sat Jun 13 12:41:56 2009: 00:11:5c:03:3c:b0 Successful transmission of LWAPP Airewave-Director-Data Response to AP 00:11:5c:03:3c:b0

Sat Jun 13 12:41:56 2009: 00:11:5c:03:3c:b0 Received LWAPP RRM_DATA_REQ from AP 00:11:5c:03:3c:b0

Sat Jun 13 12:41:56 2009: 00:11:5c:03:3c:b0 Successful transmission of LWAPP Airewave-Director-Data Response to AP 00:11:5c:03:3c:b0

Sat Jun 13 12:41:56 2009: 00:11:5c:03:3c:b0 Received LWAPP RRM_DATA_REQ from AP 00:11:5c:03:3c:b0

Sat Jun 13 12:41:56 2009: 00:11:5c:03:3c:b0 Successful transmission of LWAPP Airewave-Director-Data Response to AP 00:11:5c:03:3c:b0

Sat Jun 13 12:41:56 2009: 00:11:5c:03:3c:b0 Received LWAPP STATISTICS_INFO from AP 00:11:5c:03:3c:b0

Sat Jun 13 12:41:56 2009: 00:11:5c:03:3c:b0 Successful transmission of LWAPP Statistics Info Response to AP 00:11:5c:03:3c:b0

Sat Jun 13 12:41:58 2009: 00:1d:70:f4:3e:50 Received LWAPP DISCOVERY REQUEST from AP 00:1d:70:f4:3e:50 to ff:ff:ff:ff:ff:ff on port '29'

Can someone help me decipher what it means? I think I need to debug to get the SHA key.

There are about 14 new APs, and they all have problems.

thanks

rob.huffman Sat, 06/13/2009 - 10:10

Hi Craig,

I think this line may be the key;

"AP Authorization failure"

Lightweight Access Point (LAP) Authorization in a Cisco Unified Wireless Network Configuration Example

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808c7234.shtml

Using show ap join stats command to troubleshoot an AP not joining a Wireless LAN Controller

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080962aac.shtml

Hope this helps!

Rob
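As an added example (not part of the original thread, and not Cisco tooling), the following script groups the "debug lwapp events enable" output by AP and flags the ones hitting the "AP Authorization failure" line, which is useful when about 14 APs are involved. The status labels and the reading of echo and heartbeat lines as "joined" indicators are assumptions of this example.

```python
import re
from collections import defaultdict

# Lines copied from the "debug lwapp events enable" output posted above.
SAMPLE = """\
Sat Jun 13 12:41:51 2009: 00:11:20:1a:07:a9 Received LWAPP JOIN REQUEST from AP 00:11:20:1a:07:a9 to 06:0a:10:10:00:00 on port '29'
Sat Jun 13 12:41:51 2009: 00:11:20:1a:07:a9 Processing Radius Response: AP Authorization failure for 00:11:20:1a:07:a9
Sat Jun 13 12:41:54 2009: 00:1e:f7:ed:e8:aa Did not receive hearbeat reply from AP 00:1e:f7:ed:e8:aa
Sat Jun 13 12:41:54 2009: DTL Deleting AP 5 - 0.0.0.0
Sat Jun 13 12:41:55 2009: 00:11:21:89:fb:30 Received LWAPP ECHO_REQUEST from AP 00:11:21:89:fb:30
Sat Jun 13 12:41:55 2009: 00:21:55:c2:06:20 Received LWAPP DISCOVERY REQUEST from AP 00:21:55:c2:06:20 to ff:ff:ff:ff:ff:ff on port '29'
Sat Jun 13 12:41:58 2009: 00:1d:70:f4:3e:50 Received LWAPP DISCOVERY REQUEST from AP 00:1d:70:f4:3e:50 to ff:ff:ff:ff:ff:ff on port '29'
"""

# "<timestamp>: [<AP MAC> ]<message>"; the MAC prefix is absent on some lines.
LINE = re.compile(
    r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}: "
    r"(?:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) )?(?P<msg>.*)$", re.I)

# Substrings exactly as they appear in the log (including "hearbeat").
EVENTS = [("AP Authorization failure", "auth_failure"),
          ("JOIN REQUEST", "join_request"),
          ("DISCOVERY REQUEST", "discovery"),
          ("Did not receive hearbeat reply", "heartbeat_lost"),
          ("ECHO_REQUEST", "echo")]

def parse(text):
    """Return {ap_mac: [event, ...]} for every line that carries an AP MAC."""
    per_ap = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m.group("mac"):
            continue
        for needle, name in EVENTS:
            if needle in m.group("msg"):
                per_ap[m.group("mac").lower()].append(name)
                break
    return dict(per_ap)

def triage(per_ap):
    """Label each AP by the most serious event seen (labels are assumptions)."""
    order = [("auth_failure", "auth_rejected"), ("heartbeat_lost", "dropped"),
             ("join_request", "join_pending"), ("echo", "healthy"),
             ("discovery", "discovery_only")]
    return {mac: next(label for ev, label in order if ev in events)
            for mac, events in per_ap.items()}

if __name__ == "__main__":
    for mac, status in sorted(triage(parse(SAMPLE)).items()):
        print(mac, status)
```
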

Leo Laohoo Sat, 06/13/2009 - 14:41

Hi Craig,

The 1130 uses MIC instead of SSC (if I remembered correctly). This model ain't as old as the 1230 (now THAT uses SSC).

When you console into the AP, if you can ping the Management IP Address of the WLC, can you type the command into the AP: lwap ap controller ip address

Hope this helps.

NOTE: I know it's none of my business, but just like kids, when you tell them DON'T DO THIS, what do they do? They do it. In your particular issue with the staff member, I guess the best way is to demonstrate the "painless" procedure by using the Conversion Tool and maybe they'll listen to you.

craig.schnarrs Sat, 06/13/2009 - 15:54

I got this response from the TAC engineer assigned to the case...

Hi Craig,

Looking at the debugs that you have sent me, it seems 4400 controller detects AP but requires AP Authorization template. Upgrade tool does not provide fully populated CSV file (no hash values included).

If you cannot find the hash key in the .CSV file. You can enable the 'debug pm pki enable' debug on the controller and you should be able to see the hash key being transmitted. If that does not work, try resetting the AP and then enabling the debug.

Also during the upgrade process, make sure telnet is enabled on the controller, so the upgrade tool can update the controller accordingly.

End of TAC comments...

Funny thing also, these APs were on our AP management VLAN, and they were showing with an IP address that they could never have gotten (it was the IP address they had when they were autonomous). They were totally unreachable via IP; the address they had listed in show cdp nei was totally bogus.

For giggles I moved two of them out of the wireless management VLAN and into a standard VLAN with DHCP available, and these APs picked up valid IP addresses. I can now ping them, but I can't web into them or telnet to them. They are running the LWAPP recovery image with a valid IP address that can be pinged.

weterry Sun, 06/14/2009 - 19:14

If these APs are in the same vlan as the management address, but the IP address is an address in another vlan, that could be why your join is failing.

If you move them to another vlan, and get a dhcp address, do you have a discovery method in place for the AP to find the controller? The broadcast was probably working when in the same subnet, but now you'll need dns or dhcp in the new subnet.

Alternately, as another user suggested, you should be able to define the controller to join when consoled in.

You can't telnet to an LWAPP AP unless you've configured the controller to enable telnet on the AP (which requires the AP to join the controller first).

Leo Laohoo Sat, 06/13/2009 - 18:49

Hi Craig,

When running LWAP IOS, you can't HTML into the LAP, only to the WLC.

Matthew Fowler Sun, 06/14/2009 - 20:05

Craig,

The error is saying 'Processing radius response', so please check that 'Authorize APs against AAA' or similar is unchecked under Security>AP Policies.

Other cert-related join issues:

It is possible that the 1130s do not have a MIC (manufactured before MICs were first used). The way to test this is to run the 'test pb display' command when it is in autonomous mode. If there is no output, it doesn't have a MIC. This means you MUST use the upgrade tool to go to lightweight mode. You will need to go back to autonomous, then use the tool.

Going back to autonomous:

http://www.cisco.com/en/US/docs/wireless/access_point/conversion/lwapp/upgrade/guide/lwapnote.html#wp160918

or from AP console port:

debug lwapp console cli

debug lwapp client no-reload

archive download-sw tftp:///

If the SSC is installed, but the WLC doesn't have the hash, run 'debug pm pki enable' and look for 'SSC Key Hash is ' and enter this under Security>AP Policies.

Also, incorrect time can cause certs to fail as well.

If none of these resolve your issue, attach:

- show run-config

- debug mac addr

- debug lwapp events enable

- debug pm pki enable

to your TAC case. Then, let me know the number and I'll take a look for you.

-Matt

craig.schnarrs Mon, 06/15/2009 - 03:59

Well, the problem is solved. I am not exactly sure what fixed it. I moved APs to a different VLAN, and they got a valid IP address and attached to a controller. I then went in and corrected the config. I want to thank everyone who has helped here. This is a great forum.
