Issues with 5500 controller and 1140 APs

Unanswered Question
Sep 7th, 2009

I'm having trouble joining my APs to the controller. I have so far got most of them joined eventually, but I seem to get a random issue with lots of the APs. I have tried all the usual things - changed network leads, power supply, different port etc. This issue doesn't always stop them joining because sometimes after an hour of errors they join and are fine after that.

The main errors are:

*Sep 4 14:07:36.687: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller

*Sep 4 14:07:36.687: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from

*Sep 4 14:07:36.687: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 34078720.

I've attached the debug.


Leo Laohoo Mon, 09/07/2009 - 15:36

How's the WLC and the LAP connected? Is it in an isolated network or in production?

Did you prime the LAP prior to deployment?

Did you unblock CAPWAP UDP ports 5246 and 5247 from the firewall?

aemberson Mon, 09/07/2009 - 23:36

It is connected into our network and I have 20 APs all working, eventually. When the technician put in the controller he told me that the APs don't need to be primed or configured as DNS is all sorted so it finds the controller straight away.

Ports can't be blocked as I have got APs to join.

Leo Laohoo Tue, 09/08/2009 - 14:25

Cisco recommends you prime the APs before deployment.

But the 1140s are a different lot altogether. It's faster and has some smarts the older models don't. I've plugged one in and immediately found the WLC faster than the other models.

bernieli79 Tue, 09/08/2009 - 23:13

Do you have encryption turned on?

Maybe try turning off encryption.

"Cisco 5500 series controllers enable you to encrypt CAPWAP control packets (and optionally CAPWAP data packets) that are sent between the access point and the controller using Datagram Transport Layer Security (DTLS). If an access point does not support DTLS data encryption, DTLS is enabled only for the control plane, and a DTLS session for the data plane is not established."

wackerk24 Wed, 09/09/2009 - 14:51

How is your controller connected to the network? Is it using LAG? If so, make sure you are using src-dst-ip for the port-channel load balancing on your switch, as other settings can cause issues with APs joining (i.e. src-dst-port).

aemberson Mon, 09/14/2009 - 03:05

Not sure what you mean by src-dst-ip?? Tried that command on the ports that are in the EtherChannel link?

wackerk24 Mon, 09/14/2009 - 04:43

Sorry, hopefully this clears it up. This is from the WLC best practices configuration guide.


When you use LAG, the controller relies on the switch for the load balancing decisions on traffic that comes from the network. It expects that traffic that belongs to an AP (LWAPP or network to wireless user) always enters on the same port. Use only ip-src or ip-src ip-dst load balancing options in the switch EtherChannel configuration. Some switch models might use unsupported load balancing mechanisms by default, so it is important to verify.

This is how to verify the EtherChannel load balancing mechanism:

switch#show etherchannel load-balance

EtherChannel Load-Balancing Configuration:


EtherChannel Load-Balancing Addresses Used Per-Protocol:

Non-IP: Source XOR Destination MAC address

IPv4: Source XOR Destination IP address

IPv6: Source XOR Destination IP address

This is how to change the switch configuration (IOS):

switch(config)#port-channel load-balance src-dst-ip


Do not configure a LAG connection that spans across multiple switches. When you use LAG, it must be with all ports that belong to the same EtherChannel that goes to the same physical switch.
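A small checker for the verification step in the guidance above, added here as an example and not code from the guide or from anyone in the thread: it parses `show etherchannel load-balance` output and flags an IPv4 hashing method the WLC LAG guidance does not allow. The sample outputs are constructed, and the exact wording IOS prints for src-dst-port is an assumption modeled on the page's output.

```python
import re

# Hashing methods the WLC LAG guidance quoted above allows: source IP, or
# source XOR destination IP. Wording follows the page's IOS output.
ALLOWED_IPV4_HASHES = {
    "Source IP address",                  # port-channel load-balance src-ip
    "Source XOR Destination IP address",  # port-channel load-balance src-dst-ip
}

LINE_RE = re.compile(r"^\s*(Non-IP|IPv4|IPv6):\s*(.+?)\s*$")

def parse_load_balance(output):
    """Map protocol -> hash description from 'show etherchannel load-balance'."""
    methods = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            methods[m.group(1)] = m.group(2)
    return methods

def check_lag_hash(output):
    """Return (ok, message). ok is True only when IPv4 hashing keeps an AP's
    CAPWAP flows on one physical port, as the guide requires."""
    ipv4 = parse_load_balance(output).get("IPv4")
    if ipv4 is None:
        return False, "no IPv4 load-balancing line found in output"
    if ipv4 in ALLOWED_IPV4_HASHES:
        return True, f"IPv4 hashing '{ipv4}' is supported for WLC LAG"
    return False, (f"IPv4 hashing '{ipv4}' is unsupported for WLC LAG; "
                   "fix with: port-channel load-balance src-dst-ip")

# Constructed sample outputs (not from a real switch); src-dst-port wording assumed.
GOOD_OUTPUT = """\
EtherChannel Load-Balancing Configuration:
        src-dst-ip
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
  IPv4: Source XOR Destination IP address
  IPv6: Source XOR Destination IP address
"""
BAD_OUTPUT = """\
EtherChannel Load-Balancing Configuration:
        src-dst-port
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
  IPv4: Source XOR Destination TCP/UDP (layer-4) port
  IPv6: Source XOR Destination TCP/UDP (layer-4) port
"""

if __name__ == "__main__":
    print(check_lag_hash(GOOD_OUTPUT), check_lag_hash(BAD_OUTPUT), sep="\n")
```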

