Issues adding a second 4402 wireless controller

Answered Question
May 11th, 2012

I currently have 1 4402 wireless controller that is controlling the 17 APs I have in our corporate office and 18 APs we have in a warehouse 10 miles away. The warehouse has all of the APs set to H-REAP so that they can connect across the WAN to reach the controller. I have purchased a second 4402 and have placed the controller at the warehouse to handle all traffic out at that site and to relieve issues we have when the WAN gets saturated.

I have configured the 4402 at the Warehouse with the same basic setup as the first controller (well, different IP and different VLAN and different SSIDs so I can tell I am on the new one easily). The problem I am having is that I cannot get any of the access points to log onto the second controller. All access points still show up on the first controller.

To reach the first controller I had placed the information in the Windows DHCP scope (Option 241 I believe) to talk to the first controller. I have changed that to point to the second controller but that does not help. I saw that the first controller was set to be the Master, so I turned that off to no avail. I even created a new VLAN, created the DHCP information, and then added the Access Points to the new VLAN. Still, they connect to the first controller.

Lastly, I logged into the APs and reset them to factory defaults. The APs still find the first controller.

Any ideas what I may be missing to have them hit the new controller?

Thanks much!

Dave

Correct Answer by maldehne about 1 year 11 months ago

In the logs I can see the following message:

MIC AP is not allowed to join by config

So please make sure that the accept Manufactured Installed Certificate option is selected.

Security --> AAA --> AP Policies

Correct Answer by Amandeep Mann about 1 year 11 months ago

From the debug it seems as if the WLC may be authorizing Lightweight APs via an Auth-list or AAA.

Check these settings here:

Web GUI > Security > AAA > AP Policies

Seems as if your APs are set to be authorized via an auth-list or AAA.

Try unchecking the following option:

Authorize MIC APs against auth-list or AAA

blakekrone Fri, 05/11/2012 - 11:20

Have you tried setting the AP primary controller to be the name/IP of the new controller?

David Graham Fri, 05/11/2012 - 11:42

Thanks much. Never thought of that. I tried this and what is happening is that the AP is not showing up on the first controller but it is not showing up on the second controller. Not even any logs about something trying to connect. This is pretty weird. Not sure why it will not show the AP even though it has the correct IP.

alvaro.motta Fri, 05/11/2012 - 12:05

Hi Dave.

Do you have the same DHCP server serving clients across the WAN link? If the DHCP server is the same, chances are the WLC order will be the same for all the APs (unless we have different models).

Also, did you try to console into the AP and check what it is doing during boot? A debug capwap on the AP would be a good starting point as well.

HTH.

AL

David Graham Fri, 05/11/2012 - 13:09

I do have the same DHCP server, but I would assume that since I had a different scope option (241 Option 43) for that VLAN that I could use a different controller with that. If not, then I really hate Cisco. What I did notice when I tried to force the server (and even before, it looks like) is that I get this error:

*spamReceiveTask: May 11 13:37:13.743: %CAPWAP-3-DISC_INTF_ERR2: capwap_ac_sm.c:1460 Ignoring discovery request received on a wrong VLAN (125) on interface (2) from AP 00:1a:e3:ba:3b:10

Which is the Base Radio for the AP. Not the Mac that shows up in the list when it is connected, but the Base Radio Mac.

blakekrone Fri, 05/11/2012 - 13:15

You mentioned that these were HREAP APs correct? Is the DHCP option on the correct VLAN that is set as the native VLAN on the HREAP AP?

You certainly can have different WLCs per scope, I do that often for installs.

David Graham Fri, 05/11/2012 - 13:26

Yup. The DHCP option was on the vlan. I even created a brand new vlan for 2 APs to test with. Put the new scope options in with the correct IP address. Changed the native trunk port to the correct vlan (vlan 125) and then did a shut/no shut on the APs. I see them get DHCP addresses in the new DHCP scope on the new vlan and I can get to them on the new vlan, they just will not get picked up by the controller.

I checked to make sure that the SSID on vlan 125 was active, but even so that should not stop an AP from connecting. I even took the AP out of H-REAP and put it in local mode and still it goes to the first controller. Lastly I found the switch where you can mark a controller as the master for all APs and turned that off on the controller (where it was on) and turned it on on the second controller (where it was off) and that did not help either.

Strange things going on here.

Thanks for all the help so far.

grabonlee Fri, 05/11/2012 - 14:42

David,

Let us start from the beginning and understand the AP join process. You have confirmed that the APs pick up a DHCP-assigned address. The next step is that the AP will send a discovery request, first as a broadcast on the LAN; if there is no response from a controller on the LAN, it uses DHCP option 43 and then DNS. For the 4400 controller, the discovery request from the AP is handled by the management interface while the AP manager interface handles the Join request. I would advise that you use debug capwap to find out if the AP receives a response to its discovery request. I also would suggest that you use DNS option 15 instead of scope option 43. DNS option 15 never fails as long as you include the controllers as objects in your domain using CISCO-CAPWAP-CONTROLLER. When the APs attach to a controller, you can then specify the primary controller name and IP on the AP.

David Graham Mon, 05/14/2012 - 08:22

I am currently using DHCP Option 15 with the Cisco-CAPWAP-CONTROLLER, which I totally forgot about and I gather why I am only going to the one controller. I may play with Option 43 on that vlan and see if I can get that to pick up.

I need to go out to the warehouse to log into the APs and see what I can do for the debug capwap. Let you know that soon.

Thanks much for the hints.

maldehne Sat, 05/12/2012 - 12:07

In order to figure out what is happening at your end, please provide the following info:

on the controller side:

debug mac addr < mac addr of an ap not joining >

debug capwap event enable

debug capwap errors enable

debug pm pki enable

on the AP side:

debug capwap client event

debug capwap client error

from controller

Show run-config

Show msglog

Show traplog

Leo Laohoo Sat, 05/12/2012 - 16:42

Hmmm ... You got a new WLC?

Can you please post the output to the following commands:

1.  WLC:  sh sysinfo;

2.  WAP:  sh version;

3.  WAP:  sh inventory

Console into the WAP and in enable mode, ping the Warehouse WLC Management IP address.  If you CAN, enter the following commands:

1.  clear lwapp ap controller ip address;

2.  lwapp ap controller ip address

If the WAP CAN'T ping the Warehouse WLC Management IP address, then we know where the potential issue is.

David Graham Mon, 05/14/2012 - 08:28

The sh sysinfo from the 2 controllers are below. I need to get to the warehouse and log onto the APs to get the rest. I have a new version of the software on the new switch, but I did not think that would cause an issue. If necessary, I can upgrade the old controller to the new version.



New Controller
(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.230.0
RTOS Version..................................... 7.0.230.0
Bootloader Version............................... 7.0.220.0
Emergency Image Version.......................... 7.0.220.0
Build Type....................................... DATA + WPS

System Name...................................... INROPWC01
System Location.................................. Roselle
System Contact................................... IT
System ObjectID.................................. 1.3.6.1.4.1.14179.1.1.4.3
IP Address....................................... 172.16.12.12
System Up Time................................... 61 days 15 hrs 20 mins 34 secs
System Timezone Location......................... (GMT -6:00) Central Time (US and Canada)

Configured Country............................... US  - United States
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +36 C
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 4
Number of Active Clients......................... 0

Burned-in MAC Address............................ 00:1B:D4:6B:BB:A0
Crypto Accelerator 1............................. Absent
Crypto Accelerator 2............................. Absent
Power Supply 1................................... Absent
Power Supply 2................................... Present, OK
Maximum number of APs supported.................. 50


Old Controller
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.98.0
RTOS Version..................................... 7.0.98.0
Bootloader Version............................... 4.0.217.0
Emergency Image Version.......................... 5.2.157.0
Build Type....................................... DATA + WPS

System Name...................................... INWDPWC01
System Location.................................. 901 Mittel
System Contact................................... dni@madden.com
System ObjectID.................................. 1.3.6.1.4.1.14179.1.1.4.3
IP Address....................................... 172.16.1.104
System Up Time................................... 438 days 23 hrs 21 mins 50 secs
System Timezone Location......................... (GMT -6:00) Central Time (US and Canada)

Configured Country............................... US  - United States
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +36 C
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Disabled
Number of WLANs.................................. 6
Number of Active Clients......................... 84

Burned-in MAC Address............................ 00:18:73:36:07:E0
Crypto Accelerator 1............................. Absent
Crypto Accelerator 2............................. Absent
Power Supply 1................................... Absent
Power Supply 2................................... Present, OK
Maximum number of APs supported.................. 50

Cheers!



darlynn Mon, 05/14/2012 - 20:21

The controllers are running different versions of code.

They need to be running the same versions.

As I mentioned below, what's the Mobility Group name and have you configured this between both controllers?

NOTE: If you don't want failover between the controllers, you don't need to worry about this.

Also note that the AP will remember the controller address that it last connected to, regardless of the factory reset; if it is able to connect when restarted it will do so. You need to enter the clear lwapp command Leo mentioned earlier.

darlynn Sun, 05/13/2012 - 00:04

For this to work, follow the DHCP details outlined above.

You also need to ensure that the WLCs are running the same software version.

Then you need to configure a mobility group between the WLCs. Be cautious as the mobility group name must be the same and is case sensitive.

Once this is established configure the primary and secondary controllers on the APs in the warehouse.

The APs should reboot and connect to the local wlc.

Sent from Cisco Technical Support iPhone App

David Graham Mon, 05/14/2012 - 14:23

I am logged onto the AP I have been testing with. I do not see any LWAPP commands when I am on the AP. Is this thing in the wrong mode? I thought I put everything back into the correct mode to work with the controllers, but do I need to try to put this into Lightweight mode? I downloaded the conversion tool but wanted to ask before I royally screw this up.

David Graham Mon, 05/14/2012 - 14:24

BTW - I can ping everything correctly back and forth from AP to controller and back, so the routing is working. Please see above to see if that can be the issue.

David Graham Mon, 05/14/2012 - 14:52

Tried the UpgradeTool since I had the time. Here is what I am now seeing. Pretty wild.

*May 14 21:51:00.012: %PARSER-4-BADCFG: Unexpected end of configuration file.

*May 14 21:51:00.014:  status of voice_diag_test from WLC is false
*May 14 21:51:00.015: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*May 14 21:51:10.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.12.13 peer_port: 5246
*May 14 21:51:10.001: %CAPWAP-5-CHANGED: CAPWAP changed state to 
*May 14 21:51:11.853: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.12.13 peer_port: 5246
*May 14 21:51:11.855: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.12.13
*May 14 21:51:11.855: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*May 14 21:51:16.854: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.12.13
*May 14 21:51:16.855: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.12.13
*May 14 21:51:16.855: %DTLS-5-PEER_DISCONNECT: Peer 172.16.12.13 has closed connection.
*May 14 21:51:16.856: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.12.13:5246
*May 14 21:51:16.925: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*May 14 21:51:16.926: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*May 14 21:51:16.926: bsnInitRcbSlot: slot 1 has NO radio
*May 14 21:51:17.004: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*May 14 21:51:17.028: %PARSER-4-BADCFG: Unexpected end of configuration file.

*May 14 21:51:17.030:  status of voice_diag_test from WLC is false
*May 14 21:51:17.031: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*May 14 21:51:27.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.12.13 peer_port: 5246
*May 14 21:51:27.003: %CAPWAP-5-CHANGED: CAPWAP changed state to 
*May 14 21:51:28.846: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.12.13 peer_port: 5246
*May 14 21:51:28.847: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.12.13
*May 14 21:51:28.848: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*May 14 21:51:33.846: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.12.13
*May 14 21:51:33.848: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.12.13
*May 14 21:51:33.849: %DTLS-5-PEER_DISCONNECT: Peer 172.16.12.13 has closed connection.
*May 14 21:51:33.849: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.12.13:5246
*May 14 21:51:34.545: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*May 14 21:51:34.546: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*May 14 21:51:34.546: bsnInitRcbSlot: slot 1 has NO radio
*May 14 21:51:34.625: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*May 14 21:51:34.649: %PARSER-4-BADCFG: Unexpected end of configuration file.

maldehne Tue, 05/15/2012 - 00:15

In the AP logs we see a close notification received from the controller; we need to check the debugs from the controller side as well.

David Graham Tue, 05/15/2012 - 10:12

Weird. Tried to "telnet 172.16.12.13 5246" and it did not pick up. I would think that port would always be open. I can ping that IP (the ap_management IP) but cannot get into that port. Neither here nor there, though.

The 125 VLAN is the test VLAN. The controller is on VLAN 12 (IP of 172.16.12.12). I changed the APs to be on the 12 VLAN and not the 125 since it looks like the 125 VLAN is causing issues, and now things are different. I saw one AP briefly connect and then it fell off and went back to the original controller.

I am going to use the upgrade tool to force lwapp and see what happens. Posting more soon.

David Graham Thu, 05/17/2012 - 14:39

These are from the AP I am trying to join to the Controller and the logs on the Controller. Looks like I have a setting wrong somewhere on the Controller that I am just missing.

*Mar  1 00:00:05.066: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
*Mar  1 00:00:06.275: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
*Mar  1 00:00:06.370: %LWAPP-3-CLIENTEVENTLOG: Read and initialized AP event log (contains, 144 messages)

*Mar  1 00:00:06.403:  status of voice_diag_test from WLC is false
*Mar  1 00:00:07.429:  STUB Called : crypto_ssl_init
*Mar  1 00:00:08.472: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
*Mar  1 00:00:08.533: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C1200 Software (C1200-K9W8-M), Version 12.4(23c)JA, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 01-Jun-10 11:44 by prod_rel_team
*Mar  1 00:00:08.621: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Mar  1 00:00:08.622: bsnInitRcbSlot: slot 1 has NO radio
*Mar  1 00:00:08.873: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Mar  1 00:00:08.873: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar  1 00:00:09.472: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
*Mar  1 00:00:09.876: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar  1 00:00:09.914: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
*Mar  1 00:00:09.927: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar  1 00:00:10.331: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar  1 00:00:16.997: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address 172.16.12.60, mask 255.255.255.0, hostname ap

*Mar  1 00:00:27.497:  status of voice_diag_test from WLC is false
*Mar  1 00:00:27.565: Logging LWAPP message to 255.255.255.255.

Translating "CISCO-CAPWAP-CONTROLLER.madden.com"...domain server (172.16.12.11)
*Mar  1 00:00:38.623: %CAPWAP-5-DHCP_OPTION_43: Controller address 172.16.12.12 obtained through DHCP

Translating "CISCO-LWAPP-CONTROLLER.madden.com"...domain server (172.16.12.11)

*Mar  1 00:00:38.623: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Mar  1 00:00:39.624: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
*Mar  1 00:00:39.626: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.madden.com
*Mar  1 00:00:39.629: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-LWAPP-CONTROLLER.madden.com
*Mar  1 00:00:50.632: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*May 17 21:33:14.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.12.13 peer_port: 5246
*May 17 21:33:15.002: %CAPWAP-5-CHANGED: CAPWAP changed state to 
*May 17 21:33:16.822: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.12.13 peer_port: 5246
*May 17 21:33:16.824: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.12.13
*May 17 21:33:16.824: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*May 17 21:33:21.823: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.12.13
*May 17 21:33:21.825: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.12.13
*May 17 21:33:21.825: %DTLS-5-PEER_DISCONNECT: Peer 172.16.12.13 has closed connection.
*May 17 21:33:21.826: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.12.13:5246
*May 17 21:33:21.827: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*May 17 21:33:14.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.12.13 peer_port: 5246
*May 17 21:33:14.001: %CAPWAP-5-CHANGED: CAPWAP changed state to 
*May 17 21:33:15.831: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.12.13 peer_port: 5246
*May 17 21:33:15.833: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.12.13
*May 17 21:33:15.833: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*May 17 21:33:20.832: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.12.13
*May 17 21:33:20.834: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.12.13
*May 17 21:33:20.834: %DTLS-5-PEER_DISCONNECT: Peer 172.16.12.13 has closed connection.
*May 17 21:33:20.834: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.12.13:5246
*May 17 21:33:20.836: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*May 17 21:33:13.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.1.105 peer_port: 5246
*May 17 21:33:13.001: %CAPWAP-5-CHANGED: CAPWAP changed state to 
*May 17 21:33:14.937: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.1.105 peer_port: 5246
*May 17 21:33:14.939: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.1.105
*May 17 21:33:14.939: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*May 17 21:33:15.184: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*May 17 21:33:18.402: %CAPWAP-5-CHANGED: CAPWAP changed state to DOWN
*May 17 21:33:18.404: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*May 17 21:33:18.478: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller INWDPWC01
*May 17 21:33:18.547: %LWAPP-3-CLIENTEVENTLOG: SSID Madden_Guest added to the slot[0]
*May 17 21:33:18.572: %LWAPP-3-CLIENTEVENTLOG: SSID LEX_Guest added to the slot[0]
*May 17 21:33:18.590: %LWAPP-3-CLIENTEVENTLOG: SSID Madden_Internal added to the slot[0]
*May 17 21:33:18.607: %LWAPP-3-CLIENTEVENTLOG: SSID LEX_HAND_SCANNERS added to the slot[0]
*May 17 21:33:18.632: %LWAPP-3-CLIENTEVENTLOG: SSID Madden_Zebra added to the slot[0]
*May 17 21:33:18.756: %WIDS-6-ENABLED: IDS Signature is loaded and enabled
*May 17 21:33:19.404: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down


(Cisco Controller) >debug capwap events enable

(Cisco Controller) >debug capwap errors enable

(Cisco Controller) >debug pm pki enable

(Cisco Controller) >
(Cisco Controller) >*sshpmLscTask: May 17 16:30:44.379: sshpmLscTask: LSC Task received a message 4
*sshpmLscTask: May 17 16:32:44.380: sshpmLscTask: LSC Task received a message 4
*spamReceiveTask: May 17 16:33:14.641: 00:16:47:75:19:30 Discovery Request from 172.16.12.60:28081

*spamReceiveTask: May 17 16:33:14.642: 00:16:47:75:19:30 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 50, joined Aps =0
*spamReceiveTask: May 17 16:33:14.643: 00:16:47:75:19:30 Discovery Response sent to 172.16.12.60:28081

*spamReceiveTask: May 17 16:33:14.643: 00:16:47:75:19:30 Discovery Request from 172.16.12.60:28081

*spamReceiveTask: May 17 16:33:14.643: 00:16:47:75:19:30 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 50, joined Aps =0
*spamReceiveTask: May 17 16:33:14.643: 00:16:47:75:19:30 Discovery Response sent to 172.16.12.60:28081

*spamReceiveTask: May 17 16:33:14.644: 00:16:47:75:19:30 Received LWAPP DISCOVERY REQUEST to 00:1b:d4:6b:bb:a0 on port '2'
*spamReceiveTask: May 17 16:33:14.644: 00:16:47:75:19:30 Discarding discovery request in LWAPP from AP supporting CAPWAP

*spamReceiveTask: May 17 16:33:25.638: 00:16:47:75:19:30 DTLS connection not found, creating new connection for 172:16:12:60 (28081) 172:16:12:13 (5246)

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCID: called to evaluate

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCertFromCID: called to get cert for CID 1824fb87

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultIdCert<

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCertFromCID: comparing to row 2, certname >cscoDefaultIdCert<

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCID: called to evaluate

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*spamReceiveTask: May 17 16:33:25.639: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*spamReceiveTask: May 17 16:33:25.640: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<

*spamReceiveTask: May 17 16:33:25.640: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<

*spamReceiveTask: May 17 16:33:25.640: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<

*spamReceiveTask: May 17 16:33:25.640: sshpmGetSshPrivateKeyFromCID: called to get key for CID 1824fb87

*spamReceiveTask: May 17 16:33:25.640: sshpmGetSshPrivateKeyFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<

*spamReceiveTask: May 17 16:33:25.640: sshpmGetSshPrivateKeyFromCID: comparing to row 1, certname >bsnDefaultIdCert<

*spamReceiveTask: May 17 16:33:25.640: sshpmGetSshPrivateKeyFromCID: comparing to row 2, certname >cscoDefaultIdCert<

*spamReceiveTask: May 17 16:33:25.640: sshpmGetSshPrivateKeyFromCID: match in row 2

*spamReceiveTask: May 17 16:33:25.793: sshpmGetIssuerHandles: locking ca cert table

*spamReceiveTask: May 17 16:33:25.793: sshpmGetIssuerHandles: calling x509_alloc() for user cert

*spamReceiveTask: May 17 16:33:25.793: sshpmGetIssuerHandles: calling x509_decode()

*spamReceiveTask: May 17 16:33:25.798: sshpmGetIssuerHandles: C=US, ST=California, L=San Jose, O=Cisco Systems, CN=C1200-0015fae6db09, MAILTO=support@cisco.com

*spamReceiveTask: May 17 16:33:25.798: sshpmGetIssuerHandles:   O=Cisco Systems, CN=Cisco Manufacturing CA

*spamReceiveTask: May 17 16:33:25.798: sshpmGetIssuerHandles: Mac Address in subject is 00:15:fa:e6:db:09

*spamReceiveTask: May 17 16:33:25.798: sshpmGetIssuerHandles: Cert Name in subject is C1200-0015fae6db09

*spamReceiveTask: May 17 16:33:25.798: sshpmGetIssuerHandles: Cert is issued by Cisco Systems.

*spamReceiveTask: May 17 16:33:25.798: sshpmGetCID: called to evaluate

*spamReceiveTask: May 17 16:33:25.798: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*spamReceiveTask: May 17 16:33:25.798: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*spamReceiveTask: May 17 16:33:25.798: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*spamReceiveTask: May 17 16:33:25.798: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*spamReceiveTask: May 17 16:33:25.798: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*spamReceiveTask: May 17 16:33:25.798: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*spamReceiveTask: May 17 16:33:25.798: sshpmGetCertFromCID: called to get cert for CID 26a39b4a

*spamReceiveTask: May 17 16:33:25.798: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<

*spamReceiveTask: May 17 16:33:25.798: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<

*spamReceiveTask: May 17 16:33:25.798: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<

*spamReceiveTask: May 17 16:33:25.798: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<

*spamReceiveTask: May 17 16:33:25.798: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<

*spamReceiveTask: May 17 16:33:25.798: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<

*spamReceiveTask: May 17 16:33:25.798: ssphmUserCertVerify: calling x509_decode()

*spamReceiveTask: May 17 16:33:25.806: ssphmUserCertVerify: user cert verfied using >cscoDefaultMfgCaCert<

*spamReceiveTask: May 17 16:33:25.806: sshpmGetIssuerHandles: ValidityString (current): 2012/05/17/21:33:25

*spamReceiveTask: May 17 16:33:25.806: sshpmGetIssuerHandles: ValidityString (NotBefore): 2006/01/17/19:00:47

*spamReceiveTask: May 17 16:33:25.807: sshpmGetIssuerHandles: ValidityString (NotAfter): 2016/01/17/19:10:47

*spamReceiveTask: May 17 16:33:25.807: sshpmGetIssuerHandles: getting cisco ID cert handle...

*spamReceiveTask: May 17 16:33:25.807: sshpmGetCID: called to evaluate

*spamReceiveTask: May 17 16:33:25.807: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*spamReceiveTask: May 17 16:33:25.807: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*spamReceiveTask: May 17 16:33:25.807: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*spamReceiveTask: May 17 16:33:25.807: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*spamReceiveTask: May 17 16:33:25.807: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*spamReceiveTask: May 17 16:33:25.807: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*spamReceiveTask: May 17 16:33:25.807: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<

*spamReceiveTask: May 17 16:33:25.807: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<

*spamReceiveTask: May 17 16:33:25.807: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<

*spamReceiveTask: May 17 16:33:25.808: sshpmFreePublicKeyHandle: called with 0x31b5178c

*spamReceiveTask: May 17 16:33:25.808: sshpmFreePublicKeyHandle: freeing public key

*spamReceiveTask: May 17 16:33:27.455: 00:16:47:75:19:30 DTLS Session established server (172.16.12.13:5246), client (172.16.12.60:28081)
*spamReceiveTask: May 17 16:33:27.455: 00:16:47:75:19:30 Starting wait join timer for AP: 172.16.12.60:28081

*spamReceiveTask: May 17 16:33:27.460: 00:16:47:75:19:30 Join Request from 172.16.12.60:28081

*spamReceiveTask: May 17 16:33:27.462: 00:16:47:75:19:30 Deleting AP entry 172.16.12.60:28081 from temporary database.
*spamReceiveTask: May 17 16:33:27.462: 00:16:47:75:19:30 MIC AP is not allowed to join by config

*spamReceiveTask: May 17 16:33:27.462: 00:16:47:75:19:30 State machine handler: Failed to process  msg type = 3 state = 0 from 172.16.12.60:28081

*spamReceiveTask: May 17 16:33:27.462: 00:16:47:75:19:30 Failed to parse CAPWAP packet from 172.16.12.60:28081

*spamReceiveTask: May 17 16:33:32.456: 00:16:47:75:19:30 Join Request from 172.16.12.60:28081

*spamReceiveTask: May 17 16:33:32.456: 00:16:47:75:19:30 Join request received from AP which is already present. Deleting previous connection 172.16.12.60:28081

*spamReceiveTask: May 17 16:33:32.457: 00:16:47:75:19:30 Multiple Join Request: Join request received from AP which is already present. Deleting previous conne
*spamReceiveTask: May 17 16:33:32.457: 00:16:47:75:19:30 Finding DTLS connection to delete for AP (172:16:12:60/28081)
*spamReceiveTask: May 17 16:33:32.457: 00:16:47:75:19:30 Disconnecting DTLS Capwap-Ctrl session 0x13869100 for AP (172:16:12:60/28081)

*spamReceiveTask: May 17 16:33:32.457: 00:16:47:75:19:30 CAPWAP State: Dtls tear down

*spamReceiveTask: May 17 16:33:32.459: 00:16:47:75:19:30 DTLS connection not found. Ignoring join request from 172.16.12.60:28081

*spamReceiveTask: May 17 16:33:32.459: 00:16:47:75:19:30 State machine handler: Failed to process  msg type = 3 state = 0 from 172.16.12.60:28081

*spamReceiveTask: May 17 16:33:32.459: 00:16:47:75:19:30 Failed to parse CAPWAP packet from 172.16.12.60:28081

*spamReceiveTask: May 17 16:33:32.459: 00:16:47:75:19:30 DTLS connection closed event receivedserver (172:16:12:13/5246) client (172:16:12:60/28081)
*spamReceiveTask: May 17 16:33:32.459: 00:16:47:75:19:30 No entry exists for AP (172:16:12:60/28081)
*spamReceiveTask: May 17 16:33:32.459: 00:16:47:75:19:30 No AP entry exist in temporary database for 172.16.12.60:28081
*spamReceiveTask: May 17 16:33:32.459: 00:16:47:75:19:30 Discarding non-ClientHello Handshake OR DTLS encrypted packet from  172.16.12.60:28081)since DTLS session is not established

*spamReceiveTask: May 17 16:33:32.462: 00:16:47:75:19:30 DTLS connection not found, creating new connection for 172:16:12:60 (28081) 172:16:12:13 (5246)

*spamReceiveTask: May 17 16:33:32.462: sshpmGetCID: called to evaluate

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCertFromCID: called to get cert for CID 1824fb87

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultIdCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCertFromCID: comparing to row 2, certname >cscoDefaultIdCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCID: called to evaluate

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetSshPrivateKeyFromCID: called to get key for CID 1824fb87

*spamReceiveTask: May 17 16:33:32.463: sshpmGetSshPrivateKeyFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetSshPrivateKeyFromCID: comparing to row 1, certname >bsnDefaultIdCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetSshPrivateKeyFromCID: comparing to row 2, certname >cscoDefaultIdCert<

*spamReceiveTask: May 17 16:33:32.463: sshpmGetSshPrivateKeyFromCID: match in row 2

*spamReceiveTask: May 17 16:33:32.614: sshpmGetIssuerHandles: locking ca cert table

*spamReceiveTask: May 17 16:33:32.614: sshpmGetIssuerHandles: calling x509_alloc() for user cert

*spamReceiveTask: May 17 16:33:32.614: sshpmGetIssuerHandles: calling x509_decode()

*spamReceiveTask: May 17 16:33:32.619: sshpmGetIssuerHandles: C=US, ST=California, L=San Jose, O=Cisco Systems, CN=C1200-0015fae6db09, MAILTO=support@cisco.com

*spamReceiveTask: May 17 16:33:32.619: sshpmGetIssuerHandles:   O=Cisco Systems, CN=Cisco Manufacturing CA

*spamReceiveTask: May 17 16:33:32.619: sshpmGetIssuerHandles: Mac Address in subject is 00:15:fa:e6:db:09

*spamReceiveTask: May 17 16:33:32.619: sshpmGetIssuerHandles: Cert Name in subject is C1200-0015fae6db09

*spamReceiveTask: May 17 16:33:32.619: sshpmGetIssuerHandles: Cert is issued by Cisco Systems.

*spamReceiveTask: May 17 16:33:32.619: sshpmGetCID: called to evaluate

*spamReceiveTask: May 17 16:33:32.619: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*spamReceiveTask: May 17 16:33:32.619: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*spamReceiveTask: May 17 16:33:32.619: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*spamReceiveTask: May 17 16:33:32.619: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*spamReceiveTask: May 17 16:33:32.619: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*spamReceiveTask: May 17 16:33:32.619: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*spamReceiveTask: May 17 16:33:32.619: sshpmGetCertFromCID: called to get cert for CID 26a39b4a

*spamReceiveTask: May 17 16:33:32.619: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<

*spamReceiveTask: May 17 16:33:32.619: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<

*spamReceiveTask: May 17 16:33:32.619: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<

*spamReceiveTask: May 17 16:33:32.619: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<

*spamReceiveTask: May 17 16:33:32.619: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<

*spamReceiveTask: May 17 16:33:32.619: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<

*spamReceiveTask: May 17 16:33:32.619: ssphmUserCertVerify: calling x509_decode()

*spamReceiveTask: May 17 16:33:32.627: ssphmUserCertVerify: user cert verfied using >cscoDefaultMfgCaCert<

*spamReceiveTask: May 17 16:33:32.627: sshpmGetIssuerHandles: ValidityString (current): 2012/05/17/21:33:32

*spamReceiveTask: May 17 16:33:32.627: sshpmGetIssuerHandles: ValidityString (NotBefore): 2006/01/17/19:00:47

*spamReceiveTask: May 17 16:33:32.627: sshpmGetIssuerHandles: ValidityString (NotAfter): 2016/01/17/19:10:47

*spamReceiveTask: May 17 16:33:32.627: sshpmGetIssuerHandles: getting cisco ID cert handle...

*spamReceiveTask: May 17 16:33:32.627: sshpmGetCID: called to evaluate

*spamReceiveTask: May 17 16:33:32.627: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*spamReceiveTask: May 17 16:33:32.627: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*spamReceiveTask: May 17 16:33:32.627: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*spamReceiveTask: May 17 16:33:32.627: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*spamReceiveTask: May 17 16:33:32.627: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*spamReceiveTask: May 17 16:33:32.627: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*spamReceiveTask: May 17 16:33:32.627: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<

*spamReceiveTask: May 17 16:33:32.627: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<

*spamReceiveTask: May 17 16:33:32.627: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<

*spamReceiveTask: May 17 16:33:32.628: sshpmFreePublicKeyHandle: called with 0x31b53840

*spamReceiveTask: May 17 16:33:32.628: sshpmFreePublicKeyHandle: freeing public key

*spamReceiveTask: May 17 16:33:34.288: 00:16:47:75:19:30 DTLS Session established server (172.16.12.13:5246), client (172.16.12.60:28081)
*spamReceiveTask: May 17 16:33:34.288: 00:16:47:75:19:30 Starting wait join timer for AP: 172.16.12.60:28081

*spamReceiveTask: May 17 16:33:34.293: 00:16:47:75:19:30 Join Request from 172.16.12.60:28081

*spamReceiveTask: May 17 16:33:34.294: 00:16:47:75:19:30 Deleting AP entry 172.16.12.60:28081 from temporary database.
*spamReceiveTask: May 17 16:33:34.294: 00:16:47:75:19:30 MIC AP is not allowed to join by config

*spamReceiveTask: May 17 16:33:34.294: 00:16:47:75:19:30 State machine handler: Failed to process  msg type = 3 state = 0 from 172.16.12.60:28081

*spamReceiveTask: May 17 16:33:34.294: 00:16:47:75:19:30 Failed to parse CAPWAP packet from 172.16.12.60:28081

*spamReceiveTask: May 17 16:33:39.289: 00:16:47:75:19:30 Join Request from 172.16.12.60:28081

*spamReceiveTask: May 17 16:33:39.289: 00:16:47:75:19:30 Join request received from AP which is already present. Deleting previous connection 172.16.12.60:28081

*spamReceiveTask: May 17 16:33:39.289: 00:16:47:75:19:30 Multiple Join Request: Join request received from AP which is already present. Deleting previous conne
*spamReceiveTask: May 17 16:33:39.289: 00:16:47:75:19:30 Finding DTLS connection to delete for AP (172:16:12:60/28081)
*spamReceiveTask: May 17 16:33:39.289: 00:16:47:75:19:30 Disconnecting DTLS Capwap-Ctrl session 0x138691e8 for AP (172:16:12:60/28081)

*spamReceiveTask: May 17 16:33:39.289: 00:16:47:75:19:30 CAPWAP State: Dtls tear down

*spamReceiveTask: May 17 16:33:39.291: 00:16:47:75:19:30 DTLS connection not found. Ignoring join request from 172.16.12.60:28081

*spamReceiveTask: May 17 16:33:39.291: 00:16:47:75:19:30 State machine handler: Failed to process  msg type = 3 state = 0 from 172.16.12.60:28081

*spamReceiveTask: May 17 16:33:39.291: 00:16:47:75:19:30 Failed to parse CAPWAP packet from 172.16.12.60:28081

*spamReceiveTask: May 17 16:33:39.291: 00:16:47:75:19:30 DTLS connection closed event receivedserver (172:16:12:13/5246) client (172:16:12:60/28081)
*spamReceiveTask: May 17 16:33:39.291: 00:16:47:75:19:30 No entry exists for AP (172:16:12:60/28081)
*spamReceiveTask: May 17 16:33:39.291: 00:16:47:75:19:30 No AP entry exist in temporary database for 172.16.12.60:28081
*spamReceiveTask: May 17 16:33:39.292: 00:16:47:75:19:30 Discarding non-ClientHello Handshake OR DTLS encrypted packet from  172.16.12.60:28081)since DTLS session is not established

Correct Answer
Amandeep Mann Thu, 05/17/2012 - 15:25

From the debug it seems as if WLC may be authorizing Lightweight APs via an Auth-list or AAA.

Check these settings here:

Web GUI > Security > AAA > AP Policies

Seems as if your APs are set to be authorized via an auth-list or AAA.

Try unchecking the following option:

Authorize MIC APs against auth-list or AAA

Correct Answer
maldehne Fri, 05/18/2012 - 00:14

In the logs I can see the following message:

MIC AP is not allowed to join by config

So please make sure that the accept Manufactured Installed Certificate option is selected.

Security --> AAA --> AP Policies
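The rejection both answers point to can be pulled out of a long capture automatically. The following is an added example, not part of the original thread: it parses lines excerpted from the debug output above and reports, per AP MAC, whether the join was refused by AP policy after the DTLS handshake had already succeeded. The function names `summarize` and `diagnose` are hypothetical.

```python
import re
from collections import defaultdict

# Lines excerpted from the debug output posted in this thread.
SAMPLE = """\
*spamReceiveTask: May 17 16:33:25.806: ssphmUserCertVerify: user cert verfied using >cscoDefaultMfgCaCert<
*spamReceiveTask: May 17 16:33:27.455: 00:16:47:75:19:30 DTLS Session established server (172.16.12.13:5246), client (172.16.12.60:28081)
*spamReceiveTask: May 17 16:33:27.460: 00:16:47:75:19:30 Join Request from 172.16.12.60:28081
*spamReceiveTask: May 17 16:33:27.462: 00:16:47:75:19:30 MIC AP is not allowed to join by config
*spamReceiveTask: May 17 16:33:32.456: 00:16:47:75:19:30 Join Request from 172.16.12.60:28081
*spamReceiveTask: May 17 16:33:32.459: 00:16:47:75:19:30 DTLS connection not found. Ignoring join request from 172.16.12.60:28081
*spamReceiveTask: May 17 16:33:34.288: 00:16:47:75:19:30 DTLS Session established server (172.16.12.13:5246), client (172.16.12.60:28081)
*spamReceiveTask: May 17 16:33:34.293: 00:16:47:75:19:30 Join Request from 172.16.12.60:28081
*spamReceiveTask: May 17 16:33:34.294: 00:16:47:75:19:30 MIC AP is not allowed to join by config
"""

# "*task: <timestamp>: <AP MAC> <message>"; certificate-store lines have no MAC.
LINE = re.compile(r"^\*\w+: (\w{3} +\d+ [\d:.]+): ((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (.*)$")
EVENTS = {
    "dtls_up": "DTLS Session established",
    "join_req": "Join Request from",
    "policy_reject": "is not allowed to join by config",
}

def summarize(text):
    """Count join-phase events per AP MAC and keep each policy rejection."""
    aps = defaultdict(lambda: {"dtls_up": 0, "join_req": 0, "policy_reject": 0, "reasons": []})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # no AP MAC on this line, nothing to attribute
        ts, mac, msg = m.groups()
        for key, needle in EVENTS.items():
            if needle in msg:
                aps[mac][key] += 1
                if key == "policy_reject":
                    aps[mac]["reasons"].append((ts, msg))
    return dict(aps)

def diagnose(stats):
    """DTLS up plus a policy reject: the certificate was accepted, AP policy blocked the join."""
    if stats["policy_reject"] and stats["dtls_up"]:
        return "rejected by AP policy after successful DTLS handshake"
    if stats["join_req"] and not stats["dtls_up"]:
        return "join attempted without an established DTLS session"
    return "no rejection seen"
```

An AP that shows this result should be checked against the settings under Security > AAA > AP Policies named in the answers.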

David Graham Fri, 05/18/2012 - 07:37

These both ended up working. On my old controller all of these were turned off. I had them all turned on on the new server (not sure why since I was comparing the two so that they would match). But, going off the first post I went ahead and blew away everything which matched my other controller which ended up failing. I then went ahead and matched the settings shown in the screen shot and now I am getting connections. I was originally working off the email updates which do not include the graphic, so that slowed me down some.

Thanks to all for the help. And those debug commands were excellent. Thanks to everyone!

This Discussion

Posted May 11, 2012 at 7:48 AM