LWAPP Join Failed (migrated Cisco AP1230)

vergeerf · ‎06-22-2006

After a succesfull migration of a Cisco AIR-AP1231G-E-K9 to LWAPP this AP is not able to join the controller (4402)

I receive the following error message (we use the DNS solution for finding the controller which seems to work)

*Mar 1 00:00:05.377: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up

*Mar 1 00:00:06.377: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up

*Mar 1 00:00:23.401: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY

Translating "CISCO-LWAPP-CONTROLLER.ict.hva.nl"...domain server (x.x.x.x) [OK]

*Mar 1 00:00:31.549: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address x.x.x.x, mask 255.255.255.224, hostname AP1012.0128.6100

*Mar 1 00:00:44.545: %LWAPP-5-CHANGED: LWAPP changed state to JOIN

*Mar 1 00:00:49.545: LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not recieve the Join response

*Mar 1 00:00:49.545: LWAPP_CLIENT_ERROR_DEBUG: No more AP manager IP addresses remain.

*Mar 1 00:00:49.545: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET JOIN RESPONSE.

*Mar 1 00:00:49.546: %LWAPP-5-CHANGED: LWAPP changed state to DOWN

Rob Huffman · ‎06-23-2006

Hi Frank,

Is this the only AP that won't join the WLC? If you have others that were successful how many?

Please let me know.

Rob

vergeerf · ‎06-23-2006

Hi Rob,

None of the migrated AP's is able to join the contoller. (It has a supported radio, because I know that the older radio modules are not supported)

The migration was done by using the conversion tool.

Frank

Rob Huffman · ‎06-23-2006

Hi Frank,

Maybe you are running into this;

Field Notice: FN - 62379 - Wireless LAN Controller Network Module does not Authenticate with Cisco/Airespace Access Points - Hardware Upgrade

Problem Description

Wireless LAN Controller Network Modules NM-AIR-WLC6-K9 and NM-AIR-WLC6-K9= were shipped with incorrect certificates, causing the WLCNM to not be authenticated by Cisco/Airespace Access Points. Wireless LAN Controller Network Modules shipped between February 1, 2006 and March 22, 2006 are affected. A manufacturing process failure did not copy the correct certificates to WLCNM devices. The incorrect certificate creates an RSA key mismatch, which causes LWAPP-based Access Points to fail to join/associate/register to WLCNM.

Background

On March 20, 2006, a bug was logged indicating that Access Points were not authenticating to NM-AIR-WLC6-K9 or NM-AIR-WLC6-K9= network modules. It was found that an RSA key mismatch causes LWAPP-based Access Points to fail to join/associate/register to WLCNM. The cause of the incorrect certificate was related to a manufacturing process failure which prevented copying of the correct certificate to WLCNM devices. The manufacturing anomaly has since been corrected and Wireless LAN Controller Network Modules produced as of March 23, 2006 should no longer experience this problem.

Access point console log will show it is unable to decode the JOIN response:

LWAPP_CLIENT_ERROR_DEBUG: peer RSA public key decrypt failed

LWAPP_CLIENT_ERROR_DEBUG: spamDecodeJoinReply :

sessionId 0x7E7F8081 does not match sent 0xDD2439D8

LWAPP_CLIENT_ERROR_DEBUG: Unable to decode join reply

LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not recieve the Join response

LWAPP_CLIENT_ERROR_DEBUG: No more AP manager IP addresses remain.

%SYS-5-RELOAD: Reload requested by LWAPP CLIENT.

Reload Reason: DID NOT GET JOIN RESPONSE.

%LWAPP-5-CHANGED: LWAPP changed state to DOWN

Workaround/Solution

Replace the affected hardware using the Upgrade Form at the bottom of this field notice. As of approximately March 23, 2006, new products that were manufactured are guaranteed to be free of this problem. To ensure an RMA replacement is not affected by this problem, use the Upgrade Form below.

This upgrade program is scheduled to expire on March 31, 2007. After the upgrade program expires, customers may only replace product which has actually failed. Replacements for failed products will be through the standard RMA process.

Replacements fulfilled through this upgrade process typically take three business days or more to arrive on-site. Therefore, service level agreements do not apply to replacements obtained using the upgrade form.

From this doc;

http://www.cisco.com/en/US/products/hw/routers/ps282/products_field_notice09186a008065afe7.shtml

Hope this helps!

Rob

Please remember to rate helpful posts............

vergeerf · ‎07-04-2006

I have a different model WLC, so this fieldnotice is not applicable. Any idea what's going on?

Rob Huffman · ‎07-05-2006

Hi Frank,

Just curious, this log shows a date of Mar 1 @ 00:00:05 was this the actual time and date of the attempt? I'm running out of ideas here, but I do know that the time and date is very important;

The WLC time should be synchronized with the machine that hosts the upgrade utility. The upgrade utility configures the access point to generate a self-signed certificate with a validity interval, beginning with the machine time of the utility host or a time specified at run-time. If the WLC time is outside the validity interval of the SSC, the access point cannot join the controller. To configure the WLC time, use the WLC web-interface found by choosing Commands > Set Time

From this excellent doc;

http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00804fc3dc.html#wp156967

Hope this helps!

Rob

Stephen Rodriguez · ‎07-05-2006

what version of code are you on?

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

sungy · ‎07-05-2006

Verify SSC for 1230 is in AP polices -> AP authorization list. Verify you are running the latest MR2 release, 3.2.150.6. The time thing that previous poster mention should be checked.

hope this helps.

ys