"AP fails to join controller" - Lightweight Access Point (LAP) fails to join Wireless LAN controller (WLC)


Aug 8, 2011 7:14 AM


Introduction

This document gives an overview of the Wireless LAN Controller discovery and join process and covers some of the reasons why a Lightweight Access Point fails to join a WLC. It also shows how to troubleshoot these issues in different practical scenarios faced by Cisco customers.

Problem Description

A Lightweight Access Point (LAP) does not join a Wireless LAN Controller (WLC). Before we discuss the different troubleshooting scenarios, we need to understand what is happening behind the scenes and what the expected behavior is when discovery and joining happen.

Overview - WLC Discovery and Join Process

In order for an LAP to register to a WLC, this sequence of events takes place:

  1. The LAP issues a DHCP discovery request to get an IP address, unless it has previously had a static IP address configured.
  2. The LAP sends LWAPP discovery request messages to the WLCs.
  3. Any WLC that receives the LWAPP discovery request responds with an LWAPP discovery response message.
  4. From the LWAPP discovery responses that the LAP receives, the LAP selects a WLC to join.
  5. The LAP then sends an LWAPP join request to the WLC and expects an LWAPP join response.
  6. The WLC validates the LAP and then sends an LWAPP join response to the LAP.
  7. The LAP validates the WLC, which completes the discovery and join process. The LWAPP join process includes mutual authentication and encryption key derivation, which is used to secure the join process and future LWAPP control messages.
  8. The LAP registers with the controller.



How does the LAP determine where to send the LWAPP discovery requests (step 2)? The LAP uses a discovery algorithm in order to determine the list of WLCs to which the LAP can send the discovery request messages. This procedure describes the hunting process:

  1. The LAP issues a DHCP request to a DHCP server in order to get an IP address, unless an assignment was made previously with a static IP address.
  2. If Layer 2 LWAPP mode is supported on the LAP, the LAP broadcasts an LWAPP discovery message in a Layer 2 LWAPP frame.
       • Any WLC that is connected to the network and that is configured for Layer 2 LWAPP mode responds with a Layer 2 discovery response.
       • If the LAP does not support Layer 2 mode, or if the WLC or the LAP fails to receive an LWAPP discovery response to the Layer 2 LWAPP discovery message broadcast, the LAP proceeds to step 3.
  3. If step 1 fails, or if the LAP or the WLC does not support Layer 2 LWAPP mode, the LAP attempts a Layer 3 LWAPP WLC discovery.
  4. If step 3 fails, the LAP resets and returns to step 1.

Layer 2 LWAPP WLC Discovery Algorithm

LWAPP communication between the AP and the WLC can be in native, Layer 2 Ethernet frames. This is known as Layer 2 LWAPP mode.

Note:- Layer 2 LWAPP mode is not supported on Cisco 2000 Series WLCs. These WLCs support only Layer 3 LWAPP mode.

The LAPs that support Layer 2 LWAPP mode broadcast an LWAPP discovery request message in a Layer 2 LWAPP frame. If there is a WLC in the network configured for Layer 2 LWAPP mode, the controller responds with a discovery response.

The LAP then moves to the join phase. This debug lwapp events enable command output shows the sequence of events that occur when a LAP using Layer 2 LWAPP mode registers with the WLC:-

[Image 1.jpg: debug lwapp events enable output]

Layer 3 LWAPP WLC Discovery Algorithm

The LAPs use the Layer 3 discovery algorithm if the Layer 2 discovery method is not supported or if the Layer 2 discovery method fails. The Layer 3 discovery algorithm uses different options in order to attempt to discover WLCs.

The Layer 3 LWAPP WLC discovery algorithm is used to build a controller list. After a controller list is built, the AP selects a WLC and attempts to join the WLC.

The LWAPP Layer 3 WLC discovery algorithm repeats until at least one WLC is found and joined.

After the LAP gets an IP address from the DHCP server, the LAP begins this discovery process:

  • The LAP broadcasts a Layer 3 LWAPP discovery message on the local IP subnet. Any WLC that is configured for Layer 3 LWAPP mode and that is connected to the same local subnet receives the Layer 3 LWAPP discovery message.
  • Each of the WLCs that receives the LWAPP discovery message replies with a unicast LWAPP discovery response message to the LAP.


When the LAP powers up, it sends out a DHCP request, with the hope that a DHCP server will provide an IP address. After the LAP gets an IP address from the DHCP server, the LAP broadcasts a Layer 3 LWAPP discovery message on to its local subnet. Because the WLC is also on the same subnet, the WLC receives the LWAPP discovery request from the LAP and responds with a Layer 3 LWAPP discovery response.

(Cisco Controller) >debug lwapp events enable

Mon May 22 12:00:21 2006: Received LWAPP DISCOVERY REQUEST from AP 00:0b:85:5b:fb:d0 to ff:ff:ff:ff:ff:ff on port '1'

Mon May 22 12:00:21 2006: Successful transmission of LWAPP Discovery-Response to AP 00:0b:85:5b:fb:d0 on Port 1

Troubleshooting Scenario 1

A 1200 series AP is unable to join a 4402 controller running version 5.2.178. The AP was just converted from autonomous to LWAPP.

Here is what the AP is showing when it is booting up and fails to join.

*Apr 13 16:48:04.012: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Apr 13 16:48:04.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 1.1.1.3 peer_port: xxyy

*Apr 13 16:48:04.001: %CAPWAP-5-CHANGED: CAPWAP changed state to

*Apr 13 16:48:05.715: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 1.1.1.3

*Apr 13 16:48:05.715: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.

*Apr 13 16:48:05.715: %DTLS-5-PEER_DISCONNECT: Peer 1.1.1.3 has closed connection.

*Apr 13 16:48:05.716: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 1.1.1.3:xxyy

*Apr 13 16:48:05.717: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

1. Solution

If you use the Cisco Aironet to LWAPP conversion tool, check the directory where the upgrade tool is installed and see whether it created a .csv file that contains the SSC for the AP. Then manually add that SSC to the WLC under Security > AP Policies.

Troubleshooting Scenario 2




A 1231 LAP is unable to join a WiSM running 6.0.199.4. The SSC key (the SHA key) from the upgrade tool was added to both controllers under Security > AP Policies, and the AP still will not come up.

Here is what the AP is showing when it is booting up and fails to join.

*Mar 25 16:14:07.720: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

*Mar 25 16:15:11.129: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY

*Mar 25 16:15:11.130: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY

*Mar 25 16:15:11.130: bsnInitRcbSlot: slot 1 has NO radio

*Mar 25 16:15:11.145: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down

*Mar 25 16:15:11.165: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up

*Mar 25 16:15:11.167: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset

*Mar 25 16:15:11.179: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up

*Mar 25 16:15:11.185: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset

*Mar 25 16:15:11.197: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up

*Mar 25 16:15:21.164: %CAPWAP-3-ERRORLOG: Selected MWAR 'c6509-2-wism-8-2'(index 0).

*Mar 25 16:15:21.164: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Mar 25 16:15:23.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 1.1.1.2 peer_port: xxyy

*Mar 25 16:15:23.002: %CAPWAP-5-CHANGED: CAPWAP changed state to

*Mar 25 16:15:24.804: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip:1.1.1.2 peer_port: xxyy

*Mar 25 16:15:24.806: %CAPWAP-5-SENDJOIN: sending Join Request to 1.1.1.2

*Mar 25 16:15:24.807: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN

*Mar 25 16:15:24.811: %DTLS-5-ALERT: Received WARNING : Close notify alert from 1.1.1.2

*Mar 25 16:15:24.811: %DTLS-5-PEER_DISCONNECT: Peer 192.168.251.184 has closed connection.

*Mar 25 16:15:24.811: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 1.1.1.2:xxyy

1. Solution

In some cases, when the time is set incorrectly on different WLCs within a mobility group, APs fail to join these WLCs due to the mismatch and do not join the desired controller. Most of the time, the APs join the controller after the time is corrected.

Troubleshooting Scenario 3

After conversion to LWAPP, the AP shows this error message:

*Mar 1 00:00:23.535: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY

*Mar 1 00:00:23.550: LWAPP_CLIENT_ERROR_DEBUG: lwapp_crypto_init_ssc_keys_and_certs no certs in the SSC Private File

*Mar 1 00:00:23.550: LWAPP_CLIENT_ERROR_DEBUG:

*Mar  00:00:23.551: lwapp_crypto_init: PKI_StartSession failed

*Mar 1 00:00:23.720: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: FAILED CRYPTO INIT.

*Mar 1 00:00:23.721: %LWAPP-5-CHANGED: LWAPP changed state to DOWN

The AP reloads after 30 seconds and starts the process over again.

1. Solution

This is an SSC AP. Convert it back to an autonomous IOS image. Clear the configuration by issuing the write erase command and reload. Do not save the configuration when reloading.

Troubleshooting Scenario 4



Dropping primary discovery request from AP XX:AA:BB:XX:DD:DD - maximum APs joined 6/6

1. Solution

There is a limit to the number of LAPs that a WLC can support. The limit depends on the model and platform. This error message is seen on the WLC when it receives a discovery request after it has reached its maximum AP capacity.

Here is the number of LAPs supported on the different WLC platforms and models:

  • The 2100 series controller supports up to 6, 12, or 25 LAPs, depending on the model of the WLC.
  • The 4402 supports up to 50 LAPs, while the 4404 supports up to 100. This makes it ideal for large-sized enterprises and large-density applications.
  • The Catalyst 6500 Series Wireless Services Module (WiSM) is an integrated Catalyst 6500 switch and two Cisco 4404 controllers that supports up to 300 LAPs.
  • The Cisco 7600 Series Router WiSM is an integrated Cisco 7600 router and two Cisco 4404 controllers that supports up to 300 LAPs.
  • The Cisco 28/37/38xx Series Integrated Services Router is an integrated 28/37/38xx router and Cisco controller network module that supports up to 6, 8, 12, or 25 LAPs, depending on the version of the network module. The versions that support 8, 12, or 25 APs and the NME-AIR-WLC6-K9 6-access-point version feature a high-speed processor and more on-board memory than the NM-AIR-WLC6-K9 6-access-point version.
  • The Catalyst 3750G Integrated WLC Switch is an integrated Catalyst 3750 switch and Cisco 4400 series controller that supports up to 25 or 50 LAPs.

Troubleshooting Scenario 5

When UK and US were added together on the WLC, a message box showed the error "Mesh APs are not currently supported for multiple country configuration. Use single country configuration or remove Mesh APs from the network".

1. Solution

Mesh access points do not support multiple country codes. If you have configured multiple country codes, then the Mesh APs will not join the controller.

The link below explains the guidelines to follow while configuring country codes: http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/

Troubleshooting Scenario 6

The following errors appear on an access point, model AIR-AP1242AG-E-K9:

*Jun 16 13:08:02.392: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN

*Jun 16 13:08:02.493: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG

*Jun 16 13:08:02.493: %CAPWAP-3-ERRORLOG: Starting config timer

*Jun 16 13:08:02.496: %DTLS-5-ALERT: Received WARNING : Close notify alert from x.y.z.v

*Jun 16 13:08:02.496: %DTLS-5-PEER_DISCONNECT: Peer x.y.z.x has closed connection.

*Jun 16 13:08:02.497: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to x.y.z.x:xxxx

1. Solution


The access point model is AIR-AP1242AG-E-K9. The -E is the regulatory domain, which means the AP is designed to operate in European countries. The controller is configured by default with US as the country code, which has a different set of FCC regulations.

If the access points are to be installed in Europe, add your country code to the list of countries on the WLC; this should resolve the issue.

To change the country code, from the GUI of the WLC, go to Wireless -> Country and select or add your country.
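
As an added example (not code from the original document or from Cisco), the following Python script maps the log signatures shown in Scenarios 1, 2, 3, 4 and 6 above to the likely cause given for each. The function name `triage`, the rule tables, and the choice to key a Close notify alert on the last CAPWAP state are assumptions made for illustration.

```python
import re

# Message patterns are quoted from the log excerpts on this page; each cause
# paraphrases that scenario's solution. Keying "Close notify" on the last CAPWAP
# state is an assumption drawn only from the Scenario 2 and 6 excerpts.
STATE = re.compile(r"(?:CAPWAP|LWAPP) changed state to (\w+)")
CLOSE_NOTIFY = re.compile(r"Received WARNING : Close notify alert")
DIRECT = [
    (re.compile(r"Certificate unknown alert"), 1,
     "SSC not authorized: add it on the WLC under Security > AP Policies"),
    (re.compile(r"no certs in the\s+SSC Private File|FAILED CRYPTO INIT"), 3,
     "SSC AP failed crypto init: revert to autonomous IOS, write erase, reload"),
    (re.compile(r"maximum APs joined"), 4, "WLC has reached its maximum AP capacity"),
]
BY_STATE = {
    "JOIN": (2, "closed right after the join request: check time on all WLCs"),
    "CFG": (6, "closed during config: check AP regulatory domain vs WLC country"),
}

def triage(lines):
    """Return ordered, de-duplicated (scenario, likely cause) pairs for a log."""
    state, findings = None, []
    for line in lines:
        m = STATE.search(line)
        if m:
            state = m.group(1)  # remember how far the join process got
            continue
        hits = [(n, why) for pat, n, why in DIRECT if pat.search(line)]
        if CLOSE_NOTIFY.search(line) and state in BY_STATE:
            hits.append(BY_STATE[state])
        findings += [h for h in hits if h not in findings]
    return findings

# Sample input: lines abridged from the excerpts above, wrapped lines rejoined.
SAMPLES = {
    1: ["%CAPWAP-5-CHANGED: CAPWAP changed state to",
        "%DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 1.1.1.3",
        "%DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 1.1.1.3:xxyy"],
    2: ["%CAPWAP-5-SENDJOIN: sending Join Request to 1.1.1.2",
        "%CAPWAP-5-CHANGED: CAPWAP changed state to JOIN",
        "%DTLS-5-ALERT: Received WARNING : Close notify alert from 1.1.1.2"],
    3: ["%LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY",
        "lwapp_crypto_init_ssc_keys_and_certs no certs in the SSC Private File",
        "Reload Reason: FAILED CRYPTO INIT."],
    4: ["Dropping primary discovery request from AP XX:AA:BB:XX:DD:DD - maximum APs joined 6/6"],
    6: ["%CAPWAP-5-CHANGED: CAPWAP changed state to JOIN",
        "%CAPWAP-5-CHANGED: CAPWAP changed state to CFG",
        "%DTLS-5-ALERT: Received WARNING : Close notify alert from x.y.z.v"],
}
```

Calling `triage(SAMPLES[2])` returns the Scenario 2 finding, while the same Close notify line with no preceding state change returns nothing, so a bare DTLS teardown is not misattributed.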

Tips and Tricks

If you face issues in getting an AP to discover the controller dynamically, you can enter the commands given below to add the IP address of the controller statically on the access point.

To enable console access on a lightweight AP:

Command: debug lwapp console cli

To add the controller IP address statically:

Command: lwapp ap controller ip address <ip address>

Note that if your controller is running a version beyond 5.2, use "capwap" in the commands instead of "lwapp".

Debugging CAPWAP

Use these CLI commands to obtain CAPWAP debug information:

  • debug capwap events {enable | disable}: Enables or disables debugging of CAPWAP events.
  • debug capwap errors {enable | disable}: Enables or disables debugging of CAPWAP errors.
  • debug capwap detail {enable | disable}: Enables or disables debugging of CAPWAP details.
  • debug capwap info {enable | disable}: Enables or disables debugging of CAPWAP information.
  • debug capwap packet {enable | disable}: Enables or disables debugging of CAPWAP packets.
  • debug capwap payload {enable | disable}: Enables or disables debugging of CAPWAP payloads.
  • debug capwap hexdump {enable | disable}: Enables or disables debugging of the CAPWAP hexadecimal dump.

Source

https://supportforums.cisco.com/message/3323594
