Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

2602i LAPs Refuse to Join Controller

I've been fighting this for two days and am not getting anywhere. I have followed the documentation setting up the mobility controller on the Catalyst 3850 switches (which are basically the same as the 5508 standalone controller), as well as the Lightweight Access Point configuration guides. I have a switch setup as the WLC. The RTU licenses were purchased and I've accepted the EULA on the switch and enabled them. Both the switch and the 2602 APs are brand new out of the box. Typical wired communications all work flawlessly. I have setup the CISCO-CAPWAP-CONTROLLER.localdomain DNS entry. The LAPs receive an IP address from the DHCP server, then they successfully get the IP address for the controller from DNS. Below is the output I get from console of the AP, repeated over and over.

*Sep  4 19:26:58.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.1.8.3 peer_port: 5246

*Sep  4 19:26:58.223: %CAPWAP-5-SENDJOIN: sending Join Request to 10.1.8.3

*Sep  4 19:26:58.235: %DTLS-5-ALERT: Received WARNING : Close notify alert from 10.1.8.3

*Sep  4 19:26:58.235: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.1.8.3:5246

*Sep  4 19:26:58.235: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Sep  4 19:26:58.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.8.3 peer_port: 5246

*Sep  4 19:26:58.227: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.1.8.3 peer_port: 5246

*Sep  4 19:26:58.227: %CAPWAP-5-SENDJOIN: sending Join Request to 10.1.8.3

*Sep  4 19:26:58.235: %DTLS-5-ALERT: Received WARNING : Close notify alert from 10.1.8.3

*Sep  4 19:26:59.595: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up

*Sep  4 19:27:00.595: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up

*Sep  4 19:27:08.335: %CAPWAP-3-ERRORLOG: Go join a capwap controller

Here is the output showing that the join is failing on the controller side:

Switch#show ap mac dca5.f44d.f950 join stats detail

Discovery phase statistics  

Discovery requests received                            : 39  

Successful discovery responses sent                    : 39  

Unsuccessful discovery request processing              : 0  

Reason for last unsuccessful discovery attempt          : Not applicable  

Time at last successful discovery attempt              : Sep 04 20:03:00.844  

Time at last unsuccessful discovery attempt            : Not applicable

Join phase statistics  

Join requests received                                  : 33  

Successful join responses sent                          : 0  

Unsuccessful join request processing                    : 33  

Reason for last unsuccessful join attempt              : RADIUS authorization is pending for the AP  

Time at last successful join attempt                    : Not applicable  

Time at last unsuccessful join attempt                  : Sep 04 20:03:00.494

Configuration phase statistics  

Configuration requests received                        : 0  

Successful configuration responses sent                : 0  

Unsuccessful configuration request processing          : 0  

Reason for last unsuccessful configuration attempt      : Not applicable  

Time at last successful configuration attempt          : Not applicable  

Time at last unsuccessful configuration attempt        : Not applicable Last AP message decryption failure details  

Reason for last message decryption failure              : Not applicable Last AP disconnect details  

Reason for last AP connection failure                  : Radius authorization of the AP has failed

Last join error summary  

Type of error that occurred last                        : AP got or has been disconnected  

Reason for error that occurred last                    : Radius authorization of the AP has failed  

Time at which the last join error occurred              : Sep 04 20:03:00.496

Where I'm really lost is that I do not have RADIUS authentication enabled. I also don't have a RADIUS server established, so it isn't really an option for me. I'm hopeful somebody here can help me figure out why the WLC is not allowing the APs to join. I've been unable to locate anything in the documentation that indicates a reason. I followed the setup procedures step by step and everything fails as soon as I hit the step of plugging the AP into the switch.

HELP!

Message was edited by: Christopher Stewart

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

2602i LAPs Refuse to Join Controller

From WLC GUI>>Secuirty>>AAA>AP policies, can you verify you have not checked "Authorize MIC APs against auth-list or AAA" ? If checked, uncheck this and try.

Otherwise,  It could be that this 2602 AP got shipped with a mesh image.

On the logs ": RADIUS authorization is pending for the AP  " means that this needs the MAC addr to be in the mac filter or ap policies.

So, from WLC GUI>>Secuirty>>AAA>AP policies>>Add> dca5.f44d.f950 (AP mac addr) and check if it jons.

6 REPLIES
New Member

2602i LAPs Refuse to Join Controller

Check the time at the controller and make sure its date is correctly set.

also please do the 'debug capwap events enable' at the controller and paste here.

Cisco Employee

2602i LAPs Refuse to Join Controller

From WLC GUI>>Secuirty>>AAA>AP policies, can you verify you have not checked "Authorize MIC APs against auth-list or AAA" ? If checked, uncheck this and try.

Otherwise,  It could be that this 2602 AP got shipped with a mesh image.

On the logs ": RADIUS authorization is pending for the AP  " means that this needs the MAC addr to be in the mac filter or ap policies.

So, from WLC GUI>>Secuirty>>AAA>AP policies>>Add> dca5.f44d.f950 (AP mac addr) and check if it jons.

Cisco Employee

2602i LAPs Refuse to Join Controller

Add the MAC address (Ethernet interface of the 2602 AP) to the MAC filtering table

Hall of Fame Super Gold

2602i LAPs Refuse to Join Controller

Please post the output to the following commands:

1.  WLC:  sh sysinfo;

2.  WLC:  sh time;

3.  AP:  sh version;

4.  AP:  sh inventory; and

5.  AP:  sh ip interface brief

Cisco Employee

2602i LAPs Refuse to Join Controller

Christopher,

The Catalyst 3850 is an IOS-based WLC which presents differences in the approach to connect the APs to the controller.  In this case, your 2602i APs need to be running at least IOS version 7.2.11.x.x to connect to the WLC.  I understand that the APs have just been unboxed, but even so, this does not mean that they are running current code.  Please check the version before moving on.  It could be that simple.

http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html

Please let me know if this fixes your issue.  If it does, please rate this answer and mark your question as Answered.

Charles Moreton

Cisco Employee

2602i LAPs Refuse to Join Controller

I think Shankar has hit the right spot.

+5 Shankar


This could very well be the case of ap shipped/ordered as mesh.

In addition to what has been said for adding mac address, you can issue following on the ap cli "test mesh mode local".

With 3850 if the wcm (controller) on the same stack is intended for this ap to join, you dun need any discovery options.

AP has to be in same vlan as wlc management.

Thanks

Sahil

2242
Views
5
Helpful
6
Replies
CreatePlease login to create content