
(C1200-RCVK9W8-M), Version 12.3(7)JX9 unable to join 5508 with 6.0 IOS

john.wright
Level 3

Should a 1231 AP be able to join a 5508 running 6.0 IOS? I changed this unit from autonomous to lwap before attempting this.

The ap receives an IP addr. but I see the following messages on the AP:

*Mar  1 00:04:18.721: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address 10.49.12.205, mask 255.255.0.0, hostname AP0011.212d.2f98

*Mar  1 00:04:41.599: LWAPP_CLIENT_ERROR_DEBUG: spamHandleDiscoveryTimer : Found the discovery response from MASTER Mwar

*Sep  6 13:00:48.022: LWAPP_CLIENT_ERROR_DEBUG:

*Sep  6 13:00:48.023: peer certificate verification failed

*Sep  6 13:00:48.023: LWAPP_CLIENT_ERROR_DEBUG: spamDecodeJoinReply : Certificate is not valid

*Sep  6 13:00:48.023: LWAPP_CLIENT_ERROR_DEBUG: Unable to decode join reply

*Sep  6 13:00:52.744: LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not recieve the Join response

*Sep  6 13:00:52.744: LWAPP_CLIENT_ERROR_DEBUG: No more AP manager IP addresses remain.

*Sep  6 13:00:52.744: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET JOIN RESPONSE.

*Sep  6 13:00:52.745: %LWAPP-5-CHANGED: LWAPP changed state to DOWNXmodem file system is available.

The time by the way is correct on the 5508. Here is what I see on 5508.

*Sep 06 09:22:49.622: sshpmPrivateKeyEncrypt: RSA_private_encrypt returned 256

*Sep 06 09:22:49.622: sshpmPrivateKeyEncrypt: encrypted bytes: 512

*Sep 06 09:23:52.476: sshpmLscTask: LSC Task received a message 4

*Sep 06 09:24:19.477: sshpmFreePublicKeyHandle: called with 0x1c9a35a4

*Sep 06 09:24:19.477: sshpmFreePublicKeyHandle: freeing public key

*Sep 06 09:25:52.476: sshpmLscTask: LSC Task received a message 4


Scott Fella
Hall of Fame

First off, the 1140 doesn't require the SSC to be added, but the 1200 does. In your log, it shows that it is failing to join because of that certificate. You need to run the debug command that George posted and get the hash that you have to enter back in on the WLC. Typically the 1230s and older models have an SSC that needs to be added.

Lightweight and autonomous are different!!!! Autonomous requires you to use a trunk port for the AP if you have more than one VLAN. Lightweight APs are connected to an access port and the WLC is connected to a trunk. If you want to keep the same setup as your autonomous, then you need to set up the AP as FlexConnect. See this document, but understand there are limitations to using FlexConnect compared with using the standard default local mode.

http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml

http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/flexconnect/config_flexconnect.pdf


-Scott
*** Please rate helpful posts ***
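
Added example (not part of the original thread and not Cisco code): a small Python triage of the AP console lines quoted in the question, separating the certificate failure from the join timeout and reload it causes. The rule names and the `triage` function are hypothetical; the log lines are copied from the post above.

```python
import re

# Log lines copied from the AP console output in the question above.
AP_LOG = """\
*Mar  1 00:04:41.599: LWAPP_CLIENT_ERROR_DEBUG: spamHandleDiscoveryTimer : Found the discovery response from MASTER Mwar
*Sep  6 13:00:48.023: peer certificate verification failed
*Sep  6 13:00:48.023: LWAPP_CLIENT_ERROR_DEBUG: spamDecodeJoinReply : Certificate is not valid
*Sep  6 13:00:48.023: LWAPP_CLIENT_ERROR_DEBUG: Unable to decode join reply
*Sep  6 13:00:52.744: LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not recieve the Join response
*Sep  6 13:00:52.744: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET JOIN RESPONSE.
"""

# "*Mon  D HH:MM:SS.mmm: message" as printed on the AP console.
LINE = re.compile(
    r"^\*(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>[\d:.]+): (?P<msg>.*)$"
)

# Hypothetical triage rules, ordered from root cause to downstream symptom.
RULES = [
    ("certificate", re.compile(r"certificate (verification failed|is not valid)", re.I)),
    ("join_timeout", re.compile(r"did not rec[ei]{2}ve the join response", re.I)),
    ("reload", re.compile(r"%SYS-5-RELOAD")),
]

def triage(log_text):
    """Classify join-failure lines and record whether the AP's date changed mid-log."""
    events, dates = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        date = (m["mon"], int(m["day"]))
        if not dates or dates[-1] != date:
            dates.append(date)
        for label, pattern in RULES:
            if pattern.search(m["msg"]):
                events.append((label, m["time"]))
                break
    seen = {label for label, _ in events}
    # Report the highest-priority rule that fired as the root cause.
    root = next((label for label, _ in RULES if label in seen), None)
    # Certificate validation depends on the AP clock, so a date change is worth noting.
    return {"root_cause": root, "events": events,
            "clock_jump": len(dates) > 1, "dates": dates}

if __name__ == "__main__":
    print(triage(AP_LOG))
```
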

Scott Fella

Turn off RLDP!!! You don't need this enabled. When you have this enabled, it will kick clients off the AP, which you are seeing.


-Scott

Scott

Thanks for heads up on removing rldp. I assume you mean that I should disable under security AP policies?

It appears that clients are still coming and going so not sure where this setting is located.

Flex Connect

I suppose I should be more clear based on your response concerning flex connect. I just want to make sure that the production vlan still works just as it does now after we migrate to the 5508. And that we can also provide guest users access just as we presently do in our autonomous environment after migrating.

I have not done anything in terms of configuration to get the guest association to work. I want the production to work perfectly first.

It's hard to determine what you need to do, because I have no clue at all how your previous wireless deployment was and how your current one is configured.  Typically when I move a customer from an autonomous system to a lightweight system, the environment will change.  Again, you're going from autonomous, in which your APs are connected to a trunk port, to a lightweight system in which the APs typically connect to an access port.  Traffic flows differently, and in a lightweight environment, traffic flows back to the WLC and the WLC puts the traffic on the VLAN it's assigned to.

If you want to place the traffic at the access layer, like all your autonomous APs were set up, then you need to look at FlexConnect, because that is the only way you will be able to place SSID X to VLAN X and SSID Y to VLAN Y at the access layer.  Or else you need to define interfaces for VLAN X and VLAN Y on the WLC and everything will flow to the WLC.

Thanks,

Scott


Scott

This is the piece I did not understand.

"Or else you need to define interfaces for vlan x and vlan y on the WLC and everything will flow to the wlc."

This last point is the reason you create vlan interfaces on the WLC?

So if I got that right, then when I migrate the other buildings, which are currently on a different wireless vlan, I need to create that interface on the WLC.

If you have other buildings that cross your WAN, then you will no longer be able to define the subnets for those buildings and you would need to create a new local VLAN on the site where the WLC is located.  The interfaces need to connect to a subnet locally, not across the WAN.  So that is where you have to decide if you use local mode or FlexConnect.  Either way, you have some converting to do to get that to work.

Thanks,

Scott


Scott

Thanks again for response.

The other buildings are not over the WAN. They are buildings connected to our local LAN via a trunk but they are different vlans.

Then you can keep the APs in local mode and make sure you extend the VLANs to the switch where the WLC is connected.  Then you need to create a dynamic interface on the WLC for each of the VLANs.  This way a device associates to an SSID and the traffic gets tunneled to the WLC and the WLC puts that traffic on the interface it belongs to.  Makes sense?

Thanks,

Scott


Here is an old doc, but still pretty good and shows you how the traffic flows in a way:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00805e7a24.shtml

Thanks,

Scott
