2602i-n with 5508

jrg100006 · ‎12-23-2013

I have 5 new 2602i-n APs that I am getting a "Lwapp join request rejected" error in the AP Join log of the controller. I have other 2602s working just fine, and I have other N radios working just fine. I have moved the APs to 2 other controllers, via the DNS names, and the problem follows. I have tried allt he various security settings and nothing seems to help. These APs are in an overseas location so I cannot get console access too them right now.

Looking for any help as TAC has run out of ideas.

Stephen Rodriguez · ‎12-23-2013

the LWAPP join request should say

LWAPP joi request rejected from AP supporting CAPWAP.

Can you run and post the output of the following :

debug mac addr < ap mac address >

debug capwap events enable

debug capwap errors enable

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

jrg100006 · ‎12-23-2013

*spamApTask5: Dec 23 19:40:51.118: 18:9c:5d:30:17:50 Discovery Request from 153.65.34.38:3287

*spamApTask5: Dec 23 19:40:51.119: 18:9c:5d:30:17:50 Join Priority Processing status = 0, Incoming Ap's Priority 4, MaxLrads = 200, joined Aps =150

*spamApTask5: Dec 23 19:40:51.119: 18:9c:5d:30:17:50 Discovery Response sent to 153.65.34.38:3287

*spamApTask5: Dec 23 19:41:01.118: 18:9c:5d:30:17:50 DTLS connection not found, creating new connection for 153:65:34:38 (3287) 153:65:1:71 (5246)

*spamApTask5: Dec 23 19:41:02.062: 18:9c:5d:30:17:50 Allocated index from main list, Index: 84

*spamApTask5: Dec 23 19:41:02.062: 18:9c:5d:30:17:50 DTLS keys for Control Plane are plumbed successfully for AP 153.65.34.38. Index 85

*spamApTask5: Dec 23 19:41:02.062: 18:9c:5d:30:17:50 DTLS Session established server (153.65.1.71:5246), client (153.65.34.38:3287)

*spamApTask5: Dec 23 19:41:02.062: 18:9c:5d:30:17:50 Starting wait join timer for AP: 153.65.34.38:3287

*spamApTask5: Dec 23 19:41:02.300: 18:9c:5d:30:17:50 Join Request from 153.65.34.38:3287

*spamApTask5: Dec 23 19:41:02.301: 18:9c:5d:30:17:50 Deleting AP entry 153.65.34.38:3287 from temporary database.

*spamApTask5: Dec 23 19:41:02.302: 18:9c:5d:30:17:50 Bridge AP can not join MultiCountry Controller: Bridge mode AP 153.65.34.38:3287 cannot be supported on Multi Country Controlle

*spamApTask5: Dec 23 19:41:02.302: 18:9c:5d:30:17:50 Finding DTLS connection to delete for AP (153:65:34:38/3287)

*spamApTask5: Dec 23 19:41:02.302: 18:9c:5d:30:17:50 Disconnecting DTLS Capwap-Ctrl session 0x170b15b8 for AP (153:65:34:38/3287)

*spamApTask5: Dec 23 19:41:02.302: 18:9c:5d:30:17:50 CAPWAP State: Dtls tear down

*spamApTask5: Dec 23 19:41:02.302: 18:9c:5d:30:17:50 DTLS keys for Control Plane deleted successfully for AP 153.65.34.38

*spamApTask5: Dec 23 19:41:02.310: 18:9c:5d:30:17:50 State machine handler: Failed to process msg type = 3 state = 0 from 153.65.34.38:3287

*spamApTask5: Dec 23 19:41:02.310: 18:9c:5d:30:17:50 Failed to parse CAPWAP packet from 153.65.34.38:3287

*spamApTask5: Dec 23 19:41:02.310: 18:9c:5d:30:17:50 DTLS connection closed event receivedserver (153:65:1:71/5246) client (153:65:34:38/3287)

*spamApTask5: Dec 23 19:41:02.311: 18:9c:5d:30:17:50 Entry exists for AP (153:65:34:38/3287)

Stephen Rodriguez · ‎12-23-2013

So your AP is in Bridge/MESH mode.

Bridge AP can not join MultiCountry Controller: Bridge mode AP

You'll need to point this AP at a WLC that has only one country code listed, add the mac address to the macfilter. Once the AP has joined, you can then change its mode back to local, and push it to the correct WLC.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

jrg100006 · ‎12-23-2013

As soon as I pasted the output I saw that error ... trying now. Will update as soon as I can.

jrg100006 · ‎12-23-2013

Geeting an odd RADIUS error .. I am only using RADIUS for the user lgin .. not the APs themselves:

Radius authorization of the AP has failed

Stephen Rodriguez · ‎12-23-2013

that can happen with the Bridge/MESH AP. Take a look at Security > Ap Authorization

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

jrg100006 · ‎12-23-2013

I do not see an AP Authorization. Under AP authentication --- protection type is set to none.

jrg100006 · ‎12-23-2013

Could it be a regulatory domain issue? My controller is only configured for A and these APs are N.

Leo Laohoo · ‎12-23-2013

Could it be a regulatory domain issue?  My controller is only configured for A and these APs are N.

Incorrect regulatory domain will play a significant factor. Talk to the vendor who sold you the AP and ask them if they can replace them with the correct one.

Stephen Rodriguez · ‎12-23-2013

Did you add the mac of the AP to the macfilter? you can aslo add it to the AP Auth list. Your AP is in bridge mode, and since the MAC isn't foudn on the WLC, it's getting sent to AAA.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered