Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

AP failover to a HA-SKU 5508 controller failing

Hi,

I am not able to join a Cisco 1242AG access point to register to failover from a 5508 (50 lic) controller to a 5508 HA-SKU controller. Both the controllers are running code version 7.4.121.0. Both WLC part of same mobility group with an active mobility tunnel between them.

 

(Cisco Controller) >show redundancy summary 
 Redundancy Mode = SSO DISABLED 
     Local State = ACTIVE 
      Peer State = N/A 
            Unit = Primary
         Unit ID = 3C:08:F6:CA:52:20
Redundancy State = N/A 
    Mobility MAC = 3C:08:F6:CA:52:20

Redundancy Management IP Address................. 0.0.0.0
Peer Redundancy Management IP Address............ 0.0.0.0
Redundancy Port IP Address....................... 0.0.0.0
Peer Redundancy Port IP Address.................. 169.254.0.0

 

(Cisco Controller) >show redundancy summary 
 Redundancy Mode = SSO DISABLED 
     Local State = ACTIVE 
      Peer State = N/A 
            Unit = Secondary - HA SKU
         Unit ID = 3C:08:F6:CA:53:C0
Redundancy State = N/A 
    Mobility MAC = 3C:08:F6:CA:53:C0

Redundancy Management IP Address................. 0.0.0.0
Peer Redundancy Management IP Address............ 0.0.0.0
Redundancy Port IP Address....................... 0.0.0.0
Peer Redundancy Port IP Address.................. 169.254.0.0

 

 

Temporary set the Primary Controller for the AP to the HA Controller. The AP attempts to join to HA WLC, fails and then joins the main 50 licensed controller. Debug from the AP below.

....

*May 12 06:49:11.633: %CAPWAP-3-ERRORLOG: Selected MWAR 'CAMWC7310'(index 0).
*May 12 06:49:11.633: %CAPWAP-3-ERRORLOG: Go join a capwap controller 

*May 12 06:50:12.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.31.210 peer_port: 5246
*May 12 06:50:42.000: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2051 Max retransmission count reached!
*May 12 06:51:11.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.1.31.210:5246
*May 12 06:51:12.000: %CAPWAP-3-ERRORLOG: Selected MWAR 'CAMWC7309'(index 1).
*May 12 06:51:12.000: %CAPWAP-3-ERRORLOG: Go join a capwap controller 
*May 12 06:50:12.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.30.210 peer_port: 5246
*May 12 06:50:13.488: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.1.30.210 peer_port: 5246
*May 12 06:50:13.489: %CAPWAP-5-SENDJOIN: sending Join Request to 10.1.30.210
*May 12 06:50:13.492: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
*May 12 06:50:13.493: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
*May 12 06:50:13.493: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*May 12 06:50:13.493: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 10.1.30.210
*May 12 06:50:13.586: Starting Ethernet promiscuous mode
*May 12 06:50:14.002: %LWAPP-4-CLIENTEVENTLOG: OfficeExtend Localssid saved in AP flash
*May 12 06:50:14.238: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller CAMWC7309
*May 12 06:50:14.920: %LWAPP-4-CLIENTEVENTLOG: No Flex ACL map configuration file to load. Connect to controller to get configuration file
*May 12 06:50:14.921: %LWAPP-4-CLIENTEVENTLOG: No Flex ACL map configuration file to load. Connect to controller to get configuration file
*May 12 06:50:14.921: %LWAPP-3-CLIENTERRORLOG: Switching to Connected mode
*May 12 06:50:16.747: %LWAPP-4-CLIENTEVENTLOG: SSID cp_corpd01 added to the slot[0]
*May 12 06:50:16.914: %LWAPP-4-CLIENTEVENTLOG: SSID cp_corpv01 added to the slot[0]
*May 12 06:50:17.704: %LWAPP-4-CLIENTEVENTLOG: SSID cp_Resident added to the slot[0]
*May 12 06:50:17.871: %LWAPP-4-CLIENTEVENTLOG: SSID cp_companyguest added to the slot[0]
*May 12 06:50:18.037: %LWAPP-4-CLIENTEVENTLOG: SSID cp_corpd01 added to the slot[1]
*May 12 06:50:18.202: %LWAPP-4-CLIENTEVENTLOG: SSID cp_corpv01 added to the slot[1]
*May 12 06:50:18.991: %LWAPP-4-CLIENTEVENTLOG: SSID cp_Resident added to the slot[1]
*May 12 06:50:19.161: %LWAPP-4-CLIENTEVENTLOG: SSID cp_companyguest added to the slot[1]
*May 12 06:50:20.560: %WIDS-6-ENABLED: IDS Signature is loaded and enabled
*May 12 06:53:23.198: %LWAPP-3-CLIENTERRORLOG: Switching to Standalone mode
*May 12 06:53:23.226: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.1.30.210:5246
*May 12 06:53:23.283: %WIDS-6-DISABLED: IDS Signature is removed and disabled.
*May 12 06:53:33.287: %CAPWAP-3-ERRORLOG: Selected MWAR 'CAMWC7310'(index 0).

 

This is what I get on the HA controller: 

*spamApTask5: May 12 16:48:10.935: c4:64:13:bd:f6:59 Discarding non-ClientHello Handshake OR DTLS encrypted packet from  10.1.30.107:33618)since DTLS session is not established 
*spamApTask5: May 12 16:50:12.264: 00:22:0c:96:72:a0 Primary Discovery Request from 10.1.30.107:33618
*spamApTask5: May 12 16:50:12.264: 00:22:0c:96:72:a0 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 500, joined Aps =0
*spamApTask5: May 12 16:50:12.264: 00:22:0c:96:72:a0 Primary Discovery Response sent to  10.1.30.107:33618
*spamApTask4: May 12 16:50:12.409: 00:22:0c:96:72:a0 Discovery Request from 10.1.30.107:33617
*spamApTask4: May 12 16:50:12.410: 00:22:0c:96:72:a0 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 500, joined Aps =0
*spamApTask0: May 12 16:50:12.410: 00:22:0c:96:72:a0 Received LWAPP DISCOVERY REQUEST to 3c:08:f6:ca:53:cf on port '13'
*spamApTask0: May 12 16:50:12.410: 00:22:0c:96:72:a0 Refusing Discovery Request from AP 00:22:0c:96:72:a0 - limit for maximum AP downloads 0 reached
*spamApTask4: May 12 16:50:12.410: 00:22:0c:96:72:a0 Discovery Response sent to 10.1.30.107:33617
*spamApTask4: May 12 16:50:12.410: 00:22:0c:96:72:a0 Discovery Response sent to 10.1.30.107:33617
*spamApTask4: May 12 16:50:22.411: c4:64:13:bd:f6:59 DTLS connection not found, creating new connection for 10:1:30:107 (33617) 10:1:31:210 (5246)
*spamApTask4: May 12 16:50:22.411: c4:64:13:bd:f6:59 Failed to create DTLS connection for 10.1.30.107:33617
*spamApTask4: May 12 16:50:22.411: c4:64:13:bd:f6:59 Failed to create DTLS connection for 10.1.30.107.33617
*spamApTask4: May 12 16:50:24.410: c4:64:13:bd:f6:59 DTLS connection not found, creating new connection for 10:1:30:107 (33617) 10:1:31:210 (5246)
*spamApTask4: May 12 16:50:24.410: c4:64:13:bd:f6:59 Failed to create DTLS connection for 10.1.30.107:33617
*spamApTask4: May 12 16:50:24.410: c4:64:13:bd:f6:59 Failed to create DTLS connection for 10.1.30.107.33617
*spamApTask4: May 12 16:50:28.410: c4:64:13:bd:f6:59 DTLS connection not found, creating new connection for 10:1:30:107 (33617) 10:1:31:210 (5246)
*spamApTask4: May 12 16:50:28.410: c4:64:13:bd:f6:59 Failed to create DTLS connection for 10.1.30.107:33617
*spamApTask4: May 12 16:50:28.410: c4:64:13:bd:f6:59 Failed to create DTLS connection for 10.1.30.107.33617
*spamApTask4: May 12 16:50:36.410: c4:64:13:bd:f6:59 DTLS connection not found, creating new connection for 10:1:30:107 (33617) 10:1:31:210 (5246)
*spamApTask4: May 12 16:50:36.410: c4:64:13:bd:f6:59 Failed to create DTLS connection for 10.1.30.107:33617
*spamApTask4: May 12 16:50:36.410: c4:64:13:bd:f6:59 Failed to create DTLS connection for 10.1.30.107.33617

 

 

 

Thanks, 

Rick.

1 REPLY
New Member

Just to update. Opened a TAC

Just to update. Opened a TAC case for this issue and been advised that the 500 AP evaluation license on the HA controller has to be activated by accepting its EULA before HA controller can start serving failed over clients. This starts the evaluation period timer of 8 weeks and 4 days. TAC advised that when the counter reaches 0 days, HA will still serve failed over AP's as per the HA license (upto 500 AP's for 90 days). An annoying aspect of this that Prime Infrastructure keeps complaining that a controller license is expiring in less than 2 months. 

 

Thanks, 

Rick.

578
Views
0
Helpful
1
Replies