cisco 3502E LAP is showing DTLS tunneling issue with 5508 Controller

jbnair
Level 1

Hello All,

I am trying to connect 3502-E-K9 access points to a 5508 controller.

The DHCP pool is in the same range as the management IP address.

The AP is getting the IP address.

The AP can see the controller IP addresses (there are two 5508 controllers). Options 60 and 43 are already set up on the pool.

The controllers are upgraded to 7.5.102.0 IOS

The FUS FPGA version is 1.7

I have an ASA service module in the 6500, and the management VLAN gateway is configured on the firewall. I temporarily removed the gateway address from the FW and applied it to the 6500 switch VLAN, but the problem is still going on, which shows this is not a problem from the FW.

The logs from the AP are shown below:

*Nov 10 18:03:58.481: %CAPWAP-5-SENDJOIN: sending Join Request to 10.210.99.21

*Nov 10 18:03:58.484: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.

*Nov 10 18:03:58.484: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.

*Nov 10 18:03:58.484: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller

*Nov 10 18:03:58.484: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 10.210.99.21

Full log:

*Mar  1 00:13:30.348: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar  1 00:13:30.439: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar  1 00:13:31.439: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
Translating "CISCO-CAPWAP-CONTROLLER.sht-2.com"...domain server (10.210.99.1)
*Mar  1 00:13:40.461: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.210.99.21 obtained through DHCP
*Mar  1 00:13:40.461: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.210.99.22 obtained through DHCP
*Mar  1 00:13:40.461: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.

*Mar  1 00:13:43.462: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.sht-2.com
*Mar  1 00:13:53.466: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Nov 10 18:03:58.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.210.99.21 peer_port: 5246
*Nov 10 18:03:58.481: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.210.99.21 peer_port: 5246
*Nov 10 18:03:58.481: %CAPWAP-5-SENDJOIN: sending Join Request to 10.210.99.21
*Nov 10 18:03:58.484: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
*Nov 10 18:03:58.484: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
*Nov 10 18:03:58.484: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Nov 10 18:03:58.484: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 10.210.99.21
*Nov 10 18:04:03.483: %CAPWAP-5-SENDJOIN: sending Join Request to 10.210.99.21

                

Any comments?

Thanks & Regards

Jay


Sandeep Choudhary
VIP Alumni
VIP Alumni

Hi Jay,

Please check the time and date on the WLC and correct them.

Log in to the WLC and then go here:

Commands>set time

Regards
Don't forget to rate helpful posts.


Sent from Cisco Technical Support iPhone App

Hi Sandeep,

Thank you for your reply. I set the time and time zone on the controllers and restarted. Then I tried connecting the APs again, but it is giving the same error. What could the other causes be?

Regards

jay

*Mar  1 00:13:43.462: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.sht-2.com

DNS is wrong; please correct it.

Please paste these:

1.  WAP:  sh inventory;

2.  WLC:  sh sysinfo

Can you reboot the AP and paste the log from it?

Regards

Sent from Cisco Technical Support iPhone App

Find below the AP initialization logs:


using  eeprom values

WRDTR,CLKTR: 0x8200083f 0x40000000
RQDC ,RFDC : 0x80000032 0x00000211

using HYNG ddr static values from serial eeprom
ddr init done

Running Normal Memtest...
Passed.
IOS Bootloader - Starting system.
FLASH CHIP:  Numonyx P33
Checking for Over Erased blocks
......................................................................................................................................................................................................................................................
Xmodem file system is available.

DDR values used from system serial eeprom.
WRDTR,CLKTR: 0x8200083f, 0x40000000
RQDC, RFDC : 0x80000032, 0x00000211

PCIE0: link is up.
PCIE0: VC0 is active
PCIE1: link is up.
PCIE1: VC0 is active
64bit PCIE devices
PCIEx: initialization done
flashfs[0]: 48 files, 9 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 31739904
flashfs[0]: Bytes used: 18169856
flashfs[0]: Bytes available: 13570048
flashfs[0]: flashfs fsck took 10 seconds.
Reading cookie from system serial eeprom...Done
Base Ethernet MAC address: 88:5a:92:bd:72:02
Ethernet speed is 1000 Mb - FULL duplex
Loading "flash:/ap3g1-k9w8-mx.152-4.JA1/ap3g1-k9w8-mx.152-4.JA1"...#################

File "flash:/ap3g1-k9w8-mx.152-4.JA1/ap3g1-k9w8-mx.152-4.JA1" uncompressed and installed, entry point: 0x4000
executing...
enet halted

IOS Secondary Bootloader - Starting system.
FLASH CHIP:  Numonyx P33
Checking for Over Erased blocks
......................................................................................................................................................................................................................................................
Xmodem file system is available.

DDR values used from system serial eeprom.
WRDTR,CLKTR: 0x8200083f, 0x40000000
RQDC, RFDC : 0x80000032, 0x00000211

PCIE0: link is up.
PCIE0: VC0 is active
PCIE1: link is up.
PCIE1: VC0 is active
Radio 0 : Vendor 0x11AB, Device 0x8350

64bit PCIE devices
Radio 1 : Vendor 0x11AB, Device 0x8324

PCIEx: initialization done
flashfs[0]: 48 files, 9 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 31739904
flashfs[0]: Bytes used: 18169856
flashfs[0]: Bytes available: 13570048
flashfs[0]: flashfs fsck took 10 seconds.
Reading cookie from system serial eeprom...Done
Base Ethernet MAC address: 88:5a:92:bd:72:02
Creating Test Kernel diagnostic commands

Radio 0 : Vendor 0x11AB, Device 0x8324

Radio 1 : Vendor 0x11AB, Device 0x8350

Radio 2 : Vendor 0xFFFF, Device 0xFFFF

Radio 3 : Vendor 0xFFFF, Device 0xFFFF
******** AUTOMATIC DDR CALIBRATION UPGRADE LOGIC *********
=== 1. Is original FCS bootloader in BS:?  If not, skip upgrade ===
    ---> original FCS bootloader not detected -- skip upgrade
Boot CMD: 'boot  flash:/ap3g1-k9w8-mx.152-4.JA1/ap3g1-k9w8-xx.152-4.JA1;flash:/ap3g1-k9w8-mx.152-4.JA1/ap3g1-k9w8-mx.152-4.JA1'
Loading "flash:/ap3g1-k9w8-mx.152-4.JA1/ap3g1-k9w8-xx.152-4.JA1"...####################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################

File "flash:/ap3g1-k9w8-mx.152-4.JA1/ap3g1-k9w8-xx.152-4.JA1" uncompressed and installed, entry point: 0x100000
executing...

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706

Cisco IOS Software, C3500 Software (AP3G1-K9W8-M), Version 15.2(4)JA1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Tue 30-Jul-13 22:49 by prod_rel_team

Initializing flashfs...
FLASH CHIP:  Numonyx P33
Checking for Over Erased blocks
......................................................................................................................................................................................................................................................

flashfs[3]: 48 files, 9 directories
flashfs[3]: 0 orphaned files, 0 orphaned directories
flashfs[3]: Total bytes: 31481856
flashfs[3]: Bytes used: 18169856
flashfs[3]: Bytes available: 13312000
flashfs[3]: flashfs fsck took 8 seconds.
flashfs[3]: Initialization complete.
flashfs[4]: 0 files, 1 directories
flashfs[4]: 0 orphaned files, 0 orphaned directories
flashfs[4]: Total bytes: 11999232
flashfs[4]: Bytes used: 1024
flashfs[4]: Bytes available: 11998208
flashfs[4]: flashfs fsck took 0 seconds.
flashfs[4]: Initialization complete.
Copying radio files from flash: to ram:
Copy in progress...CCC
Copy in progress...CCC
Copy in progress...CC
Uncompressing radio files...
...done Initializing flashfs.

Ethernet speed is 1000 Mb - FULL duplex

Radio0  present 8364B 8000 B8020000 0 B8030000 10
Rate table has 80 entries (32 SGI/4 BF variants)

Radio1  present 8364B 8000 B0020000 0 B0030000 C
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-CAP3502E-E-K9 (PowerPC460exr) processor (revision B1) with 98294K/32768K bytes of memory.
Processor board ID FCZ1746D00J
PowerPC460exr CPU at 666Mhz, revision number 0x18A8
Last reset from power-on
LWAPP image version 7.5.102.0
1 Gigabit Ethernet interface
2 802.11 Radios

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 88:5A:92:BD:72:02
Part Number                          : 73-12175-06
PCA Assembly Number                  : 800-32268-06
PCA Revision Number                  : B0
PCB Serial Number                    : FOC17418B8A
Top Assembly Part Number             : 800-32904-02
Top Assembly Serial Number           : FCZ1746D00J
Top Revision Number                  : A0
Product/Model Number                 : AIR-CAP3502E-E-K9  
% Please define a domain-name first.


Press RETURN to get started!


*Mar  1 00:00:11.076: FIPS IOS test Image Checksum successful
*Mar  1 00:00:11.079: FIPS IOS test Crypto RNG DEK Key Test successful
*Mar  1 00:00:11.079: FIPS IOS test SHA-1 successful
*Mar  1 00:00:11.079: FIPS IOS test HMAC-SHA1 successful
*Mar  1 00:00:11.079: FIPS IOS test AES CBC 128-bit Encrypt successful
*Mar  1 00:00:11.079: FIPS IOS test AES CBC 128-bit Decrypt successful
*Mar  1 00:00:11.079: FIPS IOS test IOS AES CMAC Encrypt successful
*Mar  1 00:00:11.079: FIPS IOS test IOS CCM Encrypt successful
*Mar  1 00:00:11.079: FIPS IOS test IOS CCM Decrypt successful
*Mar  1 00:00:11.117: FIPS IOS test RSA Signature Generation successful
*Mar  1 00:00:11.120: FIPS IOS test RSA Signature Verification successful
*Mar  1 00:00:11.120: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
*Mar  1 00:00:11.120: *** CRASH_LOG = YES

*Mar  1 00:00:11.120: 64bit PCIE devices
*Mar  1 00:00:12.227: FIPS HW test SHA-1 successful
*Mar  1 00:00:12.227: FIPS HW test HMAC-SHA1 successful
*Mar  1 00:00:12.227: FIPS HW test AES CBC 128-bit Encrypt successful
*Mar  1 00:00:12.227: FIPS HW test AES CBC 128-bit Decrypt successful
*Mar  1 00:00:12.227: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed
*Mar  1 00:00:12.227: Security Core found.

*Mar  1 00:00:12.240: Registering HW DTLS
Base Ethernet MAC address: 88:5A:92:BD:72:02

*Mar  1 00:00:14.401: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar  1 00:00:15.684: FIPS RADIO test AES 128-bit encrypt for TX on Dot11Radio 0 successful
*Mar  1 00:00:15.687: FIPS RADIO test AES 128-bit CCM encrypt on Dot11Radio 0 successful
*Mar  1 00:00:15.687: FIPS RADIO test AES 128-bit CCM decrypt on Dot11Radio 0 successful
*Mar  1 00:00:15.687: FIPS RADIO test AMAC AES 128-bit CMAC encrypt on Dot11Radio 0 successful
*Mar  1 00:00:15.687: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
*Mar  1 00:00:15.687: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar  1 00:00:18.827: FIPS RADIO test AES 128-bit encrypt for TX on Dot11Radio 1 successful
*Mar  1 00:00:18.827: FIPS RADIO test AES 128-bit CCM encrypt on Dot11Radio 1 successful
*Mar  1 00:00:18.827: FIPS RADIO test AES 128-bit CCM decrypt on Dot11Radio 1 successful
*Mar  1 00:00:18.827: FIPS RADIO test AMAC AES 128-bit CMAC encrypt on Dot11Radio 1 successful
*Mar  1 00:00:18.827: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1
*Mar  1 00:12:56.191: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3500 Software (AP3G1-K9W8-M), Version 15.2(4)JA1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Tue 30-Jul-13 22:49 by prod_rel_team
*Mar  1 00:12:56.191: %SNMP-5-COLDSTART: SNMP agent on host AP885a.92bd.7202 is undergoing a cold start
*Mar  1 00:12:56.232: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar  1 00:12:56.232: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Mar  1 00:12:56.261: %PARSER-4-BADCFG: Unexpected end of configuration file.

*Mar  1 00:12:56.437: %SSH-5-ENABLED: SSH 2.0 has been enabledlwapp_crypto_init: MIC Present and Parsed Successfully

*Mar  1 00:12:57.229: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Mar  1 00:12:56.191: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3500 Software (AP3G1-K9W8-M), Version 15.2(4)JA1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Tue 30-Jul-13 22:49 by prod_rel_team
*Mar  1 00:12:56.191: %SNMP-5-COLDSTART: SNMP agent on host AP885a.92bd.7202 is undergoing a cold start
*Mar  1 00:12:56.232: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar  1 00:12:56.232: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Mar  1 00:12:56.261: %PARSER-4-BADCFG: Unexpected end of configuration file.

*Mar  1 00:12:56.437: %SSH-5-ENABLED: SSH 2.0 has been enabledlwapp_crypto_init: MIC Present and Parsed Successfully

*Mar  1 00:12:57.229: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up%Default route without gateway, if not a point-to-point interface, may impact performance
*Mar  1 00:13:24.912: Logging LWAPP message to 255.255.255.255.

*Mar  1 00:13:28.029: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Mar  1 00:13:29.118: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar  1 00:13:29.476: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.210.99.176, mask 255.255.255.0, hostname AP885a.92bd.7202

*Mar  1 00:13:30.118: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar  1 00:13:30.209: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar  1 00:13:31.210: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
Translating "CISCO-CAPWAP-CONTROLLER.sht-2.com"...domain server (10.210.99.1)
*Mar  1 00:13:40.461: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.210.99.21 obtained through DHCP
*Mar  1 00:13:40.461: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.210.99.22 obtained through DHCP
*Mar  1 00:13:40.461: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.

*Mar  1 00:13:58.467: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.sht-2.com
*Mar  1 00:14:08.468: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Dec 11 11:38:33.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.210.99.21 peer_port: 5246
*Dec 11 11:38:33.478: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.210.99.21 peer_port: 5246
*Dec 11 11:38:33.481: %CAPWAP-5-SENDJOIN: sending Join Request to 10.210.99.21
*Dec 11 11:38:33.481: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
*Dec 11 11:38:33.481: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
*Dec 11 11:38:33.481: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Dec 11 11:38:33.481: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 10.210.99.21
*Dec 11 11:38:38.479: %CAPWAP-5-SENDJOIN: sending Join Request to 10.210.99.21

Regards

Jay

Sandeep,

I cannot log in to the AP as it is not allowing it, and I think it is in read-only mode. How can I access it? Do we need to change it back to autonomous and then back to CAPWAP?

I do not have a DNS server now as it is a new network setup. Is this mandatory, or can we directly use the IP address instead of the hostname?

The sysinfo from Controller is as follows:

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.5.102.0
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... 6.0.182.0
Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2
Build Type....................................... DATA + WPS

System Name...................................... 6048-LWW-1004
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
Redundancy Mode.................................. Disabled
IP Address....................................... 10.210.99.21
Last Reset....................................... Software reset
System Up Time................................... 0 days 0 hrs 53 mins 16 secs
System Timezone Location......................... (GMT +4:00) Muscat, Abu Dhabi
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180

Configured Country............................... US  - United States
Operating Environment............................ Commercial (0 to 40 C)

--More-- or (q)uit
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +44 C
External Temperature............................. +25 C
Fan Status....................................... OK

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 1
Number of Active Clients......................... 0

Burned-in MAC Address............................ 6C:41:6A:5F:0F:C0
Power Supply 1................................... Present, OK
Power Supply 2................................... Present, Power Off, Fan On
Maximum number of APs supported.................. 50

Regards

Jay

Hi Jay,


Configured Country............................... US  - United States

cisco AIR-CAP3502E-E-K9 (PowerPC460exr) processor (revision B1) with 98294K/32768K bytes of memory.

Your WLC shows that it is in the US regulatory domain, but your AP shows Europe:

Regards

Sandeep,

Thank you for pointing out that mistake; I have corrected it now. In fact, I tried it earlier and found it was not able to save. Now I tried via the command line and found that we need to shut down the wireless networks a/b/n before changing the country code. After this, two or three times I saw the APs register with the WLCs, but they disappeared again within a couple of seconds. It still shows the registration error as follows.

*Dec 11 12:26:17.478: %CAPWAP-5-SENDJOIN: sending Join Request to 10.210.99.21

*Dec 11 12:26:17.481: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.

*Dec 11 12:26:17.481: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.

*Dec 11 12:26:17.481: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller

*Dec 11 12:26:17.481: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 10.210.99.21

Regards

Jay

The AP is on the same subnet as the WLC, correct?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Yes, find below the DHCP configuration:

SHT-2_Core_VSS#sh run | sec dhcp

ip dhcp excluded-address 10.210.99.1 10.210.99.175

ip dhcp pool 3502-WL-POOL

   network 10.210.99.0 255.255.255.0

   option 60 ascii "Cisco AP c3500"

   option 43 hex f108.0ad2.6315.0ad2.6316

   default-router 10.210.99.1

   dns-server 10.210.99.1

   domain-name sht-2.com

WLC IPs - 10.210.99.21 and 10.210.99.22.

Regards

Jay
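The `option 43 hex f108.0ad2.6315.0ad2.6316` value in the pool above can be checked offline against the two WLC addresses. This is an added example, not part of the original post; it assumes the Cisco lightweight-AP layout of one type byte (0xf1), one length byte, then four bytes per controller address, and the function names are hypothetical.

```python
import ipaddress

WLC_SUBOPTION = 0xF1  # type byte at the start of the pool's option 43 value


def decode_option43(ios_hex):
    """Turn IOS 'option 43 hex' text (dots optional) into controller addresses."""
    raw = bytes.fromhex(ios_hex.replace(".", "").replace(" ", ""))
    if len(raw) < 2:
        raise ValueError("need at least a type byte and a length byte")
    sub_type, length, value = raw[0], raw[1], raw[2:]
    if sub_type != WLC_SUBOPTION:
        raise ValueError(f"type 0x{sub_type:02x} is not 0xf1")
    if length != len(value):
        raise ValueError(f"length byte says {length}, payload has {len(value)} bytes")
    if length == 0 or length % 4:
        raise ValueError("payload must hold one or more 4-byte IPv4 addresses")
    return [ipaddress.IPv4Address(value[i:i + 4]) for i in range(0, length, 4)]


def encode_option43(controllers):
    """Build the dotted-hex string, as written in the pool, for a list of controller IPs."""
    packed = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if not packed or len(packed) > 255:
        raise ValueError("need between 1 and 63 controller addresses")
    digits = (bytes([WLC_SUBOPTION, len(packed)]) + packed).hex()
    return ".".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def audit_pool(ios_hex, expected_wlcs):
    """Compare the controllers a pool advertises with the ones that should be there.

    'unexpected' matters as much as 'missing': any extra address is a controller
    the APs will try to join that nobody listed as legitimate.
    """
    advertised = {str(ip) for ip in decode_option43(ios_hex)}
    expected = {str(ipaddress.IPv4Address(ip)) for ip in expected_wlcs}
    return {
        "missing": sorted(expected - advertised),
        "unexpected": sorted(advertised - expected),
    }


if __name__ == "__main__":
    pool_value = "f108.0ad2.6315.0ad2.6316"  # value from the pool in this thread
    print([str(ip) for ip in decode_option43(pool_value)])
    print(audit_pool(pool_value, ["10.210.99.21", "10.210.99.22"]))
```
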

As long as the WLC has the country code defined for the AP and the time is set, having the AP on the same subnet is the best way to have an AP join. You don't need option 43 or DNS for that.

I would make sure that under the WLC Security tab that AAA authorization for access points is not checked. Also just for kicks I would enter the AP's Ethernet MAC address to the MAC filter and see if that helps. If either one doesn't work, I would upload a new rcv image to the AP. There are a few times in which the rcv or image can be corrupt and the AP will not join.

How many APs do you have joined successfully?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***


Scott,

I made sure that the authorized check lists in the Security tab are unchecked. I am taking the MAC addresses and am going to apply them and let you know. I have 39 x 3502 APs and then 12 x 1552 External Mesh APs too. But the testing has only just started; no AP is registered to the controllers yet.

How can I check which rcv image is currently running on the APs? Also, is rcv image installation on the controller done the same way we copy the controller IOS?

Regards

Jay

Hi Jay,

Can you check the trunk port that connects the WLC and the switch?

Also, allow only the needed VLANs on these ports.

Regards

Sandeep,

The interface is running as a trunk and I did not use allowed VLAN. Currently there is no other traffic passing either, as this is a new network being set up. Anyway, I will set it and check.

Rgds

Jay

jbnair
Level 1

Sandeep / Scott,

Thank you very much; the problem is resolved now, as the APs have started registering. I think the problem was with the AP policies; I rechecked the options. Earlier, the country domain issue was also a problem.

I do not know where you sit in the world, but your support was awesome!

Once again, thank you very much!

Regards

Jay
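The checks this thread converged on (how far the CAPWAP join got, and whether the AP's regulatory domain matches the WLC country) can be run over pasted console output. This is an added example, not part of the original thread; the sample input is constructed from lines quoted above, the function names are hypothetical, and the country-to-domain table is a small assumed subset that must be replaced with the authoritative mapping for your AP models.

```python
import re

# Constructed sample: lines copied from the AP console output quoted in this thread.
AP_LOG = """\
cisco AIR-CAP3502E-E-K9 (PowerPC460exr) processor (revision B1) with 98294K/32768K bytes of memory.
*Dec 11 11:38:33.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.210.99.21 peer_port: 5246
*Dec 11 11:38:33.478: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.210.99.21 peer_port: 5246
*Dec 11 11:38:33.481: %CAPWAP-5-SENDJOIN: sending Join Request to 10.210.99.21
*Dec 11 11:38:33.481: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
*Dec 11 11:38:33.481: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 10.210.99.21
*Dec 11 11:38:38.479: %CAPWAP-5-SENDJOIN: sending Join Request to 10.210.99.21
"""
# Constructed sample: the country line from the 'show sysinfo' output in this thread.
WLC_SYSINFO = "Configured Country............................... US  - United States\n"

# Assumption: illustrative subset only (country code -> AP domain letters).
DOMAINS_BY_COUNTRY = {"US": {"A"}, "GB": {"E"}, "DE": {"E"}}

MNEMONIC = re.compile(r"%CAPWAP-\d-(\w+): (.*)")
MODEL = re.compile(r"\bAIR-[A-Z]+\d+[A-Z]*-([A-Z])-K9\b")
COUNTRY = re.compile(r"Configured Country\.+\s*([A-Z]{2})\b")
STAGES = ["none", "dtls_requested", "dtls_established", "join_sent"]
MARKERS = {"DTLSREQSEND": 1, "DTLSREQSUCC": 2, "SENDJOIN": 3}


def join_stage(ap_log):
    """Return (furthest stage reached, ERRORLOG texts seen after a Join Request)."""
    reached, errors = 0, []
    for line in ap_log.splitlines():
        match = MNEMONIC.search(line)
        if not match:
            continue
        name, text = match.groups()
        if name in MARKERS:
            reached = max(reached, MARKERS[name])
        elif name == "ERRORLOG" and reached == MARKERS["SENDJOIN"]:
            errors.append(text)
    return STAGES[reached], errors


def triage(ap_log, wlc_sysinfo):
    """List findings in the order the thread resolved them: domain first, then join."""
    findings = []
    model, country = MODEL.search(ap_log), COUNTRY.search(wlc_sysinfo)
    if model and country:
        domain, code = model.group(1), country.group(1)
        allowed = DOMAINS_BY_COUNTRY.get(code)
        if allowed is None:
            findings.append(f"country {code} not in local table; check the domain by hand")
        elif domain not in allowed:
            findings.append(f"regulatory domain mismatch: AP is -{domain}, WLC country is {code}")
    stage, errors = join_stage(ap_log)
    if stage == "join_sent" and errors:
        # DTLS came up, so the path and handshake are fine; the thread's fixes
        # for this state were the WLC country code and the AP policies.
        findings.append("DTLS established but join failed: review WLC country code and AP policies")
    elif stage == "dtls_requested":
        findings.append("DTLS did not complete: check WLC time/date and reachability of UDP 5246")
    return findings


if __name__ == "__main__":
    for finding in triage(AP_LOG, WLC_SYSINFO):
        print(finding)
```
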
