IOS to LWAPP converted AP doesn't join a 4402 controller

sr1482613
Level 4

We have a WLC 4402 with eight AP 1232AG series and now we wanted to upgrade a 1232AG AP from IOS to LWAPP.

We've just upgraded the AP from IOS to LWAPP following the steps in the documentation.

When the upgrade was completed, the AP didn't join the WLC.

I attach the output when the AP reboots.

*Mar 1 00:00:23.408: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY

*Mar 1 00:00:34.130: %LWAPP-5-CHANGED: LWAPP changed state to JOIN

*Mar 1 00:00:40.130: LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not recieve the Join response

*Mar 1 00:00:40.130: LWAPP_CLIENT_ERROR_DEBUG: No more AP manager IP addresses remain.

*Mar 1 00:00:40.130: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET JOIN RESPONSE.

*Mar 1 00:00:40.131: %LWAPP-5-CHANGED: LWAPP changed state to DOWN

Xmodem file system is available.

flashfs[0]: 4 files, 2 directories

Does anyone know why the AP is not joining the WLC??

Thanks in advance.

2 Accepted Solutions


RaveDave1
Level 1

I had an identical problem with my WLC2006 and a converted AP1231G.

Found out that the upgrade utility had incorrectly formatted the controller configuration commands. Check your log files in the \log subdirectory of where you have the upgrade tool loaded.

I reformatted the commands and entered them on the WLC2006 command line, NOT THE GUI, and it worked flawlessly after I upgraded the controller to 3.2.116.21.

I had to upgrade the firmware because the AP1200 was asking for an upgrade file that 3.2.76 didn't have.

Reformatted commands:

means press the enter key at the end of a command line.

config

auth-list add ssc 00:0c:30:f1:5b:2f 9273b099dc3854c1e429f4bc256d217470306261

This is the command to add an AP with a self-Certified cert to the controller. 00:0c:30:f1:5b:2f is the MAC address of the AP and 9273b099dc3854c1e429f4bc256d217470306261 is the cert key created by the upgrade utility.

auth-list ap-policy ssc enable

Enable self-certifying APs.

Then save the current configuration.

My AP1200 now works flawlessly.


jakew
Level 1

The controller isn't authenticating the AP's join request. There's a good chance the controller can't validate the certificate. This typically happens because the WLC date/time is outside the certificate validity interval. Check the controller's date/time.

If that's OK, check the auth-list. In the WLC CLI, use the command: show auth-list. You may need to allow SSC. You might also need to verify the correct SSC public key hash exists in the table. Typically, you can use 'debug pm pki enable' and 'debug lwapp events enable' to figure out what's happening.


5 Replies

Dmitry Halavin
Level 1

Check to make sure the 4400 has the SSC entry for the AP. Check the time on the controller. Also it looks like the time on the AP is wrong, so make sure that you had the correct time on the controller and on the laptop when upgrading.


sparkymark
Level 1

I had the same issue with an AP yesterday. I determined that I had used the wrong telnet-username, telnet-user-password and enable-password in the IP File for this particular AP. If I'm not mistaken the upgrade process uses those credentials to set the date and time on the AP, then the date and time on the AP are used to create the self-signed certificate. My AP was resetting to midnight on March 1st on every reload, just as yours appears to be.

There might be a better way to get the AP to join, but I converted back to IOS and went back through the LWAPP conversion process again. With the right telnet login/enable credentials, which was the only change I made, the AP joined right away.

Don't forget to enable telnet on the controller. It isn't on by default.

In the future, you can use 'debug pm pki enable' on the WLC CLI when the AP attempts to join. You can harvest the AP MAC and public key hash from that output and use those values to add the AP to the auth-list.
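A small checker for the two things the replies in this thread point to, as an added example that is not part of any post or of Cisco's tooling: it validates the shape of an `auth-list add ssc` line before it is pasted into the WLC CLI, and flags the join-timeout and unset-clock symptoms in AP console output. The function names, the 40-hex-character hash length (taken from the value quoted in the thread) and the deliberately broken sample line are assumptions made for illustration.

```python
import re

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
# Assumption: the SSC key hash is 40 hex characters, like the value in the thread.
HASH_RE = re.compile(r"^[0-9a-f]{40}$", re.I)

def check_ssc_command(line):
    """Return a list of problems found in one 'auth-list add ssc' command line."""
    tokens = line.split()
    if tokens[:1] == ["config"]:          # accept the command with or without 'config'
        tokens = tokens[1:]
    if tokens[:3] != ["auth-list", "add", "ssc"]:
        return ["not an 'auth-list add ssc' command"]
    args = tokens[3:]
    if len(args) != 2:                    # e.g. a hash broken in two by stray whitespace
        return [f"expected MAC and key hash, got {len(args)} argument(s)"]
    mac, key_hash = args
    problems = []
    if not MAC_RE.match(mac):
        problems.append(f"malformed MAC address: {mac}")
    if not HASH_RE.match(key_hash):
        problems.append(f"key hash is not 40 hex characters (length {len(key_hash)})")
    return problems

def triage_ap_log(lines):
    """Flag the symptoms discussed in the thread in AP console output."""
    findings = set()
    for line in lines:
        # IOS prefixes a timestamp with '*' when the clock is not authoritative.
        if line.startswith("*"):
            findings.add("clock-not-authoritative")
        if "join response" in line.lower():
            findings.add("join-response-timeout")
    return sorted(findings)

# Command as quoted in the thread, and a constructed variant with the hash split.
GOOD = "auth-list add ssc 00:0c:30:f1:5b:2f 9273b099dc3854c1e429f4bc256d217470306261"
SPLIT = "auth-list add ssc 00:0c:30:f1:5b:2f 9273b099dc3854c1e429 f4bc256d217470306261"
# Two lines copied from the console output in the original question.
AP_LOG = [
    "*Mar 1 00:00:40.130: LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not recieve the Join response",
    "*Mar 1 00:00:40.130: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET JOIN RESPONSE.",
]

if __name__ == "__main__":
    for cmd in (GOOD, SPLIT):
        print(cmd, "->", check_ssc_command(cmd) or "ok")
    print(triage_ap_log(AP_LOG))
```

A clean result only means the line is well formed; whether the MAC and hash match what the AP actually presents still has to be confirmed against the controller's `debug pm pki enable` output.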
