Issues with 5500 controller and 1140 APs

aemberson
Level 1

I'm having trouble joining my APs to the controller. I have so far got most of them joined eventually, but I seem to get a random issue with lots of the APs. I have tried all the usual things: changed network leads, power supply, different port, etc. This issue doesn't always stop them joining, because sometimes after an hour of errors they join and are fine after that.

The main errors are:

*Sep 4 14:07:36.687: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller

*Sep 4 14:07:36.687: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 1.2.11.3

*Sep 4 14:07:36.687: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 34078720.

I've attached the debug

Cheers
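The three `%CAPWAP-3-ERRORLOG` lines above are what an IOS access point prints while a join attempt fails, and a real capture repeats them for an hour. The following is an added triage script, not code from the original post or from Cisco: it parses IOS-style syslog lines, keeps only CAPWAP errors, groups repeated messages after collapsing IPs and numbers, and lists the controller addresses named in them. The parser embeds the three lines from the post as sample input plus one constructed severity-5 line to show the filter working; the `%CAPWAP-5-DTLSREQSEND` line and its wording are an assumption for the example, not taken from the poster's debug.

```python
# Added example, not part of the original post: a small triage parser for the
# CAPWAP error lines an IOS access point prints on its console while it tries
# to join a controller. It pulls out the timestamp, severity, mnemonic and any
# peer IP, then groups repeated errors so a long capture can be read at a glance.
import re
from collections import Counter
from typing import Dict, List, Optional, Set

# IOS syslog line shape: "*Sep 4 14:07:36.687: %CAPWAP-3-ERRORLOG: <text>"
LOG_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d{3}):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s+(?P<text>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_line(line: str) -> Optional[dict]:
    """Parse one IOS syslog line; return None for lines that are not syslog messages."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["severity"] = int(event["severity"])
    ip = IPV4_RE.search(event["text"])
    event["peer_ip"] = ip.group(0) if ip else None
    return event


def parse_capwap_errors(lines: List[str]) -> List[dict]:
    """Keep only CAPWAP messages of severity 3 (error) or worse."""
    events = (parse_line(line) for line in lines)
    return [e for e in events if e and e["facility"] == "CAPWAP" and e["severity"] <= 3]


def normalize(text: str) -> str:
    """Collapse IPs and numbers so repeated errors with different values group together."""
    text = IPV4_RE.sub("<ip>", text)
    return re.sub(r"\b\d+\b", "<n>", text)


def summarize(events: List[dict]) -> Dict[str, int]:
    """Count occurrences of each normalized error text."""
    return dict(Counter(normalize(e["text"]) for e in events))


def peers(events: List[dict]) -> Set[str]:
    """Controller addresses named in the errors (the peers to check UDP 5246/5247 and DTLS against)."""
    return {e["peer_ip"] for e in events if e["peer_ip"]}


# Sample input: the three error lines quoted in the post above, plus one constructed
# informational line (severity 5, assumed wording) to show that it is filtered out.
SAMPLE_LOG = [
    "*Sep 4 14:07:36.687: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller",
    "*Sep 4 14:07:36.687: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 1.2.11.3",
    "*Sep 4 14:07:36.687: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 34078720.",
    "*Sep 4 14:07:37.001: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 1.2.11.3 peer_port: 5246",
]

if __name__ == "__main__":
    errs = parse_capwap_errors(SAMPLE_LOG)
    for text, count in summarize(errs).items():
        print(f"{count:4d}  {text}")
    print("controller(s) named in errors:", ", ".join(sorted(peers(errs))))
```

Run it over the full console capture rather than the three lines; the count per normalized message tells you whether the AP is stuck in one phase (repeated DTLS/control failures against the same peer) or cycling through discovery, and the peer set tells you which controller address the AP is actually talking to.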

8 Replies

Leo Laohoo
Hall of Fame

How's the WLC and the LAP connected? Is it in an isolated network or in production?

Did you prime the LAP prior to deployment?

Did you unblock CAPWAP UDP ports 5246 and 5247 from the firewall?

It is connected into our network and I have 20 APs all working, eventually. When the technician put in the controller he told me that the APs don't need to be primed or configured, as DNS is all sorted, so it finds the controller straight away.

Ports can't be blocked, as I have got APs to join.

Leo Laohoo
Hall of Fame

Cisco recommends you prime the APs before deployment.

But the 1140s are a different lot altogether. It's faster and has some smarts the older models don't. I've plugged one in and immediately found the WLC faster than the other models.

bernieli79
Level 1

Do you have encryption turned on?

Maybe try turning off encryption.

"Cisco 5500 series controllers enable you to encrypt CAPWAP control packets (and optionally CAPWAP data packets) that are sent between the access point and the controller using Datagram Transport Layer Security (DTLS). If an access point does not support DTLS data encryption, DTLS is enabled only for the control plane, and a DTLS session for the data plane is not established."

How is your controller connected to the network? Is it using LAG? If so, make sure you are using src-dst-ip for the port-channel load balancing on your switch, as other settings can cause issues with APs joining (i.e. src-dst-port).

Not sure what you mean by src-dst-ip?? Tried that command on the ports that are in the EtherChannel link?

Sorry, hopefully this clears it up. This is from the WLC best practices configuration guide:

#

When you use LAG, the controller relies on the switch for the load balancing decisions on traffic that comes from the network. It expects that traffic that belongs to an AP (LWAPP or network to wireless user) always enters on the same port. Use only ip-src or ip-src ip-dst load balancing options in the switch EtherChannel configuration. Some switch models might use unsupported load balancing mechanisms by default, so it is important to verify.

This is how to verify the EtherChannel load balancing mechanism:

switch#show etherchannel load-balance

EtherChannel Load-Balancing Configuration:

src-dst-ip

EtherChannel Load-Balancing Addresses Used Per-Protocol:

Non-IP: Source XOR Destination MAC address

IPv4: Source XOR Destination IP address

IPv6: Source XOR Destination IP address

This is how to change the switch configuration (IOS):

switch(config)#port-channel load-balance src-dst-ip

#

Do not configure a LAG connection that spans across multiple switches. When you use LAG, it must be with all ports that belong to the same EtherChannel that goes to the same physical switch.
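The guide's requirement is that everything belonging to one AP enters the controller on the same member link. Why `src-dst-port` breaks that is easier to see with a model than with prose: CAPWAP control (UDP 5246) and CAPWAP data (UDP 5247) from one AP differ only in port, so a port-based hash can send them to different links, while an IP-based hash cannot. The following is an added example, not code from the thread or from Cisco, and the hash is a deliberately simplified stand-in (XOR of the selected fields, modulo the number of links); real switches use platform-specific hashes, but they share the property shown here, which is which header fields are allowed to influence the result. The AP addresses, ephemeral source ports and 2-link LAG are constructed; the controller address 1.2.11.3 is the one from the AP log in the post.

```python
# Added example (not from the thread or from Cisco): a simplified model of
# EtherChannel load balancing, to show why the WLC best-practice guide insists
# on src-ip / src-dst-ip hashing. Real Cisco switches hash differently per
# platform; this model keeps only the property that matters: which header
# fields feed the hash.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    label: str  # e.g. "capwap-control" or "capwap-data"


def _octets_xor(ip: str) -> int:
    """Fold an IPv4 dotted-quad into one byte by XORing its octets."""
    result = 0
    for octet in ip.split("."):
        result ^= int(octet)
    return result


def member_link(flow: Flow, mode: str, n_links: int) -> int:
    """Pick the EtherChannel member link a packet of `flow` is forwarded on.

    Simplified model (an assumption, not the vendor algorithm): XOR the fields
    selected by the load-balance mode, then reduce modulo the number of links.
    """
    if mode == "src-ip":
        h = _octets_xor(flow.src_ip)
    elif mode == "src-dst-ip":
        h = _octets_xor(flow.src_ip) ^ _octets_xor(flow.dst_ip)
    elif mode == "src-dst-port":
        h = flow.src_port ^ flow.dst_port
    else:
        raise ValueError(f"unknown load-balance mode: {mode}")
    return h % n_links


def links_used_per_ap(flows: List[Flow], mode: str, n_links: int) -> Dict[str, Set[int]]:
    """Group flows by AP (source IP) and collect the member links each AP's traffic lands on."""
    used: Dict[str, Set[int]] = {}
    for f in flows:
        used.setdefault(f.src_ip, set()).add(member_link(f, mode, n_links))
    return used


def violates_wlc_requirement(flows: List[Flow], mode: str, n_links: int) -> List[str]:
    """APs whose traffic is split across more than one link, which the WLC does not tolerate."""
    return sorted(
        ap for ap, links in links_used_per_ap(flows, mode, n_links).items() if len(links) > 1
    )


# Constructed sample: two APs sending CAPWAP control (UDP 5246) and data (UDP 5247)
# towards the controller's address over a 2-link LAG. The AP-side source ports
# and AP addresses are made up for the example.
WLC_IP = "1.2.11.3"  # controller address seen in the AP log quoted in the post
SAMPLE_FLOWS = [
    Flow("1.2.11.10", WLC_IP, 41000, 5246, "capwap-control"),
    Flow("1.2.11.10", WLC_IP, 41000, 5247, "capwap-data"),
    Flow("1.2.11.11", WLC_IP, 41002, 5246, "capwap-control"),
    Flow("1.2.11.11", WLC_IP, 41002, 5247, "capwap-data"),
]

if __name__ == "__main__":
    for mode in ("src-dst-ip", "src-ip", "src-dst-port"):
        split = violates_wlc_requirement(SAMPLE_FLOWS, mode, 2)
        print(f"{mode:13s} APs split across links: {split or 'none'}")
```

With `src-ip` or `src-dst-ip` the port fields never enter the hash, so an AP's control and data sessions cannot diverge no matter how many links the LAG has; with `src-dst-port` both sample APs end up spread over both links, which is the condition the guide tells you to rule out with `show etherchannel load-balance` before blaming the APs.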

Hi,

Did you get any resolution on this? I have the same problem!
