I'm having trouble joining my APs to the controller. I have so far got most of them joined eventually, but I seem to get a random issue with lots of the APs. I have tried all the usual things - changed network leads, power supply, different port etc. This issue doesn't always stop them joining because sometimes after an hour of errors they join and are fine after that.
The main errors are:
*Sep 4 14:07:36.687: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Sep 4 14:07:36.687: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 22.214.171.124
*Sep 4 14:07:36.687: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 34078720.
I've attached the debug.
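To get a quick picture of a debug like the one attached above (how many errors, which controller address they reference, and how long the AP kept failing before it joined), here is a small parser for Cisco IOS syslog lines. This is an added example, not code from the original post or from Cisco; the three sample lines are the ones quoted above, plus one constructed malformed line to show that unparseable input is skipped.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Cisco IOS log shape: "*Sep 4 14:07:36.687: %FACILITY-SEVERITY-MNEMONIC: message"
# (severity 3 = error, per the standard %FACILITY-SEVERITY-MNEMONIC format)
LOG_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<msg>.*)$"
)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
NUM_RE = re.compile(r"\b\d+\b")

# Sample input: the three lines from the post plus one constructed junk line.
SAMPLE_DEBUG = """\
*Sep 4 14:07:36.687: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Sep 4 14:07:36.687: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 22.214.171.124
*Sep 4 14:07:36.687: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 34078720.
this line is constructed noise and should be ignored
"""


@dataclass
class LogEvent:
    timestamp: str
    facility: str
    severity: int
    mnemonic: str
    message: str


def parse_line(line):
    """Return a LogEvent for a well-formed IOS log line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return LogEvent(m["ts"], m["facility"], int(m["severity"]),
                    m["mnemonic"], m["msg"])


def _to_dt(ts):
    # IOS timestamps carry no year; strptime defaults it to 1900, which is
    # fine for computing the span inside one debug capture.
    ts = " ".join(ts.split())
    for fmt in ("%b %d %H:%M:%S.%f", "%b %d %H:%M:%S"):
        try:
            return datetime.strptime(ts, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {ts!r}")


def normalize(msg):
    """Replace addresses and numbers so repeated errors group together."""
    return NUM_RE.sub("<n>", IP_RE.sub("<ip>", msg))


def summarize(text):
    """Tally CAPWAP log lines: counts, controller IPs seen, and time span."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    capwap = [e for e in events if e.facility == "CAPWAP"]
    controllers = sorted({ip for e in capwap for ip in IP_RE.findall(e.message)})
    patterns = Counter(normalize(e.message) for e in capwap)
    times = [_to_dt(e.timestamp) for e in capwap]
    span = (max(times) - min(times)).total_seconds() if times else 0.0
    return {
        "total": len(capwap),
        "errors": sum(1 for e in capwap if e.severity <= 3),
        "controllers": controllers,
        "patterns": patterns,
        "span_seconds": span,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Run it against the full debug export rather than these three lines: a long `span_seconds` with the same handful of patterns repeating is the "hour of errors" the post describes, and the `controllers` list confirms which WLC address the AP was actually talking to.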
How's the WLC and the LAP connected? Is it in an isolated network or in production?
Did you prime the LAP prior to deployment?
Did you unblock CAPWAP UDP ports 5246 and 5247 from the firewall?
It is connected into our network and I have 20 APs all working, eventually. When the technician put in the controller he told me that the APs don't need to be primed or configured as DNS is all sorted so it finds the controller straight away.
Ports can't be blocked as I have got APs to join.
Cisco recommends you prime the APs before deployment.
But the 1140s are a different lot altogether. It's faster and has some smarts the older models don't. I've plugged one in and immediately found the WLC faster than the other models.
Do you have encryption turned on?
Maybe try turning off encryption.
"Cisco 5500 series controllers enable you to encrypt CAPWAP control packets (and optionally CAPWAP data packets) that are sent between the access point and the controller using Datagram Transport Layer Security (DTLS). If an access point does not support DTLS data encryption, DTLS is enabled only for the control plane, and a DTLS session for the data plane is not established."
How is your controller connected to the network? Is it using LAG? If so, make sure you are using src-dst-ip for the port-channel load balancing on your switch, as other settings can cause issues with APs joining (i.e. src-dst-port).
Sorry, hopefully this clears it up. This is from the WLC best practices configuration guide.
When you use LAG, the controller relies on the switch for the load balancing decisions on traffic that comes from the network. It expects that traffic that belongs to an AP (LWAPP or network to wireless user) always enters on the same port. Use only ip-src or ip-src ip-dst load balancing options in the switch EtherChannel configuration. Some switch models might use unsupported load balancing mechanisms by default, so it is important to verify.
This is how to verify the EtherChannel load balancing mechanism:
switch#show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
IPv4: Source XOR Destination IP address
IPv6: Source XOR Destination IP address
This is how to change the switch configuration (IOS):
switch(config)#port-channel load-balance src-dst-ip
Do not configure a LAG connection that spans across multiple switches. When you use LAG, it must be with all ports that belong to the same EtherChannel that goes to the same physical switch.
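As an added example (not from the post or from the WLC guide), here is a small checker that parses `show etherchannel load-balance` output and flags an IPv4 policy other than the two the guide permits for a WLC-facing LAG, returning the IOS command from the guide as the fix. The first sample output is the one quoted above; the second is constructed to show a switch left on a per-port policy.

```python
import re

# The two IPv4 policies the WLC best-practices text allows
# ("ip-src" and "ip-src ip-dst"), as they appear in the show output.
ALLOWED_IPV4 = {"Source IP address", "Source XOR Destination IP address"}
FIX_COMMAND = "port-channel load-balance src-dst-ip"

# Sample output copied from the guide text above.
GOOD_OUTPUT = """\
EtherChannel Load-Balancing Configuration:
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
IPv4: Source XOR Destination IP address
IPv6: Source XOR Destination IP address
"""

# Constructed sample of a switch using a per-port policy for IPv4.
BAD_OUTPUT = """\
EtherChannel Load-Balancing Configuration:
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
IPv4: Source XOR Destination Port
IPv6: Source XOR Destination Port
"""

LINE_RE = re.compile(r"^\s*(Non-IP|IPv4|IPv6):\s+(.+?)\s*$")


def parse_load_balance(output):
    """Map each protocol family to its load-balancing method."""
    policies = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
    return policies


def check_lag_for_wlc(output):
    """Return (ok, reason, fix). fix is the IOS command to apply, or None."""
    policies = parse_load_balance(output)
    ipv4 = policies.get("IPv4")
    if ipv4 is None:
        return (False, "no IPv4 load-balance line found in output", None)
    if ipv4 in ALLOWED_IPV4:
        return (True, f"IPv4 policy '{ipv4}' is supported for a WLC LAG", None)
    # Anything else (port- or MAC-based hashing) can send one AP's CAPWAP
    # traffic to different controller ports and break the join.
    return (False, f"IPv4 policy '{ipv4}' can break AP joins over LAG", FIX_COMMAND)


if __name__ == "__main__":
    for name, out in (("quoted", GOOD_OUTPUT), ("constructed", BAD_OUTPUT)):
        ok, reason, fix = check_lag_for_wlc(out)
        print(f"{name}: {'OK' if ok else 'FAIL'} - {reason}"
              + (f" (apply: {fix})" if fix else ""))
```

Only the IPv4 line decides the verdict, because CAPWAP between AP and controller is IPv4 traffic; the Non-IP and IPv6 lines are parsed and kept so you can report them alongside it.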