Solved: VLAN Identifier

pmccubbin · ‎09-21-2006

This is probably an easy one for our Cisco Pros but it has me stumped.

It involves the VLAN identifier on our 4402 controller. We are running 4.x software, the latest from Cisco on both our WCS and controller.

When we tag both sides of the trunk between the controller (management interface and the ap-manager)and the switch we lose all connectivity to the network. We we use the untagged option on the controller side we have connectivity but not to the AP.

Here is how we have the switch port configured in both cases:

switchport trunk encapsulation dot1q

switchport trunk native vlan 504

switchport mode trunk

no ip address

Additionally, here is the error message we receive on the AP when we are untagged on the controller side:

*Mar 1 00:00:45.692: %LWAPP-5-CHANGED: LWAPP changed state to JOIN

*Mar 1 00:00:51.693: LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not rec

ieve the Join response

*Mar 1 00:00:51.693: LWAPP_CLIENT_ERROR_DEBUG: No more AP manager IP addresses

remain.

*Mar 1 00:00:56.729: LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not rec

ieve the Join response

*Mar 1 00:00:56.729: LWAPP_CLIENT_ERROR_DEBUG: No more AP manager IP addresses

remain.

*Mar 1 00:00:56.908: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Re

ason: DID NOT GET JOIN RESPONSE.

*Mar 1 00:00:56.909: %LWAPP-5-CHANGED: LWAPP changed state to DOWNXmod

Any help would be greatly appreciated.

jakew · ‎09-22-2006

The fact that LWAPP has transitioned to the Join state indicates your AP found the controller correctly and received the LWAPP Discovery Reply . This is not a controller discovery problem.

The controller however, appears to not be sending an LWAPP Join Reply to the AP. This is probably because it is failing to authenticate the AP's Join request. Common culprits:

1. Check the controller date and time. The AP's present certs to the WLC for authentication and these have a validity interval. If the WLC looks at the certificate and the WLC date/time is outside the validity interval, it will reject the LWAPP Join Request. You can usually detect that by running "debug pm pki enable" on the WLC.

2. There's an issue with the AP certificate. Since it's an upgraded AP, there may be issues with the SSC. I suggest you peruse this document: http://www.cisco.com/warp/public/102/lwapp_upg_tool.pdf#search=%22Troubleshooting%20LWAPP%20Upgrade%22

Hope this helps.

View solution in original post

ethiel · ‎09-21-2006

I am not sure if it's officially "best practice" or not, but I always set up my manager/ap manager as untagged. If you do wish to set them up as tagged, you will need to choose a different native VLAN since switches by default do not tag traffic on their native vlan. Alternately, you could enable tagging of the native VLAN with the command "lan dot1q tag native", but I would not recommend it as it changes the behaviour for the entire switch.

As for why it is not working when it is untagged, I need some more info.

- What types of APs are these? If they are 11xx or 12xx, do you have the controller set up for Layer 3 mode?

- Are they in the same VLAN? If not, do you have you configured the DHCP options yet?

Thanks,

Eric

pmccubbin · ‎09-22-2006

Thanks for your reply.

The APs are AIR_AP1231G-A-K9 that have been upgraded to LWAPP.

The controller is set for layer 3 mode.

The management interface, ap-manager and the ap are on the same subnet.

We have configured the DHCP options. In fact, the AP received an address and was momentarily pingable. Then it resumed with the same error message and rebooted:

*Mar 1 00:00:45.692: %LWAPP-5-CHANGED: LWAPP changed state to JOIN

*Mar 1 00:00:51.693: LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not rec

ieve the Join response

*Mar 1 00:00:51.693: LWAPP_CLIENT_ERROR_DEBUG: No more AP manager IP addresses

remain.

*Mar 1 00:00:56.729: LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not rec

ieve the Join response

*Mar 1 00:00:56.729: LWAPP_CLIENT_ERROR_DEBUG: No more AP manager IP addresses

remain.

*Mar 1 00:00:56.908: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Re

ason: DID NOT GET JOIN RESPONSE.

*Mar 1 00:00:56.909: %LWAPP-5-CHANGED: LWAPP changed state to DOWNXmod

We have the management and ap-manager tagged at the moment. The switch is an IOS model and we removed the native vlan command from the interface.

Please let me know if I can give you any more information.

Thank you in advance!

Aaron Harrison · ‎09-22-2006

Hi

Which VLANs are you tagging your mgmt/ap-man interfaces as?

Can you post a config from an AP switch port and the controllers' switch port?

Also check that the VLAN you're using is active on all switches along the comms path (and not pruned off trunks) if there is more than one switch involved...

Thanks

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

pmccubbin · ‎09-22-2006

Thanks for your reply. I'll answer in reverse order.

3. We checked the pruning along the communications path and the vlan are not being pruned.

2.

The AP switch port config:

switchport access vlan 614

switchport mode dynamic desirable

no ip address

The controller port config:

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 504, 514, 614

switchport mode trunk

no ip address

1. We are tagging the management interface and the ap-manager with vlan 504.

Thanks.

jakew · ‎09-22-2006

The fact that LWAPP has transitioned to the Join state indicates your AP found the controller correctly and received the LWAPP Discovery Reply . This is not a controller discovery problem.

The controller however, appears to not be sending an LWAPP Join Reply to the AP. This is probably because it is failing to authenticate the AP's Join request. Common culprits:

1. Check the controller date and time. The AP's present certs to the WLC for authentication and these have a validity interval. If the WLC looks at the certificate and the WLC date/time is outside the validity interval, it will reject the LWAPP Join Request. You can usually detect that by running "debug pm pki enable" on the WLC.

2. There's an issue with the AP certificate. Since it's an upgraded AP, there may be issues with the SSC. I suggest you peruse this document: http://www.cisco.com/warp/public/102/lwapp_upg_tool.pdf#search=%22Troubleshooting%20LWAPP%20Upgrade%22

Hope this helps.

pmccubbin · ‎09-22-2006

Good call on the time setting. We adjusted it and rebooted the controller. Though no luck with the AP. Here is the debug you suggested:

debug pm pki enable

(Cisco Controller) >Fri Sep 22 23:04:34 2006: sshpmGetIssuerHandles: locking ca

cert table

Fri Sep 22 23:04:34 2006: sshpmGetIssuerHandles: calling x509_alloc() for user c

ert

Fri Sep 22 23:04:34 2006: sshpmGetIssuerHandles: calling x509_decode()

Fri Sep 22 23:04:34 2006: sshpmGetIssuerHandles: L=San Jose, ST=Califo

rnia, C=US, O=Cisco Systems, MAILTO=support@cisco.com, CN=C1200-000f8f3c7382

Fri Sep 22 23:04:34 2006: sshpmGetIssuerHandles: L=San Jose, ST=Califo

rnia, C=US, O=Cisco Systems, MAILTO=support@cisco.com, CN=C1200-000f8f3c7382

Fri Sep 22 23:04:34 2006: sshpmGetIssuerHandles: Mac Address in subject is 00:0f

:8f:3c:73:82

Fri Sep 22 23:04:34 2006: sshpmGetIssuerHandles: Cert is issued by Cisco Systems

.

Fri Sep 22 23:04:34 2006: sshpmGetIssuerHandles: SSC is not allowed by config; b

ailing...

Fri Sep 22 23:04:34 2006: sshpmFreePublicKeyHandle: called with (nil)

Fri Sep 22 23:04:34 2006: sshpmFreePublicKeyHandle: NULL argument.

Fri Sep 22 23:04:39 2006: sshpmGetIssuerHandles: locking ca cert table

Fri Sep 22 23:04:39 2006: sshpmGetIssuerHandles: calling x509_alloc() for user c

ert

Fri Sep 22 23:04:39 2006: sshpmGetIssuerHandles: calling x509_decode()

Fri Sep 22 23:04:39 2006: sshpmGetIssuerHandles: L=San Jose, ST=Califo

rnia, C=US, O=Cisco Systems, MAILTO=support@cisco.com, CN=C1200-000f8f3c7382

Fri Sep 22 23:04:39 2006: sshpmGetIssuerHandles: L=San Jose, ST=Califo

rnia, C=US, O=Cisco Systems, MAILTO=support@cisco.com, CN=C1200-000f8f3c7382

Fri Sep 22 23:04:39 2006: sshpmGetIssuerHandles: Mac Address in subject is 00:0f

:8f:3c:73:82

Fri Sep 22 23:04:39 2006: sshpmGetIssuerHandles: Cert is issued by Cisco Systems

.

Fri Sep 22 23:04:39 2006: sshpmGetIssuerHandles: SSC is not allowed by config; b

ailing...

Fri Sep 22 23:04:39 2006: sshpmFreePublicKeyHandle: called with (nil)

Fri Sep 22 23:04:39 2006: sshpmFreePublicKeyHandle: NULL argument.

Fri Sep 22 23:04:44 2006: sshpmGetIssuerHandles: locking ca cert table

Fri Sep 22 23:04:44 2006: sshpmGetIssuerHandles: calling x509_alloc() for user c

ert

Fri Sep 22 23:04:44 2006: sshpmGetIssuerHandles: calling x509_decode()

Fri Sep 22 23:04:44 2006: sshpmGetIssuerHandles: L=San Jose, ST=Califo

rnia, C=US, O=Cisco Systems, MAILTO=support@cisco.com, CN=C1200-000f8f3c7382

Fri Sep 22 23:04:44 2006: sshpmGetIssuerHandles: L=San Jose, ST=Califo

rnia, C=US, O=Cisco Systems, MAILTO=support@cisco.com, CN=C1200-000f8f3c7382

Fri Sep 22 23:04:44 2006: sshpmGetIssuerHandles: Mac Address in subject is 00:0f

:8f:3c:73:82

Fri Sep 22 23:04:44 2006: sshpmGetIssuerHandles: Cert is issued by Cisco Systems

.

Fri Sep 22 23:04:44 2006: sshpmGetIssuerHandles: SSC is not allowed by config; b

ailing...

Fri Sep 22 23:04:44 2006: sshpmFreePublicKeyHandle: called with (nil)

Fri Sep 22 23:04:44 2006: sshpmFreePublicKeyHandle: NULL argument.

I'll read the information about the SSC and the debug seems to point in that direction. I'll post results for all to see.

pmccubbin · ‎09-22-2006

Problem solved. I had to enable on the controller that it would accept self-signed certificates. This is only necessary when you upgrade an ap from IOS to LWAPP.

Do a show auth-list from the CLI:

Allow aps with Self Signed Certificates SSC enabled