09-21-2006 12:44 PM - edited 07-04-2021 01:08 PM
This is probably an easy one for our Cisco Pros but it has me stumped.
It involves the VLAN identifier on our 4402 controller. We are running 4.x software, the latest from Cisco on both our WCS and controller.
When we tag both sides of the trunk between the controller (management interface and the ap-manager)and the switch we lose all connectivity to the network. We we use the untagged option on the controller side we have connectivity but not to the AP.
Here is how we have the switch port configured in both cases:
switchport trunk encapsulation dot1q
switchport trunk native vlan 504
switchport mode trunk
no ip address
Additionally, here is the error message we receive on the AP when we are untagged on the controller side:
*Mar 1 00:00:45.692: %LWAPP-5-CHANGED: LWAPP changed state to JOIN
*Mar 1 00:00:51.693: LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not rec
ieve the Join response
*Mar 1 00:00:51.693: LWAPP_CLIENT_ERROR_DEBUG: No more AP manager IP addresses
remain.
*Mar 1 00:00:56.729: LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not rec
ieve the Join response
*Mar 1 00:00:56.729: LWAPP_CLIENT_ERROR_DEBUG: No more AP manager IP addresses
remain.
*Mar 1 00:00:56.908: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Re
ason: DID NOT GET JOIN RESPONSE.
*Mar 1 00:00:56.909: %LWAPP-5-CHANGED: LWAPP changed state to DOWNXmod
Any help would be greatly appreciated.
Solved! Go to Solution.
09-22-2006 07:46 AM
The fact that LWAPP has transitioned to the Join state indicates your AP found the controller correctly and received the LWAPP Discovery Reply . This is not a controller discovery problem.
The controller however, appears to not be sending an LWAPP Join Reply to the AP. This is probably because it is failing to authenticate the AP's Join request. Common culprits:
1. Check the controller date and time. The AP's present certs to the WLC for authentication and these have a validity interval. If the WLC looks at the certificate and the WLC date/time is outside the validity interval, it will reject the LWAPP Join Request. You can usually detect that by running "debug pm pki enable" on the WLC.
2. There's an issue with the AP certificate. Since it's an upgraded AP, there may be issues with the SSC. I suggest you peruse this document: http://www.cisco.com/warp/public/102/lwapp_upg_tool.pdf#search=%22Troubleshooting%20LWAPP%20Upgrade%22
Hope this helps.
09-21-2006 02:15 PM
I am not sure if it's officially "best practice" or not, but I always set up my manager/ap manager as untagged. If you do wish to set them up as tagged, you will need to choose a different native VLAN since switches by default do not tag traffic on their native vlan. Alternately, you could enable tagging of the native VLAN with the command "lan dot1q tag native", but I would not recommend it as it changes the behaviour for the entire switch.
As for why it is not working when it is untagged, I need some more info.
- What types of APs are these? If they are 11xx or 12xx, do you have the controller set up for Layer 3 mode?
- Are they in the same VLAN? If not, do you have you configured the DHCP options yet?
Thanks,
Eric
09-22-2006 05:07 AM
Thanks for your reply.
The APs are AIR_AP1231G-A-K9 that have been upgraded to LWAPP.
The controller is set for layer 3 mode.
The management interface, ap-manager and the ap are on the same subnet.
We have configured the DHCP options. In fact, the AP received an address and was momentarily pingable. Then it resumed with the same error message and rebooted:
*Mar 1 00:00:45.692: %LWAPP-5-CHANGED: LWAPP changed state to JOIN
*Mar 1 00:00:51.693: LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not rec
ieve the Join response
*Mar 1 00:00:51.693: LWAPP_CLIENT_ERROR_DEBUG: No more AP manager IP addresses
remain.
*Mar 1 00:00:56.729: LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not rec
ieve the Join response
*Mar 1 00:00:56.729: LWAPP_CLIENT_ERROR_DEBUG: No more AP manager IP addresses
remain.
*Mar 1 00:00:56.908: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Re
ason: DID NOT GET JOIN RESPONSE.
*Mar 1 00:00:56.909: %LWAPP-5-CHANGED: LWAPP changed state to DOWNXmod
We have the management and ap-manager tagged at the moment. The switch is an IOS model and we removed the native vlan command from the interface.
Please let me know if I can give you any more information.
Thank you in advance!
09-22-2006 05:41 AM
Hi
Which VLANs are you tagging your mgmt/ap-man interfaces as?
Can you post a config from an AP switch port and the controllers' switch port?
Also check that the VLAN you're using is active on all switches along the comms path (and not pruned off trunks) if there is more than one switch involved...
Thanks
Aaron
09-22-2006 07:54 AM
Thanks for your reply. I'll answer in reverse order.
3. We checked the pruning along the communications path and the vlan are not being pruned.
2.
The AP switch port config:
switchport access vlan 614
switchport mode dynamic desirable
no ip address
The controller port config:
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 504, 514, 614
switchport mode trunk
no ip address
1. We are tagging the management interface and the ap-manager with vlan 504.
Thanks.
09-22-2006 07:46 AM
The fact that LWAPP has transitioned to the Join state indicates your AP found the controller correctly and received the LWAPP Discovery Reply . This is not a controller discovery problem.
The controller however, appears to not be sending an LWAPP Join Reply to the AP. This is probably because it is failing to authenticate the AP's Join request. Common culprits:
1. Check the controller date and time. The AP's present certs to the WLC for authentication and these have a validity interval. If the WLC looks at the certificate and the WLC date/time is outside the validity interval, it will reject the LWAPP Join Request. You can usually detect that by running "debug pm pki enable" on the WLC.
2. There's an issue with the AP certificate. Since it's an upgraded AP, there may be issues with the SSC. I suggest you peruse this document: http://www.cisco.com/warp/public/102/lwapp_upg_tool.pdf#search=%22Troubleshooting%20LWAPP%20Upgrade%22
Hope this helps.
09-22-2006 08:18 AM
Good call on the time setting. We adjusted it and rebooted the controller. Though no luck with the AP. Here is the debug you suggested:
debug pm pki enable
(Cisco Controller) >Fri Sep 22 23:04:34 2006: sshpmGetIssuerHandles: locking ca
cert table
Fri Sep 22 23:04:34 2006: sshpmGetIssuerHandles: calling x509_alloc() for user c
ert
Fri Sep 22 23:04:34 2006: sshpmGetIssuerHandles: calling x509_decode()
Fri Sep 22 23:04:34 2006: sshpmGetIssuerHandles:
rnia, C=US, O=Cisco Systems, MAILTO=support@cisco.com, CN=C1200-000f8f3c7382
Fri Sep 22 23:04:34 2006: sshpmGetIssuerHandles:
rnia, C=US, O=Cisco Systems, MAILTO=support@cisco.com, CN=C1200-000f8f3c7382
Fri Sep 22 23:04:34 2006: sshpmGetIssuerHandles: Mac Address in subject is 00:0f
:8f:3c:73:82
Fri Sep 22 23:04:34 2006: sshpmGetIssuerHandles: Cert is issued by Cisco Systems
.
Fri Sep 22 23:04:34 2006: sshpmGetIssuerHandles: SSC is not allowed by config; b
ailing...
Fri Sep 22 23:04:34 2006: sshpmFreePublicKeyHandle: called with (nil)
Fri Sep 22 23:04:34 2006: sshpmFreePublicKeyHandle: NULL argument.
Fri Sep 22 23:04:39 2006: sshpmGetIssuerHandles: locking ca cert table
Fri Sep 22 23:04:39 2006: sshpmGetIssuerHandles: calling x509_alloc() for user c
ert
Fri Sep 22 23:04:39 2006: sshpmGetIssuerHandles: calling x509_decode()
Fri Sep 22 23:04:39 2006: sshpmGetIssuerHandles:
rnia, C=US, O=Cisco Systems, MAILTO=support@cisco.com, CN=C1200-000f8f3c7382
Fri Sep 22 23:04:39 2006: sshpmGetIssuerHandles:
rnia, C=US, O=Cisco Systems, MAILTO=support@cisco.com, CN=C1200-000f8f3c7382
Fri Sep 22 23:04:39 2006: sshpmGetIssuerHandles: Mac Address in subject is 00:0f
:8f:3c:73:82
Fri Sep 22 23:04:39 2006: sshpmGetIssuerHandles: Cert is issued by Cisco Systems
.
Fri Sep 22 23:04:39 2006: sshpmGetIssuerHandles: SSC is not allowed by config; b
ailing...
Fri Sep 22 23:04:39 2006: sshpmFreePublicKeyHandle: called with (nil)
Fri Sep 22 23:04:39 2006: sshpmFreePublicKeyHandle: NULL argument.
Fri Sep 22 23:04:44 2006: sshpmGetIssuerHandles: locking ca cert table
Fri Sep 22 23:04:44 2006: sshpmGetIssuerHandles: calling x509_alloc() for user c
ert
Fri Sep 22 23:04:44 2006: sshpmGetIssuerHandles: calling x509_decode()
Fri Sep 22 23:04:44 2006: sshpmGetIssuerHandles:
rnia, C=US, O=Cisco Systems, MAILTO=support@cisco.com, CN=C1200-000f8f3c7382
Fri Sep 22 23:04:44 2006: sshpmGetIssuerHandles:
rnia, C=US, O=Cisco Systems, MAILTO=support@cisco.com, CN=C1200-000f8f3c7382
Fri Sep 22 23:04:44 2006: sshpmGetIssuerHandles: Mac Address in subject is 00:0f
:8f:3c:73:82
Fri Sep 22 23:04:44 2006: sshpmGetIssuerHandles: Cert is issued by Cisco Systems
.
Fri Sep 22 23:04:44 2006: sshpmGetIssuerHandles: SSC is not allowed by config; b
ailing...
Fri Sep 22 23:04:44 2006: sshpmFreePublicKeyHandle: called with (nil)
Fri Sep 22 23:04:44 2006: sshpmFreePublicKeyHandle: NULL argument.
I'll read the information about the SSC and the debug seems to point in that direction. I'll post results for all to see.
09-22-2006 09:26 AM
Problem solved. I had to enable on the controller that it would accept self-signed certificates. This is only necessary when you upgrade an ap from IOS to LWAPP.
Do a show auth-list from the CLI:
Allow aps with Self Signed Certificates SSC enabled
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: