Following are the methods for APs to discover a WLC. OTAP was there in the past; not too sure this is in play anymore.
- option 43
- broadcast
- DNS method
- previous config
- manual config of the WLC IP on the AP (when you are really desperate!!)
DHCP option 43 – typically when the AP and WLC are in different subnets
configuration:
ip dhcp pool TST1
network 172.16.100.0 255.255.255.0
default-router 172.16.100.100
option 43 hex f104.0a0a.0a01
AP output:
Mar 1 00:00:41.682: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.10.10.1 obtained through DHCP
Translating "CISCO-LWAPP-CONTROLLER"...domain server (255.255.255.255)
wmmAC status is FALSE
*Aug 15 09:38:36.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.10.2 peer_port: 5246
*Aug 15 09:38:36.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Aug 15 09:38:37.427: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.10.10.2 peer_port: 5246
*Aug 15 09:38:37.428: %CAPWAP-5-SENDJOIN: sending Join Request to 10.10.10.2
*Aug 15 09:38:37.428: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Aug 15 09:38:37.577: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
*Aug 15 09:38:37.684: %CAPWAP-5-CHANGED: CAPWAP changed state to UP
*Aug 15 09:38:37.736: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WLC1
*Aug 15 09:38:37.782: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to down
*Aug 15 09:38:37.784: %LWAPP-3-CLIENTEVENTLOG: SSID testv added to the slot[0]
*Aug 15 09:38:37.786: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Aug 15 09:38:37.787: %LWAPP-3-CLIENTEVENTLOG: SSID testv added to the slot[1]
*Aug 15 09:38:37.797: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
*Aug 15 09:38:37.803: %WIDS-5-ENABLED: IDS Signature is loaded and enabled
*Aug 15 09:38:37.856: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
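The option 43 value above is a small TLV: type f1, a length byte of 4 bytes per controller, then the WLC IPv4 addresses. The following Python is an added example, not part of the original post; it builds and parses that value and flags addresses that are not known controllers. The function names are hypothetical.

```python
import ipaddress

WLC_SUBOPTION = 0xF1  # sub-option type seen in the page's "f104..." value

def encode_option43(wlc_ips):
    """Return the dotted hex string for 'option 43 hex' given WLC IPv4 addresses."""
    if not wlc_ips:
        raise ValueError("at least one WLC address is required")
    addrs = b"".join(ipaddress.IPv4Address(ip).packed for ip in wlc_ips)
    if len(addrs) > 255:
        raise ValueError("address list does not fit a one-byte length field")
    digits = (bytes([WLC_SUBOPTION, len(addrs)]) + addrs).hex()
    # IOS shows the value in dotted groups of four hex digits
    return ".".join(digits[i:i + 4] for i in range(0, len(digits), 4))

def decode_option43(hex_value):
    """Parse an 'option 43 hex' value and return the WLC addresses it carries."""
    raw = bytes.fromhex(hex_value.replace(".", "").replace(":", ""))
    if len(raw) < 2:
        raise ValueError("value too short for type and length bytes")
    sub_type, length, payload = raw[0], raw[1], raw[2:]
    if sub_type != WLC_SUBOPTION:
        raise ValueError(f"unexpected sub-option type 0x{sub_type:02x}")
    if length != len(payload) or length == 0 or length % 4:
        raise ValueError("length byte must equal 4 x number of controllers")
    return [str(ipaddress.IPv4Address(payload[i:i + 4]))
            for i in range(0, length, 4)]

def unexpected_controllers(hex_value, known_wlcs):
    """Addresses handed out by DHCP that are not in the known WLC list."""
    known = set(known_wlcs)
    return [ip for ip in decode_option43(hex_value) if ip not in known]

if __name__ == "__main__":
    # Value from the pool above, then a pool pointing at 10.10.10.4 instead
    print(encode_option43(["10.10.10.1"]))
    print(unexpected_controllers("f104.0a0a.0a04", ["10.10.10.1"]))
```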
DNS method
- configure “A record” with WLC management IP cisco
- can utilise multiple IPs pointing to CISCO-CAPWAP-CONTROLLER.yyyyy.con
Broadcast forwarding
- UDP forwarding of CAPWAP control packets is required
- The SVI (AP management) is to be configured with ip helper-address, which is the WLC management IP.
Previous Configuration
Any previous config on the AP that contains the primary, secondary and tertiary WLC IPs.
This configuration is typically done on the AP or the WLC.
AP-1130-1#capwap ap secondary-base wlc02 100.100.100.100
(wlc01) >config ap secondary-base wlc02 AP-1130-1 192.168.10.100
Static configuration of the WLC address
capwap ap controller ip address 10.10.10.1
If not allowed to enter a static IP, then clear the private-config.
AP Joining process
With the 4402 WLCs I use, the AP establishes a peer session with the AP-manager IP address during DTLS establishment. With the 5508 this will be achieved via the management IP, as there is no concept of an AP-manager interface.
- UDP 5246 – CAPWAP control
- UDP 5247 – CAPWAP data
- Discovery request
- Discovery response
- DTLS session establishment
- Join request
- Join response
- Configuration status request
- Configuration status response
- Run (holy grail state!!)
Typical errors encountered during AP join process
Source: http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808c7234.shtml
I selected common problem items listed in the above document and created them in the home lab so I could see the actual CLI output to get a better understanding of the AP join process. I think this is the most important topic, as if the APs cannot join the WLC, we will be in big trouble at the lab and in real life.
Incorrect IP configured under option 43
The correct WLC Mgmt IP is 10.10.10.1, but we use 10.10.10.4 instead.
*Mar 1 00:00:41.662: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.10.10.4 obtained through DHCP
Translating "CISCO-LWAPP-CONTROLLER"...domain server (255.255.255.255)
*Mar 1 00:01:49.668: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
*Mar 1 00:01:50.668: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
Not in Bound state.
*Mar 1 00:02:00.188: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination
NTP out of synch between the WLC and AP
*Aug 15 09:24:25.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Aug 15 09:24:26.311: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.10.10.2
*Aug 15 09:24:26.312: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Aug 15 09:24:26.312: %DTLS-5-PEER_DISCONNECT: Peer 10.10.10.2 has closed connection.
*Aug 15 09:24:26.312: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.10.2:5246
*Aug 15 09:24:26.313: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
*Aug 15 09:24:26.315: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
UDP broadcasts are blocked
AP CLI
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Mar 1 00:00:41.654: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.10.10.4 obtained through DHCP
Translating "CISCO-LWAPP-CONTROLLER"...domain server (255.255.255.255)
*Mar 1 00:01:49.661: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
*Mar 1 00:01:50.661: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
Not in Bound state.
*Mar 1 00:02:00.187: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination.
Aug 15 10:48:38.555: status of voice_diag_test from WLC is false
*Aug 15 10:48:49.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.10.2 peer_port: 5246
*Aug 15 10:48:49.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Aug 15 10:48:50.427: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.10.10.2 peer_port: 5246
*Aug 15 10:48:50.429: %CAPWAP-5-SENDJOIN: sending Join Request to 10.10.10.2
*Aug 15 10:48:50.429: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Aug 15 10:48:55.428: %CAPWAP-5-SENDJOIN: sending Join Request to 10.10.10.2
*Aug 15 10:48:55.430: %DTLS-5-ALERT: Received WARNING : Close notify alert from 10.10.10.2
*Aug 15 10:48:55.430: %DTLS-5-PEER_DISCONNECT: Peer 10.10.10.2 has closed connection.
*Aug 15 10:48:55.430: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.10.2:5246
*Aug 15 10:48:55.477: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Aug 15 10:48:55.477: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Aug 15 10:48:55.530: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Aug 15 10:48:55.531: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Aug 15 10:48:55.532: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
WLC AP auth policy does not include the MIC
WLC CLI
*spamReceiveTask: Aug 15 10:50:56.974: 00:21:55:4d:6e:00 DTLS Session established server (10.10.10.2:5246), client (172.16.100.13:28253)
*spamReceiveTask: Aug 15 10:50:56.974: 00:21:55:4d:6e:00 Starting wait join timer for AP: 172.16.100.13:28253
*spamReceiveTask: Aug 15 10:50:56.978: 00:21:55:4d:6e:00 Join Request from 172.16.100.13:28253
*spamReceiveTask: Aug 15 10:50:56.980: 00:21:55:4d:6e:00 MIC AP is not allowed to join by config
*spamReceiveTask: Aug 15 10:51:01.976: 00:21:55:4d:6e:00 Join Request from 172.16.100.13:28253
*spamReceiveTask: Aug 15 10:51:01.976: 00:21:55:4d:6e:00 Join request received from AP which is already present. Deleting previous connection 172.16.100.13:28253
*spamReceiveTask: Aug 15 10:51:01.976: 00:21:55:4d:6e:00 Finding DTLS connection to delete for AP (172:16:100:13/28253)
*spamReceiveTask: Aug 15 10:51:01.976: 00:21:55:4d:6e:00 Disconnecting DTLS Capwap-Ctrl session 0x136b84e8 for AP (172:16:100:13/28253)
*spamReceiveTask: Aug 15 10:51:01.976: 00:21:55:4d:6e:00 CAPWAP State: Dtls tear down
*spamReceiveTask: Aug 15 10:51:01.978: 00:21:55:4d:6e:00 DTLS connection not found. Ignoring join request from 172.16.100.13:28253
*spamReceiveTask: Aug 15 10:51:01.978: 00:21:55:4d:6e:00 DTLS connection closed event receivedserver (10:10:10:2/5246) client (172:16:100:13/2825
AP CLI
*Aug 15 10:52:25.426: %CAPWAP-5-SENDJOIN: sending Join Request to 10.10.10.2
*Aug 15 10:52:25.426: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Aug 15 10:52:30.425: %CAPWAP-5-SENDJOIN: sending Join Request to 10.10.10.2
*Aug 15 10:52:30.427: %DTLS-5-ALERT: Received WARNING : Close notify alert from 10.10.10.2
*Aug 15 10:52:30.427: %DTLS-5-PEER_DISCONNECT: Peer 10.10.10.2 has closed connection.
*Aug 15 10:52:30.427: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.10.2:5246
Mismatched regulatory domains
AP CLI
*Aug 15 11:20:58.257: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Aug 15 11:20:58.257: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Aug 15 11:20:58.311: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Aug 15 11:20:58.311: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Aug 15 11:20:58.342: status of voice_diag_test from WLC is false
WLC GUI
AP on the 802.11a radio with Base Radio MAC 00:21:55:4d:6e:00 (AP001d.e556.e5b0) is unable to associate. The regulatory domain configured on it '-A' does not match the controller's regulatory domain: -N
WLC CLI
debug capwap error enable
*spamReceiveTask: Aug 15 11:34:26.635: 00:21:55:4d:6e:00 AP 00:21:55:4d:6e:00: Country code is not configured(AU ).
*spamReceiveTask: Aug 15 11:34:26.635: 00:21:55:4d:6e:00 Regulatory Domain Mismatch: AP 00:21:55:4d:6e:00 not allowed to join. Regulatory Domain check failed.
AP not listed in the authorisation list
config auth-list ap-policy mic enable
On the AP
Aug 15 18:54:41.430: %CAPWAP-5-SENDJOIN: sending Join Request to 10.10.10.2
*Aug 15 18:54:41.431: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Aug 15 18:54:41.434: %DTLS-5-ALERT: Received WARNING : Close notify alert from 10.10.10.2
*Aug 15 18:54:41.434: %DTLS-5-PEER_DISCONNECT: Peer 10.10.10.2 has closed connection.
*Aug 15 18:54:41.434: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.10.2:5246
*Aug 15 18:54:41.483: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Aug 15 18:54:41.483: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
WLC CLI
The capwap debug did not throw any clue as to the possible culprit
(wlc01) >*spamReceiveTask: Aug 15 18:56:49.367: 00:1e:be:22:16:c2 DTLS Session established server (10.10.10.2:5246), client (172.16.100.4:28252)
*spamReceiveTask: Aug 15 18:56:49.367: 00:1e:be:22:16:c2 Starting wait join timer for AP: 172.16.100.4:28252
*spamReceiveTask: Aug 15 18:56:49.372: 00:21:55:4d:6e:00 Join Request from 172.16.100.4:28252
*spamReceiveTask: Aug 15 18:56:49.372: 00:21:55:4d:6e:00 In AAA state 'Idle' for AP 00:21:55:4d:6e:00
*spamReceiveTask: Aug 15 18:56:49.373: 00:21:55:4d:6e:00 Finding DTLS connection to delete for AP (172:16:100:4/28252)
*spamReceiveTask: Aug 15 18:56:49.373: 00:21:55:4d:6e:00 Disconnecting DTLS Capwap-Ctrl session 0x136bb4f0 for AP (172:16:100:4/28252)
*spamReceiveTask: Aug 15 18:56:49.373: 00:21:55:4d:6e:00 CAPWAP State: Dtls tear down
*spamReceiveTask: Aug 15 18:56:49.375: 00:21:55:4d:6e:00 DTLS connection closed event receivedserver (10:10:10:2/5246) client (172:16:100:4/28252)
On the WLC GUI
Syslog entry on the GUI was spot on.
Thu Aug 15 18:52:03 2013 | Failed to authorize AP Name AP001d.e556.e5b0 with Base Radio MAC 00:21:55:4d:6e:00. Authorization entry does not exist in AAA server.
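The captures above each carry one telltale line. As an added example (not part of the original post), this Python sketch maps those lines to the causes named in the section titles and tracks the last CAPWAP state reached. The `diagnose` function is hypothetical, and the sample lines are copied from the captures on this page.

```python
import re

# Log text -> cause, both taken from the captures and section titles on this page.
SIGNATURES = [
    ("Could not discover WLC using DHCP IP",
     "discovery failed: wrong option 43 address or CAPWAP broadcasts blocked"),
    ("Certificate unknown alert",
     "DTLS certificate rejected: check NTP sync between the WLC and AP"),
    ("MIC AP is not allowed to join by config",
     "WLC AP auth policy does not include the MIC"),
    ("Regulatory Domain Mismatch", "mismatched regulatory domains"),
    ("Authorization entry does not exist in AAA server",
     "AP not listed in the authorisation list"),
]
STATE_RE = re.compile(r"CAPWAP changed state to (\w+)")

def diagnose(lines):
    """Summarise AP/WLC join output: joined or not, last state, likely causes."""
    states, causes, joined = [], [], False
    for line in lines:
        m = STATE_RE.search(line)  # truncated "state to" lines do not match
        if m:
            states.append(m.group(1))
        if "%CAPWAP-5-JOINEDCONTROLLER" in line:
            joined = True
        for needle, cause in SIGNATURES:
            if needle in line and cause not in causes:
                causes.append(cause)
    # The AP side often shows only a close notify; the reason is on the WLC.
    if not joined and not causes and any("Close notify alert from" in l for l in lines):
        causes.append("WLC closed the DTLS session: check WLC debug and GUI syslog")
    return {"joined": joined,
            "last_state": states[-1] if states else None,
            "causes": causes}

GOOD_JOIN = [
    "*Aug 15 09:38:37.428: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN",
    "*Aug 15 09:38:37.684: %CAPWAP-5-CHANGED: CAPWAP changed state to UP",
    "*Aug 15 09:38:37.736: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WLC1",
]
NTP_SKEW = [
    "*Aug 15 09:24:25.001: %CAPWAP-5-CHANGED: CAPWAP changed state to",
    "*Aug 15 09:24:26.311: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.10.10.2",
]
AP_SIDE_REJECT = [
    "*Aug 15 18:54:41.431: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN",
    "*Aug 15 18:54:41.434: %DTLS-5-ALERT: Received WARNING : Close notify alert from 10.10.10.2",
    "*Aug 15 18:54:41.483: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY",
]
```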