WN Blog 001 – AP Join Issues with Cisco WLC

So you have just deployed your shiny new Cisco WLCs, you have waited weeks for the cablers to install your APs as per your design, and you are sitting there all excited because you can finally enable the switch ports that the APs are connected to. But… oh no, no APs are joining the WLC.

I have certainly been in that situation, and I am going to share with you my usual things to check and troubleshoot.

Firstly, we need to understand the process and priority for Cisco APs to discover and join the WLC.

AP Discovery Process:

  1. WLC Discovery

  2. DTLS/Join

  3. Image Download

  4. Configuration Check

  5. Registered

Now that we know the process, we need to understand the different methods that APs can use to discover WLCs.

AP-to-WLC DISCOVERY Algorithm (find as many WLCs as you can):

The AP goes through the following to compile a list of WLCs:

  • CAPWAP discovery broadcast on local subnet

    • AP broadcasts CAPWAP discovery message on UDP 5246

    • WLC responds back with unicast to the AP

  • Over the Air Provisioning (OTAP) — deprecated

  • Locally stored controller IP addr — remembers up to 8 previously used controllers

  • DHCP vendor specific option 43

    • IP address should be the WLC management interface IP

    • Option 43 format: Windows Server: standard IP / IOS: hex (‘f1040a0f64fd’)

  • DNS resolution of ‘CISCO-CAPWAP-CONTROLLER.localdomain’

  • Manually set via CLI:

    • capwap ap ip address 10.10.113.5 255.255.255.0

    • capwap ap ip default-gateway 10.10.113.1

    • capwap ap controller ip address 10.10.111.10

    • capwap ap primary-base “WLCname” “WLCip”

AP JOIN Phase:

  • Can be hierarchical: Primary, Secondary, Tertiary

  • Master controller is preferred if no others are hardcoded

  • If no hardcoded controllers and no master configured, AP joins least loaded WLC

  • Controller upgrades or downgrades the AP

  • Config sent to AP (SSIDs, channels, powers etc.)

  • AP clears all parameters upon joining and controller sends everything over

Physical checks:

  • Check AP lights — different statuses indicate different issues

  • If remote, check the switch: show cdp neighbors and show power inline

  • Console onto the AP and verify firmware — lightweight mode should show “K9W8”, autonomous mode shows “K9W7”.

Run WLC CLI debugs:

  • show ap join stats detailed [AP MAC Address]

  • debug mac address [AP MAC Address]

  • debug capwap events enable

  • debug capwap errors enable

Common causes of APs not joining:

  • Regulatory domain mismatch between WLC and AP

  • Time & Date significantly out on WLC or AP

  • Insufficient licenses on WLC

  • AP MAC not added to security policy on WLC

  • DHCP issues:

    • DHCP scope out of leases

    • Option 43 HEX string incorrect

    • DNS pointing to old WLC instead of new one

  • Firewall:

    • Ensure CAPWAP ports 5246-5247 (UDP) are allowed through
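
To check the "Option 43 HEX string incorrect" cause against the hex format shown in the discovery list ('f1040a0f64fd'), here is an added example, not code from the original post. It assumes the Cisco layout of type byte 0xf1, a length byte equal to 4 x the number of controllers, then each WLC management IP as 4 bytes; the function names and the sample addresses in the main block are constructed for illustration.

```python
import ipaddress

OPTION43_TYPE = 0xF1  # sub-option type byte, as in the page's 'f1040a0f64fd'

def encode_option43(controllers):
    """Build the hex string for a list of WLC management-interface IPv4 addresses."""
    packed = b"".join(ipaddress.IPv4Address(ip).packed for ip in controllers)
    if not controllers or len(packed) > 255:
        raise ValueError("need between 1 and 63 controller addresses")
    return (bytes([OPTION43_TYPE, len(packed)]) + packed).hex()

def decode_option43(hex_string):
    """Return (controller_ips, problems) for an Option 43 hex string."""
    problems = []
    # IOS configs often group the hex with dots (f104.0a0f.64fd); strip separators.
    cleaned = hex_string.strip().lower()
    for sep in (".", ":", " "):
        cleaned = cleaned.replace(sep, "")
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError:
        return [], ["not valid hex (odd length or non-hex characters)"]
    if len(raw) < 2:
        return [], ["too short: need a type byte and a length byte"]
    sub_type, length, value = raw[0], raw[1], raw[2:]
    if sub_type != OPTION43_TYPE:
        problems.append(f"type byte is 0x{sub_type:02x}, expected 0xf1")
    if length == 0 or length % 4:
        problems.append(f"length byte {length} is not a non-zero multiple of 4")
    if length != len(value):
        problems.append(f"length byte says {length} bytes but {len(value)} follow")
    # Decode every complete 4-byte group so the operator can see what the AP would get.
    usable = len(value) - len(value) % 4
    ips = [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, usable, 4)]
    return ips, problems

if __name__ == "__main__":
    # First string is from the page; the others are constructed faulty samples.
    for sample in ("f1040a0f64fd", "f104.0a0f.64fd", "f1080a0f64fd", "f2040a0f64fd"):
        print(sample, "->", decode_option43(sample))
    # Constructed controller addresses for a two-WLC scope.
    print(encode_option43(["10.10.111.10", "10.10.111.11"]))
```

Compare the decoded addresses with the WLC management interface IP; any entry in the problems list means the string in the DHCP scope needs correcting.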
