Guest

Wireless, LAN (WLAN)

Troubleshooting Why an AP Does Not Join a Controller

Cisco - Troubleshooting Why an AP Does Not Join a Controller

Introduction

This document provides information about the new show ap join stats commands in controller version 4.2.61.0 and demonstrates how to use them effectively. For more information, refer to Troubleshoot a Lightweight Access Point Not Joining a Wireless LAN Controller to effectively troubleshoot why an access point (AP) does not join a controller. Additional troubleshooting at the AP can be required if the AP does not send a join to the controller.

This troubleshooting document applies to all the controller (WLC) versions from 4.2.61 to the latest version of 7.2.103.

Several example outputs of different errors that occur on the controller follow the Background Information and Troubleshooting Algorithm sections.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Background Information

In controller version 4.2.61.0, the controller now keeps track of all APs that send it a discovery request and which APs it sends a discovery reply to. It also tracks APs that try to join the controller and whether or not they are successful. There are 2 new CLI (console or SSH) commands on the controller to help troubleshoot why an AP will fail to join the controller:

Show ap join stats summary [all | AP_Mac_Address]
Show ap join stats detailed AP_Mac_Address

Troubleshooting Algorithm

Use the show ap join stats summary all command to see which APs do not join the controller. The AP is inserted into the show ap join stats list as soon as the controller receives a discovery request.

Note: The controller never removes the AP from the show ap join stats list until the controller is rebooted. In some cases, the failed APs have tried to join for more than a day or are completely offline. Use the show ap join stats detail command to find out when the last discovery request and last join request were sent from the AP to determine if the AP has lost connectivity to the controller or has possibly moved to another controller.

The output gives the total number of APs from which the controller has received discovery requests and then lists whether or not those APs are currently joined to the controller.

(Cisco Controller) >show ap join stats summary all
Number of APs................................. 3
00:0b:85:1b:7c:b0............................. Joined
00:12:44:bb:25:d0............................. Joined
00:13:19:31:9c:e0............................. Not joined

Once you have the MAC address of the AP that is not joined, use the show ap join stats summary <mac addr> to discovery the last join and reason for failure.

(Cisco Controller) >show ap join stats summary 00:14:f2:63:12:50
Is the AP currently connected to controller............. Yes
Time at which the AP joined this controller last time... 
   Jan 24 12:21:32.414
Type of error that occurred last........................ 
   AP got or has been disconnected
Reason for error that occurred last..................... 
   Timed out while waiting for ECHO response from the AP
Time at which the last join error occurred.............. 
   Jan 24 12:21:14.751

If you want detailed information on discovery requests, join requests, and configuration requests, use the command show ap join stats detail <mac-address> . This command also indicates whether or not the controller sees only a discovery request from the AP but does not see a join request.

(Cisco Controller) >show ap join stats detail 00:14:f2:63:12:50
Discovery phase statistics
- Discovery requests received........................... 2
- Successful discovery responses sent................... 2
- Unsuccessful discovery request processing............. 0
- Reason for last unsuccessful discovery attempt........ 
   Not applicable
- Time at last successful discovery attempt............. 
   Jan 24 12:21:20.547
- Time at last unsuccessful discovery attempt........... 
   Not applicable

Join phase statistics
- Join requests received................................ 2
- Successful join responses sent........................ 2
- Unsuccessful join request processing.................. 0
- Reason for last unsuccessful join attempt............. 
   Not applicable
- Time at last successful join attempt.................. 
   Jan 24 12:21:30.669
- Time at last unsuccessful join attempt................ 
   Not applicable

Configuration phase statistics
- Configuration requests received....................... 2
- Successful configuration responses sent............... 2
- Unsuccessful configuration request processing......... 0
- Reason for last unsuccessful configuration attempt.... 
   Not applicable
- Successful configuration attempt...................... 
   Jan 24 12:21:32.414

- Time at last unsuccessful configuration attempt....... 
   Not applicable

Last AP message decryption failure details
- Reason for last message decryption failure............ 
   Not applicable

Last AP disconnect details
- Reason for last AP connection failure................. 
   Timed out while waiting for ECHO response from the AP

Last join error summary
- Type of error that occurred last...................... 
   AP got or has been disconnected
- Reason for error that occurred last................... 
   Timed out while waiting for ECHO response from the AP
- Time at which the last join error occurred............ 
   Jan 24 12:21:14.751

Example 1

In this case, the time on the controller is incorrect. The error indicates that the APs certificate payload is invalid. This error occurred because the time on the controller was outside of the certificates validity time interval. Ensure that the show time command indicates the correct time. Note the Mar 6 1993 time values in the output below. This is where the clock starts for the controller without NTP configured.

The three phases of the AP join report statistics with time stamps are the Discovery, Join and Configuration Phase. Check the Last Error Summary why the AP failed to join or disconnect reason.

 (Cisco Controller) >show ap join stats detailed 00:14:1b:5a:40:10

Discovery phase statistics
- Discovery requests received........................... 2
- Successful discovery responses sent................... 1
- Unsuccessful discovery request processing............. 2113123
- Reason for last unsuccessful discovery attempt........ 
   Discovery request received on unsupported VLAN
- Time at last successful discovery attempt............. 
   Mar 06 19:03:50.779
- Time at last unsuccessful discovery attempt........... 
   Mar 06 19:03:50.782

Join phase statistics
- Join requests received................................ 1
- Successful join responses sent........................ 0
- Unsuccessful join request processing.................. 1
- Reason for last unsuccessful join attempt............. 
   Certificate payload in join request contains 
   invalid certificate
- Time at last successful join attempt.................. 
   Not applicable
- Time at last unsuccessful join attempt................ 
   Mar 06 19:04:00.810

Configuration phase statistics
- Configuration requests received....................... 0
- Successful configuration responses sent............... 0
- Unsuccessful configuration request processing......... 0
- Reason for last unsuccessful configuration attempt.... 
   Not applicable
- Time at last successful configuration attempt......... 
   Not applicable
- Time at last unsuccessful configuration attempt....... 
   Not applicable

Last AP message decryption failure details
- Reason for last message decryption failure............ 
   Not applicable

Last AP disconnect details
- Reason for last AP connection failure................. 
   Not applicable

Last join error summary
- Type of error that occurred last...................... 
   Lwapp join request rejected
- Reason for error that occurred last................... 
   Certificate payload in join request contains invalid 
   certificate
- Time at which the last join error occurred............ 
   Mar 06 19:04:00.810
 

Example 2

In this case, the AP sends the discovery request on a VLAN other than the management IP address VLAN. The controller rejects all discovery requests that are not received on the management interface subnet.

 (Cisco Controller) >show ap join stats detailed 00:14:1b:5a:40:10

Discovery phase statistics
- Discovery requests received........................... 10
- Successful discovery responses sent................... 5
- Unsuccessful discovery request processing............. 2113123
- Reason for last unsuccessful discovery attempt........ 
   Discovery request received on unsupported VLAN
- Time at last successful discovery attempt............. 
   Jan 30 14:30:12.284
- Time at last unsuccessful discovery attempt........... 
   Jan 30 14:30:12.288

Join phase statistics
- Join requests received................................ 4
- Successful join responses sent........................ 0
- Unsuccessful join request processing.................. 4
- Reason for last unsuccessful join attempt............. 
   Certificate payload in join request contains invalid 
   certificate
- Time at last successful join attempt.................. 
   Not applicable
- Time at last unsuccessful join attempt................ 
   Mar 06 19:19:03.345

Configuration phase statistics
- Configuration requests received....................... 0
- Successful configuration responses sent............... 0
- Unsuccessful configuration request processing......... 0
- Reason for last unsuccessful configuration attempt.... 
   Not applicable
- Time at last successful configuration attempt......... 
   Not applicable
- Time at last unsuccessful configuration attempt....... 
   Not applicable

Last AP message decryption failure details
- Reason for last message decryption failure............ 
   Not applicable

Last AP disconnect details
- Reason for last AP connection failure................. 
   Not applicable

Last join error summary
- Type of error that occurred last...................... 
   Failed to send Lwapp discovery response
- Reason for error that occurred last................... 
   Discovery request received on unsupported VLAN
- Time at which the last join error occurred............ 
   Jan 30 14:30:12.288

(Cisco Controller) >

Example 3

In this case, the AP moved from this controller to its primary controller.

Note: The error can be generated for multiple reasons, one of which is a network interruption.

 (Cisco Controller) >show ap join stats detailed 00:14:1b:5a:40:10

Discovery phase statistics
- Discovery requests received........................... 23
- Successful discovery responses sent................... 23
- Unsuccessful discovery request processing............. 0
- Reason for last unsuccessful discovery attempt........ 
   Not applicable
- Time at last successful discovery attempt............. 
    Jan 30 14:39:38.526
- Time at last unsuccessful discovery attempt........... 
   Not applicable

Join phase statistics
- Join requests received................................ 21
- Successful join responses sent........................ 21
- Unsuccessful join request processing.................. 0
- Reason for last unsuccessful join attempt............. 
   Not applicable
- Time at last successful join attempt.................. 
   Jan 30 14:39:07.085
- Time at last unsuccessful join attempt................ 
   Not applicable

Configuration phase statistics
- Configuration requests received....................... 21
- Successful configuration responses sent............... 21
- Unsuccessful configuration request processing......... 0
- Reason for last unsuccessful configuration attempt.... 
   Not applicable
- Time at last successful configuration attempt......... 
   Jan 30 14:39:09.481
- Time at last unsuccessful configuration attempt....... 
   Not applicable

Last AP message decryption failure details
- Reason for last message decryption failure............ 
   Not applicable

Last AP disconnect details
- Reason for last AP connection failure................. 
   Timed out while waiting for ECHO response from the AP

Last join error summary
- Type of error that occurred last...................... 
   AP got or has been disconnected
- Reason for error that occurred last................... 
   Timed out while waiting for ECHO response from the AP
- Time at which the last join error occurred............ 
   Jan 30 14:40:15.451

Example 4

In this case, the self-signed certificate (SSC) of the AP was not correct on the controller. The controller always checks its local database before it forwards the request to a defined radius server. As a result, the RADIUS authorization is pending for AP error appears when the controller does not find the SSC locally.

 (Cisco Controller) >show ap join stats detailed 00:13:5f:fa:88:50

Discovery phase statistics
- Discovery requests received........................... 2
- Successful discovery responses sent................... 1
- Unsuccessful discovery request processing............. 2113123
- Reason for last unsuccessful discovery attempt........ 
   Discovery request received on unsupported VLAN
- Time at last successful discovery attempt............. 
   Jan 30 14:58:58.070
- Time at last unsuccessful discovery attempt........... 
   Jan 30 14:58:58.071

Join phase statistics
- Join requests received................................ 1
- Successful join responses sent........................ 0
- Unsuccessful join request processing.................. 1
- Reason for last unsuccessful join attempt............. 
   RADIUS authorization is pending for the AP
- Time at last successful join attempt.................. 
   Not applicable
- Time at last unsuccessful join attempt................ 
   Jan 30 14:59:13.111

Configuration phase statistics
- Configuration requests received....................... 0
- Successful configuration responses sent............... 0
- Unsuccessful configuration request processing......... 0
- Reason for last unsuccessful configuration attempt.... 
   Not applicable
- Time at last successful configuration attempt......... 
   Not applicable
- Time at last unsuccessful configuration attempt....... 
   Not applicable

Last AP message decryption failure details
- Reason for last message decryption failure............ 
   Not applicable

Last AP disconnect details
- Reason for last AP connection failure................. 
   Radius authorization of the AP has failed

Last join error summary
- Type of error that occurred last...................... 
   AP got or has been disconnected
- Reason for error that occurred last................... 
   Radius authorization of the AP has failed
- Time at which the last join error occurred............ 
   Jan 30 14:59:13.117

(Cisco Controller) >

Example 5

(Cisco Controller) >show ap join stats detailed 0026cb8168c0
Discovery phase statistics
- Discovery requests received.............................. 202
- Successful discovery responses sent...................... 0
- Unsuccessful discovery request processing................ 0
- Reason for last unsuccessful discovery attempt........... Not applicable
- Time at last successful discovery attempt................ Not applicable
- Time at last unsuccessful discovery attempt.............. Not applicable

Join phase statistics
- Join requests received................................... 122
- Successful join responses sent........................... 0
- Unsuccessful join request processing..................... 0
- Reason for last unsuccessful join attempt................ Not applicable
- Time at last successful join attempt..................... Not applicable
- Time at last unsuccessful join attempt................... Not applicable

Configuration phase statistics
- Configuration requests received.......................... 115
- Successful configuration responses sent.................. 0
- Unsuccessful configuration request processing............ 0
- Reason for last unsuccessful configuration attempt....... Not applicable
--More-- or (q)uit
- Time at last successful configuration attempt............ Not applicable
- Time at last unsuccessful configuration attempt.......... Not applicable

Last AP message decryption failure details
- Reason for last message decryption failure............... Not applicable

Last AP disconnect details
- Reason for last AP connection failure.................... Image data 
request received from an unsupported AP

Last join error summary
- Type of error that occurred last......................... AP got or 
has been disconnected
- Reason for error that occurred last...................... Image data 
request received from an unsupported AP
- Time at which the last join error occurred............... Feb 16 
00:50:16.841
Discovery phase statistics
- Discovery requests received.............................. 44
- Successful discovery responses sent...................... 44
- Unsuccessful discovery request processing................ 0
- Reason for last unsuccessful discovery attempt........... Not applicable
- Time at last successful discovery attempt................ Feb 26 18:36:24.098
- Time at last unsuccessful discovery attempt.............. Not applicable

Join phase statistics
- Join requests received................................... 44
- Successful join responses sent........................... 0
- Unsuccessful join request processing..................... 44
- Reason for last unsuccessful join attempt................ Join request receive
d from an unsupported AP
- Time at last successful join attempt..................... Not applicable
- Time at last unsuccessful join attempt................... Feb 26 18:36:39.497

Configuration phase statistics
- Configuration requests received.......................... 0
- Successful configuration responses sent.................. 0
- Unsuccessful configuration request processing............ 0
- Reason for last unsuccessful configuration attempt....... Not applicable
- Time at last successful configuration attemp--More-- or (q)uit
t............ Not applicable
- Time at last unsuccessful configuration attempt.......... Not applicable

Last AP message decrytion failure details
- Reason for last message decryption failure............... Not applicable

Last AP disconnect details
- Reason for last AP connection failure.................... Not applicable

Last join error summary
- Type of error that occurred last......................... Lwapp join request r
ejected
- Reason for error that occurred last...................... Join request receive
d from an unsupported AP
- Time at which the last join error occurred............... Feb 26 18:36:39.497

Related Information

Updated: May 02, 2012
Document ID: 100731