Access points can fail to join a controller for many reasons such as a RADIUS authorization is pending, self-signed certificates are not enabled on the controller, the access point and controller’s regulatory domains do not match, and so on.
You can configure the access points to send all CAPWAP-related errors to a syslog server. You do not need to enable any debug
commands on the controller because all of the CAPWAP error messages can be viewed from the syslog server itself.
The state of the access point is not maintained on the controller until it receives a CAPWAP join request from the access point, so it can be difficult to determine why the CAPWAP discovery
request from a certain access point was rejected. In order to troubleshoot such joining issues without enabling CAPWAP debug
commands on the controller, the controller collects information for all access points that send a discovery message to this controller and maintains information for any access points that have successfully joined this controller.
The controller collects all join-related information for each access point that sends a CAPWAP discovery request to the controller. Collection begins when the first discovery message is received from the access point and ends when the last configuration
payload is sent from the controller to the access point.
When the controller is maintaining join-related information for the maximum number of access points, it does not collect information for any
more access points.
You can also configure a DHCP server to return a syslog server IP address to the access point using option 7 on the server.
The access point then starts sending all syslog messages to this IP address.
You can configure the syslog server IP address through the access point CLI, if the access point is not connected to the controller by entering the capwap ap log-server syslog_server_IP_address command.
When the access point joins a controller for the first time, the controller pushes the global syslog server IP address (the default is 255.255.255.255) to the access point. After that, the access point
sends all syslog messages to this IP address, until it is overridden by one of the following scenarios:
-
The access point is still connected to the same controller, and you changed the global syslog server IP address configuration on the controller by using the ap syslog host Syslog_Server_IP_Address command. In this case, the controller pushes the new global syslog server IP address to the access point.
-
The access point is still connected to the same controller, and you configured a specific syslog server IP address for the access point on the controller by using the ap name Cisco_AP syslog host Syslog_Host_IP_Address command. In this case, the controller pushes the new specific syslog server IP address to the access point.
-
The access point gets disconnected from the controller, and you configured the syslog server IP address from the access point CLI by using the capwap ap log-server syslog_server_IP_address command. This command works only if the access point is not connected to any controller.
-
The access point gets disconnected from the controller and joins another controller. In this case, the new controller pushes its global syslog server IP address to the access point.
Whenever a new syslog server IP address overrides the existing syslog server IP address, the old address is erased from persistent
storage, and the new address is stored in its place. The access point also starts sending all syslog messages to the new IP
address, if the access point can reach the syslog server IP address.