Your Access Point (AP) needs to be connected to the Wireless LAN Controller (WLC) via the management interface before it can serve network users. The connection is crucial because the WLC gives the AP the configuration information and firmware required for it to operate.
AP-to-WLC registration issues are common and have a variety of causes, which can be found using the appropriate debugging commands. Some common problems that cause WLC connection issues include:
In this article, you will find an overview of the Cisco AP discovery and join process, information on how to debug both your controller and your AP, and an analysis of the debugging results to find the most common reasons why your AP fails to join the WLC.
Before you begin diagnosing any AP joining issues, you should understand the Cisco AP registration process, which takes place in two phases: the discovery phase and the join phase.
Immediately after you boot up the AP, it will attempt to discover as many controllers as possible using the following methods:
Any controllers that are discovered during the discovery phase will send a response to the AP. The response includes the number of APs connected to it as well as the maximum number of APs it can support.
The discovery phase ends with the AP having a list of potential controllers that it could join. It then sends a Control and Provisioning of Wireless Access Points (CAPWAP) discovery message to the controllers on the list, and the available controllers send back a CAPWAP response message.
The AP will follow the joining criteria shown below:
Once it has determined which controller to join, the AP will send that controller a join request containing information about itself and then wait for the controller to send a join response.
When you are having issues with your AP connecting to the controller, it is always a good idea to debug the entire discovery and join process. The debug commands you use will show all events and errors that occurred during the process. The following section highlights the debug commands you can use on both the controller and the AP.
To view the entire discovery and join process from the controller’s perspective, issue the following debugging commands:
If your AP has a console port, it is possible to view the join request sent by the AP by debugging it. Start by ensuring you are in the enable mode and then use the following debug CAPWAP commands to view the packets it sends as discovery and join requests:
You should collect all the information you get after debugging from both the AP and controller and save it into a file.
Analyzing the output of the debugging commands can give you deeper insight into what the problem may be. Let’s go through an explanation of the most common debugging results and the reasons why your AP may fail to join the WLC.
If you get this debug output, the problem is most likely the presence of duplicate IP addresses where one of the IP addresses on the network is the same as the AP manager’s IP address. This issue also causes the AP to reboot constantly without joining the controller.
Duplicate IP addresses are a common problem and running debug commands usually shows that the discovery phase occurred successfully but there was no join request sent from the AP. To resolve this issue, you can choose to remove the device with the duplicate IP address or change its address.
Your AP can only join the WLC if its regulatory domain matches the controller's. If the domains differ, a regulatory domain mismatch error occurs. You can view this error in the message log when you run the "debug capwap events enable" command. The image below shows the output on the WLC message log in case this is the issue.
Each regulatory domain supported by the WLC must be selected on the controller before an AP in that domain can connect through it. It is recommended to buy APs that share a regulatory domain.
This error occurs if the AP is not included in the WLC AP authorization list, and you can usually discover it by running the "debug capwap events table" command on the WLC or the "debug capwap client error" command on the AP.
Running the debug command on the WLC gives an output like the one shown below.
On the other hand, running the debug command on the AP gives a message like the one shown below.
Solving this problem involves adding the access point to the authorization list by issuing the "config auth-list add mic <AP MAC Address>" command.
Your AP may fail to join the WLC because of a certificate or public key corruption error. To figure out whether there is corruption, issue the "debug capwap errors enable" and "debug pm pki enable" commands and analyze the output.
If there is a corruption error, output like the one below will be shown on the message log.
This message is usually displayed if the main problem is the AP sending a discovery message from a VLAN not configured on the controller. This error usually means the controller will also drop the packets sent during the discovery phase.
This debugging output is usually displayed if the AP was configured as a mesh AP but is currently in bridge mode. If this is the case, you will need to add the AP to the WLC’s AP authorization list.
After adding the AP, it should download the image from the controller and then register in bridge mode. After that, change the mode to local mode. The AP will then download the image, reboot, and register in local mode.
Check and ensure that the following necessary ports for the AP to join the controller are enabled on the firewall:
Access points can constantly change their IP addresses when they are undergoing the AP discovery and join process. The constant renewal of IP addresses can cause the DHCP servers on the network to mark the AP’s addresses as bad addresses.
In summary, the process of AP registration on a WLC can be divided into the discovery phase and the join phase. If errors occur in any one of these phases, they can prevent the AP from joining the WLC. You can discover any existing errors by issuing debug commands. Studying the outputs of debug commands can give you deep insight into the problem causing the joining issues.
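As an added example (not part of the original article or any Cisco tooling), the following Python sketch triages a saved debug capture per AP, applying the article's observations: a discovery that succeeds with no join request points to a duplicate AP-manager IP, and mismatch or authorization errors map to their fixes. The log line format, message wording, and MAC addresses are constructed assumptions; adapt the patterns to the text in your own capture.

```python
import re
from collections import defaultdict

# Constructed sample, NOT verbatim WLC output. Assumed format: "<time> <ap-mac> <message>".
SAMPLE = """\
10:01:02 00:11:22:33:44:01 Discovery Request received
10:01:02 00:11:22:33:44:01 Discovery Response sent
10:01:42 00:11:22:33:44:01 Discovery Request received
10:02:00 00:11:22:33:44:02 Discovery Response sent
10:02:05 00:11:22:33:44:02 Join Request received
10:02:05 00:11:22:33:44:02 AP Authorization failure
10:03:04 00:11:22:33:44:03 Join Request received
10:03:04 00:11:22:33:44:03 Regulatory domain mismatch
10:04:00 00:11:22:33:44:04 Discovery Response sent
10:04:03 00:11:22:33:44:04 Join Request received
10:04:03 00:11:22:33:44:04 Join Response sent
"""

LINE = re.compile(r"^\S+ ((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (.+)$", re.I)
PHASES = ("discovery response", "join request", "join response")
# Assumed error wording -> cause and fix taken from the article text.
ERRORS = {
    "regulatory domain mismatch": "regulatory domain mismatch: select the AP's domain on the WLC",
    "authorization fail": "AP not in authorization list: config auth-list add mic <AP MAC Address>",
}

def triage(capture):
    """Return {ap_mac: verdict} for each AP seen in a saved debug capture."""
    phases, errors = defaultdict(set), {}
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines outside the assumed format
        mac, msg = m.group(1).lower(), m.group(2).lower()
        phases[mac].update(p for p in PHASES if p in msg)
        for needle, cause in ERRORS.items():
            if needle in msg:
                errors.setdefault(mac, cause)  # keep the first error per AP
    verdicts = {}
    for mac, seen in phases.items():
        if mac in errors:
            verdicts[mac] = errors[mac]
        elif "join response" in seen:
            verdicts[mac] = "joined"
        elif "discovery response" in seen and "join request" not in seen:
            verdicts[mac] = "discovery OK, no join request: check for a duplicate of the AP-manager IP"
        else:
            verdicts[mac] = "unresolved: review the full debug output"
    return verdicts
```

Call `triage()` with the contents of the file you saved from the controller and AP debug sessions; each AP MAC maps to one verdict.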