Wireless vLecture CAPWAP Join Process

Captions
Okay, well, today we're gonna be talking about the CAPWAP join process to the wireless LAN controllers. If you saw the last class I did, we were talking all about the discovery process, so those APs booting up, discovering a whole bunch of controllers to possibly join to. Now the next step here is going to be actually joining up to the wireless LAN controllers. So if you didn't see that one, you should be able to find it on our YouTube channel for IPexpert, so definitely go ahead and take a peek at that one if you haven't seen it. This is being recorded, so if you want to re-watch it again or have other people watch it, that will show up in our YouTube channel as well, so you will be able to view this again in the future.

So the AP join process: this really starts, per my notes, after the discovery phase is completed. So just to review the discovery phase: when an access point boots up, it's going to load up its OS, and then at that point it's going to move into a discovery phase where it's going to build a list of wireless LAN controllers to try and reach out to. So the join process starts after that list has been compiled. So we have a list of one or multiple wireless LAN controllers to possibly join up to. So that's kind of where we're picking up the story here: we have this list of controllers already built out. Now, what we discover is the management IP address, so our AP in this process here is going to be reaching out and trying to discover controllers by their management IP addresses. So the first thing it's going to do: it's going to send out a discovery request to every single wireless LAN controller that it compiled in that list during the discovery phase. So it's kind of sending a discovery request to the management IP address, that IP address that it discovered, and it's looking for a response. So the wireless LAN controller sends back a discovery response, and in that discovery response we're going to have a number of pieces of information that the access point is going to use to figure out, you know, who should I be joining up to.

So some of that information included in the discovery response from the controller: it's going to have the, sorry, controller's name; the controller type or model, so is it a 5500 or 2500; the number of licenses and the number of current APs, so how many APs do we actually have currently on here; does it have the master controller flag set or not, it's kind of just a yes or no; and finally we have an IP address of an AP manager interface. So we discovered the management IP address, but ultimately when we join up to a wireless LAN controller we're joining up to an AP manager interface. Now, in older controllers we always had separation between management and AP managers. So like on a 4400 or the older WiSM controllers, there was a management interface and then there was an AP manager interface, one or more AP manager interfaces. On newer controllers, so pretty much anything currently selling today, 2500s, 5500s, those other ones, the management interface inherited the ability to be an AP manager. It can or cannot be, you know, it's optional, or we can have additional multiple AP manager interfaces. So depending on the controller you're on, this AP manager IP address might also be the same IP address as the management interface, but technically it's the IP address of an interface that has the AP management functionality on it.

So at this point the AP has sent out this discovery request to every controller that it discovered. All the controllers that receive these should respond back with a discovery response including all this information here. Once the AP has received all these replies back, now it needs to actually try to join up to a wireless LAN controller. So how does it figure out which wireless LAN controller it should try to join first? Well, there's a priority to everything that happens here. So for the AP join priority, spelled right, right, priority, so the first really three things it's gonna try to join: if you hard-code a primary, secondary or tertiary controller on the AP itself, it will try to join those first. Primary, secondary, tertiary, like I said, these are hard-coded on a per-access-point basis. This is something that wouldn't really occur on a fresh-out-of-the-box AP unless you actually went into the AP and primed it with either a primary, secondary or tertiary. Typically we have these once an AP has joined up; that's usually when we start configuring these things, although some people have a really streamlined process where they take a brand-new out-of-the-box AP and actually have a provisioning process that they go through with that. But we can do that either, you know, through the GUI or through the CLI. So hard-coded primary, secondary, tertiary. If we don't have one of those, or you're not able to join up to one of those, the next one is going to be a master controller. This is just any wireless LAN controller that has the master controller option enabled. Typically you would use this, you would most likely have one of these in your network, and it's usually done so that any brand-new APs that come up just sort of sink into this master controller. Once they are there, you go on and configure them for the appropriate primary, secondary, tertiary controllers, and then they never really use the master controller anymore, unless that was supposed to be the controller that they're on, or if you only have, you know, a couple controllers, and you know you have maybe a controller per site; well, you won't even use that most of the time. It's for this provisioning process: any brand-new AP just goes there, then I know any APs that are on this master controller just need to be further provisioned. Most of the time it's not the controller that stuff just stays on forever. The last one we have is going to be the least loaded controller, and it's not the one that hasn't had the most to drink, it's the one that has the least number of APs in relation to the number of licenses that it has. So this was on a percentage basis.

So let's say we had two controllers, that, you know, it wasn't primary, secondary, tertiary, it wasn't a master controller, so we're at this kind of last one here where it's the least loaded. So let's say we had WLC1 has a total of ten APs and it has a hundred licenses, so this is 10% loaded. WLC2, let's say this was maybe the DMZ controller, but for some reason the AP actually discovered it on accident; it has no APs on it, but it only has 12 licenses. Well, that's 0% loaded, so technically that's the winner. So if you're ever trying to load balance out your APs, pay attention to what controllers they're actually discovering, because if you aren't using primary, secondary, tertiary and you aren't using master controller, you're just allowing them to discover a bunch of controllers and just sort of load-balance themselves across it. It's going to load balance, again, based off of this percentage; it's not the number of available licenses, it's just the percentage of used licenses. So that's one place where you can get yourself in a little bit of trouble if you're not paying attention to what's being discovered. And I guess really the tiebreaker, once we get down kind of to the bottom, if everything is the same, it's the first to respond. So whichever discovery response that I received first, if everything else is equal, that's the one it's going to attempt to join up to.

So I'll show you real quick how to configure a few of these things, just so you understand, if you haven't actually seen the configurations for these. So the first configuration, primary, secondary, tertiary: a few ways you can configure this. I'll show you in the GUI first. So I have my controllers up, I already have some APs joined up, so let's go to the controller where I have some APs, and one here, and yep, all right. So if you go and click into the access point that you want to configure, again, this is a per-access-point configuration, we have a High Availability tab up on top and we can configure our three different controllers. So I could say right now I'm on controller 2, so I'll leave this guy to be the primary, 10.10.1.210, and I could have a secondary controller, WLC1, and 10 1 1 1. So that's obviously one primary, one secondary. Now, this is going to be saved in the flash of the AP, so the AP will remember this across reboots. So that's the one beauty of this configuration: it's static. So regardless of what else is happening, you know, whether our discovery mechanisms, the dynamic ones, whether it's DHCP or DNS or whatever it is, whether those are working or not, it always remembers a few of these controllers to join up to.

So that would be through the GUI; let me show you how to do it on the CLI. So maybe you want to have a process where you'd stage these up before they even joined up to the network. So if we go to an access point, the same LAP1 that I just configured in the GUI here; so right now I'm on the console connection of the access point. If I wanted to configure the same thing from here, it would be capwap ap, and we have primary-base, secondary-base, tertiary-base. So same type of configuration, just through the CLI. So I could say primary-base, what's my controller, WLC2, what's its IP address, 10.10.1.210. Now you'll notice that the IP address is optional. If we go back to some older code, before, you were only able to specify the controller name, so you actually had to still discover the IP address through one of the normal means: DHCP option 43 or DNS or whatever it is. Once the discovery got that discovery response back, which included the controller name, if it matched, you know, the name that you specified, then it would join up to it as its primary. Fortunately in newer code now we don't even need to discover it; we can hard-code the IP address, so it can immediately go out there and send the discovery that way. So you can do primary-base, secondary-base, tertiary-base. There's one other option: capwap ap controller ip address. This is the same as doing the capwap ap primary-base, except we just configure an IP address; we actually don't configure the name. So because we don't get to configure the name through this command, most of the time I try to fall back to a primary-base or secondary-base, tertiary-base. If you want to validate it in the CLI, show capwap client config, and we'll see it towards the beginning, with these, the names and the IP addresses, so primary, secondary, tertiary there. So that's how you can actually validate if it's actually configured through the CLI, but most of the time we're just doing it in the GUI, and you can see it pretty quickly in the GUI there. So that would be configuring a primary, secondary, tertiary.

How about the master controller flag? This is a global setting per controller, under the Controller menu, down to Advanced, Master Controller Mode, and it's just a checkbox. Check the box, apply, perfect. So now when I send back the discovery response, the master controller flag will be set to yes, and as long as the APs don't have a primary, secondary, tertiary, they're all going to funnel into wireless LAN controller 2, as long as they discovered it. And the last part there, we really don't need to, there's no configuration there; it's just a tiebreaker at the end with the least loaded controller. So that would be the join priority.

So up to this point we discovered our controllers, we sent a discovery request, we got our discovery response back with lots of information, you know, all this information here: name, model, licenses, master controller flag. Once we receive all of those, we're gonna analyze them: okay, which one am I gonna try to join first, primary, secondary, tertiary, a master controller, or the least loaded controller? Now once I've figured out, okay, what controller I'm going to join, the join process really starts in earnest. So now I'm going to send a join request to my controller of choice. In that join request it's going to send an X.509 certificate. Let me kind of draw this out just a little bit here. We have our AP, wireless LAN controller. I want to do this real simple: we have one AP, we have one wireless LAN controller. So initially we sent a discovery request and we got a discovery response. Now we're going to join it, so you send a join request with the access point's X.509 certificate. So this is almost TLS-ish, where we have the AP sending its certificate to be validated by the controller. Then the controller sends the join response, join response, sorry, my phone's buzzing at me, with the controller's X.509 certificate. So there's a certificate exchange in both directions that each side has to validate.

Now, when the AP attempts to join the controller, when it sends its certificate, the AP can actually use one of three different types of certificates that it sends to the wireless LAN controller. So the default certificate that it's going to send is a manufacturer installed certificate; that's what's going to happen probably 99% of the time today. So let's just write these out here, AP cert types. Number one would be the MIC, or manufacturer installed certificate. Since, I think it was 2006, Cisco has installed manufacturer installed certificates in all their access points, so that when the AP tries to join up to a wireless LAN controller it's already got a built-in certificate signed by the Cisco CA. The controller already has the CA cert to validate the certificate presented by the access point, so it makes it really easy, you know, a very smooth process, and something that most people don't even think about or even maybe realize is happening. So it was pretty much from 2006 or newer, so anything that's pretty much an 1131, 1242 and newer, definitely anything that's 802.11n, has a manufacturer installed certificate by default. Usually where we don't have a manufacturer installed certificate is when we get into the second most common type, and that'd be a self-signed certificate. Typically we run into self-signed certificates when we do an autonomous-to-lightweight migration. So we bought this autonomous AP like forever ago; it's, you know, maybe like a 1230 or some of the very first 1131s, I believe, might also have needed these. When we do that migration from autonomous to lightweight, well, autonomous APs don't really need a cert because they're not using it for anything, but when we move to lightweight it does need to present a cert, so we need to create one if it doesn't have one. So since I don't have an actual CA to provision a certificate down to the access point with, it just creates its own. So a self-signed certificate is just one that the access point came up with on its own. The only problem with self-signed certificates is that the wireless LAN controllers have no way to really validate it, because it wasn't signed by a CA that the controller knows about; it was just created on its own. So essentially the AP is its own CA in this case. So when we do self-signed certificates, the controller actually needs to be told every single self-signed certificate that an AP could present to it, and we'll get into how that's configured in just a little bit. The last one, and I honestly don't know any companies that do this, but there obviously are some out there, it would be a locally signed certificate, or an LSC. This could be on any type of access point, either a newer access point or an older access point; it doesn't really matter. What this is, is rather than, say, I'm gonna use, you know, rather than use the MIC or whatever built-in certificates on the AP, I actually want to provision my own certificates and push those out to my access points. So I would have my own PKI infrastructure with my own certificate authority, create certs on that and push it out, so that when the access point joins up to the controller it's presenting a certificate signed by my CA, not Cisco's CA, and then I can really, really control, you know, what APs are allowed to join up to my controller, because I'm only going to, you know, maybe allow these locally signed certificate access points to join up to my controller. Again, hardly anyone ever uses this, but that is a type that could be in use.

So it's going to present one of these three certificates to the controller; the controller needs to validate these. So if it's a MIC, it's going to pretty much work automatically. If it's a self-signed certificate, we have to tell the controller about every single self-signed certificate that could be joining up. And if it's an LSC, we need to make sure that we've installed the CA that created the certificates for these access points. So let me kind of show you where we would configure the stuff for accepting these different certificate types on our controller. We are going to Security and then AP Policies. So here we have the default configuration: we're going to accept any manufacturer installed certificates, or MICs, automatically, so that's just going to work right off the bat. If I want to accept these other certificate types, SSCs or LSCs, I have to actually check the box to allow them. If I want to accept SSCs, LSCs, turn these on; otherwise they're just going to be flat-out denied. They're not even going to look at it any deeper than the fact that it's not a MIC: oh, tough, I'm not allowing you to join. Now, if we have a self-signed certificate, we do need to add each one, so you would click on Add up on the top right here, choose a self-signed certificate, and you need to put in the MAC address of the access point as well as a key hash. Now, how do we know what this key hash is supposed to be? Well, there's two ways of doing this. One is, ideally, you use the tool, the autonomous-to-lightweight migration tool, and what that's going to do on your behalf: when you run the tool, you actually specify a controller as well as credentials to log in to the controller with. The tool is going to migrate the access point from autonomous to lightweight; it's going to create the self-signed certificate as a part of this process, and then it's going to log in to the controller that you specified and pre-populate an SSC entry. So it's going to do it for you, as long as you use the tool. If you don't use the tool, now you've got a little bit of work ahead of you, because you've got to figure out what that is, and there's no just show command that you can run on the access point for this; you actually have to use debugs. And once we get into troubleshooting, we'll show you what that debug command is, so that if by chance you are using SSCs and you've lost the hash, or you forgot to use the tool and you don't want to have to play off a bunch of steps of undoing it, redoing it, you can find what that hash key is. So this is where we're choosing which cert types we want to allow, and again, if it's a self-signed certificate, we do have to pre-populate every single one of those on the list in order to accept it, because it's not signed by a CA that we can use to validate.

Okay, so if we go back here. So the AP sends a join request; the wireless LAN controller validates the cert; the wireless LAN controller, as long as the cert was validated, sends back a join response with its cert; the access point has to validate that. Once this entire process is done, now the AP is actually, finally, joined to the wireless LAN controller. Now, there's still a couple extra steps that we need to do to finally get this access point fully up and running. First thing it's going to check, once this is joined to the controller, is: am I running the same code that the controller is running? If there's a code difference, the access point needs to download the correct code so that it can be in sync with what the wireless LAN controller is doing, in either direction: either it needs to downgrade or upgrade, just depending on what's going on. Most of the time we're upgrading to new code every once in a while, so that way we know every access point on the controller always is using the same code that's on the controller, so we don't worry about any feature discrepancies or anything like that. If by chance the access point is running different code, it joins up, starts downloading the image immediately. Once it's downloaded the image, it actually has to reboot, boot up with the new code, and at that point it's going to start this process all over: discover, try to join up, do these join request and response, and so on. Once we've joined up and we do have the same code, the last step really is the wireless LAN controller is going to push out configuration to the AP. So at that point it's going to configure the access point; the access point will get all of the WLANs and appropriate configurations, and at that point it's up and running and should be servicing clients.

So that's the overall flow to the join process here. Quick rehash: we've discovered a bunch of controllers by their management IPs; I send a discovery request to every single controller; the controller responds back with a discovery response with lots of information, including an AP manager IP address to join up to; when I join, I join up to the AP manager IP address that I learned in the discovery response; the controller validates that cert, sends its own cert to the AP; the AP validates the controller; we do any code upgrades or downgrades; and finally configuration is pushed down to the access point.

So what could possibly go wrong in this process? Well, there's quite a few ways that this could kind of fall apart from start to finish, so let's talk about troubleshooting a little bit, unless anyone has any questions about, you know, clarifications of this join process. No? Okay. So, troubleshooting the join process. We'll assume at this point, at least, that the discovery is working: we've discovered controllers to try to join up to, so we're assuming that the APs are at least sending, at a minimum, the discovery requests to the controllers. If you want to know how to troubleshoot the discovery phase, where, you know, we're trying to build that list of controllers, look at that last class that I did in terms of the discovery process, and there I'll show you how to troubleshoot all those methods. A note on that one: I had problems doing a debug when I was in that class. I figured out the problem shortly afterwards; I was trying to debug on the wrong controller, so that's why I wasn't getting any output. So if you watch that class again, you'll notice that was on the wrong controller. So, tip: always be running stuff on the correct controller.

All right, so debugging, I'm sorry, troubleshooting. Most of the time I'm going to start just looking at some cursory information, namely logs happening on both the controller and the access point, as well as the AP join stats. That's usually the first place I'm gonna go. So, no, black please, there we go. So if you have access to the AP console port, to the AP log, so you can look at that, there's usually some helpful information you can see there. Now, in a real-life deployment, most of the time we don't just have access to that, because we don't have console ports, you know, terminal servers plugged into all the console ports, and most of the time telnet/SSH is turned off, so that's not always easily available to us, and that's fine. If you don't have it easily available to you, just skip that step for now. We can look at controller logs, oftentimes both traps and syslog, or just regular logs, sorry, spelling and speaking at the same time I don't always do well; and finally, wireless LAN controller AP join stats. So oftentimes you can start getting clues here. You might flat-out see the answer in these, or you might at least start getting ideas about what might be happening, you know, how far along in the process are we at least getting, you know, did we get a discovery response, did it attempt to join, did we get a response back, things like that. So the AP logs, I'm normally just looking at it in the console, but in the controller logs I'll show you the two places I might look.

So, what if Prime is part of the network? The join process, Prime is really invisible, I guess, to the entire join process. Now, it could be used as a place to consolidate a lot of these logs, so if you didn't want to dig into the controllers to look at the logs, you could be looking at them in Prime, but in terms of the process of joining, Prime is totally out of the picture. At best it would be useful as a troubleshooting tool to look into some information with. Okay, so where are some of these logs in the controller? Under Management, the trap logs are going to be under SNMP, Trap Logs. Now honestly, this is my favorite place to look for logs, because most of the trap logs are written in a little bit better English; you can actually understand kind of what's going on in the trap logs. So you can look in here. If you want to look in the more, like, syslog kind of logs, or buffered logs, you'll see under Logs, Message Logs, and you can see it in here too, but you'll notice it's not always the easiest to read, but a little bit more detailed at times. Those are two places, but honestly the best place to go is under Monitor, Statistics, AP Join. This is gonna keep information about every single access point that either is joined or at least has attempted to join this wireless LAN controller. So you can see right now I have one access point joined, and then it's remembered a bunch of other access points that haven't joined themselves, but they've at least sent a discovery request. So if we click into the access point in question, for this you would need to know the AP's MAC address, but once you know that MAC address, or the IP address if you knew that as well, you can kind of figure out which AP it is. You go in here, you can see information, for instance, you know, about the last AP join, but for each phase we get some information on. So here's the discovery phase: so I received two and I sent back two, so that means, you know, at this point we have connectivity, you know, it received a packet and sent it back, so we know at least it's communicating back and forth with each other; it sent a response. Okay, how about the join? So now, how many join requests did I get, how many responses did I send back? If there was a problem, it would actually tell you the reason for the last unsuccessful attempt. Here's where we can start getting some good information, both for the discovery phase up here as well as for the join phase. Configuration phase: this, again, pretty much happens once it actually has joined, so most of the time it's not a problem once we get to the configuration stage of the game. Last error summary, so you can get some information there too. So a lot of good information here; they're gonna either tell you flat out what the problem was, or at least they're gonna start giving you some clues. So a really great place to go here on the controller; otherwise look at some of those logs. That's gonna get you going for sure, and it might even solve your problem for you right there, or at least tell you what the problem is.

Once I've got through these steps, though, then if I'm still not quite sure what the problem is, now I have, for me I guess, one of two methods I could go down. Once we've done step one here, now step two is going to be, to me, you do one or the other for the most part, unless one of them is not working. You could get into the debugging route, where you're going to run debugs and dive deep and try to look, you know, at the entire process and what might be going right, what might be going wrong in there. No doubt you can definitely find out what the problem is through debugging, but how much work are you having to do to do that, and how much data are you having to sift through to try to really narrow down what the problem is? The other route for me is the cheat sheet route. I kind of like this one because honestly I'm not a huge fan of debugging, just because it's a lot of data sometimes to sift through to figure out what's going wrong, whereas there's only so many reasons why a join wouldn't happen. If I just sort of have a cheat sheet of what all those reasons are, most of the time I can actually jump through the most common problems real quickly, and as I'm doing that I'll probably spot the issue.

So let's talk about debugging first, a few commands, if you need to go down that more detailed road; maybe that's your fallback if the cheat sheet method doesn't work. What debugs can we be using to help us out for this join process? Most of the debugs are going to be on the controller itself. So if I go to the CLI of a controller, so what debugs can we do? Well, first, depending on the controller, we might have a whole ton of access points currently on the controller and we only really care about one. So if we want to kind of pare back, you know, what debugs we have to sift through, let's target, excuse me, the AP that we want to debug. So if we do a debug mac addr, then we can specify the MAC address of our AP. Again, we need to figure out what the MAC address of the AP is, but usually that's not too hard. You could look in the ARP tables, so if you knew the IP address of the access point, look at that. If you knew the port that the access point was on, look at the CAM table and see, okay, what MAC address is on this port. If you can actually get to the access point itself, you can do, I believe, just a show version, I think it might have it in there, or a show, sorry, show interface definitely would have it in there. A few different ways, but just go ahead and specify it, and it's in the format of character character colon, so every two characters it's colon-separated. I won't do this because I don't know the MAC address right now. That's gonna filter and show you, it should only show you debugging for the specific AP you want. Now let's actually do the debug commands that might be helpful for you. So there's gonna be two debug capwap commands. We could do debug capwap events enable, and this is going to show you more generically just any sort of CAPWAP interaction or kind of event happening, so more of a high level, should you like to kind of watch the process, you know: here's the discovery request, there went the discovery response, here's the join request, there went the join response, lots of that type of information. So you can either see, you know, how far did it get along the process, or you might actually get some helpful information even beyond that. Another one that you can do is debug capwap errors, so when something actually goes wrong, enable, sorry, show me that information when we actually have problems in the CAPWAP process. The last one that can be really helpful is debug pm pki enable. This is specifically for certificate stuff; since we have that certificate exchange during the join process, both the controller validating the client, the AP certificate, and vice versa, this is going to help show if there's any issues with that. So those three debugs on the controller are probably gonna be your best friends. And look at that, whoa, I got some stuff going on; obviously we can get a lot of stuff happening here. So if you need to stop the debug from happening: debug disable-all, and actually if you just type in d space d that does it as well, sorry, d space di, that would do it. So if you ever need to stop it, debug disable-all, that kind of stops it, sort of gets you back and going in your CLI here. On the access point, most of the time we don't have access to these, or at least easy access. One thing that you could do on the access point itself would be get into enable mode here; it should be debug capwap client event. So here you'd be able to see, you know, that discovery request, discovery response, join request, join response from the perspective of the access point. So, you know, this is gonna help, you know: okay, I know I sent the discovery request, but I never, on the controller, I never saw it receiving it, so okay, we probably have some sort of a connectivity issue here. Or I sent the join request but something fell apart on the response, so it was probably something in relation to that. So, something you can do here. And I'm not going to go over every single failure scenario; that would be almost impossible, to try to drill through all these, but these are debugs that you could be using, and I'll give you some documents that you could be looking at to sort of show you what some of this debug looks like when things are going wrong as well as when things are going right, so you can kind of see that as well. So those would be the debugs that you can most commonly use to figure out what the issue is.

Now, personally, I like the cheat sheet method, so let's go ahead and talk about all the main reasons that a join wouldn't be working. Oh, sorry, recorded? Yep, so absolutely, being recorded for further use. So, the cheat sheet method: let's talk about the main ways that the join process fails to work. So, cheat sheet, and here basically all I do is I just go through the list, check them all, and eventually, usually, I find what the problem is here, and it only takes a couple minutes, honestly, to go through. So usually you can get to the heart of the problem pretty darn quick without the need for any debugs or anything like that. So the first thing that we absolutely need to make this work is layer 3 connectivity to the AP manager. Remember, we always join to the AP manager on 5246. Actually, I guess it's both, to both the management interface and the AP manager, because we discover the management and we join to the AP manager, so I guess depending on which part fell out. We need that, and the port, the CAPWAP port 5246; that's what we need. So it's really hard to validate this, um, sorry, and that's UDP. It's always hard to validate UDP connectivity, so we don't really have a tool to target a port for a test. TCP is always easy; we can just target the TCP port and establish a session that way. So usually the way I'm just gonna validate this is just ping, you know, can I ping to the controller? So I can either do it from the controller to the AP or from the AP to the controller; honestly it doesn't really matter, either way should just be fine. But for instance, if I'm on LAP2 here, if I kind of type in the password correctly: ping 10.10.1.210. If that's my AP manager, great; if not, you know, management and AP manager. So if I can ping, I probably have UDP 5246 access as well, unless there's an ACL or a firewall in between me and that; that's usually not the case. So if I can ping it, I'm gonna assume that I have that connectivity working fine, unless nothing else pans out, then I might come back to this. The other way that you can validate this is look at those AP join stats. If you're not seeing it, you know, either discovery or the join, one of those two, then it's probably connectivity. So if you don't see any discovery requests and you know that the access point actually discovered it, it's probably that. Or if you see discovery requests but no join requests, either it's not trying to join to it, or, you know, if you have a separate AP manager interface, then it might be a problem getting to that AP manager interface. So just a simple ping, though, is usually all I need to worry about for this.

Next one: AP policy config. So this is where we're specifying what type of certificates we're going to accept, MICs, LSCs, SSCs, and we can also specify whether we are authorizing these access points. So let's just go take a look back under Security, AP Policies. Do I have the appropriate checkbox checked? So most of the time we're going to be doing MICs, but if you had this, you know, one-off SSC, make sure that the box is checked. I also take a look down on the bottom: are we set to authorize MICs or LSCs against an auth list? SSCs are always on, so we always have to have an entry in the AP authorization list for self-signed certificates. So if you are using a self-signed certificate, make sure that it's listed down here. If we have the box down here checked for either MICs or LSCs, then once we have these boxes checked we have to put a list there. So if I wanted to authorize a MIC, you know
I'd have to choose a MAC address and hit add that's only if these bottom boxes are checked if it's not supposed to be check just uncheck it and then any access point that uses a valid certificate type will work again with the exception of the SSC which always has to have an entry in the awfulest so take a look at this screen just make sure everything is correct I'm accepting the correct certificate type am I supposed to authorize it yes okay if I am do I have the appropriate entry down the list below so I'd be the AP policy to check next one and this is usually not the case but controller time in relation to the AP cert so anytime we validate a cert a cert always has an initial date that's begins being valid and then an end date when it's no longer valid if the controller time is outside of that validity period it will not accept the certificate even if it's set to accept Mick or ssee or whatever it is so almost it isn't it's almost impossible for this to be a problem with the mick as long as your controller is this year honestly as long as your controller has a date in this decade it's fine because I believe the a.p.e certs are good usually for like 20 years or something like that so your controller would have to be like year 2035 or whatever for this to actually be a problem I don't think we can even get set our controllers at least in newer controllers to a date early enough to make it before but just check the time on your controller and just see okay is it today that's plenty fine ideally you're using ntp and then you don't have to worry about this where this can be maybe a little bit more of a problem as if you're using locally significance or locally a local significance certificates the lscs depending on how you provision the certificate from your CA maybe you didn't set the lifespan long enough you know you said it accidentally for one year and all sudden one year the AP has been working fine for a year and now it's not because of the certain expired cell 
pay attention to that a little bit more with an LLC otherwise just make sure that the time is actually today and you're totally fine for that ideally again use NTP well one thing circle back on that ap policy so let's say that you you did use the the self signed certificate I remember I was going to tell you this and I forgot but you lost the hash if you want to figure out what the hash is do the debug on the controller and the debug PM PKI enable somewhere in that huge thing it'll actually show you it'll actually say the hash and then the full string of the hash that's the only place to really find it so debug PM PKI enable look for the hash grab that paste it into your controller and actually pick make sure you're pasting into every single controller that this ap could possibly join up to and they'll get you that one just in case you lose that but most people honestly don't have to worry about these because as we move on they're fewer and fewer ApS out there that actually don't have them making them anymore alright so there are those next one regulatory domain mismatch so when you buy an Access Point you buy an Access Point specifically you can create it for a specific regulatory domain so Americas or Europe or Japan might have a separate one when you look at that model number of the access point you know for instance if I go on to one of my ApS here your show version and I can find the model number so here's the model numbers is 3500 this - a that's the regulatory domain that that access point is made for in order for this access point to join up to a controller the controller must support that regulatory domain usually way you'd run into problems with this is if you're trying to have one controller support access points across multiple different countries or you know you bought something in the US and then you send it over to your remote office over in Germany or whatever it was going to be we need to make sure that the controller is set to accept the 
regulatory domain that the access points on so where would you see that that's going to be in the country code of the controller so if I go to the wireless on the controller country here are the country codes supported and then the regulatory domain is based off of what country codes we have specified a controller can support multiple regulatory domains at the same time and that's fine so right now us is the default to change any of this you do have to turn off your radios so let me do that and I can show you how it changes when we select a new country yeah that's fine go back down here so let's go ahead and do Belgium because why not I think there - e yep so I can support anything - a - e so just pay attention to the code on your AP make sure it's in here specifically for the the regulatory domain most people don't run into that problem unless you're again either you've shipped stuff overseas or you accidentally bought the wrong kind of access point you know he bought a a dashi and you're supposed to be using in the United States you know stuff like the AB number five no more licenses so you just don't have enough licenses to support new access points that's pretty easy to check just look at your license usage in the management software activation licenses look for the ones that's permanent should say that's in use so you can see we have 12 now you can see how many access points we have it was 12 obviously we're out licenses you can also see the number of access points here as well so not too mysterious about that one one I guess lesser-known one if you're using older controllers like a 4400 you can actually run to this issue where you have too many ApS per interface report it's actually technically per port on a forty four hundred the most ApS you can have per port is actually 48 so you can order a model of the 4400 that had 100 licenses but only to join oh yeah I think you could get a hundred licenses with two ports but basically we could run to is where if 
you're running in non leg mode you can only have 48 ApS joining up to a port so technically even though we had enough licenses it won't join up to the port just because the port can only support 48 access points the fix there would be to one provision more ports if you have it more ports available so you create additional AP manager interfaces and assigned to the additional ports or enable leg once turn on lag you eliminate this 48 port maximum and you can just have you know however made licenses you have you can use that on the leg so this is really only on 44 hundreds or you know the similar models to those I think maybe the the wisdoms the original wisdom ones might have been the same thing because those were essentially two forty four hundred shut but sorry that's not the case because wisdom wisdoms were always lagged so usually 4400 is about the only place you run into that one just a few more here AP models not supported on the WLC code so every so often as we get new code comes out older ApS become unsupported so for instance if you're running current code today whether it's seven three or seven four seven five you can't use at 12:30 as we march on down the line I think the newest code you know stuff like the the 12 50s become unsupported so always check that also if you're using older code you can't support the newer access points so if you bought a you know 2600 or 1600 series access point but you're running you know seven Oh code you're out of luck so usually you run to this as you're trying to introduce a brand new model of access point hopefully you looked at this before but check to make sure that your ap model is actually supported on the code that you're running and number eight with mesh AP's have a few requirements here mesh DPS check apo is a ssin mushy peas always have to be authorized even if you don't specifically say enable eight the authorization mesh a peas are the exception to that so you have to have an entry in that API ization list to 
allow a mesh ap to join up technically you could also put an entry in the Mack filter list that works as well so the two places you could put an entry for a mesh AP the AP authorization under ap policies so you just put an entry in here again you don't actually have to say authorize mix it's going to happen on a mesh ap no matter what so you can either put it in here and it's going to be a Mik or you could go up to Mac filtering do a new Mac filter entry just put the MAC address of the AP in there leave everything else the default apply that works as well either place will work for a mesh ap the other requirement on a mesh ap is that my VP will only join up to a controller that has one country code selected so as we have things configured right now no mesh ap could ever join this controller because I have two country code so I've checked that as well when if you were having a problem with a mesh ap specifically joining only one country codes going to be allowed and one country code and last one and this is a really ridiculous corner case you have no EP manager this only could ever happen on a 2500 or 5500 you know miles current selling controllers where the AP the management interface can also be the AP manager technically you can turn off the the AP management functionality from the management to interface if you don't create an another ap manager interface there's no ap manager so in essence I don't even think it sends back a discovery response but even if it did it would have no IP address to put in that discovery response or response message so I think it just drops it honestly it won't it won't ever send a response back but to check that you can just go into the interfaces on your controller you just need to have something with the dynamic ap management set to enable as long as you have that it will rescind back and ap Manager IP address in that discovery response and everything's fine so you know some of these are gonna be you know affect one or two ApS at a 
time someone's gonna be globally affecting you know like the the time was ridiculously off it would probably affect every single ap obviously the no EP manager would affect every single ap you know some of it may be layer three some stuff as layer three some stuff doesn't so you just run through the checklist so you know starting from the top can I ping between them yeah then we probably have it good if I look at my AP join stats I should see both requests and responses for you know discovery and joins look at my ap policy am i accepting the correct certificate type am I set to authorize it or is it a self signed certificate if so make sure I have an API ization entry for it as the controller time right is it today that's usually plenty fine otherwise if I'm using a locally significant certificate did I provision those certs far enough into the future if you want to make sure if you are using a local lessor significant certificate and you want to check the validity period of that that's one thing I forgot to mention go on to the access point and it's command I almost never have to do something make sure I have it right here show crypto CA certificates show crypto CA certificates should be able to find the local certain local a significant certificate in there and then look for the validity date just make sure it's appropriate so there's a number of certs on an access point so you have to keep on scrolling down until you find the APS or because this also has CAS to validate the controller's cert that it sends back to it that's where you could find that am I using the correct regulatory domain you know just make sure that the model is used for the regular tournament domain that you're using do I have licenses if I'm out of 4400 do I have you know more than 40 you know am i running into that 48 ports port 4400 is my AP model supported on the code I'm running if it's a mess ap make sure I have an authentic or it one country code make sure have an AP manager now if I 
hard to check most of these and you can probably burn through these in about two minutes of time so cheat sheet method you don't have to do any debugs just start going down the list is it this nope is it that no and usually you'll find it pretty quick if not then it's time to maybe flip over to some of those debugging options but this is the way I like to do it just because I'm not a huge fan of debugs myself some people love it so whatever method gets you to the end awesome you should have the tools that you need though again so the process start looking at the logs definitely check out the AP join statistics page where it's gonna give you you know hopefully an actual error that's gonna tell you what the problem is if you can't figure it out from there either do the debugging method or the cheat sheet method if you use the to cheat method you can't figure it out then maybe fall back to the debugging method so that is kind of the process I use let me give you a couple documents I'll paste them into the the chat window for troubleshooting this joint process here now some of them are at least one of these the first one that I gave you here is actually a little bit older you know starts talking about LWOP instead of cap way up and it talks you know some stuff about you know layer 2 versus layer 3 AP join process so you can kind of filter that out but it's still giving you you know like the debugs showing you some of that debug output different cases that you could run across and most of these that I already outlined here the other one the second one actually gets them do a little bit more focusing on that ap join statistics and I guess for the people that are gonna be watching this in the future that don't see what I pay sit in I can paste it in here real quick those are the two but if you just google like cisco EP joint troubleshooting you'll probably find both of these in that search pretty high up on the list so that is the joint process so any questions I guess 
about anything that we talked about here today and thinking maybe the next class I do or is gonna start getting into high availability so talking about you know if you fail overs the different methods we have for high availability the processing of validating things like that Oh as if anyone has any suggestions on topics you'd like me to to dig into I'm definitely open to that as well again this has been recorded so you should see this in our youtube channel relatively soon I would think so all right yep no problem Kyle so yeah if anyone has anything don't hesitate to reach out to me my email address Jaron sink at IP expert comm you can also find me on the online study list I'm monitoring that all the time Cisco Learning Network I'm usually on the forums there as well if you have a question so bunch of different ways to reach out to me so anything I can do to help you guys out you know don't hesitate I'm here furred for your assistance so thank you guys very much for spending some time with me this morning and hope you guys have a great day and we'll see you next time
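The cheat sheet from the lecture, written out as a small triage script. This is an added example, not code from the talk, from IPexpert or from Cisco: the Controller and AccessPoint records, the sample values, and the way the regulatory domain letter is pulled out of the model string are all assumptions made for illustration. The nine checks run in the same order as the checklist in the talk and report every one that fails, so a mesh AP with a self-signed certificate on a two-country controller shows all of its problems at once rather than the first one found. As in the talk, check 1 uses a ping as a stand-in for UDP 5246 reachability, so an ACL or firewall between AP and controller can still slip past it.

```python
"""Cheat-sheet triage for CAPWAP join failures, as a small rules engine.

Added example: the data model and sample values are constructed for
illustration; they are not WLC APIs or real controller output.
"""
from __future__ import annotations

from dataclasses import dataclass, field, replace
from datetime import datetime, timezone
from typing import Dict, List, Set

MAX_APS_PER_PORT_4400 = 48   # non-LAG limit on a 4400, regardless of licenses


@dataclass
class Controller:
    model: str                     # "4400", "5500", "2500", ...
    clock: datetime                # controller time (ideally NTP-synced)
    country_codes: Set[str]        # Wireless > Country
    regulatory_domains: Set[str]   # a real WLC derives these from the country codes
    license_count: int
    joined_ap_count: int
    accept_cert: Set[str]          # subset of {"MIC", "SSC", "LSC"} from AP Policies
    authorize_cert: Set[str]       # subset of {"MIC", "LSC"}: check against the auth list
    auth_list: Set[str]            # MACs in the AP authorization list
    mac_filter_list: Set[str]      # MACs under Security > MAC Filtering
    supported_platforms: Set[str]  # AP platforms this controller code can serve
    has_ap_manager: bool           # any interface with dynamic AP management enabled
    lag_enabled: bool = True
    aps_per_port: Dict[str, int] = field(default_factory=dict)


@dataclass
class AccessPoint:
    mac: str                       # "xx:xx:xx:xx:xx:xx"
    model: str                     # e.g. "AIR-CAP3502I-A-K9"
    platform: str                  # e.g. "3500"
    cert_type: str                 # "MIC", "SSC" or "LSC"
    cert_not_before: datetime
    cert_not_after: datetime
    pings_controller: bool = True  # result of the ping test
    is_mesh: bool = False
    port: str = "1"                # 4400 port the AP would land on


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def regulatory_domain(model: str) -> str:
    """Return the domain letter in a model string ("...-A-K9" -> "A").
    Assumption: it is the first single-letter token after the platform."""
    for token in model.upper().split("-")[1:]:
        if len(token) == 1 and token.isalpha():
            return token
    raise ValueError(f"no regulatory domain in model {model!r}")


def join_problems(wlc: Controller, ap: AccessPoint) -> List[str]:
    """Run the cheat sheet in order and return every check that fails."""
    problems: List[str] = []
    # 1. Layer 3 connectivity; ping stands in for UDP 5246, so an ACL can still hide here.
    if not ap.pings_controller:
        problems.append("no layer 3 connectivity to the controller (ping fails)")
    # 2. AP policy: certificate type accepted, and an auth entry where one is required.
    if ap.cert_type not in wlc.accept_cert:
        problems.append(f"AP policy does not accept {ap.cert_type} certificates")
    needs_auth = ap.cert_type == "SSC" or ap.is_mesh or ap.cert_type in wlc.authorize_cert
    authorized = ap.mac in wlc.auth_list or (ap.is_mesh and ap.mac in wlc.mac_filter_list)
    if needs_auth and not authorized:
        problems.append(f"{ap.mac} needs an AP authorization (or mesh MAC filter) entry")
    # 3. Controller time must fall inside the AP certificate's validity window.
    if not ap.cert_not_before <= wlc.clock <= ap.cert_not_after:
        problems.append(f"controller time {wlc.clock:%Y-%m-%d} is outside the AP cert validity")
    # 4. The AP's regulatory domain must be covered by the controller's country codes.
    domain = regulatory_domain(ap.model)
    if domain not in wlc.regulatory_domains:
        problems.append(f"regulatory domain -{domain} not enabled on the controller")
    # 5. Licenses.
    if wlc.joined_ap_count >= wlc.license_count:
        problems.append(f"no AP licenses left ({wlc.joined_ap_count}/{wlc.license_count} in use)")
    # 6. 4400 without LAG: at most 48 APs per port.
    if wlc.model == "4400" and not wlc.lag_enabled:
        if wlc.aps_per_port.get(ap.port, 0) >= MAX_APS_PER_PORT_4400:
            problems.append(f"port {ap.port} already has {MAX_APS_PER_PORT_4400} APs (enable LAG)")
    # 7. AP platform supported by the controller code.
    if ap.platform not in wlc.supported_platforms:
        problems.append(f"AP platform {ap.platform} is not supported on this controller code")
    # 8. Mesh APs only join a controller with exactly one country code.
    if ap.is_mesh and len(wlc.country_codes) != 1:
        problems.append(f"mesh AP needs exactly one country code, controller has {sorted(wlc.country_codes)}")
    # 9. Without an AP manager nothing answers the discovery request.
    if not wlc.has_ap_manager:
        problems.append("no interface has dynamic AP management enabled")
    return problems


def sample_controller(**overrides) -> Controller:
    """Healthy baseline controller (constructed); override fields to stage a failure."""
    base = Controller(model="5500", clock=utc(2013, 12, 17), country_codes={"US"},
                      regulatory_domains={"A"}, license_count=25, joined_ap_count=12,
                      accept_cert={"MIC"}, authorize_cert=set(), auth_list=set(),
                      mac_filter_list=set(), supported_platforms={"1600", "2600", "3500", "3600"},
                      has_ap_manager=True)
    return replace(base, **overrides)


def sample_ap(**overrides) -> AccessPoint:
    """AP with a MIC valid 2009 to 2019 (constructed values, not a real cert)."""
    base = AccessPoint(mac="00:11:22:33:44:55", model="AIR-CAP3502I-A-K9", platform="3500",
                       cert_type="MIC", cert_not_before=utc(2009, 1, 1), cert_not_after=utc(2019, 1, 1))
    return replace(base, **overrides)


if __name__ == "__main__":
    # A mesh AP with an SSC on a two-country controller trips several items at once.
    wlc = sample_controller(country_codes={"US", "BE"}, regulatory_domains={"A", "E"})
    for line in join_problems(wlc, sample_ap(cert_type="SSC", is_mesh=True)) or ["join checks pass"]:
        print(line)
```

The rules engine deliberately keeps going after the first failure: on a real incident the time skew and the missing auth-list entry are often both present, and fixing only the first one leaves the AP still not joining.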
Info
Channel: IPexpertInc
Views: 30,614
Keywords: CCIE Wireless Lab, CCIE Wireless Training Videos, CCIE Wireless Lab Videos
Id: TEnwuB8Xbvo
Length: 61min 8sec (3668 seconds)
Published: Tue Dec 17 2013