New AP registration failed

2022-09-22 22:49:49 Published

Network Topology

Null

Problem Description

Several new WA5320-SI APs were added to the project, and testing showed that they would not come online. Dozens of older APs of the same model had previously come online normally.

Process Analysis

1. Check that the AP obtains an address and can ping the AC. Both succeed, so connectivity is fine.

dis ip int br

Interface     Physical Protocol IP Address      Description
Vlan1                up       up       10.x.1.xx       --
ping 10.x.1.1
Ping 10.x.1.1 (10.x.1.1): 56 data bytes, press CTRL_C to break
56 bytes from 10.x.1.1: icmp_seq=0 ttl=255 time=1.154 ms
56 bytes from 10.x.1.1: icmp_seq=1 ttl=255 time=0.388 ms
56 bytes from 10.x.1.1: icmp_seq=2 ttl=255 time=0.385 ms
56 bytes from 10.x.1.1: icmp_seq=3 ttl=255 time=0.394 ms
56 bytes from 10.x.1.1: icmp_seq=4 ttl=255 time=0.404 ms
--- Ping statistics for 10.x.1.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.385/0.545/1.154/0.305 ms

2. Run display wlan ap all to check the AP licenses. The number of remaining AP licenses is 298, which is sufficient.

display wlan ap all
Total number of APs: 214
Total number of connected APs: 214
Total number of connected manual APs: 0
Total number of connected auto APs: 214
Total number of connected common APs: 214
Total number of connected WTUs: 0
Total number of inside APs: 0
Maximum supported APs: 512
Remaining APs: 298
Total AP licenses: 512
Local AP licenses: 512
Server AP licenses: 0
Remaining Local AP lic

3. The AC version is R5433P03, which supports the AP model WA5320-SI


4. Because registration is automatic, display wlan ap all does not show the status of an AP that has not come online. After changing the test AP to manual registration and checking the status again, the AP stays in the "I" state.

5. There is a wa5300.ipe file in the apimge folder of the AC, and the firmware-update version check has been disabled on the AC. No APDB special command is configured either.

dir

Directory of cfa0:/apimge
   6 -rw-    21411840 Jul 28 2020 19:48:14   wa5300.ipe
display cu
wlan ap-group default-group 
 ap-model WA5530-SI
  radio 1      
   radio enable
   service-template xxx vlan 12
  radio 2      
   radio enable
   service-template xxx vlan 12
  radio 3      
   radio enable
   service-template xxx vlan 12
  gigabitethernet 1

  gigabitethernet 2

6. Running debugging wlan capwap error and debugging wlan capwap event on the AC shows a DTLS handshake error:
debugging wlan capwap error
*Jan  1 00:06:52:989 2016 H3C CWC/7/EVENT: Start ipv4 dhcp opt43 discover.
*Jan  1 00:06:52:989 2016 H3C CWC/7/EVENT: Start ipv4 broadcast discover.
*Jan  1 00:06:52:989 2016 H3C CWC/7/EVENT: Open capwap client udp port:13172
*Jan  1 00:06:52:991 2016 H3C CWC/7/EVENT: Fill discover req.wtu=1.model=WA5530-SI.wt drv info:[].subslot=0.licensetype=1.ret=0x40010001.
*Jan  1 00:06:52:991 2016 H3C CWC/7/EVENT: Fill discover req.ap=1.model=WA5530-SI.licensetype=1.carry wt info is unnecessary.
t m*Jan  1 00:06:54:995 2016 H3C CWC/7/EVENT: Discovered AC by method of IPv4 broadcast successfully.
*Jan  1 00:06:54:995 2016 H3C CWC/7/EVENT: AP selected AC IP 10.7.1.1 Priority 4 successfully.
*Jan  1 00:06:54:999 2016 H3C CWC/7/EVENT: DTLS start hand shark. ulErrCode:0.
*Jan  1 00:06:55:005 2016 H3C CWC/7/ERROR: Failed to handshake, ErrCode:9
*Jan  1 00:06:59:996 2016 H3C CWC/7/EVENT: Close capwap client udp port:13172

*Jan  1 00:06:59:996 2016 H3C CWC/7/EVENT: CAPWAP tunnel to AC 10.7.1.1 went down. Reason: Handshake failed

A DTLS handshake failure occurs when there is a router with AC capability in the group or when tunnel encryption is configured. There was indeed a router with AC capability on site, with its WAN port connected to the core switch, so the switch port connected to the router was shut down, but the failure persisted. All configurations were then checked again, which revealed an AP group configured with if-match ip 10.7.1.0 255.255.255.0, and the AP was getting its address from this network segment. The AP therefore matched this group with the highest priority when registering, and tunnel encryption was configured in this group's view, so registration failed every time.

wlan ap-group xxx1
 firmware-upgrade enable
 tunnel encryption enable
 vlan 1
 if-match ip 10.x.1.0 255.255.255.0
 ap-model WA5530-SI
  radio 1
   radio enable
   service-template  xxx1  vlan 12
  radio 2
   radio enable
   service-template  xxx1  vlan 12
  radio 3
   radio enable
   service-template  xxx1  vlan 12
  gigabitethernet 1

  gigabitethernet 2

Note that AP registration does not depend on whether the service template is enabled. Even if the xxx1 service template is not enabled, an AP whose address falls in the 10.x.1.0/24 network segment still matches this group first. If if-match ip 10.7.1.0 were not configured under this group, the AP would match the default group and register there.
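
The group-matching behaviour described above can be checked offline against a saved configuration. The following is an added example, not part of the original case or an H3C tool: it parses wlan ap-group sections and reports which AP addresses land in a group that has tunnel encryption enabled. The sample configuration and addresses are constructed, the function names are hypothetical, and it assumes at most one group's if-match ip rule covers a given address.

```python
import ipaddress

# Constructed sample modelled on the AP-group output in this case;
# the addresses are placeholders, not the site's real values.
SAMPLE_CONFIG = """\
wlan ap-group default-group
 ap-model WA5530-SI
wlan ap-group xxx1
 tunnel encryption enable
 if-match ip 10.0.1.0 255.255.255.0
 ap-model WA5530-SI
"""

def parse_ap_groups(config):
    """Return {group: {"encrypt": bool, "nets": [IPv4Network, ...]}}."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("wlan ap-group "):
            current = groups.setdefault(line.split()[2], {"encrypt": False, "nets": []})
        elif raw and not raw[0].isspace():
            current = None  # a different top-level section started
        elif current is None:
            continue
        elif line == "tunnel encryption enable":
            current["encrypt"] = True
        elif line.startswith("if-match ip "):
            _, _, addr, mask = line.split()
            current["nets"].append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return groups

def group_for_ap(groups, ap_ip, default="default-group"):
    """Group an auto-registered AP lands in: an if-match hit, else the default group."""
    ip = ipaddress.ip_address(ap_ip)
    for name, g in groups.items():
        if any(ip in net for net in g["nets"]):
            return name
    return default

def encrypted_landing_groups(groups, ap_ips):
    """Map each AP IP whose matched group enables tunnel encryption to that group."""
    hits = {}
    for ap_ip in ap_ips:
        name = group_for_ap(groups, ap_ip)
        if groups.get(name, {}).get("encrypt"):
            hits[ap_ip] = name
    return hits
```

Calling encrypted_landing_groups with the addresses handed out to the new APs shows at a glance whether they will be asked for a DTLS handshake, independent of any service-template state.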


Solution

Turn off tunnel encryption in the wlan ap-group xxx1 view, i.e. run tunnel encryption disable.

