Cisco AP not in bound state and will not join controller

At a customer's site, a new SAP2702I would not join the controller and was stuck in a loop of translating cisco-capwap-controller and renewing its IP address.

    Translating "CISCO-CAPWAP-CONTROLLER"...domain server (172.16.1.120) S
    Loading http://devicehelper.cisco.com/ca/trustpool !
    Loading http://devicehelper.cisco.com/ca/trustpool !
    Loading http://devicehelper.cisco.com/ca/trustpool !
    Loading http://devicehelper.cisco.com/ca/trustpool !
    Not in Bound state.
    *Mar 1 00:03:37.059: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 172.16.20.20, mask 255.255.255.0, hostname AP0035.2074.17fb
    Not in Bound state.
    *Mar 1 00:04:19.495: %CAPWAP-3-DHCP_RENEW: Could not discover WLC. Either IP address is not assigned or assigned IP is wrong. Renewing DHCP IP.
    *Mar 1 00:04:22.567: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 172.16.20.20, mask 255.255.255.0, hostname AP0035.2074.17fb
    Translating "CISCO-CAPWAP-CONTROLLER"...domain server (172.16.1.120)

The problem turned out to be a DNS-related issue. By issuing a few ping commands from the access point, we could see that it had the needed connectivity but was unable to resolve “cisco-capwap-controller”.

Ping towards the Internet worked fine:

    AP0035.2074.17fb#debug capwap client detail
    CAPWAP Client DETAIL display debugging is on
    AP0035.2074.17fb#ping vg.no
    Translating "vg.no"...domain server (172.16.1.120) [OK]
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 195.88.54.16, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms

Ping (and resolution) of WLC did not work:

    AP0035.2074.17fb#ping cisco-capwap-controller
    % Unrecognized host or address, or protocol not running.

Ping and resolution of the FQDN of the WLC worked:

    AP0035.2074.17fb#ping cisco-capwap-controller.omit.local
    Translating "cisco-capwap-controller.omit.local"...domain server (172.16.1.120)
    *Mar 1 00:14:21.227: CAPWAP_DETAIL: Dtls Event = 40 Capwap State = 2.
    [OK]
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.16.32.11, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
    AP0035.2074.17fb#

Definitely a DNS issue then.
I could also see the problem when issuing the command “show ip dns view” through the console port of the access point: something is missing.

    AP0035.2074.17fb#show ip dns view
    DNS View default parameters:
    Logging is off
    DNS Resolver settings:
      Domain lookup is enabled
      Default domain name:
      Domain search list:
      Lookup timeout: 3 seconds
      Lookup retries: 2
      Domain name-servers:
        172.16.1.120
    DNS Server settings:
      Forwarding of queries is enabled
      Forwarder timeout: 3 seconds
      Forwarder retries: 2
      Forwarder addresses:

So by adding option 15 in MS DNS, “DNS Domain Name” (or, as it would look in Windows ipconfig output, the DNS suffix), the default domain name is filled in:

    AP0035.2074.17fb#show ip dns view
    DNS View default parameters:
    Logging is off
    DNS Resolver settings:
      Domain lookup is enabled
      Default domain name: omit.local
      Domain search list:
      Lookup timeout: 3 seconds
      Lookup retries: 2
      Domain name-servers:
        172.16.1.120
    DNS Server settings:
      Forwarding of queries is enabled
      Forwarder timeout: 3 seconds
      Forwarder retries: 2
      Forwarder addresses:

Now, this DNS option had been missing since forever, so my guess was that something changed within the DNS-server itself. I would imagine that previously the DNS-server automatically assumed omit.local as DNS suffix if missing from the DNS-request.
Anyway, hopefully this will assist someone who might be experiencing the same issue.
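
As an added example (not part of the original post): a small Python parser for a DHCP options field that checks whether a lease carries option 15 (Domain Name), and so whether the AP gets a suffix to append to CISCO-CAPWAP-CONTROLLER. The two sample leases are constructed from the addresses shown above, the function names are hypothetical, and the name qualification is modelled on the behaviour seen in the post.

```python
import ipaddress

MAGIC = bytes.fromhex("63825363")  # DHCP magic cookie (RFC 2131)

def parse_options(field: bytes) -> dict:
    """Parse a DHCP options field (cookie + TLVs) into {code: value bytes}."""
    if field[:4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(field):
        code = field[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(field) or i + 2 + field[i + 1] > len(field):
            raise ValueError(f"option {code} truncated")
        length = field[i + 1]
        # RFC 3396: a repeated option code is a continuation, so concatenate
        opts[code] = opts.get(code, b"") + field[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def capwap_lookup_name(opts: dict, host="CISCO-CAPWAP-CONTROLLER"):
    """Return (fqdn or None, DNS servers) as derived from options 15 and 6."""
    raw6 = opts.get(6, b"")
    servers = [str(ipaddress.IPv4Address(raw6[j:j + 4])) for j in range(0, len(raw6) - 3, 4)]
    domain = opts.get(15, b"").rstrip(b"\x00").decode("ascii", "replace")
    return (f"{host}.{domain}" if domain else None), servers

def opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value  # helper to build one TLV

# Constructed sample leases (not captured traffic): ACK, mask, DNS server.
COMMON = opt(53, b"\x05") + opt(1, bytes([255, 255, 255, 0])) + opt(6, bytes([172, 16, 1, 120]))
LEASE_BEFORE = MAGIC + COMMON + b"\xff"                            # no option 15
LEASE_AFTER = MAGIC + COMMON + opt(15, b"omit.local") + b"\xff"    # option 15 added

if __name__ == "__main__":
    for label, lease in (("before", LEASE_BEFORE), ("after", LEASE_AFTER)):
        fqdn, servers = capwap_lookup_name(parse_options(lease))
        print(label, servers, fqdn or "no option 15: name stays unqualified")
```

The options field can be taken from a packet capture of the DHCP ACK sent to the AP, starting at the magic cookie.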
