Access points can fail to join a switchcontroller for many reasons: for example, a RADIUS authorization is pending, self-signed certificates are not enabled on the switchcontroller, the regulatory domains of the access point and the switchcontroller do not match, and so on.
You can configure the access points to send all CAPWAP-related errors to a syslog server. You do not need to enable any debug commands on the switchcontroller because all of the CAPWAP error messages can be viewed from the syslog server itself.
The state of the access point is not maintained on the switchcontroller until it receives a CAPWAP join request from the access point, so it can be difficult to determine why the CAPWAP discovery request from a certain access point was rejected. In order to troubleshoot such joining issues without enabling CAPWAP debug commands on the switchcontroller, the switchcontroller collects information for all access points that send a discovery message to this switchcontroller and maintains information for any access points that have successfully joined this switchcontroller.
The switchcontroller collects all join-related information for each access point that sends a CAPWAP discovery request to the switchcontroller. Collection begins when the first discovery message is received from the access point and ends when the last configuration payload is sent from the switchcontroller to the access point.
When the switchcontroller is maintaining join-related information for the maximum number of access points, it does not collect information for any more access points.
You can also configure a DHCP server to return a syslog server IP address to the access point using option 7 on the server. The access point then starts sending all syslog messages to this IP address.
If the access point is not connected to the switchcontroller, you can configure the syslog server IP address through the access point CLI by entering the capwap ap log-server syslog_server_IP_address command.
When the access point joins a switchcontroller for the first time, the switchcontroller pushes the global syslog server IP address (the default is 255.255.255.255) to the access point. After that, the access point sends all syslog messages to this IP address, until it is overridden by one of the following scenarios:
The access point is still connected to the same switchcontroller, and you changed the global syslog server IP address configuration on the switchcontroller by using the ap syslog host Syslog_Server_IP_Address command. In this case, the switchcontroller pushes the new global syslog server IP address to the access point.
The access point is still connected to the same switchcontroller, and you configured a specific syslog server IP address for the access point on the switchcontroller by using the ap name Cisco_AP syslog host Syslog_Host_IP_Address command. In this case, the switchcontroller pushes the new specific syslog server IP address to the access point.
The access point gets disconnected from the switchcontroller, and you configured the syslog server IP address from the access point CLI by using the capwap ap log-server syslog_server_IP_address command. This command works only if the access point is not connected to any switchcontroller.
The access point gets disconnected from the switchcontroller and joins another switchcontroller. In this case, the new switchcontroller pushes its global syslog server IP address to the access point.
Whenever a new syslog server IP address overrides the existing syslog server IP address, the old address is erased from persistent storage, and the new address is stored in its place. The access point also starts sending all syslog messages to the new IP address, if the access point can reach the syslog server IP address.
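The following added example (not part of the original documentation or any Cisco tool) replays a sequence of configuration events for one access point and returns the syslog address it has stored after each event, following the override scenarios listed above. The event tuple format, the controller names, and the sample addresses are constructed; the model assumes the scenarios apply in the order the events occur and that rejoining the same switchcontroller leaves the stored address unchanged.

```python
DEFAULT_GLOBAL = "255.255.255.255"  # default global syslog address stated above

def replay(events, controller_globals):
    """Return the AP's stored syslog address after each event.

    events (constructed format): ("join", ctrl), ("disconnect",),
    ("global", ctrl, ip), ("per_ap", ctrl, ip), ("cli", ip)
    """
    globals_ = dict(controller_globals)   # per-controller global syslog host
    connected = last_ctrl = stored = None
    history = []
    for ev in events:
        kind = ev[0]
        if kind == "join":
            connected = ev[1]
            # First join, or join to a different controller: its global is pushed.
            if connected != last_ctrl:
                stored = globals_.get(connected, DEFAULT_GLOBAL)
            last_ctrl = connected
        elif kind == "disconnect":
            connected = None
        elif kind == "global":            # ap syslog host ...
            globals_[ev[1]] = ev[2]
            if connected == ev[1]:
                stored = ev[2]
        elif kind == "per_ap":            # ap name ... syslog host ...
            if connected == ev[1]:
                stored = ev[2]
        elif kind == "cli":               # capwap ap log-server ...
            # Works only while the AP is not connected to any controller.
            if connected is None:
                stored = ev[1]
        history.append(stored)
    return history

def still_default(address):
    """True when no specific syslog collector has been stored on the AP."""
    return address in (None, DEFAULT_GLOBAL)

# Constructed sample: two controllers, documentation-range addresses.
SAMPLE_GLOBALS = {"wlc-b": "198.51.100.5"}
SAMPLE_EVENTS = [
    ("join", "wlc-a"), ("global", "wlc-a", "192.0.2.10"),
    ("per_ap", "wlc-a", "192.0.2.20"), ("cli", "192.0.2.30"),
    ("disconnect",), ("cli", "192.0.2.30"), ("join", "wlc-b"),
]

if __name__ == "__main__":
    for ev, addr in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, SAMPLE_GLOBALS)):
        print(ev, "->", addr, "(default)" if still_default(addr) else "")
```

In the sample, the per-AP address set on the first switchcontroller is replaced when the access point joins the second one, so a per-AP collector has to be configured again after an access point moves.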