Troubleshooting the Access Point to Controller Join Process
An AP can fail to join a controller for many reasons: a RADIUS authorization is pending, self-signed certificates are not enabled on the controller, the AP and the controller regulatory domains do not match, and so on.
Controller software enables you to configure the AP to send all CAPWAP-related errors to a syslog server. You do not have to enable any debug commands on the controller. View all of the CAPWAP error messages from the syslog server itself.
The AP is not maintained on the controller until it receives a CAPWAP join request from the AP. Therefore, it can be challenging to determine why the CAPWAP discovery request from a particular AP was rejected. To troubleshoot such joining problems without enabling CAPWAP debug commands on the controller, the controller collects information for all APs that send a discovery message and maintains information for any AP that has successfully joined it.
The controller collects all join-related information for each AP that sends a CAPWAP discovery request to the controller. The collection begins with the first discovery message received from the AP and ends with the last configuration payload sent from the controller to the AP.
When the controller maintains join-related information for the maximum number of APs, it does not collect information for any more APs.
An AP sends all syslog messages to IP address 255.255.255.255 by default.
You can also configure a DHCP server to return a syslog server IP address to the AP using option 7 on the server. The AP then starts sending all syslog messages to this IP address.
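The following is an added example, not part of the original document or of the controller software: a check that reads the options field of a DHCP reply and reports where an AP would send syslog, using the option 7 (Log Server) layout from RFC 2132. It assumes no syslog server has been set for the AP by other means, and the sample byte strings are constructed, not captured traffic.

```python
import ipaddress

PAD, LOG_SERVER, END = 0, 7, 255  # RFC 2132 option codes
BROADCAST = ipaddress.IPv4Address("255.255.255.255")  # AP default stated above


def parse_options(data: bytes) -> dict[int, bytes]:
    """Walk the code/length/value options that follow the DHCP magic cookie."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == END:
            break
        if code == PAD:  # single-byte filler, carries no length field
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError(f"option {code} is missing its length byte")
        length = data[i + 1]
        value = data[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        opts[code] = opts.get(code, b"") + value  # repeated options are joined
        i += 2 + length
    return opts


def syslog_targets(data: bytes) -> list[ipaddress.IPv4Address]:
    """Return the servers listed in option 7, or the broadcast default if absent."""
    raw = parse_options(data).get(LOG_SERVER)
    if raw is None:
        return [BROADCAST]  # assumption: nothing else has set a syslog server
    if len(raw) == 0 or len(raw) % 4:
        raise ValueError("option 7 must hold one or more 4-byte IPv4 addresses")
    # Which of several listed servers an AP uses is not stated in this document.
    return [ipaddress.IPv4Address(raw[n : n + 4]) for n in range(0, len(raw), 4)]


# Constructed sample option fields; 192.0.2.x is a documentation address range.
WITH_OPT7 = bytes([53, 1, 2, 0, 7, 8, 192, 0, 2, 10, 192, 0, 2, 11, 255])
WITHOUT_OPT7 = bytes([53, 1, 2, 3, 4, 192, 0, 2, 1, 255])

if __name__ == "__main__":
    for name, sample in (("with option 7", WITH_OPT7), ("without option 7", WITHOUT_OPT7)):
        print(name, "->", [str(a) for a in syslog_targets(sample)])
```

A reply without option 7 leaves the AP on the broadcast default, so its CAPWAP error messages go to every host on the local subnet rather than to a designated collector.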
You can configure the syslog server for APs and view the AP join information only from the controller CLI interface.