05 September 2012

 

Cisco Virtual Wireless LAN Controller (vWLC) - Installing and Troubleshooting

On the 30th of August 2012, Cisco released Wireless LAN Controller release 7.3.101, which also includes support for the Virtual Wireless LAN Controller (vWLC). The release notes can be found from Cisco at http://www.cisco.com/en/US/partner/docs/wireless/controller/release/notes/crn73.html

The following post is the experience I had installing and troubleshooting the vWLC. I followed this guide by Cisco http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bd2d04.shtml#NetPro but ran into a few issues.

Points To Keep In Mind on the vWLC:
vWLC Requirements

The following are the vWLC requirements extracted from the .ova template:

  • 1 CPU
  • 2GB RAM
  • 8GB HDD
  • 2 NICs (probably can get away with one and not using the service port)



Downloading The vWLC

The vWLC software (AIR-CTVM-7-3-101-0.ova) from Cisco is a .ova file. This is a package that will unpack and create the virtual machine.


Deploy OVA Template

Open the vSphere client. I currently use ESXi 4.1.

Select the .ova file.

As you can see here the vWLC only requires 8GB of HDD space.

Give this VM a name or leave it at the default.

Select a datastore to install the vWLC.

Select thick provision format.

Review and click finish.

It only takes about a minute or two to deploy.



Power On vWLC Host For The First Time

Power on the vWLC host.




Basic Configuration (configure the time correctly or the certificates will be invalid)

It takes about four minutes from power on to reach the Configuration Wizard Tool. Go through the wizard like any other WLC. When asked to configure NTP, make sure that your NTP server is working correctly. If it is not, or you are unsure, manually configure the time instead of using NTP. This is important as it will affect the generation of the self-signed certificate. (Also check that the time on the ESX server is right.)

Logging On To vWLC and Activating Evaluation License

Log on to the vWLC with the credentials configured before.

As you can see the main page states 0 Access Points supported.

Go to Management, then Software Activation, then Licenses.

I am not sure why the only way to get the EULA to come up, is to change the priority and click 'Set Priority'.


Reboot the vWLC.

Configure DHCP Option 43 For WLC Discovery

I have configured a DHCP pool/server on the switch. I then add Option 43 which contains the vWLC IP address in hex format for the access point to find the vWLC.
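How the hex value for Option 43 is built, as an added example that is not from the original post: for Cisco lightweight access points the value is a TLV with type 0xf1, a length of four bytes per controller, and the controller management addresses in hex. The IP addresses and function names below are constructed for illustration.

```python
import ipaddress

WLC_SUBOPTION = 0xF1  # sub-option type Cisco lightweight APs look for


def encode_option43(controllers):
    """Return the Option 43 hex string for a list of controller IPv4 addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    packed = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(packed) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return (bytes([WLC_SUBOPTION, len(packed)]) + packed).hex()


def decode_option43(hex_value):
    """Parse an Option 43 hex string back into controller addresses.

    Accepts a dotted grouping such as f104.c0a8.0a05 and rejects values whose
    type or length byte does not match the payload, a common reason for an
    access point failing to discover the controller.
    """
    raw = bytes.fromhex(hex_value.replace(".", "").replace(" ", ""))
    if len(raw) < 2:
        raise ValueError("value too short for a type and length byte")
    kind, length, payload = raw[0], raw[1], raw[2:]
    if kind != WLC_SUBOPTION:
        raise ValueError(f"unexpected sub-option type 0x{kind:02x}")
    if length != len(payload) or length == 0 or length % 4:
        raise ValueError("length byte does not match a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(0, length, 4)]


if __name__ == "__main__":
    # Constructed sample: a single vWLC management address.
    value = encode_option43(["192.168.10.5"])
    print("option 43 hex", value)
    print(decode_option43(value))
```

Decoding the value already present in a DHCP pool is a quick way to confirm that access points are being pointed at the intended controller address.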

Access Point Must be 7.3 Or Above To Join vWLC

The requirement above is stated in the deployment guide by Cisco. This is interesting because, if you don't have an existing WLC that is on release 7.3 or above, the access point will not join the vWLC. This has to do with the vWLC using a self-signed certificate and the access point not being able to verify the certificate.

I then started looking at Cisco's website to see if there is a way around it but couldn't find anything. I realised that there is a new lightweight image for the Cisco 3500 access point I used that was released on the same date as the vWLC. I gave that a go to see if the access point would join the vWLC.

I had to use the recovery method to get the new lightweight image on.

It actually works and the vWLC shows that the access point joined and started downloading the full image.


Invalid Certificate Caused By Incorrect Time

After joining the vWLC and downloading the image, I thought the access point would join the vWLC without a problem. Instead I got the error message below.

I checked the self-signed certificate and realised that the certificate was invalid due to the clock. I updated the time but couldn't find a way to re-generate the self-signed certificates used to authenticate the access points (you can re-generate the SSL self-signed certificates). I had no choice but to rebuild the vWLC and make sure I had the time right. It turned out that the vWLC could not contact my NTP server. I ended up manually configuring the time during the wizard at the start.

After rebuilding and re-configuring the vWLC, I checked that the self-signed certificates are valid and that the access point could join the vWLC.


Access Point Must Be In FlexConnect Mode

When the access point showed up on the vWLC, for some reason it was in FlexConnect mode. I changed it to local mode. I created a test SSID to see if clients can connect to the access point controlled by the vWLC. The SSID does not broadcast at all. The error message I am getting is from the access point, stating '*Sep  5 13:56:19.186: %LWAPP-3-CLIENTERRORLOG: Delete VAP: received a delete request for an invalid WLAN ID 1'. I have tried removing the SSID (WLAN ID 1) and rebooting both the vWLC and the access point, without any luck.

The next day I read through the guide and release notes again and found this: 'APs will be operating in FlexConnect mode only.' That was the problem: the vWLC will only work with access points in FlexConnect mode.

Testing Wireless Connection

I went back to the vWLC and changed the access point back to FlexConnect mode.

After the access point rebooted in FlexConnect mode, the test SSID started broadcasting and I could connect to it.

Wireless client connected to vWLC on Android device.

Wireless client connected shown in the vWLC.



