CAPWAP Tunnel Between AP and WLC Down
Presenting Symptom
Wireless clients cannot connect to the network, and the AP shows 'Down' status in the WLC's AP list.
Network Context
A small branch office with one Cisco Catalyst 9800 WLC and two Cisco Catalyst 9130 APs. The WLC connects to the core switch over a trunk port, and the APs connect to access switches. The APs run in local mode, so CAPWAP carries both the control channel and the centrally switched client data traffic to the WLC. CAPWAP is an IP/UDP tunnel, so AP and WLC only need Layer 3 reachability to each other, not a shared VLAN. The WLC runs IOS-XE 17.3 and the APs run the matching 17.3 AP image.
Diagnostic Steps
Check AP status on WLC
show ap summary   (on the WLC)
AP Name  Slots  AP Model  Ethernet MAC    Location  Country  IP Address   State
AP01     2      9130      xxxx.xxxx.xxxx  default   US       10.10.10.2   Down
If the State column shows 'Down', the CAPWAP tunnel is not established. A joined AP shows 'Registered' here; 'Run' is the corresponding state reported on the AP side by show capwap client rcb.
Verify CAPWAP discovery process on AP
show capwap client rcb   (on the AP console)
CAPWAP State: DTLS Teardown   (or Discovery, or Join)
If state is not 'Run', the CAPWAP tunnel is not fully established. Look for 'DTLS Teardown' indicating DTLS failure, or 'Discovery' meaning no WLC found.
Check AP IP connectivity to WLC
ping 10.10.10.2   (from the WLC to the AP; on the AP console, ping the WLC management IP the other way)
Success rate is 100 percent (5/5)
If ping fails, there is a Layer 3 connectivity issue. Check routing, VLANs, or firewall rules.
Verify CAPWAP UDP ports are open
CAPWAP uses fixed UDP ports defined by the protocol (RFC 5415): 5246 for the control channel and 5247 for the data channel. No per-AP setting changes them, so verify the path instead of the AP: apply an extended ACL with explicit permit entries for UDP 5246 and 5247 between the AP (10.10.10.2) and the WLC (10.10.10.1) on the switch or firewall in the path and watch the hit counters with show access-lists, or check firewall logs for drops of UDP 5246/5247 between the two addresses.
Check WLC CAPWAP configuration
show wireless interface summary   (on the WLC; shows the wireless management interface, here Vlan100 with IP address 10.10.10.1)
Verify that the WLC has a wireless management interface with an IP address the AP can reach, and that the AP is pointed at that address. If the AP is configured statically, capwap ap primary-base <WLC-name> 10.10.10.1 on the AP console sets the primary controller; otherwise the AP relies on DHCP option 43 or DNS (CISCO-CAPWAP-CONTROLLER) for discovery, and those must resolve to the same WLC address.
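The diagnostic steps above read the CAPWAP state from the AP and WLC CLIs. The same states can be recovered from a packet capture on UDP 5246, and seeing the framing makes the state machine less abstract. The following Python is an added example written for this page (not Cisco code and not the page's own): it builds cleartext CAPWAP control messages per the RFC 5415 header layout, parses them, and classifies a short trace of (destination port, payload) pairs into the state the AP would report. The sample traffic is constructed inline, the DTLS record is a stand-in (preamble type 1 followed by filler), and the state labels returned by diagnose_join are this example's own mapping onto the states the page names.

```python
"""
CAPWAP control-channel builder/parser (RFC 5415 framing) plus a small
join-trace classifier.  Added example for this page, not Cisco code; all
packets are constructed here so it runs offline.
"""
import struct

CAPWAP_CONTROL_PORT = 5246   # control channel: Discovery/Join/Echo, DTLS-protected after Discovery
CAPWAP_DATA_PORT = 5247      # data channel: client frames tunneled to the WLC

# Preamble "Type" nibble (RFC 5415 s.4.2): what follows the preamble byte.
PREAMBLE_CAPWAP = 0          # cleartext CAPWAP header
PREAMBLE_DTLS = 1            # DTLS record (encrypted control channel)

# Base CAPWAP control message types (RFC 5415 s.4.5.1.1, enterprise number 0).
MSG_TYPES = {1: "Discovery Request", 2: "Discovery Response",
             3: "Join Request", 4: "Join Response",
             13: "Echo Request", 14: "Echo Response"}

ELEM_DISCOVERY_TYPE = 20     # message element: how the AP found the controller (1 = static)
WBID_IEEE80211 = 1           # Wireless Binding ID for IEEE 802.11


def build_capwap_header(wbid=WBID_IEEE80211, rid=0):
    """8-byte transport header: preamble, HLEN/RID/WBID/flag bits, fragment fields."""
    hlen_words = 2                                   # 8 bytes expressed in 4-byte words
    preamble = (0 << 4) | PREAMBLE_CAPWAP            # version 0, cleartext CAPWAP follows
    bits24 = (hlen_words << 19) | (rid << 14) | (wbid << 9)   # T/F/L/W/M/K and flags all 0
    return bytes([preamble]) + bits24.to_bytes(3, "big") + struct.pack(">HH", 0, 0)


def build_control_message(msg_type, seq, elements):
    """Transport header + control header + TLV message elements (RFC 5415 s.4.5)."""
    body = b"".join(struct.pack(">HH", t, len(v)) + v for t, v in elements)
    ctrl = struct.pack(">IBHB", msg_type, seq, len(body), 0)   # type, seq, elem length, flags
    return build_capwap_header() + ctrl + body


def parse_capwap(dst_port, payload):
    """Decode one UDP payload sent to a CAPWAP port; DTLS records are only flagged."""
    channel = {CAPWAP_CONTROL_PORT: "control", CAPWAP_DATA_PORT: "data"}.get(dst_port)
    if channel is None:
        raise ValueError(f"port {dst_port} is not a CAPWAP port")
    version, ptype = payload[0] >> 4, payload[0] & 0x0F
    if version != 0:
        raise ValueError(f"unsupported CAPWAP version {version}")
    info = {"channel": channel, "dtls": ptype == PREAMBLE_DTLS}
    if info["dtls"]:
        return info                                   # ciphertext: nothing more to read
    bits24 = int.from_bytes(payload[1:4], "big")
    hlen = (bits24 >> 19) * 4
    info.update(hlen=hlen, rid=(bits24 >> 14) & 0x1F, wbid=(bits24 >> 9) & 0x1F)
    if channel != "control":
        return info
    msg_type, seq, elem_len, _flags = struct.unpack(">IBHB", payload[hlen:hlen + 8])
    info.update(msg_type=msg_type, msg_name=MSG_TYPES.get(msg_type, "other"), seq=seq)
    elems, data = [], payload[hlen + 8:hlen + 8 + elem_len]
    while len(data) >= 4:                             # walk the TLV message elements
        t, ln = struct.unpack(">HH", data[:4])
        elems.append((t, data[4:4 + ln]))
        data = data[4 + ln:]
    info["elements"] = elems
    return info


def diagnose_join(trace):
    """Map a capture of (dst_port, payload) pairs onto the AP's CAPWAP state.

    Discovery is cleartext; the AP then opens DTLS on 5246 and Join rides inside
    it.  A fresh Discovery Request after DTLS records means the handshake was
    torn down, which the AP reports as DTLS Teardown.
    """
    disc_resp = dtls = restarted = False
    for dst_port, payload in trace:
        p = parse_capwap(dst_port, payload)
        if p["dtls"]:
            dtls = True
        elif p.get("msg_name") == "Discovery Response":
            disc_resp = True
        elif p.get("msg_name") == "Discovery Request" and dtls:
            restarted = True
    if not disc_resp:
        return "Discovery"          # no WLC answer: reachability, UDP 5246 filtered, wrong WLC address
    if not dtls:
        return "Join"               # controller found, DTLS not started yet
    return "DTLS Teardown" if restarted else "DTLS established"


# Constructed sample traffic for this example, not a real capture.
AP_STUCK_IN_DISCOVERY = [
    (CAPWAP_CONTROL_PORT, build_control_message(1, 0, [(ELEM_DISCOVERY_TYPE, b"\x01")])),
    (CAPWAP_CONTROL_PORT, build_control_message(1, 1, [(ELEM_DISCOVERY_TYPE, b"\x01")])),
]
DTLS_RECORD = bytes([PREAMBLE_DTLS]) + b"\x16\xfe\xfd" + b"\x00" * 10   # stand-in DTLS record
AP_DTLS_FAILING = [
    (CAPWAP_CONTROL_PORT, build_control_message(1, 0, [(ELEM_DISCOVERY_TYPE, b"\x01")])),
    (CAPWAP_CONTROL_PORT, build_control_message(2, 0, [])),
    (CAPWAP_CONTROL_PORT, DTLS_RECORD),
    (CAPWAP_CONTROL_PORT, build_control_message(1, 1, [(ELEM_DISCOVERY_TYPE, b"\x01")])),
]

if __name__ == "__main__":
    print(parse_capwap(*AP_STUCK_IN_DISCOVERY[0]))
    print("stuck in discovery ->", diagnose_join(AP_STUCK_IN_DISCOVERY))
    print("dtls failing       ->", diagnose_join(AP_DTLS_FAILING))
```

The two constructed traces correspond to the two failure signatures in the steps above: only Discovery Requests and no response points at reachability, filtering of UDP 5246, or a wrong controller address; a Discovery Response followed by DTLS records and then a new Discovery Request is the DTLS Teardown loop that the root cause section explains.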
Root Cause
The DTLS handshake that protects the CAPWAP control channel fails during certificate validation. The AP's clock is far out of sync with the WLC's, so when each side checks the peer certificate against its own clock, the current time falls outside the certificate's validity period (notBefore to notAfter) and validation fails. This check is a hard window, not a skew threshold: a clock a few minutes off a correctly set peer still falls inside a certificate valid for years, but a clock that has never been set, or is months or years adrift, does not. Every join attempt therefore ends in DTLS Teardown, the AP never reaches Join, and the WLC keeps showing it as Down.
Resolution
Set the correct date and time on the WLC, preferably from NTP (ntp server <ntp-server-IP>; confirm with show ntp status and show clock), or temporarily with clock set until NTP is reachable. Then restart CAPWAP on the AP with capwap ap restart so it discovers and joins again; the AP takes its clock from the WLC during the join, so once the WLC's time is inside the certificates' validity period the DTLS handshake completes and the AP stays in sync from then on.
Verification
After applying the fix, verify the AP status on the WLC:
show ap summary
Expected: AP state 'Registered'.
Verify the CAPWAP state on the AP:
show capwap client rcb
Expected: CAPWAP State 'Run'.
Check the DTLS session on the AP:
show capwap client dtls
Expected: DTLS session established.
Prevention
1. Configure NTP on the WLC and leave the APs to obtain their time from the WLC over CAPWAP (the default behavior).
2. Use a local NTP server or a reliable public NTP server so the WLC's clock does not drift.
3. If using certificates, ensure the AP and WLC certificates are valid and not expired.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario may appear as a troubleshooting question where you must identify why an AP is not joining the WLC. The exam tests knowledge of CAPWAP states, DTLS, and common issues like time synchronization. Key fact: DTLS validates certificates against the local clock, so the AP and WLC clocks must both sit inside the certificates' validity period or the tunnel never comes up.
Exam Tips
Remember that CAPWAP uses UDP ports 5246 (control) and 5247 (data).
Time synchronization is critical for DTLS: if either side's clock falls outside the validity period of the peer's certificate, the handshake fails and the tunnel is torn down.
Use 'show capwap client rcb' on the AP to check the CAPWAP state machine; 'DTLS Teardown' indicates a certificate or time issue, 'Discovery' means no WLC has answered.
Commands Used in This Scenario
show ap summary (WLC): AP list with join state
show capwap client rcb (AP): CAPWAP state machine
show capwap client dtls (AP): DTLS session status
ping (WLC or AP): Layer 3 reachability between AP and WLC
show clock, show ntp status (WLC): time and NTP synchronization