View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

Cisco Virtual Wireless LAN Controller (vWLC) 7.3 Installation Caveats

Average: 5 (1 vote)

Cisco Virtual Wireless LAN Controller LANCisco has released a Virtual Wireless LAN Controller (vWLC), a VM version of a controller that has always been an appliance or hardware module, with 60-day evaluation at installation. Your first thought might be less hardware cost and a WLC can take all the advantages of being a VM. For those of you who like to lab, like myself, but always have difficulty getting your hands on a WLC, this may seems like a great news that you can now have a WLC readily available for testing. Well, this is very true as long as you have thoroughly reviewed the vWLC Deployment Guide and understand all the requirements and limitations, otherwise, you may find out the hard way that things may not work the way you expected them to.

In this article, we will point out two important caveats that you need to be aware of in order to have a vWLC setup and functioning correctly. Please refer to the vWLC Deployment Guide for pre-requisites and detail installation steps.

You can watch a vWLC installation video at WL0001 - vWLC 7.3 VMware Installation

Caveat #1: Access point (AP) needs to have software version 7.3

As described in the deployment guide, vWLC does not use Manufacturing Installed Certificate (MIC), but instead use a Self Signed Certificate (SSC) and only an AP running 7.3 will accept the SSC. If the AP is one of the models shown in the following table that does not have the software version specified under the “Last Support” column, the chances are it is supported.

If you try to register an AP running prior software release, you will see a certificate error and fail registration messages. The following is a sample output from a 1131 AP that failed to join using LWAPP and went into booting loop.

Translating "CISCO-LWAPP-CONTROLLER"...domain server (
%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address, mask, hostname AP6-IRV220
%LWAPP-3-CLIENTEVENTLOG: Controller address obtained through DHCP
%LWAPP-3-CLIENTEVENTLOG: Did not get log server settings from DHCP.
%LWAPP-3-CLIENTEVENTLOG: Did not get any DNS options from DHCP.
%LWAPP-5-CHANGED: LWAPP changed state to JOIN
%LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
%LWAPP-3-CLIENTERRORLOG: Join Reply: certificate is not valid
%LWAPP-3-CLIENTERRORLOG: Join Reply: message decoding failed (controller- LM-WLC1)
%LWAPP-3-CLIENTERRORLOG: Join Timer: did not recieve join response (controller - LM-WLC1)
%LWAPP-3-CLIENTERRORLOG: Set Transport Address: no more AP manager IP addresses remain
%LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
%LWAPP-3-CLIENTERRORLOG: Join Reply: certificate is not valid
%LWAPP-3-CLIENTERRORLOG: Join Reply: message decoding failed (controller- LM-WLC1)
%LWAPP-3-CLIENTERRORLOG: Join Timer: did not recieve join response (controller - LM-WLC1)
%LWAPP-3-CLIENTERRORLOG: Set Transport Address: no more AP manager IP addresses remain
%SYS-4-PUPDATECLOCK: Periodic Clock update with ROMMON failed, because size left in ROMMON (4294967295), size needed (29), error code (-1)
%SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET JOIN RESPONSE.
%LWAPP-5-CHANGED: LWAPP changed state to DOWNXmodem file system is available.
flashfs[0]: 29 files, 8 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 15998976
flashfs[0]: Bytes used: 7141888
flashfs[0]: Bytes available: 8857088
flashfs[0]: flashfs fsck took 29 seconds.
Base ethernet MAC Address: 00:17:5A:CD:97:66
Initializing ethernet port 0...
Reset ethernet port 0...
Reset done!
ethernet link up, 100 mbps, full-duplex
Ethernet port 0 initialized: link is up
Loading "flash:/c1130-rcvk9w8-mx/c1130-rcvk9w8-mx"...#################################################################

Solution 1: Manually upgrade the access point to software 7.3

If you only have a few APs that need to be upgraded and have no access to a WLC running 7.3, you can perform manual upgrade by following the procedures below.

1. Download recovery software image for the AP (Use latest 15.x for newer models, or 12.4(x) for older models)
2. Rename the image to the name the AP will be searching for (eg. ap3g1-k9w7-tar.default). You will also see this on the AP console.
3. Configure TFTP server IP to 10.0.0.x and make sure it is on the same VLAN as the AP (AP, by default, will have IP of
4. Disconnect power from the AP.
5. Hold down Mode button and reconnect the power to the AP. (ie. Factory Reset the AP)
6. Release the Mode button when the LED turns red.
7. Once the AP is up and finds the new image on the TFTP server, it will proceed with an upgrade.

The following is sample output from upgrading a CAP3501 to IOS 15.x.

PCIE0: link is up.
PCIE0: VC0 is active
PCIE1: link is NOT up.
Check PCIe signals to radio, re-seat radio.
PCIE1 port 1 not initialized
64bit PCIE devices
PCIEx: initialization done
flashfs[0]: 4 files, 2 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 31739904
flashfs[0]: Bytes used: 2314752
flashfs[0]: Bytes available: 29425152
flashfs[0]: flashfs fsck took 9 seconds.
Reading cookie from system serial eeprom...Done
Base Ethernet MAC address: 00:07:7d:13:01:ac
Ethernet speed is 1000 Mb - FULL duplex
button is pressed, wait for button to be released...
button pressed for 20 seconds
process_config_recovery: set IP address and config to default
process_config_recovery: image recovery
image_recovery: Download default IOS tar image tftp:// <<-- Important
examining image...
extracting info (263 bytes)
Image info:
Version Suffix: rcvk9w8-
Image Name: ap3g1-rcvk9w8-mx
Version Directory: ap3g1-rcvk9w8-mx
Ios Image Size: 123392
Total Image Size: 7588352
Image Family: AP3G1
Wireless Switch Management Version:
Extracting files...
ap3g1-rcvk9w8-mx/ (directory) 0 (bytes)
extracting ap3g1-rcvk9w8-mx/ap3g1-rcvk9w8-mx (113051 bytes)........................
extracting ap3g1-rcvk9w8-mx/ap3g1-boot-m_upg (393216 bytes).......................
extracting ap3g1-rcvk9w8-mx/u-boot.bin (393216 bytes).............................
extracting ap3g1-rcvk9w8-mx/ap3g1-rcvk9w8-xx (6676234 bytes)......................
extracting ap3g1-rcvk9w8-mx/info (263 bytes)
extracting info.ver (263 bytes)
Deleting target version: flash:/ap3g1-rcvk9w8-mx...done.
New software image installed in flash:/ap3g1-rcvk9w8-mx
Configuring system to use new image...done.
Requested system reload in took about 352 seconds
Loading "flash:/ap3g1-rcvk9w8-mx/ap3g1-rcvk9w8-mx"...################
File "flash:/ap3g1-rcvk9w8-mx/ap3g1-rcvk9w8-mx" uncompressed and installed, entry point: 0x4000
enet halted
IOS Secondary Bootloader - Starting system.
FLASH CHIP: Numonyx P33
Checking for Over Erased blocks
Xmodem file system is available.
<output omitted> *Mar 1 00:00:11.790: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:12.866: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3500 Software (AP3G1-RCVK9W8-M), Version 15.2(2)JA, RELEASE SOFTWARE (fc1)
Technical Support:
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Thu 23-Aug-12 05:33 by prod_rel_team
*Mar 1 00:00:12.875: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to uplwapp_crypto_init: MIC Present and Parsed Successfully
*Mar 1 00:00:13.875: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up

Solution 2: Upgrade through a WLC appliance running software 7.3

If you have a lot of APs to upgrade that renders manual upgrade impractical, the chances are you already have a WLC appliance. If the WLC supports software 7.3, you can simply upgrade the WLC and all the APs will be consequently upgraded. Here is the list of WLC that does NOT support 7.3

Controller Platforms Not Supported (from

The following controller platforms are not supported:
• Cisco 4400 Series Wireless LAN Controller
• Cisco 2100 Series Wireless LAN Controller
• Cisco Catalyst 3750G Integrated Wireless LAN Controller
• Cisco Catalyst 6500 Series/7600 Series Wireless Services Module (WiSM)
• Cisco Wireless LAN Controller Module (NM/NME)

Below is a console output of a 1131 AP that has been upgraded through a WLC running

AP0017.5acd.9766#sh ver
Cisco IOS Software, C1130 Software (C1130-K9W8-M), Version 12.4(25e)JAL, RELEASE SOFTWARE (fc1)
Technical Support:
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Wed 22-Aug-12 17:13 by prod_rel_team
ROM: Bootstrap program is C1130 boot loader
BOOTLDR: C1130 Boot Loader (C1130-BOOT-M) Version 12.3(7)JA1, RELEASE SOFTWARE (fc1)
AP0017.5acd.9766 uptime is 9 minutes
System returned to ROM by power-on
System image file is "flash:/c1130-k9w8-mx.124-25e.JAL/c1130-k9w8-mx.124-25e.JAL"
<output omitted> cisco AIR-LAP1131AG-A-K9 (PowerPCElvis) processor (revision A0) with 27638K/5120K bytes of memory.
Processor board ID FTX1014T0M5
PowerPCElvis CPU at 262Mhz, revision number 0x0950
Last reset from power-on
LWAPP image version
1 FastEthernet interface
2 802.11 Radio(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:17:5A:CD:97:66
Part Number : 73-8962-09
PCA Assembly Number : 800-24818-08
PCA Revision Number : A0
PCB Serial Number : FOC1012xxxx
Top Assembly Part Number : 800-25544-06
Top Assembly Serial Number : FTX1014xxxx
Top Revision Number : A0
Product/Model Number : AIR-LAP1131AG-A-K9

After you have upgraded the AP, if you experience the certification verification error on initial configuration, try to erase the AP config (see commands below), potentially through console, and reload the AP to have it download new config from the controller.

  • clear capwap private-config
  • clear lwapp private-config

Caveat #2: Only FlexConnect mode is supported

Once you are able to join the AP to the vWLC, the work is not over. You might be surprised that you cannot see the SSID that you configured during the CLI setup wizard. This is because, by default, the AP comes up with Local mode. Going back to the deployment guide, it clearly states that only FlexConnect mode is supported so by switching the AP mode from Local to FlexConnect, you should start seeing your SSID after the AP recovers from reboot.

Access Point FlecConnect

As you can see, the most important thing is to get the AP to run 7.3. As long as you can find an upgrade path, you will be able to enjoy the vWLC whether for it is labbing purposes or production.

References: Cisco Virtual Wireless Controller Deployment Guide
                        Release Notes for Cisco Wireless LAN Controllers and Lightweight Access Points for Release

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.


i have a AP1131 model , i upgrade my ios Version 12.4(25d)JA1 but i can not find the LWAPP image version May i know it should be install c1130-k9w8-mx.124-25e.JAL ios can run VCLC?" in cisco web i can not find c1130-k9w8-mx.124-25e.JAL image @@?"

The link you posted is for Autonomous AP. Please go to and download the latest lightweight recovery image (eg. c1130-rcvk9w8-tar.124-25e.JAL2.tar)

I have downloaded the latest version and I really appreciate your help.

i login my CCNA account but can"t downloaded the c1130-rcvk9w8-tar.124-25e.JAL2.tar . Anyone can share c1130-k9w7-tar.124-25d.JA2.tar for 1130AG Accesspoint..thx~

i upgrade my access point version c1130-k9w8-mx.124-25e.JAL but connect the VWLC will show error messages DTLS connection request sent peer_ip: peer_port:5246% Be sure to ask the CA administrator to revoke your certificates. No enrollment sessions are currently active. DTLS connection created sucessfully peer_ip peer_port: 5246

Hi Excuse my ignorance on esxi, but does the vswitch spit out 802.1q tagged frames out of the physical interface of the esxi server? What is the switchport config of the switch connecting to esxi? Trunk all vlans? Does the data port of the wlc use native vlan 64? Any clarification there would be appreciated Thanks

You can configure the ESXi to pass 802.1q tag to VM. The switchport is configured as trunk, and the management interface on WLC does not really need to be on Native vlan. Please check out this video. It might answer your question.


Hi I am trying to get my 1242 AP's to join my vWLC. I have loaded the latest recovery image on them, but I keep on getting a "malformed certificate error" I have check my time(NTP is correct)and erased all config from the AP(capwap private-config) but still no joy. I have read on another forum that my AP's need to have previously joined a physical WLC before they can join a vWLC is this correct? Thanks M

You join AP to a physical controller only to have it download the 7.3 or later software, but since you have already manually upgraded the AP (to 7.3 or later I assume), that should not be necessary. clear capwap/lwapp private-config should delete the old certificate that is already on the AP and usually solve the issue. Can you post the exact software version of the AP and the entire error message?

Hi I have two AP's (1242,1252) software ver (C1240-K9W8-M), Version 12.4(25e)JAM The vWLC is ver The error message on the 1242 is : *Mar 1 14:06:33.926: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-LWAPP-CONTROLLER *Mar 1 14:06:44.927: %CAPWAP-3-ERRORLOG: Go join a capwap controller *Oct 21 21:22:53.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: peer_port: 5246 *Oct 21 21:22:54.343: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: peer_port: 5246 *Oct 21 21:22:54.344: %CAPWAP-5-SENDJOIN: sending Join Request to Be sure to ask the CA administrator to revoke your certificates. No enrollment sessions are currently active. *Oct 21 21:22:54.348: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination. *Oct 21 21:22:54.348: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5. *Oct 21 21:22:54.348: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller *Oct 21 21:22:54.348: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from *Oct 21 21:22:54.573: %DTLS-5-ALERT: Received WARNING : Close notify alert from *Oct 21 21:22:54.574: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to *Oct 21 21:22:54.642: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255 The error from the 1250 is: *Oct 21 21:31:26.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: peer_port: 5246 *Oct 21 21:31:26.000: %CAPWAP-5-CHANGED: CAPWAP changed state to *Oct 21 21:31:26.019: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed *Oct 21 21:31:26.019: %CAPWAP-3-ERRORLOG: Certificate verification failed! *Oct 21 21:31:26.019: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:352 Certificate verified failed! *Oct 21 21:31:26.019: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: *Oct 21 21:31:26.019: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to *Oct 21 21:31:26.019: %DTLS-3-BAD_RECORD: Erroneous record received from Malformed Certificate *Oct 21 21:31:26.019: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to *Oct 21 21:31:26.019: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination. *Oct 21 21:31:32.139: %CDP_PD-4-POWER_OK: 15.4 W power - NON_CISCO-NO_CDP_RECEIVED inline power source *Oct 21 21:31:32.167: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up *Oct 21 21:31:32.195: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up *Oct 21 21:31:33.147: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up *Oct 21 21:31:33.175: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up I have disabled the hash from the vWLC side but that still has not sorted the problem.

I assume you have tried to factory reset the AP already, if not, try it. Also, try the following commands 'test capwap erase' 'test capwap restart'

Hi, I have some problems with dhcp.I have vWLC. My ap joined to the controller. Clients connected, but cannot receive ip address. I know, what are exist some methods of receive address, with DHCP Proxy Mode and without, then you just need to prescribe ip helper-address on int vlan. I try both of them, but nothing helps. Do you have any idea about it?

Some basic troubleshooting includs making sure your user VLAN is configured properly on the vSwitch and also allowed on switchport trunk. Verify that you see user MAC address on the user VLAN of the port facing vWLC. Turn off DHCP proxy and run DHCP debug on the DGW switch and hopefully you would see DHCP request packet.

Thanks for response. I changed my scheme and dhcp was working. But I have another issue, then change to FlexConnect Local Switching on WLAN- my client cannot access to network. So, the question how it works if I have different networks on switch where connected AP and on controller side, and they haven't L2 connectivity.

When you do FlexConnect local switching, you need to make sure you configure SSID to VLAN mapping correctly on the AP. If you plan to use multiple VLAN, the switchport need to be configured as a trunk port with matching native VLAN number as the AP. The AP and controller do not need to share the same VLAN number

Thanks again. But, how i understand we need the same net in controller interface and wireless clients. So then we switch off the controller, clients lose the connectivity to controller interface.. and how it's work?

In FlexConnect mode, you do not need to have a controller interface that matches the client local VLAN since once the traffic are mapped from SSID to the VLAN and leaves the AP, it gets routed locally and those data traffic will never hit the controller. Only the control traffic are communicated between AP and conterller. Also if the controller goes down, wireless client traffic should continue to flow normally as long as the client do not need to reauthenticate, which requirs the controller participation.

Hi, But as I see, in video on youtube, you had the same network - clients(, ap( and interface controller(

FlexConnect AP can run either Central switching or Local switching per SSID. In most of our videos, the SSID uses Central switching which requires WLC to have an interface that user data traffic is mapped to. On contrary, if the SSID runs Local switching, the corresponding interface on WLC is not necessary but instead you do SSID to VLAN mapping to map user data traffic to the VLAN available on the switch the AP is connected to. Since our lab setup is very simple, we keep WLC, user, and AP on the same VLAN while in actuality, the AP can be anywhere in the network as long as it can reach the WLC.

AP version : c1130-k9w8-mx.124-25e.JAP10 *Jun 14 09:21:36.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: peer_port: 5246 *Jun 14 09:21:37.019: Failed to get CF_CERT_ISSUER_NAME_DECODEDPeer certificate verification failed 000B *Jun 14 09:21:37.023: %CAPWAP-3-ERRORLOG: Certificate verification failed! *Jun 14 09:21:37.023: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:447 Certificate verified failed! *Jun 14 09:21:37.023: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to *Jun 14 09:21:37.024: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to *Jun 14 09:21:37.024: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination. *Jun 14 09:22:41.000: %CAPWAP-3-ERRORLOG: Go join a capwap controller *Jun 14 09:21:36.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: peer_port: 5246 *Jun 14 09:21:36.022: Failed to get CF_CERT_ISSUER_NAME_DECODEDPeer certificate verification failed 000B *Jun 14 09:21:36.026: %CAPWAP-3-ERRORLOG: Certificate verification failed! *Jun 14 09:21:36.026: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:447 Certificate verified failed! *Jun 14 09:21:36.026: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to *Jun 14 09:21:36.027: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to *Jun 14 09:21:36.028: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination note : i tried to clear capwap private and cleae lwapp private and reload but didn't work i tried to test capwap restart and test capwap erase also didn't work

Do you have another AP both same or different model that can join? Can you also check time synchronization on WLc and AP?

no i don't have other AP and there is no AP joined to WLC , and i check time Sync. i there specific way to check time sync between AP and WLC and how can i be sure the time is synchronized between both ?

Any chance you have gone through this post?

Lab Minutes Classifieds