Cisco WLC Firmware 7.4 bug prevents clients from roaming between Flexconnect Access Points

Recently I deployed a Cisco Wireless LAN Controller (WLC) with Cisco Aironet 2600i Access Points configured for FlexConnect local switching. During roaming tests with a MacBook Pro, the client could roam between access points just fine; however, with an HP laptop or an iPhone (and numerous other devices), the connection was lost when the client roamed to another access point.

Since the 2600 series access points require at least WLC firmware 7.4, I was using the latest firmware available at that time, 7.4.100.

After diving into the log messages on the controller, I saw the following messages appear frequently:

#CAPWAP-3-SEM_RELEASE_ERR: capwap_ac_db.c:106 The system could not release exclusive access of AP entry for aa:bb:cc:dd:ee:ff in the database

and

#LWAPP-3-VENDOR_SPEC_ERR: spam_lrad.c:12845 The system has failed decoding vendor specific payload

It seems this is a bug in the firmware. I found this thread, which led me to the following bug ID (not publicly viewable at the moment)

Resolution

Howto Configure a Wireless Mesh Network using a Cisco Wireless LAN Controller (WLC)

In this howto I want to show you how to create a wireless mesh network using Cisco APs and a Cisco Wireless LAN Controller. In this example I use a Cisco WLC with firmware 7.4 and Cisco 2600 series access points.

Some mesh terminology first. When configuring a mesh network you can configure your access points in one of two AP modes: Roof-Top AP (often called Root AP, or RAP) or Mesh AP (MAP). The RAP is the only access point with a wired connection to the LAN. The MAPs connect to other MAPs or to the RAP over a wireless backhaul. In this example the 5 GHz radio is used for the backhaul. The backhaul is always encrypted with AES. The 2.4 GHz radio is used to serve wireless end users.

Second, configure your WLC the way you normally would: connect all access points to the LAN, create a WLAN, and verify that the APs have joined the controller by logging in to the controller with a browser and navigating to the Wireless tab. You should see your access points here.

Now, let’s take a look at the steps needed for configuration of the wireless mesh network:

1. Configure AP Authentication:

If you skip this step and set up your access points as bridges, they will not come back online. AP authentication is configured by adding the MAC addresses of the APs to the controller’s database. This can be done in two ways:


Cisco 1600 / 2600 / 3600 AP: Convert Lightweight IOS to Autonomous IOS

While the above seems rather easy to do using previously available methods, I ran into a problem when trying to convert a lightweight 2600 AP to autonomous mode. On the 1142 platform, I used the following commands:

debug capwap console cli
debug capwap client no-reload
archive download-sw /overwrite tftp://x.x.x.x/c1140-k9w8-tar.152-2.JA.tar

However, when using the same trick on a 2600 AP, it resets the BVI1 interface to DHCP in the middle of the firmware download, cancelling the download:

Premature end of tar file
ERROR: Problem extracting files from archive.
Download image failed, notify controller!!! From:7.4.1.37 to 7.4.1.37, FailureCode:3

The procedure to convert the AP to autonomous mode is as follows:

  • Restart the Access Point
  • While it loads the image from flash, press Escape; you’ll enter ROMMON mode:
The system boot has been aborted. The following
commands will finish loading the operating system
software:

ether_init
tftp_init
boot
  • Set the IP address for the Gigabit 0 interface:
ap: set IP_ADDR 10.0.2.1
ap: set netmask 255.255.255.0

Outlook 2007 Errors when setting Full Access Permissions incorrectly

Last week I was at a customer site where Outlook 2007 clients started to behave strangely when connected to a Microsoft Exchange 2010 SP2 environment. The symptoms included, but were not limited to, the following:

  • Task list did not display
  • Not able to search in mailbox
  • Duplicate results when searching the mailbox
  • No reminders
  • Synchronization Problems
  • Error: “There was a problem reading one or more of your reminders. Some reminders may not appear. Cannot locate recurrence info for this appointment.”
  • When clicking the folder list in Outlook 2007, the mailbox was visible twice.

It seems this issue has to do with incorrect permissions on the user’s mailbox. Exchange uses the NT AUTHORITY\SELF entry to give users permission to their own mailbox. However, in this environment the mailbox owner’s user account was also added to the permission list explicitly, which resulted in duplicate permissions and the accompanying errors.


Lync 2010 Mobility Error: Can’t verify the certificate from the server. Please contact your support team


With the Lync 2010 mobility add-on out in the wild for quite some time now, I see an issue come up in almost every deployment: internal Wi-Fi clients.

This article explains the certificate error that can appear if your environment is incorrectly configured. Use this article by Lync MVP Jeff Schertz if you haven’t configured your Lync environment for mobility yet.

Introduction

While external desktop clients need both the Lync 2010 Edge server and a Forefront server in the DMZ, the Lync 2010 mobility add-on is designed to work via the reverse proxy only (Forefront TMG is used in this article). While this seems logical for external clients, internal clients should use the Forefront server as well to reach the mobility website. So if you have iPhone or iPad clients on the internal Wi-Fi network, some adjustments have to be made to your Lync deployment.

This article uses a simple setup to explain the issue; however, the same problem can exist if your setup has the Lync roles split across multiple servers. This article uses an infrastructure with the following features:

  • Simple Lync environment with 1 internal server, 1 edge server and 1 forefront server.
  • Split brain DNS configured.

Internal mobile clients connect to a lync environment as follows:

Lync Mobility Overview (image source: Technet)

  • The internal employee logs on using the Lync 2010 mobile client (e.g. Lync for iOS).
  • The client looks for the lyncdiscoverinternal.company.com DNS record. In most deployments, split brain DNS is configured, so your public DNS zone is also configured in the internal DNS environment.
  • The lyncdiscoverinternal record points to your Forefront server, which in turn redirects you to the internal site on your Lync server (on port 443).
  • Here, the client downloads a file with information about the autodiscover configuration, which tells it where to find the external Lync site.
  • You are now redirected to the external site on the Lync server (on port 4443).

Forefront Setup

Exchange 2013 – Howto Configure Offline Outlook Web App (OWA)

As you may have read, Exchange 2013 offers an option to let your users use Outlook Web App (OWA) when they are not connected to the network. Yes, as in disconnected from any network. This article focuses on the configuration of offline OWA and what the client experience looks like.

The Client Experience

With Exchange 2013 configured for OWA out of the box, without any additional configuration on the Exchange side, every user can set up his or her Outlook Web App for offline use. This is achieved by the following process:

  • Logon to OWA using the normal procedure
  • Click the gear icon in the upper-right corner and select “Use Mail Offline”


  • OWA will ask whether you’re the only user of this computer, since your mail will be saved on it.

Howto Configure Exchange 2013 Client Access

This article covers the configuration of the Exchange 2013 Client Access role. I’d like to keep the internal and external URLs the same for the sake of simplicity; an added advantage is that you can use a single certificate on the inside and the outside.

The hostname for the front-end server in the examples below is “MX01”. Replace this value with the name of the Exchange 2013 front-end server in your environment. The public namespace in the examples below is “techdom.nl”. Adjust the public namespace to match the one you use in your environment.

Configuring Internal DNS

To make the external namespace available on the internal LAN, open a Remote Desktop connection to your AD / DNS server and start the DNS management console.

  • Create a new forward lookup zone by right-clicking “Forward Lookup Zone” and choosing “New Zone…”
  • Click Next, select Primary zone and choose to store the zone in Active Directory.
  • Click Next, select the option “To all DNS servers running on domain controllers in this domain” and click Next. This option replicates the newly created zone to all DNS servers within the domain.
  • Configure the zone name. In this example I will use “techdom.nl”.
  • Leave the dynamic update type as “Allow only secure dynamic updates” and click Next.
  • Right-click the newly created zone and create a new record by choosing “New Host (A or AAAA)…”


  • Configure the name “webmail” and add the IP address of your Exchange 2013 front-end server.
  • Enable “Create associated pointer (PTR) record” and click “Add Host”.

Exchange 2010 – How to use Calendar Repair to fix missing or corrupted calendar items

Note: While calendar repair was introduced with Exchange 2010, it has been greatly improved in Exchange 2010 SP1 and SP2. This article was written on an Exchange environment with SP2 installed.

When you’re the administrator of an Exchange environment where calendars and ActiveSync are day-to-day business, you’re probably familiar with the following issues:

  • corrupt calendar items
  • disappearing calendar items
  • wrong meeting times
  • calendar items losing their owner
  • calendar items being available in Outlook but not syncing to mobile devices like the iPhone / iPad, or vice versa
  • meeting requests accepted on a mobile device not showing as accepted in Outlook, or vice versa

Exchange 2010 has a great feature on board that can check this calendar madness for you and eventually fix it. All you have to do is enable calendar repair in your environment.

Calendar repair works with a period of time called the “work cycle”. Within this period, the mailbox server has to make sure every mailbox is checked once. So if you configure a work cycle of 7 days, the mailbox server has to make sure all mailboxes are checked once within those 7 days. Besides this, the “work cycle checkpoint” specifies when the queue for the Calendar Repair Assistant is refreshed.

The last thing to configure is the IntervalEndWindow, which specifies the number of days into the future for which calendar items are checked. If this end window is set to 30, the Calendar Repair Assistant checks all calendar items in a mailbox from now until 30 days into the future, counting from the time the process runs.

Please note that the Calendar Repair Assistant takes the current load of the Exchange server into account, making sure calendar repair never disrupts the system’s primary task: servicing clients.

Configuring the Calendar Repair Assistant

Configure the Calendar Repair Assistant with the following cmdlet:


Howto Install Exchange 2013 Using Powershell on Windows Server 2012

Exchange 2013 was released to manufacturing several weeks ago. This article describes how to install the new Exchange and its prerequisites for a multi-role installation on Windows Server 2012. A multi-role installation for Exchange 2013 means having both the Mailbox and Client Access roles on a single server, since these are the only two roles available.

Role Separation

Remember Exchange 2003, where we had just two roles, a front end and a back end? With the all-new Exchange 2013 the various roles available in Exchange 2007 and 2010 are gone; instead, we now have a Mailbox role and a Client Access role at our disposal, which in turn host various services:

Mailbox Role

  • Transport Service
  • Client Access Service
  • Unified Messaging Service
  • Mailbox Service

Client Access Role

  • Front End Transport Service
  • Client Access Front End Service

Setting Up the Prerequisites

  • Fire up a Remote Desktop (or PowerShell) connection to your Exchange server and open the PowerShell console.
  • Install the necessary Windows features with the following command:
Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation
  • After installation, you’ll get a successful exit code saying you need to restart your server to complete the setup:


  • When your server is back from the reboot, download and install the following prerequisite software in this order:

Howto Upgrade Forefront Unified Access Gateway (UAG) to SP3

While most of Microsoft’s products come with an easy procedure to install a service pack that introduces new features and fixes bugs, unfortunately Forefront UAG is not among them. When Forefront UAG is updated using the procedure outlined at http://technet.microsoft.com/library/jj590870, you will lose your configuration. While the article mentions that you should back up your configuration, it doesn’t say you will lose your configuration if you don’t.

Follow the steps below to retain your configuration throughout the upgrade process.

1. Download the following files:

2. Save your backup as follows:

  • Log in to your Forefront UAG server using Remote Desktop
  • Start the Forefront UAG Management Console
  • Choose File, Export and save your configuration to a location of your liking as an XML file.

Please note: while Forefront UAG creates a backup of your configuration every time you activate the configuration, this file cannot be used when you upgrade to SP3. You have to have a backup in the form of an XML file!

3. Install the updates in the following order:
