CAPWAP Session Establishment/AP Joining Process (Cisco Wireless LAN Controllers) Part 3

Join/Config/Run

After the DTLS session is established successfully, the join and configuration requests and responses follow. Because the session uses the previously negotiated encryption after every ChangeCipherSpec in DTLS, a sniffer trace shows only "DTLS application data", which makes all subsequent packets, such as Join or Configure packets, invisible. Refer also to Figure 4-6, which shows the sniffer trace of a complete CAPWAP session establishment: starting at frame 62, you see only DTLS Application-Data.
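The DTLS record headers stay in cleartext even when the payload is encrypted, so the point where the trace goes dark can be located from the content type and epoch fields alone. The following Python sketch is an added example, not code from the original post or from Cisco; the datagrams are constructed samples (zero-filled bodies stand in for ciphertext), the DTLS 1.0 version value is an assumption, and the function names are hypothetical.

```python
import struct

# DTLS record content types (RFC 6347)
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "Application Data"}
DTLS_HDR = struct.Struct("!BHHHIH")  # type, version, epoch, seq hi16, seq lo32, length (13 bytes)


def dtls_records(udp_payload: bytes):
    """Return (content_type, epoch, sequence, length, readable) per DTLS record in one UDP 5246 payload."""
    if len(udp_payload) < 4:
        raise ValueError("shorter than the CAPWAP preamble")
    # RFC 5415 preamble: low nibble of byte 0 is 1 when a DTLS record follows.
    if udp_payload[0] & 0x0F != 1:
        return []  # plain CAPWAP (for example Discovery), no DTLS records
    out, off = [], 4  # the CAPWAP DTLS header is 4 bytes long
    while off < len(udp_payload):
        if len(udp_payload) - off < DTLS_HDR.size:
            raise ValueError("truncated DTLS record header")
        ctype, _ver, epoch, hi, lo, length = DTLS_HDR.unpack_from(udp_payload, off)
        end = off + DTLS_HDR.size + length
        if end > len(udp_payload):
            raise ValueError("record length runs past the datagram")
        # Epoch 0 is the cleartext handshake; each ChangeCipherSpec bumps the
        # epoch, and records in epoch >= 1 carry ciphertext only.
        name = CONTENT_TYPES.get(ctype, f"Unknown({ctype})")
        out.append((name, epoch, (hi << 32) | lo, length, epoch == 0))
        off = end
    return out


def make_record(ctype, epoch, seq, body, version=0xFEFF):
    """Build one DTLS record (constructed sample data, not a real capture)."""
    return DTLS_HDR.pack(ctype, version, epoch, seq >> 32, seq & 0xFFFFFFFF, len(body)) + body


# Constructed datagrams: end of the handshake, then what would be the Join Request.
CAPWAP_DTLS = b"\x01\x00\x00\x00"
SAMPLE = [
    CAPWAP_DTLS + make_record(20, 0, 5, b"\x01") + make_record(22, 1, 0, bytes(48)),
    CAPWAP_DTLS + make_record(23, 1, 1, bytes(160)),
]

if __name__ == "__main__":
    for n, datagram in enumerate(SAMPLE, 1):
        for ctype, epoch, seq, length, readable in dtls_records(datagram):
            state = "cleartext" if readable else "encrypted"
            print(f"datagram {n}: {ctype:<17} epoch={epoch} seq={seq} len={length} {state}")
```

Everything from the first epoch 1 record onward is reported as encrypted, which is why the Join and Configure exchanges never appear by name in the trace.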

To troubleshoot what is going on inside the DTLS application data tunnel, you have to run debugs on the controller or on the AP. Example 4-2 shows the debug output taken on an AP. From there you see the join request and response and how the AP does an image and configuration verification to make sure it is running the same version of code that resides on the controller and has the most up-to-date configuration.

Example 4-2 Access Point debug capwap client packet Output

The final state that you want all APs to be in is Run. After the AP passes the configuration and version validation, it moves into the Run state so it can start servicing clients.
