Table of Contents

How CAPWAP works in HiveOS and how to debug issues

CAPWAP - Control And Provisioning of Wireless Access Points

When your Access Point get disconnected from HiveManager (both Classic or NG), you have to check few basic stuff before going into a deep debug.

show capwap client

CAPWAP client:   Enabled
CAPWAP transport mode:  UDP
RUN state: Connected securely to the CAPWAP server
CAPWAP client IP:
CAPWAP server IP:
HiveManager Primary
HiveManager Backup Name:
CAPWAP Default Server Name:
Virtual HiveManager Name: VHM-IKILYXPE
Server destination Port: 12222
CAPWAP send event:       Enabled
CAPWAP DTLS state:       Enabled
CAPWAP DTLS negotiation: Disabled
     DTLS next connect status:   Enable
     DTLS always accept bootstrap passphrase: Enabled
     DTLS session status: Connected
     DTLS key type: passphrase
     DTLS session cut interval:     5 seconds
     DTLS handshake wait interval: 60 seconds
     DTLS Max retry count:          3
     DTLS authorize failed:         0
     DTLS reconnect count:          0
Discovery interval:      5 seconds
Heartbeat interval:     30 seconds
Max discovery interval: 10 seconds
Neighbor dead interval:105 seconds
Silent interval:        15 seconds
Wait join interval:     60 seconds
Discovery count:         0
Max discovery count:     3
Retransmit count:        0
Max retransmit count:    2
Primary server tries:    0
Backup server tries:     0
Keepalives lost/sent:    4/2835
Event packet drop due to buffer shortage: 0
Event packet drop due to loss connection: 4

Sometime is better to have all the counters cleared:

clear capwap client counter

In the output message, you can easily recognize

Your Access Point IP

CAPWAP client IP:

The reverse IP address of CAPWAP server

CAPWAP server IP:

The FQDN of your assigned CAPWAP server

HiveManager Primary

and the FQDN of your assigned CAPWAP backup server

HiveManager Backup Name:

and also the FQDN of your default redirector server

CAPWAP Default Server Name:

If you’ve accidentally shutdown the CAPWAP client, you should have a RED led on your AP and the “Disabled” status on your output. Normal state is, of course, enabled:

CAPWAP client: Enabled

Depending on what the Access Point discovered in the boot phase, the CAPWAP transport could be UDP or HTTP over TCP. The default mode id UDP:

CAPWAP transport mode: UDP

if your firewall is blocking UPD/12222 (this is the RFC port/proto used for CAPWAP), you can manually force the HTTP transport over TCP:

capwap client transport HTTP

Now, if your Access Point is still with RED led status, check the default networking settings: your management interface !

show interface mgt0

Admin state=enabled; Operational state=up;
DHCP client=disabled;
Default IP subnet=;
IP addr=; Netmask=; Default Gateway:;
IPV6 address autoconfig enable
IPV6 link local addr=fe80::9e5d:12ff:fe5b:32c0/64
VLAN id=1;  Native vlan id=1;
MAC addr=9c5d:125b:32c0; MTU=1500;
Rx packets=24189; errors=0; dropped=0;
Tx packets=15452; errors=0; dropped=0;
Rx bytes=4902310 (4.675 MB); Tx bytes=4149386 (3.957 MB);

you should at least reach your default gateway ( in my case) and, before call the security team, ensure your DNS is working too!


PING ( 56(84) bytes of data.

if you’re not able to resolve any FQDN, well, you found the problem. Probably just need to add manually the DNS server ip address:

dns server-ip

but, if your access point is in DHCP mode, you have to check the networking settings:

show interface mgt0 dhcp client

HM=HiveManager; SLS=system log server;

DHCP client: Enabled
Timeout for applying static IP or default IP: 20 secs
State: Network configuration received; Get IP address from the server; Relay agent
Lease time: 600 seconds; VLAN: 1
Duration time: 299 seconds

Get options from server:
Netmask (option number 1):
Router (option number 3):
DNS server (option number 6):
Log server (option number 7):
DNS domain (option number 15): local.lan
NTP server (option number 42):
HM string (option 43 suboption 225):
HM IP (option 43 suboption 226):
SLS string (option 43 suboption 227):
SLS IP (option 43 suboption 228):
PPSK server IP (option 43 suboption 229):
RADIUS server IP (option 43 suboption 230):
RADIUS accounting server IP (option 43 suboption 231):
Backup HM string (option 43 suboption 232):
Backup HM IP (option 43 suboption 233):

If the networking layer is fully working, probably it’s better to check for any interface errors

show interface mgt0 | include errors

Rx packets=25184; errors=0; dropped=0;
Tx packets=16118; errors=0; dropped=0;

show interface eth0 | include errors

Rx packets=10384584; errors=0; dropped=0;
Tx packets= 8443112; errors=0; dropped=0;

If CAPWAP is working as expected, you should have 0 CAPWAP packet lost:

show capwap client | include Keepalives
Keepalives lost/sent: 0/3253

Sometime you need to re-initialize the CAPWAP process, starting from the beginning, but instead do a reset config (factory default of the device) you can clear the actual capwap session with:

no capwap client server enable
no capwap client server name
no capwap client server backup name
no capwap client vhm-name
no capwap client transport 

and re-enable the client:

capwap client server enable

Communication between Aerohive access devices such as APs and HiveManager uses three types of channels or protocols:


CAPWAP and HTTPS are predominantly used for most transfers (SCP is no longer used in NG).

Aerohive devices send a keep alive message every 30 seconds to HiveManager over CAPWAP. CAPWAP is also used for sending network management commands, client connection events and AP status events. APs indicate the availability of statistical data files to HM based on report sampling intervals. HiveManager queries reporting data once every 30 minutes for client and AP level statistics (default).

If everything is working as expected, you should be able to performa a capwap ping to your server

capwap ping

CAPWAP ping parameters:
    Destination server: (
    Destination port: 12222
    Count: 5
    Size: 56(82) bytes
    Timeout: 5 seconds
CAPWAP ping result:
    82 bytes from udp port 12222: seq=1 time=51.939 ms
    82 bytes from udp port 12222: seq=2 time=47.258 ms
    82 bytes from udp port 12222: seq=3 time=47.393 ms
    82 bytes from udp port 12222: seq=4 time=47.400 ms
    82 bytes from udp port 12222: seq=5 time=49.844 ms
    ------- CAPWAP ping statistics -------
    5 packets transmitted, 5 received, 0.00% packet loss, time 5282.97ms
    rtt min/avg/max = 47.258/48.766/51.939 ms

Be aware: CAPWAP ping is not ICMP !

    ping              Perform a CAPWAP ping (Note: A CAPWAP ping does not use
                      ICMP echo requests, but UDP packets similar to those
                      used for CAPWAP heartbeats.)

If you see something different in the log (show log buffer | include capwap) like:

capwap: CAPWAP:Exit current DTLS connect!
capwap: CAPWAP_HM:Ready connecting to HM
capwap: CAPWAP_HM:use broadcast, ip=, port=12222
capwap: CAPWAP_HM:get capwap server ip ( for name (
capwap: CAPWAP_HM:can not find the ip address of hostname  (hivemanager),reason:Unknown host
capwap: CAPWAP_HM:user doesn't config primary and backup HM's name,use fixed server name and pre-defined server name to try
capwap: CAPWAP_HM:get hivemanager name from scd (first:, second:).
capwap: CAPWAP_HM:Choose HM IP or name for connecting....
capwap: CAPWAP: capwap predefine server name file isn't exist.
capwap: CAPWAP: capwap client doesn't receive echo packet 2 times, CAPWAP client reconnect
capwap: CAPWAP: capwap client reconnect because the neighbor dead interval elapsed during the previous CAPWAP session (reason id: 1006)
capwap: CAPWAP: capwap client doesn't receive echo packet 2 times
capwap: CAPWAP: capwap client doesn't receive echo packet 1 times

it means that there isn’t the Serial Number in the global Aerohive redirector.

If you need to manually add the Access Point into a specific instance or into a specific HiveManager, you can easly configure through the local https instance or through the CLI:

capwap client server name YOUR-HIVEMANAGER-FQDN-HERE
capwap client vhm-name VHM-NAME-HERE

Just use question mark after the command to get help as usual (capwap client ?)

My last advice for the capwap debug: remove any DPI (Deep Packet Inspection) rule, SSL inspection, SSL Control, HTTPS proxy/reverse proxy/manipulation and so on…DTLS (Datagram Transport Layer Security) is VERY susceptible!

—– TO BE CONTINUED: proxy config, deep debug, throubleshooting, transport ….stay tuned
Enjoy capwap!