cAP ax does not find CAPsMAN and gets no config

Hello,

I have a problem provisioning my cAP ax with CAPsMAN.
Screenshot 2023-10-22 005946.png
I started the cAP ax normally and installed the latest OS: 7.11.2
Screenshot 2023-10-22 005532.png
In a second step I reset the cAP ax to CAPS mode
Screenshot 2023-10-22 005735.png
I get an IP address from my router and can also ping it.

My router is an RB5009 with a bridge and 4 configured VLANs.
Screenshot 2023-10-22 010114.png
The CAPsMAN is configured on all interfaces
Screenshot 2023-10-22 010223.png
And the firewall is turned off for troubleshooting:
Screenshot 2023-10-22 010341.png
My router config is also included at the end.

I hope someone can help me solve the issue, or the design mistake on my part :slight_smile:

Thanks


# 2023-10-21 22:21:13 by RouterOS 7.11.2
#
# model = RB5009UG+S+
# Legacy CAPsMAN (/caps-man) master configuration "cfg1": AP mode, WPA2-PSK with
# AES-CCM, SSID "WiFi". Per the replies further down, the cAP ax only works with
# the wifiwave2 CAPsMAN, so this menu does not provision it.
# NOTE(review): no passphrase appears in this export - presumably omitted as a
# sensitive value; confirm a strong one is actually set.
/caps-man configuration
add country=austria distance=indoors installation=indoor mode=ap name=\
    cfg1 security.authentication-types=wpa2-psk .encryption=aes-ccm \
    ssid=WiFi
# Single VLAN-filtering bridge. frame-types=admit-only-vlan-tagged applies to the
# bridge (CPU) port itself, so the router only accepts tagged frames on it.
/interface bridge
add admin-mac=78:9A:18:02:C2:E6 auto-mac=no frame-types=\
    admit-only-vlan-tagged name=bridge vlan-filtering=yes
# Rename the physical ports after their intended role (WAN, out-of-band
# management, per-VLAN access ports, bonding members, SFP+ trunk).
/interface ethernet
set [ find default-name=ether1 ] name=ether1-pppoe
set [ find default-name=ether2 ] name=ether2-mac-winbox
set [ find default-name=ether3 ] name=ether3-vlan-216-dmz
set [ find default-name=ether4 ] name=ether4-vlan-217-mgmt
set [ find default-name=ether5 ] name=ether5-vlan-218-inside
set [ find default-name=ether6 ] name=ether6-test
set [ find default-name=ether7 ] name=ether7-bonding1
set [ find default-name=ether8 ] name=ether8-bonding1
set [ find default-name=sfp-sfpplus1 ] name=sfp1-trunk
# Layer-3 VLAN interfaces on top of the bridge (VLAN IDs 1 and 216-219).
/interface vlan
add interface=bridge name=vlan-1-default vlan-id=1
add interface=bridge name=vlan-216-dmz vlan-id=216
add interface=bridge name=vlan-217-mgmt vlan-id=217
add interface=bridge name=vlan-218-inside vlan-id=218
add interface=bridge name=vlan-219-domain vlan-id=219
# LACP (802.3ad) bond of ether7 and ether8.
/interface bonding
add mode=802.3ad name=bonding1-trunk slaves=ether7-bonding1,ether8-bonding1
# Interface lists referenced by the firewall rules, NAT and the MAC server below.
/interface list
add comment="contains the interfaces to the internet" name=WAN
add comment="contains all interfaces for intranet" name=LAN
# Default legacy wireless security profile; only the supplicant identity is set.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Custom DHCP options: code 119 (named domain-search) and code 43 (named
# disable-netbios). They are attached to the dmz, mgmt and inside networks in
# /ip dhcp-server network.
/ip dhcp-server option
add code=119 name=domain-search value="0x03'dmz'0x09'schloff'0x02'co'0x0004'\
    mgmt'0xC00406'inside'0xC00406'domain'0xC004"
add code=43 name=disable-netbios value=0x010400000002
# One address pool per VLAN.
# NOTE(review): pool-domain is defined but no DHCP server in this export uses it.
/ip pool
add name=pool-dmz ranges=172.27.216.65-172.27.216.126
add name=pool-mgmt ranges=172.27.217.129-172.27.217.199
add name=pool-inside ranges=172.27.218.65-172.27.218.126
add name=pool-domain ranges=172.27.219.65-172.27.219.126
add name=pool-default ranges=172.27.1.65-172.27.1.126
# DHCP servers bound to the VLAN interfaces (none on vlan-219-domain).
/ip dhcp-server
add address-pool=pool-mgmt interface=vlan-217-mgmt name=mgmt
add address-pool=pool-dmz interface=vlan-216-dmz name=dmz
add address-pool=pool-inside interface=vlan-218-inside name=inside
add address-pool=pool-default interface=vlan-1-default name=default
# Enable the legacy CAPsMAN manager with automatically generated CA and
# certificate.
# NOTE(review): require-peer-certificate is not set in this export, so CAPs are
# presumably not required to present a certificate - confirm. The post states the
# manager listens on all interfaces; with the input firewall disabled (see
# /ip firewall filter) that would include the WAN port - verify and restrict.
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
# Provisioning rule with no match criteria shown: any CAP that connects gets
# dynamic, enabled interfaces using cfg1.
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg1
# Bridge ports. ether3/4/5 are access ports: untagged frames only, mapped to
# VLAN 216/217/218 through pvid. ether6-test, bonding1-trunk and sfp1-trunk are
# added without frame-types or pvid, so they keep the defaults.
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3-vlan-216-dmz pvid=216
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4-vlan-217-mgmt pvid=217
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5-vlan-218-inside pvid=218
add bridge=bridge interface=ether6-test
add bridge=bridge interface=bonding1-trunk
add bridge=bridge interface=sfp1-trunk
# Neighbor discovery runs on every interface.
# NOTE(review): "all" includes ether1-pppoe (WAN), so the router presumably
# announces itself upstream as well - consider limiting this to LAN.
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes
# VLAN table: the bridge (CPU port) and both trunks carry VLANs 1 and 216-218
# tagged.
# NOTE(review): for VLAN 219 sfp1-trunk is listed as untagged, but its pvid is
# not set to 219 in /interface bridge port - confirm this is intended.
/interface bridge vlan
add bridge=bridge tagged=bridge,bonding1-trunk,sfp1-trunk vlan-ids=216
add bridge=bridge tagged=bridge,bonding1-trunk,sfp1-trunk vlan-ids=217
add bridge=bridge tagged=bridge,bonding1-trunk,sfp1-trunk vlan-ids=218
add bridge=bridge tagged=bridge,bonding1-trunk untagged=sfp1-trunk vlan-ids=\
    219
add bridge=bridge tagged=bridge,bonding1-trunk,sfp1-trunk vlan-ids=1
# Interface list membership used by the firewall, NAT and the MAC server.
# NOTE(review): only "bridge" and ether2-mac-winbox are in LAN; the vlan-*
# interfaces that hold the IP addresses are not. Once the input rule
# "drop all not coming from LAN!" is re-enabled, traffic arriving on those VLAN
# interfaces (including CAP traffic) would presumably not match LAN - verify.
/interface list member
add interface=bridge list=LAN
add interface=ether1-pppoe list=WAN
add interface=ether2-mac-winbox list=LAN
# Router addresses on the VLAN interfaces (vlan-219-domain has no address in
# this export).
/ip address
add address=172.27.217.254/25 interface=vlan-217-mgmt network=172.27.217.128
add address=172.27.216.254/24 interface=vlan-216-dmz network=172.27.216.0
add address=172.27.218.254/24 interface=vlan-218-inside network=172.27.218.0
add address=172.27.1.254/24 interface=vlan-1-default network=172.27.1.0
# WAN side: DHCP client on ether1-pppoe, ignoring the DNS and NTP servers offered
# by the upstream peer.
/ip dhcp-client
add interface=ether1-pppoe use-peer-dns=no use-peer-ntp=no
# Per-network DHCP parameters. Only 172.27.1.0/24 carries caps-manager, so only
# DHCP clients on that network are handed the CAPsMAN address 172.27.1.254.
/ip dhcp-server network
add address=172.27.1.0/24 caps-manager=172.27.1.254 dns-server=172.27.1.254 \
    gateway=172.27.1.254
add address=172.27.216.0/24 dhcp-option=domain-search,disable-netbios \
    dns-server=172.27.216.254 domain=dmz.schloff.co gateway=172.27.216.254
add address=172.27.217.128/25 dhcp-option=domain-search,disable-netbios \
    dns-server=172.27.217.254 domain=mgmt.schloff.co gateway=172.27.217.254
add address=172.27.218.0/24 dhcp-option=domain-search,disable-netbios \
    dns-server=172.27.218.254 domain=inside.schloff.co gateway=\
    172.27.218.254
# The router resolves through DoH with certificate verification and answers DNS
# queries from clients (allow-remote-requests=yes).
# NOTE(review): with every input filter rule disabled below, the resolver is
# presumably reachable from the WAN port too - re-enable filtering before leaving
# this in place.
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query \
    verify-doh-cert=yes
# Filter rules for the input and forward chains. Every rule below carries
# disabled=yes (the post says the firewall is off for troubleshooting), so in
# this state nothing is filtered: traffic to the router and traffic routed
# through it, including from WAN, is accepted by default.
# NOTE(review): re-enable these rules once CAPsMAN is working.
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked!" \
    connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="drop invalid!" connection-state=invalid \
    disabled=yes
add action=accept chain=input comment="accept ICMP!" disabled=yes protocol=\
    icmp
add action=accept chain=input comment=\
    "accept to local loopback (for CAPsMAN)!" disabled=yes dst-address=\
    127.0.0.1
# NOTE(review): this rule matches on in-interface-list=!LAN, and LAN contains
# "bridge" and ether2-mac-winbox but none of the vlan-* interfaces - check the
# list membership before enabling it.
add action=drop chain=input comment="drop all not coming from LAN!" disabled=\
    yes in-interface-list=!LAN
add action=accept chain=forward comment="accept in ipsec policy!" disabled=\
    yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy!" disabled=\
    yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack! \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "accept established,related, untracked!" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="drop invalid!" connection-state=\
    invalid disabled=yes
add action=drop chain=forward comment="drop all from WAN not DSTNATed!" \
    connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface-list=WAN
# Source NAT towards WAN is the only firewall rule still active in this export.
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade! ipsec-policy=out,none \
    out-interface-list=WAN
/system identity
set name=fw
# Extra logging rule for the debug topic.
# NOTE(review): presumably added for this troubleshooting session; debug output
# is verbose, so remove the rule afterwards.
/system logging
add topics=debug
/system note
set show-at-login=no
# The router syncs its clock from the two NIST servers below and also acts as an
# NTP server.
# NOTE(review): with the input filter rules disabled, the NTP server is
# presumably reachable on every interface, WAN included - verify.
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=time-a-b.nist.gov
add address=time-a-g.nist.gov
# MAC server access is limited to the LAN interface list.
# NOTE(review): mac-winbox has its own allowed-interface-list, which does not
# appear in this export - confirm it is restricted as well.
/tool mac-server
set allowed-interface-list=LAN

At this point we may be more interested in the caps config …
Because that log shows it can not find capsman.
And time/date stay horribly wrong as well.
Definitely not correct.

So my first look would be to that device.

This is what a normal log looks like for a cAP ax in CAPS mode after reboot.
(obviously I don’t have debug on …)

[xyz@AP01-vergaderzaalboven] /log> print
09:42:46 system,info router rebooted
09:42:57 interface,info ether1 link up (speed 1G, full duplex)
09:42:58 dhcp,info dhcp-client on bridgeLocal got IP address 150.227.113.221
09:43:02 caps,info selected CAPsMAN RB5009_KT@
09:43:03 caps,info connected to RB5009_KT@
09:43:06 system,info,account user admin logged in by romon via winbox
11:43:43 system,critical,info ntp change time Oct/22/2023 11:43:24 => Oct/22/2023 11:43:43
11:44:47 system,info,account user admin logged in from 10.255.250.1 via local

You are running the “old” CAPsMAN while the cAP ax only supports the wifiwave2 CAPsMAN. There is no backward compatibility, and it will never come (I think I read that).

You will need to install wifiwave2 on the RB5009 and configure it from there:
https://help.mikrotik.com/docs/display/ROS/WifiWave2#WifiWave2-WifiWave2CAPsMAN

Dang ! Totally missed that …

Thanks for this information, now I am on WifiWave2 and CAPsMAN :slight_smile:


Now I have also installed the wifiwave2.npk on the router :slight_smile:

Thanks for the information; after installing wifiwave2, the cAP ax gets a connection and config.