topic Re: Access point doesn't join the controller in Wireless

Access point doesn't join the controller

shamik — Thu, 30 May 2024 08:10:10 GMT

After resetting the Access point AIR-CAP1602E-E-K9

It doesn't join the controller Cisco 2500

These are the logs from Console of the AP

*May 30 10:03:21.999: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*May 30 10:02:17.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.10.50 peer_port: 5246
*May 30 10:02:17.275: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 172.16.10.50
*May 30 10:02:17.275: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*May 30 10:02:17.275: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.10.50:5246
*May 30 10:02:17.275: %CAPWAP-3-ERRORLOG: Invalid event 40 & state 3 combination.

Re: Access point doesn't join the controller

Leo Laohoo — Thu, 30 May 2024 09:35:11 GMT

FN63942 - Wireless Lightweight Access Points and WLAN Controllers Fail to Create CAPWAP Connections Due to Certificate Expiration

FN72524 - During Software Upgrade/Downgrade, Cisco IOS APs Might Remain in Downloading State After December 4, 2022 Due to Certificate Expiration

Re: Access point doesn't join the controller

Rich R — Thu, 30 May 2024 14:46:33 GMT

Upgrade the controller to 8.5.182.11 software (link below) and follow the procedures detailed in the field notices which Leo linked and below in my signature.

The first thing you'll have to do is disable NTP and set the date back to before the certificate(s) expired (could be AP and WLC certs expired) - that will let the AP join again. Then upgrade the software and apply the additional config to WLC from (config ap cert-expiry-ignore mic enable). Once WLC and AP software have been upgraded and new config applied to WLC and updated to AP then you can re-enable NTP.

Re: Access point doesn't join the controller

shamik — Tue, 04 Jun 2024 06:52:28 GMT

I cannot upgrade my cisco WLC 2500 which is running 8.2.100.0, as I don't have any support contract active.

And I have 46 AP's currently working which is connected to the WLC,

AP Models connected are - AIR-CAP1602E-E-K9, AIR-AP1852I-E-K9, AIR-AP1852E-E-K9

Re: Access point doesn't join the controller

Mark Elsen — Tue, 04 Jun 2024 07:00:36 GMT

>...I cannot upgrade my cisco WLC 2500 which is running 8.2.100.0, as I don't have any support contract active.
- Then the only thing you can do is disable NTP and set the controller time backwards.

Re: Access point doesn't join the controller

Rich R — Mon, 17 Jun 2024 13:58:27 GMT

Find a recent security advisory that affects 8.5 code and find the section which says "Customers without Contracts" then email TAC (don't phone). You must quote the URL of the advisory, the paragraph just mentioned and the version and URL https://software.cisco.com/download/specialrelease/9a6a7cf84f9fdf04b95c76e2ac7820e7 for the software you want to download and the serial number of your WLC. You'll have to mention which platform you need it for (2504) because they have all of them there at that URL. Then TAC should publish the software to you directly.

This advisory should be suitable: Cisco Wireless LAN Controller AireOS Software FIPS Mode Denial of Service Vulnerability because CSCwa40778 : Bug Search Tool (cisco.com) is fixed in 8.5.182.12. (even though the advisory itself says upgrade to 8.10)

"Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade."