https://community.cisco.com/t5/wireless/cisco-5508-wireless-lan-controller-upgrade-from-8-0-152-0-to-8-5/m-p/5353677#M287842 <P>Cisco 5508 Wireless LAN Controller (WLC) from Software Version 8.0.x to 8.5.140.0 when legacy Access Points (APs) such as the AIR-CAP3502I-A-K9/AIR-CAP3602I-A-K9/AIR-CAP3702I-A-K9 series fail to register due to expired Manufacturing Installed Certificates (MIC) and DTLS handshake failures.<BR /><BR />Error log:</P><P><SPAN>*Mar&nbsp; 1 00:01:36.347: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.</SPAN></P><P><SPAN>*Dec&nbsp; 2 16:33:45.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.</SPAN></P><P><SPAN>&nbsp;</SPAN><SPAN>*Dec&nbsp; 2 16:33:46.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.111.4.4 peer_port: 5246</SPAN></P><P><SPAN>*Dec&nbsp; 2 16:33:46.235: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed.&nbsp; The certificate (SN: 1C2C8A5900000009D45D) has expired.&nbsp;&nbsp;&nbsp; Validity period ended on 03:08:22 UTC May 10 2023Peer certificate verification failed 001A</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>*Dec&nbsp; 2 16:33:46.235: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:508 Certificate verified failed!</SPAN></P><P><SPAN>*Dec&nbsp; 2 16:33:46.235: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.111.4.4:5246</SPAN></P><P><SPAN>*Dec&nbsp; 2 16:33:46.235: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.111.4.4:5246</SPAN></P><P><BR />Cause:</P><P>Legacy APs ship with MICs that have reached end-of-life (EOL) validity windows. After the WLC upgrade DTLS negotiations enforce certificate checks aligned to SHA-2 requirements, causing CAPWAP DTLS to fail when AP MICs are expired.</P><P>Solution:</P><OL><LI>Backup the current configuration:<BR /><STRONG>GUI → Commands → Upload File → select TFTP/SFTP, server IP, and path.<BR /></STRONG>Save a verified backup.</LI><LI>Reboot the WLC on current code to ensure a clean state:<BR /><STRONG>GUI → Commands → Reboot.</STRONG></LI><LI>Temporarily set the controller date to a year within AP MIC validity (example: 2021):<BR /><STRONG>GUI → Commands → Set Time.<BR /></STRONG>Note: Do not use NTP during this step.</LI><LI>Transfer the 8.5.140.0 image:<BR /><STRONG>GUI → Commands → Download File → choose TFTP/SFTP, server IP, path, and filename. </STRONG></LI><LI>Reboot into 8.5.140.0 and save configuration.</LI><LI>Temporarily ignore MIC certificate expiry for APs:<BR /><STRONG>CLI → WLC&gt; config ap cert-expiry-ignore mic enable</STRONG></LI><LI>Remove/disable NTP servers:<BR /><STRONG>GUI → Controller → NTP → Server → remove entries.</STRONG> This avoids time drift corrections until APs complete join and image negotiation.</LI><LI>Allow 5–10 minutes for APs to boot, download any required image bundles, and register. Monitor join status.</LI></OL><P><BR /><BR /><BR /></P> Wed, 10 Dec 2025 02:25:41 GMT 00un9wsyaSrkvoKmS5d6 2025-12-10T02:25:41Z https://community.cisco.com/t5/wireless/cisco-5508-wireless-lan-controller-upgrade-from-8-0-152-0-to-8-5/m-p/5353677#M287842 <P>Cisco 5508 Wireless LAN Controller (WLC) from Software Version 8.0.x to 8.5.140.0 when legacy Access Points (APs) such as the AIR-CAP3502I-A-K9/AIR-CAP3602I-A-K9/AIR-CAP3702I-A-K9 series fail to register due to expired Manufacturing Installed Certificates (MIC) and DTLS handshake failures.<BR /><BR />Error log:</P><P><SPAN>*Mar&nbsp; 1 00:01:36.347: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.</SPAN></P><P><SPAN>*Dec&nbsp; 2 16:33:45.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.</SPAN></P><P><SPAN>&nbsp;</SPAN><SPAN>*Dec&nbsp; 2 16:33:46.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.111.4.4 peer_port: 5246</SPAN></P><P><SPAN>*Dec&nbsp; 2 16:33:46.235: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed.&nbsp; The certificate (SN: 1C2C8A5900000009D45D) has expired.&nbsp;&nbsp;&nbsp; Validity period ended on 03:08:22 UTC May 10 2023Peer certificate verification failed 001A</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>*Dec&nbsp; 2 16:33:46.235: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:508 Certificate verified failed!</SPAN></P><P><SPAN>*Dec&nbsp; 2 16:33:46.235: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.111.4.4:5246</SPAN></P><P><SPAN>*Dec&nbsp; 2 16:33:46.235: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.111.4.4:5246</SPAN></P><P><BR />Cause:</P><P>Legacy APs ship with MICs that have reached end-of-life (EOL) validity windows. After the WLC upgrade DTLS negotiations enforce certificate checks aligned to SHA-2 requirements, causing CAPWAP DTLS to fail when AP MICs are expired.</P><P>Solution:</P><OL><LI>Backup the current configuration:<BR /><STRONG>GUI → Commands → Upload File → select TFTP/SFTP, server IP, and path.<BR /></STRONG>Save a verified backup.</LI><LI>Reboot the WLC on current code to ensure a clean state:<BR /><STRONG>GUI → Commands → Reboot.</STRONG></LI><LI>Temporarily set the controller date to a year within AP MIC validity (example: 2021):<BR /><STRONG>GUI → Commands → Set Time.<BR /></STRONG>Note: Do not use NTP during this step.</LI><LI>Transfer the 8.5.140.0 image:<BR /><STRONG>GUI → Commands → Download File → choose TFTP/SFTP, server IP, path, and filename. </STRONG></LI><LI>Reboot into 8.5.140.0 and save configuration.</LI><LI>Temporarily ignore MIC certificate expiry for APs:<BR /><STRONG>CLI → WLC&gt; config ap cert-expiry-ignore mic enable</STRONG></LI><LI>Remove/disable NTP servers:<BR /><STRONG>GUI → Controller → NTP → Server → remove entries.</STRONG> This avoids time drift corrections until APs complete join and image negotiation.</LI><LI>Allow 5–10 minutes for APs to boot, download any required image bundles, and register. Monitor join status.</LI></OL><P><BR /><BR /><BR /></P> Wed, 10 Dec 2025 02:25:41 GMT https://community.cisco.com/t5/wireless/cisco-5508-wireless-lan-controller-upgrade-from-8-0-152-0-to-8-5/m-p/5353677#M287842 00un9wsyaSrkvoKmS5d6 2025-12-10T02:25:41Z