Hi Marce,

But i am getting the error as DTLS Issue when the AP's contacting to the controller.

If i am manually upgrading the firmware to 12.4(25e) JA06 then only the AP is able to Join.

Do you have any document that i can refer to upgrade the firmware automatically using DHCP Scope Option or anyway that modifying the controller settings to allow the AP to join overriding the DTLS issue.

Thanks,

Ramesh

Do you have any document that i can refer to upgrade the firmware automatically using DHCP Scope Option or anyway that modifying the controller settings to allow the AP to join overriding the DTLS issue.

You mean DHCP Option 43?  Won't make any difference.  DTLS issue could sometimes have something to do with incorrect country code configured on the WLC or the MIC of the AP has expired.  Console into the AP and post the output to the command "sh crypto ca certificate" as well as the following additional commands: 

NEW WLC:  sh sysinfo; 

NEW WLC:  sh time; and

AP:  sh version

As mentioned by marce, 1130 can join a controller running up to the latest 8.0.110.0 firmware without any issue.  

Hi Leo,

Let me explain the scenario.

I have 2 controllers, 1st is WLC 2106 (Old One SW 6.0.199.4 & IP is 10.1.1.1/24) and 2nd is WLC 5508 (New One SW 8.0.110.0 is 10.2.2.1/24).

I am in the progress of migrating the Cisco Access Points 1131AG ( where acting as LAP ) to join in the new controller.

But the AP always using the old controller ip 10.1.1.1/24 for join to the controller.

But the AP 1131 is getting the IP via DHCP and DHCP option 43 is mentioned in the scope.

At the same time i have new cap2702 ap which is connecting to the new controller without any issues, where both for both the ap's the switch configuration is same.

Below is the output error i am getting,

*Feb  2 12:30:31.000: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for 10.1.1.1 is reached.
*Feb  2 12:31:00.999: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 10.1.1.1:5246
*Feb  2 12:31:01.044: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Feb  2 12:31:01.044: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Feb  2 12:31:01.052: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Feb  2 12:31:01.052: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Feb  2 12:31:01.067: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Feb  2 12:31:01.067: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
*Feb  2 12:31:01.069: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Feb  2 12:31:01.099: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Feb  2 12:31:01.101: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Feb  2 12:31:01.127: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
*Feb  2 12:31:01.128: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Feb  2 12:31:11.067: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Feb  2 12:31:11.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.1.1 peer_port: 5246
*Feb  2 12:31:11.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Feb  2 12:31:41.000: DTLS_CLIENT_ERROR: ../dtls/dtls_connection_db.c:2015 Max retransmission count reached!
*Feb  2 12:31:41.000: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for 10.1.1.1 is reached.

Please advise.

Thanks,

Ramesh

*Feb  2 12:31:11.067: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Feb  2 12:31:11.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.1.1 peer_port: 5246

Ok, you are saying that the 2106 has the IP address of 10.1.1.1/24.  The error message above says that DHCP Option 43 is still pointing to 10.1.1.1.

Alternatively, go into the 2106 GUI and look for the AP in question.  Go to the "High Availability" tab and check the details there.

Hi Leo,

There is no HA IP is assigned in the WLC2106.

And the DHCP Scope is using Option 43 IP 10.2.2.1

But still the AP is using the Old WLC IP for registration.

But the AP 1131AG is taking the IP from the correct DHCP Scope of network pool 10.2.2.51 - 100 

Thanks,

Ramesh

There is no HA IP is assigned in the WLC2106.

Can you explain this?  Are you saying that in the HA tab only the WLC name is there and no IP address?

Hi Leo,

No there is no HA name or IP assigned in the Old WLC.

Thanks,

Ramesh

Hi Ramesh,

if this WLC is still connecting to the old WLC then either you have to remove OLD WLC ip from HA tab or. you can do this:

AP#debug capwap console cli

AP#clear capwap private- config

or 

erase nvram:

but after doing that SP will get a new ip from dhcp and then you also have the name of AP.

Regards

Hi Sandeep,

Yes if i am resetting the AP and executing the command "clear capwap private-config", then i can able to get registered with the controller.

But as per the Cisco document it will automatically registers with the new controller without performing the above mentioned process.

Even i switched off the old controller wlc2106, but i am facing the same issue.

Where i need to migrate more than 50 numbers of 1131AG to wlc 5508, so i cant go and do the reset process for each AP because most of the AP's are located in different country.

Please advise us the way to make it join to the new controller without performing the reset procedure.

Thanks,

Ramesh

Hi Sandeep,

Good idea mate let me check this on tomorrow and will update to you.

Thanks,

Ramesh