
Mobility Express's internal AP cannot join itself

We downloaded a config file from one ME AP and uploaded it to another ME AP. We changed the WLC's MAC address and serial number in that config file before uploading it. After that, the internal AP of the ME AP cannot join itself.

Here is the error log:
CAPWAP State: DTLS Setup
dtls_process_packet: DTLS Error: 1046
dtls_process_packet: The controller shut down the DTLS connection.
No more AP manager addresses remain..
dtls_process_packet: Please verify that the AP certificate is valid and has not expired.
dtls_disconnect: ERROR shutting down dtls connection ...
CAPWAP State: DTLS Teardown
No more AP manager addresses remain..
No valid AP manager found for controller 'WLC-001' (ip: 192.168.1.100)
Failed to join controller WLC-001.
Failed to join controller.

I have checked the time on the WLC, and it's right. The timezone also has no problem. I don't know if there will be a problem when using another ME's config file. So, I want to know whether we cannot do that. If we can do that, is there any workaround?

Thanks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

Does your 2nd AP have an IP address on the same 192.168.1.0/x24 subnet? What AP models are these, and what version are you running on your ME AP?

 

HTH

Rasika

Hi,

Yes, the IP address of the Master AP is 192.168.1.100/24, and 192.168.1.150/24 is the internal LAP's IP address. The AP model is 1832I, and the version of the Master AP is 8.5.131.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

Have you configured the correct time & proper country code on the WLC?

Post "show sysinfo" from WLC & "show ver" from AP CLI

 

Rasika

Hi Rasika:

Mobility Express WLC:

---------------show time---------------


Time............................................. Wed Sep 19 13:32:03 2018

Timezone delta................................... 0:0
Timezone location................................ (GMT +8:00) HongKong, Bejing, Chongquing

----------------------
---------------Show sysinfo---------------

System Information
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.5.131.0

System Name...................................... WLC-001
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.2371
IP Address....................................... 192.168.1.100
Last Reset....................................... 1: reload command

System Up Time................................... 0 days 0 hrs 4 mins 34 secs
System Timezone Location......................... (GMT +8:00) HongKong, Bejing, Chongquing
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180

Configured Country............................... CN - China

--More-- or (q)uit

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 3
Number of Active Clients......................... 0

OUI Classification Failure Count................. 0

Burned-in MAC Address............................ (Suppress display)
Maximum number of APs supported.................. 50
System Nas-Id....................................
WLC MIC Certificate Types........................ SHA1/SHA2




Mobility Express LAP:

AP#show clock
*13:29:22 HKT Wed Sep 19 2018
--------------------------
***** show version *****
Cisco AP Software, (ap1g4), C1832, RELEASE SOFTWARE
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Tue Jun 5 07:25:50 PDT 2018

ROM: Bootstrap program is U-Boot boot loader
BOOTLDR: U-Boot boot loader Version 30

AP uptime is 0 days, 0 hours, 6 minutes
Last reload time : Wed Sep 19 13:33:35 UTC 2018
Last reload reason : reload command

cisco AIR-AP1832I-H-K9 ARMv7 Processor rev 0 (v7l) with 997268/495032K bytes of memory.
Processor board ID KWC23210AUS
AP Running Image : 8.5.131.0
Primary Boot Image : 8.5.131.0
Backup Boot Image : 8.3.143.0
AP Image type : MOBILITY EXPRESS IMAGE
AP Configuration : MOBILITY EXPRESS CAPABLE
2 Gigabit Ethernet interfaces
2 802.11 Radios
Radio FW version : 5fd9df2ef70d087b014a57c17ecc942b
NSS FW version : wstephen,

Base ethernet MAC Address :(suppress display)
Part Number : 0-0000-00
PCA Assembly Number : 074-104313-03
PCA Revision Number : 01
PCB Serial Number : KWC23210AUS
Top Assembly Part Number : 074-104313-03
Top Assembly Serial Number : KWC23210AUS
Top Revision Number : A0
Product/Model Number : AIR-AP1832I-H-K9


----------------------------
***** show config *****
AP Name : AP
Admin State : Enabled
AP Mode : FlexConnect
AP Submode : None
Location : default location
Reboot Reason : Static IP Addr Set
Primary controller name :
Primary controller IP :
Secondary controller name :
Secondary controller IP :
Tertiary controller name :
Tertiary controller IP :
AP join priority : 1
IP Prefer-mode : IPv4
CAPWAP UDP-Lite : Unconfigured
Last Joined Controller name: WLC
DTLS Encryption State : Disabled
Discovery Timer : 10
Heartbeat Timer : 30
CDP State : Enabled
Watchdog monitoring : Enabled
IOX : Disabled
RRM State : Enabled
LSC State : Disabled
SSH State : Enabled
AP Username : Test
Session Timeout : 300
Extlog Host : 0.0.0.0
Extlog Flags : 0
Extlog Status Interval : 0
Syslog Host : 255.255.255.255
Syslog Facility : 0
Syslog Level : errors
Core Dump TFTP IP Addr :
Core Dump File Compression : Disabled
Core Dump Filename :
Client Trace Status : Enabled(All)
Client Trace All Clients : Enabled
Client Trace Filter : 0x0E000000
Client Trace Out ConsoleLog: Disabled
WLC Link LAG status : Disabled
AP Link LAG status : Disabled
AP WSA Mode : Disabled
--------------------------
***** show capwap client rcb *****
AdminState : ADMIN_ENABLED
OperationState : DTLS SETUP
Name : AP
SwVer : 8.5.131.0
HwVer : 1.0.0.0
MwarApMgrIp : 192.168.1.100
MwarName : WLC-001
MwarHwVer : 0.0.0.0
Location : default location
ApMode : FlexConnect
ApSubMode : Not Configured
CAPWAP Path MTU : 576
CAPWAP UDP-Lite : Enabled
IP Prefer-mode : IPv4
AP Link DTLS Encryption : OFF
AP TCP MSS Adjust : Enabled
AP TCP MSS size : 1250
LinkAuditing : disabled
Efficient Upgrade State : Disabled
Flex Group Name : default-flexgroup
AP Group Name : default-group
Cisco Trustsec Config
AP Inline Tagging Mode : Disabled
AP Sgacl Enforcement : Disabled
AP Override Status : Disabled

Thanks a lot!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

Hi,

 

How did you fix the issue? I'm seeing the exact same issue on 5520 wlc after upgrading to 8.10.142, AP models are AIR-AP2802I-B-K9 and AIR-AP3802I-B-K9. 

I downgraded the wlc back to 8.10.130, but AP still can't join the wlc. Same AP can join 9800 controller, but not 5520.

 

Logs from AP console -

[*11/11/2020 21:46:38.8818] CAPWAP State: Discovery
[*11/11/2020 21:46:38.8865] Got WLC address 100.1.1.10 from DHCP.
[*11/11/2020 21:46:38.8866] IP DNS query for CISCO-CAPWAP-CONTROLLER.talpha.com
[*11/11/2020 21:46:38.9520] Discovery Request sent to 100.1.1.10, discovery type DHCP(2)
[*11/11/2020 21:46:38.9549] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*11/11/2020 21:46:38.9551] Discovery Response from 100.1.1.10
[*11/11/2020 21:46:49.0003]
[*11/11/2020 21:46:49.0003] CAPWAP State: DTLS Setup
[*11/11/2020 21:46:49.0030] dtls_process_packet: DTLS Error: 1040
[*11/11/2020 21:46:49.0030] dtls_process_packet: The controller shut down the DTLS connection.
[*11/11/2020 21:46:49.0030] dtls_process_packet: Please verify that the AP certificate is valid and has not expired.
[*11/11/2020 21:47:46.0357]
[*11/11/2020 21:47:46.0357] CAPWAP State: DTLS Teardown
[*11/11/2020 21:47:46.1040] upgrade.sh: Script called with args:[ABORT]
[*11/11/2020 21:47:46.1597] do ABORT, part1 is active part
[*11/11/2020 21:47:46.1737] upgrade.sh: Cleanup tmp files ...
[*11/11/2020 21:47:46.2011] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state: DTLS Teardown(4).
[*11/11/2020 21:47:46.2012] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state: DTLS Teardown(4).
[*11/11/2020 21:47:50.7872] No more AP manager addresses remain..
[*11/11/2020 21:47:50.7872] No valid AP manager found for controller 'C5520-WLC' (ip: 100.1.1.10)
[*11/11/2020 21:47:50.7872] Failed to join controller C5520-WLC.
[*11/11/2020 21:47:50.7872] Failed to join controller.

 

AP MIC cert -

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
5f:f8:7b:28:2b:54:dc:8d:42:a3:15:b5:68:c9:ad:ff
Signature Algorithm: sha1WithRSAEncryption
Issuer: O=Cisco Systems, CN=Cisco Root CA 2048
Validity
Not Before: May 14 20:17:12 2004 GMT
Not After : May 14 20:25:42 2029 GMT
Subject: O=Cisco Systems, CN=Cisco Root CA 2048
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)

#sh clock
*21:53:57 UTC Wed Nov 11 2020

 

WLC cert -

Certificate Name: Cisco Root CA SHA1 cert

Subject Name :
O=Cisco Systems, CN=Cisco Root CA 2048
Issuer Name :
O=Cisco Systems, CN=Cisco Root CA 2048
Serial Number (Hex):
5FF87B282B54DC8D42A315B568C9ADFF
Validity :
Start : May 14 20:17:12 2004 GMT
End : May 14 20:25:42 2029 GMT
Signature Algorithm :
sha1WithRSAEncryption

(C5520-WLC) >show time

Time............................................. Wed Nov 11 21:54:05 2020

Timezone delta................................... 0:0
Timezone location................................ (GMT) London, Lisbon, Dublin, Edinburgh

This does not seem to be the same problem, but it looks like an AP or WLC certificate issue. Should you use the command "show certificate all" to check "Certificate Name: Cisco SHA1 device cert", not "Certificate Name: Cisco Root CA SHA1 cert"?

 

Thx & BR

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

SimaXx

Hi,

Verify that your NTP settings are OK and not blocked by the firewall.

I just had the same problem.

regards,

Hi,

I have the same problem, and I notice that the WLC time is correct but the AP time and date are incorrect. Any suggestions on how to set the time and date of AP C9120axi?

"clock set" command is not available in the AP.

regards,
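
Added example, not part of any post in this thread: a Python check for two points raised in the replies above, whether a pasted certificate is the self-signed root CA rather than the device certificate, and whether it falls inside its validity window at the device's own clock. The certificate fields and the 2020 clock are copied from the thread; the 1970 clock is a constructed value standing in for a device whose clock was never set, and the function names are illustrative.

```python
import re
from datetime import datetime

# Fields copied from the "AP MIC cert" dump posted in the thread.
POSTED_CERT = """\
Issuer: O=Cisco Systems, CN=Cisco Root CA 2048
Validity
Not Before: May 14 20:17:12 2004 GMT
Not After : May 14 20:25:42 2029 GMT
Subject: O=Cisco Systems, CN=Cisco Root CA 2048
"""
POSTED_CLOCK = "*21:53:57 UTC Wed Nov 11 2020"   # "sh clock" output from the thread
UNSET_CLOCK = "*00:03:12 UTC Thu Jan 01 1970"    # constructed: clock never set
CERT_TIME = "%b %d %H:%M:%S %Y GMT"
CLOCK_TIME = "%H:%M:%S UTC %a %b %d %Y"          # assumption: clock is reported in UTC


def parse_cert_dump(text):
    """Extract issuer, subject and validity bounds from an openssl-style text dump."""
    def field(label):
        m = re.search(rf"^\s*{label}\s*:\s*(.+?)\s*$", text, re.MULTILINE)
        if m is None:
            raise ValueError(f"{label!r} not found in dump")
        return m.group(1)
    return {
        "issuer": field("Issuer"),
        "subject": field("Subject"),
        "not_before": datetime.strptime(field("Not Before"), CERT_TIME),
        "not_after": datetime.strptime(field("Not After"), CERT_TIME),
    }


def triage(cert_text, clock_line):
    """Return findings for one pasted certificate checked against one device clock."""
    cert = parse_cert_dump(cert_text)
    now = datetime.strptime(clock_line.lstrip("*").strip(), CLOCK_TIME)
    findings = []
    if cert["subject"] == cert["issuer"]:
        findings.append("self-signed root CA, not the device identity certificate")
    if now < cert["not_before"]:
        findings.append("not yet valid at this clock")
    elif now > cert["not_after"]:
        findings.append("expired at this clock")
    return findings


if __name__ == "__main__":
    print(triage(POSTED_CERT, POSTED_CLOCK))
    print(triage(POSTED_CERT, UNSET_CLOCK))
```

Run against the posted dump, the only finding is that the certificate is the root CA, so the device certificate still has to be checked separately on both the AP and the WLC.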

 
