
One of our Airlap 1142N AP is joining the WLC 5500

manly009
Level 1

Hi Guys,

Suddenly it has been reported to me that one of our APs is not connecting to the WLC. It looks like the AP is getting an IP, but it cannot associate with the WLC. Previously I configured "config ap cert-expiry-ignore {mic|ssc} enable", and it fixed all the old APs' joining issues. But for this one AP I am not sure what to do... I was thinking of ticking "Accept Self Signed Certificate (SSC)" under Security AAA - AP policies, but I am not sure if it will cause other connection issues?

The log I got from the AP:

*Mar 1 00:00:09.122: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:09.168: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C1140 Software (C1140-RCVK9W8-M), Version 12.4(18a)JA, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 21-Nov-08 01:28 by prod_rel_team
*Mar 1 00:00:09.196: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Mar 1 00:00:10.122: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:18.265: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.8.44.57, mask 255.255.254.0, hostname Gym



*Mar 1 00:00:28.101: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !!
*Mar 1 00:00:28.223: Logging LWAPP message to 255.255.255.255.

*Mar 1 00:00:32.233: %CDP_PD-2-POWER_LOW: All radios disabled - NEGOTIATED WS-C3750X-24P (2894.0f34.ed2e)
Translating "CISCO-LWAPP-CONTROLLER.school.com"...domain server (10.8.2.42) [OK]

*Mar 1 00:00:38.173: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Jan 22 04:01:52.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.8.46.2 peer_port: 5246
*Jan 22 04:01:52.821: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.8.46.2
*Jan 22 04:01:52.821: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Jan 22 04:01:52.821: %DTLS-5-PEER_DISCONNECT: Peer 10.8.46.2 has closed connection.
*Jan 22 04:01:52.822: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

 

Thanks a lot for the help.


Mang


Leo Laohoo
Hall of Fame

@manly009 wrote:

*Jan 22 04:01:52.821: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.


What firmware is the controller running on?

It is C1140, version 12.4 (18a) JA.

Thanks

What firmware is the CONTROLLER running on?

That AP version correlates to WLC version 5.2.193.0, which won't work with the cert expiry issue.

You need at least version 7.0.252.0 or higher in order to ignore the certificates.

Your AP can support up to version 8.3 on the WLC.

https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

A bit of a correction: our WLC model is AIR-CT5508-K9, its firmware: 6.0.182.0

AP: It is C1142N N K9. version 12.4 (18a) JA.

So only this one stopped joining the Controller. Before I reset it to factory default, I remember the AP was saying:

%LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down

Does it mean the AP is faulty now?

Mang


No, it doesn't.
The fault may affect the AP but it is not being "mentioned" in the FN because the firmware is End-of-Support.
My recommendation is to upgrade the firmware to the latest 8.0.X.X.

Sorry, actually the WLC's software version is: 8.0.140.0

We would think the AP should talk to the WLC? All the other 1142N N K9 still work?

Any other suggestions? Should I tick "Accept Self Signed Certificate (SSC)" on the WLC? Would this affect something else?

Thanks

Mang

The actual log from the AP:

Please advise:

IOS Bootloader - Starting system.
Xmodem file system is available.

DDR values used from system serial eeprom.
WRDTR,CLKTR: 0x86000800, 0x40000000
RQDC, RFDC : 0x8000003d, 0x00000216

PCIE0: link is up.
PCIE0: VC0 is active
PCIE1: link is up.
PCIE1: VC0 is active
PCIEx: initialization done
flashfs[0]: 67 files, 15 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 32385024
flashfs[0]: Bytes used: 20049408
flashfs[0]: Bytes available: 12335616
flashfs[0]: flashfs fsck took 22 seconds.
Reading cookie from system serial eeprom...Done
Base Ethernet MAC address: 00:22:bd:1a:39:50
Ethernet speed is 1000 Mb - FULL duplex
Loading "flash:/c1140-rcvk9w8-mx/c1140-rcvk9w8-mx"...#############################################################################################################################################################################################################################

File "flash:/c1140-rcvk9w8-mx/c1140-rcvk9w8-mx" uncompressed and installed, entry point: 0x4000
executing...
enet halted

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

 

Cisco IOS Software, C1140 Software (C1140-RCVK9W8-M), Version 12.4(18a)JA, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 21-Nov-08 01:28 by prod_rel_team
Image text-base: 0x00004000, data-base: 0x00430000


Proceeding with system init

Proceeding to unmask interrupts
Initializing flashfs...

flashfs[1]: 67 files, 15 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 32385024
flashfs[1]: Bytes used: 20049408
flashfs[1]: Bytes available: 12335616
flashfs[1]: flashfs fsck took 5 seconds.
flashfs[1]: Initialization complete....done Initializing flashfs.
Ethernet speed is 1000 Mb - FULL duplex

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-LAP1142N-N-K9 (PowerPC405ex) processor (revision A0) with 98294K/32768K bytes of memory.
Processor board ID FCW1336S029
PowerPC405ex CPU at 586Mhz, revision number 0x147E
Last reset from power-on
LWAPP image version 3.0.51.0
1 Gigabit Ethernet interface

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:22:BD:1A:39:50
Part Number : 73-11451-06
PCA Assembly Number : 800-30554-03
PCA Revision Number : A0
PCB Serial Number : FOC13331VKX
Top Assembly Part Number : 800-31273-01
Top Assembly Serial Number : FCW1336S029
Top Revision Number : A0
Product/Model Number : AIR-LAP1142N-N-K9
% Please define a domain-name first.
ip ssh version 2
^
% Invalid input detected at '^' marker.

transport input ssh
^
% Invalid input detected at '^' marker.

aaa new-model
^
% Invalid input detected at '^' marker.

aaa authentication login default local
^
% Invalid input detected at '^' marker.

login authentication default
^
% Invalid input detected at '^' marker.

transport input ssh
^
% Invalid input detected at '^' marker.

RS


Press RETURN to get started!

SI IDB null
RSSI IDB null
*Mar 1 00:00:06.866: *** CRASH_LOG = YES
Base Ethernet MAC address: 00:22:BD:1A:39:50

*Mar 1 00:00:07.071: %LWAPP-3-CLIENTEVENTLOG: Read and initialized AP event log (contains, 1024 messages)

*Mar 1 00:00:09.121: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:09.167: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C1140 Software (C1140-RCVK9W8-M), Version 12.4(18a)JA, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 21-Nov-08 01:28 by prod_rel_team
*Mar 1 00:00:09.195: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Mar 1 00:00:10.122: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:18.035: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.8.44.57, mask 255.255.254.0, hostname Gym

logging origin-id string AP:0022.bd1a.3950
^
% Invalid input detected at '^' marker.

logging 255.255.255.255
^
% Invalid input detected at '^' marker.

logging trap 3
^
% Invalid input detected at '^' marker.

*Mar 1 00:00:28.099: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !!
*Mar 1 00:00:28.222: Logging LWAPP message to 255.255.255.255.

*Mar 1 00:00:31.599: %CDP_PD-2-POWER_LOW: All radios disabled - NEGOTIATED WS-C3750X-24P (2894.0f34.ed2e)
Translating "CISCO-LWAPP-CONTROLLER.mercedes.catholic.edu.au"...domain server (10.8.2.42) [OK]

*Mar 1 00:00:38.168: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Jan 22 23:56:34.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.8.46.2 peer_port: 5246
*Jan 22 23:56:34.820: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.8.46.2
*Jan 22 23:56:34.821: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Jan 22 23:56:34.821: %DTLS-5-PEER_DISCONNECT: Peer 10.8.46.2 has closed connection.
*Jan 22 23:56:34.821: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
*Jan 22 23:57:17.419: %CDP_PD-2-POWER_LOW: All radios disabled - NEGOTIATED WS-C3750X-24P (2894.0f34.ed2e)
transport input ssh
^
% Invalid input detected at '^' marker.

RSSI IDB null
RSSI IDB null
*Jan 22 23:57:39.077: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Jan 22 23:57:49.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.8.46.2 peer_port: 5246
*Jan 22 23:57:49.822: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.8.46.2
*Jan 22 23:57:49.823: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Jan 22 23:57:49.823: %DTLS-5-PEER_DISCONNECT: Peer 10.8.46.2 has closed connection.
*Jan 22 23:57:49.823: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

AP is booting up the RCV firmware.
This means the AP has never joined a controller before.

Post the complete output to the following commands: 

1.  WLC:  sh sysinfo; 
2.  WLC:  sh time; &
3.  AP:  dir

The controller is running the firmware that fixes the FN, HOWEVER, the AP is running a very, very, very old RCV.  This particular version, 12.4(18a)JA, DOES NOT HAVE THE FIX. 

The only way to get the AP to join the controller is to manually upgrade the firmware of the AP.  In order to do this, you'll need to do the following (in order): 

1.  Go HERE and download the filename "c1140-rcvk9w8-tar.153-3.JD17.tar";

2.  Push the firmware to the AP using the command "archive download-sw /over tftp://<TFTP IP Address>/c1140-rcvk9w8-tar.153-3.JD17.tar"

3.  Reboot the AP

 

Hi, thanks for that. I cannot download the file. It seems the file is no longer published; do you know where else I can download it?
Thanks

File "c1140-rcvk9w8-tar.153-3.JD17.tar" is still available and requires a valid Service Contract.
Send an email to TAC and ask them to publish it for you.

The file is actually still there to download but obviously you need a valid service contract:
https://software.cisco.com/download/home/282439881/type/280775090/release/15.3.3-JD17

Still not good. I can see it under Controller, but no devices can connect to it.

Error:

...domain server (10.8.2.42) [OK]

*Jan 29 05:30:40.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.8.46.2 peer_port: 5246
*Jan 29 05:30:40.546: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.8.46.2
*Jan 29 05:30:40.546: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.8.46.2:5246
*Jan 29 05:30:49.613: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Jan 29 05:30:50.635: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Jan 29 05:30:51.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Jan 29 05:30:51.661: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Jan 29 05:30:52.661: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Jan 29 05:31:45.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.8.46.2 peer_port: 5246
*Jan 29 05:31:45.552: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.8.46.2
*Jan 29 05:31:45.552: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.8.46.2:5246
*Jan 29 05:51:1
*Jan 29 05:51:17.523: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Jan 29 05:51:17.609: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Jan 29 05:51:18.303: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller MERCEDES-WLC5508-2
*Jan 29 05:51:18.415: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Jan 29 05:51:18.415: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Jan 29 05:51:18.617: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Jan 29 05:51:18.643: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.8.46.3:5246
*Jan 29 05:51:18.781: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Jan 29 05:51:19.443: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Jan 29 05:51:19.443: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Jan 29 05:51:19.643: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Jan 29 05:51:20.638: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Jan 29 05:51:20.664: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Jan 29 05:51:20.669: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Jan 29 05:51:20.674: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Jan 29 05:51:21.664: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Jan 29 05:51:21.669: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Jan 29 05:51:21.694: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Jan 29 05:51:22.694: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Jan 29 05:33:03.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.8.46.2 peer_port: 5246
*Jan 29 05:33:03.554: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.8.46.2
*Jan 29 05:33:03.554: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.8.46.2:5246

What can I try next?

Thanks

Did you apply the workaround config *after* both WLC and AP were running updated software with the fix?  You may need to manually set the WLC time back to before cert expiry (and disable NTP) initially as per the field notice.  Once all hardware is running updated software, with fix applied, then it should work.
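
Added example, not part of the original thread or Cisco's tooling: a small Python triage script that reads AP console output like the logs posted above and reports the booted image, whether it is the RCV (recovery) image, and which controllers answered every DTLS request with a "Certificate unknown" alert. The sample input is constructed from lines posted in this thread; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, assembled from AP console lines posted in this thread.
SAMPLE_LOG = """\
Cisco IOS Software, C1140 Software (C1140-RCVK9W8-M), Version 12.4(18a)JA, RELEASE SOFTWARE (fc4)
*Jan 22 23:56:34.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.8.46.2 peer_port: 5246
*Jan 22 23:56:34.820: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.8.46.2
*Jan 22 23:56:34.821: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Jan 22 23:57:49.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.8.46.2 peer_port: 5246
*Jan 22 23:57:49.822: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.8.46.2
*Jan 29 05:51:18.303: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller MERCEDES-WLC5508-2
"""

IMAGE_RE = re.compile(r"Cisco IOS Software, \S+ Software \((\S+)\), Version ([^,]+),")
REQ_RE = re.compile(r"%CAPWAP-5-DTLSREQSEND: .*peer_ip: (\S+) peer_port: (\d+)")
ALERT_RE = re.compile(r"%DTLS-5-ALERT: Received FATAL : (.+?) alert from (\S+)")
JOIN_RE = re.compile(r"%CAPWAP-5-JOINEDCONTROLLER: AP has joined controller (\S+)")

def triage(log_text):
    """Summarise CAPWAP/DTLS join attempts found in an AP console log."""
    result = {"image": None, "version": None, "recovery_image": False,
              "requests": Counter(), "alerts": Counter(), "joined": []}
    for line in log_text.splitlines():
        if m := IMAGE_RE.search(line):
            result["image"], result["version"] = m.group(1), m.group(2)
            # "RCV" in the image name marks the recovery image discussed in the thread.
            result["recovery_image"] = "RCV" in m.group(1).upper()
        elif m := REQ_RE.search(line):
            result["requests"][m.group(1)] += 1          # keyed by controller IP
        elif m := ALERT_RE.search(line):
            result["alerts"][(m.group(2), m.group(1))] += 1  # (controller IP, alert text)
        elif m := JOIN_RE.search(line):
            result["joined"].append(m.group(1))
    return result

def rejected_peers(result):
    """Controllers that answered every DTLS request with 'Certificate unknown'."""
    return sorted(peer for peer, n in result["requests"].items()
                  if result["alerts"][(peer, "Certificate unknown")] >= n)

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(summary["image"], summary["version"], summary["recovery_image"])
    print("rejected by:", rejected_peers(summary), "joined:", summary["joined"])
```
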
