1602 APs fail to join 7500 controller after update

clybumat1
Level 1

I have two 1602 APs that are doing the same thing.  They initially join the 7500 controller, download the needed software, but after they reboot, they fail to re-join.  Here is the log info from one of the APs:


*Apr 22 23:36:17.067: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Apr 22 23:36:17.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.6.60 peer_port: 5246
*Apr 22 23:36:19.183: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:929 Unexpected message received while expecting HelloVerifyRequest
*Apr 22 23:36:19.183: %DTLS-5-SEND_ALERT: Send FATAL : Unexpected message Alert to "WLC IP ADDRESS REMOVED FOR PRIVACY REASONS"
*Apr 22 23:36:19.183: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to "WLC IP ADDRESS REMOVED FOR PRIVACY REASONS"
*Apr 22 23:37:22.067: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Apr 22 23:37:22.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.6.60 peer_port: 5246
*Apr 22 23:37:28.571: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_record.c:394 BD is not of DTLS Change Cipher Spec type
*Apr 22 23:37:28.571: %DTLS-5-SEND_ALERT: Send FATAL : Internal error Alert to "WLC IP ADDRESS REMOVED FOR PRIVACY REASONS"
*Apr 22 23:37:28.571: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to "WLC IP ADDRESS REMOVED FOR PRIVACY REASONS"
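An added example, not part of the original post or any Cisco tooling: a Python sketch that groups AP console lines like those above into DTLS join attempts and tallies how each one failed, which helps when the same loop has to be spotted across many APs. The function names and regular expressions are assumptions derived only from the log format shown in this thread.

```python
import re
from collections import Counter

# AP console lines copied from the first post in this thread.
SAMPLE = """\
*Apr 22 23:36:17.067: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
*Apr 22 23:36:17.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.6.60 peer_port: 5246
*Apr 22 23:36:19.183: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:929 Unexpected message received while expecting HelloVerifyRequest
*Apr 22 23:36:19.183: %DTLS-5-SEND_ALERT: Send FATAL : Unexpected message Alert to "WLC IP ADDRESS REMOVED FOR PRIVACY REASONS"
*Apr 22 23:36:19.183: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to "WLC IP ADDRESS REMOVED FOR PRIVACY REASONS"
*Apr 22 23:37:22.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.6.60 peer_port: 5246
*Apr 22 23:37:28.571: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_record.c:394 BD is not of DTLS Change Cipher Spec type
*Apr 22 23:37:28.571: %DTLS-5-SEND_ALERT: Send FATAL : Internal error Alert to "WLC IP ADDRESS REMOVED FOR PRIVACY REASONS"
*Apr 22 23:37:28.571: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to "WLC IP ADDRESS REMOVED FOR PRIVACY REASONS"
"""

LINE = re.compile(r'^\*(?P<ts>\w{3}\s+\d+ [\d:.]+): (?P<body>.*)$')
# peer_ip may be a bare address or a quoted, redacted string, so match lazily.
REQ = re.compile(r'%CAPWAP-5-DTLSREQSEND: .*peer_ip: (?P<peer>.+?) peer_port: (?P<port>\d+)')
ERR = re.compile(r'DTLS_CLIENT_ERROR: (?P<src>\S+?):(?P<line>\d+) (?P<msg>.*)')
ALERT = re.compile(r'%DTLS-5-SEND_ALERT: Send (?P<level>\w+) : (?P<desc>.+?) Alert to')

def parse_attempts(text):
    """Split console output into join attempts, one per DTLSREQSEND line."""
    attempts, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        body = m['body']
        if (r := REQ.search(body)):
            cur = {'start': m['ts'], 'peer': r['peer'].strip('"'),
                   'port': int(r['port']), 'error': None, 'alerts': []}
            attempts.append(cur)
        elif cur is None:
            continue  # lines seen before the first connection request
        elif (e := ERR.search(body)):
            cur['error'] = (e['src'].rsplit('/', 1)[-1], int(e['line']), e['msg'])
        elif (a := ALERT.search(body)):
            cur['alerts'].append((a['level'], a['desc']))
    return attempts

def summarize(attempts):
    """Count attempts by the client-side error message that ended them."""
    return Counter(a['error'][2] if a['error'] else 'no client error logged' for a in attempts)

def failing_peers(attempts, threshold=2):
    """Peers with at least `threshold` attempts that ended in a FATAL alert."""
    hits = Counter(a['peer'] for a in attempts if any(lv == 'FATAL' for lv, _ in a['alerts']))
    return {p: n for p, n in hits.items() if n >= threshold}

if __name__ == '__main__':
    print(summarize(parse_attempts(SAMPLE)))
```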

 


Try using the command config ap primary-base <wlcname> <ip address>

 

If it's not joining, post the output of the AP console logs. Let's check the error logs.

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)

Here are the AP logs. It repeats this over and over:

*May 7 23:35:23.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: "WLC IP HIDDEN FOR PRIVACY REASONS" peer_port: 5246
*May 7 23:35:29.579: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_record.c:394 BD is not of DTLS Change Cipher Spec type
*May 7 23:35:29.579: %DTLS-5-SEND_ALERT: Send FATAL : Internal error Alert to "WLC IP HIDDEN FOR PRIVACY REASONS"
*May 7 23:35:29.579: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to "WLC IP HIDDEN FOR PRIVACY REASONS"
*May 7 23:36:28.067: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

capwap ap controller ip address <wlc ip>
Regards,
Sathiyanarayanan Ravindran


Yes I tried that command, thanks. It still does not join with the same log info in my previous post.

There are so many country codes enabled on the WLC. So are you running multiple domain APs on this single WLC?
Regards,
Sathiyanarayanan Ravindran


I'm not sure about multiple Domains, but the WLC holds over 1,000 APs, many from countries all over the world.

Also noticed this in bold:

 

*May 7 23:39:06.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.6.60 peer_port: 5246
*May 7 23:39:12.575: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_record.c:394 BD is not of DTLS Change Cipher Spec type
*May 7 23:39:12.575: %DTLS-5-SEND_ALERT: Send FATAL : Internal error Alert to "IP HIDDEN FOR PRIVACY REASONS"
*May 7 23:39:12.575: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to "IP HIDDEN FOR PRIVACY REASONS"
*May 7 23:40:39.067: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy15766/?rfs=iqvred

The error is matching with this bug but the rest are not. Reloading the WLC is a workaround for this bug.
Regards,
Sathiyanarayanan Ravindran


Thanks. I have requested to have the WLC rebooted. We will see if this fixed it.

Try this out before reboot

• Log into your Wireless LAN Controller.
• Select the Security tab.
• Expand AAA and select AP Policies.
• Click the Add button in the far right.
• Under Add AP to Authorization List, enter the MAC Address of the Access Point in the MAC Address text box. (The MAC Address can be found either on the bottom of the Access Point
• Click the Add button.
• Click the Apply button.
• Click the Wireless tab.
• Under Wireless > All APs, select the AP, then go to the General tab, click the AP Mode drop-down box and select Local.

Ref: https://community.cisco.com/t5/other-wireless-mobility-subjects/wlan-accesspoint-dtls-problem/m-p/3852804#M100274
Regards,
Sathiyanarayanan Ravindran


Thanks for the suggestion. However, when I get to the step to select the AP, it is not there. So it seems it's still not joining the controller.