AP fails to join controller

srosenthal
Level 4

I have a 4402 controller and I am trying to add a 1200 series AP as the first AP. 

The controller has version 5.2.178 of code and the AP was just converted from autonomous to LWAPP.

I verified the date and time of both units and they are within a few minutes of each other.

Here is what the AP is showing when it is booting up and fails to join.

*Apr 13 16:48:04.012: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Apr 13 16:48:04.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.3 peer_port: 5246
*Apr 13 16:48:04.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Apr 13 16:48:05.715: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 192.168.1.3
*Apr 13 16:48:05.715: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Apr 13 16:48:05.715: %DTLS-5-PEER_DISCONNECT: Peer 192.168.1.3 has closed connection.
*Apr 13 16:48:05.716: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 192.168.1.3:5246
*Apr 13 16:48:05.717: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

Seth

1 Accepted Solution

gabrielsagredo
Level 1

Did you use the Cisco Aironet to LWAPP conversion tool?

If yes:

Check the directory where the upgrade tool is installed and see if it created a file (.csv) that contains the SSC for the AP. Then manually add that into the WLC under Security and then AP policies link.

Thank you for the help, that fixed it.

Seth

Hi,

I have this issue log during the connection between the AP and WLC.

Can anyone help to sort this out?

*Nov 25 11:08:35.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.12.100 peer_port: 5246
*Nov 25 11:09:26.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0x8717754!

*Nov 25 11:09:34.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.12.100:5246
*Nov 25 11:09:59.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Nov 25 11:10:00.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.12.100 peer_port: 5246
*Nov 25 11:10:51.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0x8717754!

*Nov 25 11:10:59.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.12.100:5246
*Nov 25 11:11:24.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Nov 25 11:11:25.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.12.100 peer_port: 5246

Hi Majil,

Create a new thread and paste this info:

sh sysinfo from WLC

sh version from AP

Regards

Seeing absolutely identical circumstances here Manjil - did you ever obtain a fix?

This is a very, very old thread.  Kindly create a new thread so we can have a look.

Duly noted. New thread is here: https://supportforums.cisco.com/discussion/13119406/cisco-1532i-not-joining-wlc5508

Feel free to take a look.

Leo, I have changed the regulatory domain-country code and restarted the device, and the issue has been resolved.

I am having the same problem just different hardware.

WISM running 6.0.199.4

AP is a 1231 that was converted from Autonomous to lightweight.

The error codes I am getting are exactly what this thread has listed. The APs came up already and were talking to the controller. I took the AP off and now when I plug it back in I get the error. I have taken the SHA1 key from the upgrade tool and added it to the controller under security/ap policy and the AP still will not come up. Any ideas as to what else I can try?

If you've configured both controllers on the WiSM make sure you've added the SSC (the SHA key) to both controllers.

Can you post the error you're receiving to verify the issue is the same?

Yes I have added it to both controllers.  Actually we have 12 wisms split between 2 mobility groups.    Here is the error.

*Mar 25 16:14:07.718: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Mar 25 16:14:07.719: %DTLS-5-PEER_DISCONNECT: Peer 192.168.251.234 has closed connection.
*Mar 25 16:14:07.719: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 192.168.251.234:5246
*Mar 25 16:14:07.720: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
*Mar 25 16:15:11.129: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Mar 25 16:15:11.130: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Mar 25 16:15:11.130: bsnInitRcbSlot: slot 1 has NO radio
*Mar 25 16:15:11.145: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Mar 25 16:15:11.165: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 25 16:15:11.167: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 25 16:15:11.179: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 25 16:15:11.185: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 25 16:15:11.197: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 25 16:15:21.164: %CAPWAP-3-ERRORLOG: Selected MWAR 'c6509-2-wism-8-2'(index 0).
*Mar 25 16:15:21.164: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Mar 25 16:15:23.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.251.184 peer_port: 5246
*Mar 25 16:15:23.002: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Mar 25 16:15:24.804: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.251.184 peer_port: 5246
*Mar 25 16:15:24.806: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.251.184
*Mar 25 16:15:24.807: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Mar 25 16:15:24.811: %DTLS-5-ALERT: Received WARNING : Close notify alert from 192.168.251.184
*Mar 25 16:15:24.811: %DTLS-5-PEER_DISCONNECT: Peer 192.168.251.184 has closed connection.
*Mar 25 16:15:24.811: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 192.168.251.184:5246
*Mar 25 16:15:24.813: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Mar 25 16:15:23.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.251.234 peer_port: 5246
*Mar 25 16:15:23.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Mar 25 16:15:24.710: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 192.168.251.234
*Mar 25 16:15:24.711: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Mar 25 16:15:24.711: %DTLS-5-PEER_DISCONNECT: Peer 192.168.251.234 has closed connection.
*Mar 25 16:15:24.711: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 192.168.251.234:5246
*Mar 25 16:15:24.713: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

Do I need to add it to all WLCs in the mobility group? I have set the AP's primary controller via the AP's CLI, so it seems that the other controllers should not come into play. It tries to come up on the controller I have defined. And yes, there is room for the AP to join. I only have 26 APs on that controller. What's bothering me is that these APs were already up and working after I upgraded them. I have them sitting here on my bench, so they have not been on any other network other than the one that I used to upgrade. There is connectivity to the WLC, so it's not a routing or switching issue.

Does anybody have any ideas about this?

When you say they were working prior to upgrade... do you mean they worked as Autonomous or they were on an older version of LWAPP code and have now been upgraded to a newer LWAPP/CAPWAP version?

On the WLC the AP is trying to join... Can you verify that the WLC is set to accept SSC from APs?

Login to WLC --->Security--->[LeftPane] click AAA --->AP Policies....

Is the "Accept Self Signed Certificates (SSC)" checked?

They were running on another WISM that is at a 5.x version as lightweight. They were moved over to a new WISM running 6.0.199.4 and they worked fine for about a week. Then they just stopped. When I console into them I get the error that I previously posted. The first thing I did was go to the controller that they are trying to associate to and make sure under security/ap policies that accept SSC was enabled, which it was. After fighting with it for a while I decided to take it back down to Autonomous and then reupgrade it. I did this using the Cisco upgrade tool. Everything went like it should have. The AP converted and downloaded the image, rebooted and loaded the new image and joined the controller. It ran fine for 20-30 minutes with no issues. I took it offline (unplugged it) and set it on my desk. 2 days later when I went to install it, it was right back to where it was, giving me the certificate error. Before I took it out into the field to install it I brought it back up on the same exact port I used to upgrade it. Since I used the upgrade tool I had the SSC, so I added it to the controller manually. Still I get the same error. I am stuck. I have 5 of these that are acting this way out of 14 that were moved over originally. It makes no sense. They were all running the same code and came from the same controller. I have 9 that are still up and functioning and 5 that are not. Any ideas?
