
AP1832I didn’t join WLC 8.9.111

ItzikLevy4847
Level 1

Hi,

WLC sits on a virtual machine.

In the log, I see that cert validation failed:

[*08/13/2019 08:58:32.8085] Discovery Response from 192.168.108.240
[*08/13/2019 08:58:51.4271] Selected MWAR 'QAEngWLC89100' 192.168.108.240 (index 0).
[*08/13/2019 08:58:51.4271] Ap mgr count=1
[*08/13/2019 08:58:51.4271] Go join a capwap controller.
[*08/13/2019 08:58:51.4271] Choosing AP Mgr with index 0, IP = 192.168.108.240, load = 7..
[*08/13/2019 08:58:51.4271] Synchronizing time with AC time: 1565686722
[*08/13/2019 08:58:42.0000] CAPWAP State: DTLS Setup.
[*08/13/2019 08:58:42.0000]
[*08/13/2019 08:58:42.0000]
[*08/13/2019 08:58:42.0000] Cert Verification FAILED with error 20 (unable to get local issuer certificate) at 0 depth...
[*08/13/2019 08:58:42.0000]
[*08/13/2019 08:58:42.0000] /C=US/ST=California/L=San Jose/O=Cisco Virtual Wireless LAN Controller/CN=DEVICE-vWLC-AIR-CTVM-K9-005056A39B7A/emailAddress=support@vwlc.com
[*08/13/2019 08:58:42.0000] ./base_capwap/dtls/lnxshim/dtls_shim_crypto_util.c 1034: Verify Cert: FAILED at 0 depth: unable to get local issuer certificate
[*08/13/2019 08:58:42.0000] X509 OpenSSL Errors...
[*08/13/2019 08:58:42.0000]
[*08/13/2019 08:58:42.0000] NONE
[*08/13/2019 08:58:42.0000]
[*08/13/2019 08:58:42.0000]
[*08/13/2019 08:58:42.0000] Certificate verification failed!
[*08/13/2019 08:58:42.0000] ./base_capwap/capwap/capwap_wtp_dtls.c 323: Certificate verified failed!
[*08/13/2019 08:58:42.0000] DTLS: Received packet caused DTLS to close connection
[*08/13/2019 08:58:42.0000]
[*08/13/2019 08:58:42.0000] Lost connection to the controller, going to restart CAPWAP...

Please advise.

Thanks


It is failing due to certification validation.

 

Did you set vWLC time correctly?

 

HTH

Rasika

*** Pls rate all useful responses ***

Thank you.

Yes, I think I did.


(Cisco Controller) >show time

Time............................................. Wed Aug 14 10:30:47 2019

Timezone delta................................... 0:0
Timezone location................................ (GMT +2:00) Jerusalem

NTP Servers
NTP Version.................................. 3
NTP Polling Interval......................... 3600

Index  NTP Key Index  NTP Server  Status   NTP Msg Auth Status
-----  -------------  ----------  -------  -------------------
1      0              10.1.2.6    In Sync  AUTH DISABLED

Log is the same as before:


[*08/14/2019 07:30:50.8085] Discovery Response from 192.168.108.240
[*08/14/2019 07:31:09.4370] Selected MWAR 'QAEngWLC89100' 192.168.108.240 (index 0).
[*08/14/2019 07:31:09.4370] Ap mgr count=1
[*08/14/2019 07:31:09.4370] Go join a capwap controller.
[*08/14/2019 07:31:09.4370] Choosing AP Mgr with index 0, IP = 192.168.108.240, load = 5..
[*08/14/2019 07:31:09.4370] Synchronizing time with AC time: 1565767860
[*08/14/2019 07:31:00.0000] CAPWAP State: DTLS Setup.
[*08/14/2019 07:31:00.0000]
[*08/14/2019 07:31:00.0000]
[*08/14/2019 07:31:00.0000] Cert Verification FAILED with error 20 (unable to get local issuer certificate) at 0 depth...
[*08/14/2019 07:31:00.0000]
[*08/14/2019 07:31:00.0000] /C=US/ST=California/L=San Jose/O=Cisco Virtual Wireless LAN Controller/CN=DEVICE-vWLC-AIR-CTVM-K9-005056A39B7A/emailAddress=support@vwlc.com
[*08/14/2019 07:31:00.0000] ./base_capwap/dtls/lnxshim/dtls_shim_crypto_util.c 1034: Verify Cert: FAILED at 0 depth: unable to get local issuer certificate
[*08/14/2019 07:31:00.0000] X509 OpenSSL Errors...
[*08/14/2019 07:31:00.0000]
[*08/14/2019 07:31:00.0000] NONE
[*08/14/2019 07:31:00.0000]
[*08/14/2019 07:31:00.0000]
[*08/14/2019 07:31:00.0000] Certificate verification failed!
[*08/14/2019 07:31:00.0000] ./base_capwap/capwap/capwap_wtp_dtls.c 323: Certificate verified failed!
[*08/14/2019 07:31:00.0000] DTLS: Received packet caused DTLS to close connection
[*08/14/2019 07:31:00.0000]
[*08/14/2019 07:31:00.0000] Lost connection to the controller, going to restart CAPWAP...
[*08/14/2019 07:31:00.0000]
[*08/14/2019 07:31:00.0000] Capwap restart.
[*08/14/2019 07:31:00.0000] CAPWAP State: DTLS Teardown.
[*08/14/2019 07:31:00.0000]
[*08/14/2019 07:31:00.0000] [DP] Deleting capwap datapath
[*08/14/2019 07:31:00.0000] CAPWAP data tunnel delete from forwarding succeeded
[*08/14/2019 07:31:04.7485] DTLS session cleanup completed. Restarting capwap state machine.
[*08/14/2019 07:31:04.7485] Previous CAPWAP state was DTLS Setup,numOfCapwapDiscoveryResp = 1.
[*08/14/2019 07:31:04.7485] Starting Discovery.
[*08/14/2019 07:31:04.7485] CAPWAP State: Discovery.
[*08/14/2019 07:31:04.7485]
[*08/14/2019 07:31:04.7485] Did not get log server settings from DHCP.
[*08/14/2019 07:31:04.7485] DNS Option IpAddr 10.1.2.6 SwitchName CISCO-CAPWAP-CONTROLLER.corp.aeroscout.com
[*08/14/2019 07:31:04.7485] DNS resolved CISCO-CAPWAP-CONTROLLER.corp.aeroscout.com
[*08/14/2019 07:31:04.7485] DNS discover addr: 192.168.150.2
[*08/14/2019 07:31:04.7685] Discovery Request sent to 192.168.1.1 with discovery type set to 1
[*08/14/2019 07:31:04.7985] Discovery Request sent to 192.168.150.2 with discovery type set to 3
[*08/14/2019 07:31:04.8185] Discovery Request sent to 255.255.255.255 with discovery type set to 0
[*08/14/2019 07:31:04.8185] Discovery Response from 192.168.108.240

Thanks
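
A triage sketch for the AP console log above, added here as an example (not part of any poster's reply and not Cisco tooling): it extracts the OpenSSL verify code, depth and rejected certificate subject, and separates clock-related codes (9, 10) from trust-chain codes (18 to 21), using the controller epoch from the "Synchronizing time with AC time" line. It assumes the AP log timestamps are UTC; the names `triage`, `CLOCK_CODES`, `TRUST_CODES` and `SAMPLE` are made up for this example.

```python
import re
from datetime import datetime, timezone

# OpenSSL X509 verify codes, grouped by what they point at.
CLOCK_CODES = {9, 10}           # CERT_NOT_YET_VALID, CERT_HAS_EXPIRED
TRUST_CODES = {18, 19, 20, 21}  # self-signed leaf / in chain, issuer not found locally, leaf unverifiable

LINE = re.compile(r"^\[\*(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\.\d+\]\s?(.*)$")
FAIL = re.compile(r"Cert Verification FAILED with error (\d+) \((.+?)\) at (\d+) depth")
AC_TIME = re.compile(r"Synchronizing time with AC time: (\d+)")

# Constructed sample: a subset of lines copied from the AP console log in the post above.
SAMPLE = """\
[*08/13/2019 08:58:51.4271] Synchronizing time with AC time: 1565686722
[*08/13/2019 08:58:42.0000] CAPWAP State: DTLS Setup.
[*08/13/2019 08:58:42.0000] Cert Verification FAILED with error 20 (unable to get local issuer certificate) at 0 depth...
[*08/13/2019 08:58:42.0000]
[*08/13/2019 08:58:42.0000] /C=US/ST=California/L=San Jose/O=Cisco Virtual Wireless LAN Controller/CN=DEVICE-vWLC-AIR-CTVM-K9-005056A39B7A/emailAddress=support@vwlc.com
"""

def triage(log_text):
    """Return one finding per certificate verification failure in the log."""
    findings, ac_time, pending = [], None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, msg = m.groups()
        if (t := AC_TIME.search(msg)):
            # Epoch the controller handed to the AP just before DTLS setup.
            ac_time = datetime.fromtimestamp(int(t.group(1)), tz=timezone.utc)
        elif (f := FAIL.search(msg)):
            code = int(f.group(1))
            kind = "clock" if code in CLOCK_CODES else "trust" if code in TRUST_CODES else "other"
            ap_time = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone.utc)  # assumed UTC
            pending = {"code": code, "reason": f.group(2), "depth": int(f.group(3)),
                       "kind": kind, "ap_time": ap_time, "ac_time": ac_time, "subject": None}
            findings.append(pending)
        elif pending and pending["subject"] is None and msg.startswith("/"):
            pending["subject"] = msg  # first DN line after the failure is the rejected cert
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        skew = abs((f["ap_time"] - f["ac_time"]).total_seconds()) if f["ac_time"] else None
        print(f["kind"], f["code"], "depth", f["depth"], "skew_s", skew, f["subject"])
```

On the posted lines this reports code 20 at depth 0 as a trust-chain failure, with the AP clock equal to the controller's epoch at the moment of the failure.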

Post the complete output to the following commands:
1. vWLC: sh sysinfo;
2. AP: sh ip interface brief; and
3. AP: sh version

Thank you.

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.9.111.0
RTOS Version..................................... 8.9.111.0
Bootloader Version............................... 8.5.1.85
Emergency Image Version.......................... 8.9.100.0

OUI File Last Update Time........................ Tue Feb 06 10:44:07 UTC 2018
Build Type....................................... DATA + WPS

System Name...................................... QAEngWLC89100
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1631
IP Address....................................... 192.168.108.240
IPv6 Address..................................... ::
System Up Time................................... 5 days 21 hrs 14 mins 7 secs
System Timezone Location......................... (GMT +2:00) Jerusalem
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180

--More-- or (q)uit

Configured Country............................... Multiple Countries : IL,US

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 1
Number of Active Clients......................... 0

OUI Classification Failure Count................. 4

Memory Current Usage............................. 45
Memory Average Usage............................. 45
CPU Current Usage................................ 0
CPU Average Usage................................ 0

Flash Type....................................... Compact Flash Card
Flash Size....................................... 1073741824

Burned-in MAC Address............................ 00:50:56:A3:C2:3E
Maximum number of APs supported.................. 3000
System Nas-Id....................................
WLC MIC Certificate Types........................ SHA1
Licensing Type................................... RTU

--More-- or (q)uit
vWLC config...................................... Large

(Cisco Controller) >

 


show ip interface brief
gateway-ip : 192.168.108.1
gateway-mac : 00:50:56:A3:22:93
00:50:56:A3:55:6C
00:DE:FB:93:51:81

Interface  IP-Address      Method  Status                Protocol
wired0     192.168.108.47  DHCP    up                    up
wired1     unassigned      unset   administatively down  down
wifi0      unassigned      unset   administatively down  down
wifi1      unassigned      unset   administatively down  down
AP80E8.6FD8.5220>

 

Show version

Restricted Rights Legend

Use, duplication, or disclosure by the Government is subject to
restrictions as set forth in subparagraph (c) of the Commercial
Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and
subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

This product contains some software licensed under the
"GNU General Public License, version 2" provided with
ABSOLUTELY NO WARRANTY under the terms of
"GNU General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html

This product contains some software licensed under the
"GNU Library General Public License, version 2" provided
with ABSOLUTELY NO WARRANTY under the terms of "GNU Library
General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/lgpl-2.0.html

This product contains some software licensed under the
"GNU Lesser General Public License, version 2.1" provided
with ABSOLUTELY NO WARRANTY under the terms of "GNU Lesser
General Public License, version 2.1", available here:
http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html

Cisco AP Software, (ap1g4), [wlc-tools:/local/build/JENKINS/workspace/mobility-express-cco/v8_1_mr_throttle_respin_250915091023/router]
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Fri Sep 25 10:33:54 PDT 2015

ROM: Bootstrap program is U-Boot boot loader
BOOTLDR: U-Boot boot loader Version 21

AP80E8.6FD8.5220 uptime is 0 days, 0 hours, 1 minutes
Last reload time : Sun Oct 11 00:46:43 UTC 2015
Last reload reason : unknown

cisco AIR-AP1832I-B-K9 ARMv7 Processor rev 0 (v7l) with 997136/726424K bytes of memory.
Processor board ID KWC193300WB
AP Running Image : 8.1.122.0
Primary Boot Image : 8.1.122.0
Backup Boot Image : 0.0.0.0
AP Image type : MOBILITY EXPRESS IMAGE
AP Configuration : MOBILITY EXPRESS CAPABLE
2 Gigabit Ethernet interfaces
2 802.11 Radios
Radio FW version : 98abcb8ec39f5a28393e632baa5bfcdb
NSS FW version : NSS.AK.1.0.c4-00026-E_custC-1.24160.1

Base ethernet MAC Address : 80:E8:6F:D8:52:20
Part Number : 0-0000-00
PCA Assembly Number : 074-104313-01
PCA Revision Number : 01
PCB Serial Number : KWC193300WB
Top Assembly Part Number : 000-00000-00
Top Assembly Serial Number : KWC193300WB
Top Revision Number : A0
Product/Model Number : AIR-AP1832I-B-K9


@ItzikLevy4847 wrote:

AP Image type : MOBILITY EXPRESS IMAGE


The AP is running Mobility Express image.  This is the reason why it doesn't want to join the controller.

Remote or console into the AP and use the command "ap-type capwap" to convert the AP to CAPWAP.

Thank you.

How can I solve that?

Thanks 

Thank you.

I tried it.

AP image type stays Mobility Express Image.

Thanks


cisco AIR-AP1832I-B-K9 ARMv7 Processor rev 0 (v7l) with 997136/727924K bytes of memory.
Processor board ID KWC193300WB
AP Running Image : 8.1.122.0
Primary Boot Image : 8.1.122.0
Backup Boot Image : 0.0.0.0
AP Image type : MOBILITY EXPRESS IMAGE
AP Configuration : NOT MOBILITY EXPRESS CAPABLE
2 Gigabit Ethernet interfaces
2 802.11 Radios
Radio FW version : 98abcb8ec39f5a28393e632baa5bfcdb
NSS FW version : NSS.AK.1.0.c4-00026-E_custC-1.24160.1

Base ethernet MAC Address : 80:E8:6F:D8:52:20
Part Number : 0-0000-00
PCA Assembly Number : 074-104313-01
PCA Revision Number : 01
PCB Serial Number : KWC193300WB
Top Assembly Part Number : 000-00000-00
Top Assembly Serial Number : KWC193300WB
Top Revision Number : A0
Product/Model Number : AIR-AP1832I-B-K9

 

Did you reboot the AP?

Yes

nawir
Level 1
This is CAPWAP
# sh ver
cisco AIR-AP1832I-F-K9 ARMv7 Processor rev 0 (v7l) with 997268/712548K bytes of memory.
Processor board ID KWC224703U7
AP Running Image     : 8.5.161.0
Primary Boot Image   : 8.5.161.0
Backup Boot Image    : 8.3.143.0
AP Image type    : MOBILITY EXPRESS IMAGE
AP Configuration : NOT MOBILITY EXPRESS CAPABLE
2 Gigabit Ethernet interfaces
2 802.11 Radios
Radio FW version : 64035bf3490c0cb9e24ce9b09a56fe6c
NSS FW version : NSS.AK.C.CS-3-fix3
 
# ap-type mobility-express
# sh ver
AP Running Image     : 8.5.161.0
Primary Boot Image   : 8.5.161.0
Backup Boot Image    : 8.3.143.0
AP Image type    : MOBILITY EXPRESS IMAGE
AP Configuration : MOBILITY EXPRESS CAPABLE
 

I am still in doubt whether:
1. An AP with the ME image plus "ap-type capwap" can connect to the WLC.
If yes, do you think it is better in the future to just use the ME image instead of the CAPWAP image?
Thanks