AP803 does not connect to the WLC

raffzwo (Level 1)

Hello everyone,

I have a small problem with an IR829M and the AP803 it contains.
The setup looks like this:

WLC 5520 Management (172.16.0.10 SFP Port 1 / 1G) --- (172.16.0.1 GE0/0/1) ISR 4400 Series Router (192.168.2.251 GE0/0/0) --- (192.168.2.249 GE0) IR829M (192.168.125.1 Wlan-GE 0) --- (192.168.125.2 BVI1) AP803

I can reach the WLC by ping but still get an error message on the CLI of the router:
Please check router config to ensure connectivity between WLC and AP

There are also no ACLs that could somehow block communication.

software:
WLC 5520: 8.10.130.0
AP: 15.3(3)JF4 -> UPGRADED TO 15.3.3-JK3
IR829M: 15.9(3)M2a

The AP receives the controller IP via DHCP option 43.

Can anyone help me?
If more information is needed, I will provide it.

Best regards

14 Replies

marce1000 (VIP)

- Check all compatibility requirements between AP and controller here:

                 https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

 M.




Thanks for your post.

I upgraded the integrated AP803 (15.3(3)JK3) to the latest software version which is supported by the WLC code (8.10.130.0).

Unfortunately that did not solve my problem.

Rich R (VIP)

"I can reach the WLC by ping" - so you can ping the WLC from the AP or not?

If you can't ping then it's a routing problem which you need to fix first.  WLC needs a default route or specific route to reach AP and AP needs a default route (from DHCP) to reach the WLC.  Both routers need routes to reach WLC and AP.

 

Is the AP running a CAPWAP (k9w8) IOS image?  If it's running an autonomous image (k9w7) then you'll have to change it to lightweight https://software.cisco.com/download/home/286289271/type/280775090/release/15.3.3-JK3

 

"show capwap client rcb" from AP and the full logs from the AP from boot

"show ap join stats summary <Cisco AP Mac>" and "show ap join stats detailed <Cisco AP Mac>" from the WLC and any logs from the WLC which might indicate what the problem is.

Hi,

this is the output I get for the WLC commands:

 

(Cisco Controller) >show ap join stats summary all

Number of APs.............................................. 1

Base Mac             AP EthernetMac       AP Name                 IP Address         Status
70:6d:15:d9:f0:00    N A                  AP706d.15d9.f00c        192.168.125.132    Not Joined


(Cisco Controller) >show ap join stats detailed 706d.15d9.f00c
No join information found for AP: 70:6d:15:d9:f0:0c

The AP runs on software version 15.3.3-JK3.

 

(Cisco Controller) >ping 192.168.125.133

Send count=3, Receive count=3 from 192.168.125.133

The AP is currently cycling through the DHCP addresses available in the pool.

 

Thanks

raffzwo (Level 1)

Hi,

I have upgraded the AP to the software compatible with the WLC:

8.10.130.0 (WLC) - 15.3(3)JK3 (AP803)

Now I get a Bad Certificate error:

 

*Oct 28 14:46:46.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Oct 28 14:47:43.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.0.10 peer_port: 5246Peer certificate verification failed FFFFFFFF

*Oct 28 14:47:43.003: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:509 Certificate verified failed!
*Oct 28 14:47:43.003: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 172.16.0.10:5246
*Oct 28 14:47:43.003: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.0.10:5246

Thanks

Have you checked https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html ?

Also have you tried to reset the AP to factory default?

Hi,

8.10.130.0 does not seem to be affected.

I also have a WLC 3504 with the same code running, and no problems there when trying to connect the AP.

I've tested with a new IR829M with a really basic config only, to see if the AP connects, but that did not work either.

Dumb question: is there anything else that I need to do when deploying the 5520? I just went through the config wizard on the CLI and assigned IP addresses to the management port and SP.

Thanks for your help

raffzwo (Level 1)

Today I compared the certificates on both WLCs (show certificate all).

 

I found out that the 3504 had one more certificate installed (NA server CA cert):

 

 

Certificate Name: NA server CA cert

     Subject Name :
         C=PL, ST=mazowieckie, L=Warsaw, O=PANSA, CN=PANSA Netadmin Root CA
     Issuer Name :
         C=PL, ST=mazowieckie, L=Warsaw, O=PANSA, CN=PANSA Netadmin Root CA
     Serial Number (Hex):
         AE5CF404924E37EC
     Validity :
         Start : Jul  6 08:17:00 2018 GMT
         End   : Jul  1 08:17:00 2038 GMT
     Signature Algorithm :
         sha256WithRSAEncryption
     Hash key :
         SHA1 Fingerprint  : 87:55:82:30:32:7e:2f:dc:d2:e4:6c:c4:6c:e6:9f:0a:d1:2f:da:2a
         SHA256 Fingerprint  : c3:90:36:14:dd:69:09:17:26:b2:a5:84:3d:ee:0a:f0:c9:e9:4e:d1:0d:5c:c1:5f:d8:f3:cc:12:d7:f6:f6:58

I downloaded the cert from the WLC 3504 and imported it on the 5520.

 

That did not fix the issue.

Is there any way to make sure that all the certificates are correct?

 

Best regards
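An added example (my own code, not the poster's and not Cisco's) that does the comparison the post above describes: it parses `show certificate all` output from two controllers, lists the certificates one has and the other lacks, flags self-signed roots, and checks expiry. The PANSA root entry is taken from the post; the second entry, the date used as "now", and which inventory belongs to the 3504 and which to the 5520 are constructed assumptions for the example.

```python
"""Compare `show certificate all` inventories of two Cisco AireOS WLCs.
Added example (not from this thread or Cisco). The PANSA root sample below is
copied from the post; the second entry is constructed with hypothetical values.
"""
import re
from datetime import datetime, timedelta, timezone

_SECTION = re.compile(r"^\s*(Subject Name|Issuer Name|Serial Number \(Hex\)|"
                      r"Validity|Signature Algorithm|Hash key)\s*:\s*(.*?)\s*$")
_KV = re.compile(r"^\s*(Start|End|SHA1 Fingerprint|SHA256 Fingerprint)\s*:\s*(.+?)\s*$")
_FIELD = {"Subject Name": "subject", "Issuer Name": "issuer",
          "Serial Number (Hex)": "serial", "Signature Algorithm": "sig_alg"}

def _parse_time(s):
    """'Jul  6 08:17:00 2018 GMT' -> aware datetime (AireOS prints GMT)."""
    s = s.replace(" GMT", "").strip()
    return datetime.strptime(s, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_dn(dn):
    """'C=PL, O=PANSA, CN=x' -> {'C': 'PL', 'O': 'PANSA', 'CN': 'x'}."""
    pairs = (p.split("=", 1) for p in dn.split(",") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def parse_show_certificate_all(text):
    """One dict per 'Certificate Name:' block, in display order."""
    certs, cur, section = [], None, None
    for line in text.splitlines():
        m = re.match(r"^\s*Certificate Name:\s*(.+?)\s*$", line)
        if m:                                   # start of a new block
            cur, section = {"name": m.group(1)}, None
            certs.append(cur)
            continue
        if cur is None or not line.strip():
            continue
        m = _SECTION.match(line)
        if m:                                   # sub-section header
            section = m.group(1)
            if m.group(2) and section in _FIELD:  # value on the same line
                cur[_FIELD[section]] = m.group(2)
            continue
        m = _KV.match(line)
        if m:                                   # Validity / Hash key rows
            key, val = m.groups()
            if key == "Start":
                cur["not_before"] = _parse_time(val)
            elif key == "End":
                cur["not_after"] = _parse_time(val)
            else:                               # sha1 / sha256, lowercased
                cur[key.split()[0].lower()] = val.lower()
        elif section in _FIELD:                 # value of the current field
            cur[_FIELD[section]] = line.strip()
    return certs

def is_self_signed(cert):
    # Subject equals issuer: a root, which vouches only for itself.
    return "subject" in cert and cert["subject"] == cert.get("issuer")

def diff_inventories(certs_a, certs_b):
    """Certificates on one controller but not the other, matched by SHA256."""
    a = {c["sha256"]: c for c in certs_a if "sha256" in c}
    b = {c["sha256"]: c for c in certs_b if "sha256" in c}
    return {"only_in_a": [a[k] for k in a.keys() - b.keys()],
            "only_in_b": [b[k] for k in b.keys() - a.keys()]}

def expiring(certs, now, within=timedelta(days=90)):
    """Certificates already expired or expiring within `within` of `now`."""
    return [c for c in certs if "not_after" in c and c["not_after"] - now < within]

# Sample 'show certificate all' output. PANSA root: copied from the post.
PANSA_ROOT = """\
Certificate Name: NA server CA cert
     Subject Name :
         C=PL, ST=mazowieckie, L=Warsaw, O=PANSA, CN=PANSA Netadmin Root CA
     Issuer Name :
         C=PL, ST=mazowieckie, L=Warsaw, O=PANSA, CN=PANSA Netadmin Root CA
     Serial Number (Hex):
         AE5CF404924E37EC
     Validity :
         Start : Jul  6 08:17:00 2018 GMT
         End   : Jul  1 08:17:00 2038 GMT
     Signature Algorithm :
         sha256WithRSAEncryption
     Hash key :
         SHA1 Fingerprint  : 87:55:82:30:32:7e:2f:dc:d2:e4:6c:c4:6c:e6:9f:0a:d1:2f:da:2a
         SHA256 Fingerprint  : c3:90:36:14:dd:69:09:17:26:b2:a5:84:3d:ee:0a:f0:c9:e9:4e:d1:0d:5c:c1:5f:d8:f3:cc:12:d7:f6:f6:58
"""
# Constructed entry (hypothetical name, DN, serial; fingerprints shortened).
DEVICE_CERT = """\
Certificate Name: example device cert
     Subject Name :
         C=US, O=Example, CN=wlc.example.test
     Issuer Name :
         C=US, O=Example, CN=Example Intermediate CA
     Serial Number (Hex):
         0102030405060708
     Validity :
         End   : Dec 31 23:59:59 2020 GMT
     Hash key :
         SHA256 Fingerprint  : AA:BB:CC:DD
"""
WLC_3504 = PANSA_ROOT + DEVICE_CERT   # assumed: the working controller
WLC_5520 = DEVICE_CERT                # assumed: the failing one lacks the root
EXAMPLE_NOW = datetime(2020, 10, 30, tzinfo=timezone.utc)  # assumed date
```

Matching by SHA256 fingerprint rather than by the certificate's display name avoids being fooled by two controllers that carry different certificates under the same label, which is exactly what a visual comparison of `show certificate all` can miss.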

raffzwo (Level 1)

While debugging, I found out that there is no trustpoint on the 5520 for my APs:

*Oct 30 13:27:45.003: CRYPTO_PKI: (6000F) Adding peer certificate
*Oct 30 13:27:45.003: CRYPTO_PKI: ip-ext-val: IP extension validation not required
*Oct 30 13:27:45.003: CRYPTO_PKI: (6000F) Check for identical certs
*Oct 30 13:27:45.003: CRYPTO_PKI : (6000F) Validating non-trusted cert
*Oct 30 13:27:45.003: CRYPTO_PKI: (6000F) Create a list of suitable trustpoints
*Oct 30 13:27:45.003: CRYPTO_PKI: (6000F) No suitable trustpoints foundPeer certificate verification failed FFFFFFFF

Can anyone tell me if reinstalling the WLC software would help with the certs, or should I copy the certs from my 3504 over to my 5520?
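An added example (my own code, not from this thread or from Cisco) that serves both the Bad Certificate AP log quoted earlier and the CRYPTO_PKI debug just above: it runs a small rule set over those log lines plus the controller's `show ap join stats` output, tags each line with the join stage it belongs to, pulls the controller address and the DTLS alert types out of the messages (coping with the lines where two messages were run together, such as `5246Peer certificate verification failed`), and returns a verdict with the checks suggested in this thread. The rule wording and advice strings are the example's own; the sample lines are copied from the thread.

```python
"""Triage an AP's CAPWAP/DTLS join failure from log lines.
Added example (not from this thread or Cisco). The sample lines are copied from
the thread; rule wording and the suggested checks are this example's own.
"""
import re

# Each rule: regex, stage, meaning. A line may hit several rules because the
# thread's logs run two messages together (e.g. "5246Peer certificate ...").
RULES = [
    (re.compile(r"%CAPWAP-5-DTLSREQSEND: .*peer_ip: (?P<ip>[\d.]+) peer_port: (?P<port>\d+)"),
     "dtls_request", "AP sent a DTLS connection request to the controller"),
    (re.compile(r"CRYPTO_PKI.*No suitable trustpoints found"),
     "pki_no_trustpoint", "no configured trustpoint chains to the peer certificate"),
    (re.compile(r"Peer certificate verification failed|Certificate verified failed"),
     "peer_cert_rejected", "the peer's certificate failed validation"),
    (re.compile(r"%DTLS-5-SEND_ALERT: Send FATAL : (?P<alert>[A-Za-z ]+?) Alert to (?P<ip>[\d.]+):(?P<port>\d+)"),
     "dtls_fatal_alert", "DTLS handshake aborted with a fatal alert"),
    (re.compile(r"^No join information found for AP"),
     "wlc_no_join_record", "controller has no join record for this AP"),
    (re.compile(r"\bNot Joined\s*$"),
     "wlc_not_joined", "controller lists the AP as Not Joined"),
]
TS = re.compile(r"^\*?(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?)")

def triage(lines):
    """Return one finding per (line, rule) match: stage, meaning, ts, fields."""
    findings = []
    for line in lines:
        t = TS.match(line)
        for rx, stage, meaning in RULES:
            m = rx.search(line)
            if m:
                findings.append({"stage": stage, "meaning": meaning,
                                 "ts": t.group("ts") if t else None,
                                 "fields": m.groupdict()})
    return findings

def diagnose(findings):
    """Pick the earliest failing stage and say what to check next."""
    stages = {f["stage"] for f in findings}
    peer = next((f["fields"] for f in findings if f["stage"] == "dtls_request"), {})
    if stages & {"peer_cert_rejected", "pki_no_trustpoint"}:
        verdict = "DTLS handshake failed: certificate validation"
        advice = ("The verifying side has no trustpoint/CA that chains to the peer "
                  "certificate. Compare 'show certificate all' on a working and a "
                  "failing controller, and check the MIC/SSC join policy and "
                  "'config ap cert-expiry-ignore {mic|ssc} enable'.")
    elif "dtls_fatal_alert" in stages:
        verdict = "DTLS handshake failed: fatal alert"
        advice = "Look at the alert type; the session was torn down before any join request."
    elif "dtls_request" in stages:
        verdict = "DTLS request sent, no failure logged"
        advice = "Check IP reachability and UDP/5246 between AP and controller in both directions."
    else:
        verdict = "no CAPWAP/DTLS activity found"
        advice = "Confirm the AP runs a lightweight (k9w8) image and has learned a controller address."
    if stages & {"wlc_no_join_record", "wlc_not_joined"}:
        advice += " Empty join stats on the controller are consistent with a failure before the join phase."
    return {"verdict": verdict, "advice": advice,
            "controller": peer.get("ip"), "port": peer.get("port")}

# Sample input, copied from the thread: AP console lines, the CRYPTO_PKI debug
# line, and the controller's 'show ap join stats' lines.
SAMPLE_LINES = [
    "*Oct 28 14:46:46.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.",
    "*Oct 28 14:47:43.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.0.10 peer_port: 5246Peer certificate verification failed FFFFFFFF",
    "*Oct 28 14:47:43.003: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:509 Certificate verified failed!",
    "*Oct 28 14:47:43.003: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 172.16.0.10:5246",
    "*Oct 28 14:47:43.003: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.0.10:5246",
    "*Oct 30 13:27:45.003: CRYPTO_PKI: (6000F) No suitable trustpoints foundPeer certificate verification failed FFFFFFFF",
    "70:6d:15:d9:f0:00    N A                  AP706d.15d9.f00c        192.168.125.132    Not Joined",
    "No join information found for AP: 70:6d:15:d9:f0:0c",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f["ts"], f["stage"], f["fields"])
    print(diagnose(triage(SAMPLE_LINES)))
```

The ordering matters: a certificate-validation finding outranks the fatal alert that follows it, because the alert is the consequence, and both outrank the controller's empty join statistics, which only confirm that nothing reached the join phase.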

 

Never heard of this.

Have you enabled this on the WLC: Accept Manufactured Installed Certificate (MIC) ?

If the AP is too old, make sure this is enabled on the WLC:

config ap cert-expiry-ignore {mic|ssc} enable

I have already tried it with these settings.
The AP is an integrated AP803 in the IR829M Router

Does it work with the 3504?

Works fine with the 3504.

I don't have to play around with any of these settings on the 3504.

Then it should be also working with the 5520. Either some configuration is different or something is broken. You could compare it by using a show run-config on both WLC.