01-28-2019 09:33 AM - edited 07-05-2021 09:45 AM
My educational client has approximately 50 3802i LAPs deployed across the campus. Over the weekend, they managed to blow up the only working copy of their vWLC. I was able to stand one up quickly and get new LAPs to connect, but I can't get the existing ones to connect to the new controller without resetting them at the console (ssh/telnet disabled). The problem appears to be a WLC/certificate validation error (APs are caching the old controller info).
I've tried the obvious stuff like giving the new controller a different name/IP, etc. I'm out of ideas.
I'd obviously like to avoid visiting 50 different classrooms and climbing the ladder 100 times to fix this. Is there a workaround for resetting the APs if I don't have access to the old WLC or its certificates?
Thanks so much!
01-28-2019 10:06 AM
How are the APs configured to discover the WLC?
Do you see AP join requests on the new controller from the old APs? See what the status is under "Monitor --> Statistics --> AP Join".
Decode the "Last Error Summary" message for those old APs, if you see an entry there. Console into one AP and see the boot messages.
Check that "Security --> Policy Configuration --> Accept Manufactured Installed Certificate (MIC)" is checked on the new controller. Also, you can check the other options such as "Self Signed Cert, Local Significant Cert etc."
Here is a good blog post about the AP - WLC join process.
http://revolutionwifi.blogspot.com/2010/11/capwap-ap-join-process.html
Make sure you keep only the required AP Policies once the old APs join the WLC.
Check NTP and Country codes as well.
*** Please rate all helpful posts ***
Jagan
01-28-2019 10:10 AM
Thanks Jagan.
I see the discover but never a join request (all zeros in the stats). The country codes are good (these were working up until Friday when the server admin burned the VM to the ground). The clock is good. Ironically, there were six APs that worked without intervention. They are the same model but they were installed later, so I don't know what is different.
Resetting the config fixes the problem. I'm on AP 6 of 44 now.... ugh.
01-28-2019 10:12 AM
You can also try using the following command on your WLC.
config ap cert-expiry-ignore {mic|ssc} enable
With this command in effect, the WLC and AP will ignore the expiration date on the device MICs and SSCs.
01-28-2019 10:30 AM
Can you share the AP boot console output?
Can you share debug output for the following on the WLC (filter it for one AP)?
debug capwap events enable
debug capwap packet enable
debug pm pki enable
Jagan
06-25-2020 02:10 AM
If you run into such a problem, disable your NTP server and change the time manually to a year before, and the APs should join. Afterwards you can upload the new certs.