In Cisco Switch 3850 not able to add AP

Hello everybody.

I tried to make a lab with a Cisco switch 3850-24ps and a few AIR-CAP2702I-A-K9 APs. The task seemed easy at first: make the Cisco switch a wireless controller and join the APs, but I couldn't do this. I tried configuring the switch from the console and from the GUI, but the result and the errors are the same.

The errors from the switch:

*Dec 4 15:10:36.892: *%DTLS-3-PKI_ERROR:Switch 1 R0/0: wcm: PKI initialization error : Certificate initialization failed
*Dec 4 15:10:36.892: *%CAPWAP-3-DTLS_DB_ERR:Switch 1 R0/0: wcm: 0000.0000.0000: Failed to create DTLS connection for AP 10:0:0:6 (45847).
*Dec 4 15:11:06.062: *%CAPWAP-6-DTLS_CONN_ERR2:Switch 1 R0/0: wcm: DTLS connection not found for AP 10.0.0.7 (35954), Controller: 10.0.0.1 (5246) dtls payload
*Dec 4 15:11:22.891: *%CAPWAP-6-DTLS_CONN_ERR2:Switch 1 R0/0: wcm: DTLS connection not found for AP 10.0.0.6 (45847), Controller: 10.0.0.1 (5246) dtls payload
*Dec 4 15:11:26.061: *%DTLS-3-PKI_ERROR:Switch 1 R0/0: wcm: PKI initialization error : Certificate initialization failed
*Dec 4 15:11:26.062: *%CAPWAP-3-DTLS_DB_ERR:Switch 1 R0/0: wcm: 0000.0000.0000: Failed to create DTLS connection for AP 10:0:0:7 (35954).


Errors from the one of access points:

*Dec 4 15:16:16.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.0.1 peer_port: 5246
*Dec 4 15:16:19.531: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Dec 4 15:16:45.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0x45F18CC!

*Dec 4 15:17:15.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.0.0.1:5246
*Dec 4 15:17:15.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

 

 

Configuration from the Cisco 3850:

Current configuration : 9563 bytes
!
! Last configuration change at 14:58:19 UTC Wed Dec 4 2019
!
version 16.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname WCL
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
no aaa new-model
switch 1 provision ws-c3850-24p
!
!
!
!
!
!
!
ip name-server 172.24.1.1
ip domain name navy.dod.ua
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool WIRELESS_MGMT_POOL
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
!
!
!
!
!
!
!
!
!
!
central-management-version 720575944674246658
!
crypto pki trustpoint TP-self-signed-2961917191
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2961917191
revocation-check none
rsakeypair TP-self-signed-2961917191
!
!
crypto pki certificate chain TP-self-signed-2961917191
certificate self-signed 01
quit
!
license boot level ipservicesk9
diagnostic bootup level minimal
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
username kolomoetsav privilege 15 secret 5 $1$NAbt$NpYAeDE1L7HcEW4AdQzDW.
!
redundancy
mode sso
!
!
!
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, SGT Cache Full, LOGGING
class-map match-any system-cpp-default
description DHCP snooping, show forward and rest of traffic
class-map match-any system-cpp-police-sys-data
description Learning cache ovfl, Crypto Control, Exception, EGR Exception, NFL SAMPLED DATA, Gold Pkt, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-multicast
description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-control-low-priority
description ICMP redirect and general punt
class-map match-any system-cpp-police-wireless-priority1
description Wireless priority 1
class-map match-any system-cpp-police-wireless-priority2
description Wireless priority 2
class-map match-any system-cpp-police-wireless-priority3-4-5
description Wireless priority 3,4 and 5
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
!
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
policy-map system-cpp-policy
class system-cpp-police-data
police rate 200 pps
class system-cpp-police-sys-data
police rate 100 pps
class system-cpp-police-sw-forward
police rate 1000 pps
class system-cpp-police-multicast
police rate 500 pps
class system-cpp-police-multicast-end-station
police rate 2000 pps
class system-cpp-police-punt-webauth
class system-cpp-police-l2-control
class system-cpp-police-routing-control
police rate 1800 pps
class system-cpp-police-control-low-priority
class system-cpp-police-wireless-priority1
class system-cpp-police-wireless-priority2
class system-cpp-police-wireless-priority3-4-5
class system-cpp-police-topology-control
class system-cpp-police-dot1x-auth
class system-cpp-police-protocol-snooping
class system-cpp-police-forus
class system-cpp-default
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
ip address 192.168.85.10 255.255.255.0
negotiation auto
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface Vlan1
ip address 10.10.10.231 255.255.255.0
!
interface Vlan2
ip dhcp relay information trusted
ip address 10.0.0.1 255.255.255.0
ip helper-address 10.0.0.1
!
ip default-gateway 192.168.85.11
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 192.168.85.11
ip ssh version 2
!
ip access-list extended AutoQos-4.0-wlan-Acl-Bulk-Data
permit tcp any any eq 22
permit tcp any any eq 465
permit tcp any any eq 143
permit tcp any any eq 993
permit tcp any any eq 995
permit tcp any any eq 1914
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit tcp any any eq smtp
permit tcp any any eq pop3
ip access-list extended AutoQos-4.0-wlan-Acl-MultiEnhanced-Conf
permit udp any any range 16384 32767
permit tcp any any range 50000 59999
ip access-list extended AutoQos-4.0-wlan-Acl-Scavanger
permit tcp any any range 2300 2400
permit udp any any range 2300 2400
permit tcp any any range 6881 6999
permit tcp any any range 28800 29100
permit tcp any any eq 1214
permit udp any any eq 1214
permit tcp any any eq 3689
permit udp any any eq 3689
permit tcp any any eq 11999
ip access-list extended AutoQos-4.0-wlan-Acl-Signaling
permit tcp any any range 2000 2002
permit tcp any any range 5060 5061
permit udp any any range 5060 5061
ip access-list extended AutoQos-4.0-wlan-Acl-Transactional-Data
permit tcp any any eq 443
permit tcp any any eq 1521
permit udp any any eq 1521
permit tcp any any eq 1526
permit udp any any eq 1526
permit tcp any any eq 1575
permit udp any any eq 1575
permit tcp any any eq 1630
permit udp any any eq 1630
permit tcp any any eq 1527
permit tcp any any eq 6200
permit tcp any any eq 3389
permit tcp any any eq 5985
permit tcp any any eq 8080
!
!
!
!
control-plane
service-policy input system-cpp-policy
!
!
no vstack
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login local
transport preferred none
transport input ssh
line vty 5 15
login local
transport preferred none
transport input ssh
!
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
wireless mobility controller
wireless management interface Vlan2
wlan WIFI 1 WIFI
client vlan 2
no security wpa akm dot1x
security wpa akm psk set-key ascii 0 11111111
no shutdown
ap country UA
ap dot11 airtime-fairness policy-name Default 0
ap group default-group
ap hyperlocation ble-beacon 0
ap hyperlocation ble-beacon 1
ap hyperlocation ble-beacon 2
ap hyperlocation ble-beacon 3
ap hyperlocation ble-beacon 4
end

 

With Best Regards and thanks for help))))

Re: In Cisco Switch 3850 not able to add AP

I'm missing some time synchronization.

Try setting up the 3850 as an NTP server for the AP.

Otherwise, set up the 3850 as an NTP client to the same source that the AP can use.


Re: In Cisco Switch 3850 not able to add AP

Thanks, but that did not help.

ntp master

interface Vlan2
ip dhcp relay information trusted
ip address 10.0.0.1 255.255.255.0
ip helper-address 10.0.0.1
ntp broadcast

 

The error is the same.

Dec 10 16:33:11.511: *%CAPWAP-6-DTLS_CONN_ERR2:Switch 1 R0/0: wcm: DTLS connection not found for AP 10.0.0.5 (35954), Controller: 10.0.0.1 (5246) dtls payload
Dec 10 16:33:47.011: *%DTLS-3-PKI_ERROR:Switch 1 R0/0: wcm: PKI initialization error : Certificate initialization failed
Dec 10 16:33:47.012: *%CAPWAP-3-DTLS_DB_ERR:Switch 1 R0/0: wcm: 0000.0000.0000: Failed to create DTLS connection for AP 10:0:0:6 (35954).
Dec 10 16:33:49.011: *%DTLS-3-PKI_ERROR:Switch 1 R0/0: wcm: PKI initialization error : Certificate initialization failed
Dec 10 16:33:49.012: *%CAPWAP-3-DTLS_DB_ERR:Switch 1 R0/0: wcm: 0000.0000.0000: Failed to create DTLS connection for AP 10:0:0:6 (35954).
Dec 10 16:33:53.011: *%DTLS-3-PKI_ERROR:Switch 1 R0/0: wcm: PKI initialization error : Certificate initialization failed
Dec 10 16:33:53.011: *%CAPWAP-3-DTLS_DB_ERR:Switch 1 R0/0: wcm: 0000.0000.0000: Failed to create DTLS connection for AP 10:0:0:6 (35954).
Dec 10 16:34:01.011: *%DTLS-3-PKI_ERROR:Switch 1 R0/0: wcm: PKI initialization error : Certificate initialization failed
Dec 10 16:34:01.011: *%CAPWAP-3-DTLS_DB_ERR:Switch 1 R0/0: wcm: 0000.0000.0000: Failed to create DTLS connection for AP 10:0:0:6 (35954).
Dec 10 16:34:08.922: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/0/1 (1), with Switch.sw-cis.navy.dod.ua FastEthernet0/28 (3).
WCL>
WCL>en
WCL#sh ap jo
WCL#sh ap join s
WCL#sh ap join stats s
WCL#sh ap join stats summary
Number of APs : 1

Base MAC        Ethernet MAC    AP Name           IP Address  Status
---------------------------------------------------------------------------------
5c83.8fd8.c71c  0000.0000.0000  AP5c83.8fd8.c71c  10.0.0.6    Not Joined
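
Added example, not part of the original thread: a small triage script that parses the switch-side syslog lines quoted above and, per AP, counts how many "Failed to create DTLS connection" events directly follow a controller-side `PKI_ERROR`. The function name `triage`, the 1-second correlation window and the default year (taken from the configuration's "Last configuration change" line, since the syslog lines carry no year) are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Switch-side lines as posted in the first message of the thread.
SAMPLE = """\
*Dec 4 15:10:36.892: *%DTLS-3-PKI_ERROR:Switch 1 R0/0: wcm: PKI initialization error : Certificate initialization failed
*Dec 4 15:10:36.892: *%CAPWAP-3-DTLS_DB_ERR:Switch 1 R0/0: wcm: 0000.0000.0000: Failed to create DTLS connection for AP 10:0:0:6 (45847).
*Dec 4 15:11:06.062: *%CAPWAP-6-DTLS_CONN_ERR2:Switch 1 R0/0: wcm: DTLS connection not found for AP 10.0.0.7 (35954), Controller: 10.0.0.1 (5246) dtls payload
*Dec 4 15:11:26.061: *%DTLS-3-PKI_ERROR:Switch 1 R0/0: wcm: PKI initialization error : Certificate initialization failed
*Dec 4 15:11:26.062: *%CAPWAP-3-DTLS_DB_ERR:Switch 1 R0/0: wcm: 0000.0000.0000: Failed to create DTLS connection for AP 10:0:0:7 (35954).
"""

# timestamp, then %FACILITY-SEVERITY-MNEMONIC: message (leading '*' is optional)
LINE = re.compile(r"^\*?(?P<ts>\w{3}\s+\d+\s+\d+:\d+:\d+\.\d+):\s+\*?%"
                  r"(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+):\s*(?P<msg>.*)$")
# The AP address appears dotted in some messages and colon-separated in others.
AP = re.compile(r"for AP (?P<ip>\d+[.:]\d+[.:]\d+[.:]\d+) \((?P<port>\d+)\)")


def triage(log_text, window=1.0, year=2019):
    """Per AP: DTLS failures tied to a controller PKI error vs. plain 'not found'."""
    last_pki = None
    result = defaultdict(lambda: {"pki_linked": 0, "conn_not_found": 0})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompts, blank lines, non-syslog output
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        if m["fac"] == "DTLS" and m["mnem"] == "PKI_ERROR":
            last_pki = ts  # controller-side certificate initialization failure
            continue
        ap = AP.search(m["msg"])
        if not ap:
            continue
        ip = ap["ip"].replace(":", ".")  # normalise 10:0:0:6 -> 10.0.0.6
        if (m["mnem"] == "DTLS_DB_ERR" and last_pki is not None
                and 0 <= (ts - last_pki).total_seconds() <= window):
            result[ip]["pki_linked"] += 1
        elif m["mnem"] == "DTLS_CONN_ERR2":
            result[ip]["conn_not_found"] += 1
    return dict(result)


if __name__ == "__main__":
    for ip, counts in sorted(triage(SAMPLE).items()):
        print(ip, counts)
```

On the quoted lines, every `DTLS_DB_ERR` falls within a millisecond of a `PKI_ERROR` logged by the switch itself, which places the failure in the controller's certificate initialization rather than in the AP's DTLS request.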
