Solved: Re: AIR-AP1562I-E-K9 not joining WLC 5508

mhmservice · ‎06-03-2020

Hi all

I have 2x newly installed AIR-AP1562I-E-K9 that won't join a 5508 controller

I have added AP MACs to the "AP Policy" section of the web interface (never had to do that before for other APs)

"debug capwap errors enable" gives the following (not very helpful):

*spamApTask6: Jun 03 15:43:37.539: [SA] 4c:xx:xx:xx:xx:xx ApModel: AIR-AP1562I-E-K9

CDP on the switch with AP Connected shows as follows:

Device ID: AP4CE1.xxxx.xxxx
Entry address(es):
IP address: 10.x.x.x
Platform: cisco AIR-AP1562I-E-K9, Capabilities: Router Trans-Bridge
Interface: GigabitEthernet0/21, Port ID (outgoing port): GigabitEthernet0
Holdtime : 146 sec

Version :
Cisco AP Software, ap3g3-k9w8 Version: 8.3.143.0
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2014-2015 by Cisco Systems, Inc.

advertisement version: 2
Power drawn: 29.900 Watts
Power request id: 27402, Power management id: 2
Power request levels are:29900 15400 0 0 0
Management address(es):
IP address: 10.x.x.x

Controller running the following software

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.3.143.0
Bootloader Version............................... 1.0.20

Does anyone have any ideas to fix this? Other APs in the site work fine (mix of 1602 and 1702)

The AP is installed in an extremely inaccessible location in a remote branch so console connection isn't an easy option..

mhmservice · ‎06-12-2020

I was affected by this bug

https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html

Our SHA1 certificate expired in March 2020, I hadn't tried to connect any new APs since then

I worked around it by changing the time on the WLC back to 2019 and the APs joined instantly

I will try to get the fixed firmware mentioned installed

View solution in original post

Sandeep Choudhary · ‎06-03-2020

paste the output of the command:

sh sysinfo from WLC

Check if time and date settings are corecct on WLC

Check if you add the correct AP mac address on wlc.

alos check the status (Monitoring>>Statistics>>AP Joint)

Regards

Dont forget to arte helpful posts

mhmservice · ‎06-04-2020

sh sysinfo:

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.3.143.0
Bootloader Version............................... 1.0.20
Field Recovery Image Version..................... 7.6.101.1
Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2
OUI File Update Time............................. Sun Sep 07 10:44:07 IST 2014

Build Type....................................... DATA + WPS

System Name...................................... WLC1
System Location.................................. 
System Contact................................... 
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
Redundancy Mode.................................. SSO
IP Address....................................... 10.4.1.8
IPv6 Address..................................... ::
Last Reset....................................... Software reset
System Up Time................................... 58 days 16 hrs 48 mins 16 secs
System Timezone Location......................... (GMT +1:00) Amsterdam, Berlin, Rome, Vienna
System Stats Realtime Interval................... 5

--More-- or (q)uit
System Stats Normal Interval..................... 180

Configured Country............................... Multiple Countries : CA,DE,RU,US,ZA
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +38 C
External Temperature............................. +27 C
Fan Status....................................... OK

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 10
Number of Active Clients......................... 125

OUI Classification Failure Count................. 0

Burned-in MAC Address............................ xx:xx:xx:xx:xx:xx
Power Supply 1................................... Present, OK
Power Supply 2................................... Absent
Maximum number of APs supported.................. 500
System Nas-Id.................................... 
WLC MIC Certificate Types........................ SHA1

Screenshot of AP Join section:

Sandeep Choudhary · ‎06-04-2020

Are you sure you add the correct AP MAC address in WLC ?

I hope the AP1562 trying to join as MESH in WLC.

Mesh functionality for 1562 is not supported on 8.3. Mesh supported only from 8.4.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn83mr1.html#concept_A28403142D9D4CD2BE5C0B8F7A1434B9

Run the command on AP - CLI:

capwap ap mode local|flexconnect

change mode on AP as either local or flexconnect.

Regards

Dont forget to rate helpful posts

mhmservice · ‎06-10-2020

Hi,

That command doesn't exist on the AP

I managed to get on the console, im getting the following errors. It's set to static config as I tried to program in the WLC name just see if it helped,

[*06/10/2020 16:45:23.9415] CAPWAP State: Discovery
[*06/10/2020 16:45:23.9437] Discovery Request sent to 10.4.1.8, discovery type STATIC_CONFIG(1)
[*06/10/2020 16:45:24.0945] Discovery Request sent to 10.4.1.8, discovery type STATIC_CONFIG(1)
[*06/10/2020 16:45:24.0982] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*06/10/2020 16:45:24.0983] Discovery Response from 10.4.1.8
[*06/10/2020 16:45:39.0069] Discovery Response from 10.4.1.8
[*06/10/2020 16:45:39.0000]
[*06/10/2020 16:45:39.0000] CAPWAP State: DTLS Setup
[*06/10/2020 16:45:39.0005] dtls_connectionDB_add_connection: Number of DTLS connections exceeded two
[*06/10/2020 16:45:39.2923] dtls_load_ca_certs: LSC Root Certificate not present
[*06/10/2020 16:45:39.2924]
[*06/10/2020 16:45:39.2951] dtls_verify_con_cert: Controller certificate verification error
[*06/10/2020 16:45:39.2951] dtls_process_packet: controller cert verification failed
[*06/10/2020 16:45:39.2955] DTLS: Received packet 0x26f1000 caused DTLS to close connection
[*06/10/2020 16:45:39.2955] sendPacketToDtls: DTLS: Closing connection 0x26c7a00.
[*06/10/2020 16:45:39.2955]
[*06/10/2020 16:45:39.2955] Lost connection to the controller, going to restart CAPWAP...
[*06/10/2020 16:45:39.2955]
[*06/10/2020 16:45:39.2956] Restarting CAPWAP State Machine.
[*06/10/2020 16:45:39.3002] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state: DTLS Setup(3).
[*06/10/2020 16:45:39.3008] Failed to disconnect DTLS-CTRL session.
[*06/10/2020 16:45:39.3008]
[*06/10/2020 16:45:39.3008] CAPWAP State: DTLS Teardown
[*06/10/2020 16:45:39.3111] DTLS: Error while processing DTLS packet 0x26f3000.
[*06/10/2020 16:45:43.9413] No more AP manager addresses remain..
[*06/10/2020 16:45:43.9413] No valid AP manager found for controller 'WLC1' (ip: 10.4.1.8)
[*06/10/2020 16:45:43.9413] Failed to join controller WLC1.
[*06/10/2020 16:45:43.9413] Failed to join controller.
[*06/10/2020 16:45:39.0000]
[*06/10/2020 16:45:39.0000] CAPWAP State: DTLS Setup
[*06/10/2020 16:45:39.0002] dtls_new_connection: Connection 0x26c7a00 is already there for this server port 5246, Deleting it. Number of connections: 56
[*06/10/2020 16:45:39.0002]
[*06/10/2020 16:45:39.0004] dtls_connectionDB_add_connection: Number of DTLS connections exceeded two
[*06/10/2020 16:45:39.2955] dtls_load_ca_certs: LSC Root Certificate not present
[*06/10/2020 16:45:39.2955]
[*06/10/2020 16:45:39.2981] dtls_verify_con_cert: Controller certificate verification error
[*06/10/2020 16:45:39.2981] dtls_process_packet: controller cert verification failed
[*06/10/2020 16:45:39.2985] DTLS: Received packet 0x270a000 caused DTLS to close connection
[*06/10/2020 16:45:39.2985] sendPacketToDtls: DTLS: Closing connection 0x26c7a00.
[*06/10/2020 16:45:39.2985]
[*06/10/2020 16:45:39.2985] Lost connection to the controller, going to restart CAPWAP...
[*06/10/2020 16:45:39.2985]
[*06/10/2020 16:45:39.2986] Restarting CAPWAP State Machine.
[*06/10/2020 16:45:39.3033] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state: DTLS Setup(3).
[*06/10/2020 16:45:39.3039] Failed to disconnect DTLS-CTRL session.
[*06/10/2020 16:45:39.3039]
[*06/10/2020 16:45:39.3039] CAPWAP State: DTLS Teardown
[*06/10/2020 16:45:39.3142] DTLS: Error while processing DTLS packet 0x26f5000.
[*06/10/2020 16:45:43.9415]
[*06/10/2020 16:45:43.9415] CAPWAP State: Discovery
[*06/10/2020 16:45:43.9427] Discovery Request sent to 10.4.1.8, discovery type STATIC_CONFIG(1)
[*06/10/2020 16:45:44.0941] Discovery Request sent to 10.4.1.8, discovery type STATIC_CONFIG(1)
[*06/10/2020 16:45:44.0950] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*06/10/2020 16:45:44.0951] Discovery Response from 10.4.1.8
[*06/10/2020 16:45:58.0084] Discovery Response from 10.4.1.8
[*06/10/2020 16:45:58.0000]
[*06/10/2020 16:45:58.0000] CAPWAP State: DTLS Setup
[*06/10/2020 16:45:58.0032] dtls_connectionDB_add_connection: Number of DTLS connections exceeded two
[*06/10/2020 16:45:58.2967] dtls_load_ca_certs: LSC Root Certificate not present
[*06/10/2020 16:45:58.2967]
[*06/10/2020 16:45:58.2994] dtls_verify_con_cert: Controller certificate verification error
[*06/10/2020 16:45:58.2994] dtls_process_packet: controller cert verification failed
[*06/10/2020 16:45:58.2997] DTLS: Received packet 0x26f3000 caused DTLS to close connection
[*06/10/2020 16:45:58.2998] sendPacketToDtls: DTLS: Closing connection 0x26c7a00.
[*06/10/2020 16:45:58.2998]
[*06/10/2020 16:45:58.2998] Lost connection to the controller, going to restart CAPWAP...
[*06/10/2020 16:45:58.2998]
[*06/10/2020 16:45:58.2999] Restarting CAPWAP State Machine.
[*06/10/2020 16:45:58.3044] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state: DTLS Setup(3).
[*06/10/2020 16:45:58.3050] Failed to disconnect DTLS-CTRL session.
[*06/10/2020 16:45:58.3051]
[*06/10/2020 16:45:58.3051] CAPWAP State: DTLS Teardown
[*06/10/2020 16:45:58.3158] DTLS: Error while processing DTLS packet 0x270a000.
[*06/10/2020 16:46:02.9413] No more AP manager addresses remain..
[*06/10/2020 16:46:02.9413] No valid AP manager found for controller 'WLC1' (ip: 10.4.1.8)
[*06/10/2020 16:46:02.9413] Failed to join controller WLC1.
[*06/10/2020 16:46:02.9413] Failed to join controller.
[*06/10/2020 16:45:58.0000]
[*06/10/2020 16:45:58.0000] CAPWAP State: DTLS Setup
[*06/10/2020 16:45:58.0002] dtls_new_connection: Connection 0x26c7a00 is already there for this server port 5246, Deleting it. Number of connections: 58
[*06/10/2020 16:45:58.0002]
[*06/10/2020 16:45:58.0004] dtls_connectionDB_add_connection: Number of DTLS connections exceeded two
[*06/10/2020 16:45:58.2907] dtls_load_ca_certs: LSC Root Certificate not present
[*06/10/2020 16:45:58.2907]
[*06/10/2020 16:45:58.2934] dtls_verify_con_cert: Controller certificate verification error
[*06/10/2020 16:45:58.2934] dtls_process_packet: controller cert verification failed
[*06/10/2020 16:45:58.2938] DTLS: Received packet 0x26f1000 caused DTLS to close connection
[*06/10/2020 16:45:58.2938] sendPacketToDtls: DTLS: Closing connection 0x26c7a00.
[*06/10/2020 16:45:58.2938]
[*06/10/2020 16:45:58.2938] Lost connection to the controller, going to restart CAPWAP...
[*06/10/2020 16:45:58.2938]
[*06/10/2020 16:45:58.2940] Restarting CAPWAP State Machine.
[*06/10/2020 16:45:58.2985] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state: DTLS Setup(3).
[*06/10/2020 16:45:58.3001] Failed to disconnect DTLS-CTRL session.
[*06/10/2020 16:45:58.3001]
[*06/10/2020 16:45:58.3001] CAPWAP State: DTLS Teardown
[*06/10/2020 16:45:58.3093] DTLS: Error while processing DTLS packet 0x2708000.

Rich R · ‎06-10-2020

What command doesn't exist?
Did you set the AP to local mode?
I've checked my logs from doing the almost identical thing back in January and "capwap ap mode local" definitely solved the problem for me. After that the AP restarted, discovered and joined the WLC, downloaded the new software, and rebooted into normal operation.
The only difference is my AP started with 8.8.100.0 and was joining a WLC running 8.9.111.0 at the time.
8.3.143.0 is rather old so you could be hitting a bug that's been long since fixed in a later release.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

Leo Laohoo · ‎06-10-2020

@mhmservice wrote:

IP Address....................................... 10.4.1.8

This is the Management IP address of the WLC.

@mhmservice wrote:

[*06/10/2020 16:45:43.9413] No valid AP manager found for controller 'WLC1' (ip: 192.168.10.10)

The AP is looking for a controller with the wrong Management IP address.

Is DHCP option 43 enabled?

mhmservice · ‎06-11-2020

Sorry I accidentally censored the IP

Where it says 192.168.10.10 it actually says 10.4.1.8, so its not connecting to the wrong controller, ive corrected the previous post now

With regards to the command "capwap ap mode local"... the AP doesn't support that :( I have a bunch of other commands like "capwap ap erase" and "capwap ap ip" but no "capwap ap mode"

Rich R · ‎06-11-2020

- With regards to the command "capwap ap mode local"... the AP doesn't support that :( I have a bunch of other commands like "capwap ap erase" and "capwap ap ip" but no "capwap ap mode"
Then I think you might need to consider upgrading to more recent code ...

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

mhmservice · ‎06-11-2020

I would if I could ... i have a lot of APs which are not supported past 8.3

Rich R · ‎06-11-2020

Then at least get onto the latest 8.3 release:
https://software.cisco.com/download/home/282600534/type/280926587/release/8.3.150.0

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

Leo Laohoo · ‎06-11-2020

Post the complete output to the following command:

show capwap client rcb

mhmservice · ‎06-11-2020

I will get this and report back

mhmservice · ‎06-12-2020

show capwap client rcb
AdminState : ADMIN_ENABLED
OperationState : DTLS SETUP
Name : AP4CE1.xxx.xxxx
SwVer : 8.3.143.0
HwVer : 1.0.0.0
MwarApMgrIp : 10.4.1.8
MwarName : WLC1
MwarHwVer : 0.0.0.0
Location : default location
ApMode : Local
ApSubMode : Not Configured
CAPWAP Path MTU : 576
CAPWAP UDP-Lite : Enabled
IP Prefer-mode : IPv4
AP Link DTLS Encryption : OFF
AP Tcp MSS Adjust : Disabled
LinkAuditing : disabled

Leo Laohoo · ‎06-03-2020

Console into the AP and post the complete output to the command "sh capwap client rcb". The APs must've been purchased with MESH firmware.