9800-80-WLC No AP Join after SW-Upgrade to 17.9.5

Gehrig_W
Level 1

Hello Cisco-WLAN-Community,

I would like to report a WLAN AP join problem that arose here during the software upgrade of a 9800-80 WLC to version 17.9.5.

Despite the fact that this hospital is running an HA-SSO 9800 solution, more than 1200 APs were no longer able to join after the software upgrade. The horror shows up in the AP join statistics in the form of the following error message:

DTLS cert-chain not available

The planned Stackered AP Image Upgrade even shows success in the GUI, with 0 percent completion!


It got even worse: the predownloaded image was overwritten while the APs jumped to the 5520 WLCs used as backup.

Several hours of confusion and outages ended after I found a hint about a missing trustpoint on the wireless management interface in the 9800 Best Practice Guide, chapter "Dealing with trustpoints":

https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html


I don't know why this trustpoint disappeared in the dark during the software update.

To me it looks like a clear bug and shame on Cisco for the outages created by this mess!

After adding Trustpoint Name : CISCO_IDEVID_CMCA3_SUDI to the wireless management interface, the APs started joining the 9800 WLC again. Sad to say, this needed another software download and downtime to overwrite the previously sucked 5520 image.

You can configure and check it in CLI:

wireless management trustpoint CISCO_IDEVID_CMCA3_SUDI


Unfortunately, the trustpoint configuration on the wireless management interface is not visible in the running config.


What a mess on this Cisco WLAN high-availability solution.

Is this a bug or a feature in software version 17.9.5?

Kind regards

Wini


marce1000
VIP


> ...DTLS cert-chain not available

FYI: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwj58547

I don't know how or when (if) this bug is applicable to previous versions (too). In any case it is always advisable, if the (a) controller is upgraded, to always check the current state of the configuration with the CLI command show tech wireless and feed the output from that into Wireless Config Analyzer. You will discover such issues faster then, or it should perhaps be considered mandatory (after upgrading).

 M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

jagan.chowdam
Spotlight

I always review the IOS-XE release notes to identify any potential issues/gotchas before starting the upgrade.

In your case: "Modified Trustpoints for Secure Unique Device Identity (SUDI) Certificates". Also, look at the following point from the "Behavior changes" section:

"If you have configured CISCO_IDEVID_SUDI trustpoint in your configuration, you will need to replace it with CISCO_IDEVID_CMCA3_SUDI to avoid client connection and AP join issues. The reason for this change being the CISCO_IDEVID_SUDI changed from SW-SUDI certificate in previous releases to HW-SUDI certificate. The processing of HW-SUDI certificate is much slower than the SW-SUDI. Here, CISCO_IDEVID_CMCA3_SUDI is the new SW-SUDI certificate."

IOS-XE release notes: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/release-notes/rn-17-9-9800.html

Jagan Chowdam

/**Pls rate useful responses**/
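An added post-upgrade check, not from this thread or from Cisco: a Python script that parses the `show wireless management trustpoint` output (the "Key : Value" format is assumed from the "Trustpoint Name : ..." line quoted above; the sample outputs are constructed, not captured) and flags an empty binding or the old CISCO_IDEVID_SUDI name, returning the corrective command from the release notes.

```python
import re

# Constructed samples in the assumed `show wireless management trustpoint` format.
PRE_UPGRADE_OLD_NAME = """\
Trustpoint Name  : CISCO_IDEVID_SUDI
Certificate Info : Available
Certificate Type : MIC
Private key Info : Available
"""

POST_UPGRADE_EMPTY = """\
Trustpoint Name  :
Certificate Info : Not Available
"""

OLD_SUDI_TRUSTPOINT = "CISCO_IDEVID_SUDI"        # became the slow HW-SUDI cert in 17.9.5
NEW_SUDI_TRUSTPOINT = "CISCO_IDEVID_CMCA3_SUDI"  # new SW-SUDI trustpoint per release notes


def parse_trustpoint_output(text):
    """Turn 'Key : Value' lines into a dict; a missing value becomes ''."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def check_management_trustpoint(text):
    """Return (ok, findings, fix_command) for one controller's output."""
    fields = parse_trustpoint_output(text)
    name = fields.get("Trustpoint Name", "")
    cert = fields.get("Certificate Info", "")
    findings = []
    if not name:
        findings.append("no trustpoint bound to the wireless management interface "
                        "(APs fail DTLS with 'cert-chain not available')")
    elif name == OLD_SUDI_TRUSTPOINT:
        findings.append(f"{OLD_SUDI_TRUSTPOINT} is now the HW-SUDI certificate; "
                        "release notes say to replace it")
    if cert and cert.lower() != "available":
        findings.append(f"certificate info is '{cert}'")
    fix = f"wireless management trustpoint {NEW_SUDI_TRUSTPOINT}" if findings else None
    return (not findings, findings, fix)


if __name__ == "__main__":
    for label, sample in (("old name", PRE_UPGRADE_OLD_NAME), ("empty", POST_UPGRADE_EMPTY)):
        ok, findings, fix = check_management_trustpoint(sample)
        print(label, "OK" if ok else findings, fix)
```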
