cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
975
Views
0
Helpful
6
Replies

Access point 3702 fail to join Cisco 4500 Sup8E WLC

rvcitsupport
Level 1
Level 1

Hi all,

We are trying to deploy our wireless network using wireless controller function on Cisco 4500 Sup8E.

However, we have got a very weird problem with Cisco 3702E AP joining Cisco 4500 Sup8E WLC.

Device information:

- Cisco Sup8E: cat4500es8-UNIVERSALK9-M - Version 03.07.03E 

'WS-X45-SUP8-E'
   License Level: ipbase   Type: Permanent Right-To-Use

StoreIndex: 6 Feature: apcount  Version: 1.0
      License Type: PermanentRightToUse
      License State: Active, Not in Use, EULA accepted
      License Count: 100/0

Configured Country.............................: VN  - Vietnam
  Configured Country Codes
  VN  - Vietnam : 802.11a Indoor,Outdoor/ 802.11b / 802.11g

- Cisco 3702E AP:

AIR-CAP3702E-E-K9

Connection:  AP connects to an access port on Cisco 4500 Sup8E, AP is on same VLAN with wireless management interface of WLC. AP and WLC can ping successfully.

Problem: AP cannot join WLC with the following log. It seems that AP and WLC could not establish DTLS connection. I cannot find any errors within the log files for further investigation.

- Log on WLC: attachment (WLC-01.txt)

Loop with messages:

DTLS connection find by 0x1facf4e4 with Local 172.29.149.131:5246  Peer 172.29.149.175:33324
ecbd.1d4b.57b0 Buffer length 69, alloc_len 73
ecbd.1d4b.57b0 record=Handshake epoch=0 seq=0
ecbd.1d4b.57b0 con->rx_seq_valid 255 con->rx_epoch 1 epoch 0
ecbd.1d4b.57b0 Epoch 0 expired
ecbd.1d4b.57b0 Nothing to be done for this packet! 0x225f57f0

- Log on AP: attachment (AP-01.txt)

Loop with messages:

%CAPWAP-3-ERRORLOG: Selected MWAR 'SW-3F_1'(index 0).
%CAPWAP-3-ERRORLOG: Go join a capwap controller
%CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.29.149.131 peer_port: 5246
DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2176 Max retransmission count reached!
%DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.29.149.131:5246

Many thanks in advanced!

6 Replies 6

Leo Laohoo
Hall of Fame
Hall of Fame

Post the complete output to the WLC command "sh clock".

Hi Leo,

Below was the clock on both WLC and AP:

WLC#sh clock
16:19:28.052 Vietnam Wed May 11 2016

AP#sh clock
*09:19:16.443 UTC Wed May 11 2016

We use NTP for WLC.

Ok, so can you please post the bootup of the AP?  I want to see the AP get an IP address and the IP address of the WLC.  

Hi Leo,

Thank for your reply and sorry for late reply!

We use static IP for our APs and manually configure WLC IP address on APs.

We have one more information about our environment:

- AP 3702E formerly joined to WLC 2504 (Software version 7.6.120.0)

- We are migrating it to WLC on SUP8E (03.07.03E)

I found that AP 3702E tried to join with message:

AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS

Therefore, I issue command 'ap dtls secure-cipher AES256_SHA2' on WLC SUP8E and AP can successfully join to WLC SUP8E.

However, the problem happens with some of our AP 1602, they cannot join to WLC SUP8E.

We suspect that MIC certificate version mismatch may cause this issue.

Could you instruct us how to check these information on both APs and WLC?

Thanks!

Check the Release Notes for IOS version 3.7.3E for a possible bug.

rvcitsupport
Level 1
Level 1

Hi Leo,

Thank for your reply and sorry for late reply!

We use static IP for our APs and manually configure WLC IP address on APs.

We have one more information about our environment:

- AP 3702E formerly joined to WLC 2504 (Software version 7.6.120.0)

- We are migrating it to WLC on SUP8E (03.07.03E)

I found that AP 3702E tried to join with message:

AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS

Therefore, I issue command 'ap dtls secure-cipher AES256_SHA2' on WLC SUP8E and AP can successfully join to WLC SUP8E.

However, the problem happens with some of our AP 1602, they cannot join to WLC SUP8E.

We suspect that MIC certificate version mismatch may cause this issue.

Could you instruct us how to check these information on both APs and WLC?

Thanks!

Review Cisco Networking for a $25 gift card