10-13-2021 04:36 AM
Hello,
I am trying to register new APs to our 5520 wireless controller, and I am seeing the following errors in the message logs:
*spamApTask4: Oct 13 07:33:23.148: %CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:9079 00:09:0f:09:00:10: Failed to create DTLS connection for AP 10.208.19.106 (29779).
*spamApTask4: Oct 13 07:33:23.148: %DTLS-3-PKI_ERROR: openssl_dtls.c:483 PKI initialization error : Certificate initialization failed
*spamApTask4: Oct 13 07:33:23.148: %LOG-3-Q_IND: sshpmcert.c:885 Accessing certificate table before initialization
*spamApTask4: Oct 13 07:33:23.148: %SSHPM-3-CERT_TABLE_INVALID: sshpmcert.c:885 Accessing certificate table before initialization
*spamApTask4: Oct 13 07:32:42.153: %CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:9079 00:09:0f:09:00:10: Failed to create DTLS connection for AP 10.208.19.102 (36700).
*spamApTask4: Oct 13 07:32:42.153: %DTLS-3-PKI_ERROR: openssl_dtls.c:483 PKI initialization error : Certificate initialization failed
*spamApTask4: Oct 13 07:32:42.153: %LOG-3-Q_IND: sshpmcert.c:885 Accessing certificate table before initialization
*spamApTask4: Oct 13 07:32:42.153: %SSHPM-3-CERT_TABLE_INVALID: sshpmcert.c:885 Accessing certificate table before initialization
*spamApTask4: Oct 13 07:32:34.153: %CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:9079 00:09:0f:09:00:10: Failed to create DTLS connection for AP 10.208.19.102 (36700).
*spamApTask4: Oct 13 07:32:34.153: %DTLS-3-PKI_ERROR: openssl_dtls.c:483 PKI initialization error : Certificate initialization failed
*spamApTask4: Oct 13 07:32:34.153: %LOG-3-Q_IND: sshpmcert.c:885 Accessing certificate table before initialization
*spamApTask4: Oct 13 07:32:34.153: %SSHPM-3-CERT_TABLE_INVALID: sshpmcert.c:885 Accessing certificate table before initialization
*spamApTask6: Oct 13 07:32:31.506: %CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:9079 00:09:0f:09:00:10: Failed to create DTLS connection for AP 10.208.19.101 (29718).
I have tried to tell the device to ignore certs, allow self assigned, etc., and I am still seeing these. My controller software version is 8.2.166.0.
Any help would be greatly appreciated. This is a new controller install as well.
10-13-2021 04:40 AM
Post the complete output to the following commands:
1. WLC: sh sysinfo
2. WLC: sh time
3. AP: sh version
4. AP: sh capwap client rcb
5. AP: sh ip interface brief
6. Console into the AP and reboot the AP. Post the entire boot-up process.
10-13-2021 04:45 AM
Show sys info:
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.2.166.0
RTOS Version..................................... 8.2.166.0
Bootloader Version............................... 8.3.15.177
Emergency Image Version.......................... 8.3.143.0
Build Type....................................... DATA + WPS
System Name...................................... USLS-WLC
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.2170
Redundancy Mode.................................. Disabled
IP Address....................................... 10.10.130.118
IPv6 Address..................................... ::
System Up Time................................... 0 days 0 hrs 18 mins 3 secs
System Timezone Location......................... (GMT -5:00) Eastern Time (US and Canada)
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180
--More-- or (q)uit
Configured Country............................... US - United States
Operating Environment............................ Commercial (10 to 35 C)
Internal Temp Alarm Limits....................... 10 to 38 C
Internal Temperature............................. +22 C
Fan Status....................................... OK
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 3
Number of Active Clients......................... 0
Burned-in MAC Address............................ C4:F7:D5:C7:9D:D5
Power Supply 1................................... Present, OK
Power Supply 2................................... Present, OK
Maximum number of APs supported.................. 1500
System Nas-Id....................................
WLC MIC Certificate Types........................ SHA1
Licensing Type................................... RTU
Show time:
(Cisco Controller) >show time
Time............................................. Wed Oct 13 07:42:58 2021
Timezone delta................................... 0:0
Timezone location................................ (GMT -5:00) Eastern Time (US and Canada)
NTP Servers
NTP Polling Interval......................... 86400
Index    NTP Key Index    NTP Server     Status         NTP Msg Auth Status
------- ----------------------------------------------------------------------------------------------
1        0                10.10.130.1    In Progress    AUTH DISABLED
I cannot console in the APs. I do not have physical access to them at my location and I cannot SSH into them.
10-13-2021 04:49 AM
@LHigdon wrote:
Index    NTP Key Index    NTP Server     Status         NTP Msg Auth Status
-----------------------------------------------------------------------------------------------------
1        0                10.10.130.1    In Progress    AUTH DISABLED
WLC time and date is incorrect.
If NTP was working fine, the Status message would be "In Sync".
10-13-2021 05:00 AM
Hello Leo,
I just corrected that:
(Cisco Controller) >show time
Time............................................. Wed Oct 13 07:57:57 2021
Timezone delta................................... 0:0
Timezone location................................ (GMT -5:00) Eastern Time (US and Canada)
NTP Servers
NTP Polling Interval......................... 86400
Index    NTP Key Index    NTP Server       Status     NTP Msg Auth Status
------- ----------------------------------------------------------------------------------------------
2        0                10.10.130.123    In Sync    AUTH DISABLED
I still see the same errors in the log.
10-13-2021 06:19 AM
What model of AP? Are they the same model as the ones currently anchored and working?
If the APs are newer models they may not be supported with the version you are running. 8.2 is a pretty old version.
10-13-2021 06:27 AM
They are all AIR-CAP2702E-B-K9 and this is a new install. There are no other APs.
10-13-2021 02:26 PM
I need to see the console of that AP.
10-13-2021 06:55 AM
1. You should not be using 8.2.166.0! Refer to https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html#anc4
If all your APs are 2702 then you should be using 8.10.162.0
If you have other older APs then check them against https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html#ctr-ap_support to see the highest release you can use. You can probably at least use 8.5
2. I've said this on a number of posts recently but apparently nobody searches before posting so I'll say it again:
Have you carefully read the field notice https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html and followed ALL the steps in the right order?
10-13-2021 07:17 AM
Oh and you should also check this: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy67885
Cisco shipped a whole batch of WLC missing Flexflash which contains the WLC certificates.
They even sent us one of the faulty units as an RMA replacement!
If you've got one of those faulty units then you need to get it replaced by RMA with TAC.
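Added example, not part of any post in this thread and not Cisco code: a way to triage a message log like the one in the first post by grouping lines per task and timestamp, counting DTLS failures per AP, and flagging when two or more APs fail alongside the same certificate error, which is consistent with a fault in the controller's own certificate store rather than in any one AP. The function names and the `min_aps` threshold are assumptions.

```python
import re
from collections import defaultdict

LINE = re.compile(r"^\*(?P<task>\w+): (?P<ts>\w{3} +\d+ [\d:.]+): "
                  r"%(?P<fac>[A-Z]+)-(?P<sev>\d)-(?P<mnem>\w+): (?P<msg>.*)$")
AP_IP = re.compile(r"for AP (\d{1,3}(?:\.\d{1,3}){3})")
CERT_MNEMONICS = {"PKI_ERROR", "CERT_TABLE_INVALID"}

# Subset of the log lines posted at the top of the thread.
SAMPLE = """
*spamApTask4: Oct 13 07:33:23.148: %CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:9079 00:09:0f:09:00:10: Failed to create DTLS connection for AP 10.208.19.106 (29779).
*spamApTask4: Oct 13 07:33:23.148: %DTLS-3-PKI_ERROR: openssl_dtls.c:483 PKI initialization error : Certificate initialization failed
*spamApTask4: Oct 13 07:33:23.148: %SSHPM-3-CERT_TABLE_INVALID: sshpmcert.c:885 Accessing certificate table before initialization
*spamApTask4: Oct 13 07:32:42.153: %CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:9079 00:09:0f:09:00:10: Failed to create DTLS connection for AP 10.208.19.102 (36700).
*spamApTask4: Oct 13 07:32:42.153: %SSHPM-3-CERT_TABLE_INVALID: sshpmcert.c:885 Accessing certificate table before initialization
*spamApTask4: Oct 13 07:32:34.153: %CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:9079 00:09:0f:09:00:10: Failed to create DTLS connection for AP 10.208.19.102 (36700).
*spamApTask4: Oct 13 07:32:34.153: %DTLS-3-PKI_ERROR: openssl_dtls.c:483 PKI initialization error : Certificate initialization failed
*spamApTask6: Oct 13 07:32:31.506: %CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:9079 00:09:0f:09:00:10: Failed to create DTLS connection for AP 10.208.19.101 (29718).
"""

def triage(log_text):
    """Return {ap_ip: {"failures": n, "cert_errors": n}} for DTLS join failures."""
    events = defaultdict(list)          # (task, timestamp) -> [(mnemonic, message)]
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            events[(m["task"], m["ts"])].append((m["mnem"], m["msg"]))
    report = defaultdict(lambda: {"failures": 0, "cert_errors": 0})
    for group in events.values():
        has_cert_error = bool({mn for mn, _ in group} & CERT_MNEMONICS)
        for mnem, msg in group:
            ip = AP_IP.search(msg) if mnem == "DTLS_DB_ERR" else None
            if ip:
                report[ip.group(1)]["failures"] += 1
                report[ip.group(1)]["cert_errors"] += int(has_cert_error)
    return dict(report)

def shared_cert_fault(report, min_aps=2):
    # Heuristic (assumption): the same cert error on several APs implicates the WLC.
    return sum(1 for r in report.values() if r["cert_errors"]) >= min_aps

if __name__ == "__main__":
    rep = triage(SAMPLE)
    for ip, counts in sorted(rep.items()):
        print(ip, counts)
    print("controller-side certificate fault likely:", shared_cert_fault(rep))
```

A failure with no certificate message at the same task and timestamp, such as the last line of the excerpt, is counted but not attributed to the certificate store.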