Adding APs to Cisco 5520 Wireless Controller

LHigdon
Level 1

Hello,

I am trying to register new APs to our 5520 wireless controller, and I am seeing the following errors in the message logs:

 

*spamApTask4: Oct 13 07:33:23.148: %CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:9079 00:09:0f:09:00:10: Failed to create DTLS connection for AP 10.208.19.106 (29779).
*spamApTask4: Oct 13 07:33:23.148: %DTLS-3-PKI_ERROR: openssl_dtls.c:483 PKI initialization error : Certificate initialization failed
*spamApTask4: Oct 13 07:33:23.148: %LOG-3-Q_IND: sshpmcert.c:885 Accessing certificate table before initialization
*spamApTask4: Oct 13 07:33:23.148: %SSHPM-3-CERT_TABLE_INVALID: sshpmcert.c:885 Accessing certificate table before initialization
*spamApTask4: Oct 13 07:32:42.153: %CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:9079 00:09:0f:09:00:10: Failed to create DTLS connection for AP 10.208.19.102 (36700).
*spamApTask4: Oct 13 07:32:42.153: %DTLS-3-PKI_ERROR: openssl_dtls.c:483 PKI initialization error : Certificate initialization failed
*spamApTask4: Oct 13 07:32:42.153: %LOG-3-Q_IND: sshpmcert.c:885 Accessing certificate table before initialization
*spamApTask4: Oct 13 07:32:42.153: %SSHPM-3-CERT_TABLE_INVALID: sshpmcert.c:885 Accessing certificate table before initialization
*spamApTask4: Oct 13 07:32:34.153: %CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:9079 00:09:0f:09:00:10: Failed to create DTLS connection for AP 10.208.19.102 (36700).
*spamApTask4: Oct 13 07:32:34.153: %DTLS-3-PKI_ERROR: openssl_dtls.c:483 PKI initialization error : Certificate initialization failed
*spamApTask4: Oct 13 07:32:34.153: %LOG-3-Q_IND: sshpmcert.c:885 Accessing certificate table before initialization
*spamApTask4: Oct 13 07:32:34.153: %SSHPM-3-CERT_TABLE_INVALID: sshpmcert.c:885 Accessing certificate table before initialization
*spamApTask6: Oct 13 07:32:31.506: %CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:9079 00:09:0f:09:00:10: Failed to create DTLS connection for AP 10.208.19.101 (29718).

 

I have tried to tell the device to ignore certs, allow self assigned, etc., and I am still seeing these. My controller software version is 8.2.166.0.

Any help would be greatly appreciated. This is a new controller install as well.


Leo Laohoo
Hall of Fame

Post the complete output to the following commands: 

1.  WLC:  sh sysinfo

2.  WLC:  sh time

3.  AP:  sh version

4.  AP:  sh capwap client rcb

5.  AP:  sh ip interface brief

6.  Console into the AP and reboot the AP.  Post the entire boot-up process.

Show sys info:

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.2.166.0
RTOS Version..................................... 8.2.166.0
Bootloader Version............................... 8.3.15.177
Emergency Image Version.......................... 8.3.143.0

Build Type....................................... DATA + WPS

System Name...................................... USLS-WLC
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.2170
Redundancy Mode.................................. Disabled
IP Address....................................... 10.10.130.118
IPv6 Address..................................... ::
System Up Time................................... 0 days 0 hrs 18 mins 3 secs
System Timezone Location......................... (GMT -5:00) Eastern Time (US and Canada)
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180


--More-- or (q)uit
Configured Country............................... US - United States
Operating Environment............................ Commercial (10 to 35 C)
Internal Temp Alarm Limits....................... 10 to 38 C
Internal Temperature............................. +22 C
Fan Status....................................... OK

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 3
Number of Active Clients......................... 0

Burned-in MAC Address............................ C4:F7:D5:C7:9D:D5
Power Supply 1................................... Present, OK
Power Supply 2................................... Present, OK
Maximum number of APs supported.................. 1500
System Nas-Id....................................
WLC MIC Certificate Types........................ SHA1
Licensing Type................................... RTU

 

Show time:

(Cisco Controller) >show time

Time............................................. Wed Oct 13 07:42:58 2021

Timezone delta................................... 0:0
Timezone location................................ (GMT -5:00) Eastern Time (US and Canada)

NTP Servers
NTP Polling Interval......................... 86400

Index NTP Key Index NTP Server          Status      NTP Msg Auth Status
------- ----------------------------------------------------------------------------------------------
 1     0            10.10.130.1         In Progress AUTH DISABLED

I cannot console in the APs. I do not have physical access to them at my location and I cannot SSH into them. 


@LHigdon wrote:
Index NTP Key Index NTP Server          Status      NTP Msg Auth Status
-----------------------------------------------------------------------------------------------------
 1     0            10.10.130.1         In Progress AUTH DISABLED

WLC time and date is incorrect. 

If NTP was working fine, the Status message would be "In Sync".  

Hello Leo,

I just corrected that:

(Cisco Controller) >show time

Time............................................. Wed Oct 13 07:57:57 2021

Timezone delta................................... 0:0
Timezone location................................ (GMT -5:00) Eastern Time (US and Canada)

NTP Servers
NTP Polling Interval......................... 86400

Index NTP Key Index NTP Server          Status      NTP Msg Auth Status
------- ----------------------------------------------------------------------------------------------
 2     0            10.10.130.123       In Sync     AUTH DISABLED

I still see the same errors in the log. 

What model of AP? Are they the same model as the ones currently anchored and working?

If the APs are newer models, they may not be supported with the version you are running. 8.2 is a pretty old version.

They are all AIR-CAP2702E-B-K9 and this is a new install. There are no other APs.

I need to see the console of that AP.

Rich R
VIP

1. You should not be using 8.2.166.0!  Refer to https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html#anc4

If all your APs are 2702 then you should be using 8.10.162.0

If you have other older APs then check them against https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html#ctr-ap_support to see the highest release you can use.  You can probably at least use 8.5

 

2. I've said this on a number of posts recently but apparently nobody searches before posting so I'll say it again:

Have you carefully read the field notice https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html and followed ALL the steps in the right order?

 

Oh and you should also check this: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy67885

Cisco shipped a whole batch of WLC missing Flexflash which contains the WLC certificates.

They even sent us one of the faulty units as an RMA replacement!

If you've got one of those faulty units then you need to get it replaced by RMA with TAC.
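
Added example (not part of any post in this thread, and not Cisco tooling): a triage script for the message-log format shown in the first post. It counts CAPWAP DTLS failures per AP and checks whether each was logged together with the controller's own PKI errors. Grouping lines by task and timestamp, and the two-AP threshold, are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the log excerpt in the first post (newest first).
SAMPLE_LOG = """\
*spamApTask4: Oct 13 07:33:23.148: %CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:9079 00:09:0f:09:00:10: Failed to create DTLS connection for AP 10.208.19.106 (29779).
*spamApTask4: Oct 13 07:33:23.148: %DTLS-3-PKI_ERROR: openssl_dtls.c:483 PKI initialization error : Certificate initialization failed
*spamApTask4: Oct 13 07:33:23.148: %SSHPM-3-CERT_TABLE_INVALID: sshpmcert.c:885 Accessing certificate table before initialization
*spamApTask4: Oct 13 07:32:42.153: %CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:9079 00:09:0f:09:00:10: Failed to create DTLS connection for AP 10.208.19.102 (36700).
*spamApTask4: Oct 13 07:32:42.153: %DTLS-3-PKI_ERROR: openssl_dtls.c:483 PKI initialization error : Certificate initialization failed
*spamApTask4: Oct 13 07:32:42.153: %SSHPM-3-CERT_TABLE_INVALID: sshpmcert.c:885 Accessing certificate table before initialization
*spamApTask6: Oct 13 07:32:31.506: %CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:9079 00:09:0f:09:00:10: Failed to create DTLS connection for AP 10.208.19.101 (29718).
"""

LINE_RE = re.compile(r"^\*(?P<task>\w+): (?P<ts>\w{3} +\d+ [\d:.]+): "
                     r"%(?P<fac>[A-Z]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<msg>.*)$")
AP_RE = re.compile(r"Failed to create DTLS connection for AP (\d+(?:\.\d+){3})")
# Mnemonics that report on the controller's own certificate store.
CONTROLLER_PKI = {"PKI_ERROR", "CERT_TABLE_INVALID"}

def triage(log_text):
    """Return {ap_ip: {"failures": n, "controller_pki": n}}."""
    mnemonics = defaultdict(set)  # (task, timestamp) -> mnemonics logged together
    aps = defaultdict(list)       # (task, timestamp) -> APs whose DTLS setup failed
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # pager prompts, blank lines, other output
        key = (m["task"], m["ts"])
        mnemonics[key].add(m["mnem"])
        ap = AP_RE.search(m["msg"])
        if m["mnem"] == "DTLS_DB_ERR" and ap:
            aps[key].append(ap.group(1))
    report = defaultdict(lambda: {"failures": 0, "controller_pki": 0})
    for key, ips in aps.items():
        for ip in ips:
            report[ip]["failures"] += 1
            if mnemonics[key] & CONTROLLER_PKI:
                report[ip]["controller_pki"] += 1
    return dict(report)

def controller_side_suspected(report, min_aps=2):
    """True when several distinct APs fail alongside the same controller PKI error."""
    return sum(1 for r in report.values() if r["controller_pki"]) >= min_aps

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, counts in sorted(result.items()):
        print(ip, counts)
    print("controller-side cause suspected:", controller_side_suspected(result))
```

The failure for 10.208.19.101 sits at the cut-off of the pasted excerpt, so its companion lines are not visible and it is counted without a PKI match.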
