AIR-CAP3702E failed to join to WLC(C9800)

Lucas Woo
Level 1

As the title suggests, the AP failed to join the WLC (C9800) after first booting.

The other day, we powered off the AP because of a planned power outage.

After that, when the AP was powered on again, it failed to join the WLC (C9800).

A long time ago, we changed the Primary Controller from the C5508 to the C9800 with this command.
# config ap primary-base {name new WLC} {name AP} 172.20.130.251
※ IP address of old WLC (C5508): 172.20.130.250

As I mentioned above, we changed the Primary Controller setting, but after booting the AP tried to join the old WLC (C5508) first.

After it failed, we rebooted the AP and it joined the new WLC successfully.

I have no idea why the AP tried to join the old WLC (C5508) and then joined the new WLC (C9800) successfully after rebooting.


The results of show logging are below.

【Logs of failing to join the WLC】
===============
*Feb 19 06:52:46.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: {Global IP address} peer_port: 5246
*Feb 19 06:53:15.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0xDD4E520!

*Feb 19 06:53:45.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to {Global IP address}:5246
*Feb 19 06:53:45.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Feb 19 06:53:46.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.20.130.250 peer_port: 5246
*Feb 19 06:53:46.759: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.20.130.250 peer_port: 5246
*Feb 19 06:53:46.759: %CAPWAP-5-SENDJOIN: sending Join Request to 172.20.130.250perform archive download capwap:/c3700 tar file
*Feb 19 06:53:46.795: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
*Feb 19 06:58:46.171: Currently running a Release Image

*Feb 19 06:58:46.195: Using SHA-2 signed certificate for image signing validation.
*Feb 19 06:58:46.267: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: xxxxxxxxxxxxxxxxxx) has expired. Validity period ended on 21:43:46 UTC Dec 4 2022
*Feb 19 06:58:46.267: Image signing certificate validation failed.

*Feb 19 06:58:46.267: Failed to validate signature
*Feb 19 06:58:46.267: Digital Signature Failed Validation (flash:/update/ap3g2-k9w8-mx.153-3.JF9/final_hash)
*Feb 19 06:58:46.267: AP image integrity check FAILED
Aborting Image Download
===============


【Logs of successful join to the WLC (after rebooting)】
===============
*Feb 20 02:41:13.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.20.130.251 peer_port: 5246
*Feb 20 02:41:13.211: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.20.130.251 peer_port: 5246
*Feb 20 02:41:13.211: %CAPWAP-5-SENDJOIN: sending Join Request to 172.20.130.251
*Feb 20 02:41:13.251: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to the reason code 27
*Feb 20 02:41:13.259: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller {Name WLC}
*Feb 20 02:41:13.267: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Feb 20 02:41:13.327: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to the reason code 27
*Feb 20 02:41:14.263: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Feb 20 02:41:14.267: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Feb 20 02:41:14.267: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Feb 20 02:41:14.271: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Feb 20 02:41:15.307: %DOT11-6-DFS_SCAN_START: DFS: Scanning frequency 5660 MHz for 60 seconds.
*Feb 20 02:41:15.311: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Feb 20 02:41:16.311: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Feb 20 02:41:35.615: %CLEANAIR-6-STATE: Slot 1 enabled
*Feb 20 02:42:15.319: %DOT11-6-DFS_SCAN_COMPLETE: DFS scan complete on frequency 5660 MHz
===============


#show capwap ip config

LWAPP Static IP Configuration
Primary Controller 172.20.130.250


AP-1A-P16A#show capwap client config
adminState ADMIN_ENABLED(1)
mwarIPAddress 172.20.130.251
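For anyone triaging a similar case, the two log excerpts above can be reduced to a timeline of "which controller did the AP talk to, and how far did each attempt get". The following is an added example (not from the original post or from Cisco): a small Python parser for the CAPWAP/DTLS/PKI syslog lines shown in the thread. The sample log below is constructed from the post's output; the first peer address 203.0.113.10 is a placeholder for the "{Global IP address}" the poster redacted, and the controller name WLC-9800 is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the output in the post. 203.0.113.10 stands in
# for the redacted "{Global IP address}"; WLC-9800 is an assumed controller name.
SAMPLE_LOG = """\
*Feb 19 06:52:46.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 203.0.113.10 peer_port: 5246
*Feb 19 06:53:15.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0xDD4E520!
*Feb 19 06:53:46.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.20.130.250 peer_port: 5246
*Feb 19 06:53:46.759: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.20.130.250 peer_port: 5246
*Feb 19 06:53:46.759: %CAPWAP-5-SENDJOIN: sending Join Request to 172.20.130.250perform archive download capwap:/c3700 tar file
*Feb 19 06:58:46.267: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 0123) has expired. Validity period ended on 21:43:46 UTC Dec 4 2022
*Feb 19 06:58:46.267: AP image integrity check FAILED
*Feb 20 02:41:13.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.20.130.251 peer_port: 5246
*Feb 20 02:41:13.211: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.20.130.251 peer_port: 5246
*Feb 20 02:41:13.259: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WLC-9800
"""

# Patterns for the syslog mnemonics seen in the thread. "sucessfully" is
# spelled the way the AP prints it, so the regex does not depend on it.
RE_TS      = re.compile(r"^\*(\w{3} \d+ \d\d:\d\d:\d\d\.\d+): (.*)$")
RE_DTLSREQ = re.compile(r"%CAPWAP-5-DTLSREQSEND: .*peer_ip: (\S+)")
RE_DTLSOK  = re.compile(r"%CAPWAP-5-DTLSREQSUCC: .*peer_ip: (\S+)")
RE_JOINREQ = re.compile(r"%CAPWAP-5-SENDJOIN: sending Join Request to (\d+\.\d+\.\d+\.\d+)")
RE_JOINED  = re.compile(r"%CAPWAP-5-JOINEDCONTROLLER: AP has joined controller (.+)$")
RE_EXPIRED = re.compile(r"%PKI-3-CERTIFICATE_INVALID_EXPIRED: .*Validity period ended on (.+)$")


@dataclass
class Attempt:
    """One DTLS/join attempt against one controller address."""
    started: str
    peer: str
    dtls_ok: bool = False
    join_sent: bool = False
    joined_as: Optional[str] = None
    failure: Optional[str] = None          # dtls-timeout | image-cert-expired | image-integrity
    cert_expired_on: Optional[str] = None


def parse_join_attempts(log_text: str) -> List[Attempt]:
    """Group AP syslog lines into join attempts, one per DTLSREQSEND."""
    attempts: List[Attempt] = []
    cur: Optional[Attempt] = None
    for raw in log_text.splitlines():
        m = RE_TS.match(raw.strip())
        if not m:
            continue                        # not a timestamped syslog line
        ts, msg = m.groups()
        if (d := RE_DTLSREQ.search(msg)):
            cur = Attempt(started=ts, peer=d.group(1))
            attempts.append(cur)
            continue
        if cur is None:
            continue                        # lines before the first attempt
        if RE_DTLSOK.search(msg):
            cur.dtls_ok = True
        elif "Max retransmission count reached" in msg:
            cur.failure = cur.failure or "dtls-timeout"
        elif RE_JOINREQ.search(msg):
            cur.join_sent = True
        elif (e := RE_EXPIRED.search(msg)):
            # Image-signing cert expired: the download/upgrade step cannot complete
            cur.failure = "image-cert-expired"
            cur.cert_expired_on = e.group(1).strip()
        elif "AP image integrity check FAILED" in msg:
            cur.failure = cur.failure or "image-integrity"
        elif (k := RE_JOINED.search(msg)):
            cur.joined_as = k.group(1).strip()
    return attempts


def unexpected_peers(attempts: List[Attempt], intended_primary: str) -> List[str]:
    """Controller addresses the AP contacted that are not the configured primary."""
    seen: List[str] = []
    for a in attempts:
        if a.peer != intended_primary and a.peer not in seen:
            seen.append(a.peer)
    return seen


if __name__ == "__main__":
    for a in parse_join_attempts(SAMPLE_LOG):
        print(f"{a.started}  peer={a.peer:15} dtls={a.dtls_ok} join_sent={a.join_sent} "
              f"failure={a.failure} joined_as={a.joined_as}")
    print("not the configured primary:", unexpected_peers(parse_join_attempts(SAMPLE_LOG), "172.20.130.251"))
```

Run against the real `show logging` output, the script makes the two findings in the thread visible at a glance: the AP attempted a stale controller before its configured primary, and the attempt against 172.20.130.250 got as far as a Join Request and then failed on an expired image-signing certificate rather than on DTLS.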

3 Replies

balaji.bandi
Hall of Fame

%PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed.

Check the field notices:

https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html

https://www.cisco.com/c/en/us/support/docs/field-notices/725/fn72524.html

BB


Scott Fella
Hall of Fame

@Lucas Woo take a look at the various discovery methods for an AP to discover a controller. Make sure you have changed those discovery methods if you implemented them in the past: Option 43 for DHCP, DNS, and/or if the AP is in the same subnet as the controller. APs can also learn of the other controller if mobility has been configured between the two.

Seems like you still have the 5508 in production on the same subnet as the 9800.  

-Scott
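Of the discovery methods Scott lists, DHCP Option 43 is the one most often left pointing at a decommissioned controller, and its value is an opaque hex string that is easy to get wrong. As an added example (not from the thread, and not Cisco's own tooling), here is a Python encoder/decoder for the vendor-specific sub-option Cisco lightweight APs read from Option 43: sub-option type 0xf1 (241), a length of 4 × number of controllers, then the management IPs packed as raw bytes. The controller addresses used below are the thread's 172.20.130.250/.251; the IOS dotted-hex output form is shown for `ip dhcp pool` configurations, and you should verify the value against your own DHCP server before deploying it.

```python
import ipaddress
from typing import List

# Sub-option type Cisco lightweight APs look for inside DHCP Option 43.
CISCO_AP_SUBOPTION = 0xF1


def encode_option43(controllers: List[str]) -> str:
    """Return the Option 43 hex string listing WLC management IPs (type, length, value)."""
    if not controllers:
        raise ValueError("need at least one controller address")
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(payload) > 255:
        raise ValueError("too many controllers for a single-byte length field")
    return (bytes([CISCO_AP_SUBOPTION, len(payload)]) + payload).hex()


def decode_option43(hexstr: str) -> List[str]:
    """Walk the TLV list in an Option 43 value and return the WLC IPs it advertises."""
    data = bytes.fromhex(hexstr.replace(".", ""))   # accept IOS dotted form too
    out: List[str] = []
    i = 0
    while i + 2 <= len(data):
        sub_type, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option")
        if sub_type == CISCO_AP_SUBOPTION:
            if length % 4:
                raise ValueError("controller list length is not a multiple of 4")
            out.extend(str(ipaddress.IPv4Address(value[k:k + 4])) for k in range(0, length, 4))
        i += 2 + length                                 # skip other vendor sub-options
    return out


def ios_dotted_hex(hexstr: str) -> str:
    """Group a hex string in fours, the form IOS 'option 43 hex' expects."""
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


if __name__ == "__main__":
    # Sample values from the thread: the old 5508 and the new 9800 management IPs
    stale = encode_option43(["172.20.130.250", "172.20.130.251"])
    fixed = encode_option43(["172.20.130.251"])
    print("current (still advertises the 5508):", ios_dotted_hex(stale), decode_option43(stale))
    print("corrected (9800 only):              ", ios_dotted_hex(fixed), decode_option43(fixed))
```

Running `decode_option43` on the value your DHCP server actually hands out is a quick way to confirm whether the old controller is still being advertised, independent of what the AP's own `show capwap` output says.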

Rich R
VIP

And even if you update all the discovery methods the AP "remembers" WLCs it was able to join in the past.

If you want it to completely forget the old WLC then when you have cleaned up all the discovery options do a factory default reset on the AP and then it will forget past WLCs.  But like Scott says if it's on the same subnet as the WLC then it will always discover it through subnet broadcast.

The expired cert on the 5508 code actually prevented it from downloading and joining the 5508 in this case (and it could have kept doing that forever) but if you are still using the 5508 then you do at least need to think about updating that to 8.5.182.7. (8.5.140.0 is very old!)
