
AP 2702 cannot join WLC

Draganst
Community Member

Hello everyone,

I have a problem with the AIR-CAP2702I-E-K9 series of Cisco's Access Points. 2 out of 15 APs won't associate with the WLC 8540 even though they have exactly the same configuration. I'm using only one IP address to test the APs. The two APs that cannot associate do not show any specific log error; the only thing I noticed is that I cannot ping these two APs even when I connect them directly to the PC, but I can ping the others. I formatted the flash of all APs and installed the identical version of IOS. The Accept Manufactured Installed Certificate (MIC) option is enabled on the WLC and the MAC addresses of all APs have already been added to the WLC.

I have already read similar problems with Cisco APs.


Mark Elsen
Hall of Fame

 

>...that I cannot ping these two APs
- If you cannot ping the APs, you must make sure that they can go through the basic boot process and find an IP address (usually you will be using DHCP for that). -> Check the boot process of the involved access points.

 M.



-- Let everything happen to you
Beauty and terror
Just keep going
No feeling is final
Reiner Maria Rilke (1899)

Leo Laohoo
Hall of Fame

@Draganst wrote:
The Accept Manufactured Installed Certificate (MIC) option is enabled on the WLC and the MAC addresses of all APs have already been added to the WLC.

What about the date of the WLC?  Did anyone roll back the year to 2022?

Rich R
VIP

Collect the complete console logs from those 2 APs from power-on and attach here as .txt files.
However if you can't ping the AP that suggests a basic layer 2/layer 3 issue so you might have 2 faulty APs.
If they're faulty the logs should make that clear - they either won't boot or they will report problems after booting.
You'd also be wise to read through the field notices below and make sure you're using an up to date code version as per TAC recommended link below.

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Draganst
Community Member

@Leo Laohoo The date was January 2023, and I set the time correctly, but without success.

I've attached 2 files with logs from APs, and when I compare those 2 files, the logs are almost identical. However, when I compare them with logs from the AP that joined the WLC, I've got an additional log:

*Jan 7, 14:52:49.115: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS

After that, another DTLS communication takes place.


@Draganst wrote:
The date was January 2023, and I set the time correctly, but without success.

Read what I said.  I did not say (or imply) setting the time and date correctly.  I said "roll back the year to 2022".

Sorry. Yes, 6 months ago we rolled back the date of the WLC to 2022 because of expired certificates on the APs. More about that:

https://www.cisco.com/c/en/us/support/docs/wireless/aironet-700-series-access-points/218447-ios-ap-image-download-fails-due-to-expir.html

We no longer do that. Now I flash the AP with the proper image, so the AP doesn't have to download an image from the WLC.

 


@Draganst wrote:
Sorry. Yes, 6 months ago we rolled back the date of the WLC to 2022 because of expired certificates on the APs.

I am not here discussing what happened 6 months ago.  I am talking about now.

Let me ask again (for brevity's sake):  Did anyone make any attempts to roll back the date to 2022 or not?

As far as I know, nobody made any attempts to roll back the date to 2022.

Rich R
VIP

GigabitEthernet0 comes up and then it seems to do nothing. 
Are you using static IP config on the AP or DHCP?
What WLC discovery method are you using?
CAPWAP DTLS state machine will only start after the AP establishes IP connectivity and discovers a controller to join.


Draganst
Community Member

I configured a static IP of the AP and also of the WLC. The configuration example is below:

capwap ap ip address x.x.x.x mask x.x.x.x
capwap ap ip default-gateway x.x.x.x
capwap ap controller ip address x.x.x.x
