AP cannot join vwlc 8.10

eigrpy · ‎04-03-2021

Hello, AP3602 can join vwlc8.0 but cannot join vwlc8.10-, Is this wlc version too high? If so , what is the latest version of vwlc the AP can join? The below is the AP message. Thank you!

*Apr 3 22:55:45.000: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:508 Certificate verified failed!
*Apr 3 22:55:45.003: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.0.10.6:5246
*Apr 3 22:55:45.003: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.0.10.6:5246
*Apr 3 22:56:53.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.10.6 peer_port: 5246
*Apr 3 22:56:53.000: %CAPWAP-1-SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed.Peer certificate verification failed FFFFFFFF

Scott Fella · ‎04-03-2021

Yes it is. Take a look at the compatibility matrix. This will come in handy.

https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

-Scott
*** Please rate helpful posts ***

eigrpy · ‎04-03-2021

Thanks for your reply. The link does not list vWLC

Can you tell what is the latest version of vwlc the AP can join?

Scott Fella · ‎04-03-2021

You look at the code.

-Scott
*** Please rate helpful posts ***

Scott Fella · ‎04-03-2021

Look at the ap model and see what image it first was supported, what is the last supported image, or if it’s still supported.

-Scott
*** Please rate helpful posts ***

eigrpy · ‎04-03-2021

Thank you very much for your reply.

What that mean with " - " in the table? I also have ap 3700, how about this 3700?

Leo Laohoo · ‎04-03-2021

The "final" AP support for a 3600 is 8.5.X.X.

eigrpy · ‎04-03-2021

" - " means it has not have final. if this is case, based on the table, the ap 3700 could be compatible with wlc up to latest one, which is 8.10-

Scott Fella · ‎04-03-2021

That is correct.

-Scott
*** Please rate helpful posts ***

eigrpy · ‎04-03-2021

the ios of vwlc changed to 8.5(AIR_CTVM-K9_8_5_161_0.ova) from 8.10 based the table, but it still cannot work. The below is the AP message:

909c.b654#sh version
Cisco IOS Software, C3700 Software (AP3G2-K9W8-M), Version 15.3(3)JA12, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Fri 20-Oct-17 20:51 by prod_rel_team

ROM: Bootstrap program is C3700 boot loader
BOOTLDR: C3700 Boot Loader (AP3G2-BOOT-M) LoaderVersion 15.2(4)JB, RELEASE SOFTWARE (fc1)

APd8b1.909c.b654 uptime is 58 minutes
System returned to ROM by power-on
System image file is "flash:/ap3g2-k9w8-mx.153-3.JA12/ap3g2-k9w8-xx.153-3.JA12"
Last reload reason:

/////////////

*Apr 4 02:43:04.003: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:508 Certificate verified failed!
*Apr 4 02:43:04.003: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.0.10.5:5246
*Apr 4 02:43:04.003: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.0.10.5:5246
*Apr 4 02:44:08.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Apr 4 02:44:09.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.10.5 peer_port: 5246
*Apr 4 02:44:14.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:929 Unexpected message received while expecting HelloVerifyRequest
*Apr 4 02:44:14.999: %DTLS-5-SEND_ALERT: Send FATAL : Unexpected message Alert to 10.0.10.5:5246
*Apr 4 02:44:14.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.0.10.5:5246
*Apr 4 02:45:35.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Apr 4 02:45:24.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.10.5 peer_port: 5246
*Apr 4 02:45:37.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:929 Unexpected message received while expecting HelloVerifyRequest
*Apr 4 02:45:37.999: %DTLS-5-SEND_ALERT: Send FATAL : Unexpected message Alert to 10.0.10.5:5246
*Apr 4 02:45:37.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.0.10.5:5246
*Apr 4 02:46:28.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

Scott Fella · ‎04-03-2021

You can just search the internet for some pieces of your output. Here is one thing I found searching.
https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63916.html

-Scott
*** Please rate helpful posts ***

Leo Laohoo · ‎04-03-2021

@eigrpy wrote:

System image file is "flash:/ap3g2-k9w8-mx.153-3.JA12/ap3g2-k9w8-xx.153-3.JA12"

This means the AP has joined a controller and downloaded the full CAPWAP firmware. In enable mode, do the following:

debug capwap console cli
clear capwap private

Reboot the AP by pulling the power (do not use the "reload" command).

eigrpy · ‎04-03-2021

No, it cannot work after entering that command

we cannot say ap joined. the ap keeps sending message: "sending Join Request to 10.0.10.5" (wlc) and we cannot see it in wlc

Scott Fella · ‎04-03-2021

Try to just factory reset the ap. Hold the mode button down and power on the ap while still holding the mode button. Wait for the led to flash red which takes around 20 seconds. Also make sure the ap is on the same subnet as the wlc management for an easier join.
Console into the ap and look at the messages. If the ap still does not join, copy some of the messages and just do a search. You will find other post that might provide you with your answers.

-Scott
*** Please rate helpful posts ***

eigrpy · ‎04-04-2021

Tried all your suggestions, but none of them can work. I list the below vwlc and i cannot try all of them. I appreciate if some one can tell which one can work for ap 3700 or 3600. I cannot believe cisco compatibility matrix. I know one version can work, but it is too old. That's why i am trying to get new one. Thank you all for your time and suggestions

MFG_CTVM_LARGE_8.6.101.0.iso 319.62 MB