
AP cannot join vwlc 8.10

eigrpy
Level 4

Hello, AP3602 can join vwlc 8.0 but cannot join vwlc 8.10-. Is this WLC version too high? If so, what is the latest version of vwlc the AP can join? Below is the AP message. Thank you!

 

 

*Apr 3 22:55:45.000: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:508 Certificate verified failed!
*Apr 3 22:55:45.003: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.0.10.6:5246
*Apr 3 22:55:45.003: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.0.10.6:5246
*Apr 3 22:56:53.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.10.6 peer_port: 5246
*Apr 3 22:56:53.000: %CAPWAP-1-SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed.Peer certificate verification failed FFFFFFFF


Scott Fella
Hall of Fame
Yes it is. Take a look at the compatibility matrix. This will come in handy.

https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html
-Scott
*** Please rate helpful posts ***

Thanks for your reply. The link does not list vWLC

Can you tell me what the latest version of vwlc is that the AP can join?

You look at the code.
-Scott
*** Please rate helpful posts ***

Look at the ap model and see what image it first was supported, what is the last supported image, or if it’s still supported.
-Scott
*** Please rate helpful posts ***

Thank you very much for your reply.

What does " - " mean in the table? I also have an AP 3700; how about this 3700?

 


Leo Laohoo
Hall of Fame

The "final" AP support for a 3600 is 8.5.X.X. 

" - " means it does not have a final version. If this is the case, based on the table, the AP 3700 could be compatible with the WLC up to the latest one, which is 8.10-

That is correct.
-Scott
*** Please rate helpful posts ***

The IOS of the vwlc was changed to 8.5 (AIR_CTVM-K9_8_5_161_0.ova) from 8.10 based on the table, but it still cannot work. Below is the AP message:

 

 

909c.b654#sh version
Cisco IOS Software, C3700 Software (AP3G2-K9W8-M), Version 15.3(3)JA12, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Fri 20-Oct-17 20:51 by prod_rel_team

ROM: Bootstrap program is C3700 boot loader
BOOTLDR: C3700 Boot Loader (AP3G2-BOOT-M) LoaderVersion 15.2(4)JB, RELEASE SOFTWARE (fc1)

APd8b1.909c.b654 uptime is 58 minutes
System returned to ROM by power-on
System image file is "flash:/ap3g2-k9w8-mx.153-3.JA12/ap3g2-k9w8-xx.153-3.JA12"
Last reload reason:

 

 

 

/////////////

*Apr 4 02:43:04.003: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:508 Certificate verified failed!
*Apr 4 02:43:04.003: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.0.10.5:5246
*Apr 4 02:43:04.003: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.0.10.5:5246
*Apr 4 02:44:08.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Apr 4 02:44:09.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.10.5 peer_port: 5246
*Apr 4 02:44:14.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:929 Unexpected message received while expecting HelloVerifyRequest
*Apr 4 02:44:14.999: %DTLS-5-SEND_ALERT: Send FATAL : Unexpected message Alert to 10.0.10.5:5246
*Apr 4 02:44:14.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.0.10.5:5246
*Apr 4 02:45:35.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Apr 4 02:45:24.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.10.5 peer_port: 5246
*Apr 4 02:45:37.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:929 Unexpected message received while expecting HelloVerifyRequest
*Apr 4 02:45:37.999: %DTLS-5-SEND_ALERT: Send FATAL : Unexpected message Alert to 10.0.10.5:5246
*Apr 4 02:45:37.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.0.10.5:5246
*Apr 4 02:46:28.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

You can just search the internet for some pieces of your output. Here is one thing I found searching.
https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63916.html
-Scott
*** Please rate helpful posts ***
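
Added example, not part of any post in this thread: a Python script that collapses AP console output like the lines quoted above into distinct error signatures and per-controller fatal DTLS alerts, which gives clean strings to search for. The sample log is constructed in the shape of the lines posted here, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, in the shape of the AP console lines quoted in this thread.
SAMPLE_LOG = """\
*Apr 4 02:43:04.003: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:508 Certificate verified failed!
*Apr 4 02:43:04.003: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.0.10.5:5246
*Apr 4 02:43:04.003: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.0.10.5:5246
*Apr 4 02:43:05.000: %CAPWAP-1-SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed.Peer certificate verification failed FFFFFFFF
*Apr 4 02:44:09.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.10.5 peer_port: 5246
*Apr 4 02:44:14.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:929 Unexpected message received while expecting HelloVerifyRequest
*Apr 4 02:44:14.999: %DTLS-5-SEND_ALERT: Send FATAL : Unexpected message Alert to 10.0.10.5:5246
*Apr 4 02:44:14.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.0.10.5:5246
"""

LINE = re.compile(r"^\*(?P<ts>\w{3}\s+\d+\s+[\d:.]+):\s+(?P<body>.+)$")
SYSLOG = re.compile(r"^%(?P<tag>[A-Z0-9_]+-\d-[A-Z0-9_]+):\s*(?P<msg>.*)$")
CLIENT_ERR = re.compile(r"^DTLS_CLIENT_ERROR:\s+(?P<src>\S+\.c:\d+)\s+(?P<msg>.*)$")
ALERT = re.compile(r"Send FATAL : (?P<alert>.+?) Alert to (?P<peer>[\d.]+):(?P<port>\d+)")

def parse_line(line):
    """Split one console line into timestamp, tag, source location and message."""
    m = LINE.match(line.strip())
    if not m:
        return None
    body = m["body"]
    for rx, default_tag in ((SYSLOG, None), (CLIENT_ERR, "DTLS_CLIENT_ERROR")):
        hit = rx.match(body)
        if hit:
            g = hit.groupdict()
            return {"ts": m["ts"], "tag": g.get("tag") or default_tag,
                    "src": g.get("src"), "msg": g["msg"].strip()}
    return {"ts": m["ts"], "tag": "INFO", "src": None, "msg": body.strip()}

def failure_signatures(log):
    """Count distinct error texts, dropping timestamps so repeats collapse."""
    recs = filter(None, map(parse_line, log.splitlines()))
    return Counter((r["tag"], r["msg"]) for r in recs
                   if r["tag"] == "DTLS_CLIENT_ERROR" or "FAILED" in r["tag"])

def fatal_alerts(log):
    """Count fatal DTLS alerts the AP sent, keyed by (controller IP, alert name)."""
    return Counter((a["peer"], a["alert"]) for a in ALERT.finditer(log))

if __name__ == "__main__":
    for (tag, msg), n in failure_signatures(SAMPLE_LOG).most_common():
        print(n, tag, msg)
    for (peer, alert), n in fatal_alerts(SAMPLE_LOG).most_common():
        print(n, peer, alert)
```
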


@eigrpy wrote:

System image file is "flash:/ap3g2-k9w8-mx.153-3.JA12/ap3g2-k9w8-xx.153-3.JA12"


This means the AP has joined a controller and downloaded the full CAPWAP firmware.  In enable mode, do the following: 

debug capwap console cli
clear capwap private

Reboot the AP by pulling the power (do not use the "reload" command).

No, it cannot work after entering that command.

We cannot say the AP joined. The AP keeps sending the message "sending Join Request to 10.0.10.5" (WLC), and we cannot see it in the WLC.

Try to just factory reset the AP. Hold the mode button down and power on the AP while still holding the mode button. Wait for the LED to flash red, which takes around 20 seconds. Also make sure the AP is on the same subnet as the WLC management for an easier join.
Console into the AP and look at the messages. If the AP still does not join, copy some of the messages and just do a search. You will find other posts that might provide you with your answers.
-Scott
*** Please rate helpful posts ***

Tried all your suggestions, but none of them work. I list the vwlc images below, and I cannot try all of them. I would appreciate it if someone could tell me which one can work for AP 3700 or 3600. I cannot believe the Cisco compatibility matrix. I know one version can work, but it is too old. That's why I am trying to get a new one. Thank you all for your time and suggestions.

 


MFG_CTVM_LARGE_8.6.101.0.iso 319.62 MB
