01-11-2022 04:53 AM - edited 01-11-2022 04:54 AM
Hello, colleagues! I deployed the WLC 9800 on ESXi, transferred the access point 9105AXI to a lightweight one with the command "ap-type capwap".
But then a problem arose: the access point receives its IP from DHCP (15 VLAN), the controller sees it, but they do not want to work, the point does not connect (not join). In the controller:
"Reason for last AP connection failure: DTLS cert-chain not available"
On AP the following:
What should I do?
Accepted Solutions
01-11-2022 06:07 AM
Hi,
Looks like a trust point issue to me.
Check this post:
https://gblogs.cisco.com/ch-tech/setup-your-lab-with-catalyst-9800-cl/
You can also manually create a trust point, for example:
WLC#wireless config vwlc-ssc key-size 2048 signature-algo sha256 password 0 ...
Regards
Don't forget to rate helpful posts
01-11-2022 05:27 AM
Hi
Most probably they are in different time. Make sure both are on the same time.
01-11-2022 08:31 PM
Hi! At the moment, different time zones. What command can I use to change the time zone on the access point at the moment?
01-11-2022 07:26 AM
Very common question - have you read previous posts on the subject?
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
03-21-2024 03:21 AM
I had a similar issue last night when upgrading a 9800-80 from 17.9.4a to 17.9.5. 1600 APs all refusing to connect with a "DTLS cert-chain not available" error.
There's nothing in the release notes to say that the config needs to be changed, but there's a clue as to what the certificate ought to be.
The command wireless management trustpoint CISCO_IDEVID_CMCA3_SUDI fixed it; all APs started pouring in, realised they needed to switch firmware, cleared off and came back.
9800WLC#sh ap image
Total number of APs : 0
Number of APs
Initiated : 0
Downloading : 0
Predownloading : 0
Completed downloading : 0
Completed predownloading : 0
Not Supported : 0
Failed to Predownload : 0
Predownload in progress : No
9800WLC#wireless config validate
wireless management trustpoint is not set
9800WLC#show wireless management trustpoint
Trustpoint Name :
Certificate Info : Not Available
Private key Info : Not Available
FIPS suitability : Not Applicable
9800WLC#conf t
Enter configuration commands, one per line. End with CNTL/Z.
9800WLC(config)#wireless management trustpoint CISCO_IDEVID_CMCA3_SUDI
9800WLC(config)#^Z
9800WLC#show wireless management trustpoint
Trustpoint Name : CISCO_IDEVID_CMCA3_SUDI
Certificate Info : Available
Certificate Type : MIC
Certificate Hash : ****HIDDEN****
Private key Info : Available
FIPS suitability : Not Applicable
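
A post-upgrade check built on the output shown in the post above, as an added example that is not part of the original thread: it parses `show wireless management trustpoint` output and reports the unset-trustpoint state that the post associates with the "DTLS cert-chain not available" join failure. The function names are hypothetical, and the sample input is constructed from the two outputs quoted above; collecting the output from the controller is left to whatever tooling is already in use.

```python
import re

# Constructed sample input: the two "show wireless management trustpoint"
# outputs quoted in the post above (before and after the fix).
BEFORE = """\
Trustpoint Name :
Certificate Info : Not Available
Private key Info : Not Available
FIPS suitability : Not Applicable
"""
AFTER = """\
Trustpoint Name : CISCO_IDEVID_CMCA3_SUDI
Certificate Info : Available
Certificate Type : MIC
Certificate Hash : ****HIDDEN****
Private key Info : Available
FIPS suitability : Not Applicable
"""

# "Key : value" lines; the value may be empty (unset trustpoint name).
FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")

def parse_trustpoint(text):
    """Turn 'Key : value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields

def trustpoint_findings(text):
    """List the problems visible in the output; an empty list means OK."""
    f = parse_trustpoint(text)
    findings = []
    if not f.get("trustpoint name"):
        findings.append("wireless management trustpoint is not set")
    if f.get("certificate info", "").lower() != "available":
        findings.append("certificate not available")
    if f.get("private key info", "").lower() != "available":
        findings.append("private key not available")
    return findings

if __name__ == "__main__":
    for label, out in (("before", BEFORE), ("after", AFTER)):
        print(label, trustpoint_findings(out) or "OK")
```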
