03-09-2025 09:22 AM
I am attempting to migrate my 1572 APs to an updated WLC 2504 running 8.5.151.0. This is for my home lab network.
1572s were working on 8.0.152.0; now they continually disassociate while trying to download the new image. I found Community posts that corrected the issue by disabling NTP and setting the date to 2 Dec 2022. That doesn't seem to help. I've tried a fresh configuration wizard and a hard reset of the AP.
Are there other corrections I could try?
Thank you
Joel
03-10-2025 05:32 AM
You need to read all the Field Notices in my signature below.
And you need to use 8.5.182.12 code.
If you have the CAPWAP image you should be able to install it directly to the AP via TFTP - the AP doesn't do the same certificate check for TFTP install that it does for CAPWAP download.
If you need to get 8.5.182.12 from Cisco ...
Find a recent security advisory that affects 8.5 code and find the section which says "Customers without Service Contracts" then contact TAC quoting the URL of the advisory, the paragraph just mentioned and the version and URL https://software.cisco.com/download/specialrelease/9a6a7cf84f9fdf04b95c76e2ac7820e7 for the software you want to download and serial number of your WLC. You'll have to mention which platform you need the image for (2504) because they have all of them there at that URL. Then TAC should publish it to you directly.
This advisory should be suitable: Cisco Wireless LAN Controller AireOS Software FIPS Mode Denial of Service Vulnerability because CSCwa40778 : Bug Search Tool (cisco.com) is fixed in 8.5.182.12. (even though the advisory itself says upgrade to 8.10)
"Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade."
03-12-2025 01:53 PM
I found my mistake. Caught on the AP console log that certificates on two of the 1572s had first valid dates of 7 Dec 2022. When I was setting the date manually to 2 Dec 2022 per the boot loop bulletin I was causing 2 of my APs to fail to download. The really confusing thing was that my 1572 I was using as the Mesh RAP had an early enough certificate to successfully join.
Glad I caught it. I was about ready to give up.
03-09-2025 09:55 AM
-If the problem is due to APs with expired certificates then setting time back to 2022 is not far enough in the past:
Try this first on the controller : ap cert-expiry-ignore ssc enable
ap cert-expiry-ignore mic enable
M.
03-09-2025 10:33 AM
M.
Thank you for the reply. I had run the ignore command for MIC. After your post I also ran the command for SSC. Tried a couple of date ranges. The AP pops right up on the GUI so I have to think it's not an expired certificate issue?? Maybe my thinking is wrong. AP goes right back to the disassociation cycle with 181 being the cause.
03-09-2025 10:51 AM
- @JoelDarbro50834 - The problem, as seen from the logs, is likely not related to expired MIC or SSC indeed, so then you need to look at my other reply: https://community.cisco.com/t5/wireless/ap-fails-to-join-updated-wlc/m-p/5269210/highlight/true#M281441
Now this could be a showstopper: if you look at the bug report being mentioned, then the versions mentioned for the problem are 8.8.x and 8.7.x, which are already beyond what the 2504 can run, and so would be any bugfixes.
But it's unclear why you get the issue now and not before.
In general I see it as a 'native' problem when using an older controller(s); I can only recommend to go back to the (a) version that works (or a controller which you had with the working version).
M.
03-09-2025 10:02 AM
- Following this bug report : https://bst.cisco.com/bugsearch/bug/CSCvq46204?rfs=qvred
and according to https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html
I would suggest that you use the last supported and available release for this controller model :
8.5.182.12 (8.5.182.13 for 3504s)
The reason being that AireOS is being phased out, support is diminishing, and using the last release becomes recommended.
M.
03-09-2025 10:34 AM
Being just a home lab setup, I don't have any way to download new firmware.
03-09-2025 11:34 AM
I hate to think you are likely correct. One last thing I wanted to try was to console into the AP and see if I could reset it to factory defaults. On the GUI wireless tab it is still showing 8.0.152.0 as the current software. It has never managed to load 8.5.151.0.
I had found in a post one time that Cisco had a subscription for home labs $199 where you could download older software for personal use??
03-09-2025 12:14 PM
- You could indeed try to install the needed CAPWAP image (version) manually ; I think these are free for download.
Procedure can be found here : https://community.cisco.com/t5/wireless-mobility-knowledge-base/access-point-rommon-recovery-ap-prompt-recovery-example/ta-p/3119495
Of course you will use other images.
M.
03-09-2025 02:38 PM
I consoled into the AP. Log below. It looks like it doesn't have the new CAPWAP image then suffers a fatal error after downloading CAPWAP image.
When the new WLC is up the wireless tab has 0.0.0.0 in the IP address field. Is it not getting assigned a valid IP address? On the router, I can ping it and it's always at 10.0.0.65. I can ping the WLC from the AP.
Couldn't find a Cisco site where I could download a new CAPWAP file to manually load.
Main goal with moving to newer WLC and firmware was to have more compatible APs to use.
*Mar 1 00:01:34.295: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
*Apr 1 16:13:17.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.0.20 peer_port: 5246
examining image...
*Apr 1 16:13:18.399: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.0.0.20 peer_port: 5246
*Apr 1 16:13:18.399: %CAPWAP-5-SENDJOIN: sending Join Request to 10.0.0.20perform archive download capwap:/c1570 tar file
*Apr 1 16:13:18.467: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
ERROR: Image is not a valid IOS image archive.
Download image failed, notify controller!!! From:8.0.152.0 to 0.0.0.0, FailureCode:3
archive download: takes 80 seconds
*Apr 1 16:14:38.471: capwap_image_proc: problem extracting tar file
*Apr 1 16:14:38.471: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.0.0.20:5246
*Apr 1 16:14:39.575: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Apr 1 16:14:39.583: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Apr 1 16:14:40.575: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state
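As an added example (not from this thread or from Cisco), here is a small Python triage script: it reads the AP console output quoted above to locate where the join sequence broke (DTLS succeeded, the image download failed with a target version of 0.0.0.0), and, for the certificate-date problem that later turns out to be the cause, checks a manually set clock date against each AP's certificate validity window. AP names and certificate dates are constructed.

```python
import re
from datetime import date

# Constructed sample: the AP console lines quoted in the post above.
SAMPLE_LOG = """\
*Apr 1 16:13:18.399: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.0.0.20 peer_port: 5246
*Apr 1 16:13:18.467: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
ERROR: Image is not a valid IOS image archive.
Download image failed, notify controller!!! From:8.0.152.0 to 0.0.0.0, FailureCode:3
*Apr 1 16:14:38.471: capwap_image_proc: problem extracting tar file
*Apr 1 16:14:38.471: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.0.0.20:5246
"""

FAIL_RE = re.compile(r"Download image failed.*?From:([\d.]+) to ([\d.]+), FailureCode:(\d+)")

def triage_ap_log(text):
    """Return what the log says about where the join sequence broke."""
    m = FAIL_RE.search(text)
    return {
        "dtls_established": "%CAPWAP-5-DTLSREQSUCC" in text,  # DTLS/certificate handshake passed
        "invalid_archive": "not a valid IOS image archive" in text,
        "from_version": m.group(1) if m else None,
        "target_version": m.group(2) if m else None,  # 0.0.0.0 = WLC offered no usable image
        "failure_code": int(m.group(3)) if m else None,
        "dtls_closed_after_download": "%DTLS-5-SEND_ALERT" in text,
    }

# Constructed AP certificate windows (notBefore, notAfter); names and dates are assumed.
CERTS = {
    "rap-1572": (date(2022, 6, 1), date(2032, 6, 1)),
    "ap-1572-2": (date(2022, 12, 7), date(2032, 12, 7)),
    "ap-1572-3": (date(2022, 12, 7), date(2032, 12, 7)),
}

def clock_violations(clock, certs):
    """APs whose certificate is not yet valid (or already expired) at the chosen clock date."""
    return sorted(name for name, (nb, na) in certs.items() if not nb <= clock <= na)

def choose_clock_date(certs):
    """Earliest date inside every AP's validity window, or None if the windows do not overlap."""
    earliest = max(nb for nb, _ in certs.values())
    return earliest if earliest <= min(na for _, na in certs.values()) else None

if __name__ == "__main__":
    print(triage_ap_log(SAMPLE_LOG))
    print(clock_violations(date(2022, 12, 2), CERTS), choose_clock_date(CERTS))
```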
03-10-2025 01:08 AM
- @JoelDarbro50834 Looks like a wrong image was installed ; try https://software.cisco.com/download/home/286283431/type/280775090/release/15.3.3-JF10
M.
03-10-2025 06:36 AM
I have the Cisco 8.5.182.12 aes and associated bundle files. From reading the release notes, it says I can upgrade directly from the current IOS version. I’m not clear from the release notes if upgrading the IOS will automatically generate a new/valid AP capwap image to download?? There was a note about the AP downloading the image twice, but that referenced an older model AP.
03-10-2025 07:38 AM
It does install the AP images with the new controller code.
Double download only applies to 1700/2700/3700 APs because of the change of name of the 3700 image. (ap3g2/c3700)
03-10-2025 06:43 AM
Thank you Rich
I had actually found your earlier post when researching this problem on the forum. I read the attached field notices. I now have 8.5.182.12 aes and bundle files. I've read the release notes and double checked the compatibility matrix.
It isn't 100% clear to me if the IOS upgrade will create a new AP image and correct the problem or if I need to try and get the C3700 AP tar file and do a manual AP image install first.
It's been a long time since I've upgraded WLC software. I'll have to do more studying first.
03-10-2025 07:10 AM - edited 03-10-2025 07:12 AM
This is a home lab, so why not just downgrade back to what you had working? Then you can figure out what code version you need. You can also then upgrade slowly to see which versions work and which don't. That way you have some practice upgrading and downgrading, not just upgrading. What you don't want to do is read too many posts and not be clear about what they say. You can brick your device and then you will be out of luck.