Re: AP Fails to vWLC

uni1389 · ‎04-04-2025

Hello Guys.

I am established lab Wireless Topology for testing purposes . I am using vWLC(8.10.196.0) with 2xAPs AIR-LAP1042N-E-K9 (Cisco IOS Software, C1040 Software (C1140-RCVK9W8-M), Version 12.4(23c)JA). am getting following error during AP joining to vWLC. Is there any possibilty to joins olds APs with vWLC.

***********************************************************************
*Apr 4 13:27:55.999: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Apr 4 13:26:51.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.0.150 peer_port: 5246
*Apr 4 13:26:51.014: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Apr 4 13:26:51.014: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Apr 4 13:26:51.014: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:333 Certificate verified failed!
*Apr 4 13:26:51.014: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.0.150
*Apr 4 13:26:51.014: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.0.150:5246
*Apr 4 13:26:51.014: %DTLS-3-BAD_RECORD: Erroneous record received from 192.168.0.150: Malformed Certificate
*Apr 4 13:26:51.015: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.0.150:5246
*Apr 4 13:26:51.015: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)

*Apr 4 13:27:56.000: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Apr 4 13:27:56.000: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Apr 4 13:27:56.017: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
*Apr 4 13:28:06.018: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Apr 4 13:29:14.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.0.150 peer_port: 5246
*Apr 4 13:29:14.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Apr 4 13:29:14.010: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Apr 4 13:29:14.010: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Apr 4 13:29:14.010: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:333 Certificate verified failed!
*Apr 4 13:29:14.011: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.0.150
*Apr 4 13:29:14.011: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.0.150:5246
*Apr 4 13:29:14.011: %DTLS-3-BAD_RECORD: Erroneous record received from 192.168.0.150: Malformed Certificate
*Apr 4 13:29:14.011: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.0.150:5246

**************************************************************************************************

MHM Cisco World · ‎04-04-2025

https://www.wiresandwi.fi/blog/cisco-wlc-or-ap-device-certificate-expired-what-you-can-do

marce1000 · ‎04-04-2025

FYI : https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Leo Laohoo · ‎04-04-2025

1040/1140 last firmware support is 8.4.X.X.

uni1389 · ‎04-07-2025

It means that I should go with Cisco IOS vWLC 8.4 or below right. ? or still any further workaround be there. ?

*****************************************************
AP#show capwap ip config

LWAPP Static IP Configuration
IP Address 192.168.0.211
IP netmask 255.255.255.0
Default Gateway 192.168.0.1
Primary Controller 192.168.0.150

Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)

*Apr 7 09:48:05.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.0.150:5246
*Apr 7 09:48:06.059: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
*Apr 7 09:48:06.097: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Apr 7 09:48:06.098: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Apr 7 09:48:06.100: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Apr 7 09:48:06.190: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Apr 7 09:48:06.195: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
*Apr 7 09:48:07.097: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Apr 7 09:48:07.126: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Apr 7 09:48:07.131: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Apr 7 09:48:08.121: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Apr 7 09:48:08.126: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Apr 7 09:48:08.153: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Apr 7 09:48:08.159: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Apr 7 09:48:08.164: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Apr 7 09:48:09.153: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Apr 7 09:48:09.159: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Apr 7 09:48:09.185: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Apr 7 09:48:10.185: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Apr 7 09:48:16.198: %CAPWAP-3-ERRORLOG: Selected MWAR 'ciscovwlc'(index 0).
*Apr 7 09:48:16.198: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Apr 7 09:48:18.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.0.150 peer_port: 5246
*Apr 7 09:48:18.812: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.0.150 peer_port: 5246
*Apr 7 09:48:18.813: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.0.150
*Apr 7 09:48:23.812: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.0.150

**********************************************************

AP#show version | inc flash
System image file is "flash:/c1140-k9w8-mx.152-4.JB5/c1140-k9w8-mx.152-4.JB5"
32K bytes of flash-simulated non-volatile configuration memory.
**********************************************************

Leo Laohoo · ‎04-07-2025

FN63942 - Cisco Wireless Lightweight Access Points and WLAN Controllers Fail to Create CAPWAP Connections Due to Certificate Expiration

uni1389 · ‎04-07-2025

Now I have vWLC version 8.2.170.0 and AP has following IOS. any suggestions to test vWLC features on lab eviornmwent. I can upgrade/degrade IOS from both APs/vWLCs.

Cisco IOS Software, C1040 Software (C1140-K9W8-M), Version 15.2(4)JB5, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Thu 01-May-14 23:13 by prod_rel_team

ROM: Bootstrap program is C1040 boot loader
BOOTLDR: C1040 Boot Loader (C1140-BOOT-M) Version 12.4(23c)JA3, RELEASE SOFTWARE (fc1)

AP6c20.5648.ebad uptime is 42 minutes
System returned to ROM by reload
System image file is "flash:/c1140-k9w8-mx.152-4.JB5/c1140-k9w8-mx.152-4.JB5"

********************************************************************

AP6c20.5648.ebad#show capwap ip config

LWAPP Static IP Configuration
IP Address 192.168.0.211
IP netmask 255.255.255.0
Default Gateway 192.168.0.1
Primary Controller 192.168.0.91

******************************************************************************************************

*Apr 7 14:04:27.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.0.91 peer_port: 5246
*Apr 7 14:04:27.814: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.0.91 peer_port: 5246
*Apr 7 14:04:27.816: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.0.91
*Apr 7 14:04:32.814: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.0.91
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)

*Apr 7 14:05:26.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.0.91:5246
*Apr 7 14:05:27.058: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
*Apr 7 14:05:27.096: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Apr 7 14:05:27.097: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Apr 7 14:05:27.100: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Apr 7 14:05:27.188: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Apr 7 14:05:27.190: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
*Apr 7 14:05:28.096: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Apr 7 14:05:28.126: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Apr 7 14:05:28.131: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Apr 7 14:05:29.120: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Apr 7 14:05:29.126: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Apr 7 14:05:29.152: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Apr 7 14:05:29.158: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Apr 7 14:05:29.163: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Apr 7 14:05:30.152: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Apr 7 14:05:30.158: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Apr 7 14:05:30.184: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Apr 7 14:05:31.184: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Apr 7 14:05:37.193: %CAPWAP-3-ERRORLOG: Selected MWAR 'vWLC8.2'(index 0).
*Apr 7 14:05:37.193: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Apr 7 14:05:39.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.0.91 peer_port: 5246
*Apr 7 14:05:39.811: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.0.91 peer_port: 5246
*Apr 7 14:05:39.812: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.0.91

AP6c20.5648.ebad#show ip int br
Interface IP-Address OK? Method Status Protocol
BVI1 192.168.0.211 YES TFTP up up
Dot11Radio0 unassigned NO unset up up
Dot11Radio1 unassigned NO unset up up
GigabitEthernet0 unassigned NO unset up up

***************************************************

Leo Laohoo · ‎04-07-2025

What is the serial number of the AP?

uni1389 · ‎04-08-2025

sent per message. regards

Leo Laohoo · ‎04-08-2025

Let's try this: Roll back the year of the WLC to 2020 and reboot the AP.

Rich R · ‎04-13-2025

Did you get it working @uni1389 ?
Even with the right software you still need to follow all the instructions in FN63942, in the right order.
Did you configure config ap cert-expiry-ignore mic enable on the WLC?

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390