Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3505
Views
15
Helpful
8
Replies

AP negotiated unexpected DTLS version v1.0 on C9800L

MM15
Level 1
Level 1

‎10-11-2022 05:48 AM

Hi,

Has anyone experienced this problem on C9800L? please suggest

%CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 1 R/0: wncd: AP Event: AP Name: XXXX @~V Mac: xxxx.xxxx.xxxx
Session-IP: x.x.x.x[5272] x.x.x.x[5246] Disjoined Unexpected DTLS versionlic_sIm_event_notification: Received global event notification 16386
YAPMGR_TRACE_MESSAGE-3-WLC_GEN_ERR: Chassis 1 R0/0: wncd: Error in AP Join, XXXX , mac:xxxx.xxxx.xxxxModel AIR-AP18321-S-K9, AP negotiated unexpected DTLS version v1.0

0 Helpful
8 Replies 8

Rasika Nayanajith
VIP
VIP

‎10-11-2022 07:17 AM - edited ‎10-11-2022 07:19 AM

What version of firmware on your 9800 ?

May be AP came up with old image that uses DTLS 1.0. In typical 9800 deployments, I have seen AP uses DTLS v1.2. You can take PCAP on WLC GUI (Troubleshooting -> Packet Capture) to verify it.

HTH
Rasika
*** Pls rate all useful responses ***

MM15
Level 1
Level 1

‎10-11-2022 08:48 PM

In the previous event, these APs were used with the WLC2504, but after migrating to the C9800 there was a problem. Can we hard reset the AP or need to upgrade the AP image?

Or is there any other solution, please suggest.

0 Helpful

Rich R
VIP
VIP

‎10-12-2022 06:20 AM

@MM15 you did not answer @Rasika Nayanajith's question!
It's very difficult to provide accurate answers if you don't supply the correct detailed information!
Based on the very limited information you've provided I'd guess your AP has very old software and the 9800 has one of the newer 17.3 or later versions of IOS-XE which are not compatible.
Resetting the AP will not resolve that problem - you must upgrade the AP software.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful

MM15
Level 1
Level 1
In response to Rich R

‎10-13-2022 06:38 AM

I’m trying to upgrade AP image. 2504 using 8.5 and 9800 using 17.9. But if upgrading the AP image works, It would be difficult to upgrade one by one.

0 Helpful

Arshad Safrulla
VIP Alumni
VIP Alumni
In response to MM15

‎10-13-2022 01:45 PM

Hi Supakorn,

If you are talking about an WAVE1 AP, i am pretty certain that it doesn't support dtls 1.2. But considering that you are running 17.9 in 9800L Wave1 AP's are not supported. 

I am not sure why this error is and I will not be worrying too much as long as AP registers to the 9800 WLC. If you have a security concern and wants to limit the dtls versions in use then you can hardcode your 9800 WLC using below command. (there is a possibilty either an unsupported AP trying to join the new WLC or an AP registered to 2504 trying to register the 17.9 with dtls v.1.0)

ap dtls-cipher <Choose the preferred cipher by using ?>
ap dtls-version <Chose the preferred dtls version>

Then you can use the below command to verify what ciphers and dtls versions ap has negotiated. 

show wireless dtls connections

 

 

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

Rich R
VIP
VIP

‎10-13-2022 06:55 AM - edited ‎10-13-2022 06:58 AM

2504 using 8.5

What version *exactly* is the 2504 running? 

Anything older than 8.5.182.0 is almost certain to not work. 

So you could try upgrading the 2504 to 8.5.182.0 if it isn't already.

If that doesn't work then you could downgrade the 9800 to the earliest release which it will support (which will probably work), migrate all the APs, and then upgrade the 9800 to your preferred release.  Always remember to read the release notes carefully and note any warnings/caveats mentioned in https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html#anc10 and https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214749-tac-recommended-ios-xe-builds-for-wirele.html

Otherwise, you'll just have to do each AP individually.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

MM15
Level 1
Level 1
In response to Rich R

‎10-16-2022 09:25 PM

That's good advice. I'll try upgrading to 2504 or downgrade 9800.

0 Helpful

Rich R
VIP
VIP

‎10-13-2022 03:19 PM

@Arshad Safrulla the output above shows it's an 1832 so it is wave 2 - I suspect running very old 8.5 code (if indeed it is running 8.5 as OP claims):
"YAPMGR_TRACE_MESSAGE-3-WLC_GEN_ERR: Chassis 1 R0/0: wncd: Error in AP Join, XXXX , mac:xxxx.xxxx.xxxxModel AIR-AP18321-S-K9, AP negotiated unexpected DTLS version v1.0

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card