
AP NOT Joined

antonioxud80
Level 1
Good Evening,
 
I have a problem with a Cisco 5508 controller: no APs are able to connect.
 

*spamApTask2: Nov 27 18:14:50.099: 00:5f:86:1e:66:e0 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 100, joined Aps =0
*spamApTask2: Nov 27 18:14:50.099: 00:5f:86:1e:66:e0 Primary Discovery Response sent to 10.40.94.199:15203

*spamApTask6: Nov 27 18:14:50.249: c4:0a:cb:5c:7a:90 Primary Discovery Request from 10.40.94.114:48716

*spamApTask6: Nov 27 18:14:50.249: c4:0a:cb:5c:7a:90 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 100, joined Aps =0
*spamApTask6: Nov 27 18:14:50.250: c4:0a:cb:5c:7a:90 Primary Discovery Response sent to 10.40.94.114:48716

*spamApTask6: Nov 27 18:14:50.250: c4:0a:cb:5c:7a:90 Primary Discovery Request from 10.40.94.114:48716

*spamApTask6: Nov 27 18:14:50.250: c4:0a:cb:5c:7a:90 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 100, joined Aps =0
*spamApTask6: Nov 27 18:14:50.250: c4:0a:cb:5c:7a:90 Primary Discovery Response sent to 10.40.94.114:48716

*spamApTask4: Nov 27 18:14:50.251: c4:0a:cb:2d:c3:d0 Primary Discovery Request from 10.40.94.59:1321

 

Do you have any suggestions?

 

many thanks

 

Regards Antonio


*Nov 28 12:38:27.001: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.40.92.8:5246
*Nov 28 12:38:27.051: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
*Nov 28 12:38:27.064: %CAPWAP-3-ERRORLOG: Binding Config Initialization failed for binding 1

*Nov 28 12:38:27.070: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Nov 28 12:38:27.089: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Nov 28 12:38:28.077: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Nov 28 12:38:28.099: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Nov 28 12:38:28.105: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Nov 28 12:38:29.124: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Nov 28 12:38:30.125: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Nov 28 12:38:37.086: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Nov 28 12:42:51.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.40.92.9 peer_port: 5246
*Nov 28 12:42:51.128: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 3948E4B6000000317F37) has expired. Validity period ended on 05:40:06 UTC Jul 2 2020
Peer certificate verification failed 001A

*Nov 28 12:42:51.128: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Nov 28 12:42:51.128: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:447 Certificate verified failed!
*Nov 28 12:42:51.128: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.40.92.9:5246
*Nov 28 12:42:51.128: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.40.92.9:5246
*Nov 28 12:42:51.132: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

 

 

I have problems with the certificates.

 

How can I fix it?

 

thanks

The solution should be this command, but I don't know what I'm doing wrong.

 

Can you help me?

 

(Cisco Controller) >config ap cert-expiry-ignore {mic|ssc} enable

Incorrect usage. Use the '?' or <TAB> key to list commands.

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.4.121.0
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... 6.0.182.0
Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
Build Type....................................... DATA + WPS

System Name...................................... WLC-2
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
Redundancy Mode.................................. Disabled
IP Address....................................... 10.40.92.8
Last Reset....................................... Software reset
System Up Time................................... 2 days 21 hrs 34 mins 25 secs
System Timezone Location.........................
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180

Configured Country............................... Multiple Countries:IT,US
Operating Environment............................ Commercial (0 to 40 C)

--More-- or (q)uit
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +45 C
External Temperature............................. +32 C
Fan Status....................................... OK

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 6
Number of Active Clients......................... 14

Memory Current Usage............................. Unknown
Memory Average Usage............................. Unknown
CPU Current Usage................................ Unknown
CPU Average Usage................................ Unknown

Burned-in MAC Address............................ 70:CA:9B:C9:45:80
Power Supply 1................................... Present, OK
Power Supply 2................................... Absent
Maximum number of APs supported.................. 100

More information:

 

 
Cisco Lightweight Access Points that were manufactured over 10 years ago may fail to create a CAPWAP or LWAPP connection due to certificate expiration. You may allow the Access Points with Manufactured Installed Certificates (MICs) or Self-signed Certificates (SSCs) beyond their expiration date to associate with Cisco WLC.
On Cisco WLCs, the AP lifetime-check parameter (MEANS AP CERTIFICATE EXPIRATION DATE VALIDATION) is enabled by default. We recommend that you configure the Cisco WLC to ignore the expiration date on the APs’ MICs and SSCs by entering this command:
(Cisco Controller) >config ap cert-expiry-ignore {mic | ssc} enable
 
When the config ap cert-expiry-ignore { mic | ssc } enable command is entered, Cisco WLC ignores the expiration date on the APs' MICs or SSCs, allowing APs or Cisco WLCs with certificates that are more than 10 years old to connect with each other. The AP lifetime-check parameter must remain enabled as long as APs with expired MICs or SSCs are managed by this Cisco WLC.
You can see the configuration state by entering this command:
(Cisco Controller) >show certificate summary
 
Web Administration Certificate................... 3rd Party
Web Authentication Certificate................... Locally Generated
Certificate compatibility mode:.................. off
Lifetime Check for MIC.......................... Enable
Lifetime Check for SSC.......................... Enable
 

Also as it was indicated before, check the date/time

 

WLC misconfigured clock/time or WLC not synchronizing with NTP Servers
 
Password:************
(Cisco Controller) >show tim
 
Time............................................. Fri Nov 27 15:08:49 2020
 
Timezone delta................................... 0:0
Timezone location................................ (GMT -5:00) Eastern Time (US and Canada)
 
NTP Servers
    NTP Polling Interval.........................     3600
 
     Index     NTP Key Index     NTP Server     Status      NTP Msg Auth Status
    -------  ---------------  --------------  ----------  ---------------------
       1            0           10.10.10.1     In Sync     AUTH DISABLED
       2            0           10.10.10.2     In Sync     AUTH DISABLED
 
 
(Cisco Controller) >
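
A triage sketch for the AP console log and `show time` output quoted in this thread, added here as an example (not posted by any participant and not Cisco code): it extracts the expired certificate's serial number and end date, records which controller the AP was trying to join, and compares the end date with the controller clock to separate a genuinely expired certificate from a clock problem. The function names are hypothetical, and the controller time is assumed to be UTC.

```python
import re
from datetime import datetime, timezone

# Sample input: lines quoted in this thread (AP console log, WLC `show time`).
SAMPLE_AP_LOG = """\
*Nov 28 12:42:51.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.40.92.9 peer_port: 5246
*Nov 28 12:42:51.128: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 3948E4B6000000317F37) has expired. Validity period ended on 05:40:06 UTC Jul 2 2020
*Nov 28 12:42:51.128: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.40.92.9:5246
"""
SAMPLE_SHOW_TIME = """\
Time............................................. Fri Nov 27 22:38:48 2020
Timezone delta................................... 0:0
"""

EXPIRED = re.compile(
    r"%PKI-3-CERTIFICATE_INVALID_EXPIRED:.*?\(SN: ([0-9A-F]+)\).*?"
    r"ended on (\d\d:\d\d:\d\d UTC \w{3}\s+\d{1,2} \d{4})")
DTLS_REQ = re.compile(r"%CAPWAP-5-DTLSREQSEND:.*peer_ip: (\S+)")
WLC_TIME = re.compile(r"^Time\.+\s*(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})", re.M)

def _utc(stamp, fmt):
    # Collapse padded day numbers ("Jul  2") before parsing; result is UTC-aware.
    return datetime.strptime(" ".join(stamp.split()), fmt).replace(tzinfo=timezone.utc)

def find_expired_certs(ap_log):
    """One record per expiry error, tagged with the controller being joined."""
    peer, hits = None, []
    for line in ap_log.splitlines():
        if m := DTLS_REQ.search(line):
            peer = m.group(1)          # remember the most recent join target
        elif m := EXPIRED.search(line):
            not_after = _utc(m.group(2), "%H:%M:%S UTC %b %d %Y")
            hits.append({"serial": m.group(1), "not_after": not_after, "peer": peer})
    return hits

def wlc_clock(show_time_output):
    """Parse the 'Time....' line of `show time` (assumed UTC, timezone delta 0:0)."""
    m = WLC_TIME.search(show_time_output)
    if not m:
        raise ValueError("no 'Time....' line found")
    return _utc(m.group(1), "%a %b %d %H:%M:%S %Y")

def diagnose(hit, reference_time):
    """Tell a really expired certificate from a validator with a wrong clock."""
    overdue = reference_time - hit["not_after"]
    if overdue.total_seconds() > 0:
        return f"cert {hit['serial']} expired {overdue.days} days before reference time"
    return f"cert {hit['serial']} still valid at reference time: check the validator's clock"
```

If the reference clock is NTP-synchronised and already past the certificate's end date, correcting the time will not clear the error; the second branch fires only when the device that rejected the certificate is running ahead of the real time.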

(Cisco Controller) >show time

Time............................................. Fri Nov 27 22:38:48 2020

Timezone delta................................... 0:0
Timezone location................................

NTP Servers
NTP Polling Interval......................... 86400

Index NTP Key Index NTP Server NTP Msg Auth Status
------- ---------------------------------------------------------------
1 0 10.39.90.244 AUTH DISABLED

(Cisco Controller) >show time

Time............................................. Fri Nov 27 22:57:16 2020

Timezone delta................................... 0:0
Timezone location................................

NTP Servers
NTP Polling Interval......................... 86400

Index NTP Key Index NTP Server NTP Msg Auth Status
------- ---------------------------------------------------------------
1 0 10.39.90.244 AUTH DISABLED

 

Do you use DHCP WLC discovery, i.e. do you specify the IP address of the WLC in the DHCP server?
Do you configure AP-manager as the management IP? Are they in the same subnet?
Make sure the AP can connect to both the management IP and the AP-manager of the WLC, i.e. check the routing from the AP to the WLC.
NOTE: if this is a new AP join, then make sure MASTER mode is enabled under the WLC.

Hi MHM Cisco World,

 

I use a static IP address on the controller.

The Aps and the controller are in the same subnet.

Sorry, I forgot to mention that in my infrastructure there are 3 Cisco 5508 controllers with 100 licenses on each. In total I have 230 APs; 200 are working without problems on the first 2 controllers. On the third one I should have about 30 APs, but I cannot see them.

thanks

Disable master mode on the two full controllers and enable master mode on the third, which has an empty AP join list.
The APs receive discovery from the three WLCs and send the join to the wrong one.
Try this method and check the AP join.
After the APs join, disable master mode.

I checked all three controllers; none have this option enabled. Now I have enabled this option on controller number 3, which does not recognize the APs. For the moment nothing has changed.

I see you have configured IT (Italy) and US (United States) as countries

Are you sure you have the license activated? If you can’t get one AP to join, it seems like you might have some issue with that controller. Make sure the time and country code are set on that controller.
-Scott
*** Please rate helpful posts ***

Hi Scott,

I checked the licenses, time and country, and everything is the same as on the working controllers.

thanks

As a final note, if the issue is an expired certificate on the AP, go to the WLC and apply:

 

config ap cert-expiry-ignore mic enable

 

By default it is DISABLED, meaning that IGNORE is not considered, so the validation of the certificate takes place.

 

It is not working.

 

(Cisco Controller) config>
(Cisco Controller) config> ap cert-expiry-ignore mic enable

Incorrect usage. Use the '?' or <TAB> key to list commands.
