
AP NOT Joined

antonioxud80
Level 1
Good Evening,
 
I have a problem with a Cisco 5508 controller: no APs are able to connect.
 

*spamApTask2: Nov 27 18:14:50.099: 00:5f:86:1e:66:e0 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 100, joined Aps =0
*spamApTask2: Nov 27 18:14:50.099: 00:5f:86:1e:66:e0 Primary Discovery Response sent to 10.40.94.199:15203

*spamApTask6: Nov 27 18:14:50.249: c4:0a:cb:5c:7a:90 Primary Discovery Request from 10.40.94.114:48716

*spamApTask6: Nov 27 18:14:50.249: c4:0a:cb:5c:7a:90 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 100, joined Aps =0
*spamApTask6: Nov 27 18:14:50.250: c4:0a:cb:5c:7a:90 Primary Discovery Response sent to 10.40.94.114:48716

*spamApTask6: Nov 27 18:14:50.250: c4:0a:cb:5c:7a:90 Primary Discovery Request from 10.40.94.114:48716

*spamApTask6: Nov 27 18:14:50.250: c4:0a:cb:5c:7a:90 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 100, joined Aps =0
*spamApTask6: Nov 27 18:14:50.250: c4:0a:cb:5c:7a:90 Primary Discovery Response sent to 10.40.94.114:48716

*spamApTask4: Nov 27 18:14:50.251: c4:0a:cb:2d:c3:d0 Primary Discovery Request from 10.40.94.59:1321

 

Do you have any suggestions?

 

many thanks

 

Regards Antonio


That is one of the workarounds (changing time) I did not post on purpose because I would not do/suggest it.

 

In addition to that, CHECK for the certificate expiration date on your WLC as well because at some point you could be affected by that situation. USE disabling the CERTIFICATE verification on the WLC instead of manipulating clock/date on your WLC.

Hi,

 

Please can you indicate to me which command I should use to accomplish this?

 

WLC 5508

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.4.121.0
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... 6.0.182.0
Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
Build Type....................................... DATA + WPS

 

I used the following command without success:

 

(Cisco Controller) >config ap cert-expiry-ignore {mic|ssc} enable

Incorrect usage. Use the '?' or <TAB> key to list commands.

 

many thanks

 

Antonio

READ THE WHOLE MESSAGE NEXT.

Let me provide you more information. In my case, the SHA1 certificate on my WLC expired so the APs could NOT join. I am giving you the output of my WLC with that problem (we had to migrate the APs to another WLC until this situation is solved).

 

There is a lot of information from the following SHOW COMMAND, so SEARCH for only SHA1 DEVICE CERT (I replaced some non-relevant information below with ****).

 

(Cisco Controller) >show certificate all


---------------------------

Certificate Name: Cisco SHA1 device cert

Subject Name :
C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AIR-CT5508-K9-f866f2fa6c20, emailAddress=support@cisco.com
Issuer Name :
O=Cisco Systems, CN=Cisco Manufacturing CA
Serial Number (Hex):
******************************
Validity :
Start : Oct 22 13:06:24 2010 GMT
End : Oct 22 13:16:24 2020 GMT   ----- WLC SHA1 CERTIFICATE EXPIRED ON OCTOBER THIS YEAR
Signature Algorithm :
sha1WithRSAEncryption
Hash key :
SHA1 Fingerprint : ****************
SHA256 Fingerprint : ***************

 

Now regarding the part about IGNORING the expired cert from the AP, this is the command. You are running an OLD version on your 5508. IF THE COMMAND is not available on your current version, you can upgrade the WLC to version 8.3.143.0, which I have been running for over 2 years with NO issues. That version actually has a FIX for a memory leak bug that occurs on previous versions.

 

(Cisco Controller) >config
(Cisco Controller) config>ap cert-expiry-ignore ?

mic Configures cert-expiry-ignore check operation for MIC.
ssc Configures cert-expiry-ignore check operation for SSC.

(Cisco Controller) config>ap cert-expiry-ignore mic ?

enable Enabling will ignore the lifetime-check for MIC.
disable Disabling will do the lifetime-check for MIC.

(Cisco Controller) config>ap cert-expiry-ignore mic enable ?

(Cisco Controller) config>ap cert-expiry-ignore mic enable

(Cisco Controller) config>exit

(Cisco Controller) >save
(Cisco Controller) save>config

Are you sure you want to save? (y/n) y

Configuration Saved!

(Cisco Controller) save>exit
(Cisco Controller) >logout

 

TO VALIDATE changes applied:

 

(Cisco Controller) >show certificate summary
Web Administration Certificate................... 3rd Party
Web Authentication Certificate................... 3rd Party
Certificate compatibility mode:.................. off
Lifetime Check Ignore for MIC ................... Enable
Lifetime Check Ignore for SSC ................... Enable

(Cisco Controller) >

 

 

 

 

Hi, 

Actually I faced scenario 1, so how can I fix it please?

 

thanks 

@sulimanalassiry you'll have to explain what you mean by "scenario 1"?
What exactly is the problem you're having?
Have you read through all the field notices etc in my signature below?

You need to explain your situation, what code are you running, what is the error message you are getting, provide more details.

You should open a new thread with details of your equipment and error you are seeing.

-Scott
*** Please rate helpful posts ***

Ok, you can visit the link please... 

thank you..

The employee can't see SSID wirless network - Cisco Community

On the WLC side:

 

WLC_CLI: show certificate all

Certificate Name: Cisco SHA1 device cert
Subject Name :
C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AIR-CT2504-K9-d0c282d65a20, MAILTO=support@cisco.com
Issuer Name :
O=Cisco Systems, CN=Cisco Manufacturing CA
Serial Number :
454384735992863371807890
Validity :
Start : 2011 Jul 26th, 20:17:17 GMT
End : 2021 Jul 26th, 20:27:17 GMT
Signature Algorithm :
rsa-pkcs1-sha1
Hash key :
SHA1 Fingerprint : 98:89:eb:12:2a:98:bc:fe:ad:5b:8f:23:63:0f:47:d1:36:ce:f5:be
MD5 Fingerprint : ba:f3:98:9a:cd:f8:01:08:84:b8:66:3c:6a:6c:d3:05

(Cisco Controller) >show certificate summary
Web Administration Certificate................... 3rd Party
Web Authentication Certificate................... 3rd Party
Certificate compatibility mode:.................. off

You have not posted the CLI commands about certificate expiration on both sides, the AP and the WLC. I suspect you are having an issue with an expired certificate on the AP side.

 

On the AP side, privilege mode, run this

AP_CLI#sh crypto pki certificates

 

AND look for the section named CERTIFICATE that is similar to the next one:

 

 

Certificate
Status: Available
Certificate Serial Number: 728AF4350000001E4C89
Certificate Usage: General Purpose
Issuer:
cn=Cisco Manufacturing CA
o=Cisco Systems
Subject:
Name: C1130-001c58b5b3a4
ea=support@cisco.com
cn=C1130-001c58b5b3a4
o=Cisco Systems
l=San Jose
st=California
c=US
CRL Distribution Points:
http://www.cisco.com/security/crl/cmca.crl
Validity Date:
start date: 04:22:10 UTC Jul 11 2007
end date: 04:32:10 UTC Jul 11 2017
Associated Trustpoints: Cisco_IOS_MIC_cert

AP507ok#sh crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number (hex): 00
Certificate Usage: General Purpose
Issuer:
e=support@airespace.com
cn=ca
ou=none
o=airespace Inc
l=San Jose
st=California
c=US
Subject:
e=support@airespace.com
cn=ca
ou=none
o=airespace Inc
l=San Jose
st=California
c=US
Validity Date:
start date: 23:38:55 UTC Feb 12 2003
end date: 23:38:55 UTC Nov 11 2012
Associated Trustpoints: airespace-old-root-cert
Storage:

CA Certificate
Status: Available
Certificate Serial Number (hex): 00
Certificate Usage: Signature
Issuer:
e=support@airespace.com
cn=Airespace Root CA
ou=Engineering
o=Airespace Inc.
l=San Jose
st=California
c=US
Subject:
e=support@airespace.com
cn=Airespace Root CA
ou=Engineering
o=Airespace Inc.
l=San Jose
st=California
c=US
Validity Date:
start date: 13:41:22 UTC Jul 31 2003
end date: 13:41:22 UTC Apr 29 2013
Associated Trustpoints: airespace-new-root-cert
Storage:

CA Certificate
Status: Available
Certificate Serial Number (hex): 03
Certificate Usage: General Purpose
Issuer:
e=support@airespace.com
cn=Airespace Root CA
ou=Engineering
o=Airespace Inc.
l=San Jose
st=California
c=US
Subject:
e=support@airespace.com
cn=Airespace Device CA
ou=Engineering
o=Airespace Inc.
l=San Jose
st=California
c=US
Validity Date:
start date: 22:37:13 UTC Apr 28 2005
end date: 22:37:13 UTC Jan 26 2015
Associated Trustpoints: airespace-device-root-cert
Storage:

CA Certificate
Status: Available
Certificate Serial Number (hex): 5FF87B282B54DC8D42A315B568C9ADFF
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2048
o=Cisco Systems
Subject:
cn=Cisco Root CA 2048
o=Cisco Systems
Validity Date:
start date: 20:17:12 UTC May 14 2004
end date: 20:25:42 UTC May 14 2029
Associated Trustpoints: Trustpool cisco-root-cert
Storage:

Certificate
Status: Available
Certificate Serial Number (hex): 1F365378000000281834
Certificate Usage: General Purpose
Issuer:
cn=Cisco Manufacturing CA
o=Cisco Systems
Subject:
Name: AP3G1-6400f184bc8d
e=support@cisco.com
cn=AP3G1-6400f184bc8d
o=Cisco Systems
l=San Jose
st=California
c=US
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/cmca.crl
Validity Date:
start date: 06:37:27 UTC Mar 15 2011
end date: 06:47:27 UTC Mar 15 2021
Associated Trustpoints: Cisco_IOS_MIC_cert
Storage:

CA Certificate
Status: Available
Certificate Serial Number (hex): 6A6967B3000000000003
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2048
o=Cisco Systems
Subject:
cn=Cisco Manufacturing CA
o=Cisco Systems
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/crca2048.crl
Validity Date:
start date: 22:16:01 UTC Jun 10 2005
end date: 20:25:42 UTC May 14 2029
Associated Trustpoints: Trustpool Cisco_IOS_MIC_cert
Storage:

This link helps

 

https://community.cisco.com/t5/wireless-mobility-documents/lightweight-ap-fail-to-create-capwap-lwapp-connection-due-to/ta-p/3155111

 

I had to disable, on the WLC side, the Certificate Verification of the APs with an expired one. For the WLC the situation is worse because we HAD to migrate the APs from the 5508 WLC with the expired certificate to another 8510 WLC. I have something to do now; I will provide you the command to ignore the AP certificate validation later.
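
Added example (not part of any post in this thread): a small Python parser for the AP-side `sh crypto pki certificates` output quoted above that reports which entries are past their end date. The sample text is constructed by trimming two entries from that output; `parse_certs` and `expired` are names chosen here.

```python
import re
from datetime import datetime, timezone

# Constructed sample: two entries trimmed from the AP output quoted in the thread.
SAMPLE = """\
CA Certificate
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2048
Subject:
cn=Cisco Manufacturing CA
Validity Date:
start date: 22:16:01 UTC Jun 10 2005
end date: 20:25:42 UTC May 14 2029
Associated Trustpoints: Trustpool Cisco_IOS_MIC_cert

Certificate
Certificate Usage: General Purpose
Issuer:
cn=Cisco Manufacturing CA
Subject:
Name: AP3G1-6400f184bc8d
cn=AP3G1-6400f184bc8d
Validity Date:
start date: 06:37:27 UTC Mar 15 2011
end date: 06:47:27 UTC Mar 15 2021
Associated Trustpoints: Cisco_IOS_MIC_cert
"""

def parse_certs(text):
    """Split 'sh crypto pki certificates' output into one dict per certificate."""
    certs = []
    for block in re.split(r"(?m)^(?=(?:CA )?Certificate\s*$)", text):
        head = re.match(r"((?:CA )?Certificate)\s*$", block, re.M)
        end = re.search(r"end\s+date:\s*(\S+) UTC (\w{3}) +(\d+) (\d{4})", block)
        if not head or not end:
            continue  # preamble or an entry without a validity section
        cn = re.search(r"cn=(.+)", block.split("Subject:", 1)[-1])
        tp = re.search(r"Associated Trustpoints:\s*(.+)", block)
        when = datetime.strptime(" ".join(end.groups()), "%H:%M:%S %b %d %Y")
        certs.append({"kind": head.group(1), "cn": cn.group(1).strip() if cn else "",
                      "trustpoint": tp.group(1).strip() if tp else "",
                      "not_after": when.replace(tzinfo=timezone.utc)})
    return certs

def expired(certs, now=None):
    """Certificates whose end date is earlier than 'now' (UTC, defaults to current time)."""
    now = now or datetime.now(timezone.utc)
    return [c for c in certs if c["not_after"] < now]
```

Call `expired(parse_certs(text))` on the full output captured from the AP. An expired `Certificate` entry under the `Cisco_IOS_MIC_cert` trustpoint is the AP's own MIC, the certificate the WLC lifetime check discussed in this thread applies to.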
