
AP won't establish connection to WLC

JDT69RR
Level 1

 

After factory resetting the APs, this is what I am getting...

No connection to the WLC. This happened to two APs out of 4.

*Mar 1 00:00:13.514: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed (15)
*Mar 1 00:00:13.517: *** CRASH_LOG = YES

*Mar 1 00:00:13.517: 64bit PCIE devices
*Mar 1 00:00:14.624: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed (1-6)
*Mar 1 00:00:14.624: Security Core found.

*Mar 1 00:00:14.637: Registering HW DTLS
Base Ethernet MAC address: 28:94:0F:26:29:D4

*Mar 1 00:00:16.870: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:18.213: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0 (4)
*Mar 1 00:00:18.220: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:18.339: loading Power Tables from ram:/Z2.bin. Class = A
*Mar 1 00:00:18.339: record size of 2ss: 404 read_ptr: 2758100

*Mar 1 00:00:21.535: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1 (4)
*Mar 1 00:00:21.585: loading Power Tables from ram:/Z5.bin. Class = A
*Mar 1 00:00:21.585: record size of 2ss: 404 read_ptr: 2758100
capwap_read_version_info: Info file flash:/ap3g1-k9w8-mx.152-2.JB2/info not find
*Nov 30 21:01:54.119: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3500 Software (AP3G1-K9W8-M), Version 15.3(3)JC9, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Fri 20-Oct-17 19:26 by prod_rel_team
*Nov 30 21:01:54.119: %SNMP-5-COLDSTART: SNMP agent on host AP2894.0f26.29d4 is undergoing a cold start
*Nov 30 21:01:54.305: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Nov 30 21:01:54.468: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Nov 30 21:01:54.468: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to uplwapp_crypto_init: MIC Present and Parsed Successfully

*Nov 30 21:01:55.185: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Nov 30 21:02:02.317: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 192.168.20.84, mask 255.255.255.0, hostname AP2894.0f26.29d4

*Nov 30 21:02:11.647: Currently running a Release Image
validate_sha2_block: Failed to get certificate chain
*Nov 30 21:02:11.666: Using SHA-1 signed certificate for image signing validation.%Default route without gateway, if not a point-to-point interface, may impact performance
*Nov 30 21:02:17.372: AP image integrity check PASSED

*Nov 30 21:02:17.382: Non-recovery image. PNP Not required.

*Nov 30 21:02:17.445: validate_sha2_block:No SHA2 Block present on this AP.

*Nov 30 21:02:17.473: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Nov 30 21:02:17.473: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Nov 30 21:02:24.699: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Nov 30 21:02:25.790: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Nov 30 21:02:26.791: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Nov 30 21:02:27.583: Logging LWAPP message to 255.255.255.255.

*Nov 30 21:02:27.590: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 port 0 CLI Request Triggered
*Nov 30 21:02:27.602: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 port 514 started - CLI initiated
*Nov 30 21:02:27.885: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up%No matching route to delete
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (75.75.75.75)
*Nov 30 21:02:38.609: %CAPWAP-5-DHCP_OPTION_43: Controller address 192.168.20.13 obtained through DHCP (75.75.76.76)

*Nov 30 21:03:25.078: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Nov 30 21:22:01.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.20.13 peer_port: 5246
*Nov 30 21:22:01.207: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 192.168.20.13
*Nov 30 21:22:01.207: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.20.13:5246

 

Accepted Solutions

I suspect the certificate in the AP has expired.

https://community.cisco.com/t5/wireless-mobility-documents/lightweight-ap-fail-to-create-capwap-lwapp-connection-due-to/ta-p/3155111

 

Please run this command on WLC and check again:

 

ON WLC CLI---> config ap cert-expiry-ignore mic enable

 

Regards

Don't forget to rate helpful posts
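
The failure signature in the AP log above, as an added example that is not part of the original thread: a short Python triage that pairs each CAPWAP DTLS request with the alerts that follow it and reports which side raised a certificate alert. The function names and result labels are this example's own, and reading a received alert as "the controller rejected what the AP presented" is an assumption based on standard TLS alert semantics.

```python
import re

# Console lines copied from the AP boot log posted in this thread.
SAMPLE_LOG = """\
*Nov 30 21:22:01.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.20.13 peer_port: 5246
*Nov 30 21:22:01.207: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 192.168.20.13
*Nov 30 21:22:01.207: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.20.13:5246
"""

REQ = re.compile(r"%CAPWAP-5-DTLSREQSEND: .*peer_ip: (?P<ip>[\d.]+)")
RECV = re.compile(
    r"%DTLS-5-ALERT: Received (?P<level>\w+) : (?P<desc>.+?) alert from (?P<ip>[\d.]+)")
SENT = re.compile(
    r"%DTLS-5-SEND_ALERT: Send (?P<level>\w+) : (?P<desc>.+?) Alert to (?P<ip>[\d.]+)")


def triage_dtls(log_text):
    """Return one finding per DTLS alert exchanged with a controller the AP tried to join."""
    requested = set()   # controllers this AP sent a DTLS request to
    findings = []
    for line in log_text.splitlines():
        m = REQ.search(line)
        if m:
            requested.add(m["ip"])
            continue
        for pattern, raised_by in ((RECV, "controller"), (SENT, "ap")):
            m = pattern.search(line)
            if not m or m["ip"] not in requested:
                continue
            desc = m["desc"].strip()
            findings.append({
                "controller": m["ip"],
                "raised_by": raised_by,
                "alert": desc,
                # Only a fatal alert naming a certificate counts as a cert failure.
                "cert_problem": m["level"] == "FATAL" and "certificate" in desc.lower(),
            })
    return findings


def diagnose(findings):
    """Turn findings into the next check to run (wording is this example's own)."""
    for f in findings:
        if f["cert_problem"] and f["raised_by"] == "controller":
            return "controller rejected AP certificate: check its validity against the WLC clock"
        if f["cert_problem"] and f["raised_by"] == "ap":
            return "AP rejected controller certificate: check AP clock and WLC certificate"
    return "no certificate alert found"
```

On the log from this thread the first branch fires: the alert comes from the controller, which is the case the accepted answer addresses with `config ap cert-expiry-ignore mic enable`, a setting that makes the WLC accept a MIC past its expiry date.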

 



Sandeep Choudhary
VIP Alumni

Paste the output of these commands:

 

From AP:

 

show version

 

From WLC:

 

Show sysinfo

Show time

 

Regards

Don't forget to rate helpful posts

APs

1

AP2894.0f39.2466>show version
Cisco IOS Software, C3500 Software (AP3G1-K9W8-M), Version 15.3(3)JC9, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Fri 20-Oct-17 19:26 by prod_rel_team

ROM: Bootstrap program is C3500 boot loader
BOOTLDR: C3500 Boot Loader (AP3G1-BOOT-M), Version 15.3 [vtoky-imagetype 106]

AP2894.0f39.2466 uptime is 2 minutes
System returned to ROM by power-on
System image file is "flash:/ap3g1-k9w8-mx.153-3.JC9/ap3g1-k9w8-xx.153-3.JC9"
Last reload reason:

 

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-CAP3502I-A-K9 (PowerPC460exr) processor (revision A0) with 98294K/32768K bytes of memory.
Processor board ID FTX1604E3MZ
PowerPC460exr CPU at 666Mhz, revision number 0x18A8
Last reset from power-on
LWAPP image version 8.2.164.0
1 Gigabit Ethernet interface
2 802.11 Radios

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 28:94:0F:39:24:66
Part Number : 73-12175-05
PCB Serial Number : FOC154435AX
Top Assembly Part Number : 800-32891-01
Top Assembly Serial Number : FTX1604E3MZ
Top Revision Number : A0
Product/Model Number : AIR-CAP3502I-A-K9

 

Configuration register is 0xF

 

2

AP2894.0f26.29d4>show version
Cisco IOS Software, C3500 Software (AP3G1-K9W8-M), Version 15.3(3)JC9, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Fri 20-Oct-17 19:26 by prod_rel_team

ROM: Bootstrap program is C3500 boot loader
BOOTLDR: C3500 Boot Loader (AP3G1-BOOT-M), Version 15.3 [vtoky-imagetype 106]

AP2894.0f26.29d4 uptime is 0 minutes
System returned to ROM by power-on
System image file is "flash:/ap3g1-k9w8-mx.153-3.JC9/ap3g1-k9w8-xx.153-3.JC9"
Last reload reason:

 

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If
 U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-CAP3502I-A-K9 (PowerPC460exr) processor (revision A0) with 98294K/32768K bytes of memory.
Processor board ID FTX1604K3U9
PowerPC460exr CPU at 666Mhz, revision number 0x18A8
Last reset from power-on
LWAPP image version 8.2.164.0
1 Gigabit Ethernet interface
2 802.11 Radios

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 28:94:0F:26:29:D4
Part Number : 73-12175-05
PCB Serial Number : FOC15467680
Top Assembly Part Number : 800-32891-01
Top Assembly Serial Number : FTX1604K3U9
Top Revision Number : A0
Product/Model Number : AIR-CAP3502I-A-K9

 

Configuration register is 0xF

 

From WLC:

(Cisco Controller) >Show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.2.164.0
Bootloader Version............................... 1.0.20
Field Recovery Image Version..................... 7.6.101.1
Firmware Version................................. PIC 16.0

 

(Cisco Controller) >show time

Time............................................. Wed Dec 1 05:34:18 2021

Timezone delta................................... 0:0
Timezone location................................

NTP Servers
NTP Polling Interval......................... 600

Index NTP Key Index NTP Server Status NTP Msg Auth Status
------- ----------------------------------------------------------------------------------------------

 


Build Type....................................... DATA + WPS

System Name...................................... Cisco WLC
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1279
IP Address....................................... 192.168.20.13
IPv6 Address..................................... ::
Last Reset....................................... Software reset
System Up Time................................... 0 days 9 hrs 53 mins 42 secs
System Timezone Location.........................
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180

--More-- or (q)uit

Configured Country............................... US - United States
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +39 C
External Temperature............................. +43 C
Fan Status....................................... 4900 rpm

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 1
Number of Active Clients......................... 2

Burned-in MAC Address............................ 84:78:AC:B3:E1:60
Maximum number of APs supported.................. 75
System Nas-Id....................................
WLC MIC Certificate Types........................ SHA1

 

    - What is the controller model (name)?

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

2500


 

@Sandeep Choudhary you hit the nail on the head! With that being said, the APs are in service and working as intended. Thank you very much!
