02-13-2023 11:04 PM - edited 02-14-2023 03:38 AM
Hi guys,
I have a 1702 AP that is connected to a WLC 2504 and works fine. I need to move the AP to a new controller, a WLC-9800-CL with software version 17.3.6.
I have ICMP and CAPWAP connectivity between the AP and the controller. These are the messages that I am seeing on the AP while I am trying to associate.
172.20.2.100 - WLC
*Feb 14 06:32:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.20.2.100 peer_port: 5246
*Feb 14 06:32:55.019: %CAPWAP-1-SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed.Peer certificate verification failed FFFFFFFF
*Feb 14 06:32:55.023: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:508 Certificate verified failed!
*Feb 14 06:32:55.023: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 172.20.2.100:5246
*Feb 14 06:32:55.023: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.20.2.100:5246
*Feb 14 06:33:59.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
*Feb 14 06:34:00.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.20.2.100 peer_port: 5246
*Feb 14 06:34:00.027: %CAPWAP-1-SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed.Peer certificate verification failed FFFFFFFF
*Feb 14 06:34:00.027: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:508 Certificate verified failed!
*Feb 14 06:34:00.027: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 172.20.2.100:5246
*Feb 14 06:34:00.027: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.20.2.100:5246
*Feb 14 06:35:04.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
I have read this, but I don't know if it applies:
02-14-2023 03:29 AM - edited 02-14-2023 03:30 AM
Hi, I have found a solution and it worked.
I created a DHCP reservation for the AP on the router.
ip dhcp pool AP1
host 10.1.2.3 255.255.0.0
client-identifier 022c.b02d.568d.b4
default-router 10.1.2.1
dns-server 10.1.2.10
option 43 hex xxx.xxx.xxx
lease 0 3
option 43 hex is the IP of the controller
On the Cisco AP, I enabled the commands:
debug capwap console cli
Did a reload in, so that I will not be left out
AP#reload in 2
System configuration has been modified. Save? [yes/no]: yes
AP#clear capwap private-config
AP#clear capwap ap ip address
AP#
*Feb 14 10:54:28.335: %LWAPP-3-LWAPP_INTERFACE_GOT_IP_ADDRESS: Interface BVI1 obtained IP from DHCP...
*Feb 14 10:54:28.403: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.1.2.3, mask 255.255.0.0, hostname
*Feb 14 10:54:28.403: %LWAPP-3-LWAPP_INTERFACE_GOT_IP_ADDRESS: Interface BVI1 obtained IP from DHCP...
AP#reload
System configuration has been modified. Save? [yes/no]: yes
Now the AP joined the new controller.
Note: IPs are changed for security reasons, but the procedure works.
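The post above leaves the actual option 43 value out ("xxx.xxx.xxx"). The encoding Cisco lightweight APs expect is a TLV: sub-option type 0xf1, one length byte equal to 4 times the number of controllers, then each controller IPv4 address as four bytes. The following encoder/decoder is an added example, not code from the thread or from Cisco; it uses 172.20.2.100, the WLC address quoted in the log lines of the question, as constructed sample input, and makes no claim about the poster's real value.

```python
"""Encode and decode the DHCP option 43 value that Cisco lightweight APs use
for WLC discovery. Added illustration; not code from the forum thread.

Format (Cisco's TLV for lightweight AP controller discovery):
  0xf1                 sub-option type 241
  one byte             length in bytes: four per controller address
  4 bytes per address  controller IPv4 addresses in network byte order
"""
import ipaddress

SUBOPTION_WLC = 0xF1


def encode_option43(controllers):
    """Return the hex string to put after 'option 43 hex' for the given WLC IPs."""
    if not controllers:
        raise ValueError("need at least one controller address")
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(payload) > 0xFF:
        raise ValueError("too many controllers for a one-byte length field")
    return bytes([SUBOPTION_WLC, len(payload)]).hex() + payload.hex()


def decode_option43(hex_value):
    """Parse an option 43 hex string and return the controller IPs as strings.

    Accepts IOS's dotted grouping (e.g. 'f104.ac14.0264') as well as plain hex,
    and rejects values whose length byte or payload size is inconsistent, which
    is the usual typo when the value is hand-built on a router.
    """
    raw = bytes.fromhex(hex_value.replace(".", "").replace(":", ""))
    if len(raw) < 2 or raw[0] != SUBOPTION_WLC:
        raise ValueError("not a Cisco WLC discovery sub-option (type 0xf1)")
    length = raw[1]
    if length != len(raw) - 2:
        raise ValueError(f"length byte {length} does not match {len(raw) - 2} payload bytes")
    if length % 4 != 0:
        raise ValueError("payload is not a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(2, len(raw), 4)]


def ios_dotted(hex_value):
    """Render a hex string in the 4-digit dotted groups IOS shows in 'show run'."""
    h = hex_value.replace(".", "")
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


if __name__ == "__main__":
    # Constructed sample: the WLC address quoted in the AP log lines above.
    wlc = "172.20.2.100"
    value = encode_option43([wlc])
    print(f"option 43 hex {ios_dotted(value)}")
    print(decode_option43(value))
```

Running the script prints the line you would paste into the DHCP pool and then the decoded address list, so you can round-trip a value copied from `show running-config` before relying on it; a second controller simply adds four more bytes and bumps the length byte from 04 to 08.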
02-13-2023 11:15 PM
Most likely hitting this: https://www.cisco.com/c/en/us/support/docs/wireless/aironet-700-series-access-points/218447-ios-ap-image-download-fails-due-to-expir.html
Roll the clock back to before 4 Dec 2022 on the 9800 and get the AP to join.
Once joined to 17.3.6 it will be fine.
02-13-2023 11:31 PM
Or wait for the release of 17.9.3 (end of February 2023).
02-14-2023 03:26 AM
Hi Leo, thank you for your answer. 17.9.3 will not support the AP 1700.
02-14-2023 03:37 AM - edited 02-14-2023 03:37 AM
@Calin Cristea wrote:
17.9.3 will not support AP 1700.
Read the Release Notes for 17.9.3 -- That is all I am going to say.
02-14-2023 11:02 AM
There's no reason why using a static IP assignment for the AP should make any difference to the certificate, so that doesn't make any sense at all!
It's much more likely that you're encountering one of the field notices mentioned in my signature below. If using 17.3.6 then you should ensure you also have all AP service packs up to APSP7 installed.
https://software.cisco.com/download/home/286322605/type/286325254/release/17.3.6
02-14-2023 11:48 AM
Hello Rich, first of all thank you for your answer. Yes, you are right, a static IP does not make any sense with the error that I had.
It's just that the access point was already associated to a 2504 WLC. I tried moving the AP, with no luck (with the error message attached).
That's why I needed to fully reset the access point. I could not reset the access point by pushing the reset button, because the AP is in a remote location. That's why I reset the AP from the CLI. The AP lost its IP; that's why I created a DHCP reservation, so that I would not lose connectivity to the AP. That's why I set up the hex value of the controller, to push the join command from DHCP, because I lost connectivity to the AP after resetting it.
All upgrades were already installed.
02-14-2023 12:09 PM
Right, ok, that makes sense then. That is how it's recommended to configure your APs anyway (using DHCP with option 43), but there is no need to use a static reservation - a dynamic IP is fine.
So the answer was really a factory default reset of the AP, which solves all sorts of join problems like this.