APs not joining vWLC

ArSh21
Level 3

Hello, 

I'm facing an issue of APs (different models) not joining a newly installed vWLC (v 8.10)

The APs were previously joined in WLC 2504, but the 2504 failed and we cannot repair it. 

So we configured a vWLC, but APs don't join. These are the logs I get from one of the APs (model 702i with IOS 15.3):

*May 17 13:41:35.999: %CAPWAP-3-EVENTLOG: Wait DTLS timer has expired
*May 17 13:41:35.999: %CAPWAP-3-EVENTLOG: Dtls session establishment failed
*May 17 13:41:35.999: %CAPWAP-3-EVENTLOG: CAPWAP State: DTLS Teardown.
*May 17 13:41:41.003: %CAPWAP-3-EVENTLOG: DTLS session cleanup completed. Restarting capwap state machine.
*May 17 13:41:41.003: %CAPWAP-3-EVENTLOG: Previous CAPWAP state was DTLS Setup,numOfCapwapDiscoveryResp = 3.
*May 17 13:41:41.003: %CAPWAP-3-EVENTLOG: Attempting to join next controller
*May 17 13:41:41.003: %CAPWAP-3-EVENTLOG: Go Join the next controller

*May 17 13:41:41.003: %CAPWAP-3-EVENTLOG: Calling wtpGetAcToJoin from timer expiry.
*May 17 13:41:41.003: %CAPWAP-3-EVENTLOG: Selected MWAR 'Cisco-000c.29a4.b9ae' (index 0).
*May 17 13:41:41.003: %CAPWAP-3-EVENTLOG: Ap mgr count=0
*May 17 13:41:41.003: %CAPWAP-3-EVENTLOG: Go Join the next controller

*May 17 13:41:41.003: %CAPWAP-3-EVENTLOG: Remove discovery response at index 0

*May 17 13:41:41.003: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
Peer certificate verification failed 001A

*May 17 13:41:41.055: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:496 Certificate verified failed!

I checked the community and the FN-63942, but the workaround doesn't work.

 

Any idea how to solve this? 

Thank You!
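
The log pattern in the post above can be triaged automatically. This added example (not part of the original post, and not Cisco tooling) parses AP console output and separates a plain DTLS timeout from a peer-certificate verification failure; the function name `triage` and the verdict labels are assumptions made for illustration.

```python
import re

# AP console lines copied from the post above, used here as sample input.
SAMPLE_LOG = """\
*May 17 13:41:35.999: %CAPWAP-3-EVENTLOG: Wait DTLS timer has expired
*May 17 13:41:35.999: %CAPWAP-3-EVENTLOG: Dtls session establishment failed
*May 17 13:41:41.003: %CAPWAP-3-EVENTLOG: Previous CAPWAP state was DTLS Setup,numOfCapwapDiscoveryResp = 3.
*May 17 13:41:41.003: %CAPWAP-3-EVENTLOG: Selected MWAR 'Cisco-000c.29a4.b9ae' (index 0).
*May 17 13:41:41.003: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
Peer certificate verification failed 001A

*May 17 13:41:41.055: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:496 Certificate verified failed!
"""

STAMPED = re.compile(r"^\*(\w{3}\s+\d+\s+[\d:.]+):\s+(.*)$")
SIGNALS = {
    "dtls_timeout": re.compile(r"Wait DTLS timer has expired"),
    "cert_failure": re.compile(r"certificate verif\w+ failed", re.I),
}
DISCOVERY = re.compile(r"numOfCapwapDiscoveryResp = (\d+)")
CONTROLLER = re.compile(r"Selected MWAR '([^']+)'")


def triage(log_text):
    """Classify a failed CAPWAP join attempt from AP console output."""
    result = {"controller": None, "discovery_responses": 0,
              "dtls_timeout": [], "cert_failure": []}
    last_stamp = None
    for line in log_text.splitlines():
        m = STAMPED.match(line)
        # Unstamped lines (e.g. "Peer certificate verification failed 001A")
        # inherit the timestamp of the preceding stamped line.
        last_stamp, msg = (m.group(1), m.group(2)) if m else (last_stamp, line)
        for name, pattern in SIGNALS.items():
            if pattern.search(msg):
                result[name].append(last_stamp)
        if (d := DISCOVERY.search(msg)):
            result["discovery_responses"] = max(result["discovery_responses"], int(d.group(1)))
        if (c := CONTROLLER.search(msg)):
            result["controller"] = c.group(1)
    if result["cert_failure"]:
        result["verdict"] = "certificate-verification"  # handshake reached the cert check
    elif result["dtls_timeout"]:
        result["verdict"] = "dtls-timeout"  # no certificate error logged
    else:
        result["verdict"] = "no-join-failure-seen"
    return result
```

A `certificate-verification` verdict together with a non-zero `discovery_responses` count shows that the controller is answering discovery and the join stops at certificate validation.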

4 Replies

Hi

 I have a few things you can check.

Date and time on the WLC

Activate licensing (even evaluation licensing needs to be enabled)

Make sure you enable the correct country for your APs.

Make sure reachability is fine.

Last, factory reset one AP to test, in case all the above is OK.

 

Hello Flavio,

Date and time are correct (I even tried the workaround of changing the time).

License is activated (it is evaluation and it is enabled).

Country is correct.

Reachability is ok, both can ping each other.

I will factory reset the AP and get back to you. 

 

Thank You!

Rich R
VIP

@Flavio Miranda has summarised all the key points.
All I will add is make sure your software is up to date per TAC recommended (link below) - currently 8.10.185.0 - and review all the field notice links below.

PS: You might want to read FN63942 again carefully - you need to perform all the steps in the right order.
Workaround config on WLC
Set time back
AP joins, downloads new software and workaround config.
Only at that point is the AP "fixed".

------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

ArSh21
Level 3

Hello Rich,

Thank you very much! 

We actually dropped the vWLC and got an appliance.

The APs connected with the appliance right away. 

Thank you!

 
