06-03-2021 11:18 AM - edited 07-05-2021 01:23 PM
Cisco AIR-CAP3502I-A-K9, and 8540 Wireless Controller
Last week I got a call that there was no Wireless in one of our Buildings (Performing Arts Center aka PAC). After checking it, all 6 3502 APs were not providing wireless.
The APs have a solid green light, but I can stand under them with my laptop, phone and a Fluke Air checker, and not detect a wireless signal.
A Shut/No-Shut on the switch port did not fix the issue, moving the APs to a different switch did not fix the issue.
I thought it could be a switch issue, so I configured a spare 3502 and it works in that building just fine, so that rules out the switch. I configured some new 3802s to give them temporary wireless until I get the old 3502s and enclosures replaced in the near future.
Now this week, I got an incident yesterday evening that another building did not have Wireless Connectivity.
This building has 11 Cisco 3502 APs, and all are doing the same thing as the 3502s in the PAC. Same troubleshooting steps, same results.
It seems that these devices are all dying together. Has anyone else been encountering this issue recently?
06-03-2021 03:24 PM
What firmware is the controller running on?
06-04-2021 05:27 AM
Software Version: 8.5.151.0
06-03-2021 05:56 PM
Is the certificate expired on those APs? Take a look at this just in case.
https://www.wiresandwi.fi/blog/cisco-wlc-or-ap-device-certificate-expired-what-you-can-do
06-04-2021 05:28 AM - edited 06-04-2021 05:48 AM
Regarding the WLC,
There is an expired evaluation license, but we have a Permanent RTU license that supersedes the evaluation license.
Also, we are at 879 of 6000 units, so we have not maxed out the license.
I'll have to look into how to find the certificate of the AP itself.
-EDIT-
Looked over the link you posted, and both my Cisco SHA1 device cert and Cisco SHA2 device cert are good till 2025.
06-04-2021 06:06 AM
06-15-2021 08:45 AM - edited 06-15-2021 08:48 AM
Hello All,
Sorry for the late reply, I was on vacation last week.
I consoled into the AP (4 of them, actually) and I am seeing this on all of them:
10.60.249.100 and 10.66.249.100 are the IPs of the Wireless controllers.
*Mar 1 00:14:44.475: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 port 0 CLI Request Triggered%No matching route to delete
Translating "CISCO-CAPWAP-CONTROLLER.LSCS.prv"...domain server (10.201.145.185)
*Mar 1 00:14:55.503: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.60.249.100 obtained through DHCP
*Mar 1 00:14:55.503: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.66.249.100 obtained through DHCP
*Jun 15 15:25:00.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.66.249.100 peer_port: 5246
*Jun 15 15:25:00.210: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.66.249.100
*Jun 15 15:25:00.210: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.66.249.100:5246
*Jun 15 15:25:23.718: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Jun 15 15:26:05.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.66.249.100 peer_port: 5246
*Jun 15 15:26:05.210: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.66.249.100
*Jun 15 15:26:05.210: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.66.249.100:5246
*Jun 15 15:27:10.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.60.249.100 peer_port: 5246
*Jun 15 15:27:10.210: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.60.249.100
*Jun 15 15:27:10.210: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.60.249.100:5246
*Jun 15 15:28:15.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.60.249.100 peer_port: 5246
*Jun 15 15:28:15.210: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.60.249.100
*Jun 15 15:28:15.210: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.60.249.100:5246
*Jun 15 15:29:28.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.66.249.100 peer_port: 5246
*Jun 15 15:29:28.210: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.66.249.100
*Jun 15 15:29:28.210: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.66.249.100:5246
So it looks like a certificate issue, based upon this error that they are all receiving.
*Jun 15 15:29:28.210: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert
However, if I take a spare 3502 AP that hasn't been on the network, it connects to the controller(s), and works fine.
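In the console output posted above, every DTLS connection request is answered about 200 ms later by a FATAL "Certificate unknown" alert from the controller. As an added example (not part of the thread), this Python script pairs those two message types per controller and lists the controllers that rejected every join attempt; the sample lines are copied from the post, while the year 2021, the 5-second pairing window and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: lines in the format of the AP console output quoted in the thread.
SAMPLE_LOG = """\
*Mar 1 00:14:55.503: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.60.249.100 obtained through DHCP
*Jun 15 15:25:00.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.66.249.100 peer_port: 5246
*Jun 15 15:25:00.210: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.66.249.100
*Jun 15 15:26:05.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.66.249.100 peer_port: 5246
*Jun 15 15:26:05.210: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.66.249.100
*Jun 15 15:27:10.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.60.249.100 peer_port: 5246
*Jun 15 15:27:10.210: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.60.249.100
*Jun 15 15:28:15.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.60.249.100 peer_port: 5246
*Jun 15 15:28:15.210: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.60.249.100
"""

LINE = re.compile(r"^\*(\w{3}\s+\d+\s+[\d:.]+): %([\w-]+): (.*)$")

def parse(log, year=2021):
    # Console timestamps carry no year; 2021 is assumed from the thread dates.
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            when = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S.%f")
            yield when, m[2], m[3]

def join_failures(log, window=timedelta(seconds=5)):
    # Pair each DTLS request with a FATAL alert from the same peer inside the window.
    stats = defaultdict(lambda: {"attempts": 0, "rejected": 0, "alerts": set()})
    pending = {}
    for when, tag, msg in parse(log):
        if tag == "CAPWAP-5-DTLSREQSEND":
            peer = re.search(r"peer_ip: (\S+)", msg)[1]
            stats[peer]["attempts"] += 1
            pending[peer] = when
        elif tag == "DTLS-5-ALERT":
            m = re.match(r"Received FATAL : (.+) alert from (\S+)", msg)
            if m and m[2] in pending and when - pending.pop(m[2]) <= window:
                stats[m[2]]["rejected"] += 1
                stats[m[2]]["alerts"].add(m[1])
    return dict(stats)

def stuck_in_join_loop(stats, min_attempts=2):
    # Controllers that rejected every one of at least min_attempts handshakes.
    return sorted(p for p, s in stats.items()
                  if s["attempts"] >= min_attempts and s["rejected"] == s["attempts"])

if __name__ == "__main__":
    print(stuck_in_join_loop(join_failures(SAMPLE_LOG)))
```

Run against console captures from several APs, the per-controller alert set shows whether they all fail with the same DTLS alert or with different ones.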