
C3502 APs dropping off and not communicating with Controller

justthompson
Level 1

Cisco AIR-CAP3502I-A-K9, and 8540 Wireless Controller
Last week I got a call that there was no Wireless in one of our Buildings (Performing Arts Center aka PAC). After checking it, all 6 3502 APs were not providing wireless.

The APs have a solid green light, but I can stand under them with my laptop, phone and a Fluke Air checker, and not detect a wireless signal.

A Shut/No-Shut on the switch port did not fix the issue, moving the APs to a different switch did not fix the issue. 
I thought it could be a switch issue, so I configured a spare 3502 and it works in that building just fine, so that rules out the switch. I configured some new 3802s to give them a temporary wireless until I get the old 3502s and enclosures replaced in the near future.

Now this week, I got an incident yesterday evening that another building did not have Wireless Connectivity.

This building has 11 Cisco 3502 APs and all are doing the same thing as the 3502s in the PAC. Same troubleshooting steps, same results.

It seems that these devices are all dying together, has anyone else been encountering this issue recently?


Leo Laohoo
Hall of Fame

What firmware is the controller running on?

Software Version: 8.5.151.0

Scott Fella
Hall of Fame

Is the certificate expired on those APs? Take a look at this just in case.

https://www.wiresandwi.fi/blog/cisco-wlc-or-ap-device-certificate-expired-what-you-can-do

-Scott
*** Please rate helpful posts ***

Regarding the WLC,
There is an expired evaluation license, but we have a Permanent RTU license that supersedes the evaluation license.

Also, we are at 879 of 6000 units, so we have not maxed out the license.

I'll have to look into how to find the certificate of the AP itself.

-EDIT-

Looked over the link you posted, and both my Cisco SHA1 device cert and Cisco SHA2 device cert are good till 2025.

You have to take some debugs or console outputs from APs and possibly open a TAC case. Could be many things, but dropping off with no reason and a bunch of them. Who knows… If you have redundant controllers, I would personally have moved APs over and/or rebooted the primary just for kicks and from experience.
-Scott

justthompson
Level 1

Hello All,

Sorry for the late reply, I was on vacation last week.

I consoled into the AP (4 of them, actually) and I am seeing this on all of them:

10.60.249.100 and 10.66.249.100 are the IPs of the Wireless controllers.

*Mar 1 00:14:44.475: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 port 0 CLI Request Triggered
%No matching route to delete
Translating "CISCO-CAPWAP-CONTROLLER.LSCS.prv"...domain server (10.201.145.185)

*Mar 1 00:14:55.503: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.60.249.100 obtained through DHCP
*Mar 1 00:14:55.503: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.66.249.100 obtained through DHCP
*Jun 15 15:25:00.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.66.249.100 peer_port: 5246
*Jun 15 15:25:00.210: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.66.249.100
*Jun 15 15:25:00.210: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.66.249.100:5246
*Jun 15 15:25:23.718: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Jun 15 15:26:05.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.66.249.100 peer_port: 5246
*Jun 15 15:26:05.210: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.66.249.100
*Jun 15 15:26:05.210: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.66.249.100:5246
*Jun 15 15:27:10.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.60.249.100 peer_port: 5246
*Jun 15 15:27:10.210: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.60.249.100
*Jun 15 15:27:10.210: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.60.249.100:5246
*Jun 15 15:28:15.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.60.249.100 peer_port: 5246
*Jun 15 15:28:15.210: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.60.249.100
*Jun 15 15:28:15.210: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.60.249.100:5246
*Jun 15 15:29:28.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.66.249.100 peer_port: 5246
*Jun 15 15:29:28.210: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.66.249.100
*Jun 15 15:29:28.210: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.66.249.100:5246

So it looks like a certificate issue, based upon this error that they are all receiving.

*Jun 15 15:29:28.210: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert

However, if I take a spare 3502 AP that hasn't been on the network, it connects to the controller(s), and works fine.
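
Added example, not part of the original posts: a small Python triage script over AP console output in the format quoted above, separating controllers that answer every DTLS request with a fatal alert from controllers that never answer at all. The sample log is constructed from the message formats in the post, and 192.0.2.10 is a made-up controller address included only for contrast.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines follow the console output format quoted in the post.
# 192.0.2.10 is a made-up controller that never answers, included for contrast.
SAMPLE_LOG = """\
*Jun 15 15:25:00.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.66.249.100 peer_port: 5246
*Jun 15 15:25:00.210: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.66.249.100
*Jun 15 15:25:00.210: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.66.249.100:5246
*Jun 15 15:26:05.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.66.249.100 peer_port: 5246
*Jun 15 15:26:05.210: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.66.249.100
*Jun 15 15:27:10.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.60.249.100 peer_port: 5246
*Jun 15 15:27:10.210: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.60.249.100
*Jun 15 15:28:15.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.0.2.10 peer_port: 5246
*Jun 15 15:29:20.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.0.2.10 peer_port: 5246
"""

REQ = re.compile(r"%CAPWAP-5-DTLSREQSEND: .*peer_ip: (\S+) peer_port: \d+")
ALERT = re.compile(r"%DTLS-5-ALERT: Received (\w+) : (.+?) alert from (\S+)")

def summarize(log_text):
    """Count DTLS requests sent to, and alerts received from, each controller."""
    attempts = Counter()
    alerts = defaultdict(Counter)
    for line in log_text.splitlines():
        if m := REQ.search(line):
            attempts[m.group(1)] += 1
        elif m := ALERT.search(line):
            level, reason, peer = m.groups()
            alerts[peer][(level, reason)] += 1
    return attempts, alerts

def classify(log_text):
    """Per controller: 'rejected' (fatal alert per attempt), 'no_response' or 'mixed'."""
    attempts, alerts = summarize(log_text)
    verdicts = {}
    for peer, sent in attempts.items():
        fatal = sum(n for (level, _), n in alerts[peer].items() if level == "FATAL")
        if fatal >= sent:
            verdicts[peer] = "rejected"      # controller refuses the handshake
        elif fatal == 0:
            verdicts[peer] = "no_response"   # requests leave, nothing comes back
        else:
            verdicts[peer] = "mixed"
    return verdicts

if __name__ == "__main__":
    for peer, verdict in classify(SAMPLE_LOG).items():
        print(peer, verdict)
```

A "rejected" verdict for every controller points at the DTLS handshake itself, while "no_response" points at reachability between the AP and that controller.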
