05-27-2024 02:01 AM
Hello.
I am leaving an inquiry because the C9115 does not join the C9800 controller.
AP logs cannot be collected at this time.
It is connected to C9800, but it becomes separated from the controller again.
C9800 version : 17.13.1
Please understand that we only have C9800 logs.
*May 27 15:56:03.104: %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 1 R0/0: wncd: AP Event: AP Name: APXXXX Mac: XXXX Session-IP: 172.17.29.110[5255] 172.17.11.15[5246] Disjoined DTLS close alert from peer
*May 27 15:56:08.539: %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 1 R0/0: wncd: AP Event: AP Name: APXXXX Mac:XXXX Session-IP: 172.17.29.113[5267] 172.17.11.15[5246] Disjoined DTLS handshake failed
*May 27 15:56:15.916: %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 1 R0/0: wncd: AP Event: AP Name: APXXXX Mac:XXXX Session-IP: 172.17.29.118[5255] 172.17.11.15[5246] Disjoined DTLS handshake failed
*May 27 15:56:22.497: %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 1 R0/0: wncd: AP Event: AP Name: APXXXX Mac:XXXX Session-IP: 172.17.29.131[5255] 172.17.11.15[5246] Disjoined DTLS handshake failed
*May 27 15:56:33.627: %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 1 R0/0: wncd: AP Event: AP Name: APXXXX Mac:XXXX Session-IP: 172.17.29.109[5252] 172.17.11.15[5246] Disjoined DTLS handshake failed
*May 27 15:56:38.671: %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 1 R0/0: wncd: AP Event: AP Name: APXXXX Mac:XXXX Session-IP: 172.17.29.127[5270] 172.17.11.15[5246] Disjoined DTLS handshake expired
*May 27 15:56:48.926: %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 1 R0/0: wncd: AP Event: AP Name: APXXXX Mac:XXXX Session-IP: 172.17.29.121[5279] 172.17.11.15[5246] Disjoined DTLS handshake failed
*May 27 15:57:01.810: %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 1 R0/0: wncd: AP Event: AP Name: APXXXX Mac: Session-IP: 172.17.29.102[5253] 172.17.11.15[5246] Disjoined DTLS handshake failed
*May 27 15:57:12.335: %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 1 R0/0: wncd: AP Event: AP Name: APXXXX Mac: Session-IP: 172.17.29.106[5253] 172.17.11.15[5246] Disjoined DTLS handshake failed
*May 27 15:57:14.409: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet0/1/1, changed state to down
*May 27 15:57:15.888: %PKI-3-CERTIFICATE_INVALID: Certificate chain validation has failed.
*May 27 15:57:16.121: %PKI-3-CERTIFICATE_INVALID: Certificate chain validation has failed.
*May 27 15:57:15.890: %CERT_MGR_ERRMSG-3-CERT_VALIDATION_ERR: Chassis 1 R0/0: wncd: Certificate Validation Error, Cert validation status:pki_ssl_status@pki_ssl_status:PKI_SSL_VERIFY_FAILURE
*May 27 15:57:15.890: %DTLS_TRACE_MSG-3-WLC_DTLS_ERR: Chassis 1 R0/0: wncd: DTLS Error, session:172.17.29.103[5252] MAC: XXXX, Certificate validation failed
*May 27 15:57:19.664: %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 1 R0/0: wncd: AP Event: AP Name: APXXXX Mac: Session-IP: 172.17.29.137[5259] 172.17.11.15[5246] Disjoined DTLS handshake failed
*May 27 15:57:24.354: %PKI-3-CERTIFICATE_INVALID: Certificate chain validation has failed.
*May 27 15:57:24.356: %CERT_MGR_ERRMSG-3-CERT_VALIDATION_ERR: Chassis 1 R0/0: wncd: Certificate Validation Error, Cert validation status:pki_ssl_status@pki_ssl_status:PKI_SSL_VERIFY_FAILURE
*May 27 15:57:24.356: %DTLS_TRACE_MSG-3-WLC_DTLS_ERR: Chassis 1 R0/0: wncd: DTLS Error, session:172.17.30.109[5257] MAC: XXXX, Certificate validation failed
*May 27 15:57:28.651: %PKI-3-CERTIFICATE_INVALID: Certificate chain validation has faile
WLC#
05-27-2024 02:21 AM
- Have a checkup of the C9800 controller configuration with the CLI command show tech wireless and feed the output from that into Wireless Config Analyzer
- Check logs on the AP too when that happens
- Check switchport for AP-connection, look at interface error counters
- Check interface status and obtained speed and duplex mode
- Debug the AP joining process in detail using https://logadvisor.cisco.com/logadvisor/wireless/9800/9800APJoin
M.
05-27-2024 02:33 AM
We will collect show tech and find out on our next visit. Thank you for the useful information.
05-27-2024 02:39 AM
- Tx; reminder: for WirelessAnalyzer to work, use show tech wireless, not simple show tech
(feed output from the correct command into Wireless Config Analyzer)
M.
05-27-2024 02:24 AM
Is this the only AP having the issue? Have any other APs joined the WLC?
Is this a working setup or a new setup?
You have a DTLS handshake issue.
Try re-creating a certificate, reload the WLC and test again.
05-27-2024 02:31 AM
The overall situation for 48 APs is the same.
This is a new configuration.
How can I generate a new certificate?
05-27-2024 03:08 AM
Check the guide below:
05-27-2024 02:28 AM
CSCwh61011
05-27-2024 04:00 AM
@Leo Laohoo CSCwh61011 is supposed to be fixed in 17.13.1 which @my9774 is using.
05-27-2024 04:01 AM - edited 05-27-2024 04:02 AM
1. As @marce1000 said, check why your controller interface is flapping - nothing will work if the port doesn't stay up!
2. Agree with @balaji.bandi that you might have a WLC certificate issue - also refer to the Best Practices link below.
05-27-2024 05:16 AM
- I do agree with @Rich R that the whole sequence of DTLS and certificate errors could be misleading here; it is important to first focus on this part of the output:
>....: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet0/1/1, changed state to down
We can see that a TenG interface is being used, which is perfectly possible, but:
- Check switchport for AP-connection, look at interface error counters
- Check interface status and obtained speed and duplex mode
Which I mentioned earlier; it will also become imperative to be able to check the AP logs, and for instance be able to look at tx-rx counters.
M.
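Added example, not part of any post in this thread: a small triage script for controller-side logs in the format shown above, which tallies the DTLS disjoin reasons, counts how many distinct AP addresses are affected, and pulls out certificate validation failures and interface-down events so they can be read separately. The function name `triage` and the sample lines (documentation IP ranges, placeholder AP names and MACs) are constructed for illustration.

```python
import re
from collections import Counter

LINE = re.compile(r"^\*(?P<ts>\w{3} +\d+ [\d:.]+): %(?P<tag>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$")
DISJOIN = re.compile(r"Session-IP: (?P<ap>[\d.]+)\[\d+\] [\d.]+\[\d+\] Disjoined (?P<reason>.+)$")
CERT = re.compile(r"session:(?P<ap>[\d.]+)\[\d+\].*Certificate validation failed")
LINK = re.compile(r"Line protocol on Interface (?P<intf>\S+), changed state to (?P<state>\w+)")

# Constructed sample in the thread's log format; all addresses, names and MACs are placeholders.
SAMPLE = """\
*May 27 15:56:03.104: %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 1 R0/0: wncd: AP Event: AP Name: AP-A Mac: aaaa.bbbb.0001 Session-IP: 192.0.2.10[5255] 198.51.100.5[5246] Disjoined DTLS close alert from peer
*May 27 15:56:08.539: %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 1 R0/0: wncd: AP Event: AP Name: AP-B Mac: aaaa.bbbb.0002 Session-IP: 192.0.2.11[5267] 198.51.100.5[5246] Disjoined DTLS handshake failed
*May 27 15:56:15.916: %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 1 R0/0: wncd: AP Event: AP Name: AP-C Mac: aaaa.bbbb.0003 Session-IP: 192.0.2.12[5255] 198.51.100.5[5246] Disjoined DTLS handshake failed
*May 27 15:56:38.671: %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 1 R0/0: wncd: AP Event: AP Name: AP-D Mac: aaaa.bbbb.0004 Session-IP: 192.0.2.13[5270] 198.51.100.5[5246] Disjoined DTLS handshake expired
*May 27 15:57:14.409: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet0/1/1, changed state to down
*May 27 15:57:15.888: %PKI-3-CERTIFICATE_INVALID: Certificate chain validation has failed.
*May 27 15:57:15.890: %DTLS_TRACE_MSG-3-WLC_DTLS_ERR: Chassis 1 R0/0: wncd: DTLS Error, session:192.0.2.14[5252] MAC: aaaa.bbbb.0005, Certificate validation failed
*May 27 15:57:28.651: %PKI-3-CERTIFICATE_INVALID: Certificate chain validation has faile
WLC#
"""

def triage(text):
    """Summarise AP join failures from controller syslog text."""
    reasons, ap_ips, cert_ips, link_events = Counter(), set(), set(), []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip prompts such as "WLC#" and anything that is not a syslog line
        tag, msg = m["tag"], m["msg"]
        if tag.endswith("AP_JOIN_DISJOIN") and (d := DISJOIN.search(msg)):
            reasons[d["reason"]] += 1
            ap_ips.add(d["ap"])
        elif tag.endswith("WLC_DTLS_ERR") and (c := CERT.search(msg)):
            cert_ips.add(c["ap"])
        elif tag == "LINEPROTO-5-UPDOWN" and (l := LINK.search(msg)):
            link_events.append((m["ts"], l["intf"], l["state"]))
    return {
        "disjoin_reasons": dict(reasons),                 # which DTLS failure dominates
        "distinct_ap_ips": len(ap_ips | cert_ips),        # one AP or the whole fleet?
        "cert_validation_failures": sorted(cert_ips),     # sessions rejected on PKI grounds
        "link_down": [e for e in link_events if e[2] == "down"],  # check these before PKI
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Many distinct AP addresses failing the same way points at the controller side (uplink or certificate) rather than a single AP, and any `link_down` entry is worth resolving before reading further into the DTLS and PKI errors.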