10-29-2020 12:59 AM - edited 07-05-2021 12:42 PM
Hello,
We set up a new C9800 cluster with version 17.3.1.
We configured DNS Option 43 and a trustpoint on our WLAN MGMT. NTP on the controller is set.
But the AP is still not joining the WLC.
We see following output in the AP:
[*10/29/2020 07:34:36.9839] CAPWAP State: Discovery
[*10/29/2020 07:34:36.9849] Got WLC address 10.127.0.5 from DHCP.
[*10/29/2020 07:34:36.9849] IP DNS query for CISCO-CAPWAP-CONTROLLER.xxx
[*10/29/2020 07:34:36.9929] Discovery Request sent to 10.127.0.5, discovery type DHCP(2)
[*10/29/2020 07:34:36.9939] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*10/29/2020 07:34:36.9949] Discovery Response from 10.127.0.5
[*10/29/2020 07:34:36.9959] Discovery Response from 10.127.0.5
[*10/29/2020 07:34:46.0000]
[*10/29/2020 07:34:46.0000] CAPWAP State: DTLS Setup
[*10/29/2020 07:34:46.3440] dtls_process_packet: DTLS Error: 1046
[*10/29/2020 07:34:46.3440] dtls_process_packet: The controller shut down the DTLS connection.
[*10/29/2020 07:34:46.3440] dtls_process_packet: Please verify that the AP certificate is valid and has not expired.
on WLC:
Oct 29 08:54:41.841 MET: %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 2 R0/0: wncd: AP Event: Session-IP:10.127.2.24[5257] CAPWAP DTLS session closed for AP, cause: DTLS handshake error
Oct 29 08:54:41.841 MET: %DTLS_TRACE_MSG-3-EWLC_DTLS_ERR: Chassis 2 R0/0: wncd: DTLS Error, session:10.127.2.24[5257] Mac:a488.7385.7e00, Certificate validation failed
Oct 29 08:54:41.841 MET: %CERT_MGR_ERRMSG-3-CERT_VALIDATION_ERR: Chassis 2 R0/0: wncd: Certificate Validation Error, Cert validation status:pki_ssl_status@pki_ssl_status:PKI_SSL_ERROR
I see there is some problem with the certificate. Does anyone have an idea how to solve it?
10-29-2020 01:42 AM
Can you share the following?
show ap auth-list
show wireless management trustpoint
show clock
AP:
show capwap client config
10-29-2020 02:53 AM
10-29-2020 12:03 PM
The 9800 appliance does not require a trustpoint. The wireless management trustpoint is required only for a virtual WLC deployment. You can remove the trustpoint with the "no wireless management trustpoint" command in config mode:
9800(config)#no wireless management trustpoint
9800(config)#exit
This will remove the incorrect trustpoint and auto-generate a new one.
To confirm the correct trustpoint, use the show command, example below:
9800#show wireless management trustpoint
Trustpoint Name : CISCO_IDEVID_SUDI
Certificate Info : Available
Certificate Type : MIC
Private key Info : Available
FIPS suitability : Not Applicable
10-29-2020 11:19 PM
After typing the command I got this on the AP:
[*10/30/2020 06:15:13.7709] CAPWAP State: Discovery
[*10/30/2020 06:15:13.7719] Got WLC address 10.127.0.5 from DHCP.
[*10/30/2020 06:15:13.7719] IP DNS query for CISCO-CAPWAP-CONTROLLER.ee.emp-eaw.ch
[*10/30/2020 06:15:13.7799] Discovery Request sent to 10.127.0.5, discovery type DHCP(2)
[*10/30/2020 06:15:13.7839] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*10/30/2020 06:15:13.7839] Discovery Response from 10.127.0.5
[*10/30/2020 06:15:13.7849] Discovery Response from 10.127.0.5
[*10/30/2020 06:15:25.0000]
[*10/30/2020 06:15:25.0000] CAPWAP State: DTLS Setup
[*10/30/2020 06:15:25.6598] dtls_process_packet: DTLS Error: 1051
[*10/30/2020 06:15:25.6598] dtls_process_packet: The controller shut down the DTLS connection.
[*10/30/2020 06:15:25.6598] dtls_process_packet: Please verify that the AP certificate is valid and has not expired.
[*10/30/2020 06:16:21.5637]
[*10/30/2020 06:16:21.5637] CAPWAP State: DTLS Teardown
[*10/30/2020 06:16:21.5757] Aborting image download(0x0): Dtls cleanup,
[*10/30/2020 06:16:21.6377] do ABORT, part1 is active part
[*10/30/2020 06:16:21.6527] upgrade.sh: Cleanup tmp files ...
[*10/30/2020 06:16:26.3140] No more AP manager addresses remain..
[*10/30/2020 06:16:26.3140] No valid AP manager found for controller 'ee-wlc' (ip: 10.127.0.5)
[*10/30/2020 06:16:26.3140] Failed to join controller ee-wlc.
[*10/30/2020 06:16:26.3140] Failed to join controller.
[*10/30/2020 06:16:27.3140] ipv6 gw config loop in discovery timer expiry
[*10/30/2020 06:16:29.3138] ipv6 gw config loop in discovery timer expiry
[*10/30/2020 06:16:31.3137] ipv6 gw config loop in discovery timer expiry
[*10/30/2020 06:16:33.3136] ipv6 gw config loop in discovery timer expiry
[*10/30/2020 06:16:35.3145] ipv6 gw config loop in discovery timer expiry
[*10/30/2020 06:16:37.3144] ipv6 gw config loop in Ac discovery
[*10/30/2020 06:16:39.3153] ipv6 gw config loop in Ac discovery
[*10/30/2020 06:16:41.3163] ipv6 gw config loop in Ac discovery
[*10/30/2020 06:16:43.3162] ipv6 gw config loop in Ac discovery
On the WLC:
Oct 30 07:10:01.788 MET: %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 2 R0/0: wncd: AP Event: Session-IP:10.127.2.24[5257] CAPWAP DTLS session closed for AP, cause: DTLS handshake error
ee-wlc#show wireless management trustpoint
Trustpoint Name : CISCO_IDEVID_SUDI
Certificate Info : Available
Certificate Type : MIC
Certificate Hash : 578b8fe7f7a2f8aa282cabf03a32250b6dba4170
Private key Info : Available
FIPS suitability : Not Applicable
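An added triage helper, not from this thread and not a Cisco tool, that parses the AP console lines and WLC syslog lines posted above together with the "show wireless management trustpoint" output, reports which CAPWAP stage stopped making progress, and lists the checks the replies in this thread suggest for that stage. The sample logs are constructed from the lines posted above; the function names, the check wording and the "unclassified" fallback are assumptions of this example.

```python
"""Triage a C9800 CAPWAP join failure from AP console output and WLC syslog.

Hypothetical helper written for this thread, not a Cisco tool. The sample
logs are constructed from the lines posted above; the check list mirrors the
replies in the thread.
"""
import re

# Constructed sample: AP console lines (abridged from the thread).
AP_LOG = """\
[*10/30/2020 06:15:13.7709] CAPWAP State: Discovery
[*10/30/2020 06:15:13.7719] Got WLC address 10.127.0.5 from DHCP.
[*10/30/2020 06:15:13.7799] Discovery Request sent to 10.127.0.5, discovery type DHCP(2)
[*10/30/2020 06:15:13.7839] Discovery Response from 10.127.0.5
[*10/30/2020 06:15:25.0000] CAPWAP State: DTLS Setup
[*10/30/2020 06:15:25.6598] dtls_process_packet: DTLS Error: 1051
[*10/30/2020 06:15:25.6598] dtls_process_packet: The controller shut down the DTLS connection.
[*10/30/2020 06:16:21.5637] CAPWAP State: DTLS Teardown
[*10/30/2020 06:16:26.3140] Failed to join controller ee-wlc.
"""

# Constructed sample: WLC syslog lines (abridged from the thread).
WLC_LOG = """\
Oct 30 07:10:01.788 MET: %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 2 R0/0: wncd: AP Event: Session-IP:10.127.2.24[5257] CAPWAP DTLS session closed for AP, cause: DTLS handshake error
Oct 30 07:10:01.788 MET: %DTLS_TRACE_MSG-3-EWLC_DTLS_ERR: Chassis 2 R0/0: wncd: DTLS Error, session:10.127.2.24[5257] Mac:a488.7385.7e00, Certificate validation failed
Oct 30 07:10:01.788 MET: %CERT_MGR_ERRMSG-3-CERT_VALIDATION_ERR: Chassis 2 R0/0: wncd: Certificate Validation Error, Cert validation status:pki_ssl_status@pki_ssl_status:PKI_SSL_ERROR
"""

# Constructed sample: "show wireless management trustpoint" after the fix.
TRUSTPOINT_OUTPUT = """\
Trustpoint Name : CISCO_IDEVID_SUDI
Certificate Info : Available
Certificate Type : MIC
Private key Info : Available
FIPS suitability : Not Applicable
"""

STATE_RE = re.compile(r"CAPWAP State: (.+?)\s*$")
DISC_RESP_RE = re.compile(r"Discovery Response from ([\d.]+)")
DTLS_ERR_RE = re.compile(r"DTLS Error: (\d+)")
WLC_SESSION_RE = re.compile(r"session:([\d.]+)\[(\d+)\] Mac:([0-9a-f.]+)")


def parse_ap_log(text):
    """Collect the CAPWAP states seen, who answered discovery, and DTLS error codes."""
    states, responders, dtls_errors = [], set(), []
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            states.append(m.group(1))
        elif m := DISC_RESP_RE.search(line):
            responders.add(m.group(1))
        elif m := DTLS_ERR_RE.search(line):
            dtls_errors.append(int(m.group(1)))
    return {"states": states, "responders": responders, "dtls_errors": dtls_errors}


def parse_wlc_log(text):
    """Pull the DTLS/certificate evidence and the AP session tuple out of WLC syslog."""
    out = {"handshake_error": False, "cert_validation_failed": False, "sessions": set()}
    for line in text.splitlines():
        if "DTLS handshake error" in line:
            out["handshake_error"] = True
        if "Certificate validation failed" in line or "CERT_VALIDATION_ERR" in line:
            out["cert_validation_failed"] = True
        if m := WLC_SESSION_RE.search(line):
            out["sessions"].add((m.group(1), int(m.group(2)), m.group(3)))
    return out


def parse_trustpoint(text):
    """Turn the 'Key : Value' lines of show wireless management trustpoint into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def trustpoint_is_factory_mic(fields):
    """True when the management trustpoint is the factory SUDI MIC with its key present."""
    return (fields.get("Certificate Type") == "MIC"
            and fields.get("Certificate Info") == "Available"
            and fields.get("Private key Info") == "Available")


def diagnose(ap, wlc, trustpoint=None):
    """Classify the failure by the last CAPWAP stage that made progress."""
    states = ap["states"]
    if not ap["responders"]:
        # Discovery never got an answer: controller address or reachability problem.
        return {"stage": "discovery", "cause": "no Discovery Response received",
                "checks": ["DHCP option 43 / DNS CISCO-CAPWAP-CONTROLLER record",
                           "UDP 5246/5247 reachability from the AP subnet to the WLC"]}
    if "DTLS Setup" in states and (ap["dtls_errors"] or wlc["handshake_error"]):
        # Discovery worked but the DTLS handshake did not: certificate/trust problem.
        checks = ["show wireless management trustpoint",
                  "show clock  (certificate validity is checked against WLC time)",
                  "show ap auth-list",
                  "show wireless country configured  (must match the AP regulatory domain)"]
        if trustpoint is not None and not trustpoint_is_factory_mic(trustpoint):
            checks.insert(0, "no wireless management trustpoint  (appliance falls back to CISCO_IDEVID_SUDI)")
        return {"stage": "dtls", "cause": "DTLS handshake rejected by WLC",
                "dtls_error_codes": ap["dtls_errors"],
                "cert_validation_failed": wlc["cert_validation_failed"],
                "checks": checks}
    # Assumed fallback: nothing in the sampled lines explains the failure.
    return {"stage": "unclassified", "cause": "no discovery or DTLS failure found",
            "checks": ["review the later CAPWAP states in the AP console log"]}


if __name__ == "__main__":
    result = diagnose(parse_ap_log(AP_LOG), parse_wlc_log(WLC_LOG),
                      parse_trustpoint(TRUSTPOINT_OUTPUT))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the logs in this thread it reports stage "dtls" with error code 1051 and the WLC's certificate-validation failure, and because the trustpoint output already shows the factory MIC it leaves "show clock" and the country-code check as the next things to look at. Feed it the earlier "ee-wlc.pfx" trustpoint output and the first suggested check becomes removing that trustpoint.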
10-30-2020 08:24 AM - edited 10-30-2020 08:35 AM
I can see that you originally had a bad cert "ee-wlc.pfx", but now you have fixed it and it is showing the correct one, CISCO_IDEVID_SUDI.
Next check is the WLC country code: is it valid for the regulatory domain the AP was manufactured for or not? You can check that using: show wireless country configured
Meaning, if the AP is, for example, an AIR-APxxxx-E-K9, then you can't join it to a WLC with the country code configured as US.
If you want to fix the country code, use:
ap dot11 5ghz shutdown
ap dot11 24ghz shutdown
wireless country XX
no ap dot11 5ghz shutdown
no ap dot11 24ghz shutdown
If the country code is correct then:
Next Check…
I can see that the AP was joined to an AireOS WLC before that was running 8.10 code.
Rejoin the AP to the AireOS WLC and then
Login to the AireOS WLC and Navigate to Security > Certificate > SSC and uncheck Enable SSC Hash Validation, after that click Apply
After that you can join that AP back to the 9800
I'm deleting the next check because it is not valid in your case (9800-40); that check is valid only for the SSC, which applies to the 9800-CL or virtual case, and you're using the MIC cert, so that's why.
10-30-2020 09:18 AM
The country code is CH and the AP is C9120AXI-E, so I think this is correct.
10-30-2020 09:43 AM
Ok, after a reboot of the WLC the AP joined.
I cannot say, which answer was the solution.
04-30-2021 12:49 AM
Hello Bothwalker,
I faced the same issue with 9120 APs while option 43 was correctly configured.
I had to manually set "capwap ap primary-base <WLC hostname> X.X.X.X" on every AP...
I'm not sure why, but I was running 16.12.04a; perhaps I should have upgraded to 17.3.3 and tested again.