C9120AXI-E not joining C9800-40

Bothwalker
Level 1

Hello,

We set up a new C9800 cluster with version 17.3.1.

We configured DNS Option 43 and a Trustpoint on our WLAN MGMT. NTP on the controller is set.

But the AP is still not joining the WLC. 

We see the following output on the AP:

[*10/29/2020 07:34:36.9839] CAPWAP State: Discovery
[*10/29/2020 07:34:36.9849] Got WLC address 10.127.0.5 from DHCP.
[*10/29/2020 07:34:36.9849] IP DNS query for CISCO-CAPWAP-CONTROLLER.xxx
[*10/29/2020 07:34:36.9929] Discovery Request sent to 10.127.0.5, discovery type DHCP(2)
[*10/29/2020 07:34:36.9939] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*10/29/2020 07:34:36.9949] Discovery Response from 10.127.0.5
[*10/29/2020 07:34:36.9959] Discovery Response from 10.127.0.5
[*10/29/2020 07:34:46.0000]
[*10/29/2020 07:34:46.0000] CAPWAP State: DTLS Setup
[*10/29/2020 07:34:46.3440] dtls_process_packet: DTLS Error: 1046
[*10/29/2020 07:34:46.3440] dtls_process_packet: The controller shut down the DTLS connection.
[*10/29/2020 07:34:46.3440] dtls_process_packet: Please verify that the AP certificate is valid and has not expired.

On the WLC:

Oct 29 08:54:41.841 MET: %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 2 R0/0: wncd: AP Event: Session-IP:10.127.2.24[5257] CAPWAP DTLS session closed for AP, cause: DTLS handshake error
Oct 29 08:54:41.841 MET: %DTLS_TRACE_MSG-3-EWLC_DTLS_ERR: Chassis 2 R0/0: wncd: DTLS Error, session:10.127.2.24[5257] Mac:a488.7385.7e00, Certificate validation failed
Oct 29 08:54:41.841 MET: %CERT_MGR_ERRMSG-3-CERT_VALIDATION_ERR: Chassis 2 R0/0: wncd: Certificate Validation Error, Cert validation status:pki_ssl_status@pki_ssl_status:PKI_SSL_ERROR

I see there is some problem with the certificate. Has anyone an idea how to solve it?

8 Replies

Rafael E
Cisco Employee

Can you share the following?

show ap auth-list

show wireless management trustpoint

show clock

AP:

show capwap client config

Saludos,
Rafael - TAC

Bothwalker
Level 1

Hello Rafael,

Sure, thanks for your help.

Cheers

Mathias

srkala
Cisco Employee

The 9800 appliance does not require a trustpoint. A wireless management trustpoint is required only for a virtual WLC deployment. You can remove the trustpoint by using the "no wireless management trustpoint" command in config mode:

9800(config)#no wireless management trustpoint
9800(config)#exit

This will remove the incorrect trustpoint and will auto-generate a new one.

To confirm the correct trustpoint, use the show command, example below:
9800#show wireless management trustpoint
Trustpoint Name : CISCO_IDEVID_SUDI
Certificate Info : Available
Certificate Type : MIC
Private key Info : Available
FIPS suitability : Not Applicable

Bothwalker
Level 1

After typing the command I got this on the AP:

[*10/30/2020 06:15:13.7709] CAPWAP State: Discovery
[*10/30/2020 06:15:13.7719] Got WLC address 10.127.0.5 from DHCP.
[*10/30/2020 06:15:13.7719] IP DNS query for CISCO-CAPWAP-CONTROLLER.ee.emp-eaw.ch
[*10/30/2020 06:15:13.7799] Discovery Request sent to 10.127.0.5, discovery type DHCP(2)
[*10/30/2020 06:15:13.7839] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*10/30/2020 06:15:13.7839] Discovery Response from 10.127.0.5
[*10/30/2020 06:15:13.7849] Discovery Response from 10.127.0.5
[*10/30/2020 06:15:25.0000]
[*10/30/2020 06:15:25.0000] CAPWAP State: DTLS Setup
[*10/30/2020 06:15:25.6598] dtls_process_packet: DTLS Error: 1051
[*10/30/2020 06:15:25.6598] dtls_process_packet: The controller shut down the DTLS connection.
[*10/30/2020 06:15:25.6598] dtls_process_packet: Please verify that the AP certificate is valid and has not expired.
[*10/30/2020 06:16:21.5637]
[*10/30/2020 06:16:21.5637] CAPWAP State: DTLS Teardown
[*10/30/2020 06:16:21.5757] Aborting image download(0x0): Dtls cleanup,
[*10/30/2020 06:16:21.6377] do ABORT, part1 is active part
[*10/30/2020 06:16:21.6527] upgrade.sh: Cleanup tmp files ...
[*10/30/2020 06:16:26.3140] No more AP manager addresses remain..
[*10/30/2020 06:16:26.3140] No valid AP manager found for controller 'ee-wlc' (ip: 10.127.0.5)
[*10/30/2020 06:16:26.3140] Failed to join controller ee-wlc.
[*10/30/2020 06:16:26.3140] Failed to join controller.
[*10/30/2020 06:16:27.3140] ipv6 gw config loop in discovery timer expiry
[*10/30/2020 06:16:29.3138] ipv6 gw config loop in discovery timer expiry
[*10/30/2020 06:16:31.3137] ipv6 gw config loop in discovery timer expiry
[*10/30/2020 06:16:33.3136] ipv6 gw config loop in discovery timer expiry
[*10/30/2020 06:16:35.3145] ipv6 gw config loop in discovery timer expiry
[*10/30/2020 06:16:37.3144] ipv6 gw config loop in Ac discovery
[*10/30/2020 06:16:39.3153] ipv6 gw config loop in Ac discovery
[*10/30/2020 06:16:41.3163] ipv6 gw config loop in Ac discovery
[*10/30/2020 06:16:43.3162] ipv6 gw config loop in Ac discovery

On the WLC:

Oct 30 07:10:01.788 MET: %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 2 R0/0: wncd: AP Event: Session-IP:10.127.2.24[5257] CAPWAP DTLS session closed for AP, cause: DTLS handshake error

ee-wlc#show wireless management trustpoint
Trustpoint Name : CISCO_IDEVID_SUDI
Certificate Info : Available
Certificate Type : MIC
Certificate Hash : 578b8fe7f7a2f8aa282cabf03a32250b6dba4170
Private key Info : Available
FIPS suitability : Not Applicable

I can see that you originally had a bad cert “ee-wlc.pfx”, but now you have fixed it and it is showing the correct one, CISCO_IDEVID_SUDI.

The next check is the WLC country code: is it valid for the code the AP was manufactured for or not? You can check that using: show wireless country configured

Meaning, if the AP is for example AIR-APxxxx-E-K9, then you can’t join it to a WLC with the country code configured as US.

If you want to fix the country code, use:

ap dot11 5ghz shutdown
ap dot11 24ghz shutdown
wireless country XX
no ap dot11 5ghz shutdown
no ap dot11 24ghz shutdown

If the country code is correct, then:

Next check…

I can see that the AP was joining an AireOS WLC before that was running 8.10 code.

Rejoin the AP to the AireOS WLC and then

Log in to the AireOS WLC and navigate to Security > Certificate > SSC and uncheck Enable SSC Hash Validation; after that click Apply.

After that you can join that AP back to the 9800.

I’m deleting the next check because it is not valid in your case (9800-40); this check is valid only for SSC, which is in the 9800-CL or virtual case, and you’re using the MIC cert, so that’s why.
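As an added example (not code from this thread or from Cisco), here is a small Python triage script that parses the three things the replies above ask for: the AP console lines, the WLC syslog lines, and the output of "show wireless management trustpoint", and reports which of the checks failed. The sample input is constructed from the lines quoted in the thread; the "ee-wlc.pfx" trustpoint block is a constructed placeholder, since the thread only mentions that name.

```python
import re

# Line patterns for the AP console, the WLC syslog and 'show wireless management trustpoint'.
AP_STATE = re.compile(r"^\[\*[^\]]+\] CAPWAP State: (?P<state>\S.*?)\s*$")
AP_DTLS = re.compile(r"^\[\*[^\]]+\] dtls_process_packet: DTLS Error: (?P<code>\d+)")
WLC_DTLS = re.compile(r"%DTLS_TRACE_MSG-3-EWLC_DTLS_ERR:.*session:(?P<ip>[\d.]+)\[\d+\] "
                      r"Mac:(?P<mac>[0-9a-f.]+), (?P<reason>.+?)\s*$")
WLC_CERT = re.compile(r"%CERT_MGR_ERRMSG-3-CERT_VALIDATION_ERR")
TP_FIELD = re.compile(r"^\s*(?P<key>[A-Za-z ]+?)\s*:\s*(?P<val>.+?)\s*$")

def parse_trustpoint(text):
    """Map each 'Key : Value' line of the show output to a dict (the prompt line has no colon)."""
    return {m["key"]: m["val"] for m in map(TP_FIELD.match, text.splitlines()) if m}

def triage(ap_log, wlc_log, trustpoint_out):
    """Return human-readable findings that explain a failed CAPWAP join."""
    findings = []
    states = [m["state"] for m in map(AP_STATE.match, ap_log.splitlines()) if m]
    if states and states[-1] in ("DTLS Setup", "DTLS Teardown"):
        findings.append(f"AP stalled in CAPWAP state '{states[-1]}' after discovery succeeded")
    for m in filter(None, map(AP_DTLS.match, ap_log.splitlines())):
        findings.append(f"AP reports DTLS Error {m['code']}: controller closed the handshake")
    for line in wlc_log.splitlines():
        if m := WLC_DTLS.search(line):
            findings.append(f"WLC closed DTLS for AP {m['mac']} ({m['ip']}): {m['reason']}")
        elif WLC_CERT.search(line):
            findings.append("WLC certificate manager reports PKI_SSL_ERROR on the session cert")
    tp = parse_trustpoint(trustpoint_out)
    name, ctype = tp.get("Trustpoint Name"), tp.get("Certificate Type")
    if (name, ctype) != ("CISCO_IDEVID_SUDI", "MIC"):
        findings.append(f"management trustpoint is {name} ({ctype}); a 9800 appliance "
                        "should use the SUDI MIC, fix with 'no wireless management trustpoint'")
    if tp.get("Private key Info") != "Available":
        findings.append("management trustpoint has no usable private key")
    return findings

# Constructed sample input, taken from the lines quoted in this thread.
AP_LOG = """\
[*10/29/2020 07:34:36.9839] CAPWAP State: Discovery
[*10/29/2020 07:34:46.0000] CAPWAP State: DTLS Setup
[*10/29/2020 07:34:46.3440] dtls_process_packet: DTLS Error: 1046
"""
WLC_LOG = """\
Oct 29 08:54:41.841 MET: %DTLS_TRACE_MSG-3-EWLC_DTLS_ERR: Chassis 2 R0/0: wncd: DTLS Error, session:10.127.2.24[5257] Mac:a488.7385.7e00, Certificate validation failed
Oct 29 08:54:41.841 MET: %CERT_MGR_ERRMSG-3-CERT_VALIDATION_ERR: Chassis 2 R0/0: wncd: Certificate Validation Error, Cert validation status:pki_ssl_status@pki_ssl_status:PKI_SSL_ERROR
"""
# Constructed placeholder for the bad trustpoint; the thread names it but does not show its fields.
TRUSTPOINT_BAD = "Trustpoint Name : ee-wlc.pfx\nCertificate Type : Imported\nPrivate key Info : Available\n"
```

Calling triage(AP_LOG, WLC_LOG, TRUSTPOINT_BAD) returns five findings (stalled state, AP error 1046, the WLC session close, PKI_SSL_ERROR, and the non-SUDI trustpoint); with the SUDI/MIC output from the thread and the second log set, only the two AP-side findings remain.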

Bothwalker
Level 1

The country code is CH and the AP is C9120AXI-E. So I think this is correct.

Bothwalker
Level 1

Ok, after a reboot of the WLC the AP joined.

I cannot say, which answer was the solution.

Hello Bothwalker,

I faced the same issue with 9120 APs while option 43 was correctly configured.

I had to manually set "capwap ap primary-base <WLC hostname> X.X.X.X" on every AP...

I'm not sure why, but I was running 16.12.04a; perhaps I should have upgraded to 17.3.3 and tested again.
