cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
348
Views
5
Helpful
7
Replies
Highlighted
Beginner

C9120AXI-E not joining C9800-40

Hello, 

 

we set up a new C9800 Cluster with version 17.3.1.

We configured DNS Option 43 and a Trustpoint on our WLAN MGMT. NTP on the controller is set.

But the AP is still not joining the WLC. 

We see following output in the AP:

 

[*10/29/2020 07:34:36.9839] CAPWAP State: Discovery

[*10/29/2020 07:34:36.9849] Got WLC address 10.127.0.5 from DHCP.

[*10/29/2020 07:34:36.9849] IP DNS query for CISCO-CAPWAP-CONTROLLER.xxx

[*10/29/2020 07:34:36.9929] Discovery Request sent to 10.127.0.5, discovery type DHCP(2)

[*10/29/2020 07:34:36.9939] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)

[*10/29/2020 07:34:36.9949] Discovery Response from 10.127.0.5

[*10/29/2020 07:34:36.9959] Discovery Response from 10.127.0.5

[*10/29/2020 07:34:46.0000]

[*10/29/2020 07:34:46.0000] CAPWAP State: DTLS Setup

[*10/29/2020 07:34:46.3440] dtls_process_packet: DTLS Error: 1046

[*10/29/2020 07:34:46.3440] dtls_process_packet: The controller shut down the DTLS connection.

[*10/29/2020 07:34:46.3440] dtls_process_packet: Please verify that the AP certificate is valid and has not expired.

 

on WLC:

Oct 29 08:54:41.841 MET: %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 2 R0/0: wncd: AP Event: Session-IP:10.127.2.24[5257] CAPWAP DTLS session closed for AP, cause: DTLS handshake error

Oct 29 08:54:41.841 MET: %DTLS_TRACE_MSG-3-EWLC_DTLS_ERR: Chassis 2 R0/0: wncd: DTLS Error, session:10.127.2.24[5257] Mac:a488.7385.7e00, Certificate validation failed

Oct 29 08:54:41.841 MET: %CERT_MGR_ERRMSG-3-CERT_VALIDATION_ERR: Chassis 2 R0/0: wncd: Certificate Validation Error, Cert validation status:pki_ssl_status@pki_ssl_status:PKI_SSL_ERROR

 

I see, there is some problem with the certificate. Has anyone a idea how to solve it?

7 REPLIES 7
Highlighted
Cisco Employee

can you share the following? 

show ap auth-list

show wireless management trustpoint

show clock 

 

AP: 

show capwap client config

Saludos,
Rafael - TAC
Highlighted
Beginner

Hello Rafael, 

 

sure, thanks for you help.

 

Cheers

Mathias

Highlighted
Cisco Employee

9800 appliance does not require a trustpoint. Wireless management trustpoint is required only for virtual WLC deployment. You can remove the trustpoint by using "no wireless management trustpoint" command in config mode

 

9800(config)#no wireless management trustpoint
9800(config)#exit

This will remove the incorrect trustpoint and will auto generate a new one.

 

To confirm the correct trustpoint, use the show command, example below:
9800#show wireless management trustpoint
Trustpoint Name : CISCO_IDEVID_SUDI
Certificate Info : Available
Certificate Type : MIC
Private key Info : Available
FIPS suitability : Not Applicable

 

 

Highlighted
Beginner

After typing the command i got on the ap:

 

[*10/30/2020 06:15:13.7709] CAPWAP State: Discovery
[*10/30/2020 06:15:13.7719] Got WLC address 10.127.0.5 from DHCP.
[*10/30/2020 06:15:13.7719] IP DNS query for CISCO-CAPWAP-CONTROLLER.ee.emp-eaw.ch
[*10/30/2020 06:15:13.7799] Discovery Request sent to 10.127.0.5, discovery type DHCP(2)
[*10/30/2020 06:15:13.7839] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*10/30/2020 06:15:13.7839] Discovery Response from 10.127.0.5
[*10/30/2020 06:15:13.7849] Discovery Response from 10.127.0.5
[*10/30/2020 06:15:25.0000]
[*10/30/2020 06:15:25.0000] CAPWAP State: DTLS Setup
[*10/30/2020 06:15:25.6598] dtls_process_packet: DTLS Error: 1051
[*10/30/2020 06:15:25.6598] dtls_process_packet: The controller shut down the DTLS connection.
[*10/30/2020 06:15:25.6598] dtls_process_packet: Please verify that the AP certificate is valid and has not expired.
[*10/30/2020 06:16:21.5637]
[*10/30/2020 06:16:21.5637] CAPWAP State: DTLS Teardown
[*10/30/2020 06:16:21.5757] Aborting image download(0x0): Dtls cleanup,
[*10/30/2020 06:16:21.6377] do ABORT, part1 is active part
[*10/30/2020 06:16:21.6527] upgrade.sh: Cleanup tmp files ...
[*10/30/2020 06:16:26.3140] No more AP manager addresses remain..
[*10/30/2020 06:16:26.3140] No valid AP manager found for controller 'ee-wlc' (ip: 10.127.0.5)
[*10/30/2020 06:16:26.3140] Failed to join controller ee-wlc.
[*10/30/2020 06:16:26.3140] Failed to join controller.
[*10/30/2020 06:16:27.3140] ipv6 gw config loop in discovery timer expiry
[*10/30/2020 06:16:29.3138] ipv6 gw config loop in discovery timer expiry
[*10/30/2020 06:16:31.3137] ipv6 gw config loop in discovery timer expiry
[*10/30/2020 06:16:33.3136] ipv6 gw config loop in discovery timer expiry
[*10/30/2020 06:16:35.3145] ipv6 gw config loop in discovery timer expiry
[*10/30/2020 06:16:37.3144] ipv6 gw config loop in Ac discovery
[*10/30/2020 06:16:39.3153] ipv6 gw config loop in Ac discovery
[*10/30/2020 06:16:41.3163] ipv6 gw config loop in Ac discovery
[*10/30/2020 06:16:43.3162] ipv6 gw config loop in Ac discovery

 

on the wlc:

Oct 30 07:10:01.788 MET: %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: Chassis 2 R0/0: wncd: AP Event: Session-IP:10.127.2.24[5257] CAPWAP DTLS session closed for AP, cause: DTLS handshake error

 

ee-wlc#show wireless management trustpoint
Trustpoint Name : CISCO_IDEVID_SUDI
Certificate Info : Available
Certificate Type : MIC
Certificate Hash : 578b8fe7f7a2f8aa282cabf03a32250b6dba4170
Private key Info : Available
FIPS suitability : Not Applicable

Highlighted

I can see that you originally had bad cert “ee-wlc.pfx” but now you fixed it and showing the correct one CISCO_IDEVID_SUDI.

Next check is the WLC country code, is it valid to what AP manufactured code or not. You can check that using: show wireless country configured

Meaning, if the AP is for example AIR-APxxxx-E-K9 then you can’t join it to a WLC with country code configured as US

If you want to fix the counrt code use:

ap dot11 5ghz shutdown

ap dot11 24ghz shutdown

wireless country XX

no ap dot11 5ghz shutdown

no ap dot11 24ghz shutdown

 

If the country code is correct then:

Next Check…

I can see that the AP was joining AireOS WLC before that was running 8.10 code

Rejoin the AP to the AireOS WLC and then

Login to the AireOS WLC and Navigate to Security > Certificate > SSC and uncheck Enable SSC Hash Validation, after that click Apply

After that you can join that AP back to the 9800

I’m deleting the next check because it is not valid in your case 9800-40 this check is valid only for ssc which is in 9800-CL or the virtual case and you’re using the MIC cert so that’s why

Highlighted
Beginner

The countrycode is ch and the ap is C9120AXI-E. So i think this is correct.

Highlighted
Beginner

Ok, after a reboot of the WLC the AP joined.

I cannot say, which answer was the solution.