Cannot Connect AP 2702i with WLC 5508

MartonBaksa0515
Level 1

Hi!

I am super new to Cisco gear. I have intermediate experience with Juniper gear though. I am wondering if you are able to help me with my issue. 

 

I have done the initial configuration of the WLC and then I plugged my 2702i into the same switch and the same VLAN as the WLC management interface. I believe that the two are able to see each other but they don't seem to be talking to each other properly. I see the following looping out of the AP's console:

*Jul 18 02:27:20.003: %CAPWAP-3-ERRORLOG: Failed to load configuration from flash. Resetting to default config
*Jul 18 02:27:20.011: %LWAPP-3-CLIENTERRORLOG: Config load from flash failed. Initialising Cfg

*Jul 18 02:27:30.015: %CAPWAP-3-ERRORLOG: Go join a capwap controller 
*Jul 18 02:28:35.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.2.1 peer_port: 5246
*Jul 18 02:28:48.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:924 Unexpected message received while expecting HelloVerifyRequest
*Jul 18 02:28:48.999: %DTLS-5-SEND_ALERT: Send FATAL : Unexpected message Alert to 10.1.2.1:5246
*Jul 18 02:28:48.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.1.2.1:5246
*Jul 18 02:28:48.999: %CAPWAP-3-ERRORLOG: Dropping dtls packet since session is not established. 10.1.2.1, 147E, 10.1.100.3, A7A4, 0
*Jul 18 02:28:48.999: %CAPWAP-3-ERRORLOG: Invalid event 40 & state 3 combination.
*Jul 18 02:28:48.999: %CAPWAP-3-ERRORLOG: Dropping dtls packet since session is not established. 10.1.2.1, 147E, 10.1.100.3, A7A4, 0
*Jul 18 02:28:48.999: %CAPWAP-3-ERRORLOG: Dropping dtls packet since session is not established. 10.1.2.1, 147E, 10.1.100.3, A7A4, 0
*Jul 18 02:29:39.999: %CAPWAP-3-ERRORLOG: Go join a capwap controller 
*Jul 18 02:28:35.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.2.1 peer_port: 5246
*Jul 18 02:28:35.007: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed.  The certificate (SN: 337BE2450000001859C2) has expired.    Validity period ended on 16:44:27 UTC Feb 25 2020Peer certificate verification failed 001A

*Jul 18 02:28:35.007: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Jul 18 02:28:35.007: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:467 Certificate verified failed!
*Jul 18 02:28:35.007: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.1.2.1:5246
*Jul 18 02:28:35.007: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.1.2.1:5246
*Jul 18 02:28:35.007: %CAPWAP-3-ERRORLOG: Invalid event 40 & state 3 combination.

I see that I have a 37 AP license available and in use in the software management. I am sure that I simply misconfigured something, but honestly I don't know where to start with troubleshooting Cisco gear.

Thank you!

 

Best,

Marton

 

edit:spelling


Scott Fella
Hall of Fame
There are guides out there that can help, search for “Cisco AP join issues”. A few notes... make sure NTP or the time is set, the controller image supports the AP model, the AP gets a valid DHCP address, the country code is defined and matches the AP, and the license, which you already verified. As long as all these are met and the AP is on the same subnet as the WLC management, the AP should join.
It’s also best to post the whole output from the AP console starting when you boot the AP up.
-Scott

Mark Elsen
Hall of Fame

 

 - Verify licensing setup with show license summary. Also make sure that QoS settings, if used, do not hamper CAPWAP traffic on your Intranet.

 M.




Leo Laohoo
Hall of Fame

@MartonBaksa0515 wrote:
*Jul 18 02:28:35.007: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed.  The certificate (SN: 337BE2450000001859C2) has expired.    Validity period ended on 16:44:27 UTC Feb 25 2020Peer certificate verification failed 001A

Read FN - 63942 - Wireless Lightweight Access Points and WLAN Controllers Fail to Create CAPWAP/LWAPP Connections Due to Certificate Expiration


Post the complete output to the following WLC commands: 

sh sysinfo
sh time

Post the complete output to the following AP commands: 

sh version

 

https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html

 

^ This was the ticket! Once I connected the AP, it automatically downloaded a newer version of software and I was able to move the time back to normal. 

Thank you!

syed.shameem1
Level 1
Logs show that this is a certificate issue.

Check the certificate whether MIC is checked under AP Policies.

And also check for any bugs and possibly, try to upgrade the software version.

Chris C'Leon
Cisco Employee

Looks like your WLC certification has expired. To confirm the certification has expired, run the following command on the WLC:

(Cisco Controller)> show certificate all -> and scroll down until you find this particular certificate and check the Validity End Date.

If it's expired, you can disable the device certificate authentication altogether and let the AP join the WLC anyway using:


   (Cisco Controller)> config ap cert-expiry-ignore mic enable
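
An added example, not part of any reply in this thread: a small Python triage script that pulls the expired certificate's serial number and validity end date, plus the fatal DTLS alerts, out of AP console output like the lines posted above. The function names are hypothetical, and the current time is passed in by the caller because the AP's own log timestamps carry no year.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Console lines copied from the AP output posted in this thread.
SAMPLE_LOG = """\
*Jul 18 02:28:35.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.2.1 peer_port: 5246
*Jul 18 02:28:48.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:924 Unexpected message received while expecting HelloVerifyRequest
*Jul 18 02:28:48.999: %DTLS-5-SEND_ALERT: Send FATAL : Unexpected message Alert to 10.1.2.1:5246
*Jul 18 02:28:35.007: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed.  The certificate (SN: 337BE2450000001859C2) has expired.    Validity period ended on 16:44:27 UTC Feb 25 2020Peer certificate verification failed 001A
*Jul 18 02:28:35.007: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.1.2.1:5246
*Jul 18 02:28:35.007: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.1.2.1:5246
"""

# \d{4} stops at the year, so the "2020Peer" run-on in the console output is tolerated.
EXPIRED_RE = re.compile(
    r"%PKI-3-CERTIFICATE_INVALID_EXPIRED:.*?\(SN: (?P<sn>[0-9A-Fa-f]+)\) has expired\.\s+"
    r"Validity period ended on (?P<end>\d\d:\d\d:\d\d UTC \w{3} +\d{1,2} \d{4})"
)
ALERT_RE = re.compile(
    r"%DTLS-5-SEND_ALERT: Send FATAL : (?P<alert>.+?) Alert to (?P<peer>[\d.]+):(?P<port>\d+)"
)


def triage(log_text):
    """Return (expired_certs, alerts): expired certs as dicts, alerts counted per (alert, peer, port)."""
    expired, alerts = [], Counter()
    for line in log_text.splitlines():
        m = EXPIRED_RE.search(line)
        if m:
            end = datetime.strptime(m["end"], "%H:%M:%S UTC %b %d %Y")
            expired.append({"serial": m["sn"], "not_after": end.replace(tzinfo=timezone.utc)})
        m = ALERT_RE.search(line)
        if m:
            alerts[(m["alert"], m["peer"], int(m["port"]))] += 1
    return expired, alerts


def days_past_expiry(not_after, now):
    """Whole days between the certificate's end date and a caller-supplied, trusted 'now'."""
    return (now - not_after).days


if __name__ == "__main__":
    certs, alerts = triage(SAMPLE_LOG)
    for c in certs:
        age = days_past_expiry(c["not_after"], datetime.now(timezone.utc))
        print(f"expired cert SN={c['serial']} not_after={c['not_after']:%Y-%m-%d} ({age} days ago)")
    for (alert, peer, port), n in alerts.items():
        print(f"{n}x fatal '{alert}' alert sent to {peer}:{port}")
```
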
