Here's a strange one..but first, thanks Rob for the doc's, I think they saved the day. In going through the doc's I found that enabling the SSC certs in the controllers was necessary. So once doing that, I re-thinned My AP and was trying to find it, when out of the blue it joined on it's own. Now according to Cisco's doc I was suppose to put the cert info in, but this AP did it on it's own with the controller.

Perhaps this is magic or just enabling the ssc certs on the controllers.

Anyone else run into this?

Jeff

Hi Jeff,

First off, you are most welcome!

I'm guessing that you used the newest version of the LWAPP Upgrade Tool (3.2) which has this resolved Caveat;

Resolved Caveats in Release 3.2

•CSCsj40023-IOS-to-LWAPP upgrade tool SSC load failure

After access points run through the IOS-to-LWAPP conversion process, the access points report successful installation of the required self-signed certificate (SSC). However, the SSC is not installed. The access points cannot join the controller.

So once you enabled SSC's for the WLC it was added automatically :)

Hope this helps!

Rob

Since I was feeling lucky, and that 1st one worked I tried a second. It followed the doc more closely and I got up to actually entering the CSV cert into the WCS for my controllers..BUT, it never joined getting these messages:

Mar 1 00:00:05.529: %LINK-3-UPDOWN: Interface FastEthernet0, changed state top

*Mar 1 00:00:06.529: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEtherp

*Mar 1 00:00:23.624: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY

*Mar 1 00:00:23.656: SSC Load Current Size crypto_mykey 116, offset 5014, Save4

*Mar 1 00:00:32.272: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned 3

*Mar 1 00:00:44.991: %LWAPP-5-CHANGED: LWAPP changed state to JOIN

*Mar 19 13:28:32.006: LWAPP_CLIENT_ERROR_DEBUG:

*Mar 19 13:28:32.007: peer certificate verification failed

*Mar 19 13:28:32.007: LWAPP_CLIENT_ERROR_DEBUG: spamDecodeJoinReply : Certificad

*Mar 19 13:28:32.007: LWAPP_CLIENT_ERROR_DEBUG: Unable to decode join reply

*Mar 19 13:28:36.803: LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not re

*Mar 19 13:28:36.803: LWAPP_CLIENT_ERROR_DEBUG: No more AP manager IP addresses.

*Mar 19 13:28:36.975: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload R.

*Mar 19 13:28:36.975: %LWAPP-5-CHANGED: LWAPP changed state to DOWN

After this it reboots. So I'm not sure where the cert is going wrong here. I've read through the doc and can't find a possible solution.

Any ideas?

Jeff

Hi Jeff,

Living on the edge! Make sure that the time on the machine that is running the LWAPP Upgrade tool and the WLC is close.

http://www.cisco.com/en/US/docs/wireless/access_point/conversion/lwapp/upgrade/guide/lwapnote.html#wp161264

Let us know,

Rob

Yeah that's Me..edge-liver. I followed the link you sent and read through it in case I missed a step, and I did exactly those steps. The one thing tho, is that I had to set it up in the 'controller template' I didn't have a 'configure' 'template' in the WCS OR the local controller. Also, I added the cert to 4 controllers, still no good.

From My debug pki I got this at the controller side to go with the ap stuff...I added an attachment of the WISM side.

What I have here is a failure to communicate..

Jeff

Hi Jeff,

I wish that I could tell you what the problem is here but I am not exactly sure. The failure to communicate must be in my brain :)

The attachment you sent doesn't really tell us where this is breaking down. The LWAPP Debugs during this time may be more revealing. Can you try capturing them and sending them along.

The only other thing that I can think of right now would be to revert the AP back to Autonomous and re-run the Upgrade in case the Cert is corrupted??

Let us know,

Rob

I have noticed that some APs, when converted, do no always generate an SSC, rather, they have an MIC. If your AP generates SSCs, then doing a "debug pm pki enable" will allow you to see the key hash so that you can enter it manually.

Seems I had a few things going on. I found that reverting back and then going through the upgrade process, WITH the right time, fixed the cert problem. Thanks guys for helping me out on that one. Took me awhile to actually check the time/date stamp. Also I found out, that when an AP has been created/made this side of 2005, it just connects to the Wism's without having to enter the SSC or Mic into the WCS. I had 2 like that and 2 where I had to enter the certs. So right now, I have 4 done and looking to do another 70..

Thanks for all the help, I finally think I have this a bit down now,

Jeff

Hi Jeff,

Great work! Thanks for posting back with your results. 5 points for this very kind follow-up :)

Take care,

Rob