Cisco 5508 Wireless LAN Controller Upgrade from 8.0.152.0 to 8.5.140.0

Upgrading a Cisco 5508 Wireless LAN Controller (WLC) from Software Version 8.0.x to 8.5.140.0 when legacy Access Points (APs) such as the AIR-CAP3502I-A-K9/AIR-CAP3602I-A-K9/AIR-CAP3702I-A-K9 series fail to register because their Manufacturing Installed Certificates (MIC) have expired and the DTLS handshake fails.

Error log:

*Mar  1 00:01:36.347: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
*Dec  2 16:33:45.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
*Dec  2 16:33:46.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.111.4.4 peer_port: 5246
*Dec  2 16:33:46.235: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed.  The certificate (SN: 1C2C8A5900000009D45D) has expired.    Validity period ended on 03:08:22 UTC May 10 2023Peer certificate verification failed 001A
*Dec  2 16:33:46.235: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:508 Certificate verified failed!
*Dec  2 16:33:46.235: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.111.4.4:5246
*Dec  2 16:33:46.235: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.111.4.4:5246

Cause:

Legacy APs ship with MICs whose validity windows have reached end-of-life (EOL). After the WLC upgrade, DTLS negotiation enforces certificate checks aligned to SHA-2 requirements, so CAPWAP DTLS fails whenever an AP's MIC is expired.

Solution:

  1. Back up the current configuration:
    GUI → Commands → Upload File → select TFTP/SFTP, server IP, and path.
    Save a verified backup.
  2. Reboot the WLC on current code to ensure a clean state:
    GUI → Commands → Reboot.
  3. Temporarily set the controller date to a year within AP MIC validity (example: 2021):
    GUI → Commands → Set Time.
    Note: Do not use NTP during this step.
  4. Transfer the 8.5.140.0 image:
    GUI → Commands → Download File → choose TFTP/SFTP, server IP, path, and filename.
  5. Reboot into 8.5.140.0 and save configuration.
  6. Temporarily ignore MIC certificate expiry for APs:
    CLI → WLC> config ap cert-expiry-ignore mic enable
  7. Remove/disable NTP servers:
    GUI → Controller → NTP → Server → remove entries. This avoids time drift corrections until APs complete join and image negotiation.
  8. Allow 5–10 minutes for APs to boot, download any required image bundles, and register. Monitor join status.
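An added example (not from the post or from Cisco) that pulls the expired-MIC events out of AP console output like the log above and works out how far back the controller clock has to be set for step 3; the sample lines are constructed from the post's output and the 30-day margin is an assumption:

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the AP console output quoted in the post (SN and peer IP as shown there).
SAMPLE_LOG = """\
*Dec  2 16:33:45.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
*Dec  2 16:33:46.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.111.4.4 peer_port: 5246
*Dec  2 16:33:46.235: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed.  The certificate (SN: 1C2C8A5900000009D45D) has expired.    Validity period ended on 03:08:22 UTC May 10 2023Peer certificate verification failed 001A
*Dec  2 16:33:46.235: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.111.4.4:5246
*Dec  2 16:33:46.235: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.111.4.4:5246
"""

# The expiry timestamp runs straight into "Peer certificate ..." in the raw log, so the year is matched as exactly four digits.
EXPIRED_RE = re.compile(
    r"%PKI-3-CERTIFICATE_INVALID_EXPIRED:.*?\(SN: (?P<sn>[0-9A-Fa-f]+)\) has expired\."
    r"\s+Validity period ended on (?P<hms>\d{2}:\d{2}:\d{2}) UTC "
    r"(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<year>\d{4})"
)
ALERT_RE = re.compile(
    r"%DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to (?P<peer>[\d.]+):(?P<port>\d+)"
)


def parse_expired_mic_events(log_text):
    """One dict per expired-MIC failure: certificate serial, expiry (UTC) and the
    DTLS peer (the WLC) that was sent the Bad certificate alert, if logged."""
    events = []
    for line in log_text.splitlines():
        m = EXPIRED_RE.search(line)
        if m:
            expired_at = datetime.strptime(
                f"{m['hms']} {m['mon']} {m['day']} {m['year']}", "%H:%M:%S %b %d %Y")
            events.append({"sn": m["sn"].upper(), "expired_at": expired_at, "peer": None})
            continue
        a = ALERT_RE.search(line)
        if a and events and events[-1]["peer"] is None:
            events[-1]["peer"] = f"{a['peer']}:{a['port']}"
    return events


def latest_safe_clock_date(events, margin_days=30):
    """Latest UTC date still inside every flagged certificate's validity window,
    less a safety margin (the margin is an assumption, not from the post). Use it
    to sanity-check the date chosen for step 3 before starting the upgrade."""
    if not events:
        return None
    earliest = min(e["expired_at"] for e in events)
    return (earliest - timedelta(days=margin_days)).date()
```

Feed it the captured console output of each failing AP; the result is the latest date the controller clock may be set to so that every listed MIC still validates, which also gives you an inventory of certificate serials to track once the upgrade is done.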
