Cisco AIR-AP3802I-E-K9 subordinate

MagicMike
Level 1

Hi all,

I have a few Cisco AIR-AP3802I-E-K9, one of them is set as the primary controller and I manage them from the mobility express page.
In the garage I want to fit 2 Cisco AIR-AP2702E-E-K9 (they have external antennas, and they have better coverage in there).

Firmware loaded on the AIR-AP3802I-E-K9:
https://software.cisco.com/download/home/286304536/type/286289839/release/8.10.190.0?i=!pp

Firmware loaded on the AIR-AP2702E-E-K9:
https://software.cisco.com/download/home/286256842/type/280775090/release/15.3.3-JPQ?i=!pp

From the 3802I firmware release notes I see that the 2702E is a subordinate of the 3802I:

https://www.cisco.com/c/en/us/td/docs/wireless/access_point/mob_exp/810/release_notes/b_ME_RN_810.html

However, for some reason the 2702E doesn't seem to work. I know I have done this in the past and it worked but I can't seem to figure it out now.

Any help will be highly appreciated.

Output of the 2702E:

 

Translating "CISCO-CAPWAP-CONTROLLER.home.arpa"...domain server (10.10.10.254)

*Feb 19 22:20:45.027: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Feb 19 22:20:45.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.10.123 peer_port: 5246
*Feb 19 22:20:46.203: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.10.10.123
*Feb 19 22:20:46.207: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.10.123:5246
*Feb 19 22:21:49.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Feb 19 22:21:50.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.10.123 peer_port: 5246
*Feb 19 22:21:50.203: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.10.10.123
*Feb 19 22:21:50.203: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.10.123:5246
*Feb 19 22:23:14.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Feb 19 22:23:15.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.10.123 peer_port: 5246
*Feb 19 22:23:15.203: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.10.10.123
*Feb 19 22:23:15.203: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.10.123:5246
*Feb 19 22:24:19.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Feb 19 22:24:20.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.10.123 peer_port: 5246
*Feb 19 22:24:20.203: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.10.10.123
*Feb 19 22:24:20.203: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.10.123:5246
Not in Bound state.
*Feb 19 22:25:30.515: %CAPWAP-3-DHCP_RENEW: Could not discover WLC. Either IP address is not assigned or assigned IP is wrong. Renewing DHCP IP.
*Feb 19 22:25:33.587: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.10.10.131, mask 255.255.255.0, hostname APf44e.0545.44c8

 

LATER EDIT:

I went on the primary controller, and I entered this command:

config ap cert-expiry-ignore mic enable

And now the output of the 2702E changed to

*Feb 20 00:55:11.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.17.11.123 peer_port: 5246
*Feb 20 00:55:11.239: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.17.11.123 peer_port: 5246
*Feb 20 00:55:11.243: %CAPWAP-5-SENDJOIN: sending Join Request to 10.17.11.123
*Feb 20 00:55:16.239: %CAPWAP-5-SENDJOIN: sending Join Request to 10.17.11.123
*Feb 20 00:55:16.239: %DTLS-5-ALERT: Received WARNING : Close notify alert from 10.17.11.123
*Feb 20 00:55:16.239: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.17.11.123:5246
*Feb 20 00:55:16.239: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

 

 


marce1000
Hall of Fame

 

  - The corresponding AP Capwap release for 8.10.196.0 is 15.3(3)JK10
  ==>  Use that one on the 2700's
    - Make sure that the regulatory domain on the APs and the mobility express controller match.
    - Post the output from show version and show sysinfo on the 2700's

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

I don't have access to 8.10.196.0, I have 8.10.190.0 on the 3802i.
I installed ap3g2-k9w8-xx.153-3.JK10 on a 2702i and I have the same output. What is the corresponding AP Capwap release for 8.10.190.0?

show sysinfo on the 2700 is not working.

Thank you

 

*Feb 20 20:16:34.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.17.11.123 peer_port: 5246
*Feb 20 20:16:34.239: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.17.11.123 peer_port: 5246
*Feb 20 20:16:34.239: %CAPWAP-5-SENDJOIN: sending Join Request to 10.17.11.123
*Feb 20 20:16:39.239: %CAPWAP-5-SENDJOIN: sending Join Request to 10.17.11.123
*Feb 20 20:16:39.239: %DTLS-5-ALERT: Received WARNING : Close notify alert from 10.17.11.123
*Feb 20 20:16:39.239: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.17.11.123:5246
*Feb 20 20:16:39.239: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
APf44e.0545.4c88>show version
Cisco IOS Software, C2700 Software (AP3G2-K9W8-M), Version 15.3(3)JK10, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2023 by Cisco Systems, Inc.
Compiled Wed 27-Sep-23 18:06 by mcpre

ROM: Bootstrap program is C2700 boot loader
BOOTLDR: C2700 Boot Loader (AP3G2-BOOT-M) LoaderVersion 15.2(4)JB5m, RELEASE SOFTWARE (fc2)

APf44e.0545.4c88 uptime is 4 minutes
System returned to ROM by power-on
System image file is "flash:/ap3g2-k9w8-mx.153-3.JK10/ap3g2-k9w8-xx.153-3.JK10"
Last reload reason:



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-CAP2702I-E-K9 (PowerPC) processor (revision A0) with 376814K/134656K bytes of memory.
Processor board ID FCZ1841D149
PowerPC CPU at 800Mhz, revision number 0x2151
Last reset from power-on
LWAPP image version 8.10.190.0
1 Gigabit Ethernet interface
2 802.11 Radios

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: F4:4E:05:45:4C:88
Part Number                          : 73-15824-03
PCB Serial Number                    : FOC18387Q5W
Top Assembly Part Number             : 800-41174-01
Top Assembly Serial Number           : FCZ1841D149
Top Revision Number                  : A0
Product/Model Number                 : AIR-CAP2702I-E-K9



Configuration register is 0xF

APf44e.0545.4c88>

 

 

 - @MagicMike wrote : I installed ap3g2-k9w8-xx.153-3.JK10 on a 2702i and I have the same output, what is the corresponding AP Capwap release for 8.10.190.0 ?

           Ref : https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html
  >...

Table 7. Cisco AireOS Controller Software Releases, AP IOS Releases, and Supported Access Points
Cisco AireOS Controller Release | Access Point IOS Release | Supported Access Points
8.10.196.0 | 15.3(3)JK11 | Lightweight APs: 9130E, 9130I, 9120, 9117, 9115, 9105, 1700, 1800i, 1810 OEAP,

 M.




Not having access to download images is the biggest problem folks have and one of the biggest gotchas that make them mad.  It's hard to have a Cisco environment and no support which allows you to download images, because eventually, you will need to.

-Scott
*** Please rate helpful posts ***

srimal99
Level 1

Dustin Anderson
VIP Alumni

You may be hitting the expired MIC cert of the 27xx series I've seen before. Not sure on express if the commands work though.

https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html 

 

Edit, realized you mentioned this.

Also do the command:

config ap cert-expiry-ignore ssc enable

 

It is also getting a close from the controller, so you may need to see the logs from the controller to see what it doesn't like about the AP. Some APs with old code can't handle a date past its expired MIC. You could try to turn off NTP and turn back the date.

 

MagicMike
Level 1

@marce1000 @Dustin Anderson @srimal99 I tried everything you guys said. Thank you.

Via the GUI (Advanced>CONTROLLER TOOLS>Troubleshooting Files>Download Support Bundle), I downloaded the tech_support.tgz archive and extracted it. Inside the ctrl folder I found a file called msg.txt that is full of logs like this:

 

 

*spamApTask0: Feb 21 14:40:55.661: %LWAPP-3-LWAPP_JOIN_AP_JOIN_ERR: capwap_ac_sm.c:5244 The system has received a join request from AP 10.17.11.107 that doesn'tsupport image download through GUI. Change the image downloadmode to either TFTP or CCO
*spamApTask0: Feb 21 14:40:55.412: %CAPWAP-3-CCO_ASD_LOG_ERROR: spam_lrad.c:103777 CCO ASD logging failed on AP-MAC f4:4e:05:45:4c:88, reason: Index not found unable to delete tmp log
*spamApTask0: Feb 21 14:40:55.412: %LWAPP-3-AP_DEL: spam_lrad.c:6090 88:1d:fc:2c:a1:e0: Entry deleted for AP: 10.17.11.107 (54472) reason : Multiple Join Request.
*spamApTask0: Feb 21 14:40:55.411: %CAPWAP-3-DTLS_CON_CLOSED: capwap_ac_dtls.c:149 Not sending DTLS session closed notification to CAPWAP for AP 88:1d:fc:2c:a1:e0
*spamApTask0: Feb 21 14:40:55.411: %CAPWAP-3-DTLS_CLOSED_ERR: capwap_ac_sm.c:7521 88:1d:fc:2c:a1:e0:  DTLS connection closed forAP  10:17:11:107 (54472), Controller: 10:17:11:123 (5246) Multiple Join Request

 

 

 

This error message indicates that the Access Point (AP 2702i with firmware 15.3(3)JK10 with IP address 10.17.11.107) is trying to join the controller (3802i with firmware 8.10.190.0), but it doesn't support image download through the GUI.

Could this be the issue?

EDIT:

I have found this -> https://community.cisco.com/t5/wireless/dtls-5-send-alert-send-fatal-close-notify-alert-to-xxx-xxx-xxx/td-p/4692452 I am going to try to understand it, replicate it, and come back with my findings.

 

   @MagicMike   FYI : https://community.cisco.com/t5/wireless/dtls-5-send-alert-send-fatal-close-notify-alert-to-xxx-xxx-xxx/m-p/4692846/highlight/true#M246382

 M.




MagicMike
Level 1

We fixed it, thank you all!

As I said before, Access Point AP 2702i is trying to join the controller 3802i, but it doesn't support image download through the GUI.

I logged in to 3802i and went to -> Management>Software update and I set it like this:

Transfer Mode: TFTP (it was previously set to HTTP)
IP Address (IPv4)/Name: 10.17.11.30 (a Windows machine running Tftpd64 by Ph. Jounin)
File Path****: AIR-AP3800-K9-ME-8-10-190-0/
And SAVE

****I had to go here -> Software Download - Cisco Systems and download AIR-AP3800-K9-ME-8-10-190-0.zip, then I extracted the zip file in the root of the TFTP server.

After I pressed SAVE, a few seconds later the 2702i started to download the firmware and joined the others.

Problem fixed.

I will install a TFTP server on a Linux machine and have it running 24/7, so when I add other APs, if needed, they will all get the firmware from there.

Thank you @marce1000 @Scott Fella @Dustin Anderson @srimal99 for your input!
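
A small triage script for the AP and controller logs quoted in this thread, added here as an example (it is not code from any poster or from Cisco). It reports how far a CAPWAP join got, which tells you whether to look at the certificate, the controller's msg.txt, or the image transfer mode; the rule table, stage names and function names are assumptions for illustration, while the message IDs and sample lines are the ones posted above.

```python
import re

# Lines copied from the logs posted in this thread (one failure of each kind).
AP_BEFORE = [
    "*Feb 19 22:20:45.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.10.123 peer_port: 5246",
    "*Feb 19 22:20:46.203: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.10.10.123",
]
AP_AFTER = [
    "*Feb 20 00:55:11.239: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.17.11.123 peer_port: 5246",
    "*Feb 20 00:55:11.243: %CAPWAP-5-SENDJOIN: sending Join Request to 10.17.11.123",
    "*Feb 20 00:55:16.239: %DTLS-5-ALERT: Received WARNING : Close notify alert from 10.17.11.123",
]
CONTROLLER = [
    "*spamApTask0: Feb 21 14:40:55.661: %LWAPP-3-LWAPP_JOIN_AP_JOIN_ERR: capwap_ac_sm.c:5244 The system has received a join request from AP 10.17.11.107 that doesn'tsupport image download through GUI. Change the image downloadmode to either TFTP or CCO",
]

# Assumed rule table: (pattern, stage, finding). The findings paraphrase what the
# posters concluded in this thread; they are not taken from Cisco documentation.
STAGES = ["dtls-handshake", "capwap-join", "image-download"]
RULES = [
    (r"%DTLS-5-ALERT: Received FATAL : Certificate unknown", "dtls-handshake",
     "controller rejected the AP certificate (thread: expired MIC, FN63942)"),
    (r"%CAPWAP-5-DTLSREQSUCC", "dtls-handshake", "DTLS session established"),
    (r"%CAPWAP-5-SENDJOIN", "capwap-join", "AP sent Join Request"),
    (r"%DTLS-5-ALERT: Received WARNING : Close notify", "capwap-join",
     "controller closed the session after the Join Request; read its msg.txt"),
    (r"%LWAPP-3-LWAPP_JOIN_AP_JOIN_ERR:.*image download through GUI", "image-download",
     "AP does not support image download through GUI; thread fix: Transfer Mode TFTP"),
]
LINE = re.compile(r"^\*(?:\w+: )?(\w{3} +\d+ [\d:.]+): (.*)$")

def triage(lines):
    """Return [(timestamp, stage, finding)] for every log line matching a rule."""
    hits = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # console noise such as "Not in Bound state."
        ts, msg = m.groups()
        for pattern, stage, finding in RULES:
            if re.search(pattern, msg):
                hits.append((ts, stage, finding))
                break
    return hits

def furthest_stage(hits):
    """Name the last join stage seen, so the next log to read is obvious."""
    reached = [STAGES.index(stage) for _, stage, _ in hits]
    return STAGES[max(reached)] if reached else None
```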

