Cisco AIR-AP3802I-E-K9 subordinate

MagicMike
Level 1

Hi all,

I have a few Cisco AIR-AP3802I-E-K9, one of them is set as the primary controller and I manage them from the mobility express page.
In the garage I want to fit 2 Cisco AIR-AP2702E-E-K9 (they have external antennas, and they have better coverage in there).

Firmware loaded on the AIR-AP3802I-E-K9:
https://software.cisco.com/download/home/286304536/type/286289839/release/8.10.190.0?i=!pp

Firmware loaded on the AIR-AP2702E-E-K9:
https://software.cisco.com/download/home/286256842/type/280775090/release/15.3.3-JPQ?i=!pp

From the 3802I firmware release notes I see that the 2702E is a subordinate of the 3802I:

https://www.cisco.com/c/en/us/td/docs/wireless/access_point/mob_exp/810/release_notes/b_ME_RN_810.html

However, for some reason the 2702E doesn't seem to work. I know I have done this in the past and it worked but I can't seem to figure it out now.

Any help will be highly appreciated.

Output of the 2702E:

 

Translating "CISCO-CAPWAP-CONTROLLER.home.arpa"...domain server (10.10.10.254)

*Feb 19 22:20:45.027: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Feb 19 22:20:45.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.10.123 peer_port: 5246
*Feb 19 22:20:46.203: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.10.10.123
*Feb 19 22:20:46.207: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.10.123:5246
*Feb 19 22:21:49.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Feb 19 22:21:50.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.10.123 peer_port: 5246
*Feb 19 22:21:50.203: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.10.10.123
*Feb 19 22:21:50.203: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.10.123:5246
*Feb 19 22:23:14.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Feb 19 22:23:15.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.10.123 peer_port: 5246
*Feb 19 22:23:15.203: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.10.10.123
*Feb 19 22:23:15.203: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.10.123:5246
*Feb 19 22:24:19.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Feb 19 22:24:20.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.10.123 peer_port: 5246
*Feb 19 22:24:20.203: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.10.10.123
*Feb 19 22:24:20.203: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.10.123:5246
Not in Bound state.
*Feb 19 22:25:30.515: %CAPWAP-3-DHCP_RENEW: Could not discover WLC. Either IP address is not assigned or assigned IP is wrong. Renewing DHCP IP.
*Feb 19 22:25:33.587: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.10.10.131, mask 255.255.255.0, hostname APf44e.0545.44c8

 

LATER EDIT:

I went on the primary controller, and I entered this command:

config ap cert-expiry-ignore mic enable

And now the output of the 2702E changed to

*Feb 20 00:55:11.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.17.11.123 peer_port: 5246
*Feb 20 00:55:11.239: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.17.11.123 peer_port: 5246
*Feb 20 00:55:11.243: %CAPWAP-5-SENDJOIN: sending Join Request to 10.17.11.123
*Feb 20 00:55:16.239: %CAPWAP-5-SENDJOIN: sending Join Request to 10.17.11.123
*Feb 20 00:55:16.239: %DTLS-5-ALERT: Received WARNING : Close notify alert from 10.17.11.123
*Feb 20 00:55:16.239: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.17.11.123:5246
*Feb 20 00:55:16.239: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

 

 

5 Replies

marce1000
Hall of Fame

 

  - The corresponding AP Capwap release for 8.10.196.0 is 15.3(3)JK10

  ==>  Use that one on the 2700's
    - Make sure that the regulatory domain on the APs and the mobility express controller match.
    - Post the output from show version and show sysinfo on the 2700's

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

I don't have access to 8.10.196.0, I have 8.10.190.0 on the 3802i.
I installed ap3g2-k9w8-xx.153-3.JK10 on a 2702i and I have the same output, what is the corresponding AP Capwap release for 8.10.190.0 ?

show sysinfo on the 2700 is not working.

thank you 

 

*Feb 20 20:16:34.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.17.11.123 peer_port: 5246
*Feb 20 20:16:34.239: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.17.11.123 peer_port: 5246
*Feb 20 20:16:34.239: %CAPWAP-5-SENDJOIN: sending Join Request to 10.17.11.123
*Feb 20 20:16:39.239: %CAPWAP-5-SENDJOIN: sending Join Request to 10.17.11.123
*Feb 20 20:16:39.239: %DTLS-5-ALERT: Received WARNING : Close notify alert from 10.17.11.123
*Feb 20 20:16:39.239: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.17.11.123:5246
*Feb 20 20:16:39.239: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
APf44e.0545.4c88>show version
Cisco IOS Software, C2700 Software (AP3G2-K9W8-M), Version 15.3(3)JK10, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2023 by Cisco Systems, Inc.
Compiled Wed 27-Sep-23 18:06 by mcpre

ROM: Bootstrap program is C2700 boot loader
BOOTLDR: C2700 Boot Loader (AP3G2-BOOT-M) LoaderVersion 15.2(4)JB5m, RELEASE SOFTWARE (fc2)

APf44e.0545.4c88 uptime is 4 minutes
System returned to ROM by power-on
System image file is "flash:/ap3g2-k9w8-mx.153-3.JK10/ap3g2-k9w8-xx.153-3.JK10"
Last reload reason:



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-CAP2702I-E-K9 (PowerPC) processor (revision A0) with 376814K/134656K bytes of memory.
Processor board ID FCZ1841D149
PowerPC CPU at 800Mhz, revision number 0x2151
Last reset from power-on
LWAPP image version 8.10.190.0
1 Gigabit Ethernet interface
2 802.11 Radios

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: F4:4E:05:45:4C:88
Part Number                          : 73-15824-03
PCB Serial Number                    : FOC18387Q5W
Top Assembly Part Number             : 800-41174-01
Top Assembly Serial Number           : FCZ1841D149
Top Revision Number                  : A0
Product/Model Number                 : AIR-CAP2702I-E-K9



Configuration register is 0xF

APf44e.0545.4c88>

 

 

 - @MagicMike wrote : I installed ap3g2-k9w8-xx.153-3.JK10 on a 2702i and I have the same output, what is the corresponding AP Capwap release for 8.10.190.0 ?

           Ref : https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html
  >...

Table 7. Cisco AireOS Controller Software Releases, AP IOS Releases, and Supported Access Points

Cisco AireOS Controller Release | Access Point IOS Release | Supported Access Points
8.10.196.0 | 15.3(3)JK11 | Lightweight APs: 9130E, 9130I, 9120, 9117, 9115, 9105, 1700, 1800i, 1810 OEAP,

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

srimal99
Level 1

Dustin Anderson
VIP Alumni

You may be hitting the expired MIC cert of the 27xx series I've seen before. Not sure on express if the commands work though.

https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html 

 

Edit, realized you mentioned this.

Also do the command:

config ap cert-expiry-ignore ssc enable

 

It is also getting a close from the controller, so may need to see the logs from the controller to see what it doesn't like about the AP. Some APs with old code can't handle a date past its expired MIC. You could try to turn off NTP and turn back the date.
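
Added example (not part of any post in this thread, and not Cisco tooling): a small Python triage script that splits AP console output into join attempts and labels where each one stopped, separating the two signatures seen above: the controller's `Certificate unknown` alert during DTLS, and the `Close notify` that arrives after the Join Request once DTLS is up. The function and label names are made up for this example, and the sample lines are constructed from the output quoted in the thread.

```python
import re

# Constructed sample input, shaped like the AP console output quoted in this thread.
BEFORE = """\
*Feb 19 22:20:45.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.10.123 peer_port: 5246
*Feb 19 22:20:46.203: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.10.10.123
*Feb 19 22:20:46.207: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.10.123:5246
"""
AFTER = """\
*Feb 20 00:55:11.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.17.11.123 peer_port: 5246
*Feb 20 00:55:11.239: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.17.11.123 peer_port: 5246
*Feb 20 00:55:11.243: %CAPWAP-5-SENDJOIN: sending Join Request to 10.17.11.123
*Feb 20 00:55:16.239: %CAPWAP-5-SENDJOIN: sending Join Request to 10.17.11.123
*Feb 20 00:55:16.239: %DTLS-5-ALERT: Received WARNING : Close notify alert from 10.17.11.123
"""
EVENT = re.compile(r"%([A-Z]+)-\d-([A-Z0-9_]+): (.*)$")
ALERT = re.compile(r"Received (\w+) : (.+?) alert from")

def attempts(text):
    """Group events into join attempts; each attempt starts at DTLSREQSEND."""
    out = []
    for line in text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # free-text lines such as "Not in Bound state."
        event, msg = f"{m[1]}-{m[2]}", m[3]
        if event == "CAPWAP-DTLSREQSEND":
            out.append({"dtls_up": False, "joins": 0, "alert": None})
        elif not out:
            continue  # events seen before the first attempt
        elif event == "CAPWAP-DTLSREQSUCC":
            out[-1]["dtls_up"] = True
        elif event == "CAPWAP-SENDJOIN":
            out[-1]["joins"] += 1
        elif event == "DTLS-ALERT" and out[-1]["alert"] is None:
            a = ALERT.search(msg)  # keep only the first alert the peer sent
            out[-1]["alert"] = a.groups() if a else ("?", msg)
    return out

def classify(a):
    desc = a["alert"][1] if a["alert"] else None
    if not a["dtls_up"] and desc == "Certificate unknown":
        return "dtls-cert-rejected"         # controller refused the AP certificate
    if a["dtls_up"] and a["joins"] and desc == "Close notify":
        return "join-closed-by-controller"  # DTLS up, closed after Join Request
    return "unclassified"

def triage(text):
    return [classify(a) for a in attempts(text)]
```

A `join-closed-by-controller` result carries no reason on the AP side; the cause has to come from the controller's logs, as the last reply suggests.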

 
