Dear Community,
We are experiencing an issue with over 50 of our APs (model: AIR-AP2802E-E-K9) suddenly stopping appearing in the WLC (model: 8500 Series). These APs previously functioned correctly within our environment but are no longer showing up in the controller.
Please note the following:
- We do not have access to the APs' CLI, as the credentials are unavailable so we are unable to get some logs. We would be grateful if anyone could provide the default credentials so we can try
- These APs are located approximately 340 kilometers away from our office, so accessing the console directly is not an option.
- In terms of reachability, the Wireless LAN Controller (WLC-8500) can reach the access points (APs), with DHCP functioning correctly, and both Option 43 and DNS configurations in place.
(Cisco Controller) >ping 10.128.91.1
Send count=3, Receive count=3 from 10.128.91.1
- WLC-8500 EOL and EOS we can not open case support with Cisco
- We attempted to add APs to our new WLC 9800 as a workaround, and while they are appearing successfully, we currently do not have sufficient licenses to support the number of APs.
We would greatly appreciate any assistance or guidance in resolving this issue. Below are some relevant logs and system information for reference:
Debug Logs from WLC (debug capwap error enable)
*spamApTask3: Oct 15 16:04:42.694: [PA] 00:5d:73:e6:db:e0 Could not find image version of bundled AP(apType: 55)!!!
*spamApTask3: Oct 15 16:04:42.694: [PA] 00:5d:73:e6:db:e0 Unable to get AP Bundled Version. Using Controller Version!!!
*spamApTask6: Oct 15 16:04:42.764: [PA] 28:ac:9e:73:58:40 DTLS connection was closed
*spamApTask7: Oct 15 16:04:42.783: [PA] 28:ac:9e:73:58:40 DTLS connection was closed
u*spamApTask6: Oct 15 16:04:42.828: [PA] 28:ac:9e:73:58:40 DTLS connection was closed
*spamApTask0: Oct 15 16:04:42.846: [PA] 00:5d:73:e6:56:40 ApModel: AIR-AP2802E-E-K9
*spamApTask0: Oct 15 16:04:42.846: [PA] 00:5d:73:e6:56:40 Could not find image version of bundled AP(apType: 55)!!!
*spamApTask0: Oct 15 16:04:42.846: [PA] 00:5d:73:e6:56:40 Unable to get AP Bundled Version. Using Controller Version!!!
----------------------------------------------------------------------------------------------------------------
WLC System Information (show sysinfo)
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.3.150.0
RTOS Version..................................... 8.3.150.0
Bootloader Version............................... 7.5.102.0
Emergency Image Version.......................... 7.5.102.0
OUI File Update Time............................. Sun Sep 07 10:44:07 IST 2014
Build Type....................................... DATA + WPS
System Name...................................... SAU-AKH-DC-WLC-1
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1615
Redundancy Mode.................................. SSO
IP Address....................................... 10.98.216.10
IPv6 Address..................................... ::
System Up Time................................... 172 days 4 hrs 16 mins 1 secs
System Timezone Location.........................
System Stats Realtime Interval................... 5
--More-- or (q)uit
System Stats Normal Interval..................... 180
Configured Country............................... SA - Saudi Arabia
Operating Environment............................ Commercial (10 to 35 C)
Internal Temp Alarm Limits....................... 10 to 38 C
Internal Temperature............................. +17 C
Fan Status....................................... OK
RAID Volume Status
Drive 0.......................................... Good
Drive 1.......................................... Good
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 15
Number of Active Clients......................... 1803
OUI Classification Failure Count................. 108716591
Burned-in MAC Address............................ F8:72:EA:67:3C:80
Power Supply 1................................... Present, OK
Power Supply 2................................... Present, OK
Maximum number of APs supported.................. 6000
--More-- or (q)uit
System Nas-Id.................................... SAU-AKH-DC-WLC-1
WLC MIC Certificate Types........................ SHA1
Licensing Type................................... RTU
---------------------------------------------------------------------------------------------------------------
(Cisco Controller) >show license summary
Feature name: ap_count (base)
License type: Permanent
License state: Active, In-use
RTU License Count: 1000
Feature name: ap_count
License type: Evaluation
License Eula: Not Accepted
Evaluation total period: 12 weeks 6 days
License state: Inactive, Not-In-Use
RTU License Count: 6000
Feature name: ap_count (adder)
License type: Permanent
License state: Active, In-use
RTU License Count: 400
we also notice on our monitoring system Zabbix this below log
" WLC Device has been replaced (new serial number received)"
@jagan.chowdam @marce1000 @Flavio Miranda
Thank you for your support
The issue has been resolved
- We identify that certificate expiry issue on the WLC.
- We checked which certificate is used by WLC for establishing DTLS connection with APs and the cert was "Cisco SHA1 device cert" The certificate on the WLC was valid till 13th Aug 2024 as below:
Certificate Name: Cisco SHA1 device cert
--More-- or (q)uit
Subject Name :
C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AIR-CT8510-K9-f872ea673c80, emailAddress=support@cisco.com
Issuer Name :
O=Cisco Systems, CN=Cisco Manufacturing CA
Serial Number (Hex):
76AAC0ED000000053C77
Validity :
Start : Aug 13 15:41:13 2014 GMT
End : Aug 13 15:51:13 2024 GMT
Signature Algorithm :
sha1WithRSAEncryption
Hash key :
SHA1 Fingerprint : 2f:b2:1d:e1:97:d6:30:59:7e:8e:ed:30:aa:2c:c8:28:42:b2:2c:5a
SHA256 Fingerprint : 82:2f:d7:ba:10:3f:8b:b2:44:80:82:f4:e2:87:09:cc:c4:8c:0d:22:ee:bb:63:1d:ee:a2:88:4a:2c:28:d6:93
- We removed the NTP server and reverted the WLC time to Aug 1st, 2024.
- The APs started to join the WLC.
- We readded the NTP server. the APs were stable on the WLC, and clients connected.
- The behavior is documented for AP-COS APs in Cisco bug ID CSCvb93909 which has fix in AireOS 8.5 and later.
WLC with the issue persisting:
WLC After Resolving the issue:
