Cisco Wlc2504 failure

alfred.vesely
Level 1

Hi,

after a power loss, I often experienced that APs would not rejoin the controller due to a false date and time. However, this time the problem isn't solved by setting the correct time, and I'm getting the following error messages, with no AP joining the controller anymore:

 

*sntpMainTask: Dec 08 18:28:51.556: #OSAPI-3-MSGQ_RUNNING_HIGH: osapi_msgq.c:874 Message queue SNTP-Q is nearing full. Capacity 3 Messages 3.
*osapiBsnTimer: Dec 08 18:28:35.612: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2962 Failed to complete DTLS handshake with peer 192.168.2.6
*osapiBsnTimer: Dec 08 18:28:34.412: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2962 Failed to complete DTLS handshake with peer 192.168.2.7
*osapiBsnTimer: Dec 08 18:28:12.812: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2962 Failed to complete DTLS handshake with peer 192.168.2.4
*sntpMainTask: Dec 08 18:28:01.536: #OSAPI-3-MSGQ_RUNNING_HIGH: osapi_msgq.c:874 Message queue SNTP-Q is nearing full. Capacity 3 Messages 3.
*sntpMainTask: Dec 08 18:27:31.524: #OSAPI-3-MSGQ_RUNNING_HIGH: osapi_msgq.c:874 Message queue SNTP-Q is nearing full. Capacity 3 Messages 3.
*sntpMainTask: Dec 08 18:27:21.520: #OSAPI-3-MSGQ_RUNNING_HIGH: osapi_msgq.c:874 Message queue SNTP-Q is nearing full. Capacity 3 Messages 3.
*osapiBsnTimer: Dec 08 18:27:19.612: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2962 Failed to complete DTLS handshake with peer 192.168.2.5
*sntpMainTask: Dec 08 18:26:31.500: #OSAPI-3-MSGQ_RUNNING_HIGH: osapi_msgq.c:874 Message queue SNTP-Q is nearing full. Capacity 3 Messages 3.

Any ideas how to fix? Thank you in advance and best regards, Alfred
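A small triage script for the AireOS message format quoted above (added here as an illustration, not part of the original post or of any Cisco tool): it parses each `*task: timestamp: #FACILITY-SEV-MNEMONIC: file:line message` line, counts DTLS handshake failures per AP peer and SNTP-Q queue warnings, and flags the pattern of several distinct APs failing at once, which points at a controller-side cause (clock or certificate validity) rather than a single bad AP. The sample lines are constructed after the post's output; the field names and thresholds are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the AireOS lines quoted in the post
SAMPLE_LOG = """\
*sntpMainTask: Dec 08 18:28:51.556: #OSAPI-3-MSGQ_RUNNING_HIGH: osapi_msgq.c:874 Message queue SNTP-Q is nearing full. Capacity 3 Messages 3.
*osapiBsnTimer: Dec 08 18:28:35.612: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2962 Failed to complete DTLS handshake with peer 192.168.2.6
*osapiBsnTimer: Dec 08 18:28:34.412: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2962 Failed to complete DTLS handshake with peer 192.168.2.7
*osapiBsnTimer: Dec 08 18:28:12.812: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2962 Failed to complete DTLS handshake with peer 192.168.2.4
*osapiBsnTimer: Dec 08 18:27:19.612: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2962 Failed to complete DTLS handshake with peer 192.168.2.5
*osapiBsnTimer: Dec 08 18:26:19.612: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2962 Failed to complete DTLS handshake with peer 192.168.2.6
"""

# *task: Mon DD HH:MM:SS.mmm: #FACILITY-SEVERITY-MNEMONIC: source.c:line free text
LINE_RE = re.compile(
    r"^\*(?P<task>\w+): (?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"#(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<src>\S+:\d+) (?P<msg>.*)$"
)
PEER_RE = re.compile(r"peer (\d{1,3}(?:\.\d{1,3}){3})")


def parse_line(line):
    """Return the fields of one AireOS log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    peer = PEER_RE.search(rec["msg"])
    rec["peer"] = peer.group(1) if peer else None
    return rec


def triage(log_text, fleet_threshold=3):
    """Summarise per-peer DTLS failures and SNTP-Q warnings across a log excerpt."""
    failures = Counter()
    sntp_warnings = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["fac"] == "DTLS" and rec["mnemonic"] == "HANDSHAKE_FAILURE" and rec["peer"]:
            failures[rec["peer"]] += 1
        elif rec["fac"] == "OSAPI" and "SNTP-Q" in rec["msg"]:
            sntp_warnings += 1
    # Many different APs failing the DTLS handshake in the same window is the
    # signature of a shared cause on the controller (time, certificates),
    # not of one misconfigured AP.
    return {
        "dtls_failures": dict(failures),
        "sntp_queue_warnings": sntp_warnings,
        "suspect_clock_or_cert": len(failures) >= fleet_threshold,
    }
```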

Accepted Solution
Find a recent security advisory that affects 8.5 code and find the section which says "Customers without Contracts" then contact TAC quoting the URL of the advisory, the paragraph just mentioned and the version and URL https://software.cisco.com/download/specialrelease/9a6a7cf84f9fdf04b95c76e2ac7820e7 for the software you want to download and serial number of your WLC.  You'll have to mention which platform you need it for (2504) because they have all WLC models there at that URL.  Then TAC should publish it to you directly.

This advisory should be suitable: Cisco Wireless LAN Controller AireOS Software FIPS Mode Denial of Service Vulnerability because CSCwa40778 : Bug Search Tool (cisco.com) is fixed in 8.5.182.12. (even though the advisory itself says upgrade to 8.10)

"Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade."



@alfred.vesely what is the WLC version, and the AP model and version?

The error message "Failed to complete DTLS handshake with" can often be related to a certificate problem and, depending on the WLC and AP model/version, could be fixed by ignoring the certificate on CAPWAP tunnel establishment with the command

config ap cert-expiry-ignore mic enable

 

WLC is running 8.0.100.0, APs are 3702 and 1702, running on the same versions I guess

Can that command be set via GUI as well?

marce1000
VIP

- The SNTP-Q messages seem to be related to a bug: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf33449
  In that context, use the latest/last release for the 2504 controller: https://software.cisco.com/download/specialrelease/9a6a7cf84f9fdf04b95c76e2ac7820e7

- APs no longer joining could be due to https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html
  In this case the reverse may be applicable: for a simple test, disable NTP, set the controller back in time, reboot it and check if the APs can join. If so, the Field Notice does apply.

M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Thank you! Setting the WLC back in time helped! Unfortunately, I don't have a service contract, so I guess there will be no chance to get a working firmware?

 

@alfred.vesely wrote: I don't have a service contract, so I guess there will be no chance to get a working firmware?

No, unfortunately not; if the controller is on 8.3 and above, the workaround for expired certificates mentioned by @Flavio Miranda can be used:

config ap cert-expiry-ignore mic enable
config ap cert-expiry-ignore ssc enable

(ignore the font and colors change; apparently due to some cut and pasting from the FN)
But you won't have a fix for the bug.

Since the AireOS platforms are getting EOL, using the last/latest release would have been better, because there is no support any more from Cisco after that release.
You may also start looking into the 9800 platform(s); you can download and deploy the virtual controller for free for testing and to get familiar with the platform. For use, APs must be licensed (not the 9800 VM).

 M.

Sorry for that question, but do you think it would be a good option to use a 3802 in mobility express as a controller as alternative to the 2504?

 

- Since it stays on the same older technology (Mobility Express) I am not in favor of it; you must also be able to download software for it, if needed.
  Also always check compatibility using https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html when switching platforms.

  For the time being I would stick with the 2504 (with time set backwards); the SNTP-Q error is probably not that important,
  until a migration to 9800 controller(s) becomes possible.

 M.

Somehow sad, I really liked the WLC family. Changing to the 9800 family doesn't make sense for a 7-AP environment for me, so sadly I will replace the system with another manufacturer's.


Did you face the issue of APs joining the WLC before?

I think you previously used the workaround for cert expiry by changing the date to be a few years older, and now, since the WLC uses the correct date, the WLC detects the cert expiry and the APs cannot join the WLC.

MHM
