Cisco AP 2602 does not join wireless controller

noelciscoman (Level 1)

I have a Cisco 2602i that will not join a Cisco 5508 WLC.

When I watch the AP start up from the console I see these messages:

*Jun 13 16:55:09.999: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jun 13 16:54:05.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.0.65 peer_port: 5246
*Jun 13 16:54:05.007: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 567A9C8300000000EBB9) has expired. Validity period ended on 14:43:58 UTC Jun 21 2022Peer certificate verification failed 001A

*Jun 13 16:54:05.007: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Jun 13 16:54:05.007: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:467 Certificate verified failed!
*Jun 13 16:54:05.007: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.10.0.65:5246
*Jun 13 16:54:05.007: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.0.65:5246

On the controller we see:  

*spamApTask7: Jun 13 14:50:26.832: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:955 Failed to complete DTLS handshake with peer 10.10.0.97

 

10.10.0.65 is the controller and 10.10.0.97 is the AP.

 

We have applied the config to allow APs with expired certs:

config ap cert-expiry-ignore ssc enable
config ap cert-expiry-ignore mic enable

And we do have APs with expired certs that are joining the controller without issue.

I don't understand why the 2602 is not joining the controller.

Any help would be appreciated.

Accepted Solution

Nothing to do with setting the time resolved the issue of the 2602 not being able to join. However, converting the AP to autonomous from lightweight, and then back again to lightweight, did resolve the issue, and it joined the controller without a problem after that.

5 Replies

noelciscoman (Level 1)

I should mention that this is the only AP that is not joining the controller. We have a mix of 1140s, 2600s, and 2700s, and all are joined except this problem 2602i.

Software version on the controller is 8.3.150.0.

You can try a factory reset of that AP (hold down the reset button for 20-30s while powering on the AP). Once it boots, you can point it to the WLC using "capwap ap primary-base <WLC_NAME> <WLC_MGT_IP>".

Even though you are not hitting the issue below, please note that if you upgrade your 5508 you will come across this issue.
https://www.cisco.com/c/en/us/support/docs/field-notices/725/fn72524.html 

HTH
Rasika
*** Pls rate all useful responses ***

Leo Laohoo (Hall of Fame)

Turn off NTP and set the year of the WLC to 2022.

Rich R (VIP)

Exactly as @Leo Laohoo said - you need to change the date to before the cert expired.
Then the AP can join the WLC and only then will it pick up the cert-expiry-ignore config from the WLC.
After that you can re-enable NTP on the WLC and the AP will keep working.  If you factory default the config as Rasika suggested then it will lose that config and you'd need to follow the same process again.

These steps are detailed in FN-63942 below.
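As an added example (not code from the thread or from Cisco), here is a small Python script that applies the diagnosis in this thread to AP console output. It pulls the certificate serial number and expiry out of the %PKI-3-CERTIFICATE_INVALID_EXPIRED line (the sample input is the AP log from the original post, pasted in as a string), notes which DTLS peer the AP was talking to, and, given the WLC's current clock, reports whether the time-rollback workaround described by Leo Laohoo and Rich R applies and what clock value to set. The 2023 WLC clock used in the demo (the controller log in the post carries no year) and the one-day margin before expiry are assumptions of the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the AP console lines quoted in the original post,
# pasted here as a string so the script runs offline.
AP_CONSOLE_LOG = """\
*Jun 13 16:55:09.999: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jun 13 16:54:05.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.0.65 peer_port: 5246
*Jun 13 16:54:05.007: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 567A9C8300000000EBB9) has expired. Validity period ended on 14:43:58 UTC Jun 21 2022Peer certificate verification failed 001A
*Jun 13 16:54:05.007: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Jun 13 16:54:05.007: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.10.0.65:5246
"""

# The expiry message has the next message fused onto it ("...Jun 21 2022Peer certificate..."),
# so the pattern stops at the four-digit year instead of relying on a line end.
EXPIRED_RE = re.compile(
    r"%PKI-3-CERTIFICATE_INVALID_EXPIRED:.*?\(SN: (?P<sn>[0-9A-Fa-f]+)\).*?"
    r"Validity period ended on (?P<when>\d{2}:\d{2}:\d{2} UTC [A-Za-z]{3} \d{1,2} \d{4})"
)
DTLS_PEER_RE = re.compile(
    r"%CAPWAP-5-DTLSREQSEND:.*?peer_ip: (?P<ip>[\d.]+) peer_port: (?P<port>\d+)"
)


def parse_expired_cert_failures(log_text):
    """Scan AP console output and return one record per expired-certificate
    chain failure: serial number, expiry as an ISO-8601 UTC string, and the
    DTLS peer (the WLC address) most recently seen before the failure."""
    peer = None
    findings = []
    for line in log_text.splitlines():
        m = DTLS_PEER_RE.search(line)
        if m:
            peer = "%s:%s" % (m.group("ip"), m.group("port"))
            continue
        m = EXPIRED_RE.search(line)
        if m:
            expires = datetime.strptime(m.group("when"), "%H:%M:%S UTC %b %d %Y")
            expires = expires.replace(tzinfo=timezone.utc)
            findings.append({
                "sn": m.group("sn").upper(),
                "expires": expires.isoformat(),
                "peer": peer,
            })
    return findings


def time_rollback_advice(finding, wlc_now_iso):
    """Apply the workaround from the thread: if the WLC clock is already past
    the certificate's expiry the DTLS handshake fails, and the fix is to
    disable NTP and set the WLC clock back inside the validity period until
    the AP has joined and received the cert-expiry-ignore setting.
    The one-day margin before expiry is this example's choice (assumption)."""
    expires = datetime.fromisoformat(finding["expires"])
    now = datetime.fromisoformat(wlc_now_iso)
    if now < expires:
        return {"expired_at_wlc_clock": False, "rollback_to": None}
    return {
        "expired_at_wlc_clock": True,
        "rollback_to": (expires - timedelta(days=1)).isoformat(),
    }


if __name__ == "__main__":
    # Constructed WLC clock for the demo: the controller log in the post has
    # no year, so 2023 is assumed here.
    for f in parse_expired_cert_failures(AP_CONSOLE_LOG):
        advice = time_rollback_advice(f, "2023-06-13T14:50:26+00:00")
        print(f["sn"], f["expires"], f["peer"], advice)
```

Run it against a captured console session of any AP that fails to join; a serial number and expiry in the output with `expired_at_wlc_clock` set means the cert-expiry-ignore configuration on the WLC has not reached that AP yet, which is exactly the state the time-rollback step is meant to get past.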

