How to add AIR-AP1832I-A-K9 to WLC --- Version 8.3.133.0

JonRedn11
Level 1

Hi,

I'm trying to add but I can't do it. I have a message in the WLC:

%CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c: Failed to create DTLS connection for AP

I tried with the command in the AP without result: capwap ap erase all

In the WLC I have the correct time.

Thanks in advance!

Thxs.

1 ACCEPTED SOLUTION

Hi @JonRedn11 

Can you share the complete boot process?

I hope this information was useful; if you have no further questions, remember to close the topic by selecting the answer as "Correct answer".
**Please rate the answer if this information was useful**
**Please mark this answer as correct if the information was useful**

14 REPLIES

Hi @Daniel Ordóñez Flores,

I'll do that. In the meantime, could you please take a look at these logs:

 

WLC's log

*spamApTask3: Sep 08 18:14:44.355: %CAPWAP-3-DTLS_DB_ERR: capwap_ac_sm.c:9442 Failed to create DTLS connection for AP's IP (5256).

AP's log

Sep 8 21:07:56 kernel: [*09/08/2023 21:07:56.0000] CAPWAP State: DTLS Setup
Sep 8 21:08:53 kernel: [*09/08/2023 21:08:53.0222] dtls_disconnect: ERROR shutting down dtls connection ...
Sep 8 21:08:53 kernel: [*09/08/2023 21:08:53.0222]
Sep 8 21:08:53 kernel: [*09/08/2023 21:08:53.0222]
Sep 8 21:08:53 kernel: [*09/08/2023 21:08:53.0222] CAPWAP State: DTLS Teardown
Sep 8 21:07:56 kernel: [*09/08/2023 21:08:57.7807] No more AP manager addresses remain..
Sep 8 21:07:56 kernel: [*09/08/2023 21:08:57.7807] No valid AP manager found for controller 'MyWLC_CISCO' (ip: ...)
Sep 8 21:07:56 kernel: [*09/08/2023 21:08:57.7807] Failed to join controller MyWLC_CISCO.
Sep 8 21:07:56 kernel: [*09/08/2023 21:08:57.7807] Failed to join controller.
Sep 8 21:07:56 kernel: [*09/08/2023 21:07:56.0000]
Sep 8 21:07:56 kernel: [*09/08/2023 21:07:56.0000] CAPWAP State: DTLS Setup
Sep 8 21:08:53 kernel: [*09/08/2023 21:08:53.0222] dtls_disconnect: ERROR shutting down dtls connection ...
Sep 8 21:08:53 kernel: [*09/08/2023 21:08:53.0222]
Sep 8 21:08:53 kernel: [*09/08/2023 21:08:53.0222]
Sep 8 21:08:53 kernel: [*09/08/2023 21:08:53.0222] CAPWAP State: DTLS Teardown
Sep 8 21:08:54 FIPS[17413]: *** shell: FIPS Mode = disabled ***
Sep 8 21:08:57 kernel: [*09/08/2023 21:08:57.7807]
Sep 8 21:08:57 kernel: [*09/08/2023 21:08:57.7807] CAPWAP State: Discovery
Sep 8 21:08:57 kernel: [*09/08/2023 21:08:57.7807] Discovery Request sent to ..., discovery type STATIC_CONFIG(1)
Sep 8 21:08:57 kernel: [*09/08/2023 21:08:57.7907] Discovery Request sent to ..., discovery type STATIC_CONFIG(1)
Sep 8 21:08:57 kernel: [*09/08/2023 21:08:57.7907] Discovery Request sent to ..., discovery type STATIC_CONFIG(1)
Sep 8 21:08:57 kernel: [*09/08/2023 21:08:57.7907] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
Sep 8 21:08:57 kernel: [*09/08/2023 21:08:57.7907] Discovery Response from ...
Sep 8 21:10:09 kernel: [*09/08/2023 21:10:09.0000] Discovery Response from ...
Sep 8 21:10:09 kernel: [*09/08/2023 21:10:09.0000]
Sep 8 21:10:09 kernel: [*09/08/2023 21:10:09.0000] CAPWAP State: DTLS Setup

I'll write soon.

Best regards.

Jo

 

 

Hi again @JonRedn11 

What version does the WLC have?

Hi @JPavonM 

You need to update the 1832I with one of these versions:

  • 15.3(3)JD11
  • 15.3(3)JDA11

https://software.cisco.com/download/home/286288035/type/286288051/release/15.3.3-JD11?i=!pp

Lastly, be sure that you're using a valid country code in your WLC for -A RF Domain

Hi @Daniel Ordóñez Flores

Ok, I'll try to do this update in the ap and I'll share the result.

Thanks.


@Daniel Ordóñez Flores wrote:

Hi @JPavonM 

You need to update the 1832I with one of these versions:

  • 15.3(3)JD11
  • 15.3(3)JDA11

https://software.cisco.com/download/home/286288035/type/286288051/release/15.3.3-JD11?i=!pp

Lastly, be sure that you're using a valid country code in your WLC for -A RF Domain




 

Great, I will be aware of it

JPavonM
VIP

The certificate of the AP may be expired, check this https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html

Hi @JPavonM ,

In fact, the certificate was expired on the WLC side, but I had done these steps without results:

- Disable Network Time Protocol (NTP).
- Change the WLC clock time to a recent earlier time when the certificates were still valid. If you set the clock back too far, newer APs might not be able to join.
- Enter the config ap cert-expiry-ignore {mic|ssc} enable command.

WLC side:

----------------------------

Certificate Name: Cisco SHA1 device cert

--More-- or (q)uit

Subject Name :
C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AIR-CT2504-K9-7c69f655d720, emailAddress=support@cisco.com
Issuer Name :
O=Cisco Systems, CN=Cisco Manufacturing CA
Serial Number (Hex):
2C1988680000003B0137
Validity :
Start : Aug 30 03:07:58 2013 GMT
End : Aug 30 03:17:58 2023 GMT
Signature Algorithm :
sha1WithRSAEncryption
Hash key :
SHA1 Fingerprint : d6:06:39:cb:2a:24:6b:ba:24:f6:be:b0:4c:4d:58:7a:b2:22:0a:63
SHA256 Fingerprint : 4e:bc:84:df:60:eb:db:6f:e9:40:78:68:78:7e:8a:aa:60:30:9e:92:f0:8c:65:df:21:58:27:95:54:61:30:37

----------------------------

AP side:

SHA1:
----------------------------- Device Certificate -----------------------------
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1f:56:7f:7f:00:00:00:0d:04:5b
Signature Algorithm: sha1WithRSAEncryption
Issuer: O=Cisco Systems, CN=Cisco Manufacturing CA
Validity
Not Before: Nov 3 08:24:32 2016 GMT
Not After : Nov 3 08:34:32 2026 GMT
Subject: C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AP1G4-D42C 44D81D08/emailAddress=support@cisco.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
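
The expiry check and the clock-rollback workaround discussed in this thread can be worked through with the validity lines posted above. This is an added example, not part of any participant's post and not Cisco tooling; the function names are hypothetical, and treating the AP log timestamp as UTC is an assumption.

```python
import re
from datetime import datetime, timezone

# Validity lines copied from the two certificate dumps in the post above.
WLC_CERT = """Validity :
Start : Aug 30 03:07:58 2013 GMT
End : Aug 30 03:17:58 2023 GMT"""
AP_CERT = """Validity
Not Before: Nov 3 08:24:32 2016 GMT
Not After : Nov 3 08:34:32 2026 GMT"""

# Accepts both layouts: "Start/End" (WLC) and "Not Before/Not After" (AP).
FIELD = re.compile(r"^\s*(Start|End|Not Before|Not After)\s*:\s*"
                   r"(\w{3}\s+\d{1,2}\s+[\d:]{8}\s+\d{4})\s+GMT\s*$", re.M)
KEY = {"Start": "not_before", "Not Before": "not_before",
       "End": "not_after", "Not After": "not_after"}

def parse_validity(text):
    """Return {'not_before': dt, 'not_after': dt} in UTC from CLI output."""
    out = {}
    for label, stamp in FIELD.findall(text):
        dt = datetime.strptime(" ".join(stamp.split()), "%b %d %H:%M:%S %Y")
        out[KEY[label]] = dt.replace(tzinfo=timezone.utc)
    if len(out) != 2:
        raise ValueError("validity window not found")
    return out

def status_at(window, when):
    """Classify a certificate at a given instant."""
    if when < window["not_before"]:
        return "not-yet-valid"
    return "expired" if when > window["not_after"] else "valid"

def common_window(windows):
    """Interval in which every certificate is valid, or None if disjoint."""
    start = max(w["not_before"] for w in windows)
    end = min(w["not_after"] for w in windows)
    return (start, end) if start <= end else None

if __name__ == "__main__":
    # Join failure time from the AP log; treating it as UTC is an assumption.
    failure = datetime(2023, 9, 8, 21, 7, 56, tzinfo=timezone.utc)
    wlc, ap = parse_validity(WLC_CERT), parse_validity(AP_CERT)
    print("WLC:", status_at(wlc, failure), "| AP:", status_at(ap, failure))
    start, end = common_window([wlc, ap])
    print("Clock must sit between", start, "and", end, "for both to validate")
```

The lower bound of the common window is the AP certificate's Not Before date, which is why setting the controller clock back too far stops newer APs from joining.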

JPavonM
VIP

@JPavonM, Wow! It's a little difficult but I'll try to do it. Is it the only way to fix the problem?

Anyway, could you please tell me how to do this? Which software can I get from this link https://software.cisco.com/download/specialrelease/2702eede2b47a5c3bb40795bbe836af6

Thxs.

JPavonM
VIP

Yes, this is the solution to your problem where the WLC's certificate is expired, see the Field Note:

[Attached image: JPavonM_0-1694528299570.png]

It does depend on the WLC model you have, but if you're using a CT2504 check the Advisory to upgrade the FUS (https://software.cisco.com/download/home/283848165/type/284364857/release/2.0.0.0).

I would recommend you to go to 8.10 as this is still supported by Cisco TAC.

@JPavonM,  I have a model 2504 (image attached). So, can I use this update too, right?

https://software.cisco.com/download/home/283848165/type/284364857/release/2.0.0.0

BTW, I have some other models added to the WLC, e.g.: AIR-LAP1041N-A-K9, AIR-LAP1142N-A-K9... after the update, these devices will still work, right?

Thanks a lot! 

JPavonM
VIP

Here you can check the compatibility matrix, and the problem is that those LAP1041 went EOS after 8.3 so they won't work anymore (https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html#aireos-ctr_ap_support).

It seems to me this is the right time to move forward and replace those legacy Wi-Fi 4 APs.

If this is not an option due to budget restrictions, then you can deploy a virtual WLC and split the APs between physical one (Wi-Fi 5 APs) and virtual one (legacy Wi-Fi 4 APs).

For WLC2504 you need to install FUS software first, and then the new AireOS 8.5 software.

Here is the link to get the vWLC (https://software.cisco.com/download/home/284464214/type/280926587/release/8.10.185.0), you can download the "Cisco Wireless LAN Small Scale Virtual Controller Installation with 60 day evaluation license." (AIR_CTVM-K9_8_10_185_0.ova) and then move some licenses between them.

This is the Deployment Guide for the virtual WLC (https://www.cisco.com/c/en/us/td/docs/wireless/technology/mesh/8-2/b_Virtual_Wireless_LAN_Controller_Deployment_Guide_8-2.html).