Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9248
Views
37
Helpful
17
Replies

Inter-Release Controller Mobility (IRCM) with 5508 Fail : Control Path Down

Go to solution
Bill lo
Level 1
Level 1

‎01-16-2021 05:05 AM - edited ‎07-05-2021 01:01 PM

Hi  all

Device info as below:

WLC-5508 controller running  8.5.164.216 

WLC-9800 controller running  17.3.2a

 

The situation:

After config the mobility setting ;  the status displayed is :Control Path Down

From the WLC-9800 show logg  , found that the WLC-5508's MIC is expired:

 

Jan 16 12:40:22.264: %DTLS_TRACE_MSG-3-WLC_DTLS_ERR: Chassis 2 R0/0: mobilityd: DTLS Error, session:10.36.197.177[16666], Certificate validation failed
Jan 16 12:40:52.263: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 16D8553C000000119DEC) has expired. Validity period ended on 2020-11-23T17:58:29Z
Jan 16 12:40:52.265: %CERT_MGR_ERRMSG-3-CERT_VALIDATION_ERR: Chassis 2 R0/0: mobilityd: Certificate Validation Error, Cert validation status:pki_ssl_status@pki_ssl_status:PKI_SSL_ERROR

 

Is there any  way to let WLC-9800 ignore  the MIC expired ?

I have already excute the  command on the WLC-5508 : config ap cert-expiry-ignore mic  enable

 

--------------------------------------------------------------------------

Other  information:

WLC-5508

(TPE-WLC-5508-6) >show mobility summary encryption

Mobility Number of Mobility members configure.... 2
MAC Address               IP Address        Group Name   Secure   Data Encryption    Status
1c:df:0f:c7:02:c0       10.36.197.177      Foxconn-RF   N/A         N/A                  Up
4c:e1:75:02:32:eb     10.5.100.9           Cisco             Enabled   Disabled            Control Path Down

(TPE-WLC-5508-6) >show mobility summary

Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... Foxconn-RF
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0xd58a
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 48

Controllers configured in the Mobility Group
MAC Address         IP Address            Group Name    Multicast IP       Status
1c:df:0f:c7:02:c0    10.36.197.177     Foxconn-RF      0.0.0.0              Up
4c:e1:75:02:32:eb  10.5.100.9          Cisco                 0.0.0.0             Control Path Down

 

 

WLC-9800

WLC01-C9800-40#show wireless management trustpoint
Trustpoint Name : CISCO_IDEVID_SUDI
Certificate Info : Available
Certificate Type : MIC
Certificate Hash : 585d9f405a1cf79f7c5cf752a1eb0bec33874d1f
Private key Info : Available
FIPS suitability : Not Applicable

!

WLC01-C9800-40#show wireless mobilit summary
Mobility Summary

Wireless Management VLAN: 100
Wireless Management IP Address: 10.5.100.9
Wireless Management IPv6 Address:
Mobility Control Message DSCP Value: 48
Mobility Keepalive Interval/Count: 10/3
Mobility Group Name: Cisco
Mobility Multicast Ipv4 address: 0.0.0.0
Mobility Multicast Ipv6 address: ::
Mobility MAC Address: 4ce1.7502.32eb
Mobility Domain Identifier: 0xdc29

Controllers configured in the Mobility Domain:

IP                      Public Ip            MAC Address               Group Name      Multicast IPv4    Multicast IPv6      Status     PMTU
------------------ ------------------------------------------------------------------------------
10.5.100.9         N/A                   4ce1.7502.32eb         Cisco                 0.0.0.0              ::                              N/A       N/A
10.36.197.177  10.36.197.177   1cdf.0fc7.02c0           Foxconn-RF       0.0.0.0              ::             Control Path Down  1385

 

0 Helpful
17 Replies 17

Go to solution
Rich R
VIP
VIP
In response to sumithliyanage

‎12-14-2023 07:27 AM

What version of software on 5508?
What version of software on 9800?

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful

Go to solution
sumithliyanage
Level 1
Level 1
In response to sumithliyanage

‎12-14-2023 07:36 AM

C9800 - 17.6.4

C5508- 8.3.143.0

0 Helpful

Go to solution
Rich R
VIP
VIP
In response to sumithliyanage

‎12-14-2023 08:06 AM

Upgrade 9800 as per TAC recommended link below - currently 17.9.4 + SMU_CSCwh87343 + APSP (as needed) OR 17.9.4a + APSP(as needed) for all deployments.

8.3.143.0 does not support IRCM with 9800!  Upgrade to 8.5.182.108 and check the compatibility matrix (below) for AP compatibility.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card