Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
3763
Views
17
Helpful
11
Replies

Issue with moving AP from 5508 WLC to 9800-l

ivickery
Level 1
Level 1

‎08-17-2020 06:31 PM - edited ‎07-05-2021 12:24 PM

Hi all,

 

I have a WLC 5508 controller running 8.5.140.0 and I am trying to move the access points off this controller to a 9800-l running ios-xe 16.12.3

 

When I move an AP from the 5508 to the 9800 it will not join.

I have checked the other posts with similar issues and I have enabled data encryption on the AP and on the 9800-L controller as per the documentation. but this didn't solve the issue.

 

In the packet capture on the 9800 I can see the

1. discover request and response

2. Client Hello and response

3. Client Key exchange followed by the change cipher from the controller with everything set to use DTLS 1.0

4. AP sends a capwap join request 

5. the WLC responds with a encrypted alert message. 

6 the ap tries to send data but the WLC does not respond.

 

within the packet capture taken of the join request I can see the mac address of the of the ap (WTP Board data Base MAC Address) This address is on the 9800.

 

At this stage I am stuck, as there is nothing in the 9800-l logs to prevent it from joining.

I will be very grateful for some assistance on the issue.

 

Ian Vickery

 

 

0 Helpful
11 Replies 11

Scott Fella
Hall of Fame
Hall of Fame

‎08-17-2020 08:04 PM

Is your AP’s supported on the IOS-XE code? You didn’t mention what ap(s) you have. Also, DTLS is not required, mobility is not required if you are moving AP’s to the 9800. It’s the same as AireOS. Make sure you have the time, country code defined and make sure the aps are supported.
-Scott
*** Please rate helpful posts ***

ivickery
Level 1
Level 1
In response to Scott Fella

‎08-18-2020 02:44 PM

The Access points are 2800.

I have used a brand new unit and it connected successfully to the 9800 controller

I failed this to the 5800, and the AP associated fine.

I then went to reassociate the same ap back to the 9800 but will not join.

 

I have check the date and time settings and they are correct and in sync.

 

Do you have any other suggestions?

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to ivickery

‎08-18-2020 06:32 PM

Factory reset the ap. Hold the mode button and power up the ap. Hold the mode button for >20 seconds. The led will flash red then release. Try that.
-Scott
*** Please rate helpful posts ***
0 Helpful

ivickery
Level 1
Level 1
In response to Scott Fella

‎08-18-2020 06:42 PM

since it is in a remote location  I have done a factory reset via the CLI

I haven't tried it with the mode button.

 

In the packet captures taken it discovers the WLC authenticates sends the join message, and receives an encrypted alert back from the WLC.

 

I do notice the CAPwap tunnel is using TLS1.0  but when connected to the 5508 it is using TLS1.2

 

Regards

Ian Vickery 

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to ivickery

‎08-18-2020 06:56 PM

It would of been better to test locally first to make sure things work. I have a 4802 not a 2800 and I had no issue. Again, could just be something with the 2800. Have you opened a TAC case? I know folks were having a lot of issues with the 2800/3800.
-Scott
*** Please rate helpful posts ***

ivickery
Level 1
Level 1
In response to Scott Fella

‎08-18-2020 07:40 PM

Yes I have now opened a TAC case. 

We will post the solution here. when I get a response.

0 Helpful

Arshad Safrulla
VIP Alumni
VIP Alumni
In response to ivickery

‎08-19-2020 08:09 AM

Can you post show certificate all from 5508 controller?

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla
0 Helpful

Rich R
VIP
VIP
In response to Arshad Safrulla

‎08-20-2020 04:55 AM

I can't find the details right now but I seem to recall that the AP needs to be running a very recent AireOS image before it can join to 9800 so upgrade the AP to 8.10.130.0 then try to join to 9800. You obviously can't upgrade the 5508 to that so you may need to download the image directly to the AP or setup a virtual WLC for the purpose of the transition.
------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Rahul Pawar
Level 1
Level 1
In response to Rich R

‎06-07-2023 03:04 AM

Hi,

Is this the only solution. Because I am also having a similar scenario. Wherein my customer has 2800/3800 series AP and 5508 WLC. Not the 5508 is running on 8.5.171.0 code which refers to 15.3(3)JF14 IOS version on AP and if I check the wireless compatibility matrix then I need to have 15.3.(3)JPJ10 IOS version on the AP to get the AP connected to C9800 WLC. So its obvious that to get the AP to 15.3(3)JPJ10 I need to also upgrade 5508 WLC which is not possible since the last code support for 5508 WLC is 8.5.182.0 which refers to 15.3(3)JF15. which will not help in the migration. So how can we upgrade only the IOS version of the AP that too in bulk option. Because the AP count is very high. Doing it one by one would take a lot of time.  

0 Helpful

Rasika Nayanajith
VIP Alumni
VIP Alumni
In response to Rahul Pawar

‎06-07-2023 02:07 PM

Hi Rahul,

I would suggest your 9800 to be on 17.9.3 code and test moving one AP across to test & see how it goes. I would not expect major issues

HTH
Rasika

Rahul Pawar
Level 1
Level 1

‎06-09-2023 02:45 AM

Thanks Rasika. Your input helps. Also I did found one article wherein it is mentioned we can do pre download image on the AP using the WLANPoller tool. Not sure of this tool. Have not heard or used this before. Below is the link.

https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/217908-migrate-from-aireos-wlc-to-catalyst-9800.html

Review Cisco Networking for a $25 gift card
Top