11-12-2020 07:50 PM - edited 07-05-2021 12:47 PM
Hi, I use an old AP to learn and practice wireless, but the AP1142 cannot join the WLC 4400. From the log message, we can see the certificate failed. Is it possible to update the certificate to get around this? Thank you.
11-12-2020 08:36 PM
11-13-2020 07:37 AM
Thank you very much for your reply.
I tried several ways based on the link. They do not work, but something like "certificate failed ..." no longer shows up in the logging. Please see below. I do not know why I still cannot see the AP join after I tried changing the system time to a different year. Can you please see what is going on? Thank you very much.
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.252.0
RTOS Version..................................... 7.0.252.0
Bootloader Version............................... 4.0.217.0
Emergency Image Version.......................... N/A
Build Type....................................... DATA + WPS
System Name...................................... Cisco_68:ca:03
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.14179.1.1.4.3
IP Address....................................... 10.0.100.34
System Up Time................................... 0 days 0 hrs 49 mins 3 secs
System Timezone Location.........................
Configured Country............................... US - United States
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +39 C
*Nov 1 00:28:13.001: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for 2.2.2.2 is reached.
*Nov 1 00:28:43.050: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 2.2.2.2:5246
*Nov 1 00:27:43.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 2.2.2.2 peer_port: 5246
*Nov 1 00:28:13.000: DTLS_CLIENT_ERROR: ../dtls/dtls_connection_db.c:2017 Max retransmission count reached!
*Nov 1 00:28:13.000: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for 2.2.2.2 is reached.
*Nov 1 00:28:43.049: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 2.2.2.2:5246
*Nov 1 00:27:43.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 2.2.2.2 peer_port: 5246
*Nov 1 00:28:13.000: DTLS_CLIENT_ERROR: ../dtls/dtls_connection_db.c:2017 Max retransmission count reached!
*Nov 1 00:28:13.000: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for 2.2.2.2 is reached.
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Nov 1 00:28:43.050: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 2.2.2.2:5246
*Nov 1 00:28:43.102: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Nov 1 00:28:43.102: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Nov 1 00:28:43.126: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Nov 1 00:28:43.126: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Nov 1 00:28:44.125: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Nov 1 00:28:44.125: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Nov 1 00:28:44.279: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Nov 1 00:28:44.299: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
*Nov 1 00:28:44.312: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Nov 1 00:28:44.324: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Nov 1 00:28:44.338: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
*Nov 1 00:28:45.312: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Nov 1 00:28:45.338: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Nov 1 00:28:53.299: status of voice_diag_test from WLC is false
*Aug 1 00:27:47.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 2.2.2.2 peer_port: 5246
*Aug 1 00:27:47.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Aug 1 00:28:16.999: DTLS_CLIENT_ERROR: ../dtls/dtls_connection_db.c:2017 Max retransmission count reached!
*Aug 1 00:28:16.999: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for 2.2.2.2 is reached.
*Aug 1 00:28:47.050: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 2.2.2.2:5246
*Aug 1 00:27:47.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 2.2.2.2 peer_port: 5246
*Aug 1 00:28:17.000: DTLS_CLIENT_ERROR: ../dtls/dtls_connection_db.c:2017 Max retransmission count reached!
*Aug 1 00:28:17.000: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for 2.2.2.2 is reached.
11-13-2020 09:48 AM
11-15-2020 04:18 AM
Like Scott said, if you use end-of-life equipment you must be prepared to hack your way around the bugs yourself. Also read https://community.cisco.com/t5/wireless-mobility-documents/lightweight-ap-fail-to-create-capwap-lwapp-connection-due-to/ta-p/3155111
If you follow the field notice fully (remembering that both your AP *and* WLC certs have probably expired) then it should work. If it doesn't, then you'll just have to work it out with debugs and troubleshooting. You can get second-hand equipment that's more up to date relatively cheaply, so you should give that serious consideration versus the time and effort you're wasting on end-of-life/end-of-support kit.
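Added example (not part of the thread, and not Cisco code): a small Python parser that pairs each DTLS connection request in the AP console output with what followed it, so a handshake that simply times out can be told apart from one rejected over a certificate. The sample lines are copied from the log posted above; treating any message that contains "certificate" as a certificate error is an assumption, since the thread does not quote that message in full.

```python
import re
from datetime import datetime

# Lines copied from the AP console output posted in this thread.
SAMPLE = """\
*Nov 1 00:27:43.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 2.2.2.2 peer_port: 5246
*Nov 1 00:28:13.000: DTLS_CLIENT_ERROR: ../dtls/dtls_connection_db.c:2017 Max retransmission count reached!
*Nov 1 00:28:13.000: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for 2.2.2.2 is reached.
*Nov 1 00:28:43.049: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 2.2.2.2:5246
*Nov 1 00:28:43.102: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Aug 1 00:27:47.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 2.2.2.2 peer_port: 5246
*Aug 1 00:28:16.999: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for 2.2.2.2 is reached.
"""

LINE = re.compile(r"^\*(\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d{3}): (.*)$")
REQ = re.compile(r"%CAPWAP-5-DTLSREQSEND: .*peer_ip: (\S+) peer_port: (\d+)")

def parse_ts(text):
    # The AP prints no year; pin a leap year so any month/day parses.
    return datetime.strptime("2000 " + text, "%Y %b %d %H:%M:%S.%f")

def join_attempts(log_text):
    """Return one dict per DTLS connection request, with its outcome."""
    attempts, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a timestamped log line (e.g. CLI output)
        ts, msg = parse_ts(m.group(1)), m.group(2)
        req = REQ.search(msg)
        if req:
            current = {"peer": req.group(1), "port": int(req.group(2)),
                       "start": ts, "outcome": "pending", "waited_s": None}
            attempts.append(current)
        elif current is None:
            continue  # message seen before any connection request
        elif "certificate" in msg.lower():
            # Assumption: certificate failures mention the word "certificate".
            current["outcome"] = "certificate-error"
        elif ("%DTLS-3-HANDSHAKE_RETRANSMIT" in msg
              and current["outcome"] == "pending"):
            current["outcome"] = "handshake-timeout"
            current["waited_s"] = round((ts - current["start"]).total_seconds())
    return attempts

if __name__ == "__main__":
    for a in join_attempts(SAMPLE):
        print(a["start"].strftime("%b %d %H:%M:%S"), a["peer"], a["outcome"], a["waited_s"])
```

On the sample lines, both attempts come out as `handshake-timeout` after about 30 seconds, with no certificate message in between.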