Network rebooted now AP's will not join controller

Martin
Level 1

Hi,

I have 3802i APs and a 2504 controller running 8.5.161.0.

My network rebooted. The controller came back up fine, the NTP is set and I have checked the clock and set it to the correct time, but none of the APs are joining the controller. It was all working fine before the reboot.

 

I have consoled into an AP and here is the failure message:

[*05/07/2022 08:39:43.0000] CAPWAP State: DTLS Setup
[*05/07/2022 08:39:43.0005] dtls_connectionDB_add_connection: Number of DTLS connections exceeded two
[*05/07/2022 08:39:43.6896] display_verify_cert_status: Verify Cert: FAILED at 0 depth: certificate has expired
[*05/07/2022 08:39:43.6903] dtls_verify_con_cert: Controller certificate verification error
[*05/07/2022 08:39:43.6903] dtls_process_packet: Controller certificate verification failed
[*05/07/2022 08:39:43.6907] sendPacketToDtls: DTLS: Closing connection 0x1b91a00.
[*05/07/2022 08:39:43.6908] Restarting CAPWAP State Machine.

1 Accepted Solution


 - Don't go into the wild; take actions only when the problem mentioned in the link is verified. You may try on the controller:

         (Cisco Controller) >config ap cert-expiry-ignore mic enable
         (Cisco Controller) >config ap cert-expiry-ignore ssc enable

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

8 Replies

marce1000
VIP

 

 - Are you affected by (please check): https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html ?

 M.




My software version is on there, but I can't get new software; I don't have the access on my CCO account.

 

 - Sorry, the latter could be a show stopper; it is always advisable to have access to software (updates) for business environments. Anyway, for the current issue: also issue show logging on the controller and check what happens there when an AP cannot join. Also note these bug reports: https://bst.cloudapps.cisco.com/bugsearch?pf=prdNm&kw=dtls_connectionDB_add_connection&bt=custV&sb=anfr

 M.

 




Martin
Level 1

I changed the date as recommended by that link but now I get this:

[*05/07/2015 09:33:20.0001] CAPWAP State: DTLS Setup
[*05/07/2015 09:33:20.0005] dtls_connectionDB_add_connection: Number of DTLS connections exceeded two
[*05/07/2015 09:33:20.6790] dtls_process_packet: DTLS Error: 1046
[*05/07/2015 09:33:20.6790] dtls_process_packet: The controller shut down the DTLS connection.
[*05/07/2015 09:33:20.6790] dtls_process_packet: Please verify that the AP certificate is valid and has not expired.
[*05/07/2015 09:34:17.0161] dtls_disconnect: ERROR shutting down dtls connection ...

 

 - Don't go into the wild; take actions only when the problem mentioned in the link is verified. You may try on the controller:

         (Cisco Controller) >config ap cert-expiry-ignore mic enable
         (Cisco Controller) >config ap cert-expiry-ignore ssc enable

 M.




OK thanks, I have it working, but I would like to upgrade the software so it's done properly. I have seen in the past that if there is a major bug then Cisco will supply the software for free; I just can't remember the page we go to for that.

 

 - If you can argue a security bug or problem, then they will give it to you. Contact TAC.

 M.



Rich R
VIP

Well, your software version already has the fix/workaround.

If you want to try to get something newer then you need to find a security advisory which applies to your hardware and software version and refer to the section "Customers Without Service Contracts" then contact TAC by email (not phone) referring to the advisory URL and text and specify the precise name/location of the file you require.

e.g.: https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20191106-wlc-dos.html

Your controller is past End of Vulnerability/Security Support (https://www.cisco.com/c/en/us/products/collateral/wireless/2504-wireless-controller/eos-eol-notice-c51-740645.html), so you may battle to find an advisory which would help you get anything newer than 8.5.161.0, so your other option is to search for the file you're looking for or speak to your supplier.
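
An added triage example (not posted by anyone in this thread and not Cisco code) for the two AP console captures above: it splits console output into DTLS setup attempts and records which side's certificate was refused, the stated reason, the DTLS error code and the AP clock year. The `triage` function and its field names are assumptions made for this example; the sample input is the thread's own log lines joined together.

```python
import re

# Constructed input: the two AP console captures quoted in the thread, joined.
SAMPLE = """\
[*05/07/2022 08:39:43.0000] CAPWAP State: DTLS Setup
[*05/07/2022 08:39:43.0005] dtls_connectionDB_add_connection: Number of DTLS connections exceeded two
[*05/07/2022 08:39:43.6896] display_verify_cert_status: Verify Cert: FAILED at 0 depth: certificate has expired
[*05/07/2022 08:39:43.6903] dtls_verify_con_cert: Controller certificate verification error
[*05/07/2022 08:39:43.6903] dtls_process_packet: Controller certificate verification failed
[*05/07/2022 08:39:43.6907] sendPacketToDtls: DTLS: Closing connection 0x1b91a00.
[*05/07/2022 08:39:43.6908] Restarting CAPWAP State Machine.
[*05/07/2015 09:33:20.0001] CAPWAP State: DTLS Setup
[*05/07/2015 09:33:20.0005] dtls_connectionDB_add_connection: Number of DTLS connections exceeded two
[*05/07/2015 09:33:20.6790] dtls_process_packet: DTLS Error: 1046
[*05/07/2015 09:33:20.6790] dtls_process_packet: The controller shut down the DTLS connection.
[*05/07/2015 09:33:20.6790] dtls_process_packet: Please verify that the AP certificate is valid and has not expired.
[*05/07/2015 09:34:17.0161] dtls_disconnect: ERROR shutting down dtls connection ...
"""

LINE = re.compile(r"^\[\*\d{2}/\d{2}/(\d{4}) [\d:.]+\]\s+(.*)$")
VERIFY = re.compile(r"Verify Cert: FAILED at (\d+) depth: (.+)")
ERROR = re.compile(r"DTLS Error: (\d+)")

def triage(text):
    """Return one dict per DTLS setup attempt seen in AP console output."""
    attempts = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip prompts, blank lines and wrapped output
        year, msg = int(m.group(1)), m.group(2)
        if msg.startswith("CAPWAP State: DTLS Setup") or not attempts:
            attempts.append({"ap_clock_year": year, "rejected_cert": None,
                             "reason": None, "dtls_error": None})
        cur = attempts[-1]
        if v := VERIFY.search(msg):
            cur["reason"] = v.group(2).strip()
        elif "Controller certificate verification" in msg:
            cur["rejected_cert"] = "controller"  # the AP refused the controller's certificate
        elif "verify that the AP certificate" in msg:
            cur["rejected_cert"] = "ap"  # the AP's own hint after the controller closed the session
        elif e := ERROR.search(msg):
            cur["dtls_error"] = int(e.group(1))
    return attempts

if __name__ == "__main__":
    for n, attempt in enumerate(triage(SAMPLE), 1):
        print(n, attempt)
```

On the thread's captures this separates the first failure (the AP refusing the controller certificate as expired, AP clock in 2022) from the second (the controller closing the session after the date change, AP clock in 2015).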
