10-26-2017 03:28 AM - edited 07-05-2021 07:46 AM
Hi
I have upgraded a Wireless Controller from version 7.4.114.0 to version 8.0.140.0 and some of the APs don't register afterwards.
10 1142N APs have upgraded and registered without problems but the last one won't register. It just keeps rebooting.
I have followed this tshoot guide without success: https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/119286-lap-notjoin-wlc-tshoot.html?referring_site=cisco_cli_analyzer
On the controller i get the following errors for the AP:
*spamApTask4: Oct 26 11:52:46.694: [PA] 11:22:33:44:55:66 DTLS connection not found, creating new connection for 10:130:11:201 (61571) 10:130:0:28 (5246)
*spamApTask4: Oct 26 11:52:46.694: [PA] sshpmGetCID: called to evaluate <cscoSha2IdCert>
*spamApTask4: Oct 26 11:52:46.694: [PA] sshpmGetCID: comparing to row 4, ID cert >bsnSslWebauthCert<
*spamApTask4: Oct 26 11:52:46.694: [PA] sshpmGetCID: comparing to row 3, ID cert >bsnSslWebadminCert<
*spamApTask4: Oct 26 11:52:46.694: [PA] sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
*spamApTask4: Oct 26 11:52:46.694: [PA] sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
*spamApTask4: Oct 26 11:52:46.694: [PA] sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
*spamApTask4: Oct 26 11:52:46.694: [PA] sshpmGetCID: failed to find matching cert.
*spamApTask4: Oct 26 11:52:46.694: [PA] sshpmGetDERIDCert: Using SHA2 Id cert on WLC
*spamApTask4: Oct 26 11:52:46.694: [PA] sshpmGetCID: called to evaluate <cscoDefaultIdCert>
*spamApTask4: Oct 26 11:52:46.694: [PA] sshpmGetCID: comparing to row 4, ID cert >bsnSslWebauthCert<
*spamApTask4: Oct 26 11:52:46.694: [PA] sshpmGetCID: comparing to row 3, ID cert >bsnSslWebadminCert<
*spamApTask4: Oct 26 11:52:46.694: [PA] sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
*spamApTask4: Oct 26 11:52:46.694: [PA] sshpmGetCertFromCID: called to get cert for CID 123a156c
*spamApTask4: Oct 26 11:52:46.694: [PA] sshpmGetCertFromCID: comparing to row 4, certname >bsnSslWebauthCert<
*spamApTask4: Oct 26 11:52:46.694: [PA] sshpmGetCertFromCID: comparing to row 3, certname >bsnSslWebadminCert<
*spamApTask4: Oct 26 11:52:46.694: [PA] sshpmGetCertFromCID: comparing to row 2, certname >cscoDefaultIdCert<
*spamApTask4: Oct 26 11:52:46.694: [PA] sshpmGetCID: called to evaluate <cscoSha2IdCert>
*spamApTask4: Oct 26 11:52:46.694: [PA] sshpmGetCID: comparing to row 4, ID cert >bsnSslWebauthCert<
*spamApTask4: Oct 26 11:52:46.694: [PA] sshpmGetCID: comparing to row 3, ID cert >bsnSslWebadminCert<
*spamApTask4: Oct 26 11:52:46.694: [PA] sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
*spamApTask4: Oct 26 11:52:46.694: [PA] sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
*spamApTask4: Oct 26 11:52:46.694: [PA] sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
*spamApTask4: Oct 26 11:52:46.694: [PA] sshpmGetCID: failed to find matching cert.
*spamApTask4: Oct 26 11:52:46.695: [PA] sshpmGetDERIDCertPrivateKey: Using SHA2 Id cert Private Keys on WLC
*spamApTask4: Oct 26 11:52:46.695: [PA] sshpmGetCID: called to evaluate <cscoDefaultIdCert>
*spamApTask4: Oct 26 11:52:46.695: [PA] sshpmGetCID: comparing to row 4, ID cert >bsnSslWebauthCert<
*spamApTask4: Oct 26 11:52:46.695: [PA] sshpmGetCID: comparing to row 3, ID cert >bsnSslWebadminCert<
*spamApTask4: Oct 26 11:52:46.695: [PA] sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
*spamApTask4: Oct 26 11:52:46.695: [PA] sshpmGetSshPrivateKeyFromCID: called to get key for CID 123a156c
*spamApTask4: Oct 26 11:52:46.695: [PA] sshpmGetSshPrivateKeyFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<
*spamApTask4: Oct 26 11:52:46.695: [PA] sshpmGetSshPrivateKeyFromCID: comparing to row 1, certname >bsnDefaultIdCert<
*spamApTask4: Oct 26 11:52:46.695: [PA] sshpmGetSshPrivateKeyFromCID: comparing to row 2, certname >cscoDefaultIdCert<
*spamApTask4: Oct 26 11:52:46.695: [PA] sshpmGetSshPrivateKeyFromCID: match in row 2
*spamApTask4: Oct 26 11:52:46.813: [PA] sshpmGetCID: called to evaluate <cscoDefaultIdCert>
*spamApTask4: Oct 26 11:52:46.813: [PA] sshpmGetCID: comparing to row 4, ID cert >bsnSslWebauthCert<
*spamApTask4: Oct 26 11:52:46.813: [PA] sshpmGetCID: comparing to row 3, ID cert >bsnSslWebadminCert<
*spamApTask4: Oct 26 11:52:46.813: [PA] sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
*spamApTask4: Oct 26 11:52:46.813: [PA] sshpmGetCertFromCID: called to get cert for CID 123a156c
*spamApTask4: Oct 26 11:52:46.814: [PA] sshpmGetCertFromCID: comparing to row 4, certname >bsnSslWebauthCert<
*spamApTask4: Oct 26 11:52:46.814: [PA] sshpmGetCertFromCID: comparing to row 3, certname >bsnSslWebadminCert<
*spamApTask4: Oct 26 11:52:46.814: [PA] sshpmGetCertFromCID: comparing to row 2, certname >cscoDefaultIdCert<
*spamApTask4: Oct 26 11:52:46.814: [PA] sshpmGetCID: called to evaluate <cscoDefaultIdCert>
*spamApTask4: Oct 26 11:52:46.814: [PA] sshpmGetCID: comparing to row 4, ID cert >bsnSslWebauthCert<
*spamApTask4: Oct 26 11:52:46.814: [PA] sshpmGetCID: comparing to row 3, ID cert >bsnSslWebadminCert<
*spamApTask4: Oct 26 11:52:46.814: [PA] sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
*spamApTask4: Oct 26 11:52:46.814: [PA] sshpmGetSshPrivateKeyFromCID: called to get key for CID 123a156c
*spamApTask4: Oct 26 11:52:46.815: [PA] sshpmGetSshPrivateKeyFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<
*spamApTask4: Oct 26 11:52:46.815: [PA] sshpmGetSshPrivateKeyFromCID: comparing to row 1, certname >bsnDefaultIdCert<
*spamApTask4: Oct 26 11:52:46.815: [PA] sshpmGetSshPrivateKeyFromCID: comparing to row 2, certname >cscoDefaultIdCert<
*spamApTask4: Oct 26 11:52:46.815: [PA] sshpmGetSshPrivateKeyFromCID: match in row 2
*spamApTask4: Oct 26 11:52:47.127: [PA] sshpmGetIssuerHandles: locking ca cert table
*spamApTask4: Oct 26 11:52:47.127: [PA] sshpmGetIssuerHandles: calling x509_alloc() for user cert
*spamApTask4: Oct 26 11:52:47.127: [PA] sshpmGetIssuerHandles: calling x509_decode()
*spamApTask4: Oct 26 11:52:47.131: [PA] sshpmGetIssuerHandles: <subject> C=US, ST=California, L=San Jose, O=Cisco Systems, CN=C1140-44d3caaf0828, MAILTO=support@cisco.com
*spamApTask4: Oct 26 11:52:47.131: [PA] sshpmGetIssuerHandles: <issuer> O=Cisco Systems, CN=Cisco Manufacturing CA
*spamApTask4: Oct 26 11:52:47.131: [PA] sshpmGetIssuerHandles: Mac Address in subject is 11:22:33:44:55:66
*spamApTask4: Oct 26 11:52:47.131: [PA] sshpmGetIssuerHandles: Cert Name in subject is C1140-44d3caaf0828
*spamApTask4: Oct 26 11:52:47.131: [PA] sshpmGetIssuerHandles: Extracted cert issuer from subject name.
*spamApTask4: Oct 26 11:52:47.131: [PA] sshpmGetIssuerHandles: Cert is issued by Cisco Systems.
*spamApTask4: Oct 26 11:52:47.131: [PA] sshpmGetCID: called to evaluate <cscoDefaultMfgCaCert>
*spamApTask4: Oct 26 11:52:47.131: [PA] sshpmGetCID: comparing to row 7, CA cert >cscoMfgSha2CaCert<
*spamApTask4: Oct 26 11:52:47.131: [PA] sshpmGetCID: comparing to row 6, CA cert >cscoRootSha2CaCert<
*spamApTask4: Oct 26 11:52:47.131: [PA] sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
*spamApTask4: Oct 26 11:52:47.131: [PA] sshpmGetCertFromCID: called to get cert for CID 28a5679a
*spamApTask4: Oct 26 11:52:47.131: [PA] sshpmGetCertFromCID: comparing to row 7, certname >cscoMfgSha2CaCert<
*spamApTask4: Oct 26 11:52:47.131: [PA] sshpmGetCertFromCID: comparing to row 6, certname >cscoRootSha2CaCert<
*spamApTask4: Oct 26 11:52:47.131: [PA] sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<
*spamApTask4: Oct 26 11:52:47.131: [PA] ssphmUserCertVerify: calling x509_decode()
*spamApTask4: Oct 26 11:52:47.142: [PA] ssphmUserCertVerify: user cert verfied using >cscoDefaultMfgCaCert<
*spamApTask4: Oct 26 11:52:47.142: [PA] sshpmGetIssuerHandles: ValidityString (current): 2017/10/26/09:52:47
*spamApTask4: Oct 26 11:52:47.142: [PA] sshpmGetIssuerHandles: ValidityString (NotBefore): 2011/07/19/04:33:42
*spamApTask4: Oct 26 11:52:47.142: [PA] sshpmGetIssuerHandles: ValidityString (NotAfter): 2021/07/19/04:43:42
*spamApTask4: Oct 26 11:52:47.142: [PA] sshpmGetIssuerHandles: Signature Algorithm is rsa-pkcs1-sha1
*spamApTask4: Oct 26 11:52:47.142: [PA] sshpmGetIssuerHandles: getting cisco ID cert handle...
*spamApTask4: Oct 26 11:52:47.142: [PA] sshpmGetCID: called to evaluate <cscoDefaultIdCert>
*spamApTask4: Oct 26 11:52:47.142: [PA] sshpmGetCID: comparing to row 4, ID cert >bsnSslWebauthCert<
*spamApTask4: Oct 26 11:52:47.142: [PA] sshpmGetCID: comparing to row 3, ID cert >bsnSslWebadminCert<
*spamApTask4: Oct 26 11:52:47.142: [PA] sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
*spamApTask4: Oct 26 11:52:47.143: [PA] sshpmFreePublicKeyHandle: called with 0x19ce28c0
*spamApTask4: Oct 26 11:52:47.143: [PA] sshpmFreePublicKeyHandle: freeing public key
*spamApTask4: Oct 26 11:52:47.465: [PA] 11:22:33:44:55:66 acDtlsPlumbControlPlaneKeys: lrad:10.130.11.201(61571) mwar:10.130.0.28(5246)
*spamApTask4: Oct 26 11:52:47.465: [PA] 11:22:33:44:55:66 Allocated index from main list, Index: 1
*spamApTask4: Oct 26 11:52:47.465: [PA] 11:22:33:44:55:66 Using CipherSuite AES128-SHA
*spamApTask4: Oct 26 11:52:47.465: [PA] 11:22:33:44:55:66 DTLS keys for Control Plane are plumbed successfully for AP 10.130.11.201. Index 2
*spamApTask7: Oct 26 11:52:47.465: [PA] 11:22:33:44:55:66 DTLS Session established server (10.130.0.28:5246), client (10.130.11.201:61571)
*spamApTask7: Oct 26 11:52:47.465: [PA] 11:22:33:44:55:66 Starting wait join timer for AP: 10.130.11.201:61571
*spamApTask4: Oct 26 11:52:47.468: [PA] 11:22:33:44:55:66 Deleting AP entry 10.130.11.201:61571 from temporary database.
10-26-2017 03:40 AM - edited 10-26-2017 03:42 AM
Hello @rasmus.elmholt
On the WLC Security tab and under AP Policy verify if LSC and SSC is checked.
This can be also certificate expired on the Access Points.
Time and data could be a problem as well but as you said you have more AP on the WLC, this is not an issue probably.
-If I helped you somehow, please, rate it as useful.-
10-26-2017 03:56 AM
10-26-2017 04:08 AM
Can you run 'sh crypto pki certificates' on the AP ?
10-26-2017 04:20 AM
10-30-2017 09:14 AM
10-31-2017 04:13 AM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide