Some APs no longer showing on WLC but can still ping the devices

g.ghir
Level 1

Dear Community,

 

I have been running a network over a number of years (remotely) which has a Cisco 2504 WLC with LAP1042N-E Access Points (x5) and one AP (CAP1602I-E). The users have reported a problem of poor connectivity. Once we investigated the issue, we found we are not seeing 3 of the 6 APs on the WLC. Strange thing is that we can ping all 6 APs???

Not sure what is going on. Happy to provide logs/dumps etc. but I am working remotely; however, I have had one of the (faulty) APs shipped to my house.

1 Accepted Solution

Leo Laohoo
Hall of Fame

Read this:  FN - 63942 - Wireless Lightweight Access Points and WLAN Controllers Fail to Create CAPWAP Connections Due to Certificate Expiration

I suspect the WLC is running a fairly old firmware, probably early 8.0, and the APs have rebooted or crashed. 

You may see AP on the network but not on the WLC. And you may see AP on the WLC but not propagating wireless signal. 

Make sure the AP is properly configured on the switch. Check vlan and port mode. 

Access the AP remotely and try to ping the WLC.

Thanks, but it used to work and nothing has changed on the switch, the other 3 APs are continuing to work.  

Check if the AP joins the WLC.
Check the AP certificate; maybe it has expired.

Hi Leo, yes the Software Version is 7.6.100.0.  What version would be recommended to fix this issue please?

In doing some more digging you seem to be correct (although I have not fixed this yet).  Once I set the clock back in time on my Wireless Controller the APs started to come back.  I am working remotely so I am not sure if I need to console into the APs to apply a permanent fix.  Exploring further...

As I mentioned in my first comment, the issue is the certificate.
Another workaround is using:

config ap cert-expiry-ignore mic enable


@g.ghir wrote:

Hi Leo, yes the Software Version is 7.6.100.0.  What version would be recommended to fix this issue please?


What APs are there?

1042 and 1600.  Any other models?

If just the 1042 and 1600 then the highest version you can run is

8.3.150.0

As per the wireless compatibility matrix

https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

 

Then:

You will need to follow these steps:

Solution for Expired WLC Certificates

Situation: The WLC does not run a fixed software version and some APs cannot join.

  1. Upgrade to a fixed version of the software.
  2. Enter the config ap cert-expiry-ignore {mic|ssc} enable command.
  3. If any of the APs that cannot join have not downloaded the fixed software:
    1. Disable NTP.
    2. Set the clock back to a time before the WLC certificate expired (might keep newer APs from joining).
    3. Have all APs join the WLC, download new software, and rejoin.
    4. Set the clock to the correct time and re-enable NTP.

Situation: The WLC runs fixed software, but some APs cannot join.

  1. Enter the config ap cert-expiry-ignore mic enable command.
  2. If any of the APs that cannot join have not downloaded the fixed software:
    1. Disable NTP.
    2. Set the clock back to a time before the WLC certificate expired (might keep newer APs from joining).
    3. Have all APs join the WLC, download new software, and rejoin.
    4. Set the clock to the correct time and re-enable NTP.

Alternatively as a work around before the upgrade you can roll the WLC clock manually back to before the certificate expired

Further details here: https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html 

*****Help out others by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***
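
Why the clock rollback in the steps above works, and why it "might keep newer APs from joining", shown as an added example that is not part of the original post or of Cisco's field notice. The certificate names and validity dates are constructed, and the model assumes the join check is a plain notBefore/notAfter comparison against the controller clock.

```python
from datetime import datetime, timezone


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed validity periods (notBefore, notAfter); not real certificate data.
CERTS = {
    "wlc-mic":   (utc(2012, 6, 1),  utc(2022, 6, 1)),
    "ap-1042-a": (utc(2011, 3, 15), utc(2021, 3, 15)),
    "ap-1042-b": (utc(2011, 9, 1),  utc(2021, 9, 1)),
    "ap-1602":   (utc(2013, 1, 10), utc(2023, 1, 10)),
}


def rejected_at(clock, certs):
    """Names of certificates that fail the validity check at this clock value."""
    return sorted(
        name for name, (not_before, not_after) in certs.items()
        if not (not_before <= clock <= not_after)
    )


def rollback_window(certs):
    """Clock range in which every certificate is valid at the same time.

    Returns (earliest, latest), or None when the periods do not overlap,
    which is the case where a rollback locks out newer devices.
    """
    earliest = max(not_before for not_before, _ in certs.values())
    latest = min(not_after for _, not_after in certs.values())
    return (earliest, latest) if earliest <= latest else None


if __name__ == "__main__":
    today = utc(2022, 5, 2)  # constructed "current" controller time
    print("rejected today:", rejected_at(today, CERTS))
    print("usable rollback window:", rollback_window(CERTS))

    # A newer AP whose certificate starts after the oldest one expired.
    mixed = dict(CERTS, **{"ap-new": (utc(2022, 1, 1), utc(2032, 1, 1))})
    print("window with newer AP:", rollback_window(mixed))
```

A rolled-back clock also skews log timestamps and any other time-based validation on the controller, which is why the procedure ends by restoring the correct time and re-enabling NTP.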

1x AIR-CAP1602I-E-K9
5x AIR-LAP1042N-E-K9

Kind thx

Haydn Andrews
VIP Alumni

agree with @Leo Laohoo more than likely APs hitting MIC certificate expiry

Thanks Haydn, 

I looked at the article but I have not worked on controllers so I need to do a bit more study.  When I look at the logs I notice this error:

*spamApTask2: May 02 18:03:29.307: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:698 Failed to complete DTLS handshake with peer

 

Does this have something to do with the issue?

Rich R
VIP

Yes - the field notice tells you exactly what to do and @Haydn Andrews has even summarised that for you above.

You need to upgrade the WLC to a version with the fix/workaround (8.3.150.0 as Haydn suggested) and then apply the correct config as per the instructions.
