Unable to join C9130 AP to C9800-CL, certificate error

david101011
Level 1

I get the following failure on the console of the AP when trying to join a C9800-CL WLC:

[*08/18/2023 17:25:10.9392] CAPWAP State: Discovery
[*08/18/2023 17:25:10.9417] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*08/18/2023 17:25:10.9435] Discovery Response from 10.1.1.1
[*08/18/2023 17:25:20.0001]
[*08/18/2023 17:25:20.0001] CAPWAP State: DTLS Setup
[*08/18/2023 17:25:20.0008] dtls_connectionDB_add_connection: Number of DTLS connections exceeded two
[*08/18/2023 17:25:20.3250] First connect to vWLC, accept vWLC by default
[*08/18/2023 17:25:20.3250]
[*08/18/2023 17:25:20.3312] display_verify_cert_status: Verify Cert: FAILED at 1 depth: certificate is not yet valid
[*08/18/2023 17:25:20.3312] X509 OpenSSL Errors...
[*08/18/2023 17:25:20.3312]
[*08/18/2023 17:25:20.3312] NONE
[*08/18/2023 17:25:20.3312]
[*08/18/2023 17:25:20.3312]
[*08/18/2023 17:25:20.3312] dtls_verify_con_cert: vWLC Certificate verification error
[*08/18/2023 17:25:20.3312] dtls_process_packet: Controller certificate verification failed
[*08/18/2023 17:25:20.3319] sendPacketToDtls: DTLS: Closing connection 0x557701fa00.
[*08/18/2023 17:25:20.3319]
[*08/18/2023 17:25:20.3319] Going to restart CAPWAP (reason : dtls_rc_connection_closed)...
[*08/18/2023 17:25:20.3319]
[*08/18/2023 17:25:20.3320] Restarting CAPWAP State Machine.
[*08/18/2023 17:25:20.3322] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state: DTLS Setup(3).
[*08/18/2023 17:25:20.3322] Failed to disconnect DTLS-CTRL session.
[*08/18/2023 17:25:20.3322] 
[*08/18/2023 17:25:20.3322] CAPWAP State: DTLS Teardown
[*08/18/2023 17:25:20.3473] Aborting image download(0x0): Dtls cleanup, ap1g6a
[*08/18/2023 17:25:20.4262] do ABORT, part1 is active part
[*08/18/2023 17:25:20.4592] upgrade.sh: Cleanup tmp files ...
[*08/18/2023 17:25:20.4820] DTLS: Error while processing DTLS packet 0x5577030000.
[*08/18/2023 17:25:24.9342] No more AP manager addresses remain..
[*08/18/2023 17:25:24.9342] No valid AP manager found for controller '' (ip: 10.1.1.1)
[*08/18/2023 17:25:24.9342] Failed to join controller .

The versions match. Both the AP and the WLC have software version 16.12.8. It's getting the discovery response, but then it aborts without trying to do anything. It looks like a certificate error, but I don't know how to tell things to ignore those things. Any ideas?

Accepted Solutions

Rasika Nayanajith
VIP Alumni

Did you check the time setup on the WLC? The line below indicates a time sync issue on your WLC:

display_verify_cert_status: Verify Cert: FAILED at 1 depth: certificate is not yet valid

HTH
Rasika
*** Pls rate all useful responses ***
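
The diagnosis in the accepted answer, as an added example that is not part of the original thread: a Python triage that walks AP console lines (copied from the question above), tracks the CAPWAP state and responding controller, and flags certificate verification failures whose reason depends on a clock. The function name `triage`, the result fields and the hint strings are assumptions made for this example.

```python
import re
from datetime import datetime

# Lines copied from the AP console output in the question above.
SAMPLE_LOG = """\
[*08/18/2023 17:25:10.9435] Discovery Response from 10.1.1.1
[*08/18/2023 17:25:20.0001] CAPWAP State: DTLS Setup
[*08/18/2023 17:25:20.3312] display_verify_cert_status: Verify Cert: FAILED at 1 depth: certificate is not yet valid
[*08/18/2023 17:25:20.3312] dtls_process_packet: Controller certificate verification failed
[*08/18/2023 17:25:24.9342] No valid AP manager found for controller '' (ip: 10.1.1.1)
"""

LINE_RE = re.compile(r"^\[\*(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\.\d+\]\s*(.*)$")
STATE_RE = re.compile(r"^CAPWAP State: (.+)$")
RESPONSE_RE = re.compile(r"^Discovery Response from (\S+)$")
VERIFY_RE = re.compile(r"Verify Cert: FAILED at (\d+) depth: (.+)$")

# OpenSSL verification messages whose outcome depends on the verifier's clock
# (the hint wording is this example's own).
CLOCK_REASONS = {
    "certificate is not yet valid": "clock on the verifying side is before notBefore",
    "certificate has expired": "clock on the verifying side is after notAfter",
}

def triage(log_text):
    """Return one finding per certificate verification failure in the log."""
    findings, state, controller = [], None, None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        stamp, msg = m.groups()
        if s := STATE_RE.match(msg):
            state = s.group(1)            # last CAPWAP state seen
        elif r := RESPONSE_RE.match(msg):
            controller = r.group(1)       # controller that answered discovery
        elif v := VERIFY_RE.search(msg):
            reason = v.group(2).strip()
            findings.append({
                "ap_time": datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S"),
                "controller": controller, "capwap_state": state,
                "depth": int(v.group(1)), "reason": reason,
                "clock_related": reason in CLOCK_REASONS,
                "hint": CLOCK_REASONS.get(reason, "not a validity-window error"),
            })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

`ap_time` is the AP's own clock at the moment of failure; comparing it with the controller's clock and the certificate's validity dates shows which side is off.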

Leo Laohoo
Hall of Fame

Any operational reason(s) for the need to continue using a widely-known-to-be-buggy 16.12.X train?

@david101011 Hi, check if the time of controller is correct.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Rich R
VIP

1. Check WLC NTP time is in sync as others have highlighted already.

2. Update the code version as per TAC recommended link below.

david101011
Level 1

>  Did you check the time setup on WLC, below indicating time sync issue of your WLC

I have checked it, but I'll check again.  Maybe I put in daylight saving time wrong or something.

> Any operational reason(s) for the need to continue using a widely-known-to-be-buggy 16.12.X train?

Client requirement.  They are unable to upgrade the WLC for various reasons, so I need to work with what I have.  

> I have checked it, but I'll check again.  Maybe I put in daylight saving time wrong or something.
DST doesn't matter, as long as NTP is in sync.

> Client requirement.  They are unable to upgrade the WLC for various reasons, so I need to work with what I have.
You should highlight a few things to the client:
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-xe-16/eos-eol-notice-c51-744154.html
End of SW Maintenance Releases Date OS SW: February 17, 2022 - that's no more bug fixes since beginning of last year.
End of Vulnerability/Security Support OS SW: August 18, 2022 - that's no more security vulnerability fixes since a year ago!

Software advisories affecting this software:
https://software.cisco.com/download/advisories?fileName=C9800-CL-universalk9.16.12.08.SPA.bin&mdfid=286322605

And then refer to the TAC recommended link below...

david101011
Level 1

> DST doesn't matter, as long as NTP is in sync.

It seems that setting the time correctly doesn't matter; it needs to have a valid connection to a valid NTP server. Once that was set correctly (even to one running in my local test network), it seemed to work and I was able to join the AP to the WLC.

Thank you everyone for your help.

It helped me, thank you
