Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1977
Views
3
Helpful
5
Replies

Unable to Run the Ignore Certificate Command on WLC

Go to solution
sleepless swan
Level 1
Level 1

‎05-15-2023 04:05 AM

I have been receiving these error messages while I'm trying to join a LWAP to the WLC. I tried running the command config ap cert-expiry-ignore mic enable on the WLC, but it won't work.

WLC software version is 7.6.100.0.

AP model AIR-CAP3502I-E-K9

AP image /ap3g1-k9w8

 

 

*May 15 01:55:53.128: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*May 15 01:55:53.132: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:467 Certificate verified failed!
*May 15 01:55:53.132: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.10.6:5246
*May 15 01:55:53.132: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.10.6:5246
*May 15 01:55:53.132: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
*May 15 01:56:58.003: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*May 15 01:55:53.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.10.6 peer_port: 5246
*May 15 01:56:23.007: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2176 Max retransmission count reached!
*May 15 01:56:53.001: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.10.6:5246
*May 15 01:56:53.051: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
*May 15 01:56:53.073: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*May 15 01:56:53.073: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Flavio Miranda
VIP
VIP

‎05-15-2023 05:07 AM

Hello,

  7.6 is pretty old verion. This AP 3502 started with  8.1.122.0

Check the compatibility matrix:

https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

with this version you can join 1700 , 2700 ,3700 

 

 

View solution in original post

Go to solution
Rich R
VIP
VIP
In response to sleepless swan

‎05-15-2023 09:14 AM - edited ‎05-15-2023 09:20 AM

Yes so then 8.5.182.7 (link below) and make sure all your AP models will still be supported.
3502 will be ok.

Review https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn85mr8.html#software-rel-types-and-recommendations_85mr8 for any gotchas when upgrading across so many different releases.
Also see https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn80mr5.html#pgfId-1373277 for going from 7.6 to 8.x

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

View solution in original post

5 Replies 5

Go to solution
Flavio Miranda
VIP
VIP

‎05-15-2023 05:07 AM

Hello,

  7.6 is pretty old verion. This AP 3502 started with  8.1.122.0

Check the compatibility matrix:

https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

with this version you can join 1700 , 2700 ,3700 

 

 

Go to solution
Rich R
VIP
VIP

‎05-15-2023 08:29 AM

Read field notice 63942 (below) slowly, carefully and thoroughly!

AireOS 7.6.x does NOT have the fix/workaround capability for that command.  That was added in 7.0.252.0, 7.4.140.0 & 8.1.102.0 so your only option is to upgrade to a recent 8.x release.  Also take note of the other field notices below which may be relevant to you.  You did not bother to mention what model of WLC you're using so I cannot make any more specific recommendations but you'll likely need to use 8.5.182.7 (link below) depending on what other APs you need to support - refer to the compatibility matrix (below and as linked by Flavio above).

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Go to solution
sleepless swan
Level 1
Level 1
In response to Rich R

‎05-15-2023 08:48 AM - edited ‎05-15-2023 08:50 AM

yeah, I forgot to add the model to the original post. My bad.  It's 5508. I think it requires 8.5 as far as I could understand. 

0 Helpful

Go to solution
Rich R
VIP
VIP
In response to sleepless swan

‎05-15-2023 09:14 AM - edited ‎05-15-2023 09:20 AM

Yes so then 8.5.182.7 (link below) and make sure all your AP models will still be supported.
3502 will be ok.

Review https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn85mr8.html#software-rel-types-and-recommendations_85mr8 for any gotchas when upgrading across so many different releases.
Also see https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn80mr5.html#pgfId-1373277 for going from 7.6 to 8.x

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Go to solution
marce1000
VIP
VIP

‎05-15-2023 08:42 AM

 

 - If I recall correctly the minimum version to start with (supporting) that command is 8.3.x

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card