Unable to SSH to AP joined to 9800

pabloayalas
Level 1

Hello,

I'm facing an issue with our 9800 where we can't SSH into any of our access points; even though we have it configured in the AP Join profile, we still can't SSH. This is the output from the policy profile:

WLC-1#show ap profile all-profiles

AP Profile Name : AP_PROFILE
Description : AP Profile
Country code : US
Stats Timer : 180
Link Latency : DISABLED
Data Encryption : DISABLED
LED State : ENABLED
NTP server : 0.0.0.0
NTP Authentication : DISABLED
Jumbo MTU : DISABLED
24ghz Report Interval : 90
5ghz Report Interval : 90
bssid stats status : DISABLED
bssid stats frqncy interval : 30
bssid neighbor stats status : DISABLED
bssid neighbor stats interval : 180
POE :
PreStandard 802.3af Switch : DISABLED
Power Injector State : DISABLED
Power Injector Selection : Unknown
Injector Switch Mac : Not Configured
Device Management :
Telnet : DISABLED
SSH : ENABLED
Serial Console : ENABLED
User Management :
Username : admin

As you can see, SSH is enabled and with an admin account we configured. Now, I'm showing an output from one of our access points:

WLC-1#show ap config general

Cisco AP Name : AP
=================================================

Cisco AP Identifier : ...
Country Code : US
Regulatory Domain Allowed by Country : 802.11bg:-A 802.11a:-AB 802.11 6GHz:-B
Radio Authority IDs : None
AP Country Code : US - United States
AP Regulatory Domain
802.11bg : -A
802.11a : -B
MAC Address : 002a.101e.e6d0
IP Address Configuration : DHCP
IP Address : IP_ADDRESS
IP Netmask : 255.255.255.0
Gateway IP Address : DEFAULT-GATEWAY
CAPWAP Path MTU : 1485
Capwap Active Window Size : 1
Telnet State : Disabled
CPU Type : ARMv7 Processor rev 1 (v7l)
Memory Type : DDR4
Memory Size : 1028096 KB
SSH State : Enabled
Serial Console State : Enabled
Cisco AP Location : default location

And still we can't SSH. Finally, if I run a remote command from any of our access points, you can see that SSH has been enabled on the remote AP:

Feb 1 03:16:15.671: %AP_LOG-6-WAP : Chassis 1 AP Name : WAP
Feb 1 03:16:15.671: %AP_LOG-6-WAP : Chassis 1 Admin State : Enabled
Feb 1 03:16:15.671: %AP_LOG-6-WAP : Chassis 1 AP Mode : Local
Feb 1 03:16:15.671: %AP_LOG-6-WAP : Chassis 1 AP Submode : AWIPS FORENSIC
Feb 1 03:16:15.671: %AP_LOG-6-WAP : Chassis 1 Location : default location
Feb 1 03:16:15.671: %AP_LOG-6-WAP : Chassis 1 Primary controller name : WLC-1
Feb 1 03:16:15.671: %AP_LOG-6-WAP : Chassis 1 Primary controller IP : IP_ADDRESS
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 Secondary controller name :
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 Tertiary controller name :
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 Controller from DHCP offer : IP_ADDRESS
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 Controller from DNS server : IP_ADDRESS
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 AP join priority : 1
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 IP Prefer-mode : IPv4
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 CAPWAP UDP-Lite : Unconfigured
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 Last Joined Controller name: WLC-1
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 DTLS Encryption State : Disabled
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 Discovery Timer : 10
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 Heartbeat Timer : 30
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 CDP State : Enabled
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 Watchdog monitoring : Enabled
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 IOX : Disabled
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 RRM State : Enabled
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 LSC State : Disabled
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 SSH State : Enabled
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 AP Username : admin
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 Session Timeout : 300
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 Extlog Host : 0.0.0.0
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 Extlog Flags : 0
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 Extlog Status Interval : 0
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 Syslog Host : 255.255.255.255
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 Syslog Facility : 0
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 Syslog Level : informational
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 Core Dump File Compression : Disabled
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 Core Dump Filename :
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 Client Trace Status : Disabled(All)
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 Client Trace All Clients : Disabled
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 Client Trace Filter : 0x00000000
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 Client Trace Out ConsoleLog: Disabled
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 WLC Link LAG status : Disabled
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 AP Link LAG status : Disabled
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 AP WSA Mode : Enabled
Feb 1 03:16:15.672: %AP_LOG-6-WAP : Chassis 1 Auxiliary-client Interface : Disabled

And still, I can't get anything from the AP. If I try to SSH in verbose mode from my device, this is the output:

user@MAV ~ % ssh <IP_ADDRESS> -vvvv
OpenSSH_9.0p1, LibreSSL 3.3.6
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug3: kex names ok: [diffie-hellman-group1-sha1,diffie-hellman-group14-sha1]
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: /etc/ssh/ssh_config line 62: Applying options for *
debug2: resolve_canonicalize: hostname <IP_ADDRESS> is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/user/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/user/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug3: ssh_connect_direct: entering
debug1: Connecting to <IP_ADDRESS> [<IP_ADDRESS>] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug1: Connection established.
debug1: identity file /Users/user/.ssh/id_rsa type -1
debug1: identity file /Users/user/.ssh/id_rsa-cert type -1
debug1: identity file /Users/user/.ssh/id_ecdsa type -1
debug1: identity file /Users/user/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/user/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/user/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/user/.ssh/id_ed25519 type -1
debug1: identity file /Users/user/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/user/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/user/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/user/.ssh/id_xmss type -1
debug1: identity file /Users/user/.ssh/id_xmss-cert type -1
debug1: identity file /Users/user/.ssh/id_dsa type -1
debug1: identity file /Users/user/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
kex_exchange_identification: Connection closed by remote host
Connection closed by IP_ADDRESS port 22

Any idea where the issue might be?

Thanks 

9 Replies

marce1000
VIP

- Reboot the AP and check if that can help.

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

I have already tried multiple times with the same result. I bounced the port (these are PoE), but still, there was no SSH after the AP restored connectivity. This is very strange; I already have a TAC case; however, there is no path forward.

 

>... I already have a TAC case; however, there is no path forward.

- Check the software version being used on the controller; go for an advisory release such as 17.9.4a and check if that can help.

Also have an overall checkup of the 9800 configuration with the CLI command show tech wireless, and feed the output into Wireless Config Analyzer.

Note that GUI changes are translated into the running config; you may want to take diffs after subsequent GUI actions and compare the changes as seen in the running config. Further proceeding by then on using the CLI with the running configuration only may sometimes lead to better results.

M.


David Ritter
Level 4

[Image: Screenshot 2024-02-01 072337.png]

That's where I do it.

That's what I have configured, and it's still the same.

Rich R
VIP

1. What version of software are you using?
2. Can you ping the AP?
3. Are there any ACLs or firewalls between your PC and the AP?
4. Have you tried the SSH from a directly connected router or switch in the same subnet?

Pfff, I figured this out. I was pushing a dACL from ISE; this was the dACL:

remark - Allow DHCP
permit udp any eq bootpc any eq bootps
remark - Allow DNS
permit udp any any eq domain
remark - Allow ICMP
permit icmp any any
remark permit ssh
permit tcp any any eq 22
remark permit CAPWAP (control channel)
permit udp any any eq 5246
remark permit CAPWAP (data channel)
permit udp any any eq 5247
remark permit CAPWAP (Mcast channel)
permit udp any any eq 5248
deny ip any any

I removed the dACL entirely and it worked. Thanks everyone for your help and support!
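As an added example (not part of the thread), the following Python evaluates the dACL posted above against the traffic the AP itself sends. It assumes the dACL is applied inbound on the AP's switchport, as an ISE dACL is, and that in a Cisco extended ACL `eq N` binds to the address it follows, so `permit tcp any any eq 22` matches packets destined to port 22 but not the AP's SSH replies, which are sourced from port 22; the ephemeral ports and the FIXED_DACL variant are constructed for the example.

```python
# Added example, not from the thread: evaluate the posted ISE dACL against the
# traffic the AP sends. Assumes the dACL is applied inbound on the AP's switchport
# (filtering what the AP sends) and that "eq N" binds to the address it follows.
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53}

POSTED_DACL = """\
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit tcp any any eq 22
permit udp any any eq 5246
permit udp any any eq 5247
permit udp any any eq 5248
deny ip any any
"""  # remark lines from the post omitted; parse_dacl skips them anyway

def parse_dacl(text):  # -> [(action, proto, sport, dport)], None = any port
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        action, proto, rest, ports = tok[0], tok[1], tok[2:], []
        while rest:  # 'any' [eq P] for the source, then for the destination
            rest = rest[1:]
            if rest and rest[0] == "eq":
                ports.append(PORT_NAMES.get(rest[1]) or int(rest[1]))
                rest = rest[2:]
            else:
                ports.append(None)
        rules.append((action, proto, ports[0], ports[1]))
    return rules

def lookup(rules, proto, sport, dport):  # first match wins; implicit deny at end
    for action, rproto, rsport, rdport in rules:
        if rproto in ("ip", proto) and rsport in (None, sport) and rdport in (None, dport):
            return action
    return "deny"

def evaluate_ap_egress(dacl_text=POSTED_DACL):  # packets the AP sends
    rules = parse_dacl(dacl_text)
    return {  # ephemeral ports (50111, 51234) are constructed sample values
        "dhcp_discover": lookup(rules, "udp", 68, 67),
        "dns_query": lookup(rules, "udp", 50111, 53),
        "capwap_control": lookup(rules, "udp", 5246, 5246),
        "ssh_reply_to_admin": lookup(rules, "tcp", 22, 51234),
    }

# Constructed fix if a dACL must stay: also permit the AP's replies sourced from port 22.
FIXED_DACL = POSTED_DACL.replace("permit tcp any any eq 22\n",
                                 "permit tcp any any eq 22\npermit tcp any eq 22 any\n")
```

The result shows every CAPWAP, DHCP and DNS flow permitted while the SSH reply from the AP falls through to the final deny, which matches the symptom of an AP that joins the controller fine but refuses SSH.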

The old shooting yourself in the foot trick <smile>

hahahahaha yep!!! 
