which Aironet models have a still valid certificate today?

Hi, I have a few Cisco Aironet 3500i Access Points and realized that none of them have a valid certificate; they have already expired. And I read in Field Notice FN-63942 that my APs have a 10-year valid certificate, according to this paragraph:

Prior to July 18, 2005, Cisco APs were not manufactured with MICs.

All Cisco wireless products that were manufactured between July 18, 2005, and mid-2017 have MICs that expire after 10 years.

Starting in 2017, Cisco manufactured all wireless devices with MICs that expire in 2037.

Starting in 2019, all 9800 WLCs and 9100 APs were manufactured with certificates that expire in 2099.

Other AP and WLC models continue to be manufactured with certificates that expire in 2037.

Until now I haven't found a way to have my Catalyst 3850 ignore the expired cert of the APs, so I am considering buying another model of Aironets, but I am not sure how to choose them and I don't have the budget to just go ahead and shop for the latest model. So how can I determine if the APs were manufactured after 2017 or 2019? Is there a matrix for reference?

Thanks!!

Accepted Solutions

No, @Haydn Andrews, that's an AireOS command; the 3850 is IOS-XE.

He seems to have got past that now anyway and instead has problems with DTLS?

Why use DTLS?

All CAPWAP control data is encrypted by default and clients should be encrypting anything sensitive themselves (https etc).

As we've already said converged access was abandoned by Cisco because of numerous problems and they moved on to the next generation (9800 series).  Maybe you should too?

Regarding cost maybe you should consider running EWC on a 9100 AP or if even that is too expensive for you then consider running a 9800-CL on a PC?


No license required to run as a standalone solution.

If you want to manage it with DNA centre then you need a license.

https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/nb-o6-embded-wrls-cont-ds-cte-en.html#Licensing

https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/q-and-a-c67-743152.html#Licensingandordering

https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/at-a-glance-c45-742857.html

12 Replies

Leo Laohoo
Hall of Fame

No one should be using a Unified Access wireless controller.

The 3650/3850 has several design flaws, and one of them is not enough CPU and not enough memory to do all the things promised.

Cisco has ditched this dumpster fire for version 2.0 (Catalyst 9k).  

Did somebody delete my post when I was asking how to set up certificate expiry ignore in the Catalyst 3850?

I understand that the Catalyst 9k series is better, but even a used model costs at least ten times what I paid for the 3850 (used as well).

So please let me ask my two questions in this post again, since the other one was marked as a duplicate:

1.- On the C3850, how can I set up certificate expiry ignore for the APs?

2.- How can I determine if the AP that I am shopping for falls into the 2017 or 2019 manufacturing date?

Thanks again!

Note: I don't know who deleted my other post, but I wasn't pointed to another discussion where the solution was provided, and no definitive answer was provided either.


Aldo.zavala@gmail.com wrote:

2.- How can I determine if the AP that I am shopping for falls into the 2017 or 2019 manufacturing date?


Please read the FN properly.  How to determine the manufacturing date of a Cisco appliance based on the serial number can be found in the Derive Manufactured Date from the Product SN section.


Aldo.zavala@gmail.com wrote:

1.- On the C3850, how can I set up certificate expiry ignore for the APs?


Please read the FN properly.  Have a look at the Solution for Expired AP Certificates and/or for Scenario of Encrypted Mobility Tunnels That Fail to Form section.
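
Leo's pointer to the FN's serial number section, worked through as an added Python example (not from the thread, from Cisco, or from the FN itself): decode the year and week from the LLLYYWWSSSS serial (year = 1996 + YY), then apply the manufacturing windows quoted in the question to say which MIC profile a unit has and whether a 10-year MIC would already be expired. It assumes week 1 starts on 1 January and that 9800 WLC and 9100 AP PIDs begin with C9800/C91xx; the inventory is constructed from the serials posted in this thread plus one made-up 9100 serial.

```python
import re
from datetime import date, timedelta

# Serial number layout LLLYYWWSSSS, as in the "Derive Manufactured Date from the
# Product SN" section of FN-63942: LLL = manufacturing site, YY = year code
# (01 = 1997, so year = 1996 + YY), WW = week of that year, SSSS = unique id.
SERIAL_RE = re.compile(r"^([A-Z]{3})(\d{2})(\d{2})([A-Z0-9]{4})$")

# FN-63942: APs built before this date carry no MIC at all.
MIC_INTRODUCED = date(2005, 7, 18)


def parse_serial(sn):
    """Decode a Cisco serial number into (site, year, week)."""
    m = SERIAL_RE.match(sn.strip().upper())
    if not m:
        raise ValueError(f"not an LLLYYWWSSSS serial: {sn!r}")
    site, yy, ww, _unique = m.groups()
    year, week = 1996 + int(yy), int(ww)
    if not 1 <= week <= 53:
        raise ValueError(f"week {week} out of range in {sn!r}")
    return site, year, week


def manufacture_date(sn):
    """First day of the manufacturing week.  Assumption: week 1 starts on
    1 January; the serial only resolves to a week, so that is the precision."""
    _, year, week = parse_serial(sn)
    return date(year, 1, 1) + timedelta(weeks=week - 1)


def _plus_years(d, n):
    try:
        return d.replace(year=d.year + n)
    except ValueError:                      # 29 Feb landing in a non-leap year
        return d.replace(year=d.year + n, day=28)


def _is_2099_platform(model):
    # Assumption (not from the FN): 9800 WLC PIDs start with C9800 and
    # 9100 AP PIDs with C91xx (e.g. C9120AXI-B).
    return bool(model) and re.match(r"^C(9800|91\d\d)", model.upper()) is not None


def mic_status(sn, today_iso, model=""):
    """Classify the unit's MIC using the FN-63942 manufacturing windows and,
    for a 10-year MIC, estimate its expiry against the given date."""
    today = date.fromisoformat(today_iso)
    mfg = manufacture_date(sn)
    result = {"serial": sn.strip().upper(), "manufactured": mfg.isoformat()}
    if mfg < MIC_INTRODUCED:
        result.update(mic="none", expires=None, expired=None)
    elif mfg.year <= 2016:
        # Built between 18 July 2005 and mid-2017: MIC expires 10 years after
        # manufacture (the exact issue date is on the certificate itself).
        expiry = _plus_years(mfg, 10)
        result.update(mic="10-year", expires=expiry.isoformat(), expired=today >= expiry)
    elif mfg.year == 2017:
        # The FN only says "mid-2017" for the cutover; verify on the device.
        result.update(mic="10-year or 2037 (mid-2017 cutover, verify on the device)",
                      expires=None, expired=None)
    elif mfg.year >= 2019 and _is_2099_platform(model):
        result.update(mic="2099", expires="2099", expired=False)
    else:
        result.update(mic="2037", expires="2037", expired=today.year > 2037)
    return result


def expired_units(units, today_iso):
    """Serials from a list of (serial, model) pairs whose MIC is already expired."""
    statuses = (mic_status(sn, today_iso, model) for sn, model in units)
    return [s["serial"] for s in statuses if s["expired"]]


# Inventory constructed from the serials posted in the thread, plus one made-up
# 9100 AP serial (FOC2412XXXX) to exercise the 2099 rule.
INVENTORY = [
    ("FTX1522E5H3", "AIR-CAP3502I-A-K9"),   # the 3502i that fails to join
    ("FCW1910D0V3", "WS-C3850-48P"),        # the 3850 acting as controller
    ("FOC2412XXXX", "C9120AXI-B"),          # constructed example
]

if __name__ == "__main__":
    for sn, model in INVENTORY:
        print(model, mic_status(sn, "2022-01-16", model))
    print("expired:", expired_units(INVENTORY, "2022-01-16"))
```

The date used is the show clock value posted later in the thread; the estimate is to the week, so confirm the actual validity dates on the AP's certificate before deciding anything.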

Hi, I applied the FN's recommended solution for the revocation-check none setting accordingly; these are my settings now:

crypto pki trustpoint TP-self-signed-1291928908
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1291928908
revocation-check none
rsakeypair TP-self-signed-1291928908
!
crypto pki trustpoint SLA-TrustPoint
enrollment terminal
revocation-check none
!
crypto pki trustpool policy
revocation-check none
match certificate map1 allow expired-certificate
!
!
!
crypto pki certificate map map1 1
issuer-name co cisco manufacturing ca
!
crypto pki certificate map map1 2
issuer-name co act2 sudi ca

But now the Catalyst says that it cannot accept the AP join based on certificate auth-policy. I don't remember setting any auth-policy; it's not displaying the invalid certificate any more, but now it says that it still cannot join.

00:15:56: *%CAPWAP-6-DTLS_CLOSED_ERR:Switch 1 R0/0: wcm: 5835.d9d5.b530: DTLS connection closed forAP 192:168:9:2 (12267), Controller: 192:168:9:1 (5246) Cannot accept Join Request from MIC AP 58:35:d9:d5:b5:30 based on certificate auth-policy

00:15:56: *%LWAPP-3-AP_DB_ERR1:Switch 1 R0/0: wcm: Unable to find AP 5835.d9d5.b530 entry in the database, could not process delete request

Thanks in advance, I really appreciate the assistance and comments here.

  1. Time and date of the switch are wrong.
  2. What firmware is the controller running on? 
  3. Console into the AP and boot the AP.  Post the entire boot-up process of the AP.

The time on the switch is correct:

C3850#show ntp associations
address ref clock st when poll reach delay offset disp
+~216.239.35.0 .GOOG. 1 18 64 377 64.000 -32.745 2.208
+~216.239.35.8 .GOOG. 1 16 64 377 75.000 -30.705 2.191
*~216.239.35.4 .GOOG. 1 14 64 377 74.000 -32.102 5.989
+~216.239.35.12 .GOOG. 1 65 64 7 69.000 -31.773 2.412
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

C3850#show clock
09:59:40.132 PST Sun Jan 16 2022

The controller is the switch itself, and here is the sh ver output:

C3850#show ver
Cisco IOS Software [Denali], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.3.9, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Mon 29-Jul-19 13:16 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2019 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON
BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 4.68, RELEASE SOFTWARE (P)

C3850 uptime is 1 hour, 14 minutes
Uptime for this control processor is 1 hour, 17 minutes
System returned to ROM by Power Failure at 01:03:04 PST Sun Jan 16 2022
System restarted at 08:44:11 PST Sun Jan 16 2022
System image file is "flash:packages.conf"
Last reload reason: Power Failure



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

          
Technology Package License Information: 

-----------------------------------------------------------------
Technology-package                   Technology-package
Current             Type             Next reboot  
------------------------------------------------------------------
ipbasek9            Permanent        ipbasek9

cisco WS-C3850-48P (MIPS) processor (revision S0) with 865684K/6147K bytes of memory.
Processor board ID FCW1910D0V3
4 Virtual Ethernet interfaces
52 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
250456K bytes of Crash Files at crashinfo:.
1609272K bytes of Flash at flash:.
0K bytes of  at webui:.

Base Ethernet MAC Address          : 40:a6:e8:92:27:80
Motherboard Assembly Number        : 73-14442-10
Motherboard Serial Number          : FOC19095D00
Model Revision Number              : S0
Motherboard Revision Number        : A0
Model Number                       : WS-C3850-48P
System Serial Number               : FCW1910D0V3


Switch Ports Model              SW Version        SW Image              Mode   
------ ----- -----              ----------        ----------            ----   
*    1 56    WS-C3850-48P       16.3.9            CAT3K_CAA-UNIVERSALK9 INSTALL


Configuration register is 0x102

It has enough licenses and it supports this AP model:

C3850#show ap is-supported AIR-CAP3502I-A-K9
AP Support: Yes

C3850#show wireless ap summary 
Sub-Domain Access Point Summary

Maximum AP Limit              : 100
Total AP License Installed    : 5
Total AP License Available    : 5
Total AP Joined               : 0

This is the sh ver and sh inv of the AP itself:

AP0007.7d42.fe90#show version
Cisco IOS Software, C3500 Software (AP3G1-K9W8-M), Version 15.2(2)JN2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Wed 11-Sep-13 01:30 by prod_rel_team

ROM: Bootstrap program is C3500 boot loader
BOOTLDR: C3500 Boot Loader (AP3G1-BOOT-M), Version 12.4 [mpleso-ap_jmr3_esc_0514 125]

AP0007.7d42.fe90 uptime is 23 minutes
System returned to ROM by power-on
System image file is "flash:/ap3g1-k9w8-mx.152-2.JN2/ap3g1-k9w8-xx.152-2.JN2"
Last reload reason: 



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-CAP3502I-A-K9    (PowerPC460exr) processor (revision A0) with 81910K/49152K bytes of memory.
Processor board ID FTX1522E5H3
PowerPC460exr CPU at 666Mhz, revision number 0x18A8
Last reset from power-on
LWAPP image version 10.0.120.0
1 Gigabit Ethernet interface
2 802.11 Radios

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:07:7D:42:FE:90
Part Number                          : 73-12175-05
PCA Assembly Number                  : 800-32268-05
PCA Revision Number                  : A0
PCB Serial Number                    : FOC15194T8J
Top Assembly Part Number             : 800-32891-01
Top Assembly Serial Number           : FTX1522E5H3
Top Revision Number                  : A0
Product/Model Number                 : AIR-CAP3502I-A-K9   



Configuration register is 0xF



AP0007.7d42.fe90# show inventory 
NAME: "AP3500", DESCR: "Cisco Aironet 3500 Series (IEEE 802.11n) Access Point"
PID: AIR-CAP3502I-A-K9 , VID: V01, SN: FTX1522E5H3


AP0007.7d42.fe90#show hardware 
Cisco IOS Software, C3500 Software (AP3G1-K9W8-M), Version 15.2(2)JN2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Wed 11-Sep-13 01:30 by prod_rel_team

ROM: Bootstrap program is C3500 boot loader
BOOTLDR: C3500 Boot Loader (AP3G1-BOOT-M), Version 12.4 [mpleso-ap_jmr3_esc_0514 125]

AP0007.7d42.fe90 uptime is 23 minutes
System returned to ROM by power-on
System image file is "flash:/ap3g1-k9w8-mx.152-2.JN2/ap3g1-k9w8-xx.152-2.JN2"
Last reload reason: 



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-CAP3502I-A-K9    (PowerPC460exr) processor (revision A0) with 81910K/49152K bytes of memory.
Processor board ID FTX1522E5H3
PowerPC460exr CPU at 666Mhz, revision number 0x18A8
Last reset from power-on
LWAPP image version 10.0.120.0
1 Gigabit Ethernet interface
2 802.11 Radios

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:07:7D:42:FE:90
Part Number                          : 73-12175-05
PCA Assembly Number                  : 800-32268-05
PCA Revision Number                  : A0
PCB Serial Number                    : FOC15194T8J
Top Assembly Part Number             : 800-32891-01
Top Assembly Serial Number           : FTX1522E5H3
Top Revision Number                  : A0
Product/Model Number                 : AIR-CAP3502I-A-K9   



Configuration register is 0xF

Here is the console output from the switch (controller) at the time the AP was physically connected:

00:44:08: %ILPOWER-7-DETECT: Interface Gi1/0/41: Power Device detected: IEEE PDex
00:44:09: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/41: Power grantedit
00:44:14: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/41, changed state to up
00:44:14: %LINK-3-UPDOWN: Interface Vlan9, changed state to up
00:44:15: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/41, changed state to up
00:44:15: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan9, changed state to up
00:47:12: *%CAPWAP-6-DTLS_CLOSED_ERR:Switch 1 R0/0: wcm:  5835.d9d5.b530:  DTLS connection closed forAP  192:168:9:2 (12267), Controller: 192:168:9:1 (5246) Cannot accept Join Request from MIC AP 58:35:d9:d5:b5:30 based on certificate auth-policy  
00:47:12: *%LWAPP-3-AP_DB_ERR1:Switch 1 R0/0: wcm:  Unable to find AP 5835.d9d5.b530 entry in the database, could not process delete request  
00:48:27: *%CAPWAP-6-DTLS_CLOSED_ERR:Switch 1 R0/0: wcm:  5835.d9d5.b530:  DTLS connection closed forAP  192:168:9:2 (12266), Controller: 192:168:9:1 (5246) Cannot accept Join Request from MIC AP 58:35:d9:d5:b5:30 based on certificate auth-policy  
00:48:27: *%LWAPP-3-AP_DB_ERR1:Switch 1 R0/0: wcm:  Unable to find AP 5835.d9d5.b530 entry in the database, could not process delete request  
00:49:42: *%CAPWAP-6-DTLS_CLOSED_ERR:Switch 1 R0/0: wcm:  5835.d9d5.b530:  DTLS connection closed forAP  192:168:9:2 (12267), Controller: 192:168:9:1 (5246) Cannot accept Join Request from MIC AP 58:35:d9:d5:b5:30 based on certificate auth-policy  
00:49:42: *%LWAPP-3-AP_DB_ERR1:Switch 1 R0/0: wcm:  Unable to find AP 5835.d9d5.b530 entry in the database, could not process delete request  

Here is the console output of the AP:

r WRDTR,CLKTR: 0x8200083f 0x40000000 
r RQDC ,RFDC : 0x80000034 0x00000218 

using  eeprom values

WRDTR,CLKTR: 0x8200083f 0x40000000 
RQDC ,RFDC : 0x80000034 0x00000218 

using MCNG ddr static values from serial eeprom
ddr init done

Running Normal Memtest...
Passed.
IOS Bootloader - Starting system.
FLASH CHIP:  Numonyx P33
Checking for Over Erased blocks
......................................................................................................................................................................................................................................................
Xmodem file system is available.

DDR values used from system serial eeprom.
WRDTR,CLKTR: 0x8200083f, 0x40000000
RQDC, RFDC : 0x80000034, 0x00000218

PCIE0: link is up.
PCIE0: VC0 is active
PCIE1: link is up.
PCIE1: VC0 is active
64bit PCIE devices
PCIEx: initialization done
flashfs[0]: 42 files, 9 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 31739904
flashfs[0]: Bytes used: 13940224
flashfs[0]: Bytes available: 17799680
flashfs[0]: flashfs fsck took 12 seconds.
Reading cookie from system serial eeprom...Done
Base Ethernet MAC address: 00:07:7d:42:fe:90
Ethernet speed is 1000 Mb - FULL duplex
Unable to get our ip address: no "IP_ADDR" variable set

The system has encountered an error initializing the
TFTP file system. The system is ignoring the error and
continuing to boot. If you abort the boot process,
the following commands will set IP_ADDR, DEFAULT_ROUTER
and NETMASK environment variables, initialize the tftp
system, and load the operating system software:

    set IP_ADDR
    set DEFAULT_ROUTER
    set NETMASK
    tftp_init
    boot

Loading "flash:/ap3g1-k9w8-mx.152-2.JN2/ap3g1-k9w8-mx.152-2.JN2"...################

File "flash:/ap3g1-k9w8-mx.152-2.JN2/ap3g1-k9w8-mx.152-2.JN2" uncompressed and installed, entry point: 0x4000
executing...
enet halted

IOS Secondary Bootloader - Starting system.
FLASH CHIP:  Numonyx P33
Checking for Over Erased blocks
......................................................................................................................................................................................................................................................
Xmodem file system is available.

DDR values used from system serial eeprom.
WRDTR,CLKTR: 0x8200083f, 0x40000000
RQDC, RFDC : 0x80000034, 0x00000218

PCIE0: link is up.
PCIE0: VC0 is active
PCIE1: link is up.
PCIE1: VC0 is active
64bit PCIE devices
PCIEx: initialization done
flashfs[0]: 42 files, 9 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 31739904
flashfs[0]: Bytes used: 13940224
flashfs[0]: Bytes available: 17799680
flashfs[0]: flashfs fsck took 10 seconds.
Reading cookie from system serial eeprom...Done
Base Ethernet MAC address: 00:07:7d:42:fe:90
Creating Test Kernel diagnostic commands
Radio 0 : Vendor 0x11AB, Device 0x8324
Radio 1 : Vendor 0x11AB, Device 0x8350
Radio 2 : Vendor 0x7914, Device 0x2062
Radio 3 : Vendor 0xDE73, Device 0x7279
******** AUTOMATIC DDR CALIBRATION UPGRADE LOGIC *********
=== 1. Is original FCS bootloader in BS:?  If not, skip upgrade ===
    ---> original FCS bootloader not detected -- skip upgrade
Boot CMD: 'boot  flash:/ap3g1-k9w8-mx.152-2.JN2/ap3g1-k9w8-xx.152-2.JN2;flash:/ap3g1-k9w8-mx.152-2.JN2/ap3g1-k9w8-mx.152-2.JN2'
Loading "flash:/ap3g1-k9w8-mx.152-2.JN2/ap3g1-k9w8-xx.152-2.JN2"...############################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################

File "flash:/ap3g1-k9w8-mx.152-2.JN2/ap3g1-k9w8-xx.152-2.JN2" uncompressed and installed, entry point: 0x100000
executing...

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706



Cisco IOS Software, C3500 Software (AP3G1-K9W8-M), Version 15.2(2)JN2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Wed 11-Sep-13 01:30 by prod_rel_team

Initializing flashfs...
FLASH CHIP:  Numonyx P33
Checking for Over Erased blocks
......................................................................................................................................................................................................................................................

flashfs[3]: 42 files, 9 directories
flashfs[3]: 0 orphaned files, 0 orphaned directories
flashfs[3]: Total bytes: 31739904
flashfs[3]: Bytes used: 13940224
flashfs[3]: Bytes available: 17799680
flashfs[3]: flashfs fsck took 7 seconds.
flashfs[3]: Initialization complete.
flashfs[4]: 0 files, 1 directories
flashfs[4]: 0 orphaned files, 0 orphaned directories
flashfs[4]: Total bytes: 12257280
flashfs[4]: Bytes used: 1024
flashfs[4]: Bytes available: 12256256
flashfs[4]: flashfs fsck took 0 seconds.
flashfs[4]: Initialization complete....done Initializing flashfs.

Ethernet speed is 1000 Mb - FULL duplex

Radio0  present 8364B 8000 B8020000 0 B8030000 10
Rate table has 80 entries (32 SGI/4 BF variants)

Radio1  present 8364B 8000 B0020000 0 B0030000 C
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-CAP3502I-A-K9    (PowerPC460exr) processor (revision A0) with 81910K/49152K bytes of memory.
Processor board ID FTX1522E5H3
PowerPC460exr CPU at 666Mhz, revision number 0x18A8
Last reset from power-on
LWAPP image version 10.0.120.0
1 Gigabit Ethernet interface
2 802.11 Radios

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:07:7D:42:FE:90
Part Number                          : 73-12175-05
PCA Assembly Number                  : 800-32268-05
PCA Revision Number                  : A0
PCB Serial Number                    : FOC15194T8J
Top Assembly Part Number             : 800-32891-01
Top Assembly Serial Number           : FTX1522E5H3
Top Revision Number                  : A0
Product/Model Number                 : AIR-CAP3502I-A-K9   
% Please define a domain-name first.


Press RETURN to get started!

*Mar  1 00:00:09.802: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
*Mar  1 00:00:09.802: *** CRASH_LOG = YES

*Mar  1 00:00:09.802: 64bit PCIE devicesSecurity Core found.
Base Ethernet MAC address: 00:07:7D:42:FE:90

*Mar  1 00:00:13.095: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar  1 00:00:14.294: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
*Mar  1 00:00:14.294: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar  1 00:00:17.594: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1
*Mar  1 00:00:20.283: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3500 Software (AP3G1-K9W8-M), Version 15.2(2)JN2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Wed 11-Sep-13 01:30 by prod_rel_team
*Mar  1 00:00:20.283: %SNMP-5-COLDSTART: SNMP agent on host AP0007.7d42.fe90 is undergoing a cold start
*Mar  1 00:00:20.635: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar  1 00:00:20.635: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Mar  1 00:00:20.831: %SSH-5-ENABLED: SSH 2.0 has been enabledlwapp_crypto_init: MIC Present and Parsed Successfully

*Mar  1 00:00:21.315: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Mar  1 00:00:33.517: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Mar  1 00:00:34.606: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar  1 00:00:35.606: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar  1 00:00:35.697: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar  1 00:00:36.698: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up%Default route without gateway, if not a point-to-point interface, may impact performance
*Mar  1 00:00:49.004: Logging LWAPP message to 255.255.255.255.

*Mar  1 00:00:53.917: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 192.168.9.2, mask 255.255.255.248, hostname AP0007.7d42.fe90

*Mar  1 00:00:54.918: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 port 514 started - CLI initiated
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (1.1.1.1)
*Mar  1 00:01:04.905: %CAPWAP-5-DHCP_OPTION_43: Controller address 192.168.9.1 obtained through DHCP
*Mar  1 00:01:04.905: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP. (9.9.9.9)

*Mar  1 00:01:22.911: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
*Mar  1 00:01:32.912: %CAPWAP-3-ERRORLOG: Go join a capwap controller 
*Jan 16 17:27:58.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.9.1 peer_port: 5246
*Jan 16 17:27:58.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.9.1 peer_port: 5246
*Jan 16 17:27:58.223: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.9.1
*Jan 16 17:27:58.229: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
*Jan 16 17:27:58.229: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
*Jan 16 17:27:58.229: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Jan 16 17:27:58.229: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 192.168.9.1
*Jan 16 17:28:03.225: %CAPWAP-3-ERRORLOG: DTLS connection not found Failed to encrypt and send packet.
*Jan 16 17:28:03.225: %CAPWAP-3-ERRORLOG: Failed to encrypt and send packet.
*Jan 16 17:28:03.225: %CAPWAP-3-ERRORLOG: Failed to send Join request to 192.168.9.1
*Jan 16 17:29:03.056: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
*Jan 16 17:29:03.160: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Jan 16 17:29:03.160: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Jan 16 17:29:03.402: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Jan 16 17:29:03.434: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Jan 16 17:29:04.164: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Jan 16 17:29:04.186: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Jan 16 17:29:04.192: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Jan 16 17:29:05.180: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Jan 16 17:29:05.186: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Jan 16 17:29:05.208: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Jan 16 17:29:05.214: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Jan 16 17:29:05.221: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Jan 16 17:29:06.208: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Jan 16 17:29:06.215: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Jan 16 17:29:06.237: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Jan 16 17:29:07.237: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Jan 16 17:29:13.434: %CAPWAP-3-ERRORLOG: Go join a capwap controller 
*Jan 16 17:29:12.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.9.1 peer_port: 5246
*Jan 16 17:29:12.226: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.9.1 peer_port: 5246
*Jan 16 17:29:12.226: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.9.1
*Jan 16 17:29:12.229: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
*Jan 16 17:29:12.229: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
*Jan 16 17:29:12.229: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Jan 16 17:29:12.229: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 192.168.9.1
*Jan 16 17:29:17.228: %CAPWAP-3-ERRORLOG: DTLS connection not found Failed to encrypt and send packet.
*Jan 16 17:29:17.228: %CAPWAP-3-ERRORLOG: Failed to encrypt and send packet.
*Jan 16 17:29:17.228: %CAPWAP-3-ERRORLOG: Failed to send Join request to 192.168.9.1
*Jan 16 17:30:17.056: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
*Jan 16 17:30:17.160: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Jan 16 17:30:17.160: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Jan 16 17:30:17.396: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Jan 16 17:30:17.418: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Jan 16 17:30:18.170: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Jan 16 17:30:18.186: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Jan 16 17:30:18.192: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Jan 16 17:30:19.180: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Jan 16 17:30:19.186: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Jan 16 17:30:19.208: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Jan 16 17:30:19.214: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Jan 16 17:30:19.221: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Jan 16 17:30:20.208: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Jan 16 17:30:20.215: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Jan 16 17:30:20.237: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Jan 16 17:30:21.237: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Jan 16 17:30:27.418: %CAPWAP-3-ERRORLOG: Go join a capwap controller 
*Jan 16 17:30:27.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.9.1 peer_port: 5246
*Jan 16 17:30:27.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.9.1 peer_port: 5246
*Jan 16 17:30:27.223: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.9.1
*Jan 16 17:30:27.229: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
*Jan 16 17:30:27.229: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
*Jan 16 17:30:27.229: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Jan 16 17:30:27.229: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 192.168.9.1
*Jan 16 17:30:32.225: %CAPWAP-3-ERRORLOG: DTLS connection not found Failed to encrypt and send packet.
*Jan 16 17:30:32.225: %CAPWAP-3-ERRORLOG: Failed to encrypt and send packet.
*Jan 16 17:30:32.225: %CAPWAP-3-ERRORLOG: Failed to send Join request to 192.168.9.1

From the AP, these five lines especially called my attention:


*Jan 16 17:27:58.229: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
*Jan 16 17:27:58.229: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Jan 16 17:27:58.229: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 192.168.9.1
*Jan 16 17:28:03.225: %CAPWAP-3-ERRORLOG: DTLS connection not found Failed to encrypt and send packet.
*Jan 16 17:28:03.225: %CAPWAP-3-ERRORLOG: Failed to encrypt and send packet.

So I checked if maybe I can disable the country code (it was previously set up to US) just in case the AP was for another country? (But I was unable to undo the country selection in the switch.)

C3850#ap country US
C3850(config)#no ap country US
% Invalid input detected at '^' marker.

Also, because I got a "failed to encrypt and send message", I disabled AP link encryption in the switch just in case, but that didn't work either. (Was it right to run these two commands?)

no ap link-encryption
no ap dtls secure-cipher

Also, I haven't found information on this:

Failed to process message type 10 state 5.


What does that mean? What do type 10 and state 5 mean?

Thanks in advance!!!!

I did post a reply with all the switch and AP console outputs but I can no longer see it (strange).

Anyway, putting all these logs together helped me understand that my Catalyst didn't have any policy, so after this command: ap auth-list ap-policy mic, the AP successfully joined the C3850 (my bad for disabling all policies as part of the troubleshooting earlier).

So first I allowed the crypto map to ignore expired certs, and then set IOS-XE to allow "Authorization of APs with manufacturing-installed certificates".

AP is registered and stable at this point.

But new issues started now after I ran the commands:

ap link-encryption

ap dtls secure-cipher aES256_SHA2

or

ap dtls secure-cipher aES256_SHA1

The AP started to reboot over and over because it failed to receive the data keep-alive after I enabled DTLS:

*Jan 16 19:36:52.983: %CAPWAP-3-DATA_KEEPALIVE_ERR: Failed to receive data keep-alive
*Jan 16 19:36:52.983: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.9.1:5246
*Jan 16 19:36:52.983: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.9.1:5247
*Jan 16 19:36:53.065: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Jan 16 19:36:53.065: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Jan 16 19:36:53.068: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Jan 16 19:36:53.093: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Jan 16 19:36:54.071: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Jan 16 19:36:54.093: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Jan 16 19:36:54.100: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Jan 16 19:36:55.087: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Jan 16 19:36:55.094: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Jan 16 19:36:55.116: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Jan 16 19:36:55.122: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Jan 16 19:36:55.128: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Jan 16 19:36:56.116: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Jan 16 19:36:56.122: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Jan 16 19:36:56.148: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Jan 16 19:36:57.148: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Jan 16 19:37:03.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.9.1 peer_port: 5246
*Jan 16 19:37:03.245: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.9.1 peer_port: 5246
*Jan 16 19:37:03.245: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.9.1
Upstream QOS stats update is enabled
*Jan 16 19:37:04.720: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Jan 16 19:37:04.780: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Jan 16 19:37:04.793: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller C3850
*Jan 16 19:37:04.896: %CAPWAP-6-DATA_DTLS_START: Starting Data DTLS handshake. Wireless client traffic will be blocked until DTLS tunnel is established.
*Jan 16 19:37:04.900: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Jan 16 19:37:04.969: Registering HW DTLS
DTLS keys are plumbed successfully. 

Now I have a restarting AP... I tried to find a command to enable DTLS keep-alives but I can't find it... am I looking in the wrong direction maybe?

Thanks!
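As an added example (not code from the thread or from Cisco), here is a small Python parser that walks AP console lines in the format quoted above and classifies the two patterns seen in this post: a join loop (control DTLS comes up but the Join is never accepted) and a data keep-alive loop after a successful join. The sample lines are constructed to mirror the thread's output; facility and mnemonic names are taken from the quoted logs.

```python
import re

LOG_RE = re.compile(  # Cisco IOS AP console: *Mon DD HH:MM:SS.mmm: %FACILITY-SEV-MNEMONIC: message
    r"^\*(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<msg>.*)$"
)

# Constructed samples modelled on the lines quoted in this thread (not real captures).
JOIN_LOOP = """\
*Jan 16 17:30:27.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.9.1 peer_port: 5246
*Jan 16 17:30:27.223: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.9.1
*Jan 16 17:30:27.229: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 192.168.9.1
*Jan 16 17:30:32.225: %CAPWAP-3-ERRORLOG: Failed to send Join request to 192.168.9.1
*Jan 16 17:31:27.223: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.9.1
*Jan 16 17:31:27.229: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 192.168.9.1
"""
KEEPALIVE_LOOP = """\
*Jan 16 19:36:52.983: %CAPWAP-3-DATA_KEEPALIVE_ERR: Failed to receive data keep-alive
*Jan 16 19:36:52.983: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.9.1:5247
*Jan 16 19:37:03.245: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.9.1
Upstream QOS stats update is enabled
*Jan 16 19:37:04.793: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller C3850
"""

def parse(text):
    """Yield (facility, mnemonic, message) for syslog-style lines; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("fac"), m.group("mnem"), m.group("msg")

def summarize(text):
    """Count CAPWAP events in a console capture and classify the failure pattern."""
    s = dict(join_attempts=0, joined=0, encrypted_pkt_errors=0, keepalive_errors=0)
    for _fac, mnem, msg in parse(text):
        if mnem == "SENDJOIN":
            s["join_attempts"] += 1
        elif mnem == "JOINEDCONTROLLER":
            s["joined"] += 1
        elif mnem == "DATA_KEEPALIVE_ERR":
            s["keepalive_errors"] += 1
        elif mnem == "ERRORLOG" and "process encrypted capwap packet" in msg:
            s["encrypted_pkt_errors"] += 1  # control DTLS is up, controller rejects the payload
    if s["join_attempts"] >= 2 and s["joined"] == 0:
        s["verdict"] = "join-loop"            # handshake succeeds, Join never accepted
    elif s["joined"] and s["keepalive_errors"]:
        s["verdict"] = "data-keepalive-loop"  # joined, then data DTLS tunnel keeps dropping
    else:
        s["verdict"] = "ok"
    return s
```

A "join-loop" verdict points at the controller side (AP auth policy or certificate validation) rather than the DTLS handshake itself, which is what the thread found with the ap auth-list policy.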

Like @Leo Laohoo said, read the FN in full.

There will always be a default policy even if you didn't configure one.

I don't see any mention of you configuring "allow expired-certificate" as per the field notice or the config guide:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-9/configuration_guide/sec/b_169_sec_3850_cg/configuring_authorization_and_revocation_of_certificates_in_a_pki.html

And (as per the FN) you might also need to set the time back to make the certs appear valid in order to let the AP join to get updated software and config before allowing NTP to sync once it's been able to join and update.

Haydn Andrews
VIP Alumni

config ap cert-expiry-ignore mic enable works on the AireOS WLCs; you could try that.

*****Help out others by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

No @Haydn Andrews, that's an AireOS command - the 3850 is IOS-XE.

He seems to have got past that now anyway and instead has problems with DTLS?

Why use DTLS?

All CAPWAP control data is encrypted by default and clients should be encrypting anything sensitive themselves (https etc).

As we've already said, converged access was abandoned by Cisco because of numerous problems and they moved on to the next generation (9800 series). Maybe you should too?

Regarding cost, maybe you should consider running EWC on a 9100 AP, or if even that is too expensive for you then consider running a 9800-CL on a PC?

Thanks for the advice. For now I will disable DTLS and will consider getting an AP 9000. Do I need a separate license to run EWC on the AP?

No license required to run as a standalone solution.

If you want to manage it with DNA centre then you need a license.

https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/nb-o6-embded-wrls-cont-ds-cte-en.html#Licensing

https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/q-and-a-c67-743152.html#Licensingandordering

https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/at-a-glance-c45-742857.html
