Buy or Renew
Buy or Renew
NEW: Try the Beta AI Summary feature on posts in the Routing and SD-WAN forum. Click to go to the forum.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4020
Views
10
Helpful
7
Replies

Wireless Access points wont join controller due to date/time

Jas4
Visitor

‎01-20-2022 10:21 PM

Hi All,

 

Having issues with my 2500 series controller.

 

Access points will disconnect from the controller and not re-connect until I set the controller date to be within the set period that the access point seems to have set on it.

 

Example debugging log.

 

*spamApTask5: Jan 21 15:29:35.758: sshpmGetIssuerHandles: ValidityString (current): 2016/01/21/04:59:35

*spamApTask5: Jan 21 15:29:35.758: sshpmGetIssuerHandles: ValidityString (NotBefore): 2018/06/12/13:15:18

*spamApTask5: Jan 21 15:29:35.758: sshpmGetIssuerHandles: ValidityString (NotAfter): 2037

 

 

Is there some kind of way I can get ALL my ap's to join the controller regardless of the date/time?

 

This is an issue because some of my ap's seem to stop at 2018, and some only start working at 2018 so I always seem to be having to constantly adjust this date/time to keep the majority of them connected.

 

Thanks

 

Jason

0 Helpful
7 Replies 7

Leo Laohoo
Hall of Fame
Hall of Fame

‎01-20-2022 10:40 PM

@Jas4 wrote:

Is there some kind of way I can get ALL my ap's to join the controller regardless of the date/time?

Time and date has to be correct because APs have an SSC.

0 Helpful

JPavonM
VIP Alumni
VIP Alumni

‎01-20-2022 11:34 PM

@Jas4 wrote:

This is an issue because some of my ap's seem to stop at 2018, and some only start working at 2018.

As @Leo Laohoo said APs have a certificate that should be valid so the only way to fix that is to generate new certificates for all APs.

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/110141-loc-sig-cert.html

 

 

0 Helpful

Rich R
VIP
VIP

‎01-21-2022 07:43 AM

What version of code?

What AP models?

Either way the answer is likely to be obvious once you've had a long slow read and re-read of https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html and followed all the steps in the right order.

Importantly you need code version with the fix/workaround and the config applied.

Then you may need to play with date to get them joined.

Once you've got them joined they can update fixed code version and config and once they're all done you should be able to sync to NTP again.

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Scott Fella
Hall of Fame
Hall of Fame

‎01-21-2022 07:49 AM

Helpful tip... next time, post the ap model and controller firmware.  Also, the output from the ap via the console helps with troubleshooting when an access point fails to join.  It does seem like you might have old ap's that the cert has expired (10 years for manufactured date).

-Scott
*** Please rate helpful posts ***
0 Helpful

Jas4
Visitor
In response to Scott Fella

‎01-22-2022 10:27 PM

Thanks for the replies guys.

I will have to read through those documents.

 

Software Version of controller is 8.0.133.0

 

We have a number of AP models.

 

AIR-LAP1142N-N-K9's

AIR-CAP1532E-E-K9's

And

AIR-CAP1532I-Z-K9's

 

0 Helpful

Rich R
VIP
VIP

‎01-23-2022 04:29 AM

So the field notice definitely applies. You should get on to the last 8.3 release  8.3.150.0:

https://software.cisco.com/download/home/283848165/type/280926587/release/8.3.150.0

https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html#ctr-ap_support

It's out of support but the last release that will support your 1142 APs.

And then apply the config for ignoring the expired certs, get the APs joined (by turning back the date) then they'll download the new code and config workaround and then you can set time back to normal and the rest should join and update.

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Scott Fella
Hall of Fame
Hall of Fame
In response to Rich R

‎01-24-2022 07:51 AM

Take a look at what @Rich R posted.  The issue that you will have is obtaining the software if you don't have support.  You can reach out to TAC to see if they can provide the image to you per this document.  Also search the forum for "ap certificate expiration" and see what the others have done to fix the issue.

Lightweight AP - Fail to create CAPWAP/LWAPP connection due to certificate expiration - Cisco Community

-Scott
*** Please rate helpful posts ***
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card