Wireless AP 3802 not joining WLC

alalli2002 · ‎02-16-2022

Good Day All,

I have a 3802 AP running 8.3.143 that will not join a 5508 controller with 8.5.171.

Unable to join controller "root certificate is not present" error. Partial logs below

Any tips, please?

thanks in advance

Regards

Amanda

CAPWAP State: DTLS Setup
[*02/17/2022 02:09:57.0002] dtls_new_connection: Connection 0xc21400 is already there for this server port 5246, Deleting it. Number of connections: 17
[*02/17/2022 02:09:57.0002]
[*02/17/2022 02:09:57.0004] dtls_connectionDB_add_connection: Number of DTLS connections exceeded two
[*02/17/2022 02:09:57.2457] dtls_load_ca_certs: LSC Root Certificate not present
[*02/17/2022 02:09:57.2457]
[*02/17/2022 02:09:57.2484] dtls_verify_con_cert: Controller certificate verification error
[*02/17/2022 02:09:57.2484] dtls_process_packet: controller cert verification failed
[*02/17/2022 02:09:57.2487] DTLS: Received packet 0xc67000 caused DTLS to close connection
[*02/17/2022 02:09:57.2487] sendPacketToDtls: DTLS: Closing connection 0xc21400.
[*02/17/2022 02:09:57.2487]
[*02/17/2022 02:09:57.2488] Lost connection to the controller, going to restart CAPWAP...
[*02/17/2022 02:09:57.2488]
[*02/17/2022 02:09:57.2489] Restarting CAPWAP State Machine.
[*02/17/2022 02:09:57.2534] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state: DTLS Setup(3).
[*02/17/2022 02:09:57.2542] Failed to disconnect DTLS-CTRL session.
[*02/17/2022 02:09:57.2542]
[*02/17/2022 02:09:57.2542] CAPWAP State: DTLS Teardown
[*02/17/2022 02:09:57.2595] DTLS: Error while processing DTLS packet 0xc7f000.
[*02/17/2022 02:10:01.9417]
[*02/17/2022 02:10:01.9417] CAPWAP State: Discovery
[*02/17/2022 02:10:01.9420] Got WLC address x.x.x.x from DHCP.
[*02/17/2022 02:10:01.9434] Discovery Request sent to x.x.x.x, discovery type DHCP(2)
[*02/17/2022 02:10:01.9444] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*02/17/2022 02:10:01.9445] Discovery Response from x.x.x.x
[*02/17/2022 02:10:21.0002] Discovery Response from x.x.x.x

[*02/17/2022 02:10:21.0000] CAPWAP State: DTLS Setup
[*02/17/2022 02:10:21.0005] dtls_connectionDB_add_connection: Number of DTLS connections exceeded two
[*02/17/2022 02:10:21.2469] dtls_load_ca_certs: LSC Root Certificate not present
[*02/17/2022 02:10:21.2469]
[*02/17/2022 02:10:21.2496] dtls_verify_con_cert: Controller certificate verification error
[*02/17/2022 02:10:21.2496] dtls_process_packet: controller cert verification failed
[*02/17/2022 02:10:21.2500] DTLS: Received packet 0xc7d000 caused DTLS to close connection
[*02/17/2022 02:10:21.2500] sendPacketToDtls: DTLS: Closing connection 0xc21000.
[*02/17/2022 02:10:21.2500]
[*02/17/2022 02:10:21.2500] Lost connection to the controller, going to restart CAPWAP...
[*02/17/2022 02:10:21.2500]
[*02/17/2022 02:10:21.2501] Restarting CAPWAP State Machine.
[*02/17/2022 02:10:21.2547] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state: DTLS Setup(3).
[*02/17/2022 02:10:21.2553] Failed to disconnect DTLS-CTRL session.
[*02/17/2022 02:10:21.2553]

Scott Fella · ‎02-16-2022

Few more questions:

Is this a new install or do you have existing ap's that are joined?
What model ap's are currently joined
You have enough license
Your country code matches that of the AP
NTP is configured
Post the complete output so we can review

-Scott
*** Please rate helpful posts ***

alalli2002 · ‎02-16-2022

Thanks for the reply Scott.

Is this a new install or do you have existing ap's that are joined?
1. This is an existing install. We are building the 9800 CL controllers now.
2. I am reticent to make changes on the single 5508 controller, but once I have one of the 9800s up... I can make the suggested change on one of those.
What model ap's are currently joined. AP 3802
You have enough license- yes we have enough licenses.
Your country code matches that of the AP- country code matches.
NTP is configured- NTP is configured.
Post the complete output so we can review. I will post output to the 9800 when it becomes available.

thanks so much

Regards

Amanda

Leo Laohoo · ‎02-16-2022

@alalli2002 wrote:

[*02/17/2022 02:10:21.2469] dtls_load_ca_certs: LSC Root Certificate not present
[*02/17/2022 02:10:21.2496] dtls_verify_con_cert: Controller certificate verification error
[*02/17/2022 02:10:21.2496] dtls_process_packet: controller cert verification failed

FN - 63942 - Wireless Lightweight Access Points and WLAN Controllers Fail to Create CAPWAP Connections Due to Certificate Expiration

alalli2002 · ‎02-16-2022

Thank you Leo,

I appreciate the help. Would you happen to know if there is a way that I can load the software directly onto the access-point itself?

regards

Amanda

Leo Laohoo · ‎02-16-2022

@alalli2002 wrote:

Would you happen to know if there is a way that I can load the software directly onto the access-point itself?

What for?
The AP boots the new firmware, joins the controller. The controller sees the AP with a different firmware and forces to AP to downgrade/download the firmware.

AP reboots and it is back to square one.

The main issue is an expired certificate in the controller (and not in the AP). Read the FN. It says there in plain language -- Software upgrade required.