10-06-2022 07:53 AM
Dear Professionals,
I'm having an issue managing the WLC, and it started suddenly. I need your opinions.
WLC Sysinfo>>
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.3.143.0
Bootloader Version............................... 1.0.16
Field Recovery Image Version..................... 1.0.0
Firmware Version................................. PIC 16.0
OUI File Update Time............................. Sun Sep 07 10:44:07 IST 2014
Build Type....................................... DATA + WPS
System Name...................................... ////_2504_WLC_01
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1279
IP Address....................................... 172.28.23.12
IPv6 Address..................................... ::
Last Reset....................................... Power on reset
System Up Time................................... 1437 days 23 hrs 37 mins 16 secs
System Timezone Location......................... (GMT -5:00) Eastern Time (US and Canada)
--More-- or (q)uit
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180
Configured Country............................... US - United States
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +30 C
External Temperature............................. +35 C
Fan Status....................................... 5100 rpm
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 4
Number of Active Clients......................... 201
OUI Classification Failure Count................. 0
Burned-in MAC Address............................ F4:7F:35:B6:54:80
Maximum number of APs supported.................. 75
System Nas-Id....................................
WLC MIC Certificate Types........................ SHA1
Two weeks ago, a few of the 2800 series APs suddenly lost their controller connections and keep failing to rejoin.
Those failed APs were ones I bought fairly recently, and they are the same AP model (2802E).
It gives me a 'DTLS failed' error: the handshake failed because of certificates.
The certificate has a correct validity period with the WLC, so I am not sure which part was the issue.
- I had to change the controller's date/time to 3 months in the past,
then the AP started joining. Once it has the correct mobility images for current and backup, I need to correct the date/time again.
Yesterday, I needed to replace an old AP with a new one, same model (2802E), and the issue happened again.
Joining kept failing, and I had to change the date/time again in order to join.
Why is this happening? We have many 2802E APs but it has only happened with the newly purchased ones.
Is this a certificate type issue or just a bug?
I appreciate your comments.
10-06-2022 03:24 PM - edited 10-06-2022 03:25 PM
@eeebbunee wrote:
I have no subscription for the maintenance contract.. I have only hardware support contract.... but thank you though..!
Read and understand the below steps to download the software legally:
1. The last-and-final firmware release for the 5508/WiSM-2/2504 is 8.5.182.0. It is vital to note down the filename and the location of the download link.
2. Read this: Cisco Wireless LAN Controller AireOS Software FIPS Mode Denial of Service Vulnerability
3. Scroll down to the "Customers Without Service Contracts" section and read that carefully. Take note:
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC.
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
4. Contact Cisco TAC using email only -- Never contact Cisco TAC on the phone.
5. Provide TAC the firmware filename and the location of the download link (Step 1).
10-06-2022 09:30 AM
Hello,
Based on your description and workaround, it seems you are having a known problem with expired certificates. You can find more information at this link: https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html
Basically you need to configure your WLC to ignore those certificates > config ap cert-expiry-ignore {mic|ssc} enable
(Cisco Controller) >show certificate summary
Web Administration Certificate................... 3rd Party
Web Authentication Certificate................... 3rd Party
Certificate compatibility mode:.................. off
Lifetime Check Ignore for MIC ................... Enable
Lifetime Check Ignore for SSC ................... Enable
10-06-2022 09:38 AM
Hello, Thank you for your comment.
When I checked the config of WLC, those are already enabled.
(Cisco Controller) >show certificate sum
Web Administration Certificate................... 3rd Party
Web Authentication Certificate................... Locally Generated
Certificate compatibility mode:.................. off
Lifetime Check Ignore for MIC ................... Enable
Lifetime Check Ignore for SSC ................... Enable
Thank you.
10-06-2022 10:04 AM
Well, not sure then what the problem could be... Can you post the WLC error logs and also logs from the AP? 8.3.143.0 is an older version; did you consider upgrading to 8.5.171.0 / 8.5.182.0?
10-06-2022 02:31 PM
I have no subscription for the maintenance contract.. I have only hardware support contract.... but thank you though..!
10-06-2022 02:21 PM
Agree you have hit that field notice:
You need to upgrade to 8.5.160.0 or above to permanently fix this issue (this will also fix the SHA-2 expiry on some IOS based APs).
The 2504 is EOL so it is also recommended to plan to upgrade the WLC
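The two remedies named in this thread (the cert-expiry-ignore flags from the earlier answer and the 8.5.160.0 minimum from this one) can be checked mechanically against pasted CLI output. The script below is an added example written for this page; it is not from the thread or from Cisco. It parses the AireOS dotted-leader format of show sysinfo and show certificate summary output, compares the Product Version against the 8.5.160.0 threshold, and reports which of the MIC/SSC lifetime-check ignore flags is off. The function names and the FIXED_VERSION constant are my own assumptions; the sample output is copied from the thread, plus one constructed variant in which the MIC check is still enforced.

```python
import re
from typing import Dict, List, Tuple

# Assumed threshold taken from this thread: 8.5.160.0 or above carries the
# permanent fix for the expired-MIC-certificate AP join failure.
FIXED_VERSION: Tuple[int, ...] = (8, 5, 160, 0)

# AireOS prints "Key.......... Value". The key group is lazy so the dot
# leader (two or more dots) is never absorbed into the key.
LEADER_RE = re.compile(r"^(?P<key>.*?)\s*\.{2,}\s*(?P<val>.*)$")

# Sample output copied from the thread (trimmed). The "--More--" pager line
# is kept on purpose so the parser is seen to skip it.
SYSINFO_SAMPLE = """\
Product Name..................................... Cisco Controller
Product Version.................................. 8.3.143.0
System Location..................................
IPv6 Address..................................... ::
System Up Time................................... 1437 days 23 hrs 37 mins 16 secs
--More-- or (q)uit
Number of Active Clients......................... 201
WLC MIC Certificate Types........................ SHA1
"""

CERTSUM_SAMPLE = """\
(Cisco Controller) >show certificate summary
Web Administration Certificate................... 3rd Party
Web Authentication Certificate................... Locally Generated
Certificate compatibility mode:.................. off
Lifetime Check Ignore for MIC ................... Enable
Lifetime Check Ignore for SSC ................... Enable
"""

# Constructed variant (not from the thread): MIC lifetime check still enforced.
CERTSUM_MIC_ENFORCED = CERTSUM_SAMPLE.replace(
    "Ignore for MIC ................... Enable",
    "Ignore for MIC ................... Disable",
)


def parse_aireos(text: str) -> Dict[str, str]:
    """Turn dotted-leader CLI output into a {key: value} dict.

    Lines without a dot leader (prompts, '--More--' pager lines, blanks)
    are skipped. A trailing ':' on a key is stripped so lookups are uniform.
    """
    out: Dict[str, str] = {}
    for line in text.splitlines():
        m = LEADER_RE.match(line.strip())
        if not m:
            continue
        key = m.group("key").rstrip(":").strip()
        out[key] = m.group("val").strip()
    return out


def parse_version(ver: str) -> Tuple[int, ...]:
    """'8.3.143.0' -> (8, 3, 143, 0); tuples compare numerically, not lexically."""
    return tuple(int(p) for p in ver.strip().split("."))


def fmt_version(ver: Tuple[int, ...]) -> str:
    return ".".join(str(p) for p in ver)


def assess(sysinfo_text: str, certsum_text: str) -> Dict[str, object]:
    """Apply the thread's two checks and return structured findings."""
    sysinfo = parse_aireos(sysinfo_text)
    certs = parse_aireos(certsum_text)

    version = parse_version(sysinfo.get("Product Version", "0"))
    mic_ignored = certs.get("Lifetime Check Ignore for MIC", "").lower() == "enable"
    ssc_ignored = certs.get("Lifetime Check Ignore for SSC", "").lower() == "enable"

    findings: List[str] = []
    if version < FIXED_VERSION:
        findings.append(
            f"Product Version {fmt_version(version)} is below "
            f"{fmt_version(FIXED_VERSION)}; upgrade to 8.5.160.0 or later "
            "(8.5.182.0 is the last release for the 2504)."
        )
    if not mic_ignored:
        findings.append("MIC lifetime check enforced; run: config ap cert-expiry-ignore mic enable")
    if not ssc_ignored:
        findings.append("SSC lifetime check enforced; run: config ap cert-expiry-ignore ssc enable")

    return {
        "version": version,
        "version_below_fix": version < FIXED_VERSION,
        "mic_ignored": mic_ignored,
        "ssc_ignored": ssc_ignored,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, certsum in (("thread", CERTSUM_SAMPLE), ("constructed", CERTSUM_MIC_ENFORCED)):
        result = assess(SYSINFO_SAMPLE, certsum)
        print(f"[{label}] version={fmt_version(result['version'])}")
        for f in result["findings"]:
            print("  -", f)
```

With the thread's own output the only finding is the version: both ignore flags are already enabled, which matches what the original poster reported, and leaves the upgrade as the remaining remedy the thread identifies. The constructed variant shows the flag check firing.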