
Wireless Controller 2504 - Joining 2800 Series AP ISSUE

eeebbunee
Level 1

Dear Professionals,

I'm having an issue managing the WLC and it happened suddenly; I need your opinions.

WLC Sysinfo>>

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.3.143.0
Bootloader Version............................... 1.0.16
Field Recovery Image Version..................... 1.0.0
Firmware Version................................. PIC 16.0


OUI File Update Time............................. Sun Sep 07 10:44:07 IST 2014

Build Type....................................... DATA + WPS

System Name...................................... ////_2504_WLC_01
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1279
IP Address....................................... 172.28.23.12
IPv6 Address..................................... ::
Last Reset....................................... Power on reset
System Up Time................................... 1437 days 23 hrs 37 mins 16 secs
System Timezone Location......................... (GMT -5:00) Eastern Time (US and Canada)

--More-- or (q)uit
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180

Configured Country............................... US - United States
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +30 C
External Temperature............................. +35 C
Fan Status....................................... 5100 rpm

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 4
Number of Active Clients......................... 201

OUI Classification Failure Count................. 0

Burned-in MAC Address............................ F4:7F:35:B6:54:80
Maximum number of APs supported.................. 75
System Nas-Id....................................
WLC MIC Certificate Types........................ SHA1

 

Two weeks ago, a few of the 2800 series APs suddenly lost their controller connections and keep failing to rejoin.

Those failed APs are ones I bought fairly recently, and they are the same AP model (2802E).

It gives me a 'DTLS failed' error; the handshake failed because of certificates.

 

The certificate has the correct validity period with the WLC, so I am not sure which part was the issue.

 - I had to change the controller's date/time to be 3 months in the past,

then the AP started joining. Once it has the correct mobility images for current and backup, I need to correct the date/time again.

 

Yesterday, I needed to replace an old AP with a new one, same model (2802E), and the issue happened again.

Joining kept failing, and I had to change the date/time again in order for it to join.

 

What happened here? We have many 2802E APs, but it only happened to the newly purchased ones.

Is this a certificate type issue or just a bug?

 

I appreciate your comments.

 

1 Accepted Solution



@eeebbunee wrote:
I have no subscription for the maintenance contract.. I have only hardware support contract.... but thank you though..!

Read and understand the below steps to download the software legally:  

1.  The last-and-final firmware release for the 5508/WiSM-2/2504 is 8.5.182.0.  It is vital to note down the filename and the location of the download link.
2.  Read this:  Cisco Wireless LAN Controller AireOS Software FIPS Mode Denial of Service Vulnerability
3.  Scroll down to the "Customers Without Service Contracts" section and read that carefully.  Take note:  

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC.

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.


4.  Contact Cisco TAC using email only -- Never contact Cisco TAC on the phone.
5.  Provide TAC the firmware filename and the location of the download link (Step 1).


6 Replies

Jeza-925
Level 1

Hello,

Based on your description and workaround, it seems you are having a known problem with expired certificates. You can find more information at this link: https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html

Basically you need to configure your WLC to ignore those certificates > config ap cert-expiry-ignore {mic|ssc} enable

(Cisco Controller) >show certificate summary
Web Administration Certificate................... 3rd Party
Web Authentication Certificate................... 3rd Party
Certificate compatibility mode:.................. off
Lifetime Check Ignore for MIC ................... Enable
Lifetime Check Ignore for SSC ................... Enable

Hello, Thank you for your comment.

When I checked the config of WLC, those are already enabled.

(Cisco Controller) >show certificate sum
Web Administration Certificate................... 3rd Party
Web Authentication Certificate................... Locally Generated
Certificate compatibility mode:.................. off
Lifetime Check Ignore for MIC ................... Enable
Lifetime Check Ignore for SSC ................... Enable

 

Thank you.

Jeza-925
Level 1

Well not sure then what could be the problem... Can you post WLC error logs and also logs from AP? 8.3.143.0 is older version, did you consider upgrading to 8.5.171.0 / 8.5.182.0 ?

I have no subscription for the maintenance contract.. I have only hardware support contract.... but thank you though..!



Haydn Andrews
VIP Alumni

Agree you have hit that field notice:

  • AP-COS APs can be fixed via Cisco bug ID CSCvb93909 in AireOS 8.5 and later.

You need to upgrade to 8.5.160.0 or above to permanently fix this issue (this will also fix the SHA-2 Expiry on some IOS based APs)

The 2504 is EOL so it is also recommended to plan to upgrade the WLC

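Added example (not written by any poster in this thread and not Cisco code): a Python sketch that parses the dotted show sysinfo / show certificate summary output quoted above and applies the checks the replies raise, in order: lifetime-check-ignore state first, then whether the release is older than 8.5.160.0. The function names and the SAMPLE text are constructed for illustration; a missing "Lifetime Check Ignore" line is treated as not enabled.

```python
import re

# Constructed sample: lines taken from the controller output quoted in the thread.
SAMPLE = """\
Product Version.................................. 8.3.143.0
Certificate compatibility mode:.................. off
Lifetime Check Ignore for MIC ................... Enable
Lifetime Check Ignore for SSC ................... Enable
--More-- or (q)uit
"""

# First release the thread names as carrying the permanent fix.
FIXED_RELEASE = (8, 5, 160, 0)

def parse_dotted(output):
    """Turn 'Key ....... value' lines of AireOS show output into a dict."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"^(.+?)\s*:?\s*\.{3,}\s*(.*)$", line.strip())
        if m:  # pager prompts and blank lines do not match and are skipped
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def version_tuple(text):
    """'8.3.143.0' -> (8, 3, 143, 0) so releases compare numerically."""
    return tuple(int(part) for part in text.split("."))

def triage(output, fixed=FIXED_RELEASE):
    """Apply the checks suggested in the replies, in the order they were raised."""
    f = parse_dotted(output)
    ignore_off = [k for k in ("MIC", "SSC")
                  if f.get(f"Lifetime Check Ignore for {k}", "").lower() != "enable"]
    version = f.get("Product Version", "")
    older = bool(version) and version_tuple(version) < fixed
    if ignore_off:
        step = "enable cert-expiry-ignore for " + "/".join(ignore_off).lower()
    elif older:
        step = "upgrade to " + ".".join(map(str, fixed)) + " or later"
    else:
        step = "collect WLC and AP join logs"
    return {"version": version, "older_than_fix": older,
            "ignore_disabled": ignore_off, "next_step": step}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the output posted in this thread the result points at the upgrade, since both ignore flags are already enabled and 8.3.143.0 is older than 8.5.160.0.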