Re: WLC 2106-k9 with AIR-CAP1702I-E-K9 - Page 2

hcardoso · ‎10-23-2024

Hey Guys,

Have a wlc 2106-k9 controller and 6 APs air-cap1702i-e-k9, they can work together?

The AP's appear in the Statistics but with status "not joined".

The wlc software is 7.0.98.0

The aircap1702i software is LWAPP image version 8.2.100.0

im connected via console to the AP and it shows me:

*Mar 1 00:15:17.795: %LWAPP-4-CLIENTEVENTLOG: Invoking capwap discovery
Not in Bound state.
Not in Bound state.
*Mar 1 00:17:13.795: %LWAPP-4-CLIENTEVENTLOG: Invoking capwap discovery
AP00a2.eeba.e1a0>
Not in Bound state.
Not in Bound state.

Can you help?

Thank you

Rich R · ‎10-24-2024

AP has no built in real time clock so it can only get time from WLC or NTP after booting, that's normal.
Even though AP cert may not have expired, the WLC cert will definitely have expired.
You need the workaround and fix applied as per Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration but that means you need at least version 7-0-252-0 software which you will not be able to download anymore.

So your ONLY option is to keep the date on the WLC prior to expiration of the WLC cert. But that will likely be before 2016 which will be before the AP cert start date which will make the AP cert invalid so you are probably battling an unsolvable situation with this prehistoric antique WLC.
That said I don't think your WLC even has CAPWAP enabled correctly because I don't think it is responding to the AP at all?
LWAPP was the previous Cisco AP standard so it might still be doing LWAPP?
Also there is a large difference between 8.2.100.0 and 7.0.98.0 so they may not understand each other at all.
You probably need to find the oldest possible image for the AP to have some tiny chance of compatibility with the WLC.

But honestly you're better off finding a more modern WLC than trying to get that one working.

ps. I'd recommend:
- A wave 2 AP running Mobility Express 8.10.196.0
https://www.cisco.com/c/en/us/td/docs/wireless/access_point/mob_exp/810/release_notes/b_ME_RN_810.html#me-supp-ap

- or if you want a full featured WLC then C9800-CL (virtual) up to version 17.12 (1702 AP is not supported after 17.12 because it's end of support)
https://software.cisco.com/download/home/286322605/type/282046477/release/Dublin-17.12.4

You'll need to load the correct version of software directly onto the AP as per the compatibility matrix (link below)
For 8.10.196.0: https://software.cisco.com/download/home/286281141/type/280775090/release/15.3.3-JK11
For 17.12.4: https://software.cisco.com/download/home/286281141/type/280775090/release/15.3.3-JPQ3

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

hcardoso · ‎10-24-2024

Is this the right certificate of WLC?

Cisco Controller) show>local-auth certificates

Certificates available for Local EAP authentication:

Certificate issuer .............................. vendor
CA certificate:
Not installed.
Device certificate:
Not installed.

Certificate issuer .............................. cisco
CA certificate:
Subject: O=Cisco Systems, CN=Cisco Manufacturing CA
Issuer: O=Cisco Systems, CN=Cisco Root CA 2048
Valid: 2005 Jun 10th, 22:16:01 GMT to 2029 May 14th, 20:25:42 GMT
Device certificate:
Subject: C=US, ST=California, L=San Jose, O=Cisco Systems
CN=AIR-WLC2106-K9-0023044904a0, MAILTO=support@cisco.com
Issuer: O=Cisco Systems, CN=Cisco Manufacturing CA
Valid: 2008 Oct 3rd, 00:31:56 GMT to 2018 Oct 3rd, 00:41:56 GMT

(Cisco Controller) show>

Rich R · ‎10-24-2024

Possibly but if you had read the Field Notice you would have seen:

If you run AireOS Version 8.0 or later, then in order to determine when the WLC certificate expires, enter this command and look for the Cisco SHA1 device cert entry:

WLC_CLI: show certificate all

Note: This command is not available in AireOS releases earlier than Version 8.0. There is no similarly straightforward command that can be used in order to derive this date in earlier AireOS releases. As an alternate method, use the WLC SNs in order to determine the earliest possible MIC expiration date.

Derive Manufactured Date from the Product SN

The SN format is LLLYYWWSSSS. The YY is the year of manufacture, and the WW is the week of manufacture. The date code can be found in the four middle digits of the SN.

The Manufacturing Year Codes are:

01 = 1997
02 = 1998
03 = 1999
04 = 2000
05 = 2001
06 = 2002
07 = 2003
08 = 2004
09 = 2005
10 = 2006
11 = 2007
12 = 2008
13 = 2009
14 = 2010
15 = 2011
16 = 2012
17 = 2013
18 = 2014

The Manufacturing Week Codes are:

01-05 = January
06-09 = February
10-14 = March
15-18 = April
19-22 = May
23-27 = June
28-31 = July
32-35 = August
36-40 = September
41-44 = October
45-48 = November
49-52 = December

For example, the SN FCZ1128Q0PE has a Manufacturing Year Code of 11, which means that it was manufactured in the year 2007. The week code is 28, which means that it was manufactured in July of that year.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

hcardoso · ‎10-25-2024

So,

My WLC is from September 2008 and certificate expired in 2018 but if i use the date maybe 2017 on both WLC and AP they should join, right?

Cause the other guy said my AP Manufactured in 2016...

But still not joining the WLC, firmware discrepancy?

Rich R · ‎10-25-2024

Even the last release of 7.0 (7.0.252.0) does not support the 1700 APs:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn70mr7.html#pgfId-784122

As per https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html support for 1700 series only started in 7.6.100.0 software.

2100 series WLC was not supported in 7.6.x.x software
https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn76.html#pgfId-1142576
because it was already end of life
https://www.cisco.com/c/en/us/obsolete/wireless/cisco-2100-series-wireless-lan-controllers.html

So there is no version of software which is compatible with both 2106 WLC and 1702 AP - it will be impossible to make those APs work with that WLC.

Back to what I said earlier - get a newer WLC.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390