Solved: Re: WLC 5508 - AP-1242 not joining

MarcP829 · ‎11-23-2020

Hey everyone,

recently changed the company I work for and had no hand over at all, from the former network engineer.

And now I have a problem, in this very old envirement, on joining Cisco Air-LAP1242AG (FW: 12.4(25e)JAP12) to a Cisco WLC 5508 running on 8.0.152.0

I don´t have a guess at all now...

Already set up a dhcp scope for the accepoint... It receives an IP but within the logfile I can´t see the LWAPP/CAPWAP request, from this AP...

The AP is in a remote location and I wasn´t able to get someone to connect a console cable to the "new" AP.

If anyone has a idea, I would be verry happy.

Leo Laohoo · ‎11-23-2020

FN - 63942 - Wireless Lightweight Access Points and WLAN Controllers Fail to Create CAPWAP/LWAPP Connections Due to Certificate Expiration

View solution in original post

Leo Laohoo · ‎11-23-2020

FN - 63942 - Wireless Lightweight Access Points and WLAN Controllers Fail to Create CAPWAP/LWAPP Connections Due to Certificate Expiration

MarcP829 · ‎11-23-2020

Thanks Leo, checked the WLCs Cert and is still valid. Any hint how to check the APs cert? I am now able to get a connection to it with putty...

Also, after raading the above article, I decided to let them reconnect another AP, which was initially reported as broken. This AP is at least shown in the WLCs logging, with following Message:

*spamApTask0: Nov 23 15:48:26.819: %LWAPP-3-RX_ERR3: spam_l2.c:441 The system has received LWAPP packet with invalid sequence number (got 4expected 5) - from AP 68:ef:bd:9c:07:16
*spamApTask0: Nov 23 15:48:24.483: %LWAPP-3-PAYLOAD_MISSING: spam_lrad.c:6774 Join request does not contain BOARD_DATA payload

Update after 5 min:

*spamApTask7: Nov 23 15:55:29.062: %DTLS-5-ESTABLISHED_TO_PEER: openssl_dtls.c:777 DTLS connection established to 192.168.186.102

*spamApTask7: Nov 23 15:57:29.091: %DTLS-5-PEER_DISCONNECT: openssl_dtls.c:901 DTLS peer 192.168.186.102 has closed connection.

marce1000 · ‎11-23-2020

- That is a pointer to compatibility-conflicts :

https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

MarcP829 · ‎11-23-2020

ok, on the second controller there was this log entry:

*spamApTask7: Nov 23 16:06:44.708: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:852 Failed to complete DTLS handshake with peer 192.168.186.102
*spamApTask7: Nov 23 16:06:44.708: %DTLS-4-BAD_CERT: openssl_dtls.c:1326 Certificate verification failed. Peer IP: 192.168.186.102
*spamApTask7: Nov 23 16:06:44.708: %SSHPM-4-AP_CERT_EXPIRED: sshpmPkiApi.c:2528 AP certificate time 2010/03/22/14:53:54 - 2020/03/22/15:03:54 is not valid.

marce1000 · ‎11-23-2020

- That definitely includes Leo's remark :

FN - 63942 - Wireless Lightweight Access Points and WLAN Controllers Fail to Create CAPWAP/LWAPP Connections Due to Certificate Expiration

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Scott Fella · ‎11-23-2020

Yeah… email notifications are way off, not getting all the threads. I reply from email, not the webpage. Hopefully that gets fixed one of these day’s.

-Scott
*** Please rate helpful posts ***

MHM Cisco World · ‎11-23-2020

friend just make sure the time/date in WLC is same as AP.

that is your issue here.

Scott Fella · ‎11-23-2020

That is a very old access point. Two things to look at and keep handy is to search for “Cisco WLC matrix” and “Cisco access point certificate expiring”. That should help you get started.

-Scott
*** Please rate helpful posts ***