WLC 5508 Problem - Need Help ASAP

I am a Computer Technician at a hospital in Kansas. We are currently running on a Cisco 5508 WLC and have 57 Cisco Aironet 1240AG APs. Somehow today our wireless controller crashed. After about 10 minutes it came back online, but only 36 of the 57 APs were showing online. I went through the logs and found:

*spamApTask6: Jan 21 11:00:36.290: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:698 Failed to complete DTLS handshake with peer

on all of the missing APs.

 

Most of our clinics run off a clinical WLAN that is set up in the WLC. Can anyone help?
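As an added example (not part of the original post or any reply), the following Python parses WLC message-log lines in the format shown above and flags a burst of DTLS-3-HANDSHAKE_FAILURE events inside a short window, which is the pattern you would expect when many APs fail to rejoin at once after a controller restart, as opposed to one AP failing now and then. The sample log lines, task names, year, window and threshold are all constructed assumptions; the one non-DTLS line uses a made-up placeholder mnemonic, not a real WLC message.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# WLC msglog line shape: "*<task>: <Mon> <day> <HH:MM:SS>.<ms>: #<FACILITY>-<sev>-<MNEMONIC>: <text>"
LINE_RE = re.compile(
    r"^\*(?P<task>[^:]+): "
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\.(?P<ms>\d{3}): "
    r"#(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

# Constructed sample log (assumption); the first line copies the message from the post.
SAMPLE_LOG = [
    "*spamApTask6: Jan 21 11:00:36.290: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:698 Failed to complete DTLS handshake with peer",
    "*spamApTask4: Jan 21 11:00:36.512: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:698 Failed to complete DTLS handshake with peer",
    "*spamApTask2: Jan 21 11:00:37.101: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:698 Failed to complete DTLS handshake with peer",
    "*spamApTask6: Jan 21 11:00:38.944: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:698 Failed to complete DTLS handshake with peer",
    # Placeholder non-DTLS line (made-up facility/mnemonic, not a real WLC message).
    "*spamApTask1: Jan 21 11:00:40.000: #EXAMPLE-6-UNRELATED_EVENT: constructed placeholder line",
    "*spamApTask1: Jan 21 11:00:41.337: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:698 Failed to complete DTLS handshake with peer",
    "this line is not a WLC log line and should be skipped",
    "*spamApTask3: Jan 21 11:00:52.008: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:698 Failed to complete DTLS handshake with peer",
    # A lone failure over an hour later: not part of the burst.
    "*spamApTask5: Jan 21 12:17:03.420: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:698 Failed to complete DTLS handshake with peer",
]


def parse_line(line: str, year: int) -> Optional[Dict]:
    """Parse one msglog line; the WLC omits the year, so the caller supplies it."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    ts = ts.replace(microsecond=int(m["ms"]) * 1000)
    return {
        "task": m["task"],
        "time": ts,
        "facility": m["facility"],
        "severity": int(m["sev"]),      # Cisco syslog severity: 3 = error
        "mnemonic": m["mnemonic"],
        "text": m["text"],
    }


def dtls_failure_bursts(lines: List[str], year: int,
                        window: timedelta = timedelta(seconds=60),
                        threshold: int = 5) -> List[Tuple[datetime, int]]:
    """Group DTLS handshake failures that fall within `window` of the first
    event of each group and report groups of at least `threshold` events
    as (start time, count)."""
    events = sorted(
        e["time"]
        for e in (parse_line(l, year) for l in lines)
        if e and e["facility"] == "DTLS" and e["mnemonic"] == "HANDSHAKE_FAILURE"
    )
    bursts: List[Tuple[datetime, int]] = []
    i = 0
    while i < len(events):
        j = i
        while j + 1 < len(events) and events[j + 1] - events[i] <= window:
            j += 1
        count = j - i + 1
        if count >= threshold:
            bursts.append((events[i], count))
        i = j + 1
    return bursts


if __name__ == "__main__":
    for start, count in dtls_failure_bursts(SAMPLE_LOG, 2019):
        print(f"{count} DTLS handshake failures starting {start.isoformat()}")
```

On the sample, the six failures between 11:00:36 and 11:00:52 are reported as one burst and the later single failure is not; run it over the real msglog (`show msglog` output saved to a file) and treat a burst that coincides with a controller restart as a join problem to work AP by AP, as the replies in this thread go on to do.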

10 Replies

superego
Level 1

Most probably it's the AP cert that expired on the 1240 models.

On the CLI:

For WLC code 7.4.140.0 and later:

config ap cert-expiry-ignore ssc enable
config ap cert-expiry-ignore mic enable

For 7.0.252.0:

config ap lifetime-check ssc enable
config ap lifetime-check mic enable


***Please mark as an acceptable solution/rate helpful posts

I was following a few other posts about the error that we are getting and they offered the same advice with the commands. I SSH'd into the WLC and it doesn't recognize either of those commands. So, I do not know where to go from there.

You have to console into the access point and deploy that command with the IP address of the WLC.  If you haven't configured a global un/pw for those APs the default is Cisco/Cisco.

Ah, wasn't reading right, apologies. I'll try and give this a go. All of these APs are unnamed and in lock boxes in the panels for some reason. Hopefully I can get this fixed soon!

bojarskic
Level 1

Do you have Option 43 configured for your controller on those subnets where the APs are located?  Sounds like they cannot find the controller.  Maybe try to login to one of the access points and use the command "lwapp ap controller ip address" to point it to the controller. 

I have no clue as to where to find Option 43. Do you have a general idea of where to look? As for the APs, I have been at this hospital for going on 2 months. I don't have a lot of information to go off of because most of the people here haven't ever messed with them before. I tried to SSH and telnet into the missing APs and even the online APs and it won't work. I do have SSH and telnet access allowed through the WLC.

What is your DHCP solution? i.e. Infoblox, BT Diamond, etc.? This is where you have to enter option 43 under those subnets which contain access points.

 

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/97066-dhcp-option-43-00.html

 

Setup is pretty easy and will allow your access points to find the WLCs automatically when they get an IP via DHCP in the event something like this happens again.
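As an added example (not from the thread or the linked Cisco document), the following Python builds and checks the option 43 value the reply above refers to. The layout is the one the Cisco document describes for Cisco lightweight APs: a single TLV with sub-option type 0xf1, a length byte equal to 4 times the number of controllers, and each controller's management IPv4 address as four raw bytes. The decoder also catches the classic mistake on DHCP servers that accept option 43 as either text or binary: typing the controller address as an ASCII string instead of the hex value. The controller addresses and function names are assumptions.

```python
import ipaddress
from typing import List

# Sub-option type Cisco lightweight APs look for inside DHCP option 43.
CISCO_AP_SUBOPTION = 0xF1


def encode_option43(controllers: List[str]) -> str:
    """Return the option 43 payload as a hex string: 0xf1, length (4 per
    controller), then each controller management IPv4 address as 4 bytes."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    if len(controllers) > 63:
        # The single length byte must hold 4 * n, so n <= 63.
        raise ValueError("too many controllers for one sub-option")
    body = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    return (bytes([CISCO_AP_SUBOPTION, len(body)]) + body).hex()


def decode_option43(hexstr: str) -> List[str]:
    """Walk every TLV in an option 43 value and return the controller
    addresses carried in sub-option 0xf1; raise on a malformed payload."""
    data = bytes.fromhex(hexstr.replace(":", "").replace(" ", ""))
    ips: List[str] = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        t, length = data[i], data[i + 1]
        value = data[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length runs past the end of the payload")
        if t == CISCO_AP_SUBOPTION:
            if length % 4 != 0:
                raise ValueError("sub-option 0xf1 length is not a multiple of 4")
            ips.extend(str(ipaddress.IPv4Address(value[k:k + 4]))
                       for k in range(0, length, 4))
        i += 2 + length
    return ips


def is_ascii_entry_mistake(hexstr: str) -> bool:
    """True when the value does not parse as Cisco TLVs, which is what you
    get when "192.168.10.5" was entered as a string rather than as hex."""
    try:
        return decode_option43(hexstr) == []
    except ValueError:
        return True


if __name__ == "__main__":
    # Assumed controller management addresses, not from the thread.
    wlcs = ["10.1.1.10", "10.1.1.11"]
    value = encode_option43(wlcs)
    print(f"option 43 for {wlcs}: {value}")
    print("decoded:", decode_option43(value))
    # The same address typed as ASCII text: the AP would never parse it.
    print("ASCII mistake:", is_ascii_entry_mistake("192.168.10.5".encode().hex()))
```

Enter the produced hex string as the binary/hex value of option 43 on the scope for each AP subnet; the 1240 also sends a vendor class identifier (Cisco AP c1240) that can be used to scope the option via option 60 so that other DHCP clients on the subnet do not receive it. Verify from an AP console after a reboot that it learns the controller address from DHCP before relying on it across the whole site.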

Scott Fella
Hall of Fame
Did you verify the cert on the AP like the others mentioned? I would assume that this is why some of your APs are not joining. Those APs are very old and only have a 10 year certificate. Most likely, the others that stayed up might have issues if there are any power related issues or connectivity issues to the WLC.
-Scott
*** Please rate helpful posts ***

Prakash M
Level 1

Try adding the MAC address / serial number of the access point with the option "MIC" under the Security tab, "AP Policies" option.

Try associating the access point manually to the controller by using the command below:

capwap ap controller ip address A.B.C.D

In order to use the above command the controller should be running 7.6 or later releases and the access point must be running Cisco IOS Release 12.3(11)JX1 or later releases.

patoberli
VIP Alumni
Besides the many suggestions you have already received, is the clock correct on the WLC?
Asking because the time on your log message (11:00) seems to be in the future of your post (09:04).

Can you check the currently installed software on the WLC with show version or by logging into the web GUI? If the software is too old, then those listed commands will not work for the certificate expiration. You require at least 7.0.252.0 on the WLC for this to be working, but before you upgrade, make sure your old APs are still supported on a newer code.
Source for the certificate issue: https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html
Release notes for newer software releases: https://www.cisco.com/c/en/us/support/wireless/5500-series-wireless-controllers/products-release-notes-list.html (version 8.0.x is still supporting your 1240 APs).