Solved: Cisco AP AIR-AP2802E-E-K9 Join Issues with WLC 8500

Faresnani · ‎10-15-2024

Dear Community,

We are experiencing an issue with over 50 of our APs (model: AIR-AP2802E-E-K9) suddenly stopping appearing in the WLC (model: 8500 Series). These APs previously functioned correctly within our environment but are no longer showing up in the controller.

Please note the following:

We do not have access to the APs' CLI, as the credentials are unavailable so we are unable to get some logs. We would be grateful if anyone could provide the default credentials so we can try
These APs are located approximately 340 kilometers away from our office, so accessing the console directly is not an option.
In terms of reachability, the Wireless LAN Controller (WLC-8500) can reach the access points (APs), with DHCP functioning correctly, and both Option 43 and DNS configurations in place.

(Cisco Controller) >ping 10.128.91.1

Send count=3, Receive count=3 from 10.128.91.1

WLC-8500 EOL and EOS we can not open case support with Cisco
We attempted to add APs to our new WLC 9800 as a workaround, and while they are appearing successfully, we currently do not have sufficient licenses to support the number of APs.

We would greatly appreciate any assistance or guidance in resolving this issue. Below are some relevant logs and system information for reference:

Debug Logs from WLC (debug capwap error enable)

*spamApTask3: Oct 15 16:04:42.694: [PA] 00:5d:73:e6:db:e0 Could not find image version of bundled AP(apType: 55)!!!
*spamApTask3: Oct 15 16:04:42.694: [PA] 00:5d:73:e6:db:e0 Unable to get AP Bundled Version. Using Controller Version!!!

*spamApTask6: Oct 15 16:04:42.764: [PA] 28:ac:9e:73:58:40 DTLS connection was closed
*spamApTask7: Oct 15 16:04:42.783: [PA] 28:ac:9e:73:58:40 DTLS connection was closed
u*spamApTask6: Oct 15 16:04:42.828: [PA] 28:ac:9e:73:58:40 DTLS connection was closed
*spamApTask0: Oct 15 16:04:42.846: [PA] 00:5d:73:e6:56:40 ApModel: AIR-AP2802E-E-K9

*spamApTask0: Oct 15 16:04:42.846: [PA] 00:5d:73:e6:56:40 Could not find image version of bundled AP(apType: 55)!!!
*spamApTask0: Oct 15 16:04:42.846: [PA] 00:5d:73:e6:56:40 Unable to get AP Bundled Version. Using Controller Version!!!

----------------------------------------------------------------------------------------------------------------

WLC System Information (show sysinfo)

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.3.150.0
RTOS Version..................................... 8.3.150.0
Bootloader Version............................... 7.5.102.0
Emergency Image Version.......................... 7.5.102.0

OUI File Update Time............................. Sun Sep 07 10:44:07 IST 2014

Build Type....................................... DATA + WPS

System Name...................................... SAU-AKH-DC-WLC-1
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1615
Redundancy Mode.................................. SSO
IP Address....................................... 10.98.216.10
IPv6 Address..................................... ::
System Up Time................................... 172 days 4 hrs 16 mins 1 secs
System Timezone Location.........................
System Stats Realtime Interval................... 5

--More-- or (q)uit
System Stats Normal Interval..................... 180

Configured Country............................... SA - Saudi Arabia
Operating Environment............................ Commercial (10 to 35 C)
Internal Temp Alarm Limits....................... 10 to 38 C
Internal Temperature............................. +17 C
Fan Status....................................... OK

RAID Volume Status
Drive 0.......................................... Good
Drive 1.......................................... Good

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 15
Number of Active Clients......................... 1803

OUI Classification Failure Count................. 108716591

Burned-in MAC Address............................ F8:72:EA:67:3C:80
Power Supply 1................................... Present, OK
Power Supply 2................................... Present, OK
Maximum number of APs supported.................. 6000

--More-- or (q)uit
System Nas-Id.................................... SAU-AKH-DC-WLC-1
WLC MIC Certificate Types........................ SHA1
Licensing Type................................... RTU

---------------------------------------------------------------------------------------------------------------

(Cisco Controller) >show license summary

Feature name: ap_count (base)
License type: Permanent
License state: Active, In-use
RTU License Count: 1000

Feature name: ap_count
License type: Evaluation
License Eula: Not Accepted
Evaluation total period: 12 weeks 6 days
License state: Inactive, Not-In-Use
RTU License Count: 6000

Feature name: ap_count (adder)
License type: Permanent
License state: Active, In-use
RTU License Count: 400

Faresnani · ‎10-16-2024

@jagan.chowdam @marce1000 @Flavio Miranda

Thank you for your support

The issue has been resolved

We identify that certificate expiry issue on the WLC.
We checked which certificate is used by WLC for establishing DTLS connection with APs and the cert was "Cisco SHA1 device cert" The certificate on the WLC was valid till 13th Aug 2024 as below:

Certificate Name: Cisco SHA1 device cert

--More-- or (q)uit

Subject Name :
C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AIR-CT8510-K9-f872ea673c80, emailAddress=support@cisco.com
Issuer Name :
O=Cisco Systems, CN=Cisco Manufacturing CA
Serial Number (Hex):
76AAC0ED000000053C77
Validity :
Start : Aug 13 15:41:13 2014 GMT
End : Aug 13 15:51:13 2024 GMT
Signature Algorithm :
sha1WithRSAEncryption
Hash key :
SHA1 Fingerprint : 2f:b2:1d:e1:97:d6:30:59:7e:8e:ed:30:aa:2c:c8:28:42:b2:2c:5a
SHA256 Fingerprint : 82:2f:d7:ba:10:3f:8b:b2:44:80:82:f4:e2:87:09:cc:c4:8c:0d:22:ee:bb:63:1d:ee:a2:88:4a:2c:28:d6:93

We removed the NTP server and reverted the WLC time to Aug 1st, 2024.
The APs started to join the WLC.
We readded the NTP server. the APs were stable on the WLC, and clients connected.
The behavior is documented for AP-COS APs in Cisco bug ID CSCvb93909 which has fix in AireOS 8.5 and later.

WLC with the issue persisting:

WLC After Resolving the issue:

View solution in original post

Flavio Miranda · ‎10-15-2024

@Faresnani

The good news is, if the AP successfully joined the 9800 WLC, the problem is not on the AP side.

Can you share the command on the 8500

show ap bundle primary

Faresnani · ‎10-15-2024

@Flavio Miranda

Thanks for replying, please find the output below:

(Cisco Controller) >show ap bundle primary

Primary AP Image Size Supported AP's
---------------- ---- ------------
ap1g1 13120 AP700
ap1g2 13080 AP1600
ap1g3 15160 AP1530
ap1g4 22680 AP1850/1810
ap1g5 18444 AP1815
ap3g1 9948 AP3500
ap3g2 14980 AP2600,3600,1700,2700,3700
ap3g3 27532 AP2800,3800,1560
ap801 8396 AP801
ap802 9896 AP802
c1140 8848 AP1140
c1520 7492 AP1550
c1550 10868 AP1550
c1570 12900 AP1570
c602i 3864 AP600

Flavio Miranda · ‎10-15-2024

@Faresnani

The error is "spamApTask0: Oct 15 16:04:42.846: [PA] 00:5d:73:e6:56:40 Could not find image version of bundled AP(apType: 55)!!!
*spamApTask0: Oct 15 16:04:42.846: [PA] 00:5d:73:e6:56:40 Unable to get AP Bundled Version. Using Controller Version!!!"

But, as per the show command, the WLC have the appropriate bundle:

ap3g3 27532 AP2800,3800,1560

This is not something simple to troubleshooting and would be suitable for a TAC case but, as this WLC is not elegible for TAC anymore, I would try to reload the WLC firstly and if not fix, upgrade to another code version.

marce1000 · ‎10-15-2024

>... upgrade to another code version.
- I would affirm that opinion , note that any older aireos controller should these days run the last supported release made
for it ; considering https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html

That comes down to https://software.cisco.com/download/specialrelease/9a6a7cf84f9fdf04b95c76e2ac7820e7
(choose correct model)

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Faresnani · ‎10-15-2024

@marce1000 Thank you for your prompt response and for sharing the relevant links. We will certainly consider them.

Faresnani · ‎10-15-2024

@Flavio Miranda

Thank you for your prompt response. and for your suggestion, we will thoroughly evaluate its feasibility and assess the potential risks involved, as this will affect 3k users and there is no rollback

marce1000 · ‎10-15-2024

- You should get someone over there , take a snapshot of the boot process when the AP tries to join the 8500 and provide it to you
The controller software version is very old , you should use : https://software.cisco.com/download/specialrelease/9a6a7cf84f9fdf04b95c76e2ac7820e7

- Usually these sudden death from APs come from https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html
hence the reason there would be no problem on the 9800 , use ap cert-expiry-ignore {mic|ssc} enable
on the WLC anyway , though I suspect the problem is something else in this case

Therefore you should get the boot process as mentioned by coordinating with remote contacts,
(and or provide that here too)

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Faresnani · ‎10-15-2024

@marce1000

Thank you for your prompt response.

we will certainly arrange for a site visit. However, we cannot proceed with upgrading the WLC due to a previous issue that required an RMA. The current WLC supports over 1K APs and serves more than 3K users, but many of these APs are not compatible with the WLC 9800. We are currently undertaking a project to replace all APs with models compatible with the WLC 9800.

Regarding your last point about using the command ap cert-expiry-ignore {mic|ssc} enable, could you please clarify the potential impact? Will this affect the remaining APs that are currently operational?

Thank you for your assistance.

marce1000 · ‎10-15-2024

>..due to a previous issue that required an RMA.
- Following standard upgrade procedures will not lead to an RMA

>...but many of these APs are not compatible with the WLC 9800.
- The Wave1 APs such as 2800 will be supported on the 9800 till 17.14.x , for exact info's :
https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

>... the command ap cert-expiry-ignore {mic|ssc} enable, could you please clarify the potential impact?
It has no impact at all and is designed to let APs join , once a certificate on them got expired , yet it seems
you have another problem (but use it anyway , and test)

But as stated , to get a clear insight ; have someone provide the boot process of one of those remote APs
(doing on site)

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Faresnani · ‎10-15-2024

@marce1000 Thank you for the useful information and suggestion

Unfortunately, we currently have only 50 APs model 2800 in our environment, while over 1K other models are not compatible with the WLC9800 (Sad Story)

. We will do our best to test the scenario involving expired certificates. Additionally, I will ensure that the boot process for one of the APs shared here

marce1000 · ‎10-15-2024

- Ok , as you are already indicating ; it will become more and more important in the near future to be able to migrate to the 9800 controller platform(s) , also because Cisco support does no longer spend time for resolving and fixing issues on aireos.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Faresnani · ‎10-16-2024

@marce1000 @jagan.chowdam @Flavio Miranda please find below the logs from the AP AIR-AP2802E-E-K9 console

Q: Which Cetifcate WLC will be used to establish a DTLS connection with AP???

[*10/16/2024 07:32:50.7686] CAPWAP State: Discovery
[*10/16/2024 07:32:50.7689] Got WLC address 10.98.216.10 from DHCP.
[*10/16/2024 07:32:50.7734] Discovery Request sent to 10.98.216.10, discovery type DHCP(2)
[*10/16/2024 07:32:50.7743] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*10/16/2024 07:32:50.7744] Discovery Response from 10.98.216.10
[*10/16/2024 07:33:01.0000]
[*10/16/2024 07:33:01.0000] CAPWAP State: DTLS Setup
[*10/16/2024 07:33:01.0004] dtls_connectionDB_add_connection: Number of DTLS connections exceeded two
[*10/16/2024 07:33:01.0306] dtls_load_ca_certs: LSC Root Certificate not present
[*10/16/2024 07:33:01.0306]
[*10/16/2024 07:33:01.0333] dtls_verify_con_cert: Controller certificate verification error
[*10/16/2024 07:33:01.0333] dtls_process_packet: controller cert verification failed
[*10/16/2024 07:33:01.0336] DTLS: Received packet 0xd5d000 caused DTLS to close connection
[*10/16/2024 07:33:01.0337] sendPacketToDtls: DTLS: Closing connection 0xd15000.
[*10/16/2024 07:33:01.0337]
[*10/16/2024 07:33:01.0337] Lost connection to the controller, going to restart CAPWAP...
[*10/16/2024 07:33:01.0337]
[*10/16/2024 07:33:01.0338] Restarting CAPWAP State Machine.
[*10/16/2024 07:33:01.0384] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state: DTLS Setup(3).
[*10/16/2024 07:33:01.0391] Failed to disconnect DTLS-CTRL session.
[*10/16/2024 07:33:01.0391]
[*10/16/2024 07:33:01.0391] CAPWAP State: DTLS Teardown

--------------------------------------------------------------------------------------------------------------

Also show certificate all on WLC-8500

Cisco Controller) show> certificate all

--------------- Verification Certificates ---------------
Certificate Name: ACT2 EC CA cert

Subject Name :
O=Cisco, CN=ACT2 ECC SUDI CA
Issuer Name :
O=Cisco, CN=Cisco ECC Root CA
Serial Number (Hex):
02
Validity :
Start : Apr 4 08:26:13 2013 GMT
End : Apr 4 08:15:43.704 2053 GMT
Signature Algorithm :
ecdsa-with-SHA384
Hash key :
SHA1 Fingerprint : 32:78:95:b8:c4:e0:3c:ec:14:ae:d9:70:ef:99:c8:d9:34:0b:80:e6
SHA256 Fingerprint : f2:a3:92:57:1e:33:54:9a:b4:36:93:ef:55:67:fb:e6:07:8b:98:28:05:71:0c:26:fe:f6:d8:4a:c6:e8:4b:db

----------------------------

Certificate Name: ACT2 EC ROOT CA cert

--More-- or (q)uit

Subject Name :
O=Cisco, CN=Cisco ECC Root CA
Issuer Name :
O=Cisco, CN=Cisco ECC Root CA
Serial Number (Hex):
01
Validity :
Start : Apr 4 08:15:44 2013 GMT
End : Apr 4 08:15:44.704 2053 GMT
Signature Algorithm :
ecdsa-with-SHA384
Hash key :
SHA1 Fingerprint : 52:ec:7d:bb:5c:65:11:dd:c1:c5:46:db:bc:29:49:b5:ab:e9:d0:ee
SHA256 Fingerprint : 8d:b4:9f:4b:13:ee:ad:89:c5:cc:a2:9e:c0:33:72:59:14:45:86:5b:7a:fd:e8:2c:33:76:0f:1c:94:7f:3b:fe

----------------------------

Certificate Name: ACT2 RSA CA cert

Subject Name :
O=Cisco, CN=ACT2 SUDI CA
Issuer Name :

--More-- or (q)uit
O=Cisco Systems, CN=Cisco Root CA 2048
Serial Number (Hex):
61096E7D00000000000C
Validity :
Start : Jun 30 17:56:57 2011 GMT
End : May 14 20:25:42 2029 GMT
Signature Algorithm :
sha1WithRSAEncryption
Hash key :
SHA1 Fingerprint : f6:96:9b:bd:48:e5:f6:12:5b:93:4d:01:e7:1f:e9:c2:7c:6f:54:7e
SHA256 Fingerprint : 65:fa:b0:4a:ef:29:8b:e3:b9:42:e6:0e:1a:94:17:b9:c0:c6:a1:8e:e0:45:f2:d1:11:4d:55:67:42:65:83:fb

----------------------------

Certificate Name: Cisco Manufacturing CA SHA2 cert

Subject Name :
O=Cisco, CN=Cisco Manufacturing CA SHA2
Issuer Name :
O=Cisco, CN=Cisco Root CA M2
Serial Number (Hex):
02
Validity :

--More-- or (q)uit
Start : Nov 12 13:50:58 2012 GMT
End : Nov 12 13:00:17 2037 GMT
Signature Algorithm :
sha256WithRSAEncryption
Hash key :
SHA1 Fingerprint : 90:b2:e0:6b:7a:d5:da:ff:cf:d4:31:87:29:09:f3:81:37:47:1b:f8
SHA256 Fingerprint : 95:a0:e5:8a:99:8e:80:2a:c7:7a:d5:29:b9:ad:d8:e5:b4:0c:f9:0a:f3:9a:85:6d:b5:14:a3:63:46:50:1e:c5

----------------------------

Certificate Name: Cisco Root CA SHA2 cert

Subject Name :
O=Cisco, CN=Cisco Root CA M2
Issuer Name :
O=Cisco, CN=Cisco Root CA M2
Serial Number (Hex):
01
Validity :
Start : Nov 12 13:00:18 2012 GMT
End : Nov 12 13:00:18 2037 GMT
Signature Algorithm :
sha256WithRSAEncryption

--More-- or (q)uit
Hash key :
SHA1 Fingerprint : 93:3d:63:3a:4e:84:0d:a4:c2:8e:89:5d:90:0f:d3:11:88:86:f7:a3
SHA256 Fingerprint : cd:85:16:7b:39:35:e2:7b:cc:3b:0f:5f:a2:4c:84:57:88:2d:0b:b9:94:f8:82:69:a7:f7:28:29:d9:57:ea:e9

----------------------------

Certificate Name: Cisco Manufacturing CA SHA1 cert

Subject Name :
O=Cisco Systems, CN=Cisco Manufacturing CA
Issuer Name :
O=Cisco Systems, CN=Cisco Root CA 2048
Serial Number (Hex):
6A6967B3000000000003
Validity :
Start : Jun 10 22:16:01 2005 GMT
End : May 14 20:25:42 2029 GMT
Signature Algorithm :
sha1WithRSAEncryption
Hash key :
SHA1 Fingerprint : e3:e7:83:d3:cc:9c:30:ae:de:ff:cd:eb:5e:cf:ee:08:ff:8f:16:84
SHA256 Fingerprint : c7:4d:4b:4a:14:51:9d:d0:65:19:1d:96:84:5e:8d:4e:c8:51:43:6b:c5:59:c4:a4:5e:24:ca:5c:7c:01:fc:d3

--More-- or (q)uit
----------------------------

Certificate Name: Cisco Root CA SHA1 cert

Subject Name :
O=Cisco Systems, CN=Cisco Root CA 2048
Issuer Name :
O=Cisco Systems, CN=Cisco Root CA 2048
Serial Number (Hex):
5FF87B282B54DC8D42A315B568C9ADFF
Validity :
Start : May 14 20:17:12 2004 GMT
End : May 14 20:25:42 2029 GMT
Signature Algorithm :
sha1WithRSAEncryption
Hash key :
SHA1 Fingerprint : de:99:0c:ed:99:e0:43:1f:60:ed:c3:93:7e:7c:d5:bf:0e:d9:e5:fa
SHA256 Fingerprint : 83:27:bc:8c:9d:69:94:7b:3d:e3:c2:75:11:53:72:67:f5:9c:21:b9:fa:7b:61:3f:af:bc:cd:53:b7:02:40:00

----------------------------

Certificate Name: Airespace Build CA cert

--More-- or (q)uit
Subject Name :
C=US, ST=California, L=San Jose, O=Airespace Inc., OU=Engineering, CN=Airespace Build CA, emailAddress=support@bstormnetworks.com
Issuer Name :
C=US, ST=California, L=San Jose, O=Airespace Inc., OU=Engineering, CN=Airespace Root CA, emailAddress=support@airespace.com
Serial Number (Hex):
01
Validity :
Start : Jul 31 13:41:31 2003 GMT
End : Apr 29 13:41:31 2013 GMT
Signature Algorithm :
md5WithRSAEncryption
Hash key :
SHA1 Fingerprint : e3:50:2f:94:f5:54:b9:e4:c2:b3:cb:3c:f8:5c:6b:ca:86:0f:5f:8d
SHA256 Fingerprint : e6:50:49:d6:d5:c7:f2:3c:e7:e9:f6:5e:48:32:5d:f1:39:82:60:06:f7:61:41:a2:60:89:37:cc:53:b6:90:76

----------------------------

Certificate Name: Airspace device CA cert

Subject Name :
C=US, ST=California, L=San Jose, O=Airespace Inc., OU=Engineering, CN=Airespace Device CA, emailAddress=support@airespace.com
Issuer Name :
C=US, ST=California, L=San Jose, O=Airespace Inc., OU=Engineering, CN=Airespace Root CA, emailAddress=support@airespace.com

--More-- or (q)uit
Serial Number (Hex):
03
Validity :
Start : Apr 28 22:37:13 2005 GMT
End : Jan 26 22:37:13 2015 GMT
Signature Algorithm :
md5WithRSAEncryption
Hash key :
SHA1 Fingerprint : ae:25:ff:04:12:8a:62:f0:f8:4a:e8:76:b1:fe:c3:0d:78:dd:c6:1b
SHA256 Fingerprint : 92:09:e5:a9:e3:97:5c:6c:56:bc:9c:11:d4:8b:b1:c0:a4:c5:10:97:e7:0b:02:51:ee:bd:07:61:48:f5:fb:79

----------------------------

Certificate Name: Airespace Root CA cert

Subject Name :
C=US, ST=California, L=San Jose, O=Airespace Inc., OU=Engineering, CN=Airespace Root CA, emailAddress=support@airespace.com
Issuer Name :
C=US, ST=California, L=San Jose, O=Airespace Inc., OU=Engineering, CN=Airespace Root CA, emailAddress=support@airespace.com
Serial Number (Hex):
0
Validity :
Start : Jul 31 13:41:22 2003 GMT

--More-- or (q)uit
End : Apr 29 13:41:22 2013 GMT
Signature Algorithm :
md5WithRSAEncryption
Hash key :
SHA1 Fingerprint : 94:ec:7d:ba:e4:e6:fb:f1:e0:44:03:81:cb:ed:ef:32:79:c9:90:b5
SHA256 Fingerprint : 92:62:22:3e:92:a6:48:07:0c:86:54:c4:6f:1b:04:af:5b:1d:58:c5:7a:f2:bc:b8:76:db:41:5b:5e:7b:07:60

----------------------------

Certificate Name: Old Airespace CA cert

Subject Name :
C=US, ST=California, L=San Jose, O=airespace Inc, OU=none, CN=ca, emailAddress=support@airespace.com
Issuer Name :
C=US, ST=California, L=San Jose, O=airespace Inc, OU=none, CN=ca, emailAddress=support@airespace.com
Serial Number (Hex):
0
Validity :
Start : Feb 12 23:38:55 2003 GMT
End : Nov 11 23:38:55 2012 GMT
Signature Algorithm :
md5WithRSAEncryption
Hash key :

--More-- or (q)uit
SHA1 Fingerprint : 05:87:eb:cc:ab:55:a3:67:56:f4:59:75:cb:b1:65:47:45:6d:84:9c
SHA256 Fingerprint : 96:b4:a7:47:1e:50:d8:38:4c:4d:4f:49:e3:53:61:f6:50:7c:a4:8f:78:07:7b:0f:9c:8c:40:6c:5b:94:40:f3

----------------------------

-------------- Identification Certificates --------------
Certificate Name: Cert for Web Authentication

Subject Name :
C=US, O=Cisco Systems Inc., OU=DeviceSSL (WebAuth), CN=5.5.5.5
Issuer Name :
C=US, O=Cisco Systems Inc., OU=DeviceSSL (WebAuth), CN=5.5.5.5
Serial Number (Hex):
EA673C81
Validity :
Start : Oct 19 00:00:01 2014 GMT
End : Oct 19 00:00:01 2024 GMT
Signature Algorithm :
sha1WithRSAEncryption
Hash key :
SHA1 Fingerprint : 5a:fe:50:41:e8:af:db:9e:15:5c:2a:9e:c8:2d:fd:89:20:4c:e2:03
SHA256 Fingerprint : 8a:6d:14:74:a3:a1:0c:fe:5c:91:cc:1f:4d:e7:94:11:e5:1c:af:de:c6:3b:23:30:c4:2f:6b:85:19:fc:37:db

--More-- or (q)uit

----------------------------

Certificate Name: Cert for Web Admin

Subject Name :
C=US, O=Cisco Systems Inc., OU=DeviceSSL (WebAdmin), CN=169.254.1.1
Issuer Name :
C=US, O=Cisco Systems Inc., OU=DeviceSSL (WebAdmin), CN=169.254.1.1
Serial Number (Hex):
EA673C80
Validity :
Start : Aug 13 00:00:01 2014 GMT
End : Aug 13 00:00:01 2024 GMT
Signature Algorithm :
sha1WithRSAEncryption
Hash key :
SHA1 Fingerprint : 52:9c:9b:2a:f7:85:f9:10:98:69:fd:32:1d:1d:52:50:cf:ed:ee:5e
SHA256 Fingerprint : 34:47:06:39:5d:ad:cf:36:e2:57:b2:e3:15:0c:e0:20:ad:19:0c:b6:ed:32:5f:59:8c:e9:d2:6d:d7:46:0f:89

----------------------------

Certificate Name: Cisco SHA1 device cert

--More-- or (q)uit

Subject Name :
C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AIR-CT8510-K9-f872ea673c80, emailAddress=support@cisco.com
Issuer Name :
O=Cisco Systems, CN=Cisco Manufacturing CA
Serial Number (Hex):
76AAC0ED000000053C77
Validity :
Start : Aug 13 15:41:13 2014 GMT
End : Aug 13 15:51:13 2024 GMT
Signature Algorithm :
sha1WithRSAEncryption
Hash key :
SHA1 Fingerprint : 2f:b2:1d:e1:97:d6:30:59:7e:8e:ed:30:aa:2c:c8:28:42:b2:2c:5a
SHA256 Fingerprint : 82:2f:d7:ba:10:3f:8b:b2:44:80:82:f4:e2:87:09:cc:c4:8c:0d:22:ee:bb:63:1d:ee:a2:88:4a:2c:28:d6:93

----------------------------

Certificate Name: Airespace Id cert

Subject Name :
C=US, ST=California, L=San Jose, O=Airespace Inc., OU=MWAR Device, CN=000b85236d90, emailAddress=support@airespace.com
Issuer Name :

--More-- or (q)uit
C=US, ST=California, L=San Jose, O=Airespace Inc., OU=Engineering, CN=Airespace Device CA, emailAddress=support@airespace.com
Serial Number (Hex):
04EB8E
Validity :
Start : Mar 13 02:07:09 2006 GMT
End : Mar 10 02:07:09 2016 GMT
Signature Algorithm :
md5WithRSAEncryption
Hash key :
SHA1 Fingerprint : e3:68:a6:0f:89:46:b5:6b:37:eb:11:8c:d0:67:2e:51:e1:d8:5e:59
SHA256 Fingerprint : f1:21:a6:ef:a6:c3:67:06:73:90:12:55:1a:a3:49:e6:09:fa:8a:b6:22:2e:85:2f:48:b3:40:49:aa:97:c5:50

----------------------------

Certificate Name: Old Airespace Id cert

Subject Name :
C=US, ST=California, L=San Jose, O=airespace Inc, CN=000b85236d90, emailAddress=support@airespace.com
Issuer Name :
C=US, ST=California, L=San Jose, O=airespace Inc, OU=none, CN=ca, emailAddress=support@airespace.com
Serial Number (Hex):
04C88C
Validity :

--More-- or (q)uit
Start : Mar 13 02:07:12 2006 GMT
End : Dec 11 02:07:12 2015 GMT
Signature Algorithm :
md5WithRSAEncryption
Hash key :
SHA1 Fingerprint : 51:0c:17:6d:94:2c:cf:e4:eb:66:ba:4b:26:0b:ed:11:26:99:3c:b1
SHA256 Fingerprint : 9b:ec:a6:03:6b:7b:60:fe:17:e1:0e:4f:b4:2d:f3:b9:f6:c5:07:bb:97:6d:db:1b:3e:7f:80:f0:d3:86:1a:20

-----------------------------------------------------------------------------------------------------------

the current time of WLC-8500

(Cisco Controller) show> time

Time............................................. Wed Oct 16 07:41:08 2024

Timezone delta................................... 0:0
Timezone location................................

NTP Servers
NTP Polling Interval......................... 3600

Index NTP Key Index NTP Server Status NTP Msg Auth Status
------- -------------- ----------- ----------- ----------------------
1 0 10.98.192.1 In Sync AUTH DISABLED

------------------------------------------------------------------------------------------------------

marce1000 · ‎10-16-2024

  @Faresnani >...please find below the logs from the AP AIR-AP2802E-E-K9 console
If not yet done , then on the controller (CLI) use :
   ap cert-expiry-ignore ssc enable
  ap cert-expiry-ignore mic enable

(reboot the test AP again or other APs for that matter)

M,

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Faresnani · ‎10-16-2024

@marce1000 the command is already applied but the issue still persists