AP fails to join controller

Answered Question
Apr 13th, 2010

I have a 4402 controller and I am trying to add a 1200 series AP as the first AP. 


The controller has version 5.2.178 of code and the AP was just converted from autonomous to LWAPP.


I verified the date and time of both units and they are within a few minutes of each other.


Here is what the AP is showing when it is booting up and fails to join.


*Apr 13 16:48:04.012: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Apr 13 16:48:04.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.3 peer_port: 5246
*Apr 13 16:48:04.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Apr 13 16:48:05.715: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 192.168.1.3
*Apr 13 16:48:05.715: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Apr 13 16:48:05.715: %DTLS-5-PEER_DISCONNECT: Peer 192.168.1.3 has closed connection.
*Apr 13 16:48:05.716: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 192.168.1.3:5246
*Apr 13 16:48:05.717: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.


Seth

Correct Answer
gabrielsagredo Tue, 04/13/2010 - 19:40

Did you use the Cisco Aironet to LWAPP conversion tool?


If yes:


Check the directory where the upgrade tool is installed and see if it created a file (.csv) that contains the SSC for the AP. Then manually add that into the WLC under Security and then AP policies link.

manzeel Wed, 11/25/2015 - 03:13

Hi,

I have this issue log while connecting the AP and WLC.

Can anyone help to sort this out?


*Nov 25 11:08:35.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.12.100 peer_port: 5246
*Nov 25 11:09:26.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0x8717754!

*Nov 25 11:09:34.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.12.100:5246
*Nov 25 11:09:59.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Nov 25 11:10:00.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.12.100 peer_port: 5246
*Nov 25 11:10:51.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0x8717754!

*Nov 25 11:10:59.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.12.100:5246
*Nov 25 11:11:24.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Nov 25 11:11:25.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.12.100 peer_port: 5246

Sandeep Choudhary Wed, 11/25/2015 - 03:31

Hi Majil,

Create a new thread and paste this info:

sh sysinfo from WLC

sh version from AP

Regards

sewlcomau Sun, 09/11/2016 - 22:11

Seeing absolutely identical circumstances here Manjil - did you ever obtain a fix?

Leo Laohoo Mon, 09/12/2016 - 19:15

Seeing absolutely identical circumstances here Manjil - did you ever obtain a fix?

This is a very, very old thread.  Kindly create a new thread so we can have a look.

manzeel Mon, 09/12/2016 - 21:50

Leo, I have changed the regulatory domain/country code and restarted the device, and the issue has been resolved.

jwinters99 Fri, 03/25/2011 - 08:55

I am having the same problem just different hardware.


WISM running 6.0.199.4


AP is a 1231 that was converted from Autonomous to lightweight.


The error codes I am getting are exactly what this thread has listed.  The APs came up already and were talking to the controller.  I took the AP off and now when I plug it back in I get the error.  I have taken the SHA1 key from the upgrade tool and added it to the controller under Security/AP Policy and the AP still will not come up.  Any ideas as to what else I can try?

gabrielsagredo Fri, 03/25/2011 - 09:15

If you've configured both controllers on the WiSM make sure you've added the SSC (the SHA key) to both controllers.


Can you post the error you're receiving to verify the issue is the same?

jwinters99 Fri, 03/25/2011 - 09:26

Yes, I have added it to both controllers.  Actually we have 12 WiSMs split between 2 mobility groups.  Here is the error.


*Mar 25 16:14:07.718: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Mar 25 16:14:07.719: %DTLS-5-PEER_DISCONNECT: Peer 192.168.251.234 has closed connection.
*Mar 25 16:14:07.719: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 192.168.251.234:5246
*Mar 25 16:14:07.720: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
*Mar 25 16:15:11.129: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Mar 25 16:15:11.130: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Mar 25 16:15:11.130: bsnInitRcbSlot: slot 1 has NO radio
*Mar 25 16:15:11.145: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Mar 25 16:15:11.165: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 25 16:15:11.167: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 25 16:15:11.179: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 25 16:15:11.185: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 25 16:15:11.197: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 25 16:15:21.164: %CAPWAP-3-ERRORLOG: Selected MWAR 'c6509-2-wism-8-2'(index 0).
*Mar 25 16:15:21.164: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Mar 25 16:15:23.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.251.184 peer_port: 5246
*Mar 25 16:15:23.002: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Mar 25 16:15:24.804: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.251.184 peer_port: 5246
*Mar 25 16:15:24.806: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.251.184
*Mar 25 16:15:24.807: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Mar 25 16:15:24.811: %DTLS-5-ALERT: Received WARNING : Close notify alert from 192.168.251.184
*Mar 25 16:15:24.811: %DTLS-5-PEER_DISCONNECT: Peer 192.168.251.184 has closed connection.
*Mar 25 16:15:24.811: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 192.168.251.184:5246
*Mar 25 16:15:24.813: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Mar 25 16:15:23.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.251.234 peer_port: 5246
*Mar 25 16:15:23.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Mar 25 16:15:24.710: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 192.168.251.234
*Mar 25 16:15:24.711: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Mar 25 16:15:24.711: %DTLS-5-PEER_DISCONNECT: Peer 192.168.251.234 has closed connection.
*Mar 25 16:15:24.711: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 192.168.251.234:5246
*Mar 25 16:15:24.713: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.


Do I need to add to all WLC in the Mobility group?  I have set via CLI of the AP its primary controller, so it seems that the other controllers should not come into play.  It tries to come up on the controller I have defined.  And yes, there is room for the AP to join.  I only have 26 APs on that controller.  What's bothering me is that these APs were already up and working after I upgraded them.  I have them sitting here on my bench.  So they have not been on any other network other than the one that I used to upgrade.  There is connectivity to the WLC, so it's not a routing or switching issue.
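An added example, not written by any poster in this thread: Python that groups the CAPWAP/DTLS console messages quoted in the thread by controller IP, so it is clear which controller sent the certificate alert and which one completed DTLS and then closed. The function name, verdict wording and sample lines are assumptions constructed for illustration; the sample includes lines wrapped at the terminal width.

```python
import re
from collections import defaultdict

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = {
    "dtls_request": re.compile(r"%CAPWAP-5-DTLSREQSEND: .*peer_ip:\s*" + IP),
    "dtls_ok": re.compile(r"%CAPWAP-5-DTLSREQSUCC: .*peer_ip:\s*" + IP),
    "join_sent": re.compile(r"%CAPWAP-5-SENDJOIN: sending Join Request to " + IP),
    "cert_unknown": re.compile(r"Received FATAL : Certificate unknown alert from " + IP),
    "peer_close": re.compile(r"Received WARNING : Close notify alert from " + IP),
}
VERDICTS = [  # first rule whose events were all seen for a peer wins
    ({"cert_unknown"}, "controller rejected the AP certificate during DTLS"),
    ({"dtls_ok", "join_sent", "peer_close"}, "DTLS succeeded, controller closed after Join Request"),
    ({"no_reply"}, "no DTLS reply, retransmissions exhausted"),
]
# Constructed sample shaped like the AP console output in this thread (three lines wrapped).
SAMPLE = """\
*Mar 25 16:15:23.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168
.251.184 peer_port: 5246
*Mar 25 16:15:24.804: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip:
192.168.251.184 peer_port: 5246
*Mar 25 16:15:24.806: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.251.184
*Mar 25 16:15:24.811: %DTLS-5-ALERT: Received WARNING : Close notify alert from 192.168.251.184
*Mar 25 16:15:25.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.251.234 peer_port: 5246
*Mar 25 16:15:26.710: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 192.1
68.251.234
*Nov 25 11:08:35.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.12.100 peer_port: 5246
*Nov 25 11:09:26.999: DTLS_CLIENT_ERROR: Max retransmission count reached for Connection 0x8717754!
"""

def join_outcomes(text):
    """Map each controller IP seen in AP console output to a join verdict."""
    events, last_peer = defaultdict(set), None
    # Log lines start with '*'; a newline not followed by '*' is a terminal wrap, so drop it.
    for line in re.sub(r"\n(?!\*)", "", text).splitlines():
        if "Max retransmission count reached" in line and last_peer:
            events[last_peer].add("no_reply")  # this message carries no IP of its own
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                events[m.group(1)].add(name)
                last_peer = m.group(1) if name == "dtls_request" else last_peer
    return {peer: next((v for need, v in VERDICTS if need <= seen), "incomplete")
            for peer, seen in events.items()}

if __name__ == "__main__":
    for peer, verdict in join_outcomes(SAMPLE).items():
        print(peer, "->", verdict)
```

A "certificate rejected" verdict points at the checks discussed in this thread (the SSC entry and the "Accept Self Signed Certificates (SSC)" setting under AP Policies) on that specific controller, while the other two verdicts mean the certificate was not what ended that attempt.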

gabrielsagredo Wed, 03/30/2011 - 09:59

When you say they were working prior to upgrade... do you mean they worked as Autonomous or they were on an older version of LWAPP code and have now been upgraded to a newer LWAPP/CAPWAP version?


On the WLC the AP is trying to join... Can you verify that the WLC is set to accept SSC from APs?


Login to WLC --->Security--->[LeftPane] click AAA --->AP Policies....


Is the "Accept Self Signed Certificates (SSC)" checked?

jwinters99 Wed, 03/30/2011 - 11:25

They were running on another WISM that is at a 5.x version as lightweight.  They were moved over to a new WISM running 6.0.199.4 and they worked fine for about a week.  Then they just stopped.  When I console into them I get the error that I previously posted.  The first thing I did was go to the controller that they are trying to associate to and made sure under Security/AP Policies that accept SSC was enabled, which it was.  After fighting with it for a while I decided to take it back down to Autonomous and then re-upgrade it.  I did this using the Cisco upgrade tool.  Everything went like it should have.  The AP converted and downloaded the image, rebooted and loaded the new image and joined the controller.  It ran fine for 20-30 minutes with no issues.  I took it offline (unplugged it) and set it on my desk.  2 days later when I went to install it, it was right back to where it was, giving me the certificate error.  Before I took it out into the field to install it I brought it back up on the same exact port I used to upgrade it.  Since I used the upgrade tool I had the SSC, so I added it to the controller manually.  Still I get the same error.  I am stuck.  I have 5 of these that are acting this way out of 14 that were moved over originally.  It makes no sense.  They were all running the same code and came from the same controller.  I have 9 that are still up and functioning and 5 that are not.  Any ideas?

roberthillcoat Thu, 03/10/2011 - 08:43

I too am having the same problem, but this is a brand new WLC and AP out of the box.


WLC 2106

3502i AP


Any suggestions on what I should do?

dmantill Thu, 03/10/2011 - 19:37

According to the release notes, only WLC version 7 is the one that supports APs from the 3500 series.

If running a lower version, perform an upgrade. If not, check the regulatory domain and country code configured.

chris.humphries Tue, 08/02/2011 - 19:46

I had the same issue - had a bunch of brand new APs starting up in Mesh mode.

Had to factory default and delete private-multiple-fs & env_vars.

Then reset the AP.

amr_abdelmohsen Fri, 08/22/2014 - 08:55

I have a problem that appears in the following log. Does anyone have any idea concerning this issue?

*Aug 18 03:29:30.303: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.18perform archive download capwap:/ap1g2 tar file

*Aug 18 03:29:30.307: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloadin!

 

Extracting files...

ap1g2-k9w8-mx.152-4.JB5h/ (directory) 0 (bytes)

extracting ap1g2-k9w8-mx.152-4.JB5h/file_hashes (3734 bytes)

extracting ap1g2-k9w8-mx.152-4.JB5h/K5.bin (81620 bytes)!!!

*Aug 18 03:38:03.466: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Aug 18 03:38:03.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.18 peer_port: 5246

*Aug 18 03:38:03.003: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down

*Aug 18 03:38:03.207: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset

*Aug 18 03:38:03.299: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.!!!

extracting ap1g2-k9w8-mx.152-4.JB5h/S2.bin (13992 bytes)!

extracting ap1g2-k9w8-mx.152-4.JB5h/img_sign_rel_sha2.cert (1371 bytes)!

extracting ap1g2-k9w8-mx.152-4.JB5h/S5.bin (111936 bytes)!!!100.18 peer_port: 5246

*Aug 18 03:38:03.299: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.18 perform archive download capwap:/ap1g2 tar file

*Aug 18 03:38:03.307: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.

*Aug 18 03:38:03.311: Loading file /ap1g2...

 

ERROR: Problem extracting files from archive.

Download image failed, notify controller!!! From:7.5.1.73 to 10.1.130.0, FailureCode:3
