AP fails to join controller

srosenthal
Level 4

I have a 4402 controller and I am trying to add a 1200 series AP as the first AP. 

The controller is running version 5.2.178 of code, and the AP was just converted from autonomous to LWAPP.

I verified the date and time of both units and they are within a few minutes of each other.

Here is what the AP is showing when it is booting up and fails to join.

*Apr 13 16:48:04.012: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Apr 13 16:48:04.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.3 peer_port: 5246
*Apr 13 16:48:04.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Apr 13 16:48:05.715: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 192.168.1.3
*Apr 13 16:48:05.715: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Apr 13 16:48:05.715: %DTLS-5-PEER_DISCONNECT: Peer 192.168.1.3 has closed connection.
*Apr 13 16:48:05.716: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 192.168.1.3:5246
*Apr 13 16:48:05.717: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

Seth

26 Replies

Probably should have started this thread with the following link.

The link has several troubleshooting steps to figure out what's going on.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008072d9a1.shtml

roberthillcoat
Level 1

I too am having the same problem, but this is a brand new WLC and AP out of the box.

WLC 2106

3502i AP

Any suggestions on what I should do?

What version of code is the WLC running?

According to the release notes, only WLC version 7 supports APs from the 3500 series.

If running a lower version, perform an upgrade. If not, check the regulatory domain and country code configured.

I had the same issue - had a bunch of brand new APs starting up in Mesh mode.

Had to factory default and delete private-multiple-fs & env_vars

Then reset AP

Vinay Sharma
Level 7

Some more troubleshooting scenarios:

https://supportforums.cisco.com/docs/DOC-17826

Thanks & Regards

I have a problem that appears in the following log; does anyone have any idea concerning this issue?

*Aug 18 03:29:30.303: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.18perform archive download capwap:/ap1g2 tar file

*Aug 18 03:29:30.307: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloadin!


Extracting files...

ap1g2-k9w8-mx.152-4.JB5h/ (directory) 0 (bytes)

extracting ap1g2-k9w8-mx.152-4.JB5h/file_hashes (3734 bytes)

extracting ap1g2-k9w8-mx.152-4.JB5h/K5.bin (81620 bytes)!!!

*Aug 18 03:38:03.466: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Aug 18 03:38:03.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.18 peer_port: 5246

*Aug 18 03:38:03.003: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down

*Aug 18 03:38:03.207: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset

*Aug 18 03:38:03.299: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.!!!

extracting ap1g2-k9w8-mx.152-4.JB5h/S2.bin (13992 bytes)!

extracting ap1g2-k9w8-mx.152-4.JB5h/img_sign_rel_sha2.cert (1371 bytes)!

extracting ap1g2-k9w8-mx.152-4.JB5h/S5.bin (111936 bytes)!!!100.18 peer_port: 5246

*Aug 18 03:38:03.299: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.100.18 perform archive download capwap:/ap1g2 tar file

*Aug 18 03:38:03.307: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.

*Aug 18 03:38:03.311: Loading file /ap1g2...


ERROR: Problem extracting files from archive.

Download image failed, notify controller!!! From:7.5.1.73 to 10.1.130.0, FailureCode:3

*Jun 8 14:10:13.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.99.5.5:5246
*Jun 8 14:10:53.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0x4DDF14C!

This is happening because the AP has actually joined the controller, but the UDP session from some AP high random port (2551 in that case) gets broken and the AP tries to reconnect to the controller with the same 2551 port, but the WLC already has that session in its DTLS table and sees that request as a potential attack, hence blocking the AP's capability to join the controller.

(Cisco Controller) >show dtls connections 
FAKENAMEAP1 Capwap_Ctrl 10.10.10.1 18526 TLS_RSA_WITH_AES_128_CBC_SHA
FAKENAMEAP2 Capwap_Ctrl 10.10.10.2 21330 TLS_RSA_WITH_AES_128_CBC_SHA
                           Capwap_Ctrl 192.168.5.5 2551 TLS_RSA_WITH_AES_128_CBC_SHA <---- this is what we are looking for (No name hanging session)

The last session shown here has the IP address of the affected AP but no AP name, which indicates the problem.

The solution is to upgrade the WLC to at least 8.0.140.0.

8.0.140.0 is a version train which still supports old APs like the 1130, which makes it safe for older environments.

The workaround is to reboot the AP a couple of times; from time to time it will join the WLC successfully.

The only problem with that version is that after the upgrade some of the APs would have to be reloaded manually to join the controller back. But it is not only a problem of that version.

There are a lot of Cisco bugs partially referring to that problem, but those two are the most reliable:
Cisco bug: CSCuz28501
Cisco bug: CSCuu65672
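As an added example (not part of the thread, and not a Cisco tool), a small Python helper that flags the nameless DTLS table row described in the post above and classifies the AP console lines from the first post; the `show dtls connections` sample, AP names and addresses are constructed for the example.

```python
import re

# Constructed sample of "show dtls connections" output in the shape shown in
# the post above (AP names and addresses are made up).
SHOW_DTLS = """\
(Cisco Controller) >show dtls connections
FAKENAMEAP1 Capwap_Ctrl 10.10.10.1 18526 TLS_RSA_WITH_AES_128_CBC_SHA
FAKENAMEAP2 Capwap_Ctrl 10.10.10.2 21330 TLS_RSA_WITH_AES_128_CBC_SHA
                           Capwap_Ctrl 192.168.5.5 2551 TLS_RSA_WITH_AES_128_CBC_SHA
"""

# Constructed AP console lines modelled on the first post in the thread.
AP_LOG = """\
*Apr 13 16:48:04.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.3 peer_port: 5246
*Apr 13 16:48:05.715: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 192.168.1.3
*Apr 13 16:48:05.715: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
"""

# One DTLS table row: optional AP name, then Capwap_Ctrl, AP IP, AP port, cipher.
DTLS_ROW = re.compile(
    r"^(?P<name>\S*)\s*Capwap_Ctrl\s+(?P<ip>\d+(?:\.\d+){3})\s+(?P<port>\d+)\s+(?P<cipher>\S+)\s*$"
)
CERT_ALERT = re.compile(r"%DTLS-5-ALERT: Received FATAL : Certificate unknown alert from (\S+)")
MAX_RETRANS = re.compile(r"Max retransmission count reached for Connection")

def hanging_dtls_sessions(show_output: str) -> list[dict]:
    """Return DTLS table rows that carry an AP address but no AP name.
    That is the stale entry the post describes: the WLC still holds the old
    session, so the AP's reconnect from the same source port is refused.
    """
    hits = []
    for line in show_output.splitlines():
        m = DTLS_ROW.match(line)
        if m and not m.group("name"):
            hits.append({"ip": m.group("ip"), "port": int(m.group("port")),
                         "cipher": m.group("cipher")})
    return hits

def classify_join_failure(ap_log: str) -> str:
    """Map AP console output to the two failure patterns seen in the thread.
    certificate_rejected: the WLC refused the AP certificate (check clock,
    timezone and AP authorization policy).  dtls_retransmit_exhausted: DTLS
    never completed (look for a nameless session in the WLC DTLS table).
    """
    if CERT_ALERT.search(ap_log):
        return "certificate_rejected"
    if MAX_RETRANS.search(ap_log):
        return "dtls_retransmit_exhausted"
    return "unknown"
```

Run `hanging_dtls_sessions` over the real `show dtls connections` output and compare the port it reports with the source port the failing AP uses in its DTLSREQSEND line.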

Go to: Security > AP Policies > Policy Configuration. Select the "Accept Manufactured Installed Certificate (MIC)" check box and select the "Authorize LSC APs against auth-list" check box. Add the MAC address of the AP you wish to accept, click Add to "AP Authorization List", and click Apply. This allowed me to bypass the certificate and still accept the AP through DTLS (as seen by log messages on the AP; it also quickly joined the controller).

Also make sure you have "Set Time" on the WLC

Then reboot the AP; do not reboot the controller. My controller also wasn't holding the correct time when power cycled.

Try it out and Good luck.


Good job Maciej, thumbs up!

sasig
Cisco Employee

Check your clock and timezone on the controller. That could also be why cert auth fails.

Max5
Level 1

I have encountered exactly the same problem, and it has been solved.
Connect to the AP through the console line, then change the year of the time to the past on the WLC, and wait for the AP re-join process. If it still fails and there is a prompt for the certificate time, change it to the corresponding later period of time.
After the AP has joined, the WLC time returns to normal.


My steps:

Change WLC time 9-Oct-2021 to 9-Oct-2013.

The console information displays a time about the certificate of 9-Nov-2017.

Change WLC time 9-Oct-2013 to 9-Oct-2018.

All is OK.
