New Member

CAPWAP APs drop off the 7500 controller

I have multiple 7500 flex controllers deployed with over 2000 APs each on them and I notice that APs occasionally drop off.  When I find these APs I am able to telnet to them and I have found a fix for getting them back on the controller, but I want to know why this happens and if there is a way to avoid the problem.

Observed:

The APs have telnet enabled so I can get to the CLI.  Once in, I do a dir command and see that there is little to no memory available (512 bytes to 0 bytes) in the flash memory.  I see that there are 5 large log files; the file names are in the commands below.  When I do a show logging command I see the following over and over again:

*Oct  3 20:31:44.102: %CAPWAP-3-ERRORLOG: Certificate verification failed!

*Oct  3 20:31:44.102: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:447 Certificate verified failed!

*Oct  3 20:31:44.102: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.128.5.5:5246

*Oct  3 20:31:44.102: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.128.5.5:5246

*Oct  3 20:31:44.103: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

*Oct  3 20:32:48.999: %CAPWAP-3-ERRORLOG: Selected MWAR 'tc-cl-wlc01'(index 0).

*Oct  3 20:32:48.999: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Oct  3 20:31:44.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.128.5.5 peer_port: 5246

*Oct  3 20:31:44.125: CRYPTO_PKI: New CRL Not Valid - expired (router time not synched to CA?)

*Oct  3 20:31:44.125:  CRL expires: 05:29:39 UTC Mar 3 2012

*Oct  3 20:31:44.125:  Router time: 20:31:44 UTC Oct 3 2013

*Oct  3 20:31:44.125: %PKI-4-CRLINSERTFAIL: Trustpoint "Trustpool2" unknown (error 1804:E_VALIDITY : validity period start later than end)Peer certificate verification failed 0059

To resolve:

The working theory is that the flash gets filled up with log files and is unable to download the certificate from the controller during the join process.  I delete the logs with the commands below and then do a wr mem and a copy run start and then reload.  This will fix the problem every time.

delete /force flash:ap_log_r0_0.log

delete /force flash:ap_log_r1_0.log

delete /force flash:ap_log_r0_1.log

delete /force flash:ap_log_r0_2.log

delete /force flash:ap_log_r1_1.log

delete /force flash:ap_log_r1_2.log

Other info

- currently running an engineering code of 7.3.113.12 on one 7500 and 7.4.110 on another, both seem to be having this issue.  I do not have this issue on a 5508 running 7.5 code.  Currently getting 7.4 vetted for deployment.

Good luck with this one
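
An added example, not part of the original post: a small Python triage over the `show logging` lines quoted above, which counts the DTLS bad-certificate alerts per controller and compares the CRL expiry with the AP clock as the log prints them. The function and field names are assumptions of this example, and the sample text is constructed from the quoted lines.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the `show logging` lines quoted in the post.
SAMPLE_LOG = """\
*Oct  3 20:31:44.102: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Oct  3 20:31:44.102: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.128.5.5:5246
*Oct  3 20:31:44.125: CRYPTO_PKI: New CRL Not Valid - expired (router time not synched to CA?)
*Oct  3 20:31:44.125:  CRL expires: 05:29:39 UTC Mar 3 2012
*Oct  3 20:31:44.125:  Router time: 20:31:44 UTC Oct 3 2013
*Oct  3 20:31:44.125: %PKI-4-CRLINSERTFAIL: Trustpoint "Trustpool2" unknown (error 1804:E_VALIDITY : validity period start later than end)
"""

ALERT_RE = re.compile(r"%DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to (\S+):(\d+)")
TIME_RE = re.compile(r"(CRL expires|Router time): (\d\d:\d\d:\d\d) UTC (\w{3}) +(\d+) (\d{4})")
TRUSTPOINT_RE = re.compile(r'%PKI-4-CRLINSERTFAIL: Trustpoint "([^"]+)"')


def _to_datetime(m):
    # Both timestamps are printed in UTC, so naive datetimes compare correctly.
    return datetime.strptime(" ".join(m.group(2, 3, 4, 5)), "%H:%M:%S %b %d %Y")


def triage(log_text):
    """Summarise the certificate-related join failures in an AP's log text."""
    out = {"bad_cert_alerts": {}, "trustpoints": set(),
           "crl_expires": None, "ap_time": None, "crl_expired_days": None}
    for line in log_text.splitlines():
        if m := ALERT_RE.search(line):
            peer = m.group(1)  # controller address the AP sent the alert to
            out["bad_cert_alerts"][peer] = out["bad_cert_alerts"].get(peer, 0) + 1
        elif m := TIME_RE.search(line):
            key = "crl_expires" if m.group(1) == "CRL expires" else "ap_time"
            out[key] = _to_datetime(m)
        elif m := TRUSTPOINT_RE.search(line):
            out["trustpoints"].add(m.group(1))
    if out["crl_expires"] and out["ap_time"]:
        # Positive value: the CRL had already expired by the AP's own clock.
        out["crl_expired_days"] = (out["ap_time"] - out["crl_expires"]).days
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run over logs collected from many APs, the per-controller alert counts and the CRL-versus-clock gap make it easy to see which APs show the same certificate validation messages.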

2 REPLIES
Cisco Employee

You may also try the steps below, if that helps:

You may console into this AP and try the following commands.


delete flash:env_vars

delete flash:private-multiple-fs

Hall of Fame Super Silver

I have seen this issue, but only with older model access points, and it doesn't have to be flexconnect and it doesn't matter what WLC code version you're running.  With problematic access points, I always check the flash to verify if there are logs or not, and do delete them in order to get the AP back up.  Again, I have only seen this with older non-802.11n access points.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***