New Member

Unable to Join Cisco AP 2602i-AP on WLC 2504 version 8.0.100.0

Hello,

I just updated my WLC 2504 to version 8.0.100.0, but it is impossible to link my WLC and 2602 AP.

The APs are configured with fixed IPs; here are the command lines used:

AP1 :

CAPWAP ap ip address 10.253.21.200
CAPWAP ap controller ip address 10.253.21.4

and AP2 :

CAPWAP ap ip address 10.253.21.201
CAPWAP ap controller ip address 10.253.21.4

WLC: sh sysinfo

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.0.100.0
Bootloader Version............................... 1.0.20
Field Recovery Image Version..................... 7.6.101.1
Firmware Version................................. PIC 16.0


Build Type....................................... DATA + WPS

System Name...................................... Inde_WLC-2504_SS_04
System Location.................................. Maison Inde
System Contact................................... INEO
System ObjectID.................................. 1.3.6.1.4.1.9.1.1279
IP Address....................................... 10.253.21.4
IPv6 Address..................................... ::
Last Reset....................................... Software reset
System Up Time................................... 0 days 0 hrs 32 mins 1 secs
System Timezone Location.........................
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180

--More-- or (q)uit

Configured Country............................... FR  - France
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +30 C
External Temperature............................. +35 C
Fan Status....................................... 3600 rpm

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 1
Number of Active Clients......................... 0

Burned-in MAC Address............................ CC:D8:C1:40:CF:40
Maximum number of APs supported.................. 75
System Nas-Id.................................... Inde_WLC-2504_SS_04

 

AP: sh Version

 

Cisco IOS Software, C2600 Software (AP3G2-K9W8-M), Version 15.3(3)JA, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Fri 15-Aug-14 12:22 by prod_rel_team

ROM: Bootstrap program is C2600 boot loader
BOOTLDR: C2600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(25e)JAY, RELEASE SOFTWARE (fc1)

AP-Inde-201 uptime is 23 minutes
System returned to ROM by power-on
System image file is "flash:/ap3g2-k9w8-mx.153-3.JA/ap3g2-k9w8-xx.153-3.JA"
Last reload reason:

 

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
 --More--
*Oct 31 14:38:59.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached for Connection 0x87agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-CAP2602I-E-K9 (PowerPC) processor (revision A0) with 188394K/60928K bytes of memory.
Processor board ID FCZ1840D0UK
PowerPC CPU at 800Mhz, revision number 0x2151
Last reset from power-on
LWAPP image version 8.0.100.0
1 Gigabit Ethernet interface
2 802.11 Radios

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 1C:6A:7A:12:1D:66
Part Number                          : 73-14588-03
PCA Assembly Number                  : 800-37899-01
PCA Revision Number                  : B0
PCB Serial Number                    : FOC18364THH
Top Assembly Part Number             : 800-38356-02
Top Assembly Serial Number           : FCZ1840D0UK
Top Revision Number                  : A0
Product/Model Number                 : AIR-CAP2602I-E-K9

 

Configuration register is 0xF

 

Ping between the AP and the WLC is OK, so communication is good.

Find enclosed the output of (Cisco Controller)> debug enable CAPWAP events

I tested with a WLC on version 7.6.130 and it works perfectly.

Best regards,

13 REPLIES
VIP Purple

Pls attach the AP console output to see what it looks like from the AP's perspective.

HTH

Rasika

New Member

Hi,

Find enclosed the AP debug file.

I noticed an error on the gateway, but it is not needed because I only have an L2 switch.

The test AP with the same configuration will work in version 7.6.130.

Best regards,

 

Julien hernandez,

VIP Purple

Hi Julien,

I think the below is the issue; maybe 8.0 uses SHA2 for MIC verification.

AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
Peer certificate verification failed FFFFFFFF

*Nov  3 09:58:27.099: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:496 Certificate verified failed!

 

I have to research more on how to fix this. Did you try to get TAC help on this? They may find a solution quickly.
 

 

HTH

Rasika

**** Pls rate all useful responses ****

New Member

Hi,

Currently no case is opened.

Tell me if you need any elements.

Thank you for the quick reply.

Julien.

VIP Purple

Hi,

Yes, go for a TAC case; sometimes it may be quicker. Since it is related to 8.0 (the very latest code), maybe TAC is the best to help you.

Keep us posted if you get a fix from them.

HTH

Rasika

New Member

It is not possible to open a case because there is no maintenance on the WLC.

I will try to find a solution on my side.

Cisco Employee

downgrade to 7.6.130.0

 

https://tools.cisco.com/bugsearch/bug/CSCur43050/?reffering_site=dumpcr

New Member

Hi,

Thank you for the answer.

New Member

Hi Julien,

Code 8.0.100.0 is impacted by bug ID CSCur43050 and generates the following error:

AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
Peer certificate verification failed FFFFFFFF

*Nov  3 09:58:27.099: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:496 Certificate verified failed!

In case of Layer 3 adoption, the APs might also lose their IP address.

Upgrading to 8.0.110.10 fixes the issue.
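
One way to spot the failure signature discussed in this thread in saved AP console logs, as an added example that is not part of any post here and not Cisco code. The function name `find_join_failures`, the `window` parameter and the sample log are assumptions made for illustration; the message strings are the ones quoted in the thread.

```python
import re

# Message fragments copied from the AP console output quoted in this thread.
SHA2_MIC = "Using SHA2 MIC certificate for DTLS"
PEER_FAIL = re.compile(r"Peer certificate verification failed (\w+)")
DTLS_ERR = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d+ [\d:.]+): DTLS_CLIENT_ERROR: "
    r"(?P<src>\S+):(?P<line>\d+) (?P<msg>.*)$")

def find_join_failures(lines, window=5):
    """Return one record per DTLS attempt in which the AP announced its SHA2
    MIC and a certificate failure followed within `window` lines."""
    failures, pending = [], None
    for n, raw in enumerate(lines):
        text = raw.strip()
        if SHA2_MIC in text:                      # start of a new attempt
            pending = {"start": n, "code": None}
            continue
        if pending is None:
            continue
        if n - pending["start"] > window:         # too far away to correlate
            pending = None
            continue
        peer = PEER_FAIL.search(text)
        if peer:
            pending["code"] = peer.group(1)
            continue
        err = DTLS_ERR.match(text)
        if err and "Certificate verified failed" in err["msg"]:
            failures.append({"time": err["ts"], "code": pending["code"],
                             "source": f"{err['src'].rsplit('/', 1)[-1]}:{err['line']}"})
            pending = None
    return failures

# Constructed sample: the first four lines are the messages quoted in the thread;
# the last line is a DTLS error with no SHA2 MIC line before it (constructed time).
SAMPLE = """\
AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
Peer certificate verification failed FFFFFFFF

*Nov  3 09:58:27.099: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:496 Certificate verified failed!
*Nov  3 09:59:40.000: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_connection_db.c:2214 Max retransmission count reached
"""

if __name__ == "__main__":
    for hit in find_join_failures(SAMPLE.splitlines()):
        print(hit)
```

Only the correlated SHA2 MIC plus certificate failure is reported; the standalone retransmission error is ignored because it can have other causes.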

 

New Member

There is also a workaround for CSCur43050 in v8.0.110.0

You have to change the MIC certificate to SHA1 on the WLC ("config ap dtls-wlc-mic sha1"). After that, the APs will join the WLC.

New Member

I had a similar problem. In my case I started using a controller with version 8.0.115.0 and connected a LAP 1142 with image 12.2-2, and it joined the WLC.

Then the WLC updated the LAP image to 12.3(3).

After this "auto upgrade" the AP did not join the WLC and generated a similar syslog (that is the reason why I found this page).

I discarded the option to downgrade the WLC, just because it seemed to me more complex than entering a command. =)
I applied the command "config ap dtls-wlc-mic sha1"
and now it works; the AP joins the WLC.

But I don't understand why that works. Can someone give me a guide? Thanks.
 
 
 

I have 2 1570 bridges and the same log appears:

AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

 

 

Does this command affect the other APs registered on the WLC?

Does this command affect the WLC performance or need a reboot?

 

Thanks!!!!

Cisco Employee

Yes, I also tested. The firmware needs to be rolled back. Then it will work.
