Troubleshooting DTLS Handshake Error Joining Cisco 2702i Access Point to 9800 Wireless Controller

Recently I tried to join a Cisco 2702i access point to a 9800-CL wireless controller but found an issue that needed to be fixed prior to it joining successfully. I also recently joined a Catalyst 9115 access point right out of the box and experienced no issue at all, so my theory is that the 2702i had config still on it from when it was previously joined to a 5508 WLC. In this post I’ll go through the few steps I took to fix the issue and successfully join the 2702i to the 9800-CL.

After booting the AP, I saw the 2702i’s LED eventually settle in a solid green state, but the SSIDs I configured on the 9800-CL were not visible. I checked the WLC and saw everything was fine with the config, so I went to the logs. The access point wasn’t joining the controller.

So far, I’ve found debugs lacking with the 9800 WLC. I haven’t found too much documentation for CLI commands for the various debugs I’ve come to rely on with the old AireOS platform. However, there are a couple spots to check, and there’s always the access point itself if you have SSH or console access to it.

When first logging in to the 9800-CL, you’ll see the Dashboard, in this case with no APs and no Clients. In the left menu under “Wireless” you’ll find “AP Statistics.”

AP stats

In the AP Statistics menu you can see joined APs and Join Statistics for successfully joined APs and APs trying to join (or failed to join). This is a good place to start, but it doesn’t always have sufficient information, and I’ve also found that sometimes the information from an AP not able to join the WLC doesn’t even show up here.

Also log into the CLI of the WLC while attempting to join the access point. This should provide some helpful information as well.

WLC cap

 

I also like to have console messages and debugs scrolling on the access point itself. In my case I had the AP sitting next to me, so I was able to console in. The output below wasn’t unfamiliar to me.

cli screenshot

Certificate validation failed after DTLS connection request. I’ve seen this before when joining APs from one controller to a new one. To confirm, I looked at the Troubleshooting tab on the wireless controller and selected Syslog.

Syslog 2

 

The messages referred to a DTLS Handshake error:

Aug  6 06:14:01.706: %CAPWAPAC_SMGR_TRACE_MESSAGE-3-EWLC_GEN_ERR: Chassis 1 R0/0: wncd: Error in Session-IP:192.168.1.189[57256] CAPWAP DTLS session closed for AP, cause: DTLS handshake error

 

What I did first was make sure there was no certificate trustpoint issue on the WLC by simply re-creating it and reloading. In hindsight I don’t know if this was necessary, but it’s the first thing I did in this process.

Navigate to the 9800 command line and issue the following command:

WLC# wireless config vwlc-ssc key-size 2048 signature-algo sha256 password [password]

 

Make sure your password is sufficiently long and complex or this will fail. Unfortunately, you don’t get much of a warning or failure message when it fails, but you do get some lovely output when it succeeds which is enough to know it worked.

Unfortunately, this didn’t fix the issue, so the next thing I did was to check the time. As much as this could be an issue with production WLCs, I’ve never had the time be a problem in a lab environment. In any case, I checked to make sure it was correct.

Next I cleared the private-config on the access point. This is what I would normally do first when troubleshooting a previously used access point not joining a new controller, but for whatever reason I did it a few steps in.

This is often enough to fix many issues when moving APs from one WLC to another, so keep the command in the back of your mind for future tshooting.  SSH/Console into the access point (default creds are Cisco/Cisco if you haven’t changed them) and issue the following command:

AccessPoint# clear lwapp private-config

 

Almost immediately the access point downloaded a new image and joined the 9800-CL wireless controller.

You can take a look at the Troubleshooting menu to see the Syslog messages, and you can look at the AP Statistics menu where you’ll see the AP under both the General tab and Join Statistics tab.

Join stats OK

 

On the Dashboard you will now see the access point.

Capture

 

It’s likely that all I needed to do was clear the private-config on the access point, so in your own troubleshooting I’d start with that since it’s so quick and non-disruptive to any other access points you have joined.

Also always make sure to check the Cisco Wireless Solutions Software Compatibility Matrix. In it you’ll find all the interoperability tables for code versions, access points, and WLC platforms.

Thanks,

Phil

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at WordPress.com.

Up ↑