When relocating the Catalyst 9800-CL to a different environment, simply applying the existing configuration did not allow for HTTPS (GUI) or AP joins. Therefore, I am leaving the following notes. I will rewrite them neatly when I have time.
Cat9800-CL Maintenance Procedure: Recovery of HTTPS (GUI) / AP Join (CAPWAP-DTLS) (When SSC is Missing)
1. Purpose
To recover the following issues that are likely to occur after RMA/migration/configuration replication using only CLI:
- Cannot connect to GUI (HTTPS)
- AP cannot join (DTLS handshake failure)
This procedure particularly assumes issues caused by vWLC-SSC (SSC) not being generated/assigned, which is often overlooked in the 9800-CL.
2. Expected Symptoms of Issues
2.1 Symptoms of GUI (HTTPS) Failure
- Unable to connect to the GUI via the browser
- Running curl on a client fails during the TLS handshake, for example:
  curl https://<WLC-IP>
  TLS connect error: ... tlsv1 alert internal error
2.2 Symptoms of AP Join Failure (on WLC side)
show wireless stats ap join summary shows:
  Status: Not Joined
  Last Failure Phase: Dtls-Handshake
  Last Disconnect Reason: DTLS cert-chain not available
3. Cause (Essence of the Current Issue)
In RMA/configuration replication, the configuration remains, but the actual certificates and private keys may not exist in the new chassis (new VM).
Especially for AP Join (CAPWAP-DTLS) on the 9800-CL, a DTLS certificate chain (SSC/MIC) linked to the WMI (Wireless Management Interface) is required, and if this is missing, the AP cannot join.
If show wireless management trustpoint shows:
  Certificate Info : Not Available
  Private key Info : Not Available
then the DTLS handshake cannot be established.
4. Preconditions and Notes
4.1 Requirements
- Assuming the GUI is down, you must be able to access the WLC CLI via console/SSH, etc.
- During the work, AP Join may recover or become unstable, so schedule a maintenance window that covers the impact.
4.2 Important Points for 9800-CL
- WMI (wireless management interface) must be correctly configured and in an up/up state. If this is not the case, generation and assignment of the SSC may not proceed as intended.
4.3 Password Caution (SSC Generation Command)
- In the command wireless config vwlc-ssc ... password 0 <pw>, the <pw> should not be too short (at least 8 characters is recommended). If it is too short, the command may remain in the "Configuring..." state without transitioning to success/assignment.
- Avoid strings that are prone to failure because of environment-dependent handling, such as those starting with symbols.
5. Current Status Investigation (Pre-Recovery Check)
5.1 Check the trustpoint referenced by the HTTPS server
show ip http server status
Items to check:
  HTTP secure server status: Enabled
  HTTP secure server trustpoint: <TP name>
5.2 Check if the trustpoint exists (certificate/key)
show crypto pki trustpoints
show crypto pki certificates <TP name>
show crypto key mypubkey rsa | begin Key name: <TP name>
5.3 DTLS (AP Join) Side: Existence of WMI trustpoint
show wireless management trustpoint
- If it shows Not Available, the DTLS chain/key is missing.
5.4 Confirm the reason for AP Join failure
show wireless stats ap join summary
- If DTLS cert-chain not available appears, it is highly likely that DTLS certificates are missing on the WLC side.
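As an added example, not part of the original notes and not a Cisco tool: a small Python triage helper that parses pasted output of the four section 5 checks and maps the findings onto the recovery steps of section 6. It does not connect to the WLC; the show output and trustpoint names below are constructed to mirror the symptom lines quoted above.

```python
import re

# Constructed sample output for the four section 5 checks; it mirrors the
# symptom lines quoted in the notes and is not a capture from a real WLC.
HTTP_STATUS = """HTTP secure server status: Enabled
HTTP secure server trustpoint: TP-self-signed-1234567890
"""
WMI_TRUSTPOINT = """Trustpoint Name :
Certificate Info : Not Available
Private key Info : Not Available
"""
PKI_TRUSTPOINTS = """Trustpoint TP-self-signed-1234567890:
    Subject Name:
"""
AP_JOIN_SUMMARY = """Status: Not Joined
Last Failure Phase: Dtls-Handshake
Last Disconnect Reason: DTLS cert-chain not available
"""

def field(text, name):
    """Value after 'name :' (or 'name:') on its own line; '' if absent/empty."""
    m = re.search(rf"^{re.escape(name)}[ \t]*:[ \t]*(.*)$", text, re.M)
    return m.group(1).strip() if m else ""

def trustpoint_names(pki_text):
    """Trustpoint names listed by 'show crypto pki trustpoints'."""
    return re.findall(r"^Trustpoint (\S+):", pki_text, re.M)

def triage(http_status, wmi_tp, pki_tps, join_summary):
    """Map the section 5 findings onto the recovery steps of section 6."""
    actions = []
    assigned = field(wmi_tp, "Trustpoint Name")
    cert_ok = field(wmi_tp, "Certificate Info") == "Available"
    key_ok = field(wmi_tp, "Private key Info") == "Available"
    https_tp = field(http_status, "HTTP secure server trustpoint")
    reason = field(join_summary, "Last Disconnect Reason")
    if "DTLS cert-chain not available" in reason:
        actions.append("AP join blocked: no DTLS cert chain on the WLC")
    if not assigned:
        # Nothing bound to the WMI: generate SSC (Step 2). Existing trustpoints
        # are listed so the operator can check whether Step 3 alone is enough.
        actions.append("Step 2: generate vWLC-SSC (WMI trustpoint is empty)")
        if trustpoint_names(pki_tps):
            actions.append("Step 3 candidates: " + ", ".join(trustpoint_names(pki_tps)))
    elif not (cert_ok and key_ok):
        actions.append(f"Step 2: {assigned} has no certificate/key; regenerate SSC")
    elif https_tp != assigned:
        actions.append(f"Step 4: HTTPS uses {https_tp or '(none)'}, DTLS uses {assigned}")
    return actions
```

Replace the four sample strings with the real show output and call triage() to get the ordered list of suggested steps.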
6. Recovery Procedure (Recommended: SSC Generation → Assignment to WMI → Recovery of HTTPS/DTLS)
Step 1) Check if WMI (wireless management interface) is configured
show running-config | include ^wireless management interface
show ip interface brief
Expected:
- wireless management interface vlan <number> exists
- The target Vlan<number> is up/up and has an IP address assigned
If it is not configured or incorrectly configured, correct the WMI according to the environment design (example):
conf t
wireless management interface vlan <WMI VLAN number>
end
Step 2) Generate vWLC-SSC (SSC) (Blind Spot for 9800-CL)
Execute in EXEC mode (not within conf t).
wireless config vwlc-ssc key-size 2048 signature-algo sha256 password 0 <password of at least 8 characters>
After execution, confirm:
show crypto pki trustpoints
show wireless management trustpoint
Expected state: show wireless management trustpoint shows a Trustpoint Name and
  Certificate Info : Available
  Private key Info : Available
Note: Generating SSC typically creates a new trustpoint (e.g., ewlc-default-tp) that is assigned to the WMI. If you know the name of the generated trustpoint, explicitly assign it in Step 3.
Step 3) If the WMI trustpoint is still empty, perform manual assignment
If the Trustpoint Name in show wireless management trustpoint is empty, check the generated trustpoint and assign it manually.
- Confirm the name of the generated trustpoint
show crypto pki trustpoints
- Assign to WMI (replace the trustpoint name with the one found above)
conf t
wireless management trustpoint <trustpoint name generated by SSC>
end
- Confirm
show wireless management trustpoint
Step 4) Align the HTTPS (GUI) side with the same trustpoint (if the policy is "not to differentiate")
Current policy: do not use separate trustpoints for HTTPS and DTLS. The reliable approach is therefore to assign the trustpoint established for DTLS to HTTPS as well.
conf t
ip http secure-trustpoint <trustpoint name assigned to DTLS above>
end
write memory
If necessary, bounce the HTTPS server so the change takes effect:
conf t
no ip http secure-server
ip http secure-server
end
Step 5) Retry AP Join
While monitoring the status of the AP on the WLC side, restart the AP (or perform a capwap restart).
Check on the WLC side:
show wireless stats ap join summary
If necessary, restart the AP (example):
ap name <AP name> reset
7. Post-Recovery Confirmation (Pass Criteria)
7.1 DTLS/AP Join
show wireless management trustpoint
show wireless stats ap join summary
Pass criteria:
show wireless management trustpoint shows:
- Trustpoint Name is not empty
- Certificate/Private key is Available
show wireless stats ap join summary shows:
- Status: Joined
- DTLS cert-chain not available is no longer shown
7.2 HTTPS (GUI)
show ip http server status | include secure|trustpoint
On the client (-k is recommended for self-signed certificates):
curl -vk https://<WLC-IP>/
Pass criteria:
- TLS handshake is established, and an HTTP response is returned
8. Typical Patterns and Responses in Case of Failure
8.1 Trustpoint Name remains empty even after executing wireless config vwlc-ssc
Order of suspicion:
- WMI (wireless management interface) is not configured/Down
- Password is too short or fails due to string factors
- It is generated but not assigned → Manual assignment in Step 3
Confirmation commands:
show running-config | include ^wireless management interface
show ip interface brief
show crypto pki trustpoints
show wireless management trustpoint
9. Work Log (Template)
To document in the procedure manual, attach the following after the work.
show ip http server status
show wireless management trustpoint
show wireless stats ap join summary
show crypto pki trustpoints
10. Lessons Learned (Key Points from a Maintenance Perspective)
- In RMA/migration, if only the Config is replicated, PKI assets (certificates/keys) may be missing.
- In the recovery of AP Join for the 9800-CL, the generation/assignment of SSC (vWLC-SSC) is often a blind spot.
- If the reason for join failure shows DTLS cert-chain not available, first check whether the WMI trustpoint is missing.