topic Re: 2504 Fallback has suddenly stopped working - Help needed in Wireless

2504 Fallback has suddenly stopped working - Help needed

Cormac Champion — Thu, 29 Jul 2021 10:09:31 GMT

Hi all,

I have a pair of 2504's running sucessfully for the past 3 years as a HA N+1 with 4 x 2602 AP's. Both 2504's have dual uplinks to a pair of 3560 switches (so they would be Active / Passive uplinks). One uplink on the primary controller stopped working due to dirty pins on the interface, so I powered off the primary 2504 and the AP's moved across to the secondary 2504 as they should.

However, when I powered the primary 2504 back on again, the AP's left the secondary but never arrived onto the primary, went back to the secondary controller, and again tried to go to the primary and kept repeating this over and over until I shut the LAN uplinks to the primary controller from each of the two 3560's. The controllers are both running 8.2.160.0 and have been for quite a long time.

Within the Mobility Group, both members show correctly as up, and if I do the "show redundancy summary", I can see the controllers correctly identified as primary and secondary.

I'm at a total loss as to how this has suddenly happened that the AP's won't settle back to the primary controller.

Re: 2504 Fallback has suddenly stopped working - Help needed

Arshad Safrulla — Thu, 29 Jul 2021 11:24:27 GMT

Do you have AP fallback enabled on both controllers?

Re: 2504 Fallback has suddenly stopped working - Help needed

Cormac Champion — Thu, 29 Jul 2021 19:11:11 GMT

Yes, enabled on both, with HK SKU set on the secondary unit only. The primary and secondary controllers are listed against under High Availability on each of the AP's

Re: 2504 Fallback has suddenly stopped working - Help needed

Arshad Safrulla — Thu, 29 Jul 2021 19:37:16 GMT

Can you check the certificate validity in ur WLC and AP's.

In WLC - sh certificate all

In AP - sh crypto pki certificates

If it is expired please find the below FN. Follow the workaround as per the below FN.

https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html

If not please provide the below outputs

debug capwap events enable

debug pm pki enable

Re: 2504 Fallback has suddenly stopped working - Help needed

Cormac Champion — Fri, 30 Jul 2021 08:10:09 GMT

Thanks for that

I'm a bit confused because, am I readi g correctly, that both certs are still valid ? I see the following

Controller 1

Certificate Name: Cisco SHA1 device cert

Subject Name :
C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AIR-CT2504-K9-ccd8c1411a20, emailAddress=support@cisco.com
Issuer Name :

--More-- or (q)uit
O=Cisco Systems, CN=Cisco Manufacturing CA
Serial Number :
47B2852E000000282DE1
Validity :
Start : Oct 24 01:51:39 2014 GMT
End : Oct 24 02:01:39 2024 GMT
Signature Algorithm :
sha1WithRSAEncryption
Hash key :
SHA1 Fingerprint : f1:3b:72:fc:8e:9d:2b:75:51:be:ae:85:e1:4e:7a:d6:fe:ca:7b:5e
MD5 Fingerprint : d1:13:aa:f0:c8:da:d9:85:a1:0c:19:38:f6:d2:43:ea

Controller 2

Certificate Name: Cisco SHA1 device cert

Subject Name :
C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AIR-CT2504-K9-00562be283c0, emailAddress=support@cisco.com
Issuer Name :

--More-- or (q)uit
O=Cisco Systems, CN=Cisco Manufacturing CA
Serial Number :
53934C5C0000000A6D13
Validity :
Start : Jul 29 01:48:53 2016 GMT
End : Jul 29 01:58:53 2026 GMT
Signature Algorithm :
sha1WithRSAEncryption
Hash key :
SHA1 Fingerprint : 59:c0:83:27:24:87:28:8c:01:2e:84:99:b1:dd:2e:94:36:e8:d7:23
MD5 Fingerprint : 54:e0:64:1b:6d:d1:52:d1:c7:73:4a:86:88:de:01:8c

But I am indeed getting Cert Expiry Messages

(Cisco Controller) >debug capwap events enable

(Cisco Controller) >*spamApTask6: Jan 06 12:35:21.981: 00:f6:63:01:ac:e1 DTLS connection not found, creating new connection for 10:10:5:102 (6863) 10:10:5:253 (5246)

*spamApTask6: Jan 06 12:35:21.982: sshpmGetCID: called to evaluate <cscoSha2IdCert>

*spamApTask6: Jan 06 12:35:21.982: sshpmGetCID: Found matching ID cert cscoSha2IdCert in row 3
*spamApTask6: Jan 06 12:35:21.982: GetIDCert: Using SHA2 Id cert on WLC

*spamApTask6: Jan 06 12:35:21.982: Get Cert from CID: For CID 1ef531f1 certType 1
*spamApTask6: Jan 06 12:35:21.982: Get Cert from CID: Found match of ID Cert in row 3
*spamApTask6: Jan 06 12:35:21.982: sshpmGetCID: called to evaluate <cscoSha2IdCert>

*spamApTask6: Jan 06 12:35:21.982: sshpmGetCID: Found matching ID cert cscoSha2IdCert in row 3
*spamApTask6: Jan 06 12:35:21.982: GetDERIDKey: Using SHA2 Id cert Private Keys on WLC

*spamApTask6: Jan 06 12:35:21.982: GetPrivateKey: called to get key for CID 1ef531f1

*spamApTask6: Jan 06 12:35:21.982: Private Key found row 3 KeyBufLen 2048 Keylen 1191 PrivateKeyPtr 0x2cea8478

*spamApTask6: Jan 06 12:35:22.191: OpenSSL Get Issuer Handles: locking ca cert table

*spamApTask6: Jan 06 12:35:22.192: OpenSSL Get Issuer Handles: x509 subject_name /C=US/ST=California/L=San Jose/O=Cisco Systems/CN=AP3G2-00f66301ace1/emailAddress=support@cisco.com

*spamApTask6: Jan 06 12:35:22.192: OpenSSL Get Issuer Handles: issuer_name /O=Cisco/CN=Cisco Manufacturing CA SHA2

*spamApTask6: Jan 06 12:35:22.192: OpenSSL Get Issuer Handles: CN AP3G2-00f66301ace1

*spamApTask6: Jan 06 12:35:22.192: OpenSSL Get Issuer Handles: issuerCertCN Cisco Manufacturing CA SHA2

*spamApTask6: Jan 06 12:35:22.192: GetMac: MAC: 00f6.6301.ace1

*spamApTask6: Jan 06 12:35:22.192: OpenSSL Get Issuer Handles: openssl Mac Address in subject is 00:f6:63:01:ac:e1

*spamApTask6: Jan 06 12:35:22.192: OpenSSL Get Issuer Handles: Cert Name in subject is AP3G2-00f66301ace1

*spamApTask6: Jan 06 12:35:22.192: OpenSSL Get Issuer Handles: Extracted cert issuer from subject name.

*spamApTask6: Jan 06 12:35:22.192: NMSP:: Algo name matched SHA256

*spamApTask6: Jan 06 12:35:22.192: OpenSSL Get Issuer Handles: Cert is issued by Cisco Systems.

*spamApTask6: Jan 06 12:35:22.193: Retrieving x509 cert for CertName cscoMfgSha2CaCert

*spamApTask6: Jan 06 12:35:22.193: sshpmGetCID: called to evaluate <cscoMfgSha2CaCert>

*spamApTask6: Jan 06 12:35:22.193: sshpmGetCID: Found matching CA cert cscoMfgSha2CaCert in row 7
*spamApTask6: Jan 06 12:35:22.193: Found CID 26000445 for certname cscoMfgSha2CaCert

*spamApTask6: Jan 06 12:35:22.193: CACertTable: Found matching CID cscoMfgSha2CaCert in row 7 x509 0x2be3d328
*spamApTask6: Jan 06 12:35:22.193: Retrieving x509 cert for CertName cscoRootSha2CaCert

*spamApTask6: Jan 06 12:35:22.193: sshpmGetCID: called to evaluate <cscoRootSha2CaCert>

*spamApTask6: Jan 06 12:35:22.193: sshpmGetCID: Found matching CA cert cscoRootSha2CaCert in row 6
*spamApTask6: Jan 06 12:35:22.193: Found CID 2f6c24df for certname cscoRootSha2CaCert

*spamApTask6: Jan 06 12:35:22.193: CACertTable: Found matching CID cscoRootSha2CaCert in row 6 x509 0x2be3d3dc
*spamApTask6: Jan 06 12:35:22.193: Verify User Certificate: X509 Cert Verification return code: 0
*spamApTask6: Jan 06 12:35:22.193: Verify User Certificate: X509 Cert Verification result text: certificate is not yet valid
*spamApTask6: Jan 06 12:35:22.193: Verify User Certificate: Error in X509 Cert Verification at 2 depth: certificate is not yet valid
*spamApTask6: Jan 06 12:35:22.193: X509 OpenSSL Errors...

*spamApTask6: Jan 06 12:35:22.193: NONE

*spamApTask6: Jan 06 12:35:22.193: OpenSSL Get Issuer Handles: CISCO CERT, start verify with LSC

*spamApTask6: Jan 06 12:35:22.193: Retrieving x509 cert for CertName othSslLscCaCert

*spamApTask6: Jan 06 12:35:22.193: sshpmGetCID: called to evaluate <othSslLscCaCert>

*spamApTask6: Jan 06 12:35:22.193: sshpmGetCID: failed to find matching cert name othSslLscCaCert

*spamApTask6: Jan 06 12:35:22.193: Cert >othSslLscCaCert< not found.

*spamApTask6: Jan 06 12:35:22.193: Verify User Certificate: can't load cert othSslLscCaCert(?!)

*spamApTask6: Jan 06 12:35:22.193: OpenSSL Get Issuer Handles: CSCO user cert not verified by Cisco Roots ...

*spamApTask6: Jan 06 12:35:22.194: acDtlsPlumbControlPlaneKeys: lrad:10.10.5.102(6863) mwar:10.10.5.253(5246)

*spamApTask6: Jan 06 12:35:22.195: 00:f6:63:01:ac:e1 DTLS connection closed event receivedserver (10.10.5.253/5246) client (10.10.5.102/6863)
*spamApTask6: Jan 06 12:35:22.195: 00:f6:63:01:ac:e1 No entry exists for AP (10.10.5.102/6863)
*spamApTask6: Jan 06 12:35:22.195: 00:f6:63:01:ac:e1 No AP entry exist in temporary database for 10.10.5.102:6863
*spamApTask3: Jan 06 12:35:44.241: b8:38:61:ba:82:c3 DTLS Handshake Timeout server (10.10.5.253:5246), client (10.10.5.104:43054)
*spamApTask3: Jan 06 12:35:44.241: acDtlsPlumbControlPlaneKeys: lrad:10.10.5.104(43054) mwar:10.10.5.253(5246)

*spamApTask3: Jan 06 12:35:44.241: b8:38:61:ba:82:c3 DTLS connection closed event receivedserver (10.10.5.253/5246) client (10.10.5.104/43054)
*spamApTask3: Jan 06 12:35:44.241: b8:38:61:ba:82:c3 No entry exists for AP (10.10.5.104/43054)
*spamApTask3: Jan 06 12:35:44.241: b8:38:61:ba:82:c3 No AP entry exist in temporary database for 10.10.5.104:43054
*spamApTask0: Jan 06 12:35:48.441: c0:67:af:f0:fa:54 DTLS Handshake Timeout server (10.10.5.253:5246), client (10.10.5.101:4007)
*spamApTask0: Jan 06 12:35:48.441: acDtlsPlumbControlPlaneKeys: lrad:10.10.5.101(4007) mwar:10.10.5.253(5246)

*spamApTask0: Jan 06 12:35:48.441: c0:67:af:f0:fa:54 DTLS connection closed event receivedserver (10.10.5.253/5246) client (10.10.5.101/4007)
*spamApTask0: Jan 06 12:35:48.441: c0:67:af:f0:fa:54 No entry exists for AP (10.10.5.101/4007)
*spamApTask0: Jan 06 12:35:48.441: c0:67:af:f0:fa:54 No AP entry exist in temporary database for 10.10.5.101:4007
*spamApTask3: Jan 06 12:36:09.411: b8:38:61:ba:82:c3 DTLS connection not found, creating new connection for 10:10:5:104 (43054) 10:10:5:253 (5246)

*spamApTask3: Jan 06 12:36:09.411: sshpmGetCID: called to evaluate <cscoSha2IdCert>

*spamApTask3: Jan 06 12:36:09.411: sshpmGetCID: Found matching ID cert cscoSha2IdCert in row 3
*spamApTask3: Jan 06 12:36:09.411: GetIDCert: Using SHA2 Id cert on WLC

*spamApTask3: Jan 06 12:36:09.411: Get Cert from CID: For CID 1ef531f1 certType 1
*spamApTask3: Jan 06 12:36:09.411: Get Cert from CID: Found match of ID Cert in row 3
*spamApTask3: Jan 06 12:36:09.411: sshpmGetCID: called to evaluate <cscoSha2IdCert>

*spamApTask3: Jan 06 12:36:09.411: sshpmGetCID: Found matching ID cert cscoSha2IdCert in row 3
*spamApTask3: Jan 06 12:36:09.411: GetDERIDKey: Using SHA2 Id cert Private Keys on WLC

*spamApTask3: Jan 06 12:36:09.411: GetPrivateKey: called to get key for CID 1ef531f1

*spamApTask3: Jan 06 12:36:09.411: Private Key found row 3 KeyBufLen 2048 Keylen 1191 PrivateKeyPtr 0x2cea8478

*spamApTask0: Jan 06 12:36:13.468: c0:67:af:f0:fa:54 DTLS connection not found, creating new connection for 10:10:5:101 (4007) 10:10:5:253 (5246)

*spamApTask0: Jan 06 12:36:13.469: sshpmGetCID: called to evaluate <cscoSha2IdCert>

*spamApTask0: Jan 06 12:36:13.469: sshpmGetCID: Found matching ID cert cscoSha2IdCert in row 3
*spamApTask0: Jan 06 12:36:13.469: GetIDCert: Using SHA2 Id cert on WLC

*spamApTask0: Jan 06 12:36:13.469: Get Cert from CID: For CID 1ef531f1 certType 1
*spamApTask0: Jan 06 12:36:13.469: Get Cert from CID: Found match of ID Cert in row 3
*spamApTask0: Jan 06 12:36:13.469: sshpmGetCID: called to evaluate <cscoSha2IdCert>

*spamApTask0: Jan 06 12:36:13.469: sshpmGetCID: Found matching ID cert cscoSha2IdCert in row 3
*spamApTask0: Jan 06 12:36:13.469: GetDERIDKey: Using SHA2 Id cert Private Keys on WLC

*spamApTask0: Jan 06 12:36:13.469: GetPrivateKey: called to get key for CID 1ef531f1

*spamApTask0: Jan 06 12:36:13.469: Private Key found row 3 KeyBufLen 2048 Keylen 1191 PrivateKeyPtr 0x2cea8478

*spamApTask6: Jan 06 12:36:26.975: 00:f6:63:01:ac:e1 DTLS connection not found, creating new connection for 10:10:5:102 (6863) 10:10:5:253 (5246)

*spamApTask6: Jan 06 12:36:26.975: sshpmGetCID: called to evaluate <cscoSha2IdCert>

*spamApTask6: Jan 06 12:36:26.975: sshpmGetCID: Found matching ID cert cscoSha2IdCert in row 3
*spamApTask6: Jan 06 12:36:26.975: GetIDCert: Using SHA2 Id cert on WLC

*spamApTask6: Jan 06 12:36:26.975: Get Cert from CID: For CID 1ef531f1 certType 1
*spamApTask6: Jan 06 12:36:26.975: Get Cert from CID: Found match of ID Cert in row 3
*spamApTask6: Jan 06 12:36:26.975: sshpmGetCID: called to evaluate <cscoSha2IdCert>

*spamApTask6: Jan 06 12:36:26.975: sshpmGetCID: Found matching ID cert cscoSha2IdCert in row 3
*spamApTask6: Jan 06 12:36:26.975: GetDERIDKey: Using SHA2 Id cert Private Keys on WLC

*spamApTask6: Jan 06 12:36:26.975: GetPrivateKey: called to get key for CID 1ef531f1

*spamApTask6: Jan 06 12:36:26.975: Private Key found row 3 KeyBufLen 2048 Keylen 1191 PrivateKeyPtr 0x2cea8478

*spamApTask6: Jan 06 12:36:27.185: OpenSSL Get Issuer Handles: locking ca cert table

*spamApTask6: Jan 06 12:36:27.186: OpenSSL Get Issuer Handles: x509 subject_name /C=US/ST=California/L=San Jose/O=Cisco Systems/CN=AP3G2-00f66301ace1/emailAddress=support@cisco.com

*spamApTask6: Jan 06 12:36:27.186: OpenSSL Get Issuer Handles: issuer_name /O=Cisco/CN=Cisco Manufacturing CA SHA2

*spamApTask6: Jan 06 12:36:27.186: OpenSSL Get Issuer Handles: CN AP3G2-00f66301ace1

*spamApTask6: Jan 06 12:36:27.186: OpenSSL Get Issuer Handles: issuerCertCN Cisco Manufacturing CA SHA2

*spamApTask6: Jan 06 12:36:27.186: GetMac: MAC: 00f6.6301.ace1

*spamApTask6: Jan 06 12:36:27.186: OpenSSL Get Issuer Handles: openssl Mac Address in subject is 00:f6:63:01:ac:e1

*spamApTask6: Jan 06 12:36:27.186: OpenSSL Get Issuer Handles: Cert Name in subject is AP3G2-00f66301ace1

*spamApTask6: Jan 06 12:36:27.186: OpenSSL Get Issuer Handles: Extracted cert issuer from subject name.

*spamApTask6: Jan 06 12:36:27.186: NMSP:: Algo name matched SHA256

*spamApTask6: Jan 06 12:36:27.186: OpenSSL Get Issuer Handles: Cert is issued by Cisco Systems.

*spamApTask6: Jan 06 12:36:27.186: Retrieving x509 cert for CertName cscoMfgSha2CaCert

*spamApTask6: Jan 06 12:36:27.186: sshpmGetCID: called to evaluate <cscoMfgSha2CaCert>

*spamApTask6: Jan 06 12:36:27.186: sshpmGetCID: Found matching CA cert cscoMfgSha2CaCert in row 7
*spamApTask6: Jan 06 12:36:27.186: Found CID 26000445 for certname cscoMfgSha2CaCert

*spamApTask6: Jan 06 12:36:27.186: CACertTable: Found matching CID cscoMfgSha2CaCert in row 7 x509 0x2be3d328
*spamApTask6: Jan 06 12:36:27.186: Retrieving x509 cert for CertName cscoRootSha2CaCert

*spamApTask6: Jan 06 12:36:27.186: sshpmGetCID: called to evaluate <cscoRootSha2CaCert>

*spamApTask6: Jan 06 12:36:27.186: sshpmGetCID: Found matching CA cert cscoRootSha2CaCert in row 6
*spamApTask6: Jan 06 12:36:27.186: Found CID 2f6c24df for certname cscoRootSha2CaCert

*spamApTask6: Jan 06 12:36:27.186: CACertTable: Found matching CID cscoRootSha2CaCert in row 6 x509 0x2be3d3dc
*spamApTask6: Jan 06 12:36:27.186: Verify User Certificate: X509 Cert Verification return code: 0
*spamApTask6: Jan 06 12:36:27.186: Verify User Certificate: X509 Cert Verification result text: certificate is not yet valid
*spamApTask6: Jan 06 12:36:27.186: Verify User Certificate: Error in X509 Cert Verification at 2 depth: certificate is not yet valid
*spamApTask6: Jan 06 12:36:27.186: X509 OpenSSL Errors...

*spamApTask6: Jan 06 12:36:27.186: NONE

*spamApTask6: Jan 06 12:36:27.187: OpenSSL Get Issuer Handles: CISCO CERT, start verify with LSC

*spamApTask6: Jan 06 12:36:27.187: Retrieving x509 cert for CertName othSslLscCaCert

*spamApTask6: Jan 06 12:36:27.187: sshpmGetCID: called to evaluate <othSslLscCaCert>

*spamApTask6: Jan 06 12:36:27.187: sshpmGetCID: failed to find matching cert name othSslLscCaCert

*spamApTask6: Jan 06 12:36:27.187: Cert >othSslLscCaCert< not found.

*spamApTask6: Jan 06 12:36:27.187: Verify User Certificate: can't load cert othSslLscCaCert(?!)

*spamApTask6: Jan 06 12:36:27.187: OpenSSL Get Issuer Handles: CSCO user cert not verified by Cisco Roots ...

*spamApTask6: Jan 06 12:36:27.187: acDtlsPlumbControlPlaneKeys: lrad:10.10.5.102(6863) mwar:10.10.5.253(5246)

*spamApTask6: Jan 06 12:36:27.188: 00:f6:63:01:ac:e1 DTLS connection closed event receivedserver (10.10.5.253/5246) client (10.10.5.102/6863)
*spamApTask6: Jan 06 12:36:27.188: 00:f6:63:01:ac:e1 No entry exists for AP (10.10.5.102/6863)
*spamApTask6: Jan 06 12:36:27.188: 00:f6:63:01:ac:e1 No AP entry exist in temporary database for 10.10.5.102:6863

(Cisco Controller) >debug disable-all

And then

(Cisco Controller) >debug pm pki enable

(Cisco Controller) >*spamApTask1: Jan 06 12:39:51.212: 00:a2:89:e8:13:10 Discovery Response sent to 10.10.5.102:6864

*spamApTask1: Jan 06 12:41:06.202: sshpmGetCID: called to evaluate <cscoSha2IdCert>

*spamApTask1: Jan 06 12:41:06.412: OpenSSL Get Issuer Handles: locking ca cert table

*spamApTask1: Jan 06 12:41:06.413: OpenSSL Get Issuer Handles: x509 subject_name /C=US/ST=California/L=San Jose/O=Cisco Systems/CN=AP3G2-00f66301ace1/emailAddress=support@cisco.com

*spamApTask1: Jan 06 12:41:06.413: OpenSSL Get Issuer Handles: issuer_name /O=Cisco/CN=Cisco Manufacturing CA SHA2

*spamApTask1: Jan 06 12:41:06.413: OpenSSL Get Issuer Handles: CN AP3G2-00f66301ace1

*spamApTask1: Jan 06 12:41:06.413: OpenSSL Get Issuer Handles: issuerCertCN Cisco Manufacturing CA SHA2

*spamApTask1: Jan 06 12:41:06.413: GetMac: MAC: 00f6.6301.ace1

*spamApTask1: Jan 06 12:41:06.413: OpenSSL Get Issuer Handles: openssl Mac Address in subject is 00:f6:63:01:ac:e1

*spamApTask1: Jan 06 12:41:06.413: OpenSSL Get Issuer Handles: Cert Name in subject is AP3G2-00f66301ace1

*spamApTask1: Jan 06 12:41:06.413: OpenSSL Get Issuer Handles: Extracted cert issuer from subject name.

*spamApTask1: Jan 06 12:41:06.413: NMSP:: Algo name matched SHA256

*spamApTask1: Jan 06 12:41:06.413: OpenSSL Get Issuer Handles: Cert is issued by Cisco Systems.

*spamApTask1: Jan 06 12:41:06.413: Retrieving x509 cert for CertName cscoMfgSha2CaCert

*spamApTask1: Jan 06 12:41:06.413: sshpmGetCID: called to evaluate <cscoMfgSha2CaCert>

*spamApTask1: Jan 06 12:41:06.413: sshpmGetCID: Found matching CA cert cscoMfgSha2CaCert in row 7
*spamApTask1: Jan 06 12:41:06.413: Found CID 26000445 for certname cscoMfgSha2CaCert

*spamApTask1: Jan 06 12:41:06.413: CACertTable: Found matching CID cscoMfgSha2CaCert in row 7 x509 0x2be3d328
*spamApTask1: Jan 06 12:41:06.413: Retrieving x509 cert for CertName cscoRootSha2CaCert

*spamApTask1: Jan 06 12:41:06.413: sshpmGetCID: called to evaluate <cscoRootSha2CaCert>

*spamApTask1: Jan 06 12:41:06.413: sshpmGetCID: Found matching CA cert cscoRootSha2CaCert in row 6
*spamApTask1: Jan 06 12:41:06.413: Found CID 2f6c24df for certname cscoRootSha2CaCert

*spamApTask1: Jan 06 12:41:06.413: CACertTable: Found matching CID cscoRootSha2CaCert in row 6 x509 0x2be3d3dc
*spamApTask1: Jan 06 12:41:06.414: Verify User Certificate: X509 Cert Verification return code: 0
*spamApTask1: Jan 06 12:41:06.414: Verify User Certificate: X509 Cert Verification result text: certificate is not yet valid
*spamApTask1: Jan 06 12:41:06.414: Verify User Certificate: Error in X509 Cert Verification at 2 depth: certificate is not yet valid
*spamApTask1: Jan 06 12:41:06.414: X509 OpenSSL Errors...

*spamApTask1: Jan 06 12:41:06.414: NONE

*spamApTask1: Jan 06 12:41:06.414: OpenSSL Get Issuer Handles: CISCO CERT, start verify with LSC

*spamApTask1: Jan 06 12:41:06.414: Retrieving x509 cert for CertName othSslLscCaCert

*spamApTask1: Jan 06 12:41:06.414: sshpmGetCID: called to evaluate <othSslLscCaCert>

*spamApTask1: Jan 06 12:41:06.414: sshpmGetCID: failed to find matching cert name othSslLscCaCert

*spamApTask1: Jan 06 12:41:06.414: Cert >othSslLscCaCert< not found.

*spamApTask1: Jan 06 12:41:06.414: Verify User Certificate: can't load cert othSslLscCaCert(?!)

(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >debug disable-all

Re: 2504 Fallback has suddenly stopped working - Help needed

Arshad Safrulla — Fri, 30 Jul 2021 10:35:05 GMT

Can you check NTP and time for both AP and WLC. You may advertise option 42 for AP’s if reqd

Re: 2504 Fallback has suddenly stopped working - Help needed

Rich R — Fri, 30 Jul 2021 14:29:20 GMT

You didn't provide the requested "sh crypto pki certificates" output from the APs?

That will clearly show the certs on the APs.

Either way you're almost definitely going to need to follow the field notice to fix the problem.

Read it carefully twice to make sure you understand it and then follow the steps in the right order. There are a number of posts about this on the forums already and I summarised it a few days ago on one of them. You will need to upgrade from that very old code version.

Re: 2504 Fallback has suddenly stopped working - Help needed

Cormac Champion — Fri, 30 Jul 2021 21:25:33 GMT

Sorry - although I possibly didn't run it for long enough

I suppose I should just go ahead and install 8.5.131.0 - if I do, do I still need to do stuff like turning off NTP and turning the clock back ?