topic Re: AP certificate validation error between 2 9800 WLCs cluster in Wireless

AP certificate validation error between 2 9800 WLCs cluster

Clem58 — Fri, 09 Dec 2022 16:21:39 GMT

Hello,

I'm testing 2 WLCs clusters, same versions 17.3.6. WLC01 and WLC02

I have 2 APs, one 3801I and one 3702E, when I move the APs from WLC01 to WLC02, using primary and secondary in High Availibility parameters, it's working perfectly.

But when I do the return, WLC02 to WLC01, the both APs cannot join, in the log we see :

SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed.Peer certificate verification failed

The only way to have them joining back WLC01 is to clear capwap private-config on 3702 and reset the 3802 with mode button.

As we want to have N+1 WLCs cluster (remote) at the final state, in production, I don't want to have to manually reset all the APs when they will failover back to the initial WLCs.

Is it anything you already faced ?

Re: AP certificate validation error between 2 9800 WLCs cluster

Mark Elsen — Fri, 09 Dec 2022 17:23:04 GMT

- Could you run the configuration of both controllers through WirlessAnalyzer with the procedure mentioned below, look for differences in advisories (or configuration) which may be indicative :
Use the CLI command : show tech wireless , have the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/ , please note do not use classical show tech-support (short version) , use the command denoted in green for Wireless Analyzer.

Re: AP certificate validation error between 2 9800 WLCs cluster

balaji.bandi — Fri, 09 Dec 2022 17:36:48 GMT

can you post the output

>show certificate ssc

i think there is a bug on this i dont have in hand but will post later when i get chance.

Re: AP certificate validation error between 2 9800 WLCs cluster

Leo Laohoo — Fri, 09 Dec 2022 23:24:03 GMT

The 3702 has a tiny flash space and can only accommodate one CAPWAP image.

To go from AireOS to IOS-XE (and back) means the AP will need to download the IOS every time it crosses over.

Finally, the 2702/3702 are affected by FN - 72524 - During Software Upgrade/Downgrade, Cisco IOS APs Might Remain in Downloading State After December 4, 2022 Due to Certificate Expiration.

Re: AP certificate validation error between 2 9800 WLCs cluster

Rich R — Sat, 10 Dec 2022 17:32:58 GMT

What model of 9800 are you using - 9800-CL?

This sounds suspiciously similar to a well known problem with vWLC on AireOS!
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva69352
You can try the "Alternative workaround" from that? (if it's even possible on 9800)
Either way I think you'll need to open a TAC case for it because I don't see any bugs open for it on 9800.
Presume you have configured (and verified) mobility between the WLCs with the hash configured as per https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_vewlc_mobility.html ?

Re: AP certificate validation error between 2 9800 WLCs cluster

Clem58 — Sat, 10 Dec 2022 15:39:09 GMT

For Balaji
"show certificate ssc" does not exist

For Leo
It's not the recent bug with 3702, as we have the same issue with 3802 AP.

For Rich
There are different mobility groups, as the 2 clusters are in different sites (remote) so we don't have same mobility group, we don't need the 2 WLCs to share any RF data and so on. Anyway the migration from WLC01 to WLC02 is working, but not the inverse.

Re: AP certificate validation error between 2 9800 WLCs cluster

Rich R — Sat, 10 Dec 2022 17:35:04 GMT

@Clem58 - yes I understand that but I think it may still fix this problem for you - it might actually be necessary to have this working as you intend. So TRY IT and see if it helps?

Re: AP certificate validation error between 2 9800 WLCs cluster

Clem58 — Sat, 10 Dec 2022 17:37:41 GMT

Ok that's a good point, I will try to set same mobility group name next
week and let you know if it's improving anything.

Thanks !

Re: AP certificate validation error between 2 9800 WLCs cluster

Rich R — Sat, 10 Dec 2022 17:51:21 GMT

It's not just setting the mobility group name.

You need the working mobility connection between the WLCs so that they share hashes with each other and the APs store both WLC's hashes.

Re: AP certificate validation error between 2 9800 WLCs cluster

Clem58 — Sun, 11 Dec 2022 08:20:41 GMT

Yes of course I will add the peer WLCs into the mobility group.

Re: AP certificate validation error between 2 9800 WLCs cluster

Clem58 — Mon, 12 Dec 2022 14:39:26 GMT

So my problem is solved, actually even with mobility enabled and peers added and UP, I still had this issue with SSC certificate validation.

After double checked the configs, I noticed a setting I left, on both WLCs, when I was tshooting the issue with 3702 AP (recent bug with certificate expiration), so I had added : wireless management certificate ssc auth-token 0 password

After removing this settings, the APs can migrate from a WLC to another without any issue !

Re: AP certificate validation error between 2 9800 WLCs cluster

Rich R — Mon, 12 Dec 2022 16:12:51 GMT

Ah well glad you worked it out!