Pengfei Yu
Campus XX: old wireless AP models with expired self-signed certificates (MIC/SSC) fail to register with the WLC. Log information and brief analysis.

1. Overview
    On 2016-02-14, the wireless AP devices in campus XX could not register normally with the primary WLC Z02-WLC-4402-01 (wireless controller), causing wide-area wireless login failures across the campus.
    The root cause is that the AP models in use at the campus are old (Cisco 1131 and 1231). The factory time windows of the APs' self-signed certificates (SSC) and manufacturer installed certificates (MIC) had expired, so the AP certificate check failed and the APs could not register with the WLC. It is recommended to replace the older wireless equipment, WLC 4402 and AP 1131/1231, as soon as possible.
    The relevant log information collected is as follows:
AP output:
Reading cookie from flash parameter block...done.
Base ethernet MAC Address: 00:16:9d:6c:af:6c
Initializing ethernet port 0...
Reset ethernet port 0...
Reset done!
ethernet link up, 100 mbps, full-duplex
Ethernet port 0 initialized: link is up
Loading "flash:/c1200-k9w8-mx.124-21a.JHB/c1200-k9w8-mx.124-21a.JHB"...#############################################################################################################################################################################################################################################################################################
File "flash:/c1200-k9w8-mx.124-21a.JHB/c1200-k9w8-mx.124-21a.JHB" uncompressed and installed, entry point: 0x3000
executing...

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706

Cisco IOS Software, C1200 Software (C1200-K9W8-M), Version 12.4(21a)JHB, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 06-Jul-10 14:15 by prod_rel_team

Proceeding with system init

Proceeding to unmask interrupts
Initializing flashfs...

flashfs[1]: WARNING -Unable to allocate backup blocks.
Please free some space on the flash file system.
flashfs[1]: 11 files, 3 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 7741440
flashfs[1]: Bytes used: 5343232
flashfs[1]: Bytes available: 2398208
flashfs[1]: flashfs fsck took 3 seconds.
flashfs[1]: Initialization complete....done Initializing flashfs.

Radio0  present A506 5100 E8000000 A0000000 80000000 3
Radio1 not present 0 0 0 0 0 2
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-AP1231G-E-K9     (PowerPC405GP) processor (revision A0) with 15038K/1336K bytes of memory.
Processor board ID FHK.......T
PowerPC405GP CPU at 196Mhz, revision number 0x0145
Last reset from power-on
LWAPP image version 6.0.199.0
1 FastEthernet interface
1 802.11 Radio(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:00:00:00:00:00
Part Number                          : 73-8704-11
PCA Assembly Number                  : 800-23211-12
PCA Revision Number                  : A0
PCB Serial Number                    : FOC......40
Top Assembly Part Number             : 800-23304-13
Top Assembly Serial Number           : FHK......8T
Top Revision Number                  : A0
Product/Model Number                 : AIR-AP1231G-E-K9    
% Please define a domain-name first.
no ip http server
       ^
% Invalid input detected at '^' marker.

Press RETURN to get started!

*Mar  1 00:00:05.008: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
*Mar  1 00:00:06.283: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
*Mar  1 00:00:06.408: %LWAPP-3-CLIENTEVENTLOG: Read and initialized AP event log (contains, 1024 messages)

*Mar  1 00:00:07.462:  STUB Called : crypto_ssl_init
*Mar  1 00:00:08.502: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
*Mar  1 00:00:08.565: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C1200 Software (C1200-K9W8-M), Version 12.4(21a)JHB, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 06-Jul-10 14:15 by prod_rel_team
*Mar  1 00:00:08.651: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Mar  1 00:00:08.652: bsnInitRcbSlot: slot 1 has NO radio
*Mar  1 00:00:08.826: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Mar  1 00:00:08.826: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar  1 00:00:09.100: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar  1 00:00:09.506: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
*Mar  1 00:00:09.822: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar  1 00:00:09.836: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar  1 00:00:16.953: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address 10.115.55.147, mask 255.255.255.0, hostname Z02-KFAP-1202-02 <<<< The AP has obtained an IP address automatically, confirming the IP network is working;
*Mar  1 00:00:27.557: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar  1 00:00:27.569: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar  1 00:00:27.944: Logging LWAPP message to 255.255.255.255.

*Mar  1 00:00:28.000: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Mar  1 00:00:38.559: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.

Translating "CISCO-LWAPP-CONTROLLER"...domain server (255.255.255.255)
*Mar  1 00:00:47.559: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER

*Mar  1 00:00:56.560: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-LWAPP-CONTROLLER
*Mar  1 00:01:08.561: %CAPWAP-3-ERRORLOG: Selected MWAR 'XXXXXX-4402-01'(index 0).  
                                                                           <<<< The WLC address stored in the AP's NVRAM is used to request registration with the WLC;
*Mar  1 00:01:08.561: %CAPWAP-3-ERRORLOG: Go join a capwap controller   
*Feb 14 04:30:43.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.115.55.4 peer_port: 5246
*Feb 14 04:30:44.001: %CAPWAP-5-CHANGED: CAPWAP changed state to  <<<< Normal join process;
*Feb 14 04:30:45.718: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.115.55.4
*Feb 14 04:30:45.719: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.   
                                                                                       <<<< The timestamp mismatch causes certificate verification to fail; the join fails;
*Feb 14 04:30:45.719: %DTLS-5-PEER_DISCONNECT: Peer 10.115.55.4 has closed connection.
*Feb 14 04:30:45.719: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 10.115.55.4:5246
*Feb 14 04:30:45.720: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
WLC output:
     ...  ...
*Feb 14 14:00:37.031: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:617 Failed to complete DTLS handshake with peer 10.115.55.152
*Feb 14 14:00:37.031: %DTLS-4-BAD_CERT: openssl_dtls.c:1050 Certificate verification failed. Peer IP: 10.115.55.152
*Feb 14 14:00:37.030: %SSHPM-4-AP_CERT_EXPIRED: sshpmPkiApi.c:2448 AP certificate time 2006/02/02/06:11:38 - 2016/02/02/06:21:38 is not valid. 
     ...  ...
So, from the logs, it can be confirmed that the expired AP certificate time window caused certificate verification to fail, so the AP could not register normally with the WLC.
### Check the AP certificate:
AP#show crypto pki 
Issuer: 
cn=Cisco Manufacturing CA 
o=Cisco Systems 
Subject: 
Name:

Validity Date: 
start date: 04:22:10 UTC Jul 11 2007 
end date: 04:32:10 UTC Jul 11 2017 
Associated Trustpoints: Cisco_IOS_MIC_cert
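As an added example (not code from the original post), the following Python script parses the two validity formats shown above, the WLC `%SSHPM-4-AP_CERT_EXPIRED` log line and the AP's `show crypto pki` output, and classifies each certificate window against a given controller clock, so a fleet of old APs can be audited for expiring MIC/SSC certificates before they stop joining. The sample log lines, the `show crypto pki` text and the clock values are constructed from the formats on this page; the `warn_days` threshold is an assumed value.

```python
import re
from datetime import datetime, timedelta
# WLC syslog line seen on this page: "... AP certificate time 2006/02/02/06:11:38 - 2016/02/02/06:21:38 is not valid."
WLC_EXPIRED_RE = re.compile(
    r"%SSHPM-4-AP_CERT_EXPIRED:.*?AP certificate time "
    r"(\d{4}/\d{2}/\d{2}/\d{2}:\d{2}:\d{2}) - (\d{4}/\d{2}/\d{2}/\d{2}:\d{2}:\d{2})")
# "show crypto pki" validity lines on the AP, e.g. "start date: 04:22:10 UTC Jul 11 2007"
PKI_DATE_RE = re.compile(r"(start|end) date: (\d{2}:\d{2}:\d{2}) UTC (\w{3} \d{1,2} \d{4})")

def parse_wlc_window(line):
    """Return (not_before, not_after) from a WLC AP_CERT_EXPIRED line, or None."""
    m = WLC_EXPIRED_RE.search(line)
    if not m:
        return None
    fmt = "%Y/%m/%d/%H:%M:%S"
    return datetime.strptime(m.group(1), fmt), datetime.strptime(m.group(2), fmt)

def parse_pki_window(text):
    """Return (not_before, not_after) from 'show crypto pki' output, or None."""
    found = {}
    for which, hms, dmy in PKI_DATE_RE.findall(text):
        found[which] = datetime.strptime(f"{hms} {dmy}", "%H:%M:%S %b %d %Y")
    return (found["start"], found["end"]) if len(found) == 2 else None

def cert_status(window, now, warn_days=90):
    """Classify a validity window against the controller clock 'now' (warn_days is an assumed threshold)."""
    not_before, not_after = window
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"
    if now + timedelta(days=warn_days) > not_after:
        return "expiring-soon"
    return "valid"

# Constructed sample input modelled on the page's log formats, not a real capture.
SAMPLE_WLC_LOG = [
    "*Feb 14 14:00:37.031: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:617 Failed to complete DTLS handshake with peer 10.115.55.152",
    "*Feb 14 14:00:37.030: %SSHPM-4-AP_CERT_EXPIRED: sshpmPkiApi.c:2448 AP certificate time 2006/02/02/06:11:38 - 2016/02/02/06:21:38 is not valid.",
]
SAMPLE_SHOW_PKI = "Validity Date:\nstart date: 04:22:10 UTC Jul 11 2007\nend date: 04:32:10 UTC Jul 11 2017\n"

def audit(wlc_lines, pki_text, now):
    """Return {source: status} for each validity window found in the inputs."""
    report = {}
    windows = [w for w in map(parse_wlc_window, wlc_lines) if w]
    if windows:
        report["wlc-log"] = cert_status(windows[-1], now)
    if (w := parse_pki_window(pki_text)):
        report["show-crypto-pki"] = cert_status(w, now)
    return report
```

Run against the page's incident clock (2016-02-14 14:00:37) the WLC-logged certificate reports as expired while the MIC shown by `show crypto pki` is still valid until July 2017, which matches the conclusion that the SSC window, not the MIC, is what the controller rejected.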

2. Remediation
   1. The root fix is to replace the faulty APs, for the time being, with AP models of newer manufacture;
   2. Temporarily change the WLC system time so that it falls within the validity period of the AP self-signed certificate (SSC).
            Note: this is only a temporary workaround and can have unpredictable effects on network authentication, access and services; upgrade the WLC software or replace the equipment as soon as possible to eliminate the underlying risk;

       3. It is recommended to upgrade the WLC to a newer release (7.0.252.0) and use the newly added feature to ignore validation of the AP self-signed certificate (SSC);


                  The CLI commands are as follows:
   This requires a relatively new OS, e.g. 7.0.252.0, or 7.4.140.0 and later
         For Version 7.0.252.0, use this command:
           (WLC)>config ap lifetime-check {mic|ssc} enable 
         For Versions 7.4.140.0 and later, use this command: 
           (WLC)>config ap cert-expiry-ignore {mic|ssc} enable 

Thanks to Guo Min and all the friends for their support!
