The factory-installed certificate on the Cisco 1131 wireless AP has a 10-year lifetime. Once that period is exceeded the AP can no longer build its DTLS/CAPWAP tunnel to the WLC, so the wireless service stops working. The AP log looks like this:
*Mar 1 00:01:01.270: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
*Mar 1 00:01:12.272: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Nov 4 06:08:53.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.16.4 peer_port: 5246
*Nov 4 06:08:54.588: %DTLS-5-ALERT: Received FATAL: Certificate unknown alert from 10.10.16.4
*Nov 4 06:08:54.588: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Nov 4 06:08:54.588: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.16.4:5246
*Nov 4 06:08:54.589: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
GX-AP-808#show logg
Analysis showed that only the older 1131 model has hit this so far; the certificates on the newer 1142 model run until 2020. To keep the affected APs in service, the WLC's certificate-expiry-ignore feature has to be enabled. Bear in mind that this knob only tells the WLC to disregard the expiration date on the AP's MIC or SSC; it does not disable certificate authentication of the AP.
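The failure above shows up in the AP's syslog as a fixed sequence: a DTLS connection request to the controller, a fatal "Certificate unknown" alert back from that same controller, and the AP tearing the session down. As an added example (not from the original post and not Cisco code), the Python below pulls that sequence out of AP log output and also applies the 10-year MIC lifetime stated in the Cisco release note to an issue date, to tell whether a given AP's certificate is already past its validity. The sample log is constructed to mirror the excerpt above; the MIC issue date, the function names and the triage wording are illustrative assumptions.

```python
"""Triage of a CAPWAP join failure caused by an expired AP certificate.

Added example: parses Cisco AP syslog output for the DTLS handshake that the
controller rejected with a certificate alert, and checks a MIC's validity
against the 10-year lifetime Cisco states for manufacturer-installed certs.
"""
import re
from datetime import datetime

# Constructed sample, modelled on the 'show logging' excerpt in the post.
SAMPLE_LOG = """\
*Mar 1 00:01:01.270: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
*Mar 1 00:01:12.272: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Nov 4 06:08:53.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.16.4 peer_port: 5246
*Nov 4 06:08:54.588: %DTLS-5-ALERT: Received FATAL: Certificate unknown alert from 10.10.16.4
*Nov 4 06:08:54.588: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Nov 4 06:08:54.588: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.16.4:5246
*Nov 4 06:08:54.589: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
"""

# IOS syslog line: *<timestamp>: %<FACILITY>-<severity>-<MNEMONIC>: <message>
LINE_RE = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d+\s+[\d:.]+): "
    r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<msg>.*)$"
)
PEER_RE = re.compile(r"peer_ip: (\S+) peer_port: (\d+)")
ALERT_RE = re.compile(r"Received FATAL: (.+?) alert from (\S+)")

MIC_LIFETIME_YEARS = 10  # per the Cisco release note quoted in the post


def parse_syslog(text):
    """Split raw AP log output into structured events; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def dtls_cert_failures(events):
    """Return one record per DTLS attempt that the peer aborted with a certificate alert.

    The sequence is: DTLSREQSEND to a controller, a fatal DTLS alert naming a
    certificate problem from the same peer, then CAPWAP logging 'Bad certificate
    alert received from peer'. Anything else (e.g. discovery errors) is ignored.
    """
    failures = []
    pending = None
    for ev in events:
        if ev["mnem"] == "DTLSREQSEND":
            pm = PEER_RE.search(ev["msg"])
            if pm:
                pending = {"peer_ip": pm.group(1), "peer_port": int(pm.group(2)), "alert": None}
        elif ev["mnem"] == "ALERT" and pending is not None:
            am = ALERT_RE.search(ev["msg"])
            if am and am.group(2) == pending["peer_ip"]:
                pending["alert"] = am.group(1)
        elif ev["mnem"] == "ERRORLOG" and "Bad certificate alert" in ev["msg"]:
            if pending is not None and pending["alert"] is not None:
                failures.append(pending)
            pending = None
    return failures


def mic_not_after(not_before, lifetime_years=MIC_LIFETIME_YEARS):
    """End of validity for a MIC issued at not_before (handles a 29 Feb issue date)."""
    try:
        return not_before.replace(year=not_before.year + lifetime_years)
    except ValueError:
        return not_before.replace(year=not_before.year + lifetime_years, day=28)


def mic_expired(not_before, at):
    """True if a certificate issued at not_before is past its 10-year validity at time 'at'."""
    return at > mic_not_after(not_before)


def triage(log_text, mic_issued=None, now=None):
    """Combine the two checks into a short diagnosis a field engineer can act on."""
    failures = dtls_cert_failures(parse_syslog(log_text))
    if not failures:
        return "no DTLS certificate rejection found in log"
    f = failures[0]
    verdict = f"WLC {f['peer_ip']}:{f['peer_port']} rejected the AP certificate ({f['alert']})"
    if mic_issued is not None and now is not None:
        if mic_expired(mic_issued, now):
            verdict += (f"; MIC issued {mic_issued:%Y-%m-%d} expired "
                        f"{mic_not_after(mic_issued):%Y-%m-%d}, enable cert-expiry-ignore on the WLC")
        else:
            verdict += "; MIC is still within its validity period, look elsewhere"
    return verdict


if __name__ == "__main__":
    # Issue date is illustrative; read the real one from the AP's MIC.
    print(triage(SAMPLE_LOG, datetime(2006, 5, 1), datetime(2016, 11, 4)))
```

The parser only treats a "Bad certificate alert" line as a hit when it follows a DTLS request to the same controller that also sent the alert, so a stray discovery error or an unrelated DTLS alert does not get reported as an expired-certificate case.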
Cisco's official documentation states the following:
- Cisco Lightweight Access Points that were manufactured over 10 years ago may fail to create a CAPWAP or LWAPP connection due to certificate expiration. You may allow the Access Points with Manufactured Installed Certificates (MICs) or Self-signed Certificates (SSCs) beyond their expiration date to associate with Cisco WLC.
On Cisco WLCs, the AP lifetime-check parameter is enabled by default. After upgrading, we recommend that you configure the Cisco WLC to ignore the expiration date on the APs’ MICs and SSCs by entering this command:
(Cisco Controller) >config ap cert-expiry-ignore {mic | ssc} enable
When the config ap cert-expiry-ignore {mic | ssc} enable command is entered, Cisco WLC ignores the expiration date on the APs' MICs or SSCs, allowing APs or Cisco WLCs with certificates that are more than 10 years old to connect with each other. The AP lifetime-check parameter must remain enabled as long as APs with expired MICs or SSCs are managed by this Cisco WLC.
You can see the configuration state by entering this command:
(Cisco Controller) >show certificate summary
Web Administration Certificate................... 3rd Party
Web Authentication Certificate................... Locally Generated
Certificate compatibility mode:.................. off
Lifetime Check for MIC.......................... Enable
Lifetime Check for SSC.......................... Enable
http://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn80mr2.html