取消
显示结果 
搜索替代 
您的意思是: 
cancel
6475
查看次数
0
有帮助
2
回复

无线AP证书过期,导致ap无法与wlc建立隧道的故障处理

dml444988615
Level 1
Level 1
由于无线ap1131出厂设置证书时间为10年,超过时间后无法与wlc建立隧道连接,导致业务无法正常运行,故障如下
*Mar 1 00:01:01.270: %CAPWAP-3-ERRORLOG: Could Notresolve CISCO-CAPWAP-CONTROLLER
*Mar 1 00:01:12.272: %CAPWAP-3-ERRORLOG: Go join acapwap controller
*Nov 4 06:08:53.000: %CAPWAP-5-DTLSREQSEND: DTLSconnection request sent peer_ip: 10.10.16.4 peer_port: 5246
*Nov 4 06:08:54.588: %DTLS-5-ALERT: Received FATAL: Certificate unknown alert from 10.10.16.4
*Nov 4 06:08:54.588: %CAPWAP-3-ERRORLOG: Badcertificate alert received from peer.
*Nov 4 06:08:54.588: %DTLS-5-SEND_ALERT: SendFATAL : Close notify Alert to 10.10.16.4:5246
*Nov 4 06:08:54.589: %CAPWAP-3-ERRORLOG: Invalidevent 38 & state 3 combination.
GX-AP-808#showlogg

经过分析,只有老型号1131出现过,较新的型号1142证书到2020年到期,为了正常使用,打开wlc的证书过期忽略功能才能继续使用

cisco官网说明如下:

  • Cisco Lightweight Access Points that were manufactured over 10 years ago may fail to create a CAPWAP or LWAPP connection due to certificate expiration. You may allow the Access Points with Manufactured Installed Certificates (MICs) or Self-signed Certificates (SSCs) beyond their expiration date to associate with Cisco WLC.
On Cisco WLCs,the AP lifetime-check parameter is enabled by default. After upgrading, werecommend that you configure the Cisco WLC to ignore the expiration date on theAPs’ MICs and SSCs by entering thiscommand:
(Cisco Controller) >config ap cert-expiry-ignore {mic | ssc}enable

When the config ap cert-expiry-ignore { mic | ssc } enable command is entered, Cisco WLC ignores the expiration date on theAPs' MICs or SSCs, allowing APs or Cisco WLCs with certificates that are morethan 10 years old to connect with each other. The AP lifetime-check parametermust remain enabled as long as APs with expired MICs or SSCs are managed bythis Cisco WLC.
You can see theconfiguration state by entering this command:
(Cisco Controller) >show certificate summary

Web Administration Certificate................... 3rd Party
Web Authentication Certificate................... LocallyGenerated
Certificate compatibility mode:.................. off
Lifetime Check for MIC.......................... Enable
Lifetime Check for SSC.......................... Enable

http://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn80mr2.html

2 条回复2

one-time
Level 13
Level 13
感谢您的提问,会有小伙伴为您解答的!:):handshake

suzhouxiaoniu
Spotlight
Spotlight
感谢分享。。。。。
快捷链接