AP2802 cannot join to VWLC due to spamCheck_valid_vWLC_X509: SSC Hash not allowed

Hi Community.

I have this issue joining APs to vWLC 8.5.150.0: 

AP-28>show inventory
NAME: AP2800, DESCR: Cisco Aironet 2800 Series (IEEE 802.11ac) Access Point
PID: AIR-AP2802I-E-K9 , VID: V03, SN: FCW2329PHEZ

Validity for SHA 1: 
Not Before: Jul 19 19:00:00 2019 GMT
Not After : May 14 20:25:42 2029 GMT

Validity for SHA 2:

Validity
Not Before: Jul 19 19:00:36 2019 GMT
Not After : Nov 12 13:00:17 2037 GMT

No other cert in AP.

Log in AP:

[*07/15/2020 12:50:49.2905] Discovery Response from 192.168.9.228
[*07/15/2020 12:50:45.0000]
[*07/15/2020 12:50:45.0000] CAPWAP State: DTLS Setup
[*07/15/2020 12:50:45.0006] dtls_connectionDB_add_connection: Number of DTLS connections exceeded two
[*07/15/2020 12:50:45.3936] spamCheck_valid_vWLC_X509: SSC Hash not allowed
[*07/15/2020 12:50:45.3936]
[*07/15/2020 12:50:45.4061] display_verify_cert_status: Verify Cert: FAILED at 1 depth: self signed certificate in certificate chain
[*07/15/2020 12:50:45.4082] dtls_verify_con_cert: Controller certificate verification error
[*07/15/2020 12:50:45.4085] dtls_process_packet: Controller certificate verification failed
[*07/15/2020 12:50:45.4092] sendPacketToDtls: DTLS: Closing connection 0xe8aa00.
[*07/15/2020 12:50:45.4094] Restarting CAPWAP State Machine.
[*07/15/2020 12:50:45.5141]
[*07/15/2020 12:50:45.5141] CAPWAP State: DTLS Teardown

vWLC side:

SSC Validity :
Start : Jul 13 04:23:03 2020 GMT
End : May 22 04:23:03 2030 GMT

Changing time to July 2019 or Dec 2019 doesn't work.

Disabling NTP doesn't work.

I followed this FN https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html but my APs cannot join the vWLC.

Please help me to solve this issue.

Regards.

8 REPLIES

- Check AP-model versus controller-model/software version compliance with:

https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

M.

I don't think either of those FNs apply. I wouldn't expect setting the date earlier to help but WLC must be synced to NTP.
Jorge can you provide "show certificate summary", "show certificate ssc" & "show certificate all" from the WLC?
I can't see anything about this in docs so might be heading towards a TAC case ...
Hi rruding.

Please find attached the outputs requested.
Thanks a lot for your help.

Few things just to try:
1. Factory reset the AP by using the mode button. Hold for >20 seconds until the LED flashes red.
2. Log into the AP and delete the config: clear capwap private-config, then reboot the AP.
3. Maybe disable the hash: config certificate ssc hash validation disable
-Scott
*** Please rate helpful posts ***
Thanks a lot all of you for your help.

Reset to factory default works well to solve this issue.

Just keep that in mind… if the AP drops off and fails to join again, factory reset it. I know it's a pain, but that is my way of recovering an AP when it doesn't join again.
-Scott
*** Please rate helpful posts ***

Nothing obviously wrong with the outputs but I think Scott got the right answers there ^^^.
Been looking back through other previous posts and this seems to happen when an AP has previously been joined to another vWLC - it stores the hash and then expects to see the same hash in future.
https://www.cisco.com/c/en/us/td/docs/wireless/technology/mesh/8-2/b_Virtual_Wireless_LAN_Controller_Deployment_Guide_8-2.html#concept_D01C165C662E42AEA3D829A1285272D4 says:
"Note When an AP moves from one vWLC to another, it may refuse to join the second vWLC. It occurs when the server hardware fails, or a new instance of vWLCs are created. It is recommended to implement server mirroring scheme at the VMware level such as vMotion or some orchestrator. It is highly recommended to retain a snapshot of the VM instance, one from the mobility domain to which access points have joined previously. Then use the snapshot to start the vWLC instance. Access points then join the vWLC. This method can also be used for priming access points instead of a physical controller."
Clearing the AP config and disabling hash check is the workaround for that.
Sort of documented in https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuf38985 and the doc link it provides - every vWLC the AP connects to must contain the hashes of every other vWLC the AP connects to and they must be in the same mobility group. If you can't do that you'll have to use the workaround.
I've not played with vWLC myself so apologies if I got any of this wrong - it's just what I've pieced together from other posts and docs.
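As an added triage example (not from this thread, Cisco, or any of the posters), the Python below parses AP log lines in the `[*MM/DD/YYYY HH:MM:SS.ffff] message` format quoted above, maps the two failure messages to the causes the thread arrives at, and checks whether the AP clock implied by the log falls inside the vWLC SSC validity window; the sample log and validity dates are constructed from the values quoted in this thread.

```python
import re
from datetime import datetime

# Constructed sample input: AP log lines in the format quoted in the thread.
AP_LOG = """\
[*07/15/2020 12:50:45.0000] CAPWAP State: DTLS Setup
[*07/15/2020 12:50:45.3936] spamCheck_valid_vWLC_X509: SSC Hash not allowed
[*07/15/2020 12:50:45.4061] display_verify_cert_status: Verify Cert: FAILED at 1 depth: self signed certificate in certificate chain
[*07/15/2020 12:50:45.4094] Restarting CAPWAP State Machine.
"""
# vWLC SSC validity, constructed from the "SSC Validity" output quoted in the thread.
SSC_NOT_BEFORE = "Jul 13 04:23:03 2020 GMT"
SSC_NOT_AFTER = "May 22 04:23:03 2030 GMT"

LINE_RE = re.compile(r"^\[\*(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\.\d+\]\s*(.*)$")

# Log signature -> likely cause, as worked out in the thread.
SIGNATURES = {
    "SSC Hash not allowed": "AP holds a cached SSC hash from another vWLC; clear the AP config or add this vWLC's hash to its peers",
    "Verify Cert: FAILED": "controller certificate chain rejected by the AP (follows the hash rejection)",
}

def parse_ap_log(text):
    """Return (timestamp, message) tuples; timestamps are naive, AP logs are in GMT."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S"), m.group(2)))
    return events

def parse_validity(s):
    """Parse 'Mon DD HH:MM:SS YYYY GMT' as printed in the certificate validity output."""
    return datetime.strptime(s.replace(" GMT", ""), "%b %d %H:%M:%S %Y")

def clock_inside_window(ap_clock, not_before, not_after):
    """True if the AP clock lies within the vWLC SSC validity window."""
    return parse_validity(not_before) <= ap_clock <= parse_validity(not_after)

def triage(log_text, not_before, not_after):
    """Collect matching failure signatures and check the AP clock against SSC validity."""
    events = parse_ap_log(log_text)
    findings = [(sig, cause) for _, msg in events for sig, cause in SIGNATURES.items() if sig in msg]
    ap_clock = events[-1][0] if events else None  # last log timestamp approximates the AP clock
    return {
        "findings": findings,
        "ap_clock": ap_clock,
        "clock_ok": ap_clock is not None and clock_inside_window(ap_clock, not_before, not_after),
    }
```

With the thread's values the clock check passes, so the failure is the cached-hash mismatch rather than a time problem; a clock moved back to July 2019, as tried in the question, would fall before the SSC "Not Before" date and could not help.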