01-21-2020 08:15 PM - edited 07-05-2021 11:34 AM
Hi Guys,
Suddenly I have been told that one of our APs is not connecting to the WLC. It looks like the AP is getting an IP, but it cannot associate with the WLC. Previously I configured config ap cert-expiry-ignore {mic|ssc} enable, and it fixed all the old APs' joining issues. But for this one AP I am not sure what to do... I was thinking of ticking "Accept Self Signed Certificate (SSC)" under Security AAA - AP policies, but I am not sure if it will cause other connection issues?
The log I got from AP:
*Mar 1 00:00:09.122: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:09.168: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C1140 Software (C1140-RCVK9W8-M), Version 12.4(18a)JA, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 21-Nov-08 01:28 by prod_rel_team
*Mar 1 00:00:09.196: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Mar 1 00:00:10.122: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:18.265: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.8.44.57, mask 255.255.254.0, hostname Gym
*Mar 1 00:00:28.101: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !!
*Mar 1 00:00:28.223: Logging LWAPP message to 255.255.255.255.
*Mar 1 00:00:32.233: %CDP_PD-2-POWER_LOW: All radios disabled - NEGOTIATED WS-C3750X-24P (2894.0f34.ed2e)
Translating "CISCO-LWAPP-CONTROLLER.school.com"...domain server (10.8.2.42) [OK]
*Mar 1 00:00:38.173: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Jan 22 04:01:52.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.8.46.2 peer_port: 5246
*Jan 22 04:01:52.821: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.8.46.2
*Jan 22 04:01:52.821: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Jan 22 04:01:52.821: %DTLS-5-PEER_DISCONNECT: Peer 10.8.46.2 has closed connection.
*Jan 22 04:01:52.822: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
Thanks a lot for help.
Mang
01-21-2020 08:28 PM
@manly009 wrote:
*Jan 22 04:01:52.821: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
What firmware is the controller running on?
01-21-2020 08:36 PM
It is C1140. version 12.4 (18a) JA.
Thanks
01-22-2020 12:07 AM - edited 01-22-2020 12:10 AM
That AP version correlates to WLC version 5.2.193.0, which won't work with the cert expiry issue.
You need at least version 7.0.252.0 or higher in order to ignore the certificates.
Your AP can support up to version 8.3 on the WLC.
https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html
<<< Pls remember to rate all useful responses >>>
01-22-2020 03:53 PM
Sorry actually WLC's software version is on: 8.0.140.0
We would think the AP should talk to the WLC? All the other 1142N-N-K9s still work?
Any other suggestions? Should I tick "Accept Self Signed Certificate (SSC)" on the WLC? Would this affect something else?
Thanks
Mang
01-22-2020 03:59 PM
the actual log from AP:
Please advise:
IOS Bootloader - Starting system.
Xmodem file system is available.
DDR values used from system serial eeprom.
WRDTR,CLKTR: 0x86000800, 0x40000000
RQDC, RFDC : 0x8000003d, 0x00000216
PCIE0: link is up.
PCIE0: VC0 is active
PCIE1: link is up.
PCIE1: VC0 is active
PCIEx: initialization done
flashfs[0]: 67 files, 15 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 32385024
flashfs[0]: Bytes used: 20049408
flashfs[0]: Bytes available: 12335616
flashfs[0]: flashfs fsck took 22 seconds.
Reading cookie from system serial eeprom...Done
Base Ethernet MAC address: 00:22:bd:1a:39:50
Ethernet speed is 1000 Mb - FULL duplex
Loading "flash:/c1140-rcvk9w8-mx/c1140-rcvk9w8-mx"...#############################################################################################################################################################################################################################
File "flash:/c1140-rcvk9w8-mx/c1140-rcvk9w8-mx" uncompressed and installed, entry point: 0x4000
executing...
enet halted
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, C1140 Software (C1140-RCVK9W8-M), Version 12.4(18a)JA, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 21-Nov-08 01:28 by prod_rel_team
Image text-base: 0x00004000, data-base: 0x00430000
Proceeding with system init
Proceeding to unmask interrupts
Initializing flashfs...
flashfs[1]: 67 files, 15 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 32385024
flashfs[1]: Bytes used: 20049408
flashfs[1]: Bytes available: 12335616
flashfs[1]: flashfs fsck took 5 seconds.
flashfs[1]: Initialization complete....done Initializing flashfs.
Ethernet speed is 1000 Mb - FULL duplex
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco AIR-LAP1142N-N-K9 (PowerPC405ex) processor (revision A0) with 98294K/32768K bytes of memory.
Processor board ID FCW1336S029
PowerPC405ex CPU at 586Mhz, revision number 0x147E
Last reset from power-on
LWAPP image version 3.0.51.0
1 Gigabit Ethernet interface
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:22:BD:1A:39:50
Part Number : 73-11451-06
PCA Assembly Number : 800-30554-03
PCA Revision Number : A0
PCB Serial Number : FOC13331VKX
Top Assembly Part Number : 800-31273-01
Top Assembly Serial Number : FCW1336S029
Top Revision Number : A0
Product/Model Number : AIR-LAP1142N-N-K9
% Please define a domain-name first.
ip ssh version 2
^
% Invalid input detected at '^' marker.
transport input ssh
^
% Invalid input detected at '^' marker.
aaa new-model
^
% Invalid input detected at '^' marker.
aaa authentication login default local
^
% Invalid input detected at '^' marker.
login authentication default
^
% Invalid input detected at '^' marker.
transport input ssh
^
% Invalid input detected at '^' marker.
RS
Press RETURN to get started!
SI IDB null
RSSI IDB null
*Mar 1 00:00:06.866: *** CRASH_LOG = YES
Base Ethernet MAC address: 00:22:BD:1A:39:50
*Mar 1 00:00:07.071: %LWAPP-3-CLIENTEVENTLOG: Read and initialized AP event log (contains, 1024 messages)
*Mar 1 00:00:09.121: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:09.167: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C1140 Software (C1140-RCVK9W8-M), Version 12.4(18a)JA, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 21-Nov-08 01:28 by prod_rel_team
*Mar 1 00:00:09.195: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Mar 1 00:00:10.122: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:18.035: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.8.44.57, mask 255.255.254.0, hostname Gym
logging origin-id string AP:0022.bd1a.3950
^
% Invalid input detected at '^' marker.
logging 255.255.255.255
^
% Invalid input detected at '^' marker.
logging trap 3
^
% Invalid input detected at '^' marker.
*Mar 1 00:00:28.099: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !!
*Mar 1 00:00:28.222: Logging LWAPP message to 255.255.255.255.
*Mar 1 00:00:31.599: %CDP_PD-2-POWER_LOW: All radios disabled - NEGOTIATED WS-C3750X-24P (2894.0f34.ed2e)
Translating "CISCO-LWAPP-CONTROLLER.mercedes.catholic.edu.au"...domain server (10.8.2.42) [OK]
*Mar 1 00:00:38.168: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Jan 22 23:56:34.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.8.46.2 peer_port: 5246
*Jan 22 23:56:34.820: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.8.46.2
*Jan 22 23:56:34.821: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Jan 22 23:56:34.821: %DTLS-5-PEER_DISCONNECT: Peer 10.8.46.2 has closed connection.
*Jan 22 23:56:34.821: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
*Jan 22 23:57:17.419: %CDP_PD-2-POWER_LOW: All radios disabled - NEGOTIATED WS-C3750X-24P (2894.0f34.ed2e)
transport input ssh
^
% Invalid input detected at '^' marker.
RSSI IDB null
RSSI IDB null
*Jan 22 23:57:39.077: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Jan 22 23:57:49.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.8.46.2 peer_port: 5246
*Jan 22 23:57:49.822: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.8.46.2
*Jan 22 23:57:49.823: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Jan 22 23:57:49.823: %DTLS-5-PEER_DISCONNECT: Peer 10.8.46.2 has closed connection.
*Jan 22 23:57:49.823: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
01-22-2020 05:25 PM - edited 01-22-2020 06:02 PM
AP is booting up the RCV firmware.
This means the AP has never joined a controller before.
Post the complete output to the following commands:
1. WLC: sh sysinfo;
2. WLC: sh time; &
3. AP: dir
The controller is running the firmware that fixes the FN, HOWEVER, the AP is running a very, very, very old RCV. This particular version, 12.4(18a)JA, DOES NOT HAVE THE FIX.
The only way to get the AP to join the controller is to manually upgrade the firmware of the AP. In order to do this, you'll need to do the following (in order):
1. Go HERE and download the filename "c1140-rcvk9w8-tar.153-3.JD17.tar";
2. Push the firmware to the AP using the command "archive download-sw /over tftp://<TFTP IP Address>/c1140-rcvk9w8-tar.153-3.JD17.tar"
3. Reboot the AP
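As an added example (not code from the thread or from Cisco), a small Python triage helper that applies the reasoning in this answer to AP console lines: it pulls the image name and IOS version, checks whether the AP is still on an RCV (recovery) image, spots the fatal DTLS certificate alert, and compares the WLC release against the 7.0.252.0 minimum quoted earlier in the thread. The sample log lines and the verdict wording are constructed; the fix actions are the ones this thread gives.

```python
import re
from typing import Dict, Tuple

# Constructed sample: the lines from the AP console output in this thread that
# matter for triage (not the full log).
SAMPLE_AP_LOG = """\
Loading "flash:/c1140-rcvk9w8-mx/c1140-rcvk9w8-mx"...####
Cisco IOS Software, C1140 Software (C1140-RCVK9W8-M), Version 12.4(18a)JA, RELEASE SOFTWARE (fc4)
*Jan 22 23:56:34.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.8.46.2 peer_port: 5246
*Jan 22 23:56:34.820: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.8.46.2
*Jan 22 23:56:34.821: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Jan 22 23:56:34.821: %DTLS-5-PEER_DISCONNECT: Peer 10.8.46.2 has closed connection.
"""

# Minimum WLC release that can be told to ignore expired AP certificates (per the thread).
MIN_WLC_FOR_CERT_IGNORE: Tuple[int, ...] = (7, 0, 252, 0)

VERSION_RE = re.compile(r"Software \(([^)]+)\), Version ([^,]+),")
DTLS_ALERT_RE = re.compile(r"%DTLS-5-ALERT: Received FATAL : (.+?) alert from (\S+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted WLC release like '8.0.140.0' into a comparable tuple."""
    return tuple(int(p) for p in text.strip().split("."))


def triage_ap_log(log: str, wlc_version: str) -> Dict[str, object]:
    """Classify a CAPWAP join failure from AP console output plus the WLC release."""
    image, ios_version = None, None
    m = VERSION_RE.search(log)
    if m:
        image, ios_version = m.group(1), m.group(2)
    # An "-RCV" image name means the AP is running the recovery image, i.e. it
    # has never joined a controller and never received a full image.
    recovery_image = bool(image and "-RCV" in image.upper())
    alert = DTLS_ALERT_RE.search(log)
    cert_rejected = bool(alert and "certificate" in alert.group(1).lower())
    wlc_ok = parse_version(wlc_version) >= MIN_WLC_FOR_CERT_IGNORE
    if not cert_rejected:
        verdict = "no DTLS certificate rejection in log"
    elif not wlc_ok:
        verdict = "WLC too old to ignore expired certificates; upgrade WLC first"
    elif recovery_image:
        verdict = "WLC has the fix but AP recovery image predates it; push a newer AP image"
    else:
        verdict = "AP image has joined before; check cert-expiry-ignore and WLC time"
    return {
        "image": image, "ios_version": ios_version, "recovery_image": recovery_image,
        "dtls_alert": alert.group(1) if alert else None,
        "dtls_peer": alert.group(2) if alert else None,
        "wlc_supports_cert_ignore": wlc_ok, "verdict": verdict,
    }
```

Feed it the console capture and the output of sh sysinfo on the WLC; the verdict tells you which of the two upgrades (WLC or AP image) is the blocker.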
01-22-2020 07:31 PM
File "c1140-rcvk9w8-tar.153-3.JD17.tar" is still available and requires a valid Service Contract.
Send an email to TAC and ask them to publish it for you.
01-28-2020 10:35 PM
Did you apply the workaround config *after* both WLC and AP were running updated software with the fix? You may need to manually set the WLC time back to before cert expiry (and disable NTP) initially as per the field notice. Once all hardware is running updated software, with fix applied, then it should work.