WLAN access point DTLS problem

Some of my access points will not join the WLC right away.

If I reboot an access point, it takes 5 minutes to 1 hour to join again.

It does not affect all APs.

I get this error on the access point:

mostly AIR-LAP1142N and AIR-CAP2702I-E-K9

WLC AIR-CT5508-K9   Software Version 8.2.102


*Apr 13 08:30:27.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.1.41 peer_port: 5246
*Apr 13 08:30:33.011: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_record.c:394 BD is not of DTLS Change Cipher Spec type
*Apr 13 08:30:33.011: %DTLS-5-SEND_ALERT: Send FATAL : Internal error Alert to 10.1.1.41:5246
*Apr 13 08:30:33.011: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.1.1.41:5246
*Apr 13 08:31:31.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Apr 13 08:31:32.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.1.41 peer_port: 5246
*Apr 13 08:31:32.000: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:929 Unexpected message received while expecting HelloVerifyRequest
*Apr 13 08:31:32.000: %DTLS-5-SEND_ALERT: Send FATAL : Unexpected message Alert to 10.1.1.41:5246
*Apr 13 08:31:32.000: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.1.1.41:5246
*Apr 13 08:32:46.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Apr 13 08:32:47.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.1.42 peer_port: 5246
*Apr 13 08:32:53.011: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_record.c:394 BD is not of DTLS Change Cipher Spec type
*Apr 13 08:32:53.011: %DTLS-5-SEND_ALERT: Send FATAL : Internal error Alert to 10.1.1.42:5246
*Apr 13 08:32:53.011: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.1.1.42:5246
*Apr 13 08:33:51.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Apr 13 08:33:52.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.1.42 peer_port: 5246
*Apr 13 08:33:52.000: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:929 Unexpected message received while expecting HelloVerifyRequest
*Apr 13 08:33:52.000: %DTLS-5-SEND_ALERT: Send FATAL : Unexpected message Alert to 10.1.1.42:5246
*Apr 13 08:33:52.000: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.1.1.42:5246
*Apr 13 08:34:56.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Apr 13 08:34:57.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.1.43 peer_port: 5246
*Apr 13 08:35:03.011: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_record.c:394 BD is not of DTLS Change Cipher Spec type
*Apr 13 08:35:03.011: %DTLS-5-SEND_ALERT: Send FATAL : Internal error Alert to 10.1.1.43:5246
*Apr 13 08:35:03.011: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.1.1.43:5246
*Apr 13 08:36:01.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Apr 13 08:36:02.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.1.43 peer_port: 5246
*Apr 13 08:36:02.000: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:929 Unexpected message received while expecting HelloVerifyRequest
*Apr 13 08:36:02.000: %DTLS-5-SEND_ALERT: Send FATAL : Unexpected message Alert to 10.1.1.43:5246
*Apr 13 08:36:02.000: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.1.1.43:5246
*Apr 13 08:37:06.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Apr 13 08:37:07.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.1.41 peer_port: 5246
*Apr 13 08:37:13.011: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_record.c:394 BD is not of DTLS Change Cipher Spec type
*Apr 13 08:37:13.011: %DTLS-5-SEND_ALERT: Send FATAL : Internal error Alert to 10.1.1.41:5246
*Apr 13 08:37:13.011: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.1.1.41:5246
*Apr 13 08:38:11.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Apr 13 08:38:12.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.1.41 peer_port: 5246
*Apr 13 08:38:12.000: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:929 Unexpected message received while expecting HelloVerifyRequest
*Apr 13 08:38:12.000: %DTLS-5-SEND_ALERT: Send FATAL : Unexpected message Alert to 10.1.1.41:5246
*Apr 13 08:38:12.000: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.1.1.41:5246
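The console output above repeats the same two-failure cycle per WLC peer about every 65 seconds, which is hard to see when scrolling. The script below is an added example, not code from this thread or from Cisco: it reads AP console lines of this shape, attributes each DTLS_CLIENT_ERROR to the handshake message the AP was waiting for, counts retries per WLC peer, and turns the counts into a short finding. The sample lines are copied from the output posted above plus one certificate-failure line from later in the thread; the peer address 192.0.2.10 and the fixed log year are placeholders, and the phase names and findings are this example's own labels, not Cisco terminology.

```python
"""Summarize CAPWAP/DTLS join failures from Cisco AP console output (added example)."""
import re
from datetime import datetime

# Error texts seen in the thread, mapped to the handshake message the AP was
# waiting for when the unexpected record arrived (labels chosen here).
PHASE_BY_ERROR = {
    "expecting HelloVerifyRequest": "HelloVerifyRequest",
    "not of DTLS Change Cipher Spec type": "ChangeCipherSpec",
    "Certificate verified failed": "CertificateVerify",
}

# AP console timestamps carry no year; LOG_YEAR is an assumption used only
# so that gaps between attempts can be computed.
LOG_YEAR = 2000
TS_RE = re.compile(r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d\.\d{3}): (?P<msg>.*)$")
IP_RE = re.compile(r"peer_ip: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_events(lines):
    """Return (timestamp, kind, peer, phase) tuples for the lines that matter."""
    events = []
    peer = None  # WLC the AP most recently sent a DTLS request to
    for line in lines:
        m = TS_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        msg = m["msg"]
        if "%CAPWAP-5-DTLSREQSEND" in msg:
            ip = IP_RE.search(msg)
            peer = ip["ip"] if ip else peer
            events.append((ts, "request", peer, None))
        elif "DTLS_CLIENT_ERROR" in msg:
            phase = next((p for k, p in PHASE_BY_ERROR.items() if k in msg), "unknown")
            events.append((ts, "error", peer, phase))
        elif "%CAPWAP-5-DTLSREQSUCC" in msg:
            events.append((ts, "success", peer, None))
    return events


def summarize(lines):
    """Per WLC peer: request count, successes, failures by phase, seconds between retries."""
    stats, last_request = {}, {}
    for ts, kind, peer, phase in parse_events(lines):
        s = stats.setdefault(peer, {"requests": 0, "successes": 0, "failures": {}, "retry_gaps": []})
        if kind == "request":
            if peer in last_request:
                s["retry_gaps"].append((ts - last_request[peer]).total_seconds())
            last_request[peer] = ts
            s["requests"] += 1
        elif kind == "error":
            s["failures"][phase] = s["failures"].get(phase, 0) + 1
        else:
            s["successes"] += 1
    return stats


def diagnose(stats):
    """Map the per-peer counts to the first thing to check, per peer."""
    findings = {}
    for peer, s in stats.items():
        cert = s["failures"].get("CertificateVerify", 0)
        handshake = sum(v for k, v in s["failures"].items() if k != "CertificateVerify")
        if s["successes"]:
            findings[peer] = "DTLS session established"
        elif cert:
            findings[peer] = "certificate verification failing: check WLC/AP certificates, clock and DTLS licensing"
        elif handshake:
            # Every attempt dying mid-handshake, at the same phase, on a fixed retry
            # interval is what the thread's accepted answer traced to queue drops.
            findings[peer] = "handshake records lost or out of order: check for drops on the AP-WLC path (UDP 5246/5247 queueing)"
        else:
            findings[peer] = "no DTLS errors recorded"
    return findings


# Constructed sample: lines from the thread, with 192.0.2.10 as a placeholder peer.
SAMPLE_LOG = [
    "*Apr 13 08:30:27.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.1.41 peer_port: 5246",
    "*Apr 13 08:30:33.011: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_record.c:394 BD is not of DTLS Change Cipher Spec type",
    "*Apr 13 08:30:33.011: %DTLS-5-SEND_ALERT: Send FATAL : Internal error Alert to 10.1.1.41:5246",
    "*Apr 13 08:31:31.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.",
    "",
    "*Apr 13 08:31:32.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.1.41 peer_port: 5246",
    "*Apr 13 08:31:32.000: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:929 Unexpected message received while expecting HelloVerifyRequest",
    "*Apr 13 08:31:32.000: %DTLS-5-SEND_ALERT: Send FATAL : Unexpected message Alert to 10.1.1.41:5246",
    "*Jun  9 11:28:54.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.0.2.10 peer_port: 5246Peer certificate verification failed FFFFFFFF",
    "*Jun  9 11:28:54.007: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:509 Certificate verified failed!",
    "*Jun  9 11:28:54.007: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.0.2.10:5246",
]

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for peer, finding in diagnose(stats).items():
        print(f"{peer}: {stats[peer]['failures']} gaps={stats[peer]['retry_gaps']} -> {finding}")
```

Feed it the full console capture of an AP that is slow to join (`summarize(open("ap.log").read().splitlines())`); a peer whose failures alternate between ChangeCipherSpec and HelloVerifyRequest with no successes and evenly spaced retries points at the transport path rather than at the AP authorization list or the certificate.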

Accepted Solution

Re: Hello,

The problem was in the core switches on the route to the WLC. We have 10 Gig to 1 Gig fiber and the QoS queue was too small for handling the CAPWAP traffic. We gave UDP ports 5246 and 5247 better QoS.

7 Replies
Sounds like the APs were not added to the controller's database.

Give this a try:

• Log into your Wireless LAN Controller.
• Select the Security tab.
• Expand AAA and select AP Policies.
• Click the Add button on the far right.
• Under Add AP to Authorization List, enter the MAC Address of the Access Point in the MAC Address text box. (The MAC Address can be found on the bottom of the Access Point.)
• Click the Add button.
• Click the Apply button.
• Click the Wireless tab.
• Under Wireless > All APs, select the AP, then go to the General tab, click the AP Mode drop-down box and select Local.

David

I agree with David that is one place to look. 

Also, in the GUI Monitor screen there is a Statistics button on the side. Then click on AP Join; you might see a bit more info.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
Apr 13 08:30:33.011: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_record.c:394 BD is not of DTLS Change Cipher Spec type

I had seen this issue before. What it means is that the received DTLS message is not a Change Cipher Spec, which is the message that the AP is expecting to receive from the WLC.

This is a bug on the WLC/AP and it recovers on its own; there is already a TAC case on this. Call up TAC and mention the above error message, and they should be able to reference an already existing bug/case.


Re: Sounds like the APs were not

Thanks for sharing, David. This fixed the issue :)

Hello,

Looks like you have to generate a DTLS certificate through the license product portal.

You can try to download it through the following steps:

- Go to the management licenses

- Choose IPS, crypto, other

- Choose DTLS license and download it for your 5508 WLC (you will need your PID and SN)

You may have to reboot the WLC for the DTLS license to take effect.


Re: Hello,

TL;DR

APs not joining? Before moving to versions 8.3 and above, Check you have "data_encryption" listed in the licenses section (Management\Software Activation\Licenses).

Add your device against your Cisco profile in the product license registration section of the Cisco.com site after you have logged in.

Select Get licenses\IPS, Crypto,other

Product family Wireless \ Cisco Wireless Controllers DTLS License

(Hint, if you cannot see anything on the right hand side use Internet Explorer or Edge (I had been using Firefox, and was not seeing anything on the right hand pane))

Select Product type, provide UDI and UDI Serial (found under Controller \ Inventory via the GUI on the WLC)

Click next,

fill in email, name and agree to license agreement.

Install the licence from Management\Software Activation\Commands.

Select Action "Install licence".

Get your TFTP server up and running and use the following path format:

tftp://<ip address x.x.x.x>/<name of licence file>.lic

After installing the new licence, reboot. After this you should be able to move to versions 8.3 and above.
Background and some Error Detail

I had been trying to upgrade the software on my controller for a few months now. I have upgraded and downgraded more times than I can count, and I have literally wasted days before I found this. Any WLC IOS version pre 8.3 was fine (the last one I tried was AIR-CT2500-K9-8-2-170-0). Wireless APs on the 8.2 versions would associate with the controller, but as soon as I moved a minor revision up to 8.3 or 8.5, none of the wireless APs would come back online.

Local console output from the APs would be like:

*Jun  9 05:35:23.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: x.x.x.x peer_port: 5246
*Jun  9 05:35:23.307: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: x.x.x.x peer_port: 5246
*Jun  9 05:35:23.307: %CAPWAP-5-SENDJOIN: sending Join Request to x.x.x.x
*Jun  9 05:35:23.307: %DTLS-5-ALERT: Received WARNING : Close notify alert from x.x.x.x
*Jun  9 05:35:23.307: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to x.x.x.x:5246

or other messages like this:

*Jun  9 11:28:53.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
*Jun  9 11:28:54.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: x.x.x.x peer_port: 5246Peer certificate verification failed FFFFFFFF
*Jun  9 11:28:54.007: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:509 Certificate verified failed!
*Jun  9 11:28:54.007: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to x.x.x.x:5246
*Jun  9 11:28:54.007: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to x.x.x.x:5246
*Jun  9 11:30:08.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
*Jun  9 11:30:09.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: x.x.x.x peer_port: 5246
*Jun  9 11:30:14.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:929 Unexpected message received while expecting HelloVerifyRequest
*Jun  9 11:30:14.999: %DTLS-5-SEND_ALERT: Send FATAL : Unexpected message Alert to x.x.x.x:5246
*Jun  9 11:30:14.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to x.x.x.x:5246
*Jun  9 11:31:23.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

Other Credits and links

Another Wireless Blog

Ref: WLC controller debug commands debug capwap errors enable and debug pm pki enable