Access point fails to connect to WLC

I did a factory reset of a Cisco AIR-LAP1131AG-N-K9.  It is now failing to connect to our 2504 WLC.  It had been connected in the past.  The console is looping with the following:

*Sep 20 11:58:21.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.221 peer_port: 5246
*Sep 20 11:58:21.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Sep 20 11:58:22.544: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 192.168.1.221
*Sep 20 11:58:22.544: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Sep 20 11:58:22.545: %DTLS-5-PEER_DISCONNECT: Peer 192.168.1.221 has closed connection.
*Sep 20 11:58:22.545: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.221:5246
*Sep 20 11:58:22.546: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

I can ping the WLC from the AP.  The traps log on the WLC shows no attempt to connect from AP.

Any suggestions?

11 Replies

Pawan Raut
Level 4

Tell the AP the controller to join:

AP#capwap ap controller ip address <WLC IP address>

then show the output:

AP#sh capwap ip config

Tried your suggestion and am still receiving the same output.

Checked the regulatory domains and enabled Accept Self Signed Certificate in the AP policies.

See the link for how to add a self-signed certificate:

http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/70341-manual-add-ssc.html

GUI Configuration

Complete these steps from the GUI:

  1. Choose Security > AP Policies and click Enabled beside Accept Self Signed Certificate.


  2. Select SSC from the Certificate Type drop-down menu.


  3. Enter the MAC address of the AP and the hash key, and click Add.

CLI Configuration

Complete these steps from the CLI:

  1. Enable Accept Self Signed Certificate on the WLC.

    The command is config auth-list ap-policy ssc enable.

    (Cisco Controller) >config auth-list ap-policy ssc enable
    
  2. Add the AP MAC address and hash key to the authorization list.

    The command is config auth-list add ssc AP_MAC AP_key .

    (Cisco Controller) >config auth-list add ssc 00:0e:84:32:04:f0 
    9e4ddd8dfcdd8458ba7b273fc37284b31a384eb9
    
    !--- This command should be on one line.

So the AP is AIR-AP1131AG-N-K9 and my controller was only set to use -A.  I have followed the steps to add the -N regulatory domain.  The AP still wouldn't connect.  I then followed the SSC steps you have kindly included.  To obtain the hash key I followed this:

https://supportforums.cisco.com/document/27971/how-recover-hash-key-access-point-and-import-it-controller

However, I am not able to obtain the hash key.  I get this instead on the controller:

*spamApTask5: Sep 22 15:30:43.044: sshpmGetIssuerHandles: Current time outside AP cert validity interval: make sure the controller time is set.

on the AP:

AP0016.c7a0.b6de#sh clock
*15:32:04.858 UTC Thu Sep 22 2016

on the WLC:

(Cisco Controller) >show time

Time............................................. Thu Sep 22 15:32:48 2016

Timezone delta................................... 0:0
Timezone location................................

NTP Servers
    NTP Polling Interval.........................     86400

     Index     NTP Key Index                  NTP Server                  NTP Msg Auth Status
    -------  ----------------------------------------------------------------------------------
       1              0                               192.168.1.201       AUTH DISABLED

The two devices seem to have the same time.  I'm not sure why it would error out with a time issue?

What is the serial number of the AP and post the complete output to the WLC command of "sh sysinfo".

Hello Leo

AP0013.c3de.980a#show version
Cisco IOS Software, C1130 Software (C1130-K9W8-M), Experimental Version 12.4(20150326:115131) [wnbubld 104]
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Thu 26-Mar-15 04:52 by wnbubld

ROM: Bootstrap program is C1130 boot loader
BOOTLDR: C1130 Boot Loader (C1130-BOOT-M) Version 12.3(2)JA3, RELEASE SOFTWARE (fc2)

AP0013.c3de.980a uptime is 38 minutes
System returned to ROM by power-on
System image file is "flash:/c1130-k9w8-mx.ap_o_v12t_esc.201503260444/c1130-k9w8-mx.a"

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:13:C3:DE:98:0A
Part Number : 73-8962-07
PCA Assembly Number : 800-24818-06
PCA Revision Number : C0
PCB Serial Number : FOC091735HH
Top Assembly Part Number : 800-25544-01
Top Assembly Serial Number : FCZ0922Q0NV
Top Revision Number : A0
Product/Model Number : AIR-AP1131AG-E-K9

Configuration register is 0xF


(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.0.140.0
RTOS Version..................................... 8.0.140.0
Bootloader Version............................... 8.3.15.96
Emergency Image Version.......................... 8.0.140.0

Build Type....................................... DATA + WPS

System Name...................................... vWLC001
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1631
IP Address....................................... 10.0.1.5
IPv6 Address..................................... ::
System Up Time................................... 0 days 0 hrs 57 mins 23 secs
System Timezone Location......................... (GMT +1:00) Amsterdam, Berlin, Rome, Vienna
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180

Configured Country............................... BE - Belgium

--More-- or (q)uit

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 1
Number of Active Clients......................... 0

Burned-in MAC Address............................ 00:0C:29:40:14:07
Maximum number of APs supported.................. 200
System Nas-Id....................................
WLC MIC Certificate Types........................ SHA1

rasmus.elmholt
Level 7

Try these:

  • Delete the AP from the controller
  • Delete the certificate on the flash of the AP if it exists
  • Make sure the AP has a correct time.

Some links for your amusement:

https://learningnetwork.cisco.com/thread/80084

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/119286-lap-notjoin-wlc-tshoot.html


After running into the same type of issue at a different location, I am now attempting to overcome the "LAP/WLC MIC or SSC lifetime expiration causes DTLS failure" bug, CSCuq19142:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuq19142/?referring_site=bugquickviewredir

At the other location I upgraded the product version to 8.0.140.0, set the date of the WLC to prior to the expired MIC of the downed APs, and all of the APs updated their code as expected.
However, resetting the WLC to use the correct date and rebooting an AP causes the AP not to join again.

Following:
https://supportforums.cisco.com/document/12453081/lightweight-ap-fail-create-capwaplwapp-connection-due-certificate-expiration
I don't have the commands on my controller so I cannot enable/disable expired certificate checking.

***Correction: code version 8.0.140.0 does have the command built in, and after running it, devices with expired MICs do connect again.***

RESOLVED

The steps above resolved the issue, which appears to have actually been expired certificates on the APs.

Unfortunately the option to select "correct answer" is not available on my own comments?

Thanks everyone that contributed.

Jeremy
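The thread's diagnosis rests on two pieces of evidence: the AP console showing a DTLS "Certificate unknown" alert right after the CAPWAP DTLS request, and the WLC message saying the controller time is outside the AP certificate's validity interval. The following added example (not from the thread or from Cisco) turns that manual reading into a small checker: it classifies the syslog lines quoted above into a verdict and compares the AP's `show clock` with the WLC's `show time` to rule clock skew in or out. The sample lines are constructed to match the outputs posted in the thread; the verdict names are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed samples modelled on the outputs quoted in this thread (not a live capture).
AP_CONSOLE = """\
*Sep 20 11:58:21.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.221 peer_port: 5246
*Sep 20 11:58:22.544: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 192.168.1.221
*Sep 20 11:58:22.545: %DTLS-5-PEER_DISCONNECT: Peer 192.168.1.221 has closed connection.
"""
WLC_MSGLOG = "*spamApTask5: Sep 22 15:30:43.044: sshpmGetIssuerHandles: Current time outside AP cert validity interval: make sure the controller time is set."
AP_SH_CLOCK = "*15:32:04.858 UTC Thu Sep 22 2016"
WLC_SHOW_TIME = "Time............................................. Thu Sep 22 15:32:48 2016"

# Syslog patterns and the defender-side meaning each one carries.
PATTERNS = {
    "dtls_request": re.compile(r"%CAPWAP-5-DTLSREQSEND:"),
    "cert_rejected": re.compile(r"%DTLS-5-ALERT: Received FATAL : Certificate unknown alert"),
    "peer_disconnect": re.compile(r"%DTLS-5-PEER_DISCONNECT:"),
    "cert_time_window": re.compile(r"sshpmGetIssuerHandles: Current time outside AP cert validity interval"),
}

def classify(text):
    """Return the set of pattern names that occur anywhere in the log text."""
    return {name for name, rx in PATTERNS.items() if rx.search(text)}

def diagnose(ap_log, wlc_log):
    """Combine AP-side and WLC-side evidence into one verdict (names are this example's own)."""
    ap, wlc = classify(ap_log), classify(wlc_log)
    if {"dtls_request", "cert_rejected"} <= ap:
        if "cert_time_window" in wlc:
            return "ap-cert-outside-validity"  # expired MIC/SSC, or WLC clock wrong
        return "wlc-rejected-ap-cert"          # AP not in SSC auth-list / AP policy
    if "dtls_request" in ap and "peer_disconnect" not in ap:
        return "no-dtls-response"              # discovery / reachability problem
    return "no-capwap-join-evidence"

def parse_ap_clock(line):
    """'*HH:MM:SS.mmm UTC Day Mon DD YYYY' -> datetime; the leading '*' means no authoritative time source."""
    m = re.match(r"\*?(\d\d:\d\d:\d\d)\.\d+ UTC (\w{3} \w{3} \d+ \d{4})", line)
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%H:%M:%S %a %b %d %Y")

def parse_wlc_time(line):
    """'Time.... Day Mon DD HH:MM:SS YYYY' from 'show time' -> datetime."""
    m = re.match(r"Time\.+\s*(\w{3} \w{3} \d+ \d\d:\d\d:\d\d \d{4})", line)
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")

def clock_skew_seconds(ap_line, wlc_line):
    """Signed skew (WLC minus AP) in seconds; tens of seconds rules skew out as the cause."""
    return int((parse_wlc_time(wlc_line) - parse_ap_clock(ap_line)).total_seconds())
```

With the thread's own lines the verdict is `ap-cert-outside-validity` and the skew is 44 seconds, which matches the conclusion reached above: the clocks agree, so the certificate itself, not a time mismatch, is what the WLC is rejecting.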

Hi folks,

I understand this is quite an old thread; however, I just encountered the same problem because of having to use some old spare APs. So I just want to share my trick :-)

I was kind of lazy to fix the MIC thing, so I temporarily changed the time of the controller back to 2012, and immediately these old APs associated to the controller. Once the APs registered, I changed the time back, and everything works like a charm.

Roger
