Beginner

APs 1602 not associated in vWLC

We have a vWLC with 8.5.140.0 and 357 AP (1602 and 1700).

In some branch offices we have one or two APs that work OK and others that have an IP but are not associated with the WLC.

We can see traffic from the APs to the WLC, but on the controller we can see:

%DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:978 Failed to complete DTLS handshake with peer ....

We tried to change WLC time and

(WLC) >config ap cert-expiry-ignore {mic|ssc} enable

 

but we have the same problem.

All APs were associated to another WLC.

 

Regards

 

1 ACCEPTED SOLUTION

Beginner

Re: APs 1602 not associated in vWLC

Finally I have been able to access the APs, and I have seen in the console that there is a problem with the SSC and MIC certificate. I reset all APs to default and joined them to the WLC.

It's necessary to have this command:

config ap cert-expiry-ignore {mic|ssc} enable

 

Thanks for all.
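
Added example (not part of the original thread and not Cisco code): a small Python triage script that tallies the `%DTLS-3-HANDSHAKE_FAILURE` message quoted in the question per peer, to list which APs keep failing the join. The thread elides the peer field, so the timestamp prefix, the peer addresses and the `failing_peers` helper are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines. Only the "%DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:978 ..."
# message text comes from the thread; the task/timestamp prefix and the peer
# addresses (documentation ranges) are assumptions for illustration.
SAMPLE_LOG = """\
*spamApTask2: Aug 15 07:41:10.101: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:978 Failed to complete DTLS handshake with peer 192.0.2.21
*spamApTask2: Aug 15 07:41:40.530: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:978 Failed to complete DTLS handshake with peer 192.0.2.21
*spamApTask5: Aug 15 07:42:02.007: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:978 Failed to complete DTLS handshake with peer 198.51.100.7
*spamApTask2: Aug 15 07:42:11.914: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:978 Failed to complete DTLS handshake with peer 192.0.2.21
*otherTask: Aug 15 07:43:00.000: %OTHER-6-UNRELATED: constructed non-DTLS line
"""

# Timestamp (fractional seconds dropped), the message id, then the peer address.
FAILURE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?: "
    r"%DTLS-3-HANDSHAKE_FAILURE: .*? with peer (?P<peer>\d{1,3}(?:\.\d{1,3}){3})"
)


def failing_peers(log_text, min_failures=3):
    """Return {peer: (count, first_seen, last_seen)} for peers that failed
    the DTLS handshake at least min_failures times (an AP stuck retrying the
    join, as opposed to a single transient failure)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if not m:
            continue
        try:
            peer = str(ipaddress.ip_address(m.group("peer")))
        except ValueError:
            continue  # malformed address: skip rather than miscount
        seen[peer].append(m.group("ts"))
    return {
        peer: (len(stamps), stamps[0], stamps[-1])
        for peer, stamps in seen.items()
        if len(stamps) >= min_failures
    }


if __name__ == "__main__":
    for peer, (count, first, last) in sorted(failing_peers(SAMPLE_LOG).items()):
        print(f"{peer}: {count} handshake failures between {first} and {last}")
```

The resulting peer list is the set of APs whose MIC/SSC certificate validity is worth checking on the AP console, which is where the problem was eventually seen in this thread.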

9 REPLIES
Beginner

Re: APs 1602 not associated in vWLC

Hi

 

I had a similar issue when upgrading from 8.3.143.0 to 8.5.140.0. It turned out to be the MIC certificate being SHA-1; I wasn't able to upgrade this to a SHA-2 cert. Changing the cipher to RSA-AES128-SHA fixed the issue for me. I also tried the ignore cert-expiry but that didn't work for me either.

 

You can check serial numbers of affected APs here

http://serialnumbervalidation.com/63916/cgi-bin/index.cgi

 

 

Beginner

Re: APs 1602 not associated in vWLC

Thanks, but I already have RSA-AES128-SHA Cipher.

Beginner

Re: APs 1602 not associated in vWLC

Are you allowing all DTLS versions?
Beginner

Re: APs 1602 not associated in vWLC

Yes, all

VIP Advisor

Re: APs 1602 not associated in vWLC

try

 

config ap lifetime-check mic enable

config ap lifetime-check ssc enable

 

https://community.cisco.com/t5/wireless-mobility-documents/lightweight-ap-fail-to-create-capwap-lwapp-connection-due-to/ta-p/3155111

 

 

BB
*** Rate All Helpful Responses ***
Beginner

Re: APs 1602 not associated in vWLC

I have a WLC with software version 8.5.140.0. I think that those commands are for 7.0.252.0 or earlier (in my WLC I don't have those commands).

I tried with config ap cert-expiry-ignore {mic|ssc} enable but no results.

 

 

Hall of Fame Community Legend

Re: APs 1602 not associated in vWLC

Post the complete output to the following commands:
1. WLC: sh sysinfo;
2. WLC: sh time;
3. AP: sh version; and
4. AP: sh ip interface brief
Beginner

Re: APs 1602 not associated in vWLC

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Build Info....................................... Engineering Special
Product Version.................................. 8.5.140.0
RTOS Version..................................... 8.5.140.0
Bootloader Version............................... 8.5.1.85
Emergency Image Version.......................... 8.5.140.0

OUI File Last Update Time........................ Sun Sep 07 10:44:07 IST 2014


Build Type....................................... DATA + WPS

System Name...................................... ciscowireless
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1631
IP Address....................................... 10.99.255.250
IPv6 Address..................................... ::
System Up Time................................... 160 days 19 hrs 37 mins 5 secs
System Timezone Location.........................

--More-- or (q)uit
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180

Configured Country............................... PT - Portugal

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 5
Number of Active Clients......................... 319

OUI Classification Failure Count................. 208922

Memory Current Usage............................. 49
Memory Average Usage............................. 49
CPU Current Usage................................ 2
CPU Average Usage................................ 2

Flash Type....................................... Compact Flash Card
Flash Size....................................... 1073741824

Burned-in MAC Address............................ 00:50:56:BD:42:7D
Maximum number of APs supported.................. 3000
System Nas-Id....................................

--More-- or (q)uit
WLC MIC Certificate Types........................ SHA1
Licensing Type................................... RTU
vWLC config...................................... Large

(Cisco Controller) >show time

Time............................................. Thu Aug 15 07:55:52 2019

Timezone delta................................... 0:0
Timezone location................................

NTP Servers
NTP Version.................................. 3
NTP Polling Interval......................... 7200

Index NTP Key Index NTP Server Status NTP Msg Auth Status
------- ---------------------------------------------------------------------
1 0 10.23.0.12 In Sync AUTH DISABLED

 

I don't have access to the AP now; I think tomorrow or Monday.

