
APs 1602 not associated in vWLC

micordoba

We have a vWLC with 8.5.140.0 and 357 AP (1602 and 1700).

In some branch offices we have one or two APs that work OK and others that have an IP but are not associated with the WLC.

We can see traffic from the APs to the WLC, but on the controller we can see:

%DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:978 Failed to complete DTLS handshake with peer ....

We tried to change WLC time and

(WLC) >config ap cert-expiry-ignore {mic|ssc} enable

 

but we have the same problem.

All the APs were associated to another WLC.

 

Regards

 

Accepted Solution

Finally I have been able to access the APs, and I have seen in the console that there is a problem with the SSC and MIC certificate. I reset all the APs to default and joined them to the WLC.

It's necessary to have this command:

config ap cert-expiry-ignore {mic|ssc} enable

 

Thanks for all.


9 Replies

R M C

Hi

 

I had a similar issue when upgrading from 8.3.143.0 to 8.5.140.0. It turned out to be the MIC certificate being SHA-1; I wasn't able to upgrade this to a SHA-2 cert. Changing the cipher to RSA-AES128-SHA fixed the issue for me. I also tried the ignore cert-expiry but that didn't work for me either.

 

You can check serial numbers of affected APs here

http://serialnumbervalidation.com/63916/cgi-bin/index.cgi

 

 

Thanks, but I already have RSA-AES128-SHA Cipher.

Are you allowing all DTLS versions?

Yes, all

balaji.bandi

try

 

config ap lifetime-check mic enable

config ap lifetime-check ssc enable

 

https://community.cisco.com/t5/wireless-mobility-documents/lightweight-ap-fail-to-create-capwap-lwapp-connection-due-to/ta-p/3155111

 

 

BB


I have a WLC with software version 8.5.140.0. I think that those commands are for 7.0.252.0 or earlier (in my WLC I don't have those commands).

I tried with config ap cert-expiry-ignore {mic|ssc} enable but no results.

 

 

Leo Laohoo
Post the complete output to the following commands:
1. WLC: sh sysinfo;
2. WLC: sh time;
3. AP: sh version; and
4. AP: sh ip interface brief

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Build Info....................................... Engineering Special
Product Version.................................. 8.5.140.0
RTOS Version..................................... 8.5.140.0
Bootloader Version............................... 8.5.1.85
Emergency Image Version.......................... 8.5.140.0

OUI File Last Update Time........................ Sun Sep 07 10:44:07 IST 2014


Build Type....................................... DATA + WPS

System Name...................................... ciscowireless
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1631
IP Address....................................... 10.99.255.250
IPv6 Address..................................... ::
System Up Time................................... 160 days 19 hrs 37 mins 5 secs
System Timezone Location.........................

--More-- or (q)uit
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180

Configured Country............................... PT - Portugal

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 5
Number of Active Clients......................... 319

OUI Classification Failure Count................. 208922

Memory Current Usage............................. 49
Memory Average Usage............................. 49
CPU Current Usage................................ 2
CPU Average Usage................................ 2

Flash Type....................................... Compact Flash Card
Flash Size....................................... 1073741824

Burned-in MAC Address............................ 00:50:56:BD:42:7D
Maximum number of APs supported.................. 3000
System Nas-Id....................................

--More-- or (q)uit
WLC MIC Certificate Types........................ SHA1
Licensing Type................................... RTU
vWLC config...................................... Large

(Cisco Controller) >show time

Time............................................. Thu Aug 15 07:55:52 2019

Timezone delta................................... 0:0
Timezone location................................

NTP Servers
NTP Version.................................. 3
NTP Polling Interval......................... 7200

Index NTP Key Index NTP Server Status NTP Msg Auth Status
------- ---------------------------------------------------------------------
1 0 10.23.0.12 In Sync AUTH DISABLED

 

I don't have access to the AP right now; I think tomorrow or Monday.
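Added example (not part of the thread and not Cisco code): with several hundred APs, tallying the `%DTLS-3-HANDSHAKE_FAILURE` lines per AP and per subnet shows which branches are affected, and parsing the pasted CLI output gives the controller version, MIC type and clock for the same triage. The log timestamps and peer addresses are constructed, and the peer being printed as an IPv4 address and the one-/24-per-branch grouping are assumptions.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Excerpt of the controller output pasted in this thread.
CLI_OUTPUT = """\
Product Version.................................. 8.5.140.0
System Location..................................
--More-- or (q)uit
WLC MIC Certificate Types........................ SHA1
Time............................................. Thu Aug 15 07:55:52 2019
"""

# Constructed log lines: timestamps and peer addresses are invented
# (documentation ranges); the message text is the one quoted in the question.
MSG = ("%DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:978 "
       "Failed to complete DTLS handshake with peer")
SAMPLE_LOG = "\n".join([
    f"Aug 15 07:41:10 {MSG} 192.0.2.21",
    f"Aug 15 07:41:40 {MSG} 192.0.2.21",
    f"Aug 15 07:42:03 {MSG} 192.0.2.22",
    f"Aug 15 07:43:55 {MSG} 198.51.100.7",
    "Aug 15 07:44:01 unrelated constructed line",
])

FIELD = re.compile(r"^[ \t]*(.+?)\.{2,}[ \t]*(.*)$", re.MULTILINE)
PEER = re.compile(r"%DTLS-3-HANDSHAKE_FAILURE:.*?with peer\s+(\d{1,3}(?:\.\d{1,3}){3})")

def parse_fields(text):
    """Turn 'Key....... value' CLI lines into a dict; pager lines are skipped."""
    return {k.strip(): v.strip() for k, v in FIELD.findall(text)}

def failures_by_site(log, prefix=24):
    """Count failures per AP and per subnet (assumes one /24 per branch)."""
    per_ap = Counter(PEER.findall(log))
    per_site = Counter()
    for ip, n in per_ap.items():
        per_site[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))] += n
    return per_ap, per_site

def triage(cli, log):
    """Summarise controller facts and which APs/sites fail the handshake."""
    f = parse_fields(cli)
    per_ap, per_site = failures_by_site(log)
    return {"version": f.get("Product Version"),
            "wlc_mic": f.get("WLC MIC Certificate Types"),
            "wlc_time": datetime.strptime(f["Time"], "%a %b %d %H:%M:%S %Y"),
            "aps": per_ap, "sites": per_site}
```

Calling `triage(CLI_OUTPUT, SAMPLE_LOG)` returns the summary as a dict; replace the two inputs with a saved CLI capture and a syslog export.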

