Need help with the following:
Cisco Aironet 1832l AP refuses to connect to vWLC.
I got the following:
[*11/22/2018 10:15:00.7485] CAPWAP State: Discovery
[*11/22/2018 10:15:00.7685] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*11/22/2018 10:15:00.7685] Discovery Response from 10.19.1.1
[*11/22/2018 10:15:10.0000] CAPWAP State: DTLS Setup
[*11/22/2018 10:15:10.0299] ** X509_V_ERR_CERT_HAS_EXPIRED
[*11/22/2018 10:15:10.0299] Cert Verification FAILED with error 10 (certificate has expired) at 1 depth...
[*11/22/2018 10:15:10.0299] /C=US/ST=California/L=San Jose/O=Cisco Virtual Wireless LAN Controller/CN=CA-vWLC-AIR-CTVM-K9-0050569F3A0A/emailAddressfirstname.lastname@example.org
[*11/22/2018 10:15:10.0899] CAPWAP State: Join
[*11/22/2018 10:15:10.0899] Sending Join request to 10.19.1.1 through port 5272
[*11/22/2018 10:15:10.0999] DTLS: Received packet 0x1d66000 caused DTLS to close connection
[*11/22/2018 10:15:10.0999] Lost connection to the controller, going to restart CAPWAP...
When I try to manually configure the CONTROLLER IP, or try to configure an IP manually, I get the following:
Capwap process not ready yet. Try after few moments.
CAPWAP socket is not ready, save static IP addr to config file".
Cisco Aironet 1832l-l-K9
Processor board ID KWC212202OU
AP Running Image : 18.104.22.168
Primary Boot Image : 22.214.171.124
Backup Boot Image : 0.0.0.0
2 Gigabit Ethernet interfaces
2 802.11 Radios
Radio FW version : ee27b5094d5b8602d2d973ea084d5cf4
NSS FW version : NSS.AK.1.0.c10-00017-E_custC-1.67978.1
I've had similar issues; in one case the access points were so new the certificate hadn't started to be valid. With that said, make sure the clock is correct on the vWLC; you could also try moving it a bit into the future if it's the same problem.
My main problem though is when... well, I have no clue what's actually wrong, but I was told by Cisco TAC to clear the CAPWAP certificate by running:
clear capwap private-config
test capwap erase
test capwap restart
In my scenario I also had to specify the WLC IP address in the console:
capwap ap controller ip address <x.x.x.x>
Hope one of the tips can resolve your problem.
/C=US/ST=California/L=San Jose/O=Cisco Virtual Wireless LAN Controller/CN=CA-vWLC-AIR-CTVM-K9-0050569F3A0A/emailAddressemail@example.com
refers to the vWLC certificate
As in the previous post: check time synchronization between vWLC and AP first!
Log in to the vWLC -> check the certificate!
And generate a new, or renew the current, self-signed certificate.
That's pretty much what all certificates say, but there was no date stamped in what you saw there and I don't know off the top of my head how you see that particular information. What I wrote is essentially what's in your reply; however, I specified the commands you need to do it as well (renew the current self-signed certificate). Also make sure the WLC allows self-signed certs.
Sorry Peter, I do not agree,
you specify the AP-side commands, not the controller commands!
Above, CN=CA-vWLC-AIR-CTVM-K9 refers to the controller certificate as expired (vWLC = virtual wireless controller),
so my suggestion is to renew the certificate at the controller, not at the AP.
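
Added example, not written by any poster in this thread: a small Python parser for AP console output in the format quoted in the first post. It extracts each certificate verification failure with its chain depth and the subject DN printed on the following line, so you can see which certificate in the DTLS chain was rejected and whether the error depends on the clock. The function names and the sample log (with a placeholder CN) are constructed for illustration.

```python
import re

# Constructed sample in the console format quoted in the thread (placeholder CN).
SAMPLE_LOG = """\
[*11/22/2018 10:15:10.0000] CAPWAP State: DTLS Setup
[*11/22/2018 10:15:10.0299] ** X509_V_ERR_CERT_HAS_EXPIRED
[*11/22/2018 10:15:10.0299] Cert Verification FAILED with error 10 (certificate has expired) at 1 depth...
[*11/22/2018 10:15:10.0299] /C=US/ST=California/O=Cisco Virtual Wireless LAN Controller/CN=CA-vWLC-EXAMPLE
[*11/22/2018 10:15:10.0899] CAPWAP State: Join
"""

LINE = re.compile(r"^\[\*(?P<ts>[^\]]+)\]\s?(?P<msg>.*)$")
FAIL = re.compile(r"Cert Verification FAILED with error (?P<code>\d+) "
                  r"\((?P<reason>[^)]*)\) at (?P<depth>\d+) depth")
# OpenSSL verify codes that depend on the verifier's clock.
TIME_CODES = {9: "certificate is not yet valid", 10: "certificate has expired"}


def parse_dn(dn):
    """Split an OpenSSL one-line DN (/K=V/K=V) into a dict; skip malformed parts."""
    pairs = (part.partition("=") for part in dn.strip().strip("/").split("/"))
    return {key: value for key, sep, value in pairs if sep}


def find_cert_failures(log_text):
    """Return one dict per verification failure, with the failing cert's subject."""
    findings, pending = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if pending is not None and msg.startswith("/"):
            pending["subject"] = parse_dn(msg)  # DN line follows the failure line
        pending = None
        f = FAIL.search(msg)
        if f:
            depth, code = int(f.group("depth")), int(f.group("code"))
            pending = {
                "ts": m.group("ts"), "code": code, "reason": f.group("reason"),
                "depth": depth, "clock_dependent": code in TIME_CODES,
                # Depth 0 is the peer's own certificate; higher depths are its issuers.
                "role": "peer certificate" if depth == 0 else "issuer CA in peer chain",
                "subject": {},
            }
            findings.append(pending)
    return findings


if __name__ == "__main__":
    for item in find_cert_failures(SAMPLE_LOG):
        print(item["ts"], item["role"], item["reason"], item["subject"].get("CN"))
```

For clock-dependent codes (9 and 10), compare the AP's and controller's time against the certificate's validity dates before regenerating anything.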