Beginner

Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

*Sep 9 20:51:22.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.31.56.241 peer_port: 5246
*Sep 9 20:51:22.999: %DTLS-5-ALERT: Received FATAL : Protocol version alert from 172.31.56.241
*Sep 9 20:51:22.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.31.56.241:5246
*Sep 9 20:52:26.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

 

I came in Monday morning to the following DTLS fatal being generated at all of my access points. Seems there is a DTLS protocol version alert. Is there any way to determine what the problem may be? I'm running a Cisco 5508; 8.5.135 is the version of software loaded on the WLC. I have a variety of access points (3702, 3800, 2800 and others); all were not connected on Monday morning. I tried rebooting the controller and loading the firmware again. Nothing seemed to

12 REPLIES

Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

Can you send the following output:

sh sysinfo from WLC

sh version from AP

 

Also, make sure the time on WLC and AP are in sync.

Beginner

Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

Posted sysinfo... From the WLC, I see that SHA1 certs are used on the WLC but the AP is using SHA2? Anyway, the access points are being used right now. Will get the time info and other AP information in the next 2 hours.

Hall of Fame Community Legend

Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

Post the output to the WLC command of "sh time".
Beginner

Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

DTLS Errors from WLC side on console:

 

*spamApTask5: Sep 11 15:00:02.751: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:988 Failed to complete DTLS handshake with peer 172.31.56.32

*spamApTask5: Sep 11 15:00:02.751: %CCAUDIT-3-CC_MSG: openssl_dtls.c:991 WLC - User ID: NA - SSL_ERROR_SYSCALL error:wrong version number while communicating with peer 172.31.56.32
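An added triage script, not part of this thread or any Cisco tool, that parses the AP-side and WLC-side console messages quoted above, correlates them by peer address and reports whether both ends independently point at a DTLS version mismatch (the AP's "Protocol version alert" and the WLC's OpenSSL "wrong version number") rather than a certificate or generic handshake problem. The sample lines are constructed from the ones posted here; the category names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the AP-side and WLC-side messages quoted
# in this thread (same mnemonics, peer addresses and wording).
AP_CONSOLE = """\
*Sep 9 20:51:22.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.31.56.241 peer_port: 5246
*Sep 9 20:51:22.999: %DTLS-5-ALERT: Received FATAL : Protocol version alert from 172.31.56.241
*Sep 9 20:51:22.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.31.56.241:5246
"""

WLC_CONSOLE = """\
*spamApTask5: Sep 11 15:00:02.751: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:988 Failed to complete DTLS handshake with peer 172.31.56.32
*spamApTask5: Sep 11 15:00:02.751: %CCAUDIT-3-CC_MSG: openssl_dtls.c:991 WLC - User ID: NA - SSL_ERROR_SYSCALL error:wrong version number while communicating with peer 172.31.56.32
"""

# Cisco-style "%FACILITY-SEVERITY-MNEMONIC: message", with or without a task prefix.
_MSG_RE = re.compile(r"%(?P<facility>[A-Z]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+):\s*(?P<text>.*)$")
_IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_line(line):
    """Return a dict for a syslog-style line, or None if it carries no %MNEMONIC."""
    m = _MSG_RE.search(line)
    if not m:
        return None
    ip = _IPV4_RE.search(m.group("text"))
    return {
        "facility": m.group("facility"),
        "severity": int(m.group("severity")),
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
        "peer": ip.group(1) if ip else None,
    }


def classify(event):
    """Map one parsed event to a coarse DTLS failure category (names are mine)."""
    mnem, text = event["mnemonic"], event["text"]
    if mnem == "DTLSREQSEND":
        return "handshake_started"
    if mnem in ("ALERT", "SEND_ALERT"):
        if "Protocol version" in text:
            return "version_mismatch"       # peer refused the offered (D)TLS version
        if "Close notify" in text:
            return "session_closed"         # teardown after the failure, not a root cause
        if "certificate" in text.lower():
            return "certificate_problem"
        return "other_alert"
    if mnem == "HANDSHAKE_FAILURE":
        return "handshake_failed"
    if mnem == "CC_MSG" and "wrong version number" in text:
        return "version_mismatch"           # OpenSSL's record-layer version check
    return "unclassified"


def diagnose(ap_log, wlc_log):
    """Correlate both sides' logs by category and peer IP; return a summary verdict."""
    findings = {"ap": defaultdict(set), "wlc": defaultdict(set)}
    for side, log in (("ap", ap_log), ("wlc", wlc_log)):
        for line in log.splitlines():
            ev = parse_line(line)
            if ev and ev["peer"]:
                findings[side][classify(ev)].add(ev["peer"])

    ap_mismatch = bool(findings["ap"]["version_mismatch"])
    wlc_mismatch = bool(findings["wlc"]["version_mismatch"])
    if ap_mismatch and wlc_mismatch:
        verdict = "dtls_version_mismatch_both_sides"
    elif ap_mismatch or wlc_mismatch:
        verdict = "dtls_version_mismatch_one_side"
    elif findings["wlc"]["handshake_failed"] or findings["ap"]["certificate_problem"]:
        verdict = "dtls_handshake_failure_other_cause"
    else:
        verdict = "no_dtls_failure_seen"

    return {
        "verdict": verdict,
        # From the AP's point of view the peer is the controller; from the WLC's it is the AP.
        "controllers_rejecting_ap": sorted(findings["ap"]["version_mismatch"]),
        "aps_rejected_by_wlc": sorted(findings["wlc"]["version_mismatch"]),
    }


if __name__ == "__main__":
    print(diagnose(AP_CONSOLE, WLC_CONSOLE))
```

The two logs in the thread were captured on different days, so the script deliberately correlates on category and address, not on timestamp; a "both sides" verdict means the AP saw a protocol_version alert from the controller and the controller's OpenSSL rejected the AP's record version, which rules out clock skew or certificate trust as the first thing to chase.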

 

 

Hall of Fame Community Legend

Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

Can you try upgrading to 8.5.151.0 and try again?
Beginner

Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

Yes, I re-flashed the software on the 5508 and the same problem remains. The strange thing is that the problem occurred during normal running over a weekend. At first I thought maybe a power problem caused something in the image to be corrupted. It is very strange that the controller is insisting that the DTLS version is incorrect.

Hall of Fame Community Legend

Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

Console into the AP and reboot the AP.
Post the entire boot-up process.
Beginner

Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

Time............................................. Wed Sep 11 10:04:27 2019

Timezone delta................................... 0:0
Timezone location................................ (GMT -8:00) Pacific Time (US and Canada)

NTP Servers
NTP Version.................................. 3
NTP Polling Interval......................... 3600

Index  NTP Key Index  NTP Server     Status   NTP Msg Auth Status
-----  -------------  -------------  -------  -------------------
1      0              199.62.251.50  In Sync  AUTH DISABLED

Beginner

Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

The 5508 suddenly disconnected from the access points over the weekend. It had been connected for nearly a year on version 8.5.135. I connected a Cisco 2504 with the same version of software and all of the access points connected and were functioning.

Beginner

Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.5.135.0
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... 6.0.182.0
Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
OUI File Last Update Time........................ Sun Sep 07 10:44:07 IST 2014


Build Type....................................... DATA + WPS

System Name...................................... Glacier_Bear
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
Redundancy Mode.................................. Disabled
IP Address....................................... 172.31.56.241
IPv6 Address..................................... ::
Last Reset....................................... Software reset
System Up Time................................... 1 days 3 hrs 19 mins 29 secs
System Timezone Location......................... (GMT -8:00) Pacific Time (US and Canada)

System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180

Configured Country............................... US - United States
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +38 C
External Temperature............................. +27 C
Fan Status....................................... OK

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 18
Number of Active Clients......................... 0

OUI Classification Failure Count................. 0

Burned-in MAC Address............................ 44:D3:CA:B7:74:C0
Power Supply 1................................... Present, OK
Power Supply 2................................... Absent
Maximum number of APs supported.................. 500
System Nas-Id.................................... Glacier_Bear
WLC MIC Certificate Types........................ SHA1

Beginner

Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

AP5897.bd13.cc18-Chamber-ROAM2#show clock
*21:49:59.079 UTC Wed Sep 11 2019

 

Time on access point

Cisco Employee

Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

Hello, try the "config ap dtls-version dtls_all" command and check whether the APs are able to connect to the WLC again.
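A minimal model of the exchange behind the "Protocol version alert" and "wrong version number" messages earlier in this thread, written as an added example and not taken from the thread, from Cisco, or from any WLC source: a DTLS ClientHello proposing one version, and a server that accepts a configured set of versions and otherwise answers with a fatal protocol_version alert. The wire encodings (DTLS 1.0 = 0xFEFF, DTLS 1.2 = 0xFEFD, alert level 2 / description 70) are from RFC 4347 and RFC 6347. The POLICIES names, and the reading of the "dtls_all" keyword as "accept both DTLS 1.0 and 1.2 handshakes", are my assumptions; the page does not show the controller's actual negotiation logic.

```python
import os
import struct

# DTLS wire versions (RFC 4347 / RFC 6347): major/minor bytes are 255 minus the TLS values.
DTLS_1_0 = b"\xfe\xff"
DTLS_1_2 = b"\xfe\xfd"
VERSION_NAMES = {DTLS_1_0: "DTLS 1.0", DTLS_1_2: "DTLS 1.2"}

CT_ALERT, CT_HANDSHAKE = 21, 22
HS_CLIENT_HELLO = 1
ALERT_LEVELS = {1: "WARNING", 2: "FATAL"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate", 70: "protocol_version"}

# Hypothetical server-side acceptance sets. Only "dtls_all" appears in the thread; that it
# means "accept both versions", and the two single-version names, are assumptions.
POLICIES = {
    "dtls_1_0_only": {DTLS_1_0},
    "dtls_1_2_only": {DTLS_1_2},
    "dtls_all": {DTLS_1_0, DTLS_1_2},
}


def dtls_record(content_type, version, epoch, seq, payload):
    """DTLS record: type(1) version(2) epoch(2) sequence(6) length(2) payload."""
    return (bytes([content_type]) + version + struct.pack("!H", epoch)
            + seq.to_bytes(6, "big") + struct.pack("!H", len(payload)) + payload)


def parse_record(data):
    """Split one DTLS record into its header fields and payload, checking the length."""
    if len(data) < 13:
        raise ValueError("short DTLS record header")
    length = struct.unpack("!H", data[11:13])[0]
    payload = data[13:13 + length]
    if len(payload) != length:
        raise ValueError("truncated DTLS record")
    return {"type": data[0], "version": data[1:3],
            "epoch": struct.unpack("!H", data[3:5])[0],
            "seq": int.from_bytes(data[5:11], "big"), "payload": payload}


def client_hello(client_version, random32=None):
    """Minimal DTLS ClientHello: one cipher suite, no session id, no cookie."""
    body = (client_version + (random32 if random32 is not None else os.urandom(32))
            + b"\x00"                # session_id length
            + b"\x00"                # cookie length (first flight, before HelloVerifyRequest)
            + b"\x00\x02\xc0\x2b"    # one suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
            + b"\x01\x00")           # compression methods: null only
    # Handshake fragment header: msg_type(1) length(3) message_seq(2) frag_offset(3) frag_length(3)
    hs = (bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + b"\x00\x00"
          + b"\x00\x00\x00" + len(body).to_bytes(3, "big") + body)
    # The record layer of the first flight commonly carries DTLS 1.0 for compatibility;
    # the version actually proposed is client_version inside the body.
    return dtls_record(CT_HANDSHAKE, DTLS_1_0, 0, 0, hs)


def server_handle_client_hello(record, accepted_versions):
    """Return ("accepted", version name) or ("protocol_version", alert record)."""
    rec = parse_record(record)
    if rec["type"] != CT_HANDSHAKE or rec["payload"][0] != HS_CLIENT_HELLO:
        raise ValueError("expected a ClientHello handshake record")
    client_version = rec["payload"][12:14]       # first field of the ClientHello body
    if client_version in accepted_versions:
        return "accepted", VERSION_NAMES.get(client_version, client_version.hex())
    # Peer proposed a version this side is not configured for: fatal(2) protocol_version(70).
    alert = bytes([2, 70])
    return "protocol_version", dtls_record(CT_ALERT, rec["version"], 0, 0, alert)


def describe_alert(record):
    """Decode an alert record into (level name, description name)."""
    rec = parse_record(record)
    if rec["type"] != CT_ALERT or len(rec["payload"]) != 2:
        raise ValueError("not a DTLS alert record")
    level, desc = rec["payload"]
    return ALERT_LEVELS.get(level, str(level)), ALERT_DESCRIPTIONS.get(desc, str(desc))


if __name__ == "__main__":
    hello = client_hello(DTLS_1_2)
    for policy, versions in POLICIES.items():
        outcome, detail = server_handle_client_hello(hello, versions)
        print(policy, outcome, describe_alert(detail) if outcome != "accepted" else detail)
```

Running the main block sends the same DTLS 1.2 ClientHello to all three policies: the 1.0-only server answers with a FATAL protocol_version alert, which is the alert the AP logged as "Received FATAL : Protocol version alert", while the two policies that include DTLS 1.2 accept it. A real stack such as OpenSSL also checks the record-layer version field on every record, which is where its "wrong version number" string comes from; this model only checks the proposed version in the ClientHello body.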
