Beginner

Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

*Sep 9 20:51:22.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.31.56.241 peer_port: 5246
*Sep 9 20:51:22.999: %DTLS-5-ALERT: Received FATAL : Protocol version alert from 172.31.56.241
*Sep 9 20:51:22.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.31.56.241:5246
*Sep 9 20:52:26.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

 

I came in Monday morning to the following DTLS fatal being generated at all of my access points. It seems there is a DTLS protocol version alert. Is there any way to determine what the problem may be? I'm running a Cisco 5508; 8.5.135 is the version number of the software loaded on the WLC. I have a variety of access points (3702, 3800, 2800 and others); none of them were connected on Monday morning. I tried rebooting the controller and loading the firmware again. Nothing seemed to


Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

Can you send the following output:

sh sysinfo from WLC

sh version from AP

 

Also, make sure the time on WLC and AP are in sync.

Beginner

Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

Posted sysinfo... from the WLC, I see that SHA1 certs are used on the WLC but the AP is using SHA2? Anyway, the access points are being used right now. Will get the time info and other AP information in the next 2 hours.

Hall of Fame Community Legend

Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

Post the output to the WLC command of "sh time".
Beginner

Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

DTLS Errors from WLC side on console:

 

*spamApTask5: Sep 11 15:00:02.751: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:988 Failed to complete DTLS handshake with peer 172.31.56.32

*spamApTask5: Sep 11 15:00:02.751: %CCAUDIT-3-CC_MSG: openssl_dtls.c:991 WLC - User ID: NA - SSL_ERROR_SYSCALL error:wrong version number while communicating with peer 172.31.56.32

 

 

Hall of Fame Community Legend

Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

Can you try upgrading to 8.5.151.0 and try again?
Beginner

Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

Yes, I re-flashed the software on the 5508 and the same problem remains. The strange thing is that the problem occurred during normal running over a weekend. At first I thought maybe a power problem caused something in the image to be corrupted. It is very strange that the controller is insisting that the DTLS version is incorrect.

Hall of Fame Community Legend

Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

Console into the AP and reboot the AP.
Post the entire boot-up process.
Beginner

Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

Time............................................. Wed Sep 11 10:04:27 2019

Timezone delta................................... 0:0
Timezone location................................ (GMT -8:00) Pacific Time (US and Canada)

NTP Servers
NTP Version.................................. 3
NTP Polling Interval......................... 3600

Index NTP Key Index NTP Server Status NTP Msg Auth Status
------- ---------------------------------------------------------------------
1 0 199.62.251.50 In Sync AUTH DISABLED

Beginner

Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

The 5508 suddenly disconnected from the access points over the weekend. It had been connected for nearly a year with version 8.5.135. I connected a Cisco 2504 with the same version of software and all of the access points connected and were functioning.

Beginner

Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.5.135.0
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... 6.0.182.0
Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
OUI File Last Update Time........................ Sun Sep 07 10:44:07 IST 2014


Build Type....................................... DATA + WPS

System Name...................................... Glacier_Bear
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
Redundancy Mode.................................. Disabled
IP Address....................................... 172.31.56.241
IPv6 Address..................................... ::
Last Reset....................................... Software reset
System Up Time................................... 1 days 3 hrs 19 mins 29 secs
System Timezone Location......................... (GMT -8:00) Pacific Time (US and Canada)

System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180

Configured Country............................... US - United States
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +38 C
External Temperature............................. +27 C
Fan Status....................................... OK

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 18
Number of Active Clients......................... 0

OUI Classification Failure Count................. 0

Burned-in MAC Address............................ 44:D3:CA:B7:74:C0
Power Supply 1................................... Present, OK
Power Supply 2................................... Absent
Maximum number of APs supported.................. 500
System Nas-Id.................................... Glacier_Bear
WLC MIC Certificate Types........................ SHA1

Beginner

Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

AP5897.bd13.cc18-Chamber-ROAM2#show clock
*21:49:59.079 UTC Wed Sep 11 2019

 

Time on access point

Cisco Employee

Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

Hello, try the config ap dtls-version dtls_all command and check if the APs are able to connect to the WLC again.

Beginner

Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

3702 log on boot-up:

 

*Sep 25 22:09:08.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Sep 25 22:09:09.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.31.56.242 peer_port: 5246
*Sep 25 22:09:09.000: %DTLS-5-ALERT: Received FATAL : Protocol version alert from 172.31.56.242
*Sep 25 22:09:09.000: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.31.56.242:5246
IOS Bootloader - Starting system.
flash is writable
Tide XL MB - 40MB of flash
Xmodem file system is available.
flashfs[0]: 77 files, 9 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 41158656
flashfs[0]: Bytes used: 20898304
flashfs[0]: Bytes available: 20260352
flashfs[0]: flashfs fsck took 15 seconds.
Base Ethernet MAC address: 58:97:bd:13:cc:18
Ethernet speed is 1000 Mb - FULL Duplex
Loading "flash:/ap3g2-k9w8-mx.153-3.JF8/ap3g2-k9w8-mx.153-3.JF8"...#########################

File "flash:/ap3g2-k9w8-mx.153-3.JF8/ap3g2-k9w8-mx.153-3.JF8" uncompressed and installed, entry point: 0x2003000
executing...

Secondary Bootloader - Starting system.
Montserrat Board
40MB format
Tide XL MB - 40MB of flash
Xmodem file system is available.
flashfs[0]: 77 files, 9 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 41158656
flashfs[0]: Bytes used: 20898304
flashfs[0]: Bytes available: 20260352
flashfs[0]: flashfs fsck took 16 seconds.
flashfs[1]: 0 files, 1 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 12257280
flashfs[1]: Bytes used: 1024
flashfs[1]: Bytes available: 12256256
flashfs[1]: flashfs fsck took 0 seconds.
Base Ethernet MAC address: 58:97:bd:13:cc:18
Boot CMD: 'boot flash:/ap3g2-k9w8-mx.153-3.JF8/ap3g2-k9w8-xx.153-3.JF8;flash:/ap3g2-rcvk9w8-mx/ap3g2-rcvk9w8-xx'
Loading "flash:/ap3g2-k9w8-mx.153-3.JF8/ap3g2-k9w8-xx.153-3.JF8"...#################################################
File "flash:/ap3g2-k9w8-mx.153-3.JF8/ap3g2-k9w8-xx.153-3.JF8" uncompressed and installed, entry point: 0x1003000
executing...

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

 

Cisco IOS Software, C3700 Software (AP3G2-K9W8-M), Version 15.3(3)JF8, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Fri 20-Jul-18 22:19 by prod_rel_team

Montserrat Board
40MB format
Tide XL MB - 40MB of flash
Initializing flashfs...

flashfs[2]: 77 files, 9 directories
flashfs[2]: 0 orphaned files, 0 orphaned directories
flashfs[2]: Total bytes: 40900608
flashfs[2]: Bytes used: 20898304
flashfs[2]: Bytes available: 20002304
flashfs[2]: flashfs fsck took 15 seconds.
flashfs[2]: Initialization complete.
flashfs[4]: 0 files, 1 directories
flashfs[4]: 0 orphaned files, 0 orphaned directories
flashfs[4]: Total bytes: 11999232
flashfs[4]: Bytes used: 1024
flashfs[4]: Bytes available: 11998208
flashfs[4]: flashfs fsck took 1 seconds.
flashfs[4]: Initialization complete.
Copying radio files from flash: to ram:
Copy in progress...CCCCC
Copy in progress...CCC
Copy in progress...CCCC
Copy in progress...CCCC
Copy in progress...CC
Copy in progress...CC
Copy in progress...CCCC
Copy in progress...CC
Copy in progress...CCCCCCCC
Copy in progress...CCCC
Copy in progress...CC
Copy in progress...C
Uncompressing radio files...
...done Initializing flashfs.

Radio0 present 8764 8000 0 A8000000 A8010000 0
Rate table has 650 entries (20 legacy/224 11n/406 11ac)

POWER TABLE FILENAME = ram:/R2.bin

Radio1 present 8864 8000 0 80000000 80100000 4
POWER TABLE FILENAME = ram:/R5.bin

Radio2 not present 0 0 0 0 0 8
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-CAP3702E-A-K9 (PowerPC) processor (revision A0) with 376814K/134656K bytes of memory.
Processor board ID FTX1929S295
PowerPC CPU at 800Mhz, revision number 0x2151
Last reset from power-on
LWAPP image version 8.5.135.0
1 Gigabit Ethernet interface
2 802.11 Radios

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 58:97:BD:13:CC:18
Part Number : 73-15397-01
PCB Serial Number : FOC19273HN8
Top Assembly Part Number : 068-05055-05
Top Assembly Serial Number : FTX1929S295
Top Revision Number : A0
Product/Model Number : AIR-CAP3702E-A-K9
% Please define a domain-name first.


Press RETURN to get started!


*Mar 1 00:00:20.479: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed (15)
*Mar 1 00:00:20.943: Registering HW DTLS

*Mar 1 00:00:24.111: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:26.611: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0 (4)
*Mar 1 00:00:26.727: loading Power Tables from ram:/R2.bin. Class = A
*Mar 1 00:00:26.727: record size of 3ss: 1168 read_ptr: 5D7728E

*Mar 1 00:00:31.923: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1 (4)
*Mar 1 00:00:31.967: loading Power Tables from ram:/R5.bin. Class = A
*Mar 1 00:00:32.003: record size of vht: 2904 read_ptr: 5D7728E
APAVC Registering AVC licences on the AP to make sure we enable advanced PP

*Mar 1 00:00:33.443: SCHED: Ethernet Bridge Process: install watched boolean System Initialized(5D5F4CC), os:1 ah:0APAVC Protocol list already initialized.

*Mar 1 00:00:33.443: Start STILE Activation
APAVC: Succeeded to activate all the STILE protocols.
APAVC: Registering with CFT

*Mar 1 00:00:33.687: APAVC: CFT registration of delete callback succeeded
APAVC: Reattaching Original Buffer pool for system use

*Mar 1 00:00:35.375: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
*Mar 1 00:00:36.371: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to hostname change
*Mar 1 00:00:36.371: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to hostname change
*Mar 1 00:00:36.383: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3700 Software (AP3G2-K9W8-M), Version 15.3(3)JF8, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Fri 20-Jul-18 22:19 by prod_rel_team
*Mar 1 00:00:36.383: %SNMP-5-COLDSTART: SNMP agent on host AP5897.bd13.cc18-Chamber-ROAM2 is undergoing a cold start
*Mar 1 00:00:36.839: SCHED: Ethernet Bridge Process: remove watched boolean System Initialized(5D5F4CC)
*Mar 1 00:00:36.839: SCHED: Ethernet Bridge Process: install watched queue Soap BVI input queue(CCDC3C8), os:0 ah:0
*Mar 1 00:00:38.043: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Mar 1 00:00:38.955: %CAPWAP-5-AP_EASYADMIN_INFO: AP Easy Admin information - EASY_ADMIN is not set, turn off easy admin service!

*Mar 1 00:00:38.955: %CAPWAP-5-AP_EASYADMIN_INFO: AP Easy Admin information - Easy Admin is not enabled, turn it off!

*Mar 1 00:00:38.967: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to hostname change
*Mar 1 00:00:38.967: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to hostname change
*Mar 1 00:00:38.991: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to interface resetlwapp_crypto_init: MIC Present and Parsed Successfully

*Mar 1 00:00:39.155: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Mar 1 00:00:39.155: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 1 00:00:40.155: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Mar 1 00:00:44.739: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed (2-16)
*Mar 1 00:00:44.739: DPAA Initialization Complete
*Mar 1 00:00:44.739: %SYS-3-HARIKARI: Process DPAA INIT top-level routine exited
*Mar 1 00:00:44.791: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:48.079: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 172.31.59.247, mask 255.255.255.0, hostname AP5897.bd13.cc18-Chamber-ROAM2

*Mar 1 00:00:54.731: Currently running a Release Image

*Mar 1 00:00:54.755: Using SHA-2 signed certificate for image signing validation.%Default route without gateway, if not a point-to-point interface, may impact performance
*Mar 1 00:01:02.359: AP image integrity check PASSED

*Mar 1 00:01:02.367: Non-recovery image. PNP Not required.

*Mar 1 00:01:02.379: Cert ISSUER (39): cn=Cisco Manufacturing CA SHA2,o=Cisco

*Mar 1 00:01:02.399: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 1 00:01:02.399: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Mar 1 00:01:03.399: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Mar 1 00:01:12.499: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 port 0 CLI Request Triggered%No matching route to delete
Translating "CISCO-CAPWAP-CONTROLLER.honeywell.com"...domain server (10.192.2.45)

*Mar 1 00:01:24.315: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to interface reset
*Mar 1 00:01:24.315: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to interface reset
*Mar 1 00:01:24.315: %CDP_PD-4-POWER_OK: 15.4 W power - NEGOTIATED inline power source
*Mar 1 00:01:25.423: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 1 00:01:26.423: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar 1 00:01:26.655: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 00:01:27.655: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Mar 1 00:01:33.671: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Sep 25 22:11:59.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.31.56.242 peer_port: 5246
*Sep 25 22:11:59.000: %DTLS-5-ALERT: Received FATAL : Protocol version alert from 172.31.56.242
*Sep 25 22:11:59.000: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.31.56.242:5246
*Sep 25 22:12:49.655: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to interface reset
*Sep 25 22:12:49.655: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to interface reset
*Sep 25 22:12:49.655: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Sep 25 22:12:49.659: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Sep 25 22:12:49.667: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Sep 25 22:12:50.659: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Sep 25 22:12:50.695: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Sep 25 22:12:50.703: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Sep 25 22:12:50.711: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Sep 25 22:12:51.695: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Sep 25 22:12:51.703: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Sep 25 22:12:51.763: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Sep 25 22:12:52.763: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Sep 25 22:13:03.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Sep 25 22:13:05.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.31.56.242 peer_port: 5246
*Sep 25 22:13:05.000: %DTLS-5-ALERT: Received FATAL : Protocol version alert from 172.31.56.242
*Sep 25 22:13:05.000: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.31.56.242:5246

Beginner

Re: Cisco WLC 5508 will not allow access points to connect due to a DTLS failure.

Does anyone know how to display the version of SSL on the WLC and the LWAPP access point? I keep getting an SSL version error on the WLC. You can see the error near the end of the boot-up log that I just posted.
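Added example, not from this thread or from Cisco: a small Python triage that parses the AP-side (%CAPWAP/%DTLS) and WLC-side (%DTLS-3/%CCAUDIT) lines quoted above and separates the protocol-version signature ("Protocol version" alert on the AP, OpenSSL "wrong version number" on the WLC) from certificate or clock problems. The message formats are the ones posted in the thread; the function names and verdict labels are assumptions.

```python
"""Triage CAPWAP/DTLS join failures from AP (IOS) and WLC (AireOS) log lines.
Added example for this thread, not Cisco code: formats come from the posted lines."""
import re
from collections import defaultdict

# AP-side syslog prefix, e.g. "*Sep 9 20:51:22.999: "
AP_TS = r"^\*(?P<ts>\w{3} +\d+ [\d:.]+): "
AP_PATTERNS = {
    "dtls_request": re.compile(AP_TS + r"%CAPWAP-5-DTLSREQSEND: .*peer_ip: (?P<peer>[\d.]+) peer_port: (?P<port>\d+)"),
    "dtls_alert_rx": re.compile(AP_TS + r"%DTLS-5-ALERT: Received FATAL : (?P<detail>.+?) alert from (?P<peer>[\d.]+)"),
    "dtls_alert_tx": re.compile(AP_TS + r"%DTLS-5-SEND_ALERT: Send FATAL : (?P<detail>.+?) Alert to (?P<peer>[\d.]+):\d+"),
}
# WLC-side console prefix, e.g. "*spamApTask5: Sep 11 15:00:02.751: "
WLC_TS = r"^\*\w+: (?P<ts>\w{3} +\d+ [\d:.]+): "
WLC_PATTERNS = {
    "handshake_failure": re.compile(WLC_TS + r"%DTLS-3-HANDSHAKE_FAILURE: .*peer (?P<peer>[\d.]+)$"),
    "ssl_error": re.compile(WLC_TS + r"%CCAUDIT-3-CC_MSG: .*error:(?P<detail>.+?) while communicating with peer (?P<peer>[\d.]+)$"),
}

def parse_line(line):
    """Return {side, kind, ts, peer, detail} for a recognised DTLS/CAPWAP line, else None."""
    for side, patterns in (("ap", AP_PATTERNS), ("wlc", WLC_PATTERNS)):
        for kind, rx in patterns.items():
            m = rx.match(line.strip())
            if m:
                g = m.groupdict()
                return {"side": side, "kind": kind, "ts": g["ts"], "peer": g["peer"],
                        "detail": g.get("detail", g.get("port", ""))}
    return None

def triage(lines):
    """Count DTLS events per peer and decide whether the symptoms are a version mismatch.
    A 'Protocol version' alert on the AP or 'wrong version number' on the WLC means the two
    ends disagree on the DTLS version before any certificate is examined, so clock skew or
    certificate trust is not the first thing to chase."""
    per_peer = defaultdict(lambda: defaultdict(int))
    signals = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        per_peer[ev["peer"]][ev["kind"]] += 1
        if (ev["kind"] == "dtls_alert_rx" and ev["detail"] == "Protocol version") or \
           (ev["kind"] == "ssl_error" and "wrong version number" in ev["detail"]):
            signals.append((ev["side"], ev["ts"], ev["peer"]))
    verdict = "dtls_version_mismatch" if signals else "no_dtls_version_signal"
    return {"verdict": verdict, "signals": signals,
            "per_peer": {p: dict(c) for p, c in per_peer.items()}}

# Sample input: lines copied from the AP boot log and WLC console posted in this thread.
SAMPLE_LINES = [
    "*Sep 9 20:51:22.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.31.56.241 peer_port: 5246",
    "*Sep 9 20:51:22.999: %DTLS-5-ALERT: Received FATAL : Protocol version alert from 172.31.56.241",
    "*Sep 9 20:51:22.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.31.56.241:5246",
    "*Sep 9 20:52:26.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.",
    "*spamApTask5: Sep 11 15:00:02.751: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:988 Failed to complete DTLS handshake with peer 172.31.56.32",
    "*spamApTask5: Sep 11 15:00:02.751: %CCAUDIT-3-CC_MSG: openssl_dtls.c:991 WLC - User ID: NA - SSL_ERROR_SYSCALL error:wrong version number while communicating with peer 172.31.56.32",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LINES))
```

Feed it a console capture from both sides: a "dtls_version_mismatch" verdict with the peer and timestamp of each signal tells you which controller address the APs are rejecting, before you spend time on certificates or NTP.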
