Hi,

I have the famous " %DTLS-5-SEND_ALERT: Send FATAL" error on an AP.  Impossible to join the WLC.

I read a lot of comments on this but no solution for this case. Any idea ??

You can find the tests done on a 2504 and a 3504 on my lab:

My Devices:

- 1 WLC 2504 (firmware 8.5.131) 

- 2 WLC 3504 (firmware 8.5.131)  HA SSO 

- 1 AP 2702I

TEST 1  -  Option DHCP 43  => WLC 2504

On the AP, I have:

*Mar  1 00:01:39.611: %CAPWAP-5-DHCP_OPTION_43: Controller address 192.33.50.250 obtained through DHCP

*Jan  1 00:49:37.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.33.50.250 peer_port: 5246

*Jan  1 00:49:37.207: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 192.33.50.250

*Jan  1 00:49:37.207: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.33.50.250:5246

I just Set the Time on the WLC to fix this issue.  The AP was then able to join the WLC-2504. Fine

TEST 2 - Option DHCP 43  => WLC 3504

*Mar  1 00:01:26.667: %CAPWAP-5-DHCP_OPTION_43: Controller address 192.33.50.240 obtained through DHCP

*Mar 22 13:58:05.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.33.50.240 peer_port: 5246

*Mar 22 13:58:05.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.33.50.240 peer_port: 5246

*Mar 22 13:58:05.223: %CAPWAP-5-SENDJOIN: sending Join Request to 192.33.50.240

*Mar 22 13:58:10.223: %CAPWAP-5-SENDJOIN: sending Join Request to 192.33.50.240

*Mar 22 13:59:04.683: %DTLS-5-ALERT: Received WARNING : Close notify alert from 192.33.50.240

*Mar 22 13:59:04.683: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.33.50.240:5246

Impossible  for the AP to join the WLCs. I've spent hours on this issue.

I also tried with one WLC-3504 (standalone).

Herve