09-09-2022 08:07 AM
Hi,
I am facing the issue that a 2702I AP is not joining the C5508 controller. Initially all APs were not joining due to the country code and certificate validity date. Then I resolved the country code issue and applied config ap cert-expiry-ignore {mic|ssc} enable. After that a few APs have joined, but some APs are still facing not-joining problems. Below are the AP and WLC logs.
AP logs
*Sep 9 20:28:04.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.0.5 peer_port: 5246
*Sep 9 20:28:09.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:928 Unexpected message received while expecting HelloVerifyRequest
*Sep 9 20:28:09.999: %DTLS-5-SEND_ALERT: Send FATAL : Unexpected message Alert to 10.10.0.5:5246
*Sep 9 20:28:09.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.0.5:5246
*Sep 9 20:29:28.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
AP188b.9d7b.3348#test pb display
------------------------------
Display of the Parameter Block
------------------------------
Total Number of Records : 5
Number of Certs : 4
Number of Keys : 1
-----------------------------------
Display of the SHA2 Parameter Block
-----------------------------------
Total Number of Records : 4
Number of Certs : 3
Number of Keys : 1
config ap lifetime-check mic ssc disable
AP188b.9d7b.3348#show crypto pki trustpoints | include SHA2
cn=Cisco Manufacturing CA SHA2
AP188b.9d7b.3348#
Controller
(Cisco Controller) >show certificate all ?
(Cisco Controller) >show certificate all
--------------- Verification Certificates ---------------
Certificate Name: ACT2 EC CA cert
Subject Name :
O=Cisco, CN=ACT2 ECC SUDI CA
Issuer Name :
O=Cisco, CN=Cisco ECC Root CA
Serial Number (Hex):
02
Validity :
Start : Apr 4 08:26:13 2013 GMT
End : Apr 4 08:15:43.704 2053 GMT
Signature Algorithm :
ecdsa-with-SHA384
Hash key :
SHA1 Fingerprint : 32:78:95:b8:c4:e0:3c:ec:14:ae:d9:70:ef:99:c8:d9:34:0b:80:e6
SHA256 Fingerprint : f2:a3:92:57:1e:33:54:9a:b4:36:93:ef:55:67:fb:e6:07:8b:98:28:05:71:0c:26:fe:f6:d8
----------------------------
Certificate Name: ACT2 EC ROOT CA cert
Subject Name :
O=Cisco, CN=Cisco ECC Root CA
Issuer Name :
O=Cisco, CN=Cisco ECC Root CA
Serial Number (Hex):
01
Validity :
Start : Apr 4 08:15:44 2013 GMT
End : Apr 4 08:15:44.704 2053 GMT
Signature Algorithm :
ecdsa-with-SHA384
Hash key :
SHA1 Fingerprint : 52:ec:7d:bb:5c:65:11:dd:c1:c5:46:db:bc:29:49:b5:ab:e9:d0:ee
SHA256 Fingerprint : 8d:b4:9f:4b:13:ee:ad:89:c5:cc:a2:9e:c0:33:72:59:14:45:86:5b:7a:fd:e8:2c:33:76:0f
----------------------------
Certificate Name: ACT2 RSA CA cert
Subject Name :
O=Cisco, CN=ACT2 SUDI CA
Issuer Name :
O=Cisco Systems, CN=Cisco Root CA 2048
Serial Number (Hex):
61096E7D00000000000C
Validity :
Start : Jun 30 17:56:57 2011 GMT
End : May 14 20:25:42 2029 GMT
Signature Algorithm :
sha1WithRSAEncryption
Hash key :
SHA1 Fingerprint : f6:96:9b:bd:48:e5:f6:12:5b:93:4d:01:e7:1f:e9:c2:7c:6f:54:7e
SHA256 Fingerprint : 65:fa:b0:4a:ef:29:8b:e3:b9:42:e6:0e:1a:94:17:b9:c0:c6:a1:8e:e0:45:f2:d1:11:4d:55
----------------------------
Certificate Name: Cisco Manufacturing CA SHA2 cert
Subject Name :
O=Cisco, CN=Cisco Manufacturing CA SHA2
Issuer Name :
O=Cisco, CN=Cisco Root CA M2
Serial Number (Hex):
02
Validity :
Start : Nov 12 13:50:58 2012 GMT
End : Nov 12 13:00:17 2037 GMT
Signature Algorithm :
sha256WithRSAEncryption
Hash key :
SHA1 Fingerprint : 90:b2:e0:6b:7a:d5:da:ff:cf:d4:31:87:29:09:f3:81:37:47:1b:f8
SHA256 Fingerprint : 95:a0:e5:8a:99:8e:80:2a:c7:7a:d5:29:b9:ad:d8:e5:b4:0c:f9:0a:f3:9a:85:6d:b5:14:a3
----------------------------
Certificate Name: Cisco Root CA SHA2 cert
Subject Name :
O=Cisco, CN=Cisco Root CA M2
Issuer Name :
O=Cisco, CN=Cisco Root CA M2
Serial Number (Hex):
01
Validity :
Start : Nov 12 13:00:18 2012 GMT
End : Nov 12 13:00:18 2037 GMT
Signature Algorithm :
sha256WithRSAEncryption
Hash key :
SHA1 Fingerprint : 93:3d:63:3a:4e:84:0d:a4:c2:8e:89:5d:90:0f:d3:11:88:86:f7:a3
SHA256 Fingerprint : cd:85:16:7b:39:35:e2:7b:cc:3b:0f:5f:a2:4c:84:57:88:2d:0b:b9:94:f8:82:69:a7:f7:28
----------------------------
Certificate Name: Cisco Manufacturing CA SHA1 cert
Subject Name :
O=Cisco Systems, CN=Cisco Manufacturing CA
Issuer Name :
O=Cisco Systems, CN=Cisco Root CA 2048
Serial Number (Hex):
6A6967B3000000000003
Validity :
Start : Jun 10 22:16:01 2005 GMT
End : May 14 20:25:42 2029 GMT
Signature Algorithm :
sha1WithRSAEncryption
Hash key :
SHA1 Fingerprint : e3:e7:83:d3:cc:9c:30:ae:de:ff:cd:eb:5e:cf:ee:08:ff:8f:16:84
SHA256 Fingerprint : c7:4d:4b:4a:14:51:9d:d0:65:19:1d:96:84:5e:8d:4e:c8:51:43:6b:c5:59:c4:a4:5e:24:ca
----------------------------
Certificate Name: Cisco Root CA SHA1 cert
Subject Name :
O=Cisco Systems, CN=Cisco Root CA 2048
Issuer Name :
O=Cisco Systems, CN=Cisco Root CA 2048
Serial Number (Hex):
5FF87B282B54DC8D42A315B568C9ADFF
Validity :
Start : May 14 20:17:12 2004 GMT
End : May 14 20:25:42 2029 GMT
Signature Algorithm :
sha1WithRSAEncryption
Hash key :
SHA1 Fingerprint : de:99:0c:ed:99:e0:43:1f:60:ed:c3:93:7e:7c:d5:bf:0e:d9:e5:fa
SHA256 Fingerprint : 83:27:bc:8c:9d:69:94:7b:3d:e3:c2:75:11:53:72:67:f5:9c:21:b9:fa:7b:61:3f:af:bc:cd
----------------------------
Certificate Name: Airespace Build CA cert
Subject Name :
C=US, ST=California, L=San Jose, O=Airespace Inc., OU=Engineering, CN=Airespace Build CA, emailAddress
Issuer Name :
C=US, ST=California, L=San Jose, O=Airespace Inc., OU=Engineering, CN=Airespace Root CA, emailAddress=
Serial Number (Hex):
01
Validity :
Start : Jul 31 13:41:31 2003 GMT
End : Apr 29 13:41:31 2013 GMT
Signature Algorithm :
md5WithRSAEncryption
Hash key :
SHA1 Fingerprint : e3:50:2f:94:f5:54:b9:e4:c2:b3:cb:3c:f8:5c:6b:ca:86:0f:5f:8d
SHA256 Fingerprint : e6:50:49:d6:d5:c7:f2:3c:e7:e9:f6:5e:48:32:5d:f1:39:82:60:06:f7:61:41:a2:60:89:37
----------------------------
Certificate Name: Airspace device CA cert
Subject Name :
C=US, ST=California, L=San Jose, O=Airespace Inc., OU=Engineering, CN=Airespace Device CA, emailAddres
Issuer Name :
C=US, ST=California, L=San Jose, O=Airespace Inc., OU=Engineering, CN=Airespace Root CA, emailAddress=
Serial Number (Hex):
03
Validity :
Start : Apr 28 22:37:13 2005 GMT
End : Jan 26 22:37:13 2015 GMT
Signature Algorithm :
md5WithRSAEncryption
Hash key :
SHA1 Fingerprint : ae:25:ff:04:12:8a:62:f0:f8:4a:e8:76:b1:fe:c3:0d:78:dd:c6:1b
SHA256 Fingerprint : 92:09:e5:a9:e3:97:5c:6c:56:bc:9c:11:d4:8b:b1:c0:a4:c5:10:97:e7:0b:02:51:ee:bd:07
----------------------------
Certificate Name: Airespace Root CA cert
Subject Name :
C=US, ST=California, L=San Jose, O=Airespace Inc., OU=Engineering, CN=Airespace Root CA, emailAddress=
Issuer Name :
C=US, ST=California, L=San Jose, O=Airespace Inc., OU=Engineering, CN=Airespace Root CA, emailAddress=
Serial Number (Hex):
0
Validity :
Start : Jul 31 13:41:22 2003 GMT
End : Apr 29 13:41:22 2013 GMT
Signature Algorithm :
md5WithRSAEncryption
Hash key :
SHA1 Fingerprint : 94:ec:7d:ba:e4:e6:fb:f1:e0:44:03:81:cb:ed:ef:32:79:c9:90:b5
SHA256 Fingerprint : 92:62:22:3e:92:a6:48:07:0c:86:54:c4:6f:1b:04:af:5b:1d:58:c5:7a:f2:bc:b8:76:db:41
----------------------------
Certificate Name: Old Airespace CA cert
Subject Name :
C=US, ST=California, L=San Jose, O=airespace Inc, OU=none, CN=ca, emailAddress=support@airespace.com
Issuer Name :
C=US, ST=California, L=San Jose, O=airespace Inc, OU=none, CN=ca, emailAddress=support@airespace.com
Serial Number (Hex):
0
Validity :
Start : Feb 12 23:38:55 2003 GMT
End : Nov 11 23:38:55 2012 GMT
Signature Algorithm :
md5WithRSAEncryption
Hash key :
SHA1 Fingerprint : 05:87:eb:cc:ab:55:a3:67:56:f4:59:75:cb:b1:65:47:45:6d:84:9c
SHA256 Fingerprint : 96:b4:a7:47:1e:50:d8:38:4c:4d:4f:49:e3:53:61:f6:50:7c:a4:8f:78:07:7b:0f:9c:8c:40
----------------------------
-------------- Identification Certificates --------------
Certificate Name: Cert for Web Authentication
Subject Name :
C=US, O=Cisco Systems Inc., OU=DeviceSSL (WebAuth), CN=1.1.1.1
Issuer Name :
C=US, O=Cisco Systems Inc., OU=DeviceSSL (WebAuth), CN=1.1.1.1
Serial Number (Hex):
0C40D980
Validity :
Start : Sep 2 19:00:01 2022 GMT
End : Sep 2 19:00:01 2032 GMT
Signature Algorithm :
sha256WithRSAEncryption
Hash key :
SHA1 Fingerprint : 6e:aa:26:46:c6:8d:c7:dd:da:d6:d0:a8:17:22:ca:13:1a:9f:29:0c
SHA256 Fingerprint : dc:a3:43:92:84:78:f7:24:32:0a:2e:bc:bf:8d:64:be:07:5e:f3:27:b8:ab:62:b7:9e:c1:db
----------------------------
Certificate Name: Cert for Web Admin
Subject Name :
C=US, O=Cisco Systems Inc., OU=DeviceSSL (WebAdmin), CN=169.254.1.1
Issuer Name :
C=US, O=Cisco Systems Inc., OU=DeviceSSL (WebAdmin), CN=169.254.1.1
Serial Number (Hex):
0C40D980
Validity :
Start : Sep 3 00:00:01 2022 GMT
End : Sep 3 00:00:01 2032 GMT
Signature Algorithm :
sha256WithRSAEncryption
Hash key :
SHA1 Fingerprint : a7:a5:d4:dc:d2:dd:d0:9b:3d:e3:c2:6c:8c:30:d3:98:bf:e4:a3:d0
SHA256 Fingerprint : 81:d4:51:92:26:8a:6f:e3:a4:97:d8:6e:53:35:3c:8e:df:b2:f0:36:78:93:0f:b1:11:ac:19
----------------------------
Certificate Name: Cisco SHA1 device cert
Subject Name :
C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AIR-CT5508-K9-649ef3bf2680, emailAddress=support@
Issuer Name :
O=Cisco Systems, CN=Cisco Manufacturing CA
Serial Number (Hex):
66A651E0000000123B8D
Validity :
Start : Dec 12 16:21:50 2011 GMT
End : Dec 12 16:31:50 2021 GMT
Signature Algorithm :
sha1WithRSAEncryption
Hash key :
SHA1 Fingerprint : 4a:be:fd:a6:1d:5d:57:87:c0:a3:15:e0:3a:fb:05:0b:4b:d3:46:56
SHA256 Fingerprint : e7:49:e0:1e:6f:35:b2:84:f9:6a:2e:d1:35:78:2d:c7:12:24:70:4f:95:fc:d8:b2:0a:5f:e3
----------------------------
Certificate Name: Airespace Id cert
Subject Name :
C=US, ST=California, L=San Jose, O=Airespace Inc., OU=MWAR Device, CN=000b85236d90, emailAddress=suppo
Issuer Name :
C=US, ST=California, L=San Jose, O=Airespace Inc., OU=Engineering, CN=Airespace Device CA, emailAddres
Serial Number (Hex):
04EB8E
Validity :
Start : Mar 13 02:07:09 2006 GMT
End : Mar 10 02:07:09 2016 GMT
Signature Algorithm :
md5WithRSAEncryption
Hash key :
SHA1 Fingerprint : e3:68:a6:0f:89:46:b5:6b:37:eb:11:8c:d0:67:2e:51:e1:d8:5e:59
SHA256 Fingerprint : f1:21:a6:ef:a6:c3:67:06:73:90:12:55:1a:a3:49:e6:09:fa:8a:b6:22:2e:85:2f:48:b3:40
----------------------------
Certificate Name: Old Airespace Id cert
Subject Name :
C=US, ST=California, L=San Jose, O=airespace Inc, CN=000b85236d90, emailAddress=support@airespace.com
Issuer Name :
C=US, ST=California, L=San Jose, O=airespace Inc, OU=none, CN=ca, emailAddress=support@airespace.com
Serial Number (Hex):
04C88C
Validity :
Start : Mar 13 02:07:12 2006 GMT
End : Dec 11 02:07:12 2015 GMT
Signature Algorithm :
md5WithRSAEncryption
Hash key :
SHA1 Fingerprint : 51:0c:17:6d:94:2c:cf:e4:eb:66:ba:4b:26:0b:ed:11:26:99:3c:b1
SHA256 Fingerprint : 9b:ec:a6:03:6b:7b:60:fe:17:e1:0e:4f:b4:2d:f3:b9:f6:c5:07:bb:97:6d:db:1b:3e:7f:80
09-09-2022 09:26 AM
- Check this article : https://rscciew.wordpress.com/category/ap-joining-issues-to-wlc/
M.
09-09-2022 06:54 PM
Post the complete output to the following commands:
09-10-2022 06:15 AM - edited 09-10-2022 06:16 AM
Since the Cisco SHA1 device cert was expired in the WLC (can be seen in the above WLC certificates), I set the year to 2014 in the controller; all APs started to download the image and joined the WLC. The reason is the MIC expired. What's the workaround for the MIC update? Because at the end it would be necessary to keep the WLC in 2022.
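A quick way to confirm which certificates in a dump like the one above are expired at a given controller clock, added here as an example (not code from this thread or from Cisco): it parses the "show certificate all" validity fields and evaluates them on the dates discussed in the thread. The sample input is a constructed excerpt of that output with the other fields omitted.

```python
from datetime import datetime, timezone

# Constructed excerpt in the format of the WLC "show certificate all" output
# quoted above (validity values copied from that output, other fields omitted).
SAMPLE_OUTPUT = """\
Certificate Name: Cisco Manufacturing CA SHA1 cert
Validity :
Start : Jun 10 22:16:01 2005 GMT
End : May 14 20:25:42 2029 GMT
----------------------------
Certificate Name: Airespace Root CA cert
Validity :
Start : Jul 31 13:41:22 2003 GMT
End : Apr 29 13:41:22 2013 GMT
----------------------------
Certificate Name: Cisco SHA1 device cert
Validity :
Start : Dec 12 16:21:50 2011 GMT
End : Dec 12 16:31:50 2021 GMT
----------------------------
"""

def parse_wlc_time(text):
    # WLC prints e.g. "Apr 4 08:15:43.704 2053 GMT": drop fractional seconds
    # and normalise spacing so single-digit days parse as well.
    parts = text.split()
    parts[2] = parts[2].split(".")[0]
    return datetime.strptime(" ".join(parts), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_certificates(output):
    # Return (name, not_before, not_after) for each "Certificate Name:" block.
    certs, name, start = [], None, None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Certificate Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Start :"):
            start = parse_wlc_time(line.split(":", 1)[1].strip())
        elif line.startswith("End :") and name is not None:
            certs.append((name, start, parse_wlc_time(line.split(":", 1)[1].strip())))
            name = start = None
    return certs

def validity_report(output, when):
    # `when` is an ISO date, e.g. "2022-09-09" (the day of the thread); the
    # controller's own clock is what the DTLS certificate check compares against.
    now = datetime.strptime(when, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return {name: "not yet valid" if now < start else "expired" if now > end else "valid"
            for name, start, end in parse_certificates(output)}
```

Run against 2022-09-09 it flags the Cisco SHA1 device cert as expired; against 2014-01-01 that cert is valid again, which is why rolling the clock back let the APs join.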
09-10-2022 06:47 AM
09-10-2022 08:42 AM
>...config ap lifetime-check mic ssc disable
Note that according to https://bst.cisco.com/bugsearch/bug/CSCut75441, the particular command may have the reverse effect of what is intended; have a try with >...config ap lifetime-check mic ssc enable
M.
09-11-2022 04:26 AM
@marce1000 he has already mentioned using the "fixed" version of the command.
@Adnan Jameel just make sure you follow ALL the instructions in the field notice closely.
https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html
Make sure you're running the latest version of code with all fixes (8.5.182.0) and with the config workarounds applied. After disabling NTP and changing the time (as you did), all APs should be able to join, download the new code and apply the config change, and then should work when the time goes back to NTP. If they still aren't joining it could be another problem or a faulty AP. Always remember to try a factory default reset on the AP, and remember that after a default it can only join and pick up the config change while the time is "valid" according to the cert (because the config change is lost).