
AIR-CAP3502I-A-K9 | Mar 19 03:35:36.011: %PKI-3-CERTIFICATE_INVALID_EX

Ibrahim Jamil

Hi guys,

I'm getting the below for this AP, Product/Model Number: AIR-CAP3502I-A-K9.

It works/joined the WLC after I changed the WLC-2504 clock time to 1 March 2022, but the radio of the APs keeps going up and down. How do I fix that issue?

Thanks

 

*Mar 19 03:35:22.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.105 peer_port: 5246
*Mar 19 03:35:36.011: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 4C977E00000008D0D0) has expired. Validity period ended on 01:01:55 UTC Mar 16 2022Peer certificate verification failed 001A

*Mar 19 03:35:36.011: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:509 Certificate verified failed!
*Mar 19 03:35:36.011: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.100.105:5246
*Mar 19 03:35:36.011: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.100.105:5246
*Mar 19 03:36:45.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.105 peer_port: 5246
*Mar 19 03:36:45.000: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:929 Unexpected message received while expecting HelloVerifyRequest
*Mar 19 03:36:45.000: %DTLS-5-SEND_ALERT: Send FATAL : Unexpected message Alert to 192.168.100.105:5246
*Mar 19 03:36:45.000: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.100.105:5246

User Access Verification

Username:
Username:
Password:
*Mar 19 03:37:50.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.105 peer_port: 5246
*Mar 19 03:37:52.000: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:929 Unexpected message received while expecting HelloVerifyRequest

*Mar 19 03:37:52.000: %DTLS-5-SEND_ALERT: Send FATAL : Unexpected message Alert to 192.168.100.105:5246
*Mar 19 03:37:52.000: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.100.105:5246
% Authentication failed

Username: Cisco
Password:

AP>
AP>
AP>
AP>
AP>
AP>
AP>en
Password:
% Access denied

AP>
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)

*Mar 19 03:39:03.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.105 peer_port: 5246
*Mar 19 03:39:03.009: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 4C977E00000008D0D0) has expired. Validity period ended on 01:01:55 UTC Mar 16 2022Peer certificate verification failed 001A

*Mar 19 03:39:03.009: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:509 Certificate verified failed!
*Mar 19 03:39:03.009: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.100.105:5246
*Mar 19 03:39:03.009: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.100.105:5246
AP>
AP>


Product/Model Number : AIR-CAP3502I-A-K9


Leo Laohoo

Post the complete output to the WLC command of "sh sysinfo".

Hello Leo

 

Here you go, my friend

 

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.5.110.0
Bootloader Version............................... 1.0.16
Field Recovery Image Version..................... 1.0.0
Firmware Version................................. PIC 16.0


OUI File Last Update Time........................ Sun Sep 07 10:44:07 IST 2014


Build Type....................................... DATA + WPS

System Name...................................... WLC
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1279
IP Address....................................... 192.168.100.105
IPv6 Address..................................... ::
Last Reset....................................... Power on reset
System Up Time................................... 0 days 0 hrs 2 mins 35 secs

--More-- or (q)uit
System Timezone Location.........................
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180

Configured Country............................... US - United States
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +11 C
External Temperature............................. +15 C
Fan Status....................................... 3500 rpm

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 2
Number of Active Clients......................... 0

OUI Classification Failure Count................. 0

Burned-in MAC Address............................ 40:C4:AA:BB:CC:00
Maximum number of APs supported.................. 75
System Nas-Id....................................
WLC MIC Certificate Types........................ SHA1

AP_CLI#show crypto pki certificates

CA Certificate

Status: Available...

...

Certificate

Status: Available

Certificate Serial Number: 728AF4350000001E4C89

Certificate Usage: General Purpose

Issuer:

cn=Cisco Manufacturing CA

o=Cisco Systems

Subject:

Name: C1130-001c58b5b3a4

ea=support@cisco.com

cn=C1130-001c58b5b3a4

o=Cisco Systems

l=San Jose

st=California

c=US

CRL Distribution Points:

http://www.cisco.com/security/crl/cmca.crl

Validity Date:

start date: 04:22:10 UTC Jul 11 2007

end date: 04:32:10 UTC Jul 11 2017

Associated Trustpoints: Cisco_IOS_MIC_cert

 

Check the date. If it has ended, then configure NTP to be before that date and it will join.
The other workaround is:

config ap cert-expiry-ignore {mic|ssc} enable
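
An added example, not part of any post in this thread: a small Python parser that pulls the expired certificate's serial number and validity end out of AP console lines like the ones quoted above, so you can see which certificate the clock has to stay behind. The function name `expired_peer_certs` and the `log_year` parameter are assumptions of this example (the console timestamps carry no year), and tying each failure to the preceding DTLS request's peer is a heuristic.

```python
import re
from datetime import datetime

# Sample input: AP console lines as quoted in the first post of this thread.
SAMPLE_LOG = """\
*Mar 19 03:35:22.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.105 peer_port: 5246
*Mar 19 03:35:36.011: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 4C977E00000008D0D0) has expired. Validity period ended on 01:01:55 UTC Mar 16 2022Peer certificate verification failed 001A
*Mar 19 03:35:36.011: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.100.105:5246
*Mar 19 03:39:03.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.105 peer_port: 5246
*Mar 19 03:39:03.009: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 4C977E00000008D0D0) has expired. Validity period ended on 01:01:55 UTC Mar 16 2022Peer certificate verification failed 001A
"""

REQ_RE = re.compile(r"%CAPWAP-5-DTLSREQSEND:.*peer_ip: (?P<ip>[\d.]+)")
# The year is followed directly by "Peer ..." in the console output,
# so the expiry date is matched up to exactly four year digits.
EXP_RE = re.compile(
    r"^\*(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d)\.\d+: "
    r"%PKI-3-CERTIFICATE_INVALID_EXPIRED:.*\(SN: (?P<sn>[0-9A-F]+)\)"
    r".*ended on (?P<end>\d\d:\d\d:\d\d UTC \w{3} +\d+ \d{4})"
)

def expired_peer_certs(log_text, log_year):
    """Summarise expired-certificate join failures per serial number.

    log_year is supplied by the caller (assumption): it is the year the
    AP clock was showing when the log was captured.
    """
    found, last_peer = {}, None
    for line in log_text.splitlines():
        req = REQ_RE.search(line)
        if req:
            last_peer = req.group("ip")  # controller the AP is trying to join
            continue
        m = EXP_RE.search(line)
        if not m:
            continue
        seen = datetime.strptime(f"{log_year} {m['stamp']}", "%Y %b %d %H:%M:%S")
        end = datetime.strptime(m["end"], "%H:%M:%S UTC %b %d %Y")
        rec = found.setdefault(
            m["sn"], {"not_after": end, "peer": last_peer, "failures": 0})
        rec["failures"] += 1
        # Whole days between certificate expiry and the AP clock at failure.
        rec["days_past_expiry"] = (seen - end).days
    return found

if __name__ == "__main__":
    for sn, rec in expired_peer_certs(SAMPLE_LOG, 2022).items():
        print(sn, rec)
```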

 

Hi MHM

I played with the time to be 2 weeks back, but the wireless IP phone (7921) is no longer able to register to CUCM 11.5 SU10 :((( because the AP radio keeps going up and down while the AP is joined to the WLC.

 

Thanks

Did you try cert ignore?


@Ibrahim Jamil wrote:

Product Version.................................. 8.5.110.0


Upgrade the firmware.  

Hello Leo, my friend

Shall I go with the below version?

AIR-CTVM-K9-8-10-171-0.aes

 

thanks


@Ibrahim Jamil wrote:

Shall I go with the below version? AIR-CTVM-K9-8-10-171-0.aes


No because the last train to support 3500 is 8.5.X.X.  

Rich R

And make sure you have read and carefully followed all the steps in https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html

Refer to https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html for latest build of AireOS you should be using subject to support for all your APs.

https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html#ctr-ap_support

 

Thanks rrudling
