AIR-CAP3602I not joining WLC2504

ralfzlm
Level 1

Hi there, 

I am trying to join a few WAPs to a 2504 WLC, and one of the first I tried is just not working. The AP model is 3602I, and the WLC is a 2504 running 8.0.115.0. I won't be able to upgrade the firmware, as I also have some LAP1131 and LAP1142 units that need to join the same WLC.

From the logs on both sides I can tell there is something wrong with a certificate, but I just can't figure out whether it is the AP's or the WLC's certificate that is in question. Attaching logs below.

Appreciate any help. Thanks.

-------------------

Logs from the WLC:

*spamApTask4: Aug 18 12:50:58.709: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:823 Failed to complete DTLS handshake with peer 172.16.44.247

*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 Buffer length 133, alloc_len 137
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 record=Handshake epoch=0 seq=4
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 con->rx_seq_valid 255 con->rx_epoch 0 epoch 0
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 con rx_seq_valid 255 rx_seq 3 rx_epoch 0
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46   msg=Certificate len=1146 seq=2 frag_off=1038 frag_len=108
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 Rcvd Certificate in connStatus 0
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 Received unknown(11) in connStatus 0. processing...
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 Certificate can be processed
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 local_openssl_dtls_handshake_replay_detection:
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46   msg_seq:2,msg_len:1146,frag_len:108,frag_off: 1038
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 Allow: Certificate in status 0
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 Received Certificate in connStatus 0.
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 record length 120
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 Calling BIO_write! 0x1846cfd8, buflen 133

*spamApTask4: Aug 18 12:18:16.522: cc:ed:4d:b8:b0:46 Certificate verification - failed!
*spamApTask4: Aug 18 12:18:16.524: cc:ed:4d:b8:b0:46 SSL_do_handshake: SSL_ERROR_SSL while communicating with 172.16.44.247 : no certificate returned
*spamApTask4: Aug 18 12:18:16.524: cc:ed:4d:b8:b0:46  Requested by openssl_dtls_process_packet
*spamApTask4: Aug 18 12:18:16.524: dtls_conn_hash_delete: Deleting hash for Local 172.16.41.21:5246  Peer 172.16.44.247:57581

--------------------------------------

Log from the AP:

*Aug 18 05:01:24.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.41.21 peer_port: 5246
*Aug 18 05:01:24.363: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 172.16.41.21
*Aug 18 05:01:24.363: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.41.21:5246
*Aug 18 05:02:47.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.41.21 peer_port: 5246
*Aug 18 05:02:47.371: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 172.16.41.21
*Aug 18 05:02:47.371: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.41.21:5246
*Aug 18 05:03:52.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.41.21 peer_port: 5246
*Aug 18 05:03:52.371: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 172.16.41.21
*Aug 18 05:03:52.371: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.41.21:5246

ralfzlm
Level 1

Just found out it is indeed the AP cert that has expired. But the command "config ap cert-expiry-ignore mic enable" is not available on the 2504 WLC. I ended up changing the date of the WLC to before the AP cert's expiry date.

Now I can see the AP associated on the 2504 WLC, and it is downloading an image at the moment.

Does anyone know a permanent fix for an expired AP cert associating with a 2504?

 

Although you can't go for 8.1 or later (I think; I haven't checked the compatibility list), you can still upgrade to the latest 8.0.x release, which I suggest to you. As per Leo's link, there is a workaround included in 8.0.120.0 and later.
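The two log excerpts above show the same failure from both ends: the WLC rejects the AP's certificate during the DTLS handshake ("Certificate verification - failed!" followed by SSL_ERROR_SSL), and the AP sees a fatal "Certificate unknown" alert from the controller. The accepted answer explains why: the AP's manufacturer-installed certificate (MIC) has expired, and the controller checks the certificate's validity window against its own clock, which is why setting the WLC date back before the expiry date lets the AP join. The following Python script is an added example written for this thread, not code from the original posts or from Cisco; it scans WLC and AP log lines (the sample input is copied from the excerpts quoted above) for that signature and reports which AP and controller were involved, and then models the clock check with a constructed, hypothetical validity window so the workaround's effect can be seen directly.

```python
"""Triage helper for the CAPWAP/DTLS join failure discussed in this thread.

Part 1 scans WLC and AP syslog lines for a DTLS handshake that fails at
certificate verification and reports the AP MAC, AP IP and controller IP.
Part 2 models the validity-window check the controller applies to the AP's
MIC, which is what the clock-rollback workaround in the accepted answer
manipulates.
"""
import re
from datetime import datetime, timezone

# Sample input copied from the log excerpts quoted earlier in this thread.
WLC_LOG = """\
*spamApTask4: Aug 18 12:50:58.709: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:823 Failed to complete DTLS handshake with peer 172.16.44.247
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 Rcvd Certificate in connStatus 0
*spamApTask4: Aug 18 12:18:16.522: cc:ed:4d:b8:b0:46 Certificate verification - failed!
*spamApTask4: Aug 18 12:18:16.524: cc:ed:4d:b8:b0:46 SSL_do_handshake: SSL_ERROR_SSL while communicating with 172.16.44.247 : no certificate returned
*spamApTask4: Aug 18 12:18:16.524: dtls_conn_hash_delete: Deleting hash for Local 172.16.41.21:5246  Peer 172.16.44.247:57581
"""
AP_LOG = """\
*Aug 18 05:01:24.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.41.21 peer_port: 5246
*Aug 18 05:01:24.363: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 172.16.41.21
*Aug 18 05:01:24.363: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.41.21:5246
*Aug 18 05:02:47.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.41.21 peer_port: 5246
*Aug 18 05:02:47.371: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 172.16.41.21
"""

MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# WLC side: the AP's certificate failed verification, then the SSL error names the AP's IP.
WLC_CERT_FAIL = re.compile(MAC + r" Certificate verification - failed!")
WLC_SSL_ERR = re.compile(MAC + r" SSL_do_handshake: SSL_ERROR_SSL while communicating with " + IP)
WLC_HANDSHAKE = re.compile(r"#DTLS-3-HANDSHAKE_FAILURE: .*peer " + IP)
# AP side: the controller answered the handshake with a fatal "Certificate unknown" alert.
AP_CERT_ALERT = re.compile(r"%DTLS-5-ALERT: Received FATAL : Certificate unknown alert from " + IP)


def triage_wlc_log(text):
    """Return {ap_mac: {'cert_failed': bool, 'ap_ip': str|None}} plus the set of peers
    for which the WLC logged an overall handshake failure."""
    aps, failed_peers = {}, set()
    for line in text.splitlines():
        m = WLC_CERT_FAIL.search(line)
        if m:
            aps.setdefault(m["mac"], {"cert_failed": False, "ap_ip": None})["cert_failed"] = True
        m = WLC_SSL_ERR.search(line)
        if m:
            aps.setdefault(m["mac"], {"cert_failed": False, "ap_ip": None})["ap_ip"] = m["ip"]
        m = WLC_HANDSHAKE.search(line)
        if m:
            failed_peers.add(m["ip"])
    return aps, failed_peers


def triage_ap_log(text):
    """Return (number of fatal 'Certificate unknown' alerts, set of controller IPs that sent them)."""
    count, controllers = 0, set()
    for line in text.splitlines():
        m = AP_CERT_ALERT.search(line)
        if m:
            count += 1
            controllers.add(m["ip"])
    return count, controllers


def mic_accepted(not_before, not_after, controller_clock):
    """The controller accepts the AP's MIC only while its own clock lies inside
    the certificate's validity window. Rolling the WLC date back before
    not_after (the accepted answer's workaround) makes this return True again."""
    return not_before <= controller_clock <= not_after


# Hypothetical validity window (constructed for this example; a real MIC's dates
# are read from the certificate on the AP itself).
MIC_NOT_BEFORE = datetime(2012, 1, 1, tzinfo=timezone.utc)
MIC_NOT_AFTER = datetime(2022, 1, 1, tzinfo=timezone.utc)


def summarize(wlc_text, ap_text, controller_clock):
    """Combine both logs and the clock check into one finding."""
    aps, failed_peers = triage_wlc_log(wlc_text)
    alerts, controllers = triage_ap_log(ap_text)
    cert_failed_macs = sorted(mac for mac, info in aps.items() if info["cert_failed"])
    return {
        "cert_failed_macs": cert_failed_macs,
        "failed_peers": sorted(failed_peers),
        "ap_alerts": alerts,
        "controllers": sorted(controllers),
        "mic_accepted_now": mic_accepted(MIC_NOT_BEFORE, MIC_NOT_AFTER, controller_clock),
    }


if __name__ == "__main__":
    now = datetime(2023, 8, 18, 12, 18, tzinfo=timezone.utc)  # constructed controller time
    for k, v in summarize(WLC_LOG, AP_LOG, now).items():
        print(f"{k}: {v}")
```

Run as-is, the script flags cc:ed:4d:b8:b0:46 (172.16.44.247) as the AP whose certificate failed verification, 172.16.41.21 as the controller that sent the alerts, and reports the MIC as not accepted with the constructed 2023 controller clock; feeding it a clock earlier than the constructed expiry date flips the last field, which is exactly the effect of the date change in the accepted answer.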