08-17-2022 10:07 PM
Hi there,
I am trying to join a few WAPs to a 2504WLC, and one of the first I tried is just not working. AP model is 3602I, WLC is 2504 running on 8.0.115.0. I won't be able to upgrade the firmware as I also have some LAP1131 and LAP1142 that need to join the same WLC.
From the logs on both sides I can tell there is something wrong with a certificate, but I just can't figure out whether it is the AP's or the WLC's certificate that is in question. Attaching logs below.
Appreciate any help. Thanks.
-------------------
Logs from the WLC:
*spamApTask4: Aug 18 12:50:58.709: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:823 Failed to complete DTLS handshake with peer 172.16.44.247
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 Buffer length 133, alloc_len 137
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 record=Handshake epoch=0 seq=4
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 con->rx_seq_valid 255 con->rx_epoch 0 epoch 0
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 con rx_seq_valid 255 rx_seq 3 rx_epoch 0
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 msg=Certificate len=1146 seq=2 frag_off=1038 frag_len=108
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 Rcvd Certificate in connStatus 0
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 Received unknown(11) in connStatus 0. processing...
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 Certificate can be processed
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 local_openssl_dtls_handshake_replay_detection:
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 msg_seq:2,msg_len:1146,frag_len:108,frag_off: 1038
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 Allow: Certificate in status 0
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 Received Certificate in connStatus 0.
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 record length 120
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 Calling BIO_write! 0x1846cfd8, buflen 133
*spamApTask4: Aug 18 12:18:16.522: cc:ed:4d:b8:b0:46 Certificate verification - failed!
*spamApTask4: Aug 18 12:18:16.524: cc:ed:4d:b8:b0:46 SSL_do_handshake: SSL_ERROR_SSL while communicating with 172.16.44.247 : no certificate returned
*spamApTask4: Aug 18 12:18:16.524: cc:ed:4d:b8:b0:46 Requested by openssl_dtls_process_packet
*spamApTask4: Aug 18 12:18:16.524: dtls_conn_hash_delete: Deleting hash for Local 172.16.41.21:5246 Peer 172.16.44.247:57581
--------------------------------------
Log from the AP:
*Aug 18 05:01:24.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.41.21 peer_port: 5246
*Aug 18 05:01:24.363: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 172.16.41.21
*Aug 18 05:01:24.363: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.41.21:5246
*Aug 18 05:02:47.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.41.21 peer_port: 5246
*Aug 18 05:02:47.371: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 172.16.41.21
*Aug 18 05:02:47.371: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.41.21:5246
*Aug 18 05:03:52.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.41.21 peer_port: 5246
*Aug 18 05:03:52.371: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 172.16.41.21
*Aug 18 05:03:52.371: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.41.21:5246
08-17-2022 10:36 PM
08-17-2022 10:34 PM
Just found out it is indeed the AP cert that has expired. But this command "config ap cert-expiry-ignore mic enable" is not available on the 2504WLC. I ended up changing the date of the WLC to before the AP cert expiry date.
Now I can see the AP associated on the 2504WLC and downloading image at the moment.
Does anyone know a permanent fix for expired AP cert associating with 2504?
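Added example, not part of the original posts: a small triage script showing how the two logs above answer the "AP's or WLC's certificate?" question. The sample lines are excerpted from the logs in this thread; the function name and the rule for recognising other certificate alerts are assumptions.

```python
import re
from collections import Counter

# Lines excerpted from the WLC and AP logs posted in this thread.
WLC_LOG = """\
*spamApTask4: Aug 18 12:18:16.504: cc:ed:4d:b8:b0:46 Rcvd Certificate in connStatus 0
*spamApTask4: Aug 18 12:18:16.522: cc:ed:4d:b8:b0:46 Certificate verification - failed!
"""
AP_LOG = """\
*Aug 18 05:01:24.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.41.21 peer_port: 5246
*Aug 18 05:01:24.363: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 172.16.41.21
*Aug 18 05:02:47.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.41.21 peer_port: 5246
*Aug 18 05:02:47.371: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 172.16.41.21
"""

MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
WLC_VERIFY_FAIL = re.compile(MAC + r" Certificate verification - failed!")
AP_PEER = re.compile(r"DTLS connection request sent peer_ip: (\S+)")
AP_ALERT = re.compile(r"%DTLS-5-ALERT: Received FATAL : (.+?) alert from (\S+)")

def triage(wlc_log: str, ap_log: str) -> dict:
    """Decide whose certificate was rejected during the CAPWAP DTLS join."""
    # WLC side: the controller names the AP (by MAC) whose certificate it could not verify.
    failed_macs = sorted(set(WLC_VERIFY_FAIL.findall(wlc_log)))
    # AP side: controllers the AP tried to join, and fatal alerts it got back.
    controllers = set(AP_PEER.findall(ap_log))
    alerts = Counter(AP_ALERT.findall(ap_log))
    # A DTLS certificate alert is sent by the side that rejected the peer's
    # certificate, so one arriving from the controller concerns the AP's cert.
    # Assumption: other certificate alerts also contain the word "certificate".
    cert_alerts = {f"{name} from {ip}": n for (name, ip), n in alerts.items()
                   if "certificate" in name.lower() and ip in controllers}
    if failed_macs or cert_alerts:
        verdict = "WLC rejected the AP certificate"
    else:
        verdict = "no certificate rejection found"
    return {"verdict": verdict, "ap_macs": failed_macs, "alerts": cert_alerts}

if __name__ == "__main__":
    print(triage(WLC_LOG, AP_LOG))
```

Both logs agree: the WLC fails verification for the AP's MAC, and the AP receives the fatal certificate alert from the controller it was trying to join.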
08-18-2022 12:45 AM
Although you can't go for 8.1 or later (I think, haven't checked the compatibility list), you can still upgrade to the latest 8.0.x release which I suggest to you. As per Leo's link, there is a workaround included in 8.0.120.0 and later.