
AIR-OEAP602I not registering with virtual wireless controller

indevcoIT
Level 1

Dears,

I was trying to connect the 602 Office Extend AP to a virtual wireless controller (ver 7.6.100) with no luck.

This is the event log on the access point:

 

Nov 11 14:06:33.814: Build version 7.0.112.72 (compiled Feb  3 2012 at 01:56:39, [L]).
*Nov 11 14:06:37.491: CAPWAP State: Init.
*Nov 11 14:06:37.493: CAPWAP State: Discovery.
*Nov 11 14:06:37.519: Starting Discovery.
*Nov 11 14:06:37.520: CAPWAP State: Discovery.
*Nov 11 14:06:37.615: Discovery Request sent to 10.60.8.250 with discovery type set to 0
*Nov 11 14:06:37.616: Discovery Response from 10.60.8.250
*Nov 11 14:06:37.617: Dot11 binding decode: Discovery Response
*Nov 11 14:06:47.459: Selected MWAR 'LB-ZK-vWLC' (index 0).
*Nov 11 14:06:47.459: Ap mgr count=1
*Nov 11 14:06:47.459: Go join a capwap controller
*Nov 11 14:06:47.459: Choosing AP Mgr with index 0, IP = 10.60.8.250, load = 32..
*Nov 11 14:06:47.459: Synchronizing time with AC time.
*Nov 11 14:06:48.000: CAPWAP State: DTLS Setup.
*Nov 11 14:06:48.037: Certificate verification failed!
*Nov 11 14:06:48.037: Received packet caused DTLS to close connection
*Nov 11 14:07:47.998: Wait DTLS timer has expired
*Nov 11 14:07:47.998: Dtls session establishment failed
*Nov 11 14:07:47.999: CAPWAP State: DTLS Teardown.
*Nov 11 14:07:52.998: DTLS session cleanup completed. Restarting capwap state machine.
*Nov 11 14:07:52.998: Previous CAPWAP state was DTLS Setup,numOfCapwapDiscoveryResp = 1.
*Nov 11 14:07:52.999:
Lost connection to the controller, going to re-start evora...

 

Any idea what may be the problem?
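Added example, not part of the original post: a small Python parser that walks an AP event log of the kind shown above and reports each join failure together with the CAPWAP state and controller name that were active when it occurred. The sample log is constructed from the lines in the post; the function names and the list of failure strings are assumptions chosen for illustration.

```python
import re

# Constructed sample, modelled on the AP event log quoted in the post above.
SAMPLE_LOG = """\
*Nov 11 14:06:37.491: CAPWAP State: Init.
*Nov 11 14:06:37.493: CAPWAP State: Discovery.
*Nov 11 14:06:37.616: Discovery Response from 10.60.8.250
*Nov 11 14:06:47.459: Selected MWAR 'LB-ZK-vWLC' (index 0).
*Nov 11 14:06:48.000: CAPWAP State: DTLS Setup.
*Nov 11 14:06:48.037: Certificate verification failed!
*Nov 11 14:06:48.037: Received packet caused DTLS to close connection
*Nov 11 14:07:47.998: Dtls session establishment failed
*Nov 11 14:07:47.999: CAPWAP State: DTLS Teardown.
"""

LINE = re.compile(r"^\*?(\w{3} +\d+ [\d:.]+): (.*)$")  # "*Nov 11 14:06:48.037: <message>"
STATE = re.compile(r"CAPWAP State: (.+?)\.$")           # state machine transitions
MWAR = re.compile(r"Selected MWAR '([^']+)'")           # controller the AP chose to join
# Failure messages taken from the log in the post (assumed list, not exhaustive).
FAILURES = (
    "Certificate verification failed",
    "Wait DTLS timer has expired",
    "Dtls session establishment failed",
)


def find_join_failures(log_text):
    """Return every failure line with the CAPWAP state and controller active at that time."""
    state, controller, findings = None, None, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines and blanks carry no timestamp
        ts, msg = m.groups()
        if (s := STATE.search(msg)):
            state = s.group(1)
        elif (c := MWAR.search(msg)):
            controller = c.group(1)
        elif msg.startswith(FAILURES):
            findings.append({"time": ts, "state": state,
                             "controller": controller, "error": msg})
    return findings


if __name__ == "__main__":
    for f in find_join_failures(SAMPLE_LOG):
        print(f"{f['time']}  [{f['state']}] {f['controller']}: {f['error']}")
```

The first finding is the one to act on: here the certificate check fails during DTLS Setup, and the later session-establishment failure is only its consequence.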


Dhiresh Yadav
Cisco Employee

Hi,

 

*Nov 11 14:06:48.037: Certificate verification failed!

What is the time on the controller? Go to Commands > Set Time to set the correct time. It should not be outside the validity interval of the certificate. By the way, if possible go to 7.6.130.0, as 7.6.100.0 has many issues.

Regards

Dhiresh

**Please rate helpful posts**

The controller time is the current time now, and the DTLS certificate I installed 2 days ago from the Cisco website, but I could not find the virtual controller in the drop-down list, so I installed the one for the 2500 series.

Do I need to install another certificate? If yes, what are the steps?

Thank you for your assistance.

Hello,

 

The issue with the OEAP 600 and Virtual WLC is a software (firmware) related process.

First, which software version does your OEAP 600 have? Is it the factory-default version? Most have 7.0 from Cisco.

Depending on your vWLC software version: for 7.5 and above (I can see you have 7.6.100), you first need to join the OEAP to a physical WLC (2500, 5500, 7500, WISM2, etc.) with at least software version 7.5. Those WLCs use MIC certificates and can join the OEAP without any problem. The vWLC uses SSC certificates to do this.

Once the OEAP has been registered to the physical WLC and upgraded to 7.5 (or later) software, you can try to join it to the vWLC.

The previous step about accurate time on the controller is important, because this is a certificate-related process.

Try and tell me if you have any problem.

Regards.

 

Thomas Harlow
Level 1

Did you ever find a solution to this problem? I have the exact same thing going on. My OEAP602s won't join to my vWLC. I get the same "Certificate verification failed!" error.

I'm running 8.3.102.0 code on the vWLC now but I've tried everything from 7.4 to 8.0 to 8.1 to 8.2. I've also attached the 602 to our physical 5508 and then pointed it back to our vWLC. I've disabled the ssc hash check. And I've disabled the certificate expiration check (both ssc and mic). All with no luck. I do have a TAC case open but we seem to be hitting a wall with them too.

So if you have any insight it would be much appreciated.

I also have the exact same problem. My OEAP602 won't join my vWLC.

Also the same error "Certificate verification failed".

I am running 8.3.102.0 on vWLC too but tried 8.0\8.1\8.2. All have the same problem.

I also tried to connect OEAP to my physical 2504(8.3.102.0) and then connect it back to vWLC. I disabled the ssc hash check.

No luck at all.

Did you check time on vWLC? Are you using NTP?

Once you have the OEAP registered on a physical WLC you must be able to register it on a vWLC.

Yes. I checked the time on the vWLC and I made sure that the time and timezone are correct. Also, I am using NTP.

Can you advise some debug command on vWLC so that I can provide more information?

We are using NTP as well and our time and timezone is correct. I'm working with Cisco TAC and the engineer I was working with couldn't find a reason why this wouldn't work. We really tried everything. He escalated it and it's now sitting with the developers. They were able to recreate the issue, so that's a positive. And they have now created a bug, CSCva80355 (my first Cisco bug). Hopefully they will have some news and (or) a workaround sooner rather than later. I will keep you posted on what they find.

Finally this is fixed. I heard back from TAC (who had been working with the devs) and they had a solution. Here is the email I received from TAC:

"So the development team wanted to know if you could load a new OVA image 8.0 for your vWLC and CTVM of 8.2? 

 

There was an openssl upgrade and the OEAP600 only uses the old one.  So with the OVA 8.0 image and CTVM 8.2 it should resolve the issue.

 

Make sure to save your config just in case.

 

The process is:

Download OVA 8.0.135.0 from cisco.com

load it

Download AES 8.2.121.0 (which you already have)

load it

Then test a 600 and see if that works."

Yes this means deploying your vWLC again, which isn't ideal...but it works.

A couple of caveats: after I did this it didn't work right away. I received an error on the SOHO that said "Failed to delete database entry." This message was a different one than I was getting before. A quick look on the Cisco forums and I saw other people had run into this too. The solution was to deactivate and reactivate the evaluation license I had on the vWLC. This was installed while I upgraded the controller. After I did that, the access point joined. I imagine just installing your actual license would work as well.

I hope this helps.

One last thing. You will need to manually add the data encryption feature for the tunnels to come up. This is basically an RTU (right to use) license after 8.0. To do this, jump into the CLI and run the command:

license add feature data_encryption

The tunnels should come up and you should be set.

Thank you very much!

Verified and your solution can work for me!
