An other AP not joining vWLC

Hi,

I have a hard time getting an AP to connect to a vWLC. I get a certificate error on the AP; it doesn't trust the vWLC's self-signed certificate.

I know about the requirement for the AP to have 7.3 code on it before connecting to a vWLC. This AP was connected to another demo-license vWLC before, 4 months ago. But now, when I did a reinstall of the vWLC, my AP doesn't connect.

I have done recovery on the AP with all 15.2.2 images for the AP (3502I):

ap3g1-rcvk9w8-tar.152-2.JA.tar

ap3g1-rcvk9w8-tar.152-2.JA1.tar

ap3g1-rcvk9w8-tar.152-2.JB.tar

I have tried to reinstall and change the version of the vWLC (and tried the different images):

AIR-CTVM-7-3-112-0.ova

AIR-CTVM-7-3-101-0.ova

I do see that the right code is on the AP, for example:

cisco AIR-CAP3502I-E-K9    (PowerPC460exr) processor (revision A0) with 81910K/49152K bytes of memory.

Processor board ID FCZ1544W0N1

PowerPC460exr CPU at 666Mhz, revision number 0x18A8

Last reset from power-on

LWAPP image version 7.3.1.73

1 Gigabit Ethernet interface

I have checked the time on the vWLC vs the AP for mismatch but they are spot on.

Still I only get this on the AP:

*Jun  5 23:43:09.012: %CAPWAP-3-ERRORLOG: Certificate verification failed!

*Jun  5 23:43:09.012: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:447 Certificate verified failed!

*Jun  5 23:43:09.012: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.50.227:5246

*Jun  5 23:43:09.012: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.50.227:5246

*Jun  5 23:43:09.012: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

*Jun  5 23:44:14.003: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Jun  5 23:43:09.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.50.227 peer_port: 5246

*Jun  5 23:43:09.009: %CAPWAP-3-ERRORLOG: Failed to authorize controller using trust config.

*Jun  5 23:43:09.009: %CAPWAP-1-SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed.Peer certificate verification failed FFFFFFFF

A good tip on how to get this working would be nice.

Can I clear the AP from rommon in some way?

Cheers

10 Replies

Scott Fella
Hall of Fame

Try to disable the hash

config certificate ssc hash validation disable

http://www.cisco.com/en/US/products/ps12723/products_tech_note09186a0080bd2d04.shtml#hash

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Disabled hash validation on the WLC but it did not work.

And I tried, from rommon, the 'sscoff' but couldn't see any results. Do you know what that command does?

In the link you sent there were commands to clear the capwap settings on the AP:

'test capwap erase'

'test capwap restart'

After these commands I got another error in the AP log:

PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID

When I look at the WLC I see that the self-signed certificate is valid from today, 6/6?

I configured the NTP server during setup yesterday so I don't understand how the date could be a problem/be wrong on the SSC. I checked time and date on both AP and vWLC but I didn't check the start date on the certificate...

The AP is on UTC and the WLC on GMT+1 so I'll have to wait 2 hours to see if that was the problem :-)

(tried to set the clock on the AP but it keeps changing back?)

(Cisco Controller) >show certificate ssc

SSC Hash validation.............................. Disabled.

SSC Device Certificate details:

         Subject Name :

                 C=US, ST=California, L=San Jose, O=Cisco Virtual Wireless LAN Controller,

                 CN=DEVICE-vWLC-AIR-CTVM-K9-000C29E255EE, MAILTO=support@vwlc.com

         Validity :

                 Start : 2013 Jun  6th, 22:49:27 GMT

                 End   : 2023 Apr 15th, 22:49:27 GMT

         Hash key : 2d56a1c88e549e8ce66b67770aff8539c4f85cd2

(Cisco Controller) >show time

Time............................................. Thu Jun  6 22:22:41 2013

Timezone delta................................... 0:0

Timezone location................................ (GMT +1:00) Amsterdam, Berlin, Rome, Vienna

NTP Servers

    NTP Polling Interval.........................     84000

     Index     NTP Key Index     NTP Server      NTP Msg Auth Status

    -------  ---------------------------------------------------------------

       1              0       193.11.166.36       AUTH DISABLED

Cheers
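As an added illustration (not code from this thread or from Cisco), the following Python check parses the validity window from the `show certificate ssc` output quoted above and compares it with a clock expressed in UTC, which is exactly the mismatch behind PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID here. The GMT+1 offset used for the WLC's `show time` value is an assumption taken from the "Timezone location" line.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the validity lines as printed by 'show certificate ssc' in the thread
SSC_OUTPUT = """\
SSC Device Certificate details:
         Validity :
                 Start : 2013 Jun  6th, 22:49:27 GMT
                 End   : 2023 Apr 15th, 22:49:27 GMT
"""

# Matches "Start : 2013 Jun  6th, 22:49:27 GMT" (ordinal suffix and double spaces tolerated)
_VALIDITY_RE = re.compile(
    r"^\s*(Start|End)\s*:\s*(\d{4})\s+([A-Za-z]{3})\s+(\d{1,2})(?:st|nd|rd|th)?,\s+"
    r"(\d{2}):(\d{2}):(\d{2})\s+GMT\s*$", re.M)

def parse_ssc_validity(output: str):
    """Return (not_before, not_after) of the SSC as timezone-aware UTC datetimes."""
    found = {}
    for m in _VALIDITY_RE.finditer(output):
        label, year, mon, day, hh, mm, ss = m.groups()
        dt = datetime.strptime(f"{year} {mon} {day} {hh}:{mm}:{ss}", "%Y %b %d %H:%M:%S")
        found[label] = dt.replace(tzinfo=timezone.utc)
    if set(found) != {"Start", "End"}:
        raise ValueError("validity window not found in output")
    return found["Start"], found["End"]

def wlc_local_to_utc(local_time: datetime, utc_offset_hours: int) -> datetime:
    """Convert a naive 'show time' value shown in the WLC's configured zone to UTC."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    return local_time.replace(tzinfo=zone).astimezone(timezone.utc)

def check_window(clock_utc: datetime, not_before: datetime, not_after: datetime):
    """Classify a UTC clock against the certificate window.
    Returns (status, seconds_until_valid); seconds is 0 unless status is 'not_yet_valid'."""
    if clock_utc < not_before:
        return "not_yet_valid", int((not_before - clock_utc).total_seconds())
    if clock_utc > not_after:
        return "expired", 0
    return "valid", 0

if __name__ == "__main__":
    nb, na = parse_ssc_validity(SSC_OUTPUT)
    # 'show time' on the WLC read Thu Jun  6 22:22:41 2013 in a GMT+1 zone (assumed offset)
    clock = wlc_local_to_utc(datetime(2013, 6, 6, 22, 22, 41), 1)
    print(check_window(clock, nb, na))   # the AP (on UTC) still sees the SSC as not yet valid
```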

Post the output to the following commands:

1.  WLC:  sh sysinfo

2.  WLC:  sh time

3.  AP:  sh version

4.  AP:  sh inventory

My AP did join the WLC after 2 hours so problem solved.

But why did the SSC get the wrong date and why did that log message not show up until I did

'test capwap erase' ?  I'll think about that next time.

Cheers

No clue... I have had APs join after a few hours also and also had APs take like 2 hours to download images. It's rare, but it does happen :)

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Hi,

From the AP's CLI try clear capwap private-config

and reboot the AP

Worked for me.

Source: http://www.madari.co.il/2015/01/problem-capwap-1-ssccertauthfailed.html

clear capwap private-config

and reboot the AP

Also worked for me.

I was having the exact same issue with my 3502i LAP, and this command worked like a charm. Thanks for the post. :P

Resolved the issue w/ 1242AG. Thanks for the solution!

osantana
Level 1

I have 1142 APs on a 2504 controller running software 7.0.252 with a DTLS certificate license. Afterwards I registered them on an identical controller but with version 7.6.110 with a DTLS certificate license, then I registered them on a virtual controller vWLC version 8.0.110, also with DTLS certificates, and finally I moved them to a vWLC 8.0.152 controller where originally they would not register. I added the license that is downloaded from Cisco by registering the UID of the vWLC and installing the .lic license file for DTLS, and additionally I erased the configuration of the APs (clear capwap private-config) before registering them on the last controller (or alternatively by deleting the configuration via the GUI on the controller where they were last registered, version 8.0.110). It was a real ordeal, but in the end I managed it.

Another important detail is that from the beginning of the registration on the 2504 controller they must be put into FLEXCONNECT mode, since the vWLC does not support LOCAL mode.

I hope this info helps someone so they can get on with their WiFi network.

email: hugosantana7r@gmail.com

Regards
