06-06-2013 06:05 AM - edited 07-04-2021 12:11 AM
Hi,
I have a hard time getting an AP to connect to a vWLC. I get a certificate error on the AP; it doesn't trust the vWLC's self-signed certificate.
I know about the requirement for the AP to have 7.3 code on it before connecting to a vWLC. This AP was connected to another demo-license vWLC before, 4 months ago. But now, when I did a reinstall of the vWLC, my AP doesn't connect.
I have done recovery on the AP with all 15.2.2 images for the AP (3502I):
ap3g1-rcvk9w8-tar.152-2.JA.tar
ap3g1-rcvk9w8-tar.152-2.JA1.tar
ap3g1-rcvk9w8-tar.152-2.JB.tar
I have tried to reinstall and change the version of the vWLC (and tried the different images):
AIR-CTVM-7-3-112-0.ova
AIR-CTVM-7-3-101-0.ova
I do see that the right code is on the AP, for example:
cisco AIR-CAP3502I-E-K9 (PowerPC460exr) processor (revision A0) with 81910K/49152K bytes of memory.
Processor board ID FCZ1544W0N1
PowerPC460exr CPU at 666Mhz, revision number 0x18A8
Last reset from power-on
LWAPP image version 7.3.1.73
1 Gigabit Ethernet interface
I have checked the time on the vWLC vs the AP for a mismatch but they are spot on.
Still only get this on the AP:
*Jun 5 23:43:09.012: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Jun 5 23:43:09.012: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:447 Certificate verified failed!
*Jun 5 23:43:09.012: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.50.227:5246
*Jun 5 23:43:09.012: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.50.227:5246
*Jun 5 23:43:09.012: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
*Jun 5 23:44:14.003: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jun 5 23:43:09.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.50.227 peer_port: 5246
*Jun 5 23:43:09.009: %CAPWAP-3-ERRORLOG: Failed to authorize controller using trust config.
*Jun 5 23:43:09.009: %CAPWAP-1-SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed.Peer certificate verification failed FFFFFFFF
A good tip on how to get this working would be nice.
Can I clear the AP from rommon in some way?
Cheers
06-06-2013 06:15 AM
Try to disable the hash:
config certificate ssc hash validation disable
http://www.cisco.com/en/US/products/ps12723/products_tech_note09186a0080bd2d04.shtml#hash
Sent from Cisco Technical Support iPhone App
06-06-2013 02:00 PM
Disabled hash validation on the WLC but it did not work.
And I tried, from rommon, the 'sscoff' but couldn't see any results. Do you know what that command does?
In the link you sent there were commands to clear the capwap settings on the AP:
'test capwap erase'
'test capwap restart'
After these commands I got another error in the AP log:
PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID
When I look at the WLC I see that the self-signed certificate is valid from today, 6/6?
I configured the NTP server during setup yesterday so I don't understand how the date could be a problem/be wrong on the SSC? I checked time and date on both AP and vWLC but I didn't check the start date on the certificate...
The AP is on UTC and the WLC on GMT+1 so I'll have to wait 2 hours to see if that was the problem :-)
(tried to set the clock on the AP but it keeps changing back?)
(Cisco Controller) >show certificate ssc
SSC Hash validation.............................. Disabled.
SSC Device Certificate details:
Subject Name :
C=US, ST=California, L=San Jose, O=Cisco Virtual Wireless LAN Controller,
CN=DEVICE-vWLC-AIR-CTVM-K9-000C29E255EE, MAILTO=support@vwlc.com
Validity :
Start : 2013 Jun 6th, 22:49:27 GMT
End : 2023 Apr 15th, 22:49:27 GMT
Hash key : 2d56a1c88e549e8ce66b67770aff8539c4f85cd2
(Cisco Controller) >show time
Time............................................. Thu Jun 6 22:22:41 2013
Timezone delta................................... 0:0
Timezone location................................ (GMT +1:00) Amsterdam, Berlin, Rome, Vienna
NTP Servers
NTP Polling Interval......................... 84000
Index NTP Key Index NTP Server NTP Msg Auth Status
------- ---------------------------------------------------------------
1 0 193.11.166.36 AUTH DISABLED
Cheers
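As an added illustration of the check that failed in the post above (this is not code from the thread or from Cisco): parse the controller's `show certificate ssc` and `show time` output, convert the controller's local clock to UTC, and replay the AP's not-yet-valid/expired decision. The sample strings are constructed from the output quoted here, and the AP's UTC clock is assumed to equal the controller's clock expressed in UTC.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample input, trimmed from the vWLC output quoted in this thread.
SHOW_CERT_SSC = """\
Validity :
Start : 2013 Jun 6th, 22:49:27 GMT
End : 2023 Apr 15th, 22:49:27 GMT
"""
SHOW_TIME = """\
Time............................................. Thu Jun 6 22:22:41 2013
Timezone location................................ (GMT +1:00) Amsterdam, Berlin, Rome, Vienna
"""
_STAMP = re.compile(r"(\d{4}) ([A-Za-z]{3}) (\d{1,2})(?:st|nd|rd|th), (\d\d:\d\d:\d\d) GMT")

def parse_ssc_validity(text):
    """Return (not_before, not_after) from 'show certificate ssc' as aware UTC datetimes."""
    found = {}
    for line in text.splitlines():
        m = _STAMP.search(line)
        if m:
            y, mon, d, clock = m.groups()
            stamp = datetime.strptime(f"{y} {mon} {d} {clock}", "%Y %b %d %H:%M:%S")
            found[line.split(":")[0].strip()] = stamp.replace(tzinfo=timezone.utc)
    return found["Start"], found["End"]

def wlc_time_to_utc(text):
    """Convert the controller's local clock in 'show time' to UTC using its GMT offset."""
    local = re.search(r"^Time\.+\s*(.+?)\s*$", text, re.M).group(1)
    sign, hh, mm = re.search(r"\(GMT ([+-])(\d+):(\d+)\)", text).groups()
    offset = timedelta(hours=int(hh), minutes=int(mm))
    naive = datetime.strptime(local, "%a %b %d %H:%M:%S %Y")
    return (naive - offset if sign == "+" else naive + offset).replace(tzinfo=timezone.utc)

def capwap_cert_check(ap_utc, not_before, not_after):
    """The AP compares the SSC validity window against its own UTC clock."""
    if ap_utc < not_before:
        return "NOT_YET_VALID", int((not_before - ap_utc).total_seconds())
    if ap_utc > not_after:
        return "EXPIRED", 0
    return "VALID", 0

def demo():
    """Replay the thread; assumes the AP's UTC clock equals the WLC's clock in UTC."""
    not_before, not_after = parse_ssc_validity(SHOW_CERT_SSC)
    ap_utc = wlc_time_to_utc(SHOW_TIME)
    return {
        "ap_utc": ap_utc.isoformat(),
        "not_before": not_before.isoformat(),
        "now": capwap_cert_check(ap_utc, not_before, not_after),
        "in_two_hours": capwap_cert_check(ap_utc + timedelta(hours=2), not_before, not_after),
    }
```

The seconds returned with NOT_YET_VALID is how long the AP will keep logging PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID before the join can succeed.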
06-06-2013 03:20 PM
Post the output to the following commands:
1. WLC: sh sysinfo
2. WLC: sh time
3. AP: sh version
4. AP: sh inventory
06-07-2013 01:14 AM
My AP did join the WLC after 2 hours so problem solved.
But why did the SSC get the wrong date and why did that log message not show up until I did
'test capwap erase' ? I'll think about that next time.
Cheers
06-07-2013 05:05 AM
No clue... I have had APs join after a few hours also and also had APs take like 2 hours to download images. It's rare, but it does happen :)
Sent from Cisco Technical Support iPhone App
02-19-2015 07:04 AM
Hi,
From the AP's CLI try clear capwap private-config
and reboot the AP.
It worked for me.
Source: http://www.madari.co.il/2015/01/problem-capwap-1-ssccertauthfailed.html
07-19-2015 05:46 AM
clear capwap private-config
and reboot the AP
Also worked for me
10-25-2016 12:38 AM
I was having the exact same issue with my 3502i LAP, and this command worked like a charm. Thanks for the post. :P
05-28-2019 04:34 PM
Resolved the issue w/ 1242AG. Thanks for the solution!
04-03-2018 07:33 PM
I have 1142 APs on a 2504 controller running software 7.0.252 with a DTLS certificate license; then I registered them on an identical controller but with version 7.6.110 and a DTLS certificate license; then I registered them on a virtual controller, vWLC version 8.0.110, also with DTLS certificates; and finally I moved them to a vWLC 8.0.152 controller where originally they would not register, and I added the license that is downloaded from Cisco by registering the UID of the vWLC, and the .lic license file for DTLS is installed, and additionally I erased the APs' configuration (clear capwap private-config) before registering them on the last controller (or also by erasing the configuration via the GUI on the controller where they were last registered, version 8.0.110). It was a real ordeal, but in the end I managed it.
Another important point is that from the very start of registration on the 2504 controller they must be put in FLEXCONNECT mode, since the vWLC does not support LOCAL mode.
I hope this info helps someone so they can carry on with their WiFi network.
email: hugosantana7r@gmail.com
Regards