Re: AP AIR-LAP1141N can not join vWLC 8.3.140.0

Kazkommertsbank · ‎04-09-2019

Cisco AP AIR-LAP1141N can not join vWLC 8.3.140.0, but successfully join and working WLC-4402. I was trying to move all AP AIR-LAP1141N to new controller vWLC, but I received error message in console. From GUI old controller I reset AP by "clear All config" and tried to move it to new vWLC by changing DHCP option. I tried a few AP but result was the same every time. Other AP AIR-CAP1702I-E-K9 are successfully working on new vWLC 8.3.140.0

Console output can be seen in attached file.

Haydn Andrews · ‎04-09-2019

The certificate on the AP has expired. As per https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuq19142

Two options:

make the time on the vWLC in the past.

Apply following to vWLC via CLI:

config ap cert-expiry-ignore {mic|ssc} enable

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

Kazkommertsbank · ‎04-15-2019

I tried to perform both

I turned time to 10 year past - no luck

next I performed 2 command

config ap cert-expiry-ignore mic enable

config ap cert-expiry-ignore ssc enable

but there are no changes, I still receive error message

*Mar 1 00:07:34.998: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.2.25.14 obtained through DHCP

*Apr 15 11:14:10.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.2.25.14 peer_port: 5246

*Apr 15 11:14:10.000: %CAPWAP-5-CHANGED: CAPWAP changed state to

*Apr 15 11:14:10.006: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed

*Apr 15 11:14:10.006: %CAPWAP-3-ERRORLOG: Certificate verification failed!

*Apr 15 11:14:10.006: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:352 Certificate verified failed!

*Apr 15 11:14:10.006: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 10.2.25.14

*Apr 15 11:14:10.006: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.2.25.14:5246

*Apr 15 11:14:10.007: %DTLS-3-BAD_RECORD: Erroneous record received from 10.2.25.14: Malformed Certificate

*Apr 15 11:14:10.007: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.2.25.14:5246

*Apr 15 11:14:10.007: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

Sathiyanarayanan Ravindran · ‎04-15-2019

Have you checked the country code on the WLC and try to keep the time same as 4400 series WLC ?

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)

Daniel Ordóñez Flores · ‎04-15-2019

Hi @Kazkommertsbank

Can you please share the output of te command "show crypto pki certificates"

Check the end date is September 26 2016 you can change the date of your vWLC to Sep 25 2016 and the AP will be Join. Try with this commands:

config ap lifetime-check {mic|ssc} enable

config ap cert-expiry-ignore {mic|ssc} enable

Espero que la información haya sido útil y si no tienes más preguntas recuerda cerrar el topic, seleccionando la respuesta como "Respuesta correcta"

**Please rate the answer if this information was useful***

**Por favor si la información fue util marca esta respuesta como correcta**

*Tu reconocimiento nos alienta a seguir participando en los foros *

Espero que la información haya sido útil y si no tienes más preguntas recuerda cerrar el topic, seleccionando la respuesta como "Respuesta correcta"
**Please rate the answer if this information was useful***
**Por favor si la información fue util marca esta respuesta como correcta**

Kazkommertsbank · ‎04-15-2019

Hi,Daniel

AP0022.bd19.0a9e#sh crypto pki certificates

CA Certificate

Status: Available

Certificate Serial Number: 00

Certificate Usage: General Purpose

Issuer:

ea=support@airespace.com

cn=ca

ou=none

o=airespace Inc

l=San Jose

st=California

c=US

Subject:

ea=support@airespace.com

cn=ca

ou=none

o=airespace Inc

l=San Jose

st=California

c=US

Validity Date:

start date: 23:38:55 UTC Feb 12 2003

end date: 23:38:55 UTC Nov 11 2012

Associated Trustpoints: airespace-old-root-cert

CA Certificate

Status: Available

Certificate Serial Number: 00

Certificate Usage: Signature

Issuer:

ea=support@airespace.com

cn=Airespace Root CA

ou=Engineering

o=Airespace Inc.

l=San Jose

st=California

c=US

Subject:

ea=support@airespace.com

cn=Airespace Root CA

ou=Engineering

o=Airespace Inc.

l=San Jose

st=California

c=US

Validity Date:

start date: 13:41:22 UTC Jul 31 2003

end date: 13:41:22 UTC Apr 29 2013

Associated Trustpoints: airespace-new-root-cert

CA Certificate

Status: Available

Certificate Serial Number: 03

Certificate Usage: General Purpose

Issuer:

ea=support@airespace.com

cn=Airespace Root CA

ou=Engineering

o=Airespace Inc.

l=San Jose

st=California

c=US

Subject:

ea=support@airespace.com

cn=Airespace Device CA

ou=Engineering

o=Airespace Inc.

l=San Jose

st=California

c=US

Validity Date:

start date: 22:37:13 UTC Apr 28 2005

end date: 22:37:13 UTC Jan 26 2015

Associated Trustpoints: airespace-device-root-cert

CA Certificate

Status: Available

Certificate Serial Number: 5FF87B282B54DC8D42A315B568C9ADFF

Certificate Usage: Signature

Issuer:

cn=Cisco Root CA 2048

o=Cisco Systems

Subject:

cn=Cisco Root CA 2048

o=Cisco Systems

Validity Date:

start date: 20:17:12 UTC May 14 2004

end date: 20:25:42 UTC May 14 2029

Associated Trustpoints: cisco-root-cert

Certificate

Status: Available

Certificate Serial Number: 3B34ACDD0000000EA64A

Certificate Usage: General Purpose

Issuer:

cn=Cisco Manufacturing CA

o=Cisco Systems

Subject:

Name: C1140-0022bd190a9e

ea=support@cisco.com

cn=C1140-0022bd190a9e

o=Cisco Systems

l=San Jose

st=California

c=US

CRL Distribution Points:

http://www.cisco.com/security/pki/crl/cmca.crl

Validity Date:

start date: 13:11:28 UTC Jul 17 2009

end date: 13:21:28 UTC Jul 17 2019

Associated Trustpoints: Cisco_IOS_MIC_cert

CA Certificate

Status: Available

Certificate Serial Number: 6A6967B3000000000003

Certificate Usage: Signature

Issuer:

cn=Cisco Root CA 2048

o=Cisco Systems

Subject:

cn=Cisco Manufacturing CA

o=Cisco Systems

CRL Distribution Points:

http://www.cisco.com/security/pki/crl/crca2048.crl

Validity Date:

start date: 22:16:01 UTC Jun 10 2005

end date: 20:25:42 UTC May 14 2029

Associated Trustpoints: Cisco_IOS_MIC_cert

Kazkommertsbank · ‎04-15-2019

(Cisco Controller) >config ap cert-expiry-ignore ssc enable
Expire SSC Mode allow is already configured.

(Cisco Controller) >config ap cert-expiry-ignore mic enable
Expire MIC Mode allow is already configured.

(Cisco Controller) >config ap lifetime-check mic enable

Incorrect usage. Use the '?' or <TAB> key to list commands.

(Cisco Controller) >config ap lifetime-check ssc enable

Incorrect usage. Use the '?' or <TAB> key to list commands.

(Cisco Controller) >

On my version I do not have this command - config ap lifetime-check

But I tried to apply one more command - (Cisco Controller) >config certificate ssc hash validation disable

There are still no results.