04-09-2019 05:34 AM - edited 07-05-2021 10:13 AM
Cisco AP AIR-LAP1141N cannot join vWLC 8.3.140.0, but it successfully joins and works with WLC-4402. I was trying to move all AIR-LAP1141N APs to the new vWLC controller, but I received an error message in the console. From the old controller's GUI I reset the AP with "clear All config" and tried to move it to the new vWLC by changing the DHCP option. I tried a few APs but the result was the same every time. Other APs, AIR-CAP1702I-E-K9, are working successfully on the new vWLC 8.3.140.0.
Console output can be seen in the attached file.
04-09-2019 06:24 AM - edited 04-09-2019 06:24 AM
The certificate on the AP has expired. As per https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuq19142
Two options:
Set the time on the vWLC to a date in the past.
Apply the following to the vWLC via CLI:
config ap cert-expiry-ignore {mic|ssc} enable
04-15-2019 05:58 AM
I tried both.
I set the time 10 years into the past - no luck.
Next I ran 2 commands:
config ap cert-expiry-ignore mic enable
config ap cert-expiry-ignore ssc enable
But there is no change; I still receive the error message:
*Mar 1 00:07:34.998: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.2.25.14 obtained through DHCP
*Apr 15 11:14:10.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.2.25.14 peer_port: 5246
*Apr 15 11:14:10.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Apr 15 11:14:10.006: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Apr 15 11:14:10.006: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Apr 15 11:14:10.006: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:352 Certificate verified failed!
*Apr 15 11:14:10.006: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 10.2.25.14
*Apr 15 11:14:10.006: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.2.25.14:5246
*Apr 15 11:14:10.007: %DTLS-3-BAD_RECORD: Erroneous record received from 10.2.25.14: Malformed Certificate
*Apr 15 11:14:10.007: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.2.25.14:5246
*Apr 15 11:14:10.007: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
04-15-2019 10:48 AM
Have you checked the country code on the WLC, and tried keeping the time the same as on the 4400 series WLC?
04-15-2019 11:40 AM
Can you please share the output of the command "show crypto pki certificates"?
Check if the end date is September 26 2016; you can change the date of your vWLC to Sep 25 2016 and the AP will join. Try these commands:
config ap lifetime-check {mic|ssc} enable
config ap cert-expiry-ignore {mic|ssc} enable
I hope the information was useful, and if you have no further questions remember to close the topic by selecting the answer as "Correct answer".
**Please rate the answer if this information was useful**
**Please mark this answer as correct if the information was useful**
*Your recognition encourages us to keep participating in the forums*
04-15-2019 08:52 PM
Hi, Daniel
AP0022.bd19.0a9e#sh crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number: 00
Certificate Usage: General Purpose
Issuer:
cn=ca
ou=none
o=airespace Inc
l=San Jose
st=California
c=US
Subject:
cn=ca
ou=none
o=airespace Inc
l=San Jose
st=California
c=US
Validity Date:
start date: 23:38:55 UTC Feb 12 2003
end date: 23:38:55 UTC Nov 11 2012
Associated Trustpoints: airespace-old-root-cert
CA Certificate
Status: Available
Certificate Serial Number: 00
Certificate Usage: Signature
Issuer:
cn=Airespace Root CA
ou=Engineering
o=Airespace Inc.
l=San Jose
st=California
c=US
Subject:
cn=Airespace Root CA
ou=Engineering
o=Airespace Inc.
l=San Jose
st=California
c=US
Validity Date:
start date: 13:41:22 UTC Jul 31 2003
end date: 13:41:22 UTC Apr 29 2013
Associated Trustpoints: airespace-new-root-cert
CA Certificate
Status: Available
Certificate Serial Number: 03
Certificate Usage: General Purpose
Issuer:
cn=Airespace Root CA
ou=Engineering
o=Airespace Inc.
l=San Jose
st=California
c=US
Subject:
cn=Airespace Device CA
ou=Engineering
o=Airespace Inc.
l=San Jose
st=California
c=US
Validity Date:
start date: 22:37:13 UTC Apr 28 2005
end date: 22:37:13 UTC Jan 26 2015
Associated Trustpoints: airespace-device-root-cert
CA Certificate
Status: Available
Certificate Serial Number: 5FF87B282B54DC8D42A315B568C9ADFF
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2048
o=Cisco Systems
Subject:
cn=Cisco Root CA 2048
o=Cisco Systems
Validity Date:
start date: 20:17:12 UTC May 14 2004
end date: 20:25:42 UTC May 14 2029
Associated Trustpoints: cisco-root-cert
Certificate
Status: Available
Certificate Serial Number: 3B34ACDD0000000EA64A
Certificate Usage: General Purpose
Issuer:
cn=Cisco Manufacturing CA
o=Cisco Systems
Subject:
Name: C1140-0022bd190a9e
cn=C1140-0022bd190a9e
o=Cisco Systems
l=San Jose
st=California
c=US
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/cmca.crl
Validity Date:
start date: 13:11:28 UTC Jul 17 2009
end date: 13:21:28 UTC Jul 17 2019
Associated Trustpoints: Cisco_IOS_MIC_cert
CA Certificate
Status: Available
Certificate Serial Number: 6A6967B3000000000003
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2048
o=Cisco Systems
Subject:
cn=Cisco Manufacturing CA
o=Cisco Systems
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/crca2048.crl
Validity Date:
start date: 22:16:01 UTC Jun 10 2005
end date: 20:25:42 UTC May 14 2029
Associated Trustpoints: Cisco_IOS_MIC_cert
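The validity windows in the output above can be checked against any verifier clock rather than read by eye. The following is an added example, not code from the thread or from Cisco: it parses "show crypto pki certificates" text and classifies each certificate at a chosen time. The function names are hypothetical and SAMPLE is abridged from the post.

```python
from datetime import datetime, timezone

# Abridged from the AP output above: only the lines the parser reads.
SAMPLE = """\
CA Certificate
Subject:
cn=Airespace Device CA
Validity Date:
start date: 22:37:13 UTC Apr 28 2005
end date: 22:37:13 UTC Jan 26 2015
Certificate
Issuer:
cn=Cisco Manufacturing CA
Subject:
cn=C1140-0022bd190a9e
Validity Date:
start date: 13:11:28 UTC Jul 17 2009
end date: 13:21:28 UTC Jul 17 2019
"""

def _ts(text):
    return datetime.strptime(text.strip(), "%H:%M:%S UTC %b %d %Y").replace(tzinfo=timezone.utc)

def parse_certs(output):
    """Return one dict per certificate block: kind, subject cn, start, end."""
    certs, section = [], None
    for line in map(str.strip, output.splitlines()):
        if line in ("Certificate", "CA Certificate"):
            certs.append({"kind": line})
            section = None
        elif not certs:
            continue  # prompt or banner lines before the first block
        elif line in ("Issuer:", "Subject:"):
            section = line
        elif section == "Subject:" and line.startswith("cn="):
            certs[-1]["cn"] = line[3:]
        elif line.startswith(("start date:", "end date:")):
            key, value = line.split(" date:", 1)
            certs[-1][key] = _ts(value)
    return certs

def status_at(cert, when):
    """Classify a certificate's validity window against the verifier's clock."""
    if when < cert["start"]:
        return "not-yet-valid"
    return "expired" if when > cert["end"] else "valid"

def report(output, when):
    return {c["cn"]: status_at(c, when) for c in parse_certs(output)}
```

Evaluated at the AP log time of Apr 15 2019 the MIC (C1140-0022bd190a9e) is still inside its window, while a clock set ten years earlier falls before the MIC start date of Jul 17 2009.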
04-15-2019 09:17 PM
(Cisco Controller) >config ap cert-expiry-ignore ssc enable
Expire SSC Mode allow is already configured.
(Cisco Controller) >config ap cert-expiry-ignore mic enable
Expire MIC Mode allow is already configured.
(Cisco Controller) >config ap lifetime-check mic enable
Incorrect usage. Use the '?' or <TAB> key to list commands.
(Cisco Controller) >config ap lifetime-check ssc enable
Incorrect usage. Use the '?' or <TAB> key to list commands.
(Cisco Controller) >
On my version I do not have this command - config ap lifetime-check
But I tried to apply one more command - (Cisco Controller) >config certificate ssc hash validation disable
There are still no results.