Buy or Renew
Buy or Renew
NEW: Try the Beta AI Summary feature on posts in the Routing and SD-WAN forum. Click to go to the forum.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5810
Views
6
Helpful
11
Replies

AP certificate validation error between 2 9800 WLCs cluster

Clem58
Level 6
Level 6

‎12-09-2022 08:21 AM - edited ‎12-09-2022 08:21 AM

Hello,

I'm testing 2 WLCs clusters, same versions 17.3.6. WLC01 and WLC02

I have 2 APs, one 3801I and one 3702E, when I move the APs from WLC01 to WLC02, using primary and secondary in High Availibility parameters, it's working perfectly.

But when I do the return, WLC02 to WLC01, the both APs cannot join, in the log we see :

SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed.Peer certificate verification failed

The only way to have them joining back WLC01 is to clear capwap private-config on 3702 and reset the 3802 with mode button.

As we want to have N+1 WLCs cluster (remote) at the final state, in production, I don't want to have to manually reset all the APs when they will failover back to the initial WLCs.

Is it anything you already faced ?

Labels:
0 Helpful
11 Replies 11

Mark Elsen
Hall of Fame
Hall of Fame

‎12-09-2022 09:23 AM

 

 - Could you run the configuration of  both controllers through WirlessAnalyzer with the procedure mentioned below, look for differences in advisories (or configuration) which may be indicative :
           Use the CLI command : show  tech   wireless , have the output analyzed by  https://cway.cisco.com/tools/WirelessAnalyzer/  , please note do not use classical show tech-support (short version) , use the command denoted in green for Wireless Analyzer.              

 M.
   



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)
0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎12-09-2022 09:36 AM

 can you post the output

>show certificate ssc

i think there is a bug on this i dont have in hand but will post later when i get chance.

BB

=====️ Preenayamo Vasudevam ️=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Leo Laohoo
Hall of Fame
Hall of Fame

‎12-09-2022 03:24 PM

The 3702 has a tiny flash space and can only accommodate one CAPWAP image.  

To go from AireOS to IOS-XE (and back) means the AP will need to download the IOS every time it crosses over.

Finally, the 2702/3702 are affected by FN - 72524 - During Software Upgrade/Downgrade, Cisco IOS APs Might Remain in Downloading State After December 4, 2022 Due to Certificate Expiration.

0 Helpful

Rich R
VIP
VIP

‎12-10-2022 06:58 AM - edited ‎12-10-2022 09:32 AM

What model of 9800 are you using - 9800-CL?

This sounds suspiciously similar to a well known problem with vWLC on AireOS!
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva69352
You can try the "Alternative workaround" from that? (if it's even possible on 9800)
Either way I think you'll need to open a TAC case for it because I don't see any bugs open for it on 9800.
Presume you have configured (and verified) mobility between the WLCs with the hash configured as per https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_vewlc_mobility.html ?

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

Clem58
Level 6
Level 6
In response to Rich R

‎12-10-2022 07:38 AM - edited ‎12-10-2022 07:39 AM

For Balaji
"show certificate ssc" does not exist

For Leo
It's not the recent bug with 3702, as we have the same issue with 3802 AP.

For Rich
There are different mobility groups, as the 2 clusters are in different sites (remote) so we don't have same mobility group, we don't need the 2 WLCs to share any RF data and so on. Anyway the migration from WLC01 to WLC02 is working, but not the inverse.

0 Helpful

Rich R
VIP
VIP

‎12-10-2022 09:35 AM

@Clem58 - yes I understand that but I think it may still fix this problem for you - it might actually be necessary to have this working as you intend.  So TRY IT and see if it helps?

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

Clem58
Level 6
Level 6
In response to Rich R

‎12-10-2022 09:37 AM

Ok that's a good point, I will try to set same mobility group name next
week and let you know if it's improving anything.

Thanks !
0 Helpful

Rich R
VIP
VIP

‎12-10-2022 09:51 AM

It's not just setting the mobility group name.

You need the working mobility connection between the WLCs so that they share hashes with each other and the APs store both WLC's hashes.

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

Clem58
Level 6
Level 6
In response to Rich R

‎12-11-2022 12:20 AM

Yes of course I will add the peer WLCs into the mobility group.
0 Helpful

Clem58
Level 6
Level 6
In response to Clem58

‎12-12-2022 06:38 AM - edited ‎12-12-2022 06:39 AM

So my problem is solved, actually even with mobility enabled and peers added and UP, I still had this issue with SSC certificate validation.

After double checked the configs, I noticed a setting I left, on both WLCs, when I was tshooting the issue with 3702 AP (recent bug with certificate expiration), so I had added : wireless management certificate ssc auth-token 0 password

After removing this settings, the APs can migrate from a WLC to another without any issue !

Rich R
VIP
VIP

‎12-12-2022 08:12 AM

Ah well glad you worked it out!

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card