AP fail to join controller

jean-christophe.valiere · ‎08-25-2020

Hi Guys,

I'm trying to add an AP 1142N to a vWLC.

AP is running firmware: c1140-k9w7-tar.153-3.JD16

vWLC is running version: 8.3.121.0

Once the AP has booted, I got this error:

Aug 26 06:18:23.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.224.126 peer_port: 5246
Aug 26 06:18:23.487: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.10.224.126 peer_port: 5246
Aug 26 06:18:23.488: %CAPWAP-5-SENDJOIN: sending Join Request to 10.10.224.126
Aug 26 06:18:23.490: %DTLS-5-ALERT: Received WARNING : Close notify alert from 10.10.224.126
Aug 26 06:18:23.490: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.224.126:5246
Aug 26 06:18:23.491: %CAPWAP-3-ERRORLOG: Go join a capwap controller
Aug 26 06:18:23.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.224.126 peer_port: 5246
Aug 26 06:18:23.003: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:90 First fragment for seq 2 is missing
Aug 26 06:18:23.003: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:90 First fragment for seq 2 is missing
Aug 26 06:18:23.484: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.10.224.126 peer_port: 5246
Aug 26 06:18:23.485: %CAPWAP-5-SENDJOIN: sending Join Request to 10.10.224.126
Aug 26 06:18:23.486: %DTLS-5-ALERT: Received WARNING : Close notify alert from 10.10.224.126

I found this bug report from cisco: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCul08933/?rfs=iqvred, but have doubt that I'm falling in as my vWLC version is not that old.

Also, I added the AP Mac address in the AP Authorization List.

Any ideas, where the problem could come from ?

Thanks for your help.

Cheers,

JC

Sandeep Choudhary · ‎08-25-2020

Hi,

Please post the output to the following commands:

WLC: sh sysinfo;
WLC: sh time;
AP: sh version;

Regards

Dont forget to rate helpful posts

jean-christophe.valiere · ‎08-26-2020

Hi,

Below are the requested info:

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.3.121.0
RTOS Version..................................... 8.3.121.0
Bootloader Version............................... 8.1.102.0
Emergency Image Version.......................... 8.1.102.0

OUI File Update Time............................. Sun Sep 07 10:44:07 IST 2014

Build Type....................................... DATA + WPS

System Name...................................... wlc-01
System Location.................................. SafeHost - Wifi- Controller
System Contact................................... SafeHost Support
System ObjectID.................................. 1.3.6.1.4.1.9.1.1631
IP Address....................................... 10.10.224.126
IPv6 Address..................................... ::
System Up Time................................... 128 days 12 hrs 15 mins 56 secs
System Timezone Location......................... (GMT +1:00) Amsterdam, Berlin, Rome, Vienna
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180

--More or (q)uit current module or <ctrl-z> to abort

Configured Country............................... CH - Switzerland

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 4
Number of Active Clients......................... 18

OUI Classification Failure Count................. 3090

Burned-in MAC Address............................ 00:50:56:94:13:30
Maximum number of APs supported.................. 200
System Nas-Id.................................... wlc-01
WLC MIC Certificate Types........................ SHA1
Licensing Type................................... RTU
vWLC config...................................... Small

(Cisco Controller) >show time

Time............................................. Wed Aug 26 08:59:34 2020

Timezone delta................................... 0:0
Timezone location................................ (GMT +1:00) Amsterdam, Berlin, Rome, Vienna

NTP Servers
NTP Polling Interval......................... 3600

Index NTP Key Index NTP Server Status NTP Msg Auth Status
------- ----------------------------------------------------------------------------------------------
1 0 80.80.227.5 In Sync AUTH DISABLED
2 0 80.80.227.53 In Sync AUTH DISABLED

AP1cdf.0f94.a6bb>show version
Cisco IOS Software, C1140 Software (C1140-RCVK9W8-M), Version 15.2(4)JB5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Thu 01-May-14 23:16 by prod_rel_team

ROM: Bootstrap program is C1140 boot loader
BOOTLDR: C1140 Boot Loader (C1140-BOOT-M) Version 12.4(18a)JA3, RELEASE SOFTWARE (fc1)

AP1cdf.0f94.a6bb uptime is 0 minutes
System returned to ROM by power-on
System image file is "flash:/c1140-rcvk9w8-tar.152-4.JB5.d/c1140-rcvk9w8-mx/c1140-rcv"
Last reload reason:

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-LAP1142N-E-K9 (PowerPC405ex) processor (revision B0) with 90102K/40960K bytes of memory.
Processor board ID FCZ1446W34K
PowerPC405ex CPU at 586MHz, revision number 0x147E
Last reset from power-on
LWAPP image version 7.6.100.0
1 Gigabit Ethernet interface

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 1C:DF:0F:94:A6:BB
Part Number : 73-11451-08
PCA Assembly Number : 800-30554-06
PCA Revision Number : A0
PCB Serial Number : FOC14435BRW
Top Assembly Part Number : 800-31273-04
Top Assembly Serial Number : FCZ1446W34K
Top Revision Number : A0
Product/Model Number : AIR-LAP1142N-E-K9

Configuration register is 0xF

Regards,

JC

Leo Laohoo · ‎08-26-2020

@jean-christophe.valiere wrote:

Product Version.................................. 8.3.121.0

Read FN - 63942 - Wireless Lightweight Access Points and WLAN Controllers Fail to Create CAPWAP/LWAPP Connections Due to Certificate Expiration - Software Upgrade Recommended

8.3.121.0 is affected by this bug.

jean-christophe.valiere · ‎08-26-2020

Hi Leo,

Thanks for your answer.

Just had a look at the FN.

I don't think I'm affected by this bug as:

On my LAP:

Certificate
Status: Available
Certificate Serial Number (hex): 1719A0F3000000014FD4
Certificate Usage: General Purpose
Issuer:
cn=Cisco Manufacturing CA
o=Cisco Systems
Subject:
Name: C1140-1cdf0f94a6bb
e=support@cisco.com
cn=C1140-1cdf0f94a6bb
o=Cisco Systems
l=San Jose
st=California
c=US
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/cmca.crl
Validity Date:
start date: 16:50:43 UTC Nov 1 2010
end date: 17:00:43 UTC Nov 1 2020
Associated Trustpoints: Cisco_IOS_MIC_cert
Storage:

On my WLC:

Certificate Name: Cisco SHA1 device cert

--More or (q)uit current module or <ctrl-z> to abort

Subject Name :
C=US, ST=California, L=San Jose, O=Cisco Virtual Wireless LAN Controller, CN=DEVICE-vWLC-AIR-CTVM-K9-00505694382E, emailAddress=support@vwlc.com
Issuer Name :
C=US, ST=California, L=San Jose, O=Cisco Virtual Wireless LAN Controller, CN=CA-vWLC-AIR-CTVM-K9-00505694382E, emailAddress=support@vwlc.com
Serial Number (Hex):
1000
Validity :
Start : May 22 16:15:52 2014 GMT
End : Mar 30 16:15:52 2024 GMT
Signature Algorithm :
sha1WithRSAEncryption
Hash key :
SHA1 Fingerprint : 90:d1:ae:e3:25:d9:94:45:7f:f3:c1:d4:23:c9:5c:b5:e0:93:a2:5e
SHA256 Fingerprint : 39:c7:61:99:7f:a3:e4:96:16:90:e4:44:74:7d:0d:54:7b:94:f0:10:a4:60:64:e3:2f:f4:a2:48:85:53:97:98

Both certificates are still valid (but I'm running out of time for my LAP).

Also I don't see any certificate issues when the LAP tries to connect to the WLC.

Regards,

Jean-Christophe

Leo Laohoo · ‎08-26-2020

Look at the AP. The AP is running on RCV firmware. That is nothing.
The issue is the AP not being able to join the controller. Now look at the FN and then compare the list of affected versions against the version running on the WLC.