Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7464
Views
35
Helpful
10
Replies

AP2802 cannot join to VWLC due to spamCheck_valid_vWLC_X509: SSC Hash not allowed

Go to solution
Jorge Luis Covenas Chiroque
Level 1
Level 1

‎07-15-2020 07:24 AM - edited ‎07-05-2021 12:17 PM

Hi Community.

I have this issue joining APs to vWLC 8.5.150.0: 

AP-28>show inventory
NAME: AP2800, DESCR: Cisco Aironet 2800 Series (IEEE 802.11ac) Access Point
PID: AIR-AP2802I-E-K9 , VID: V03, SN: FCW2329PHEZ

Validity for SHA 1: 
Not Before: Jul 19 19:00:00 2019 GMT
Not After : May 14 20:25:42 2029 GMT

Validity for SHA 2:

Validity
Not Before: Jul 19 19:00:36 2019 GMT
Not After : Nov 12 13:00:17 2037 GMT

Not other cert in AP.

 

LOG in AP:

 

[*07/15/2020 12:50:49.2905] Discovery Response from 192.168.9.228
[*07/15/2020 12:50:45.0000]
[*07/15/2020 12:50:45.0000] CAPWAP State: DTLS Setup
[*07/15/2020 12:50:45.0006] dtls_connectionDB_add_connection: Number of DTLS connections exceeded two
[*07/15/2020 12:50:45.3936] spamCheck_valid_vWLC_X509: SSC Hash not allowed
[*07/15/2020 12:50:45.3936]
[*07/15/2020 12:50:45.4061] display_verify_cert_status: Verify Cert: FAILED at 1 depth: self signed certificate in certificate chain
[*07/15/2020 12:50:45.4082] dtls_verify_con_cert: Controller certificate verification error
[*07/15/2020 12:50:45.4085] dtls_process_packet: Controller certificate verification failed
[*07/15/2020 12:50:45.4092] sendPacketToDtls: DTLS: Closing connection 0xe8aa00.
[*07/15/2020 12:50:45.4094] Restarting CAPWAP State Machine.
[*07/15/2020 12:50:45.5141]
[*07/15/2020 12:50:45.5141] CAPWAP State: DTLS Teardown

 

vWLC side:

SSC Validity :
Start : Jul 13 04:23:03 2020 GMT
End : May 22 04:23:03 2030 GMT

 

Changing time to July 2019 or Dec 2019 doesnt work.

Disabling NTP doesnt work.

 

I folowed this FN https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html but my APs cannot join to vWLC.

 

Please help me to solve this issue.

 

Regards.

 

Preview file
3 KB
Preview file
203 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Rich R
VIP
VIP
In response to Leo Laohoo

‎07-16-2020 05:52 AM

I don't think either of those FNs apply. I wouldn't expect setting the date earlier to help but WLC must be synced to NTP.
Jorge can you provide "show certificate summary", "show certificate ssc" & "show certificate all" from the WLC?
I can't see anything about this in docs so might be heading towards a TAC case ...
------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

View solution in original post

0 Helpful

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to Jorge Luis Covenas Chiroque

‎07-16-2020 10:43 AM

Few things just to try: 1. factory reset the ap by using the mode button. Hold for >20 seconds until the led flashes red 2. log into the ap and delete the config: clear capwap private-config then reboot the ap 3. maybe disable the hash: config certificate ssc hash validation disable
-Scott
*** Please rate helpful posts ***

View solution in original post

10 Replies 10

Go to solution
marce1000
VIP
VIP

‎07-15-2020 09:46 AM

 

 - Check AP-model verus controller-model/software version compliance with :

             https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Go to solution
Rich R
VIP
VIP
In response to Leo Laohoo

‎07-16-2020 05:52 AM

I don't think either of those FNs apply. I wouldn't expect setting the date earlier to help but WLC must be synced to NTP.
Jorge can you provide "show certificate summary", "show certificate ssc" & "show certificate all" from the WLC?
I can't see anything about this in docs so might be heading towards a TAC case ...
------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

Go to solution
Jorge Luis Covenas Chiroque
Level 1
Level 1
In response to Rich R

‎07-16-2020 08:23 AM

HI rruding.

Please find attached the outputs requested.

 

Thanks a lot for your help.

Preview file
13 KB
0 Helpful

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to Jorge Luis Covenas Chiroque

‎07-16-2020 10:43 AM

Few things just to try: 1. factory reset the ap by using the mode button. Hold for >20 seconds until the led flashes red 2. log into the ap and delete the config: clear capwap private-config then reboot the ap 3. maybe disable the hash: config certificate ssc hash validation disable
-Scott
*** Please rate helpful posts ***

Go to solution
Jorge Luis Covenas Chiroque
Level 1
Level 1
In response to Scott Fella

‎07-16-2020 03:24 PM

Thanks a lot all of you for your help.

Reset to factory default work well to solve this issue.

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to Jorge Luis Covenas Chiroque

‎07-16-2020 04:09 PM

Just keep that in mind… if the ap drops off and fails to join again, factory reset it. I know its a pain, but that is my way of recovering an ap when it doesn’t join again.
-Scott
*** Please rate helpful posts ***
0 Helpful

Go to solution
Rich R
VIP
VIP
In response to Scott Fella

‎07-16-2020 03:52 PM

Nothing obviously wrong with the outputs but I think Scott got the right answers there ^^^.
Been looking back through other previous posts and this seems to happen when an AP has previously been joined to another vWLC - it stores the hash and then expects to see the same hash in future.
https://www.cisco.com/c/en/us/td/docs/wireless/technology/mesh/8-2/b_Virtual_Wireless_LAN_Controller_Deployment_Guide_8-2.html#concept_D01C165C662E42AEA3D829A1285272D4 says:
"Note When an AP moves from one vWLC to another, it may refuse to join the second vWLC. It occurs when the server hardware fails, or a new instance of vWLCs are created. It is recommended to implement server mirroring scheme at the VMware level such as vMotion or some orchestrator. It is highly recommended to retain a snapshot of the VM instance, one from the mobility domain to which access points have joined previously. Then use the snapshot to start the vWLC instance. Access points then join the vWLC. This method can be also be used for priming access points instead of a physical controller. "
Clearing the AP config and disabling hash check is the workaround for that.
Sort of documented in https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuf38985 and the doc link it provides - every vWLC the AP connects to must contain the hashes of every other vWLC the AP connects to and they must be in the same mobility group. If you can't do that you'll have to use the workaround.
I've not played with vWLC myself so apologies if I got any of this wrong - it's just what I've pieced together from other posts and docs.
------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Go to solution
lallimander
Level 1
Level 1
In response to Rich R

‎02-17-2023 07:09 AM

We had a power outage and somehow APs tried to join the WLC not in mobility group and then won't join back to primary or backup WLCs. Just brought mobility up between them and they joined back instantly. They were giving same "controller verification failed" error earlier.

Go to solution
Balaji_50982
Level 1
Level 1
In response to Scott Fella

‎01-27-2023 09:49 AM

Thank a lot for sharing

This options fixed the issue for me " log into the ap and delete the config: clear capwap private-config then reboot the ap "

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card