08-13-2019 09:34 AM - edited 07-05-2021 10:51 AM
We have a vWLC with 8.5.140.0 and 357 APs (1602 and 1700).
In some branch offices we have one or two APs that work OK and others with an IP but not associated with the WLC.
We can see traffic from the APs to the WLC, but in the controller we can see:
%DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:978 Failed to complete DTLS handshake with peer ....
We tried to change WLC time and
(WLC)>config ap cert-expiry-ignore {mic|ssc} enable
but we have the same problem.
All APs were associated to other WLC.
Regards
08-13-2019 10:14 AM
Hi
I had a similar issue when upgrading from 8.3.143.0 to 8.5.140.0. It turned out to be the MIC certificate being SHA-1; I wasn't able to upgrade this to a SHA-2 cert. Changing the cipher to RSA-AES128-SHA fixed the issue for me. I also tried the ignore cert-expiry but that didn't work for me either.
You can check serial numbers of affected APs here
http://serialnumbervalidation.com/63916/cgi-bin/index.cgi
08-13-2019 11:16 AM
Thanks, but I already have RSA-AES128-SHA Cipher.
08-14-2019 04:47 AM
08-14-2019 06:43 AM
Yes, all
08-13-2019 11:39 AM
try
config ap lifetime-check mic enable
config ap lifetime-check ssc enable
08-13-2019 02:01 PM
I have a WLC with software version 8.5.140.0; I think that those commands are for 7.0.252.0 or earlier (in my WLC I don't have those commands).
I tried with config ap cert-expiry-ignore {mic|ssc} enable but no results.
08-14-2019 12:32 AM
08-15-2019 12:59 AM
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Build Info....................................... Engineering Special
Product Version.................................. 8.5.140.0
RTOS Version..................................... 8.5.140.0
Bootloader Version............................... 8.5.1.85
Emergency Image Version.......................... 8.5.140.0
OUI File Last Update Time........................ Sun Sep 07 10:44:07 IST 2014
Build Type....................................... DATA + WPS
System Name...................................... ciscowireless
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1631
IP Address....................................... 10.99.255.250
IPv6 Address..................................... ::
System Up Time................................... 160 days 19 hrs 37 mins 5 secs
System Timezone Location.........................
--More-- or (q)uit
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180
Configured Country............................... PT - Portugal
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 5
Number of Active Clients......................... 319
OUI Classification Failure Count................. 208922
Memory Current Usage............................. 49
Memory Average Usage............................. 49
CPU Current Usage................................ 2
CPU Average Usage................................ 2
Flash Type....................................... Compact Flash Card
Flash Size....................................... 1073741824
Burned-in MAC Address............................ 00:50:56:BD:42:7D
Maximum number of APs supported.................. 3000
System Nas-Id....................................
--More-- or (q)uit
WLC MIC Certificate Types........................ SHA1
Licensing Type................................... RTU
vWLC config...................................... Large
(Cisco Controller) >show time
Time............................................. Thu Aug 15 07:55:52 2019
Timezone delta................................... 0:0
Timezone location................................
NTP Servers
NTP Version.................................. 3
NTP Polling Interval......................... 7200
Index NTP Key Index NTP Server Status NTP Msg Auth Status
------- ---------------------------------------------------------------------
1 0 10.23.0.12 In Sync AUTH DISABLED
I don't have access to the AP now; I think tomorrow or Monday.
08-19-2019 04:48 AM
Finally I have been able to access the APs and I have seen in the console that there is a problem with the SSC and MIC certificate. I reset all APs to default and joined them to the WLC.
It's necessary to have this command:
config ap cert-expiry-ignore {mic|ssc} enable
Thanks for all.