Gunter
Beginner

APs don't want to establish DTLS tunnel with WLC

Hi

 

I have a problem establishing a DTLS tunnel between the WLC and the APs. In my setup I have 2 WLCs. The first one (WLC0001) is the primary one and all APs connect to this controller without any problem; the second one (WLC0002) is able to connect some APs, but most of them cannot establish a DTLS tunnel. This is what I get on the AP console:

 

*Nov 13 11:23:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: WLC0002 peer_port: 5246
*Nov 13 11:23:55.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Nov 13 11:24:25.180: DTLS_CLIENT_ERROR: ../dtls/dtls_connection_db.c:2017 Max retransmission count reached!
*Nov 13 11:24:25.180: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for WLC0002 is reached.
*Nov 13 11:24:55.050: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to WLC0002:5246
*Nov 13 11:23:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: WLC0002 peer_port: 5246
*Nov 13 11:24:25.182: DTLS_CLIENT_ERROR: ../dtls/dtls_connection_db.c:2017 Max retransmission count reached!
*Nov 13 11:24:25.182: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for WLC0002 is reached.
*Nov 13 11:24:55.049: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to WLC0002:5246

 

Because I have old APs connected to this WLC I cannot upgrade it to code higher than 7.0.x. I decided to upgrade the faulty WLC0002 to software 7.0.252.0 to check whether I have a problem with the bug CSCuq19142 - LAP/WLC MIC or SSC lifetime expiration causes DTLS failure.

Unfortunately this made no difference.

 

WLC: AIR-CT5508-K9

(WLC0002) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.252.0
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... 6.0.182.0
Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
Build Type....................................... DATA + WPS

Configured Country............................... Multiple Countries:BR,TW

 

One of the AP models I have the problem with: AIR-LAP1242AG-T-K9

Is anyone able to help me resolve this case? I'd appreciate any help.

Gunter


Hello Gunter,

I have exactly the same issue but with a different access point - AP AIR-AP1252AG-A-K9. After upgrading the 2nd WLC to 7.0.252.0 nothing has changed.

Have you been able to figure out the solution? In my case the certificate on the WLC expired about a year ago and the issues started recently...

Thanks a lot,

-Viktor 

create a new thread...

and paste the output of these commands:

from WLC: sh sysinfo

from AP: sh version

By default, if an AP and/or WLC certificate has expired, then the DTLS connection will fail. In order to allow the APs to join a WLC after the certificate expiration, upgrade to the fixed software version, and then use the appropriate command for your specific version.

For Version 7.0.252.0, use this command:

(WLC)>config ap lifetime-check mic enable 

More info: http://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html

Regards

Don't forget to rate helpful posts

Hello Sandeep,

thanks for your comments and answer. I still want to continue this thread since I found someone who might help me :) Thanks again for your quick reply; below you can find the requested information:

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.252.0
RTOS Version..................................... 7.0.252.0
Bootloader Version............................... 7.0.252.0
Emergency Image Version.......................... 7.0.252.0
Build Type....................................... DATA + WPS

System Name...................................... WLC-STG
System Location.................................. STG
System Contact................................... 
System ObjectID.................................. 1.3.6.1.4.1.14179.1.1.4.3
IP Address....................................... 192.168.63.48
System Up Time................................... 3 days 1 hrs 5 mins 49 secs
System Timezone Location......................... (GMT +1:00) Amsterdam, Berlin, Rome, Vienna

Configured Country............................... US - United States
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +43 C


--More-- or (q)uit
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 4
Number of Active Clients......................... 0

Burned-in MAC Address............................ 00:19:AA:71:A8:00
Crypto Accelerator 1............................. Absent
Crypto Accelerator 2............................. Absent
Power Supply 1................................... Present, OK
Power Supply 2................................... Present, OK
Maximum number of APs supported.................. 12

AP-STG-57>sh version
Cisco IOS Software, C1250 Software (C1250-RCVK9W8-M), Version 12.4(21a)JA2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 02-Nov-09 19:03 by prod_rel_team

ROM: Bootstrap program is C1250 boot loader
BOOTLDR: C1250 Boot Loader (C1250-BOOT-M) Version 12.4(10b)JA, RELEASE SOFTWARE (fc2)

AP-STG-57 uptime is 1 minute
System returned to ROM by power-on
System image file is "flash:/c1250-rcvk9w8-mx/c1250-rcvk9w8-mx"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-AP1252AG-A-K9 (PowerPC 8349) processor (revision A0) with 49142K/16384K bytes of memory.
Processor board ID FTX123992BU
PowerPC 8349 CPU at 533Mhz, revision number 0x0031
Last reset from power-on
LWAPP image version 3.0.51.0
1 Gigabit Ethernet interface

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:23:33:39:A4:F2
Part Number : 73-10425-05
PCA Assembly Number : 800-27630-05
PCA Revision Number : A0
PCB Serial Number : FOC12362GZL
Top Assembly Part Number : 800-29039-02
Top Assembly Serial Number : FTX123992BU
Top Revision Number : A0
Product/Model Number : AIR-AP1252AG-A-K9

Configuration register is 0xF


----------------------------------


flashfs[0]: 16 files, 3 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 31868928
flashfs[0]: Bytes used: 8740352
flashfs[0]: Bytes available: 23128576
flashfs[0]: flashfs fsck took 18 seconds.
Reading cookie from flash parameter block...done.
Base Ethernet MAC address: 00:23:33:39:a4:f2
Loading "flash:/c1250-rcvk9w8-mx/c1250-rcvk9w8-mx"...#############################################################################################################

File "flash:/c1250-rcvk9w8-mx/c1250-rcvk9w8-mx" uncompressed and installed, entry point: 0x3000
executing...

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cisco IOS Software, C1250 Software (C1250-RCVK9W8-M), Version 12.4(21a)JA2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 02-Nov-09 19:03 by prod_rel_team


Proceeding with system init

Proceeding to unmask interrupts


cisco AIR-AP1252AG-A-K9 (PowerPC 8349) processor (revision A0) with 49142K/16384K bytes of memory.
Processor board ID FTX123992BU
PowerPC 8349 CPU at 533Mhz, revision number 0x0031
Last reset from power-on
LWAPP image version 3.0.51.0
1 Gigabit Ethernet interface

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:23:33:39:A4:F2
Part Number : 73-10425-05
PCA Assembly Number : 800-27630-05
PCA Revision Number : A0
PCB Serial Number : FOC12362GZL
Top Assembly Part Number : 800-29039-02
Top Assembly Serial Number : FTX123992BU
Top Revision Number : A0
Product/Model Number : AIR-AP1252AG-A-K9
% Please define a domain-name first.

Errors from AP:

*Mar 1 00:01:01.915: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*May 22 13:14:52.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.63.49 peer_port: 5246
*May 22 13:14:52.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
*May 22 13:14:52.091: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 351EC910000000070BF6) has expired. Validity period ended on 18:32:13 UTC Nov 27 2016
*May 22 13:14:52.091: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*May 22 13:14:52.091: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*May 22 13:14:52.091: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:326 Certificate verified failed!
*May 22 13:14:52.091: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.63.49
*May 22 13:14:52.091: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.63.49:5246
*May 22 13:14:52.091: %DTLS-3-BAD_RECORD: Erroneous record received from 192.168.63.49: Malformed Certificate
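The two AP console captures in this thread show the same join failure in two different shapes: Gunter's AP times out the DTLS handshake against WLC0002 (`%DTLS-3-HANDSHAKE_RETRANSMIT`), while Viktor's AP explicitly rejects the WLC certificate as expired (`%PKI-3-CERTIFICATE_INVALID_EXPIRED`), which is the condition Sandeep's `config ap lifetime-check mic enable` workaround addresses. The script below is an added example, not code from the thread or from Cisco: it parses a pasted AP console log, groups the events per WLC peer, extracts the serial and expiry date of the rejected certificate, and maps each verdict to the remediation stated in the thread. The sample log is constructed from the lines posted above; the reference year (2017) is an assumption, since AP syslog timestamps carry no year.

```python
"""Classify CAPWAP/DTLS join failures from an AP console log (added example)."""
import re
from datetime import datetime, timezone

# Constructed sample: the handshake-timeout lines from the original post and the
# expired-certificate lines from Viktor's reply, as the AP console printed them.
SAMPLE_LOG = """\
*Nov 13 11:23:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: WLC0002 peer_port: 5246
*Nov 13 11:24:25.180: DTLS_CLIENT_ERROR: ../dtls/dtls_connection_db.c:2017 Max retransmission count reached!
*Nov 13 11:24:25.180: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for WLC0002 is reached.
*Nov 13 11:24:55.050: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to WLC0002:5246
*Nov 13 11:23:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: WLC0002 peer_port: 5246
*Nov 13 11:24:25.182: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for WLC0002 is reached.
*May 22 13:14:52.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.63.49 peer_port: 5246
*May 22 13:14:52.091: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 351EC910000000070BF6) has expired. Validity period ended on 18:32:13 UTC Nov 27 2016
*May 22 13:14:52.091: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.63.49
*May 22 13:14:52.091: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.63.49:5246
"""

REQ_RE = re.compile(r"%CAPWAP-5-DTLSREQSEND: .*peer_ip: (\S+) peer_port: (\d+)")
RETRANSMIT_RE = re.compile(r"%DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for (\S+) is reached")
EXPIRED_RE = re.compile(
    r"%PKI-3-CERTIFICATE_INVALID_EXPIRED: .*\(SN: ([0-9A-Fa-f]+)\) has expired\. "
    r"Validity period ended on (\d\d:\d\d:\d\d) UTC (\w{3} \d{1,2} \d{4})"
)
BAD_CERT_RE = re.compile(r"%DTLS-4-BAD_CERT: .*Peer IP: (\S+)")

# Remediation text taken from Sandeep's reply and the referenced field notice.
REMEDIATION = {
    "certificate_expired": "WLC certificate is past its validity: upgrade to a fixed release and, on "
                           "7.0.252.0, run 'config ap lifetime-check mic enable' (Cisco FN63942).",
    "certificate_rejected": "Peer certificate failed verification without an expiry message: "
                            "inspect the WLC certificate chain before changing anything else.",
    "handshake_timeout": "DTLS handshake never completed: confirm UDP 5246 reaches the WLC, then "
                         "check certificate lifetimes, since the thread's OP saw this symptom with "
                         "the same underlying expiry problem.",
    "no_failure_seen": "No DTLS failure signature in this capture.",
}


def _new_peer():
    return {"requests": 0, "retransmit_timeouts": 0, "bad_cert": 0,
            "serial": None, "not_after": None, "expired_days": None, "verdict": None}


def classify_dtls_failures(log_text, now):
    """Return {peer: summary} for every WLC the AP tried to build a DTLS tunnel to.

    `now` must be a timezone-aware UTC datetime; AP syslog lines carry no year,
    so the caller supplies the reference time rather than the parser guessing it.
    """
    peers = {}
    current = None  # peer named in the most recent DTLSREQSEND line
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m:
            current = m.group(1)
            peers.setdefault(current, _new_peer())["requests"] += 1
            continue
        m = RETRANSMIT_RE.search(line)
        if m:
            peers.setdefault(m.group(1), _new_peer())["retransmit_timeouts"] += 1
            continue
        m = BAD_CERT_RE.search(line)
        if m:
            peers.setdefault(m.group(1), _new_peer())["bad_cert"] += 1
            continue
        m = EXPIRED_RE.search(line)
        if m and current is not None:
            # The PKI line names no peer; attribute it to the handshake in progress.
            p = peers.setdefault(current, _new_peer())
            p["serial"] = m.group(1)
            p["not_after"] = datetime.strptime(
                f"{m.group(3)} {m.group(2)}", "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)
            p["expired_days"] = (now - p["not_after"]).days
    for p in peers.values():
        if p["serial"] is not None:
            p["verdict"] = "certificate_expired"
        elif p["bad_cert"]:
            p["verdict"] = "certificate_rejected"
        elif p["retransmit_timeouts"]:
            p["verdict"] = "handshake_timeout"
        else:
            p["verdict"] = "no_failure_seen"
    return peers


def remediation(summary):
    """Map one peer summary to the fix the thread gives for that failure mode."""
    return REMEDIATION[summary["verdict"]]


if __name__ == "__main__":
    # Assumed reference time: the year of Viktor's capture is not in the log.
    ref = datetime(2017, 5, 22, 13, 14, 52, tzinfo=timezone.utc)
    for peer, s in classify_dtls_failures(SAMPLE_LOG, ref).items():
        print(f"{peer}: {s['verdict']} (requests={s['requests']}, "
              f"timeouts={s['retransmit_timeouts']}, serial={s['serial']}, "
              f"expired_days={s['expired_days']})")
        print("  ->", remediation(s))
```

Feed it `show logging` or a console capture from any AP that fails to join; the per-peer grouping matters on a setup like Gunter's, where the same AP joins WLC0001 fine and only fails against WLC0002, so the two controllers show up as separate rows with separate verdicts.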


Dear Sandeep,

I've created new thread here per your recommendations:

https://supportforums.cisco.com/discussion/13300311/wlc-4402-certificate-have-expired-and-i-cant-join-aps

Please feel free to respond there.

Thank you,

-Viktor 
