11-13-2015 03:52 AM - edited 07-05-2021 04:13 AM
Hi
I have a problem establishing a DTLS tunnel between the WLC and the APs. In my setup I have 2 WLCs. The first one (WLC0001) is the primary one and none of the APs have any problem connecting to this controller; the second one (WLC0002) is able to connect some APs but most of them cannot establish the DTLS tunnel. This is what I get on the AP console:
*Nov 13 11:23:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: WLC0002 peer_port: 5246
*Nov 13 11:23:55.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Nov 13 11:24:25.180: DTLS_CLIENT_ERROR: ../dtls/dtls_connection_db.c:2017 Max retransmission count reached!
*Nov 13 11:24:25.180: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for WLC0002 is reached.
*Nov 13 11:24:55.050: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to WLC0002:5246
*Nov 13 11:23:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: WLC0002 peer_port: 5246
*Nov 13 11:24:25.182: DTLS_CLIENT_ERROR: ../dtls/dtls_connection_db.c:2017 Max retransmission count reached!
*Nov 13 11:24:25.182: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for WLC0002 is reached.
*Nov 13 11:24:55.049: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to WLC0002:5246
Because I have old APs connected to this WLC I cannot upgrade it to code higher than 7.0.x. I decided to upgrade the faulty WLC0002 to software 7.0.252.0 to check whether I was hitting the bug CSCuq19142 - LAP/WLC MIC or SSC lifetime expiration causes DTLS failure.
Unfortunately this made no difference.
WLC: AIR-CT5508-K9
(WLC0002) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.252.0
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... 6.0.182.0
Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
Build Type....................................... DATA + WPS
Configured Country............................... Multiple Countries:BR,TW
One of the AP models I have problems with: AIR-LAP1242AG-T-K9
Is anyone able to help me resolve this case? I'd appreciate any help.
Gunter
05-22-2017 05:14 AM
Hello Gunter,
I have exactly the same issue but with a different access point - AP AIR-AP1252AG-A-K9. After upgrading the 2nd WLC to 7.0.252.0 nothing has changed.
Have you been able to figure out the solution? In my case the certificate on the WLC expired about a year ago and the issues started recently...
Thanks a lot,
-Viktor
05-22-2017 05:26 AM
create a new thread...
and paste the output of these commands:
from WLC: sh sysinfo
from AP: sh version
By default, if an AP and/or WLC certificate has expired, then the DTLS connection will fail. In order to allow the APs to join a WLC after the certificate expiration, upgrade to the fixed software version, and then use the appropriate command for your specific version.
For Version 7.0.252.0, use this command:
(WLC)>config ap lifetime-check mic enable
More info: http://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html
Regards
Don't forget to rate helpful posts
05-22-2017 06:20 AM
Hello Sandeep,
thanks for your comments and answer. I still want to continue this thread since I found someone who might help me :) Thanks again for your quick reply; below you can find the requested information:
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.252.0
RTOS Version..................................... 7.0.252.0
Bootloader Version............................... 7.0.252.0
Emergency Image Version.......................... 7.0.252.0
Build Type....................................... DATA + WPS
System Name...................................... WLC-STG
System Location.................................. STG
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.14179.1.1.4.3
IP Address....................................... 192.168.63.48
System Up Time................................... 3 days 1 hrs 5 mins 49 secs
System Timezone Location......................... (GMT +1:00) Amsterdam, Berlin, Rome, Vienna
Configured Country............................... US - United States
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +43 C
--More-- or (q)uit
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 4
Number of Active Clients......................... 0
Burned-in MAC Address............................ 00:19:AA:71:A8:00
Crypto Accelerator 1............................. Absent
Crypto Accelerator 2............................. Absent
Power Supply 1................................... Present, OK
Power Supply 2................................... Present, OK
Maximum number of APs supported.................. 12
AP-STG-57>sh version
Cisco IOS Software, C1250 Software (C1250-RCVK9W8-M), Version 12.4(21a)JA2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 02-Nov-09 19:03 by prod_rel_team
ROM: Bootstrap program is C1250 boot loader
BOOTLDR: C1250 Boot Loader (C1250-BOOT-M) Version 12.4(10b)JA, RELEASE SOFTWARE (fc2)
AP-STG-57 uptime is 1 minute
System returned to ROM by power-on
System image file is "flash:/c1250-rcvk9w8-mx/c1250-rcvk9w8-mx"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco AIR-AP1252AG-A-K9 (PowerPC 8349) processor (revision A0) with 49142K/16384K bytes of memory.
Processor board ID FTX123992BU
PowerPC 8349 CPU at 533Mhz, revision number 0x0031
Last reset from power-on
LWAPP image version 3.0.51.0
1 Gigabit Ethernet interface
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:23:33:39:A4:F2
Part Number : 73-10425-05
PCA Assembly Number : 800-27630-05
PCA Revision Number : A0
PCB Serial Number : FOC12362GZL
Top Assembly Part Number : 800-29039-02
Top Assembly Serial Number : FTX123992BU
Top Revision Number : A0
Product/Model Number : AIR-AP1252AG-A-K9
Configuration register is 0xF
----------------------------------
flashfs[0]: 16 files, 3 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 31868928
flashfs[0]: Bytes used: 8740352
flashfs[0]: Bytes available: 23128576
flashfs[0]: flashfs fsck took 18 seconds.
Reading cookie from flash parameter block...done.
Base Ethernet MAC address: 00:23:33:39:a4:f2
Loading "flash:/c1250-rcvk9w8-mx/c1250-rcvk9w8-mx"...#############################################################################################################
File "flash:/c1250-rcvk9w8-mx/c1250-rcvk9w8-mx" uncompressed and installed, entry point: 0x3000
executing...
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, C1250 Software (C1250-RCVK9W8-M), Version 12.4(21a)JA2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 02-Nov-09 19:03 by prod_rel_team
Proceeding with system init
Proceeding to unmask interrupts
cisco AIR-AP1252AG-A-K9 (PowerPC 8349) processor (revision A0) with 49142K/16384K bytes of memory.
Processor board ID FTX123992BU
PowerPC 8349 CPU at 533Mhz, revision number 0x0031
Last reset from power-on
LWAPP image version 3.0.51.0
1 Gigabit Ethernet interface
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:23:33:39:A4:F2
Part Number : 73-10425-05
PCA Assembly Number : 800-27630-05
PCA Revision Number : A0
PCB Serial Number : FOC12362GZL
Top Assembly Part Number : 800-29039-02
Top Assembly Serial Number : FTX123992BU
Top Revision Number : A0
Product/Model Number : AIR-AP1252AG-A-K9
% Please define a domain-name first.
Errors from AP:
*Mar 1 00:01:01.915: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*May 22 13:14:52.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.63.49 peer_port: 5246
*May 22 13:14:52.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
*May 22 13:14:52.091: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 351EC910000000070BF6) has expired. Validity period ended on 18:32:13 UTC Nov 27 2016
*May 22 13:14:52.091: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*May 22 13:14:52.091: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*May 22 13:14:52.091: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:326 Certificate verified failed!
*May 22 13:14:52.091: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.63.49
*May 22 13:14:52.091: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.63.49:5246
*May 22 13:14:52.091: %DTLS-3-BAD_RECORD: Erroneous record received from 192.168.63.49: Malformed Certificate
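An added triage script, not code from this thread or from Cisco, that runs the two kinds of AP console capture posted above through the same checks: it separates the silent handshake timeout in Gunter's log from the explicit expired-certificate rejection in Viktor's, pulls out the certificate serial, expiry date and peer, and maps each verdict to the remediation Sandeep gave for 7.0.252.0. The log excerpts are copied from the posts above; the verdict names and action strings are my own.

```python
"""Triage CAPWAP/DTLS join failures from Cisco AP console output (added example)."""
import re
from datetime import datetime, timezone

# Message formats exactly as they appear in the two console captures in this thread.
EXPIRED_RE = re.compile(
    r"%PKI-3-CERTIFICATE_INVALID_EXPIRED: .*\(SN: (?P<serial>[0-9A-Fa-f]+)\) has expired\. "
    r"Validity period ended on (?P<ended>\d{2}:\d{2}:\d{2} UTC \w{3} \d{1,2} \d{4})")
BAD_CERT_RE = re.compile(r"%DTLS-4-BAD_CERT: .*Peer IP: (?P<peer>\S+)")
RETRANSMIT_RE = re.compile(
    r"%DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for (?P<peer>\S+) is reached")
ACTIONS = {  # remediation per Sandeep's answer above (7.0.252.0, Field Notice 63942)
    "certificate_expired": "upgrade to a fixed release, then 'config ap lifetime-check mic enable'",
    "certificate_rejected": "peer cert rejected for another reason; read the AP's full PKI log",
    "handshake_timeout": "no reason logged; check cert lifetimes on both sides and the UDP/5246 path",
    "no_dtls_failure": "no DTLS failure in this capture",
}


def triage(log_text, now=None):
    """Classify one AP's DTLS failure and extract the facts needed to act on it."""
    r = {"verdict": "no_dtls_failure", "peer": None, "serial": None,
         "expired_on": None, "days_expired": None}
    for line in log_text.splitlines():
        m = EXPIRED_RE.search(line)
        if m:  # the AP told us why: the peer certificate is past its validity period
            ended = datetime.strptime(m["ended"], "%H:%M:%S UTC %b %d %Y").replace(tzinfo=timezone.utc)
            r.update(verdict="certificate_expired", serial=m["serial"], expired_on=ended)
            if now is not None:
                r["days_expired"] = (now - ended).days
        m = BAD_CERT_RE.search(line)
        if m:  # generic rejection; keep the expiry verdict if we already have one
            r["peer"] = m["peer"]
            if r["verdict"] == "no_dtls_failure":
                r["verdict"] = "certificate_rejected"
        m = RETRANSMIT_RE.search(line)
        if m and r["verdict"] == "no_dtls_failure":  # handshake died without a stated cause
            r.update(verdict="handshake_timeout", peer=m["peer"])
    r["action"] = ACTIONS[r["verdict"]]
    return r


# Sample input: excerpts of the two console captures posted in this thread.
GUNTER_LOG = """\
*Nov 13 11:24:25.180: %DTLS-3-HANDSHAKE_RETRANSMIT: Max retransmit count for WLC0002 is reached.
*Nov 13 11:24:55.050: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to WLC0002:5246"""
VIKTOR_LOG = """\
*May 22 13:14:52.091: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 351EC910000000070BF6) has expired. Validity period ended on 18:32:13 UTC Nov 27 2016
*May 22 13:14:52.091: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.63.49"""
```

Run `triage(VIKTOR_LOG, now=datetime.now(timezone.utc))` to get the verdict, serial, expiry date and how long the certificate has been expired; a `handshake_timeout` verdict on a 7.0.x controller with old MICs is the pattern from Gunter's first post and deserves the same certificate check.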
05-22-2017 06:29 AM
Dear Sandeep,
I've created a new thread here per your recommendations:
Please feel free to respond there.
Thank you,
-Viktor