02-09-2014 07:22 AM - edited 07-05-2021 12:07 AM
Hi all,
We have a bunch of APs (c1140, c1240, 1600, 3500) joined to a vWLC 7.5.102. It was a pain to bring them there from a 7.0 WiSM (we have no other physical controller so we had to do an "archive download" of 7.5-ible recovery software to each of them), plus we are experiencing many issues with 7.5 (clients suddenly drop, clients cannot connect anymore, and so on...). During an MTE at the recent CLEUR the Cisco engineer suggested moving to 7.6. I don't want to upgrade my production vWLC from 7.5 to 7.6 as I have PI 2.0... I would like to test it first and see what I lose with the infamous "7.6 not supported on PI 2.0" problem. So I took my second vWLC 7.5, licensed and all but without any APs registered to it, upgraded it to 7.6 and tried to move a c1140 and later a 1600 to it.
Sadly, I wasn't successful at all:
*Feb 9 15:05:49.871: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Feb 9 15:05:40.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.4.75.201 peer_port: 5246
*Feb 9 15:05:40.011: %CAPWAP-3-ERRORLOG: Failed to authorize controller using trust config.
*Feb 9 15:05:40.011: %CAPWAP-1-SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed.Peer certificate verification failed FFFFFFFF
*Feb 9 15:05:40.011: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Feb 9 15:05:40.011: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:467 Certificate verified failed!
*Feb 9 15:05:40.011: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.4.75.201:5246
*Feb 9 15:05:40.011: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.4.75.201:5246
*Feb 9 15:05:40.011: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
The SSC on the second vWLC is actually different from the SSC on the first one.
What I tried so far:
- reboot the vWLC to secondary 7.5.102 - same error. The SSC btw stays the same as in 7.6
- upload rcv software to the 1140 - still the same
- disable SSC hash check
Any suggestions?
Given 7.6 might not be what I'm looking for, I could downgrade the vWLC to 7.4 - but can I? Or will I have to make a new VA and relicense the WLC and stuff? And is 7.4 actually better than 7.5?
From a general standpoint it looks to me that the vWLC might not be as mature a product as it should be... any experiences?
thanks
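A small triage script for the AP console log in the post above, added here as an example (not code from the thread or from Cisco): it groups CAPWAP join attempts by controller and flags those where the AP rejected the controller's SSC. The function names are hypothetical, and the sample input is copied from the log lines quoted in the post.

```python
import re

# Sample input: AP console lines copied from the log quoted in the post.
SAMPLE_LOG = """\
*Feb 9 15:05:40.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.4.75.201 peer_port: 5246
*Feb 9 15:05:40.011: %CAPWAP-3-ERRORLOG: Failed to authorize controller using trust config.
*Feb 9 15:05:40.011: %CAPWAP-1-SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed.Peer certificate verification failed FFFFFFFF
*Feb 9 15:05:40.011: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.4.75.201:5246
*Feb 9 15:05:40.011: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.4.75.201:5246
"""

LINE = re.compile(r"^\*(?P<ts>\w+\s+\d+\s+[\d:.]+): %(?P<fac>[A-Z]+)-(?P<sev>\d)-(?P<mnem>\w+): (?P<msg>.*)$")
REQ = re.compile(r"peer_ip: (?P<ip>[\d.]+) peer_port: (?P<port>\d+)")
ALERT = re.compile(r"Send FATAL : (?P<kind>.+?) Alert to (?P<ip>[\d.]+):(?P<port>\d+)")

def triage(log_text):
    """Return one record per DTLS connection request, with the failure evidence that followed it."""
    attempts, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines without a %FAC-SEV-MNEM tag (e.g. DTLS_CLIENT_ERROR) are skipped
        mnem, msg = m["mnem"], m["msg"]
        if mnem == "DTLSREQSEND" and (r := REQ.search(msg)):
            current = {"peer": r["ip"], "port": int(r["port"]), "start": m["ts"],
                       "ssc_rejected": False, "alerts": []}
            attempts.append(current)
        elif current is None:
            continue  # nothing to attach this line to yet
        elif mnem == "SSC_CERT_AUTH_FAILED":
            current["ssc_rejected"] = True
        elif mnem == "SEND_ALERT" and (a := ALERT.search(msg)) and a["ip"] == current["peer"]:
            current["alerts"].append(a["kind"])
    return attempts

def controllers_rejected(attempts):
    """Return {controller_ip: count} for attempts where the AP refused the controller's SSC."""
    out = {}
    for a in attempts:
        if a["ssc_rejected"]:
            out[a["peer"]] = out.get(a["peer"], 0) + 1
    return out

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result)
    print(controllers_rejected(result))
```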
02-09-2014 08:24 PM
v7.4 is the main code beside v7.0 which is the stable version in the v7.x train. The issue with v7.0 is the support for newer hardware requirements. v7.4 is the code to be on and if you require features, v7.6. v7.3 and v7.5 will be deferred soon so just understand that. You should be able to downgrade/upgrade without having to change any of the licensing in the vWLC. Why you're having bad luck with it, I don't know. Downgrade your test vWLC to v7.4.121.0 and see how it goes.
Sent from Cisco Technical Support iPhone App
02-09-2014 08:31 PM
Please post the following outputs:
1. vWLC: sh sysinfo;
2. vWLC: sh time;
3. AP: sh version;
4. AP: sh ip interface brief;
5. AP: Post the entire bootup sequence.
02-09-2014 10:57 PM
Hi Paolo,
Try to disable the hash:
config certificate ssc hash validation disable
Also use these commands:
'test capwap erase' and 'test capwap restart'
After doing this, paste the output of these commands from WLC
show certificate ssc
show time
*** Note: Sometimes an AP takes more than 1-2 hours to join the WLC
Check this link:
http://www.cisco.com/en/US/products/ps12723/products_tech_note09186a0080bd2d04.shtml#hash
Regards
Don't forget to rate helpful posts
02-10-2014 05:24 AM
Hi all,
thank you for the replies.
I have achieved some degree of success now erasing the private configs on the APs and they happily joined to vWLC02 (the one with 7.6); I then downgraded vWLC02 to 7.4.121 as suggested to test it for at least a week before downgrading vWLC01 (the one with 7.5) to 7.4 too.
Will report later.
11-26-2014 02:49 PM
Much later, sorry.
Ended up getting two 5508's in HA as it turned out vWLC can't support TrustSec.
OTOH 5508 works a blast.