cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1184
Views
0
Helpful
5
Replies

APs joined to vWLC 7.5 doesn't move to 7.6

pmarchiroi
Level 1
Level 1

Hi all,

we have a bunch of APs (c1140, c1240, 1600, 3500) joined to a vWLC 7.5.102. It was a pain to bring them there from a 7.0 WiSM (we have no other physical controller so we had to do an "archive download" of 7.5-ible recovery software to each of them), plus we are experiencing many issues with 7.5 (clients suddenly drop, clients cannot connect anymore, and so on...). During a MTE at the recent CLEUR the Cisco Engineer suggested to move to 7.6. I don't want to upgrade my production vWLC from 7.5 to 7.6 as I have PI 2.0... would like to test it first and see what I lose with the "7.6 not supported on PI2.0" infamous problem. So i took my second vWLC 7.5, licensed and all but without any APs registered to it, upgraded it to 7.6 and tried to move a c1140 and later a 1600 to it.

Sadly, I wasn't successful at all:

*Feb  9 15:05:49.871: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Feb  9 15:05:40.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.4.75.201 peer_port: 5246

*Feb  9 15:05:40.011: %CAPWAP-3-ERRORLOG: Failed to authorize controller using trust config.

*Feb  9 15:05:40.011: %CAPWAP-1-SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed.Peer certificate verification failed FFFFFFFF

*Feb  9 15:05:40.011: %CAPWAP-3-ERRORLOG: Certificate verification failed!

*Feb  9 15:05:40.011: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:467 Certificate verified failed!

*Feb  9 15:05:40.011: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.4.75.201:5246

*Feb  9 15:05:40.011: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.4.75.201:5246

*Feb  9 15:05:40.011: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

The SSC on the second vWLC is actually different from the SSC on the first one.

What I tried so far:

- reboot the vWLC to secondary 7.5.102 - same error. The SSC btw stays the same as in 7.6

- upload rcv software to the 1140 - still the same

- disable SSC hash check

Any suggestions?

Given 7.6 might not be what I'm looking for, I could downgrade the vWLC to 7.4 - but can I ? Or I'll have to make a new VA and relicense the WLC and stuff? And is 7.4 actually better than 7.5?

On a general standpoint it looks to me that the vWLC might not be as mature as a product as it should be... any experiences?

thanks

5 Replies 5

Scott Fella
Hall of Fame
Hall of Fame

v7.4 is the main code beside v7.0 which is the stable version in the v7.x train. The issue with v7.0 is the support for newer hardware requirements. v7.4 is the code to be on and if you require features, v7.6. v7.3 and v7.5 will be deferred soon so just understand that. You should be able to downgrade/upgrade without having to change any of the licensing in the vWLC. Why your having bad luck with it, I don't know. Downgrade your test vWLC to v7.4.121.0 and see how it goes.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Leo Laohoo
Hall of Fame
Hall of Fame

Please post the following outputs:

1.  vWLC:  sh sysinfo;

2.  vWLC:  sh time;

3.  AP:  sh version;

4.  AP:  sh ip interface brief;

5.  AP:  Post the entire bootup sequence.

Sandeep Choudhary
VIP Alumni
VIP Alumni

HI Paolo,

Try to disable the hash

config certificate ssc hash validation disable

Also Use these commands:

'test capwap erase' and  'test capwap restart'

After doing this, paste the output of these commands from WLC

show certificate ssc

show time

*** Note: Some time AP take more then 1-2 hours to join WLC

Check this link:

http://www.cisco.com/en/US/products/ps12723/products_tech_note09186a0080bd2d04.shtml#hash

Regards

Dont forget to rate helpful posts

Paolo Marchiori
Level 1
Level 1

Hi all,

thank you for the replies.

I have achieved some degree of success now erasing the private configs on the APs and they happily joined to vWLC02 (the one with 7.6); I then downgraded vWLC02 to 7.4.121 as suggested to test it for at least a week before downgrading vWLC01 (the one with 7.5) to 7.4 too.

Will report later.

Much later, sorry.

Ended up getting two 5508's in HA as it turned out vWLC can't support TrustSec.

OTOH 5508 works a blast.

Review Cisco Networking for a $25 gift card