Re: Can't built the mobility tunnel between WLC3504 and C9800-40

yaoszhan · ‎09-20-2020

Hi Team,

I met a issue that the mobility tunnel can't be built between WLC3504 and WLC9800-40, their version meet the ICRM requirement, I suspect the issue happens since certificate using by DTLS, I saw the logging information as follow:

--------------------------------------------- Last Reboot MsgLog & Traplog ---------------------------------------------
Sys Name: Melco-Test
Model: AIR-CT3504-K9
Version: 8.8.120.0
Primary Boot Image: 8.8.120.0 (default) (active)
Backup Boot Image: 8.8.125.0
LastReset Reason: Planned Reset
Timestamp: Mon Jul 13 07:07:01 2020
SystemUpTime: 19 days 20 hrs 16 mins 8 secs

-------------------------------------------------------MsgLog Dump ------------------------------------------------------------

*mobilityCapwapSocketTask: Jul 13 07:06:48.342: %DTLS2-3-HANDSHAKE_FAILURE: dtls2.c:1500 DTLS handshake failed for link 10.124.112.178:16666 <-> 10.79.247.224:16666
Certificate issuer :Airespace 13 07:06:48.342: %SSHPM-3-GENERIC_CERT_ERROR: sshpmPkiApi.c:2241 Certificate validation failed! Reason Failure to extract MAC from certificate, Certificate type : MIC
*mobilityCapwapSocketTask: Jul 13 07:06:18.589: %DTLS2-3-HANDSHAKE_FAILURE: dtls2.c:1500 DTLS handshake failed for link 10.124.112.178:16666 <-> 10.79.247.224:16666
Certificate issuer :Airespace 13 07:06:18.588: %SSHPM-3-GENERIC_CERT_ERROR: sshpmPkiApi.c:2241 Certificate validation failed! Reason Failure to extract MAC from certificate, Certificate type : MIC
*mobilityCapwapSocketTask: Jul 13 07:05:48.834: %DTLS2-3-HANDSHAKE_FAILURE: dtls2.c:1500 DTLS handshake failed for link 10.124.112.178:16666 <-> 10.79.247.224:16666
Certificate issuer :Airespace 13 07:05:48.834: %SSHPM-3-GENERIC_CERT_ERROR: sshpmPkiApi.c:2241 Certificate validation failed! Reason Failure to extract MAC from certificate, Certificate type : MIC
*mobilityCapwapSocketTask: Jul 13 07:05:19.082: %DTLS2-3-HANDSHAKE_FAILURE: dtls2.c:1500 DTLS handshake failed for link 10.124.112.178:16666 <-> 10.79.247.224:16666
Certificate issuer :Airespace 13 07:05:19.081: %SSHPM-3-GENERIC_CERT_ERROR: sshpmPkiApi.c:2241 Certificate validation failed! Reason Failure to extract MAC from certificate, Certificate type : MIC

*capwapPingSocketTask: Jul 13 06:42:50.238: %CAPWAPPING-3-PKT_RECV_ERROR: capwapping_shim_wlc.c:800 capwapPingSocketTask: capwappingRecvPkt returned error
*capwapPingSocketTask: Jul 13 06:42:50.238: %LOG-3-Q_IND: capwapping_shim_wlc.c:800 capwapPingSocketTask: capwappingRecvPkt returned error
*capwapPingSocketTask: Jul 13 06:42:40.331: %CAPWAPPING-3-PKT_RECV_ERROR: capwapping_shim_wlc.c:800 capwapPingSocketTask: capwappingRecvPkt returned error
*capwapPingSocketTask: Jul 13 06:42:40.330: %DTLS2-3-HANDSHAKE_FAILURE: dtls2.c:1500 DTLS handshake failed for link 10.124.112.178:16667 <-> 10.79.247.224:16667
tificate issuer :Airespace 13 06:42:40.330: %SSHPM-3-GENERIC_CERT_ERROR: sshpmPkiApi.c:2241 Certificate validation failed! Reason Failure to extract MAC from certificate, Certificate type : MIC, Ce
*capwapPingSocketTask: Jul 13 06:42:40.330: %LOG-3-Q_IND: capwapping_shim_wlc.c:800 capwapPingSocketTask: capwappingRecvPkt returned error[...It occurred 3 times.!]
*capwapPingSocketTask: Jul 13 06:42:40.320: %CAPWAPPING-3-PKT_RECV_ERROR: capwapping_shim_wlc.c:800 capwapPingSocketTask: capwappingRecvPkt returned error

how to troubleshoot the issue? Thanks

Scott Fella · ‎09-20-2020

Did you follow the guide on setting up the AireOS and 9800 mobility? There are settings you need to configure before the two can communicate. It’s not just setting up mobility.

-Scott
*** Please rate helpful posts ***

Scott Fella · ‎09-20-2020

Per the guide:

Note: On the 9800 WLC, control plane encryption is always enabled, which means that you need to have secure mobility enabled on the AireOS side.However, data link encryption is optional. If you enable it on the 9800 side, you will need to enable it on AireOS with config mobility group member data-dtls enable.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213913-building-mobility-tunnels-on-catalyst-98.html#anc7

-Scott
*** Please rate helpful posts ***

yaoszhan · ‎09-20-2020

Yes, I have enabled the secure mobility tunnel and disable the data tunnel encryption, as follow:
[A screenshot of a cell phone Description automatically generated]
[A screenshot of a cell phone Description automatically generated]
[A screenshot of a cell phone Description automatically generated]
Above configuration should be right, I disable the data tunnel encryption in both sides.

Scott Fella · ‎09-21-2020

I don’t see your attachment. Well it is showing DTLS, so try to enable it and see.

-Scott
*** Please rate helpful posts ***

yaoszhan · ‎09-21-2020

Hi Scott,
Actually, I configured it as guide completely, but it still not work, I got the debug information as follow:
2020/09/21 01:41:04.174 {mobilityd_R0-0}{2}: [mm-client] [30962]: (debug): MAC: 7018.a7c8.b390 Received keepalive_data, sub type: 0 of XID (0) from (ipv4: 10.124.112.178 )
2020/09/21 01:41:04.174 {mobilityd_R0-0}{2}: [mm-dtls] [30962]: (debug): Peer IP: 10.124.112.178 Port: 16667 MM_KA_DTLS_START: DTLS not supported
2020/09/21 01:41:04.174 {mobilityd_R0-0}{2}: [mm-client] [30962]: (debug): MAC: 0000.0000.0000 Sending keepalive_data of XID (0) to (ipv4: 10.124.112.178 )
2020/09/21 01:41:14.092 {mobilityd_R0-0}{2}: [mm-client] [30962]: (debug): MAC: 7018.a7c8.b390 Received keepalive_data, sub type: 0 of XID (0) from (ipv4: 10.124.112.178 )
2020/09/21 01:41:14.092 {mobilityd_R0-0}{2}: [mm-client] [30962]: (debug): MAC: 0000.0000.0000 Sending keepalive_data of XID (0) to (ipv4: 10.124.112.178 )
2020/09/21 01:41:14.092 {mobilityd_R0-0}{2}: [mm-client] [30962]: (debug): MAC: 7018.a7c8.b390 Received keepalive_data, sub type: 0 of XID (0) from (ipv4: 10.124.112.178 )
2020/09/21 01:41:14.092 {mobilityd_R0-0}{2}: [mm-dtls] [30962]: (debug): Peer IP: 10.124.112.178 Port: 16667 MM_KA_DTLS_START: DTLS not supported
2020/09/21 01:41:14.092 {mobilityd_R0-0}{2}: [mm-client] [30962]: (debug): MAC: 0000.0000.0000 Sending keepalive_data of XID (0) to (ipv4: 10.124.112.178 )
2020/09/21 01:41:14.093 {mobilityd_R0-0}{2}: [mm-client] [30962]: (debug): MAC: 7018.a7c8.b390 Received keepalive_ctrl_req, sub type: 0 of XID (74266) from (ipv4: 10.124.112.178 )
2020/09/21 01:41:14.093 {mobilityd_R0-0}{2}: [mm-dtls] [30962]: (debug): Peer IP: 10.124.112.178 Port: 16666, Local IP: 10.79.247.224 Port: 16666 MM_KA_DTLS_START: Start DTLS connection of dgram type 0
2020/09/21 01:41:14.093 {mobilityd_R0-0}{2}: [mm-dtls] [30962]: (debug): Peer IP: 10.124.112.178 Port: 16666, Local IP: 10.79.247.224 Port: 16666 DTLS_CONNECT: DTLS connection initiated
2020/09/21 01:41:14.093 {mobilityd_R0-0}{2}: [mm-client] [30962]: (debug): MAC: 0000.0000.0000 Sending keepalive_ctrl_rsp of XID (74266) to (ipv4: 10.124.112.178 )
2020/09/21 01:41:14.093 {mobilityd_R0-0}{2}: [mm-client] [30962]: (debug): MAC: 7018.a7c8.b390 Received keepalive_data, sub type: 0 of XID (0) from (ipv4: 10.124.112.178 )
2020/09/21 01:41:14.094 {mobilityd_R0-0}{2}: [ewlc-infra-evq] [30962]: (info): DTLS record type: 22, handshake
2020/09/21 01:41:14.094 {mobilityd_R0-0}{2}: [ewlc-infra-evq] [30962]: (info): DTLS record type: 22, handshake
2020/09/21 01:41:14.094 {mobilityd_R0-0}{2}: [ewlc-infra-evq] [30962]: (info): DTLS record type: 22, handshake
2020/09/21 01:41:14.095 {mobilityd_R0-0}{2}: [ewlc-infra-evq] [30962]: (info): DTLS record type: 22, handshake
2020/09/21 01:41:14.095 {mobilityd_R0-0}{2}: [ewlc-infra-evq] [30962]: (info): DTLS record type: 22, handshake
2020/09/21 01:41:14.095 {mobilityd_R0-0}{2}: [ewlc-infra-evq] [30962]: (info): DTLS record type: 22, handshake
2020/09/21 01:41:14.095 {mobilityd_R0-0}{2}: [ewlc-infra-evq] [30962]: (info): DTLS record type: 0, unknown type
2020/09/21 01:41:14.104 {mobilityd_R0-0}{2}: [ewlc-infra-evq] [30962]: (info): DTLS record type: 0, unknown type
2020/09/21 01:41:14.104 {mobilityd_R0-0}{2}: [ewlc-dtls-sessmgr] [30962]: (info): Remote Host: 10.124.112.178[16666] alert type:fatal, description:certificate unknown
2020/09/21 01:41:14.105 {mobilityd_R0-0}{2}: [mm-dtls] [30962]: (debug): Peer IP: 10.124.112.178 Port: 16666 DTLS_CLEAR_KEY: DTLS keys cleared from MNC and FMAN
2020/09/21 01:41:14.105 {mobilityd_R0-0}{2}: [mm-dtls] [30962]: (debug): Peer IP: 10.124.112.178 Port: 16666, Local IP: 10.79.247.224 Port: 16666 DTLS_CLOSE_CB: DTLS connection is closed
2020/09/21 01:41:14.105 {mobilityd_R0-0}{2}: [ewlc-dtls-sess] [30962]: (info): release client sm resource
2020/09/21 01:41:14.105 {mobilityd_R0-0}{2}: [ewlc-dtls-sess] [30962]: (note): Remote Host: 10.124.112.178[16666] DTLS session destroy : Pending messages in read queue : 0, TX queue : 0
2020/09/21 01:41:24.010 {mobilityd_R0-0}{2}: [mm-client] [30962]: (debug): MAC: 7018.a7c8.b390 Received keepalive_data, sub type: 0 of XID (0) from (ipv4: 10.124.112.178 )
2020/09/21 01:41:24.010 {mobilityd_R0-0}{2}: [mm-dtls] [30962]: (debug): Peer IP: 10.124.112.178 Port: 16667 MM_KA_DTLS_START: DTLS not supported
2020/09/21 01:41:24.010 {mobilityd_R0-0}{2}: [mm-client] [30962]: (debug): MAC: 0000.0000.0000 Sending keepalive_data of XID (0) to (ipv4: 10.124.112.178 )
2020/09/21 01:41:33.928 {mobilityd_R0-0}{2}: [mm-client] [30962]: (debug): MAC: 7018.a7c8.b390 Received keepalive_data, sub type: 0 of XID (0) from (ipv4: 10.124.112.178 )
2020/09/21 01:41:33.928 {mobilityd_R0-0}{2}: [mm-dtls] [30962]: (debug): Peer IP: 10.124.112.178 Port: 16667 MM_KA_DTLS_START: DTLS not supported
2020/09/21 01:41:33.928 {mobilityd_R0-0}{2}: [mm-client] [30962]: (debug): MAC: 0000.0000.0000 Sending keepalive_data of XID (0) to (ipv4: 10.124.112.178 )
2020/09/21 01:41:43.846 {mobilityd_R0-0}{2}: [mm-client] [30962]: (debug): MAC: 7018.a7c8.b390 Received keepalive_data, sub type: 0 of XID (0) from (ipv4: 10.124.112.178 )
2020/09/21 01:41:43.847 {mobilityd_R0-0}{2}: [mm-client] [30962]: (debug): MAC: 0000.0000.0000 Sending keepalive_data of XID (0) to (ipv4: 10.124.112.178 )
2020/09/21 01:41:43.847 {mobilityd_R0-0}{2}: [mm-client] [30962]: (debug): MAC: 7018.a7c8.b390 Received keepalive_data, sub type: 0 of XID (0) from (ipv4: 10.124.112.178 )
2020/09/21 01:41:43.847 {mobilityd_R0-0}{2}: [mm-dtls] [30962]: (debug): Peer IP: 10.124.112.178 Port: 16667 MM_KA_DTLS_START: DTLS not supported
2020/09/21 01:41:43.847 {mobilityd_R0-0}{2}: [mm-client] [30962]: (debug): MAC: 0000.0000.0000 Sending keepalive_data of XID (0) to (ipv4: 10.124.112.178 )
2020/09/21 01:41:43.847 {mobilityd_R0-0}{2}: [mm-client] [30962]: (debug): MAC: 7018.a7c8.b390 Received keepalive_ctrl_req, sub type: 0 of XID (74267) from (ipv4: 10.124.112.178 )
2020/09/21 01:41:43.847 {mobilityd_R0-0}{2}: [mm-dtls] [30962]: (debug): Peer IP: 10.124.112.178 Port: 16666, Local IP: 10.79.247.224 Port: 16666 MM_KA_DTLS_START: Start DTLS connection of dgram type 0
2020/09/21 01:41:43.847 {mobilityd_R0-0}{2}: [mm-dtls] [30962]: (debug): Peer IP: 10.124.112.178 Port: 16666, Local IP: 10.79.247.224 Port: 16666 DTLS_CONNECT: DTLS connection initiated
2020/09/21 01:41:43.847 {mobilityd_R0-0}{2}: [mm-client] [30962]: (debug): MAC: 0000.0000.0000 Sending keepalive_ctrl_rsp of XID (74267) to (ipv4: 10.124.112.178 )
2020/09/21 01:41:43.848 {mobilityd_R0-0}{2}: [mm-client] [30962]: (debug): MAC: 7018.a7c8.b390 Received keepalive_data, sub type: 0 of XID (0) from (ipv4: 10.124.112.178 )
2020/09/21 01:41:43.848 {mobilityd_R0-0}{2}: [ewlc-infra-evq] [30962]: (info): DTLS record type: 22, handshake
2020/09/21 01:41:43.849 {mobilityd_R0-0}{2}: [ewlc-infra-evq] [30962]: (info): DTLS record type: 22, handshake
2020/09/21 01:41:43.849 {mobilityd_R0-0}{2}: [ewlc-infra-evq] [30962]: (info): DTLS record type: 22, handshake
2020/09/21 01:41:43.849 {mobilityd_R0-0}{2}: [ewlc-infra-evq] [30962]: (info): DTLS record type: 22, handshake
2020/09/21 01:41:43.849 {mobilityd_R0-0}{2}: [ewlc-infra-evq] [30962]: (info): DTLS record type: 22, handshake

asc · ‎10-01-2020

Did you figure this out? I'm having the same issue.

yaoszhan · ‎10-08-2020

Hi Asc,
I have not figured out it yet. It is very weird.

LC.IT · ‎04-25-2023

Hey @yaoszhan how did you fix the issue?