01-10-2021 06:07 AM - edited 07-05-2021 12:59 PM
I have this old AIR-AP1252G-A-K9 (which I downgraded from autonomous to light using the c1250-rcvk9w8-tar.124-21a.JA image) connected to a vWLC AIR-CTVM-K9-8-0-152-0 running the trial license. They used to bind till yesterday when I cleared the vWLC config using "Recover-Config". Upon reconfiguring the vWLC they can't bind anymore due to expired certificates. I have already entered the commands:
config ap cert-expiry-ignore mic enable
config ap cert-expiry-ignore mic enable
but to no avail. I've already done the same steps rolling back the clock on both devices, on 1 device and not the other, using NTP, but I keep getting the following errors:
*Jan 10 09:31:45.999: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Jan 10 09:31:45.999: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Jan 10 09:31:56.007: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jan 10 09:31:56.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.251 peer_port: 5246
*Jan 10 09:31:56.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Jan 10 09:31:56.015: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Jan 10 09:31:56.015: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Jan 10 09:31:56.015: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:326 Certificate verified failed!
*Jan 10 09:31:56.015: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.1.251
*Jan 10 09:31:56.015: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.1.251:5246
*Jan 10 09:31:56.015: %DTLS-3-BAD_RECORD: Erroneous record received from 192.168.1.251: Malformed Certificate
*Jan 10 09:31:56.015: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 192.168.1.251:5246
Any ideas on what to do next?
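A small triage script for the AP console output quoted in the question above, added here as an example and not part of the original thread: it groups the DTLS events under each join attempt and reports the attempts in which the device writing the log sent the fatal "Bad certificate" alert. The function names are hypothetical, and the sample input is a subset of the log lines from the post.

```python
import re

# AP console lines copied from the post above (duplicates and untagged lines omitted).
SAMPLE_LOG = """\
*Jan 10 09:31:45.999: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Jan 10 09:31:56.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.251 peer_port: 5246
*Jan 10 09:31:56.015: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Jan 10 09:31:56.015: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.1.251
*Jan 10 09:31:56.015: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.1.251:5246
*Jan 10 09:31:56.015: %DTLS-3-BAD_RECORD: Erroneous record received from 192.168.1.251: Malformed Certificate
*Jan 10 09:31:56.015: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 192.168.1.251:5246
"""

LINE_RE = re.compile(
    r"^\*(?P<ts>\w{3} +\d+ [\d:.]+): "
    r"%(?P<fac>[A-Z]+)-(?P<sev>\d)-(?P<mnem>\w+): (?P<msg>.*)$")
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

def triage(log_text):
    """Return one dict per DTLS join attempt: peer, start time, failure evidence."""
    attempts, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # line without a %FAC-SEV-MNEM tag
        mnem, msg = m["mnem"], m["msg"]
        if mnem == "DTLSREQSEND":  # a new join attempt starts here
            ip = IP_RE.search(msg)
            current = {"peer": ip.group(1) if ip else None, "start": m["ts"],
                       "evidence": [], "rejected_by": None}
            attempts.append(current)
        elif current is None:
            continue  # event seen before any connection request
        elif mnem in ("BAD_CERT", "BAD_RECORD"):
            current["evidence"].append(f"{mnem}: {msg}")
        elif mnem == "SEND_ALERT" and "FATAL" in msg and "Bad certificate" in msg:
            # The device that wrote this log sent the alert, so it is the side
            # that rejected the certificate presented by the peer.
            current["rejected_by"] = "local"
            current["evidence"].append(f"{mnem}: {msg}")
    return attempts

def cert_failures(log_text):
    """Attempts where the logging device rejected the peer's certificate."""
    return [a for a in triage(log_text) if a["rejected_by"] == "local"]

if __name__ == "__main__":
    for a in cert_failures(SAMPLE_LOG):
        print(a["start"], a["peer"], *a["evidence"], sep="\n  ")
```
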
01-10-2021 10:29 AM
- Check if the 1st reply of this thread is applicable to your case:
https://community.cisco.com/t5/wireless/certificate-issue-joining-ap-to-vwlc/td-p/2036617
M.
01-12-2021 07:00 AM
Thank you very much for your reply.
I had actually read that post before but that means getting my hands on a vWLC 7.3 OVA and Cisco's website has them as deferred. So, no luck there....
I ended up using another reply from that same post and it was to reinstall the original autonomous image via the emergency recovery method. That too took some tweaking because when I renamed the file to "default" in Windows, it showed up as c1250-k9w7-tar.default.tar in the TFTP filesystem, so the AP didn't recognize the image until I edited the name in Linux.