09-12-2012 11:06 PM - edited 07-03-2021 10:39 PM
Hello,
I just installed the new Cisco virtual Wireless Controller, and I tried to join a LAP 1042 to it, but I receive this error:
Sep 13 04:58:43.000: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
Sep 13 04:58:43.000: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
Sep 13 04:58:53.008: %CAPWAP-3-ERRORLOG: Go join a capwap controller
Sep 13 03:59:51.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.41.253 peer_port: 5246
Sep 13 03:59:51.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
Sep 13 03:59:51.014: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
Sep 13 03:59:51.015: %CAPWAP-3-ERRORLOG: Certificate verification failed!
Sep 13 03:59:51.015: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:333 Certificate verified failed!
Sep 13 03:59:51.015: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 172.16.41.253
Sep 13 03:59:51.015: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 172.16.41.253:5246
Sep 13 03:59:51.016: %DTLS-3-BAD_RECORD: Erroneous record received from 172.16.41.253: Malformed Certificate
Sep 13 03:59:51.016: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.41.253:5246
I have already verified the time config on the WLC. I have tried 2 LAPs but have the same issue.
Cisco IOS Software, C1040 Software (C1140-RCVK9W8-M), Version 12.4(23c)JA, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 01-Jun-10 12:53 by prod_rel_team
ROM: Bootstrap program is C1040 boot loader
BOOTLDR: C1040 Boot Loader (C1140-BOOT-M) Version 12.4(23c)JA3, RELEASE SOFTWARE (fc1)
AP5057.a87b.44e4 uptime is 8 minutes
System returned to ROM by reload
System restarted at 03:54:24 UTC Thu Sep 13 2012
System image file is "flash:/c1140-rcvk9w8-mx/c1140-rcvk9w8-mx"
Last reload reason:
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
cisco AIR-LAP1042N-E-K9 (PowerPC405ex) processor (revision B0) with 98294K/32768K bytes of memory.
Processor board ID FCZ1614W572
PowerPC405ex CPU at 333Mhz, revision number 0x147E
Last reset from reload
LWAPP image version 7.0.94.21
1 Gigabit Ethernet interface
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 50:57:A8:7B:44:E4
Part Number : 73-14034-04
PCA Assembly Number : 800-34273-05
PCA Revision Number : A0
PCB Serial Number : FOC16091WYH
Top Assembly Part Number : 800-34285-03
Top Assembly Serial Number : FCZ1614W572
Top Revision Number : A0
Product/Model Number : AIR-LAP1042N-E-K9
Configuration register is 0xF
09-13-2012 02:25 AM
Hi there. One requirement for an AP joining a vWLC for the first time is to first prime the AP on an appliance-based WLC running version 7.3.x, like a 2500 or 5500 series WLC, etc.
Have you done this?
09-13-2012 07:38 AM
Hello David,
I seem to have a similar issue here with a 1250
can see Join Req from AP,
see join reply from my vWLC
then syslog from the AP
31: AP:5475.xxxx.yyyy: *Sep 13 14:13:20.000: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
32: AP:5475.xxxx.yyyy: *Sep 13 14:13:20.000: %LWAPP-3-CLIENTERRORLOG: Join Reply: certificate is not valid
33: AP:5475.xxxx.yyyy: *Sep 13 14:13:20.000: %LWAPP-3-CLIENTERRORLOG: Join Reply: message decoding failed (controller- vWLC)
Is there any other way to join the AP if no physical controller is available?
Could using LSCs be a way?
Frank
09-13-2012 07:40 AM
You need to have the AP join a WLC running 7.3 first then you can have it join the vWLC. No way around that right now.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
11-23-2015 07:47 PM
I know this thread is very old but I just came across it while troubleshooting the same issue.
I had a 3502e stuck in the same situation.
I upgraded it manually to the latest code version from CCO (153-3.JBB6, via image recovery); afterwards the AP joined the vWLC with no issues. It downloaded the image ap3g1-k9w8-xx.153-3.JA4 automatically, therefore I would say if you use this image or later you should be good to join a vWLC.
For reference, I'm running 8.0.120.0 on my vWLC.
09-13-2012 08:35 AM
OK. Solved myself
Frank
09-13-2012 02:14 PM
I don't have the rights in my CCO account to download the latest lwap. I have asked for it.
No, I have not joined the AP to a standard controller first. It's a bad thing if Cisco has chosen this path. Frank, did you first register it to a WLC, or just load the latest lwap and register to the vWLC?
09-13-2012 11:30 PM
The 1250 had already joined a legacy controller 4.2 before, and it was running LWAPP Software 4.2 just before my tests with the vWLC.
The AP is one of our test boxes ... it is unlikely that it joined a 7.3 controller.
I did not have one accessible...
As far as I know there are only 2 ways to get 7.3 software on it:
Either the AP downloads it from the controller, or you download it from the CCO and TFTP it to the AP manually, as I did ...
If your AP is on a service contract you should ask your service partner to provide you the image needed. If not... well...
maybe you could investigate whether it is possible to extract it from the WLC somehow...
09-24-2012 02:28 PM
Hey Frank,
On the CCO what did you download?
I have an issue whereby I can’t get a physical controller running 7.3 therefore my only option is to manually put the 7.3 code on there myself, if possible.
On my test 1200 series (currently running c1200-rcvk9w8-mx.124-21a.JA2) I don’t see the option to TFTP files onto it?
I can get my hands on a 1250 therefore I’m intrigued :)
Cheers, Dan.
09-25-2012 12:41 AM
Hello,
I use a more recent 1252AG.
Software I downloaded from the CCO:
Cisco Aironet 1250 Series Access Point
Lightweight AP IOS Software
15.2.2-JA
c1250-rcvk9w8-tar.152-2.JA.tar
Check the Release notes
http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn73.html#wp976967
Your old 1231 is not supported any longer with 7.3. Last WLC that did support it was 7.0
TFTP procedure can be found in the manuals or here https://supportforums.cisco.com/thread/329982
09-13-2012 02:48 PM
Per the doc
http://www.cisco.com/en/US/products/ps12723/products_tech_note09186a0080bd2d04.shtml#aps
Sent from Cisco Technical Support iPhone App
09-24-2012 03:02 PM
The 1200 isn't supported on the 7.3. You can look for the AP firmware code in the download section but you will need to have a valid contract in order to download the image. Take a look first to see if the 7.3 recovery image is available or not.
Sent from Cisco Technical Support iPhone App
09-24-2012 03:18 PM
Hi Scott,
Thank you for the rapid response.
It’s a 1231G to be more precise, which I believe is supported.
I have pretty much full access with my CCO and “WIRELESS LAN LWAPP RECOVERY c1200-rcvk9w8-tar.124-21a.JA2.tar” is the latest image I can get.
I think I may be a little confused here:
How can I force a download of the 7.3 code to my AP?
Cheers, Dan.
09-24-2012 03:23 PM
You either need to have the ap join a WLC that is running 7.3 or you see if there is a recovery image for 7.3... The date for the code should be August or newer as was posted earlier. If there isn't a new code then you need to buy an AP that has a recovery code that is new.
Sent from Cisco Technical Support iPhone App
10-03-2012 09:18 AM
It seems we have the same problem on vWLC. However, my problem is on an Aironet 3602e. I have two sets of vWLC and two types of AP. In the first set of my lab equipment, the Aironet 1142N does not have this problem. However, I found this problem in the second set when I did a PoC of vWLC with an Aironet 3602e at a customer site. The message below is the problem I got:
period starts on 13:46:25 UTC Oct 3 2012Peer certificate verification failed 001A
*Oct 3 11:10:49.071: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Oct 3 11:10:49.071: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:447 Certificate verified failed!
*Oct 3 11:10:49.071: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 172.16.24.201:5246
*Oct 3 11:10:49.071: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.24.201:5246
*Oct 3 11:10:49.071: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
*Oct 3 11:10:49.071: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Oct 3 11:10:49.071: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:447 Certificate verified failed!
*Oct 3 11:10:49.071: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 172.16.24.201:5246
*Oct 3 11:10:49.071: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.24.201:5246
*Oct 3 11:10:49.071: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
I am not sure whether I should enable AP provisioning (in Security -> Certificate -> LSC -> AP Provisioning) and input the MAC of the AP, like for the Aironet 1500 series, or not.
P.S. Both the Aironet 3602e and the Aironet 1142N had already joined a Cisco 2504 WLC with software version 7.3 before they were used for testing in this lab. In addition, I also tried to format the flash in rommon mode and extract the latest firmware (ap3g2-rcvk9w8-tar.152-2.JA.tar) to the AP, but this problem still exists.
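An added example, not part of any post in this thread: a small Python triage script for the AP console messages quoted above. It parses the `%FACILITY-SEVERITY-MNEMONIC` lines and counts, per controller IP, the DTLS connection requests sent and the bad-certificate alerts raised. The function names are illustrative, and the sample lines are copied from the posts.

```python
import re
from collections import defaultdict

# Sample lines copied from the AP console output posted in this thread.
SAMPLE_LOG = """\
Sep 13 03:59:51.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.41.253 peer_port: 5246
Sep 13 03:59:51.014: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
Sep 13 03:59:51.015: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:333 Certificate verified failed!
Sep 13 03:59:51.015: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 172.16.41.253
Sep 13 03:59:51.015: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 172.16.41.253:5246
*Oct 3 11:10:49.071: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Oct 3 11:10:49.071: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 172.16.24.201:5246
*Oct 3 11:10:49.071: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.24.201:5246
"""

# "[*]Mon DD HH:MM:SS.mmm: %FACILITY-SEVERITY-MNEMONIC: message"
LINE_RE = re.compile(
    r"^\*?\w{3}\s+\d+\s+[\d:.]+:\s+"
    r"%(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+):\s*(?P<msg>.*)$"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_line(line):
    """Return (facility, severity, mnemonic, message, peer_ip) or None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # e.g. DTLS_CLIENT_ERROR lines carry no %FAC-SEV-MNEMONIC tag
    ip = IP_RE.search(m["msg"])
    return (m["facility"], int(m["severity"]), m["mnemonic"], m["msg"],
            ip.group(1) if ip else None)


def summarize_cert_failures(text):
    """Count, per controller IP, DTLS requests sent and bad-certificate alerts."""
    stats = defaultdict(lambda: {"dtls_requests": 0, "bad_cert_alerts": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[4] is None:
            continue  # untagged line, or a message that names no peer
        _, _, mnemonic, msg, peer = rec
        if mnemonic == "DTLSREQSEND":
            stats[peer]["dtls_requests"] += 1
        elif mnemonic == "SEND_ALERT" and "Bad certificate" in msg:
            stats[peer]["bad_cert_alerts"] += 1
    return dict(stats)


if __name__ == "__main__":
    for peer, counts in summarize_cert_failures(SAMPLE_LOG).items():
        print(peer, counts)
```

A controller IP whose `bad_cert_alerts` keeps pace with `dtls_requests` is one the AP refuses at certificate validation on every attempt, which is the pattern each poster in this thread reported.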