cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
28648
Views
24
Helpful
12
Replies

Certificate unknown alert

David Ritter
Level 4
Level 4

I have 4 AIR-CAP3502i-A-K9's that received Fatal reports from WLC 8.5.164.0.  I have 7 others still associating.

 

*Mar 26 14:01:47.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: x.x.x.x peer_port: 5246
*Mar 26 14:01:47.210: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from x.x.x.x
*Mar 26 14:01:47.210: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to x.x.x.x:5246

How do I regen or create a new Cert?

1 Accepted Solution

Accepted Solutions

superego
Level 1
Level 1

ON WLC CLI> config ap cert-expiry-ignore mic enable

View solution in original post

12 Replies 12

marce1000
VIP
VIP

 

       - On the AP check the certificate with : AP# show crypto pki certificates

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

unfortunately there is no Show Crypto cmd but I can view them all in show tech..  

there is:

crypto pki certificate chain cisco-m2-root-cert
certificate ca 01...

crypto pki certificate chain Cisco_IOS_M2_MIC_cert
certificate ca 02...

crypto pki certificate chain airespace-old-root-cert
certificate ca 00...

crypto pki certificate chain airespace-new-root-cert
certificate ca 00..

crypto pki certificate chain airespace-device-root-cert
certificate ca 03...

crypto pki certificate chain cisco-root-cert
certificate ca 5FF87B282B54DC8D42A315B568C9ADFF..

crypto pki certificate chain Cisco_IOS_MIC_cert
certificate 15B7774C000000055EC7...

certificate ca 6A6967B3000000000003

end list..

 

 

 

 

                          >crypto pki certificate chain cisco-m2-root-cert
                                               certificate ca 01...

  - Check if any expiration dates are mentioned too.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Have you read https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html and followed the instructions carefully?

 

If you forgot to apply the config to allow APs or WLC (you didn't mention WLC model but they can also be affected) with expired cert then you'll have to turn off NTP, set the time back to before cert(s) expired, apply the config workaround on WLC, allow all APs to rejoin and get the update, then put NTP on again.

I have NOW! I feel a migraine headache coming on.

We had the same Problem

But you can check the certificates on the cli, but you have to use the debug command first.

 

debug capwap console cli
show crypto pki certificates

Certificate expired for some ap

superego
Level 1
Level 1

ON WLC CLI> config ap cert-expiry-ignore mic enable

that solved the 4 3502's attached to the 5508 on 8.5.164.0 . reporting the cert unknown.

not the 1810w reporting Discovery response from MWAR ''running version 0.0.0.0 is rejected

or the 3 1852s attached to the 5520 also reporting: Discovery response from MWAR ''running version 0.0.0.0 is rejected

 

I have not yet been thru all the previous replies..

 

thank you the 3502's comprised an entire site..  so good they are alive again.

I never upgraded to 8.5.164 as I see the warning "This Image/Release is used ONLY for C9800 IRCM Compatibility."

 

Can you try upgrading to 8.5.171?

understood.  however, I have a 9800-40 sitting in the wings waiting to take command once it gets vlan interfaces to support the entire campus.  I'm combining two sites into one and need more elbow room.