Certificate unknown alert

David Ritter
Enthusiast

I have four AIR-CAP3502i-A-K9s that received Fatal reports from WLC 8.5.164.0. I have seven others still associating.

 

*Mar 26 14:01:47.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: x.x.x.x peer_port: 5246
*Mar 26 14:01:47.210: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from x.x.x.x
*Mar 26 14:01:47.210: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to x.x.x.x:5246

How do I regen or create a new Cert?
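
The three console lines above are the only evidence the AP gives, so it helps to read them precisely. The following Python parser is an added example, not code from this thread or from Cisco: it takes console lines of the shape quoted in the post, maps the alert text to its TLS/DTLS AlertDescription value (RFC 5246, section 7.2), and reports per controller address which side sent the fatal alert. That direction is the security-relevant point: a TLS alert is emitted by the party whose check failed, so "Received FATAL : Certificate unknown alert from <WLC>" means the WLC rejected the certificate the AP presented. The sample log is constructed with TEST-NET addresses; the first peer reproduces the post's lines, and the second peer, with a "Bad certificate" alert sent by the AP, is assumed only to show the opposite direction.

```python
"""Classify CAPWAP/DTLS join failures from AP console log lines.

Added example, not code from the thread or from Cisco. Input lines follow
the shape quoted in the post; the sample below is constructed, uses
TEST-NET addresses, and its second peer (a 'Bad certificate' alert sent by
the AP) is assumed for illustration only.
"""
import re
from collections import defaultdict

# TLS/DTLS AlertDescription values (RFC 5246, section 7.2), keyed by the
# lowercase, underscored form of the text IOS prints in %DTLS-5-ALERT.
ALERT_CODES = {
    "close_notify": 0,
    "handshake_failure": 40,
    "bad_certificate": 42,
    "unsupported_certificate": 43,
    "certificate_revoked": 44,
    "certificate_expired": 45,
    "certificate_unknown": 46,
    "unknown_ca": 48,
    "decrypt_error": 51,
    "internal_error": 80,
}
CERT_ALERTS = {42, 43, 44, 45, 46, 48}  # alerts that blame a certificate

LINE_RE = re.compile(
    r"^\*(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%(?P<fac>[A-Z]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<msg>.*)$"
)
REQ_RE = re.compile(r"peer_ip: (?P<ip>\S+) peer_port: (?P<port>\d+)")
RECV_RE = re.compile(
    r"Received (?P<level>FATAL|WARNING) : (?P<alert>.+?) alert from (?P<ip>\S+)", re.I
)
SEND_RE = re.compile(
    r"Send (?P<level>FATAL|WARNING) : (?P<alert>.+?) Alert to (?P<ip>[^:\s]+)", re.I
)

# Constructed sample: the first peer reproduces the post's three lines.
SAMPLE_LOG = """\
*Mar 26 14:01:47.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.0.2.10 peer_port: 5246
*Mar 26 14:01:47.210: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 192.0.2.10
*Mar 26 14:01:47.210: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.0.2.10:5246
*Mar 26 14:03:02.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.0.2.11 peer_port: 5246
*Mar 26 14:03:02.340: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.0.2.11:5246
"""


def alert_code(name):
    """Map the alert text IOS prints to its RFC 5246 code (None if unknown)."""
    return ALERT_CODES.get(name.strip().lower().replace(" ", "_"))


def parse_line(line):
    """Return a dict for one console line, or None if it is not syslog-shaped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["kind"] = "other"
    msg = rec["msg"]
    if rec["mnem"] == "DTLSREQSEND" and (r := REQ_RE.search(msg)):
        rec.update(kind="request", ip=r["ip"], port=int(r["port"]))
    elif rec["mnem"] == "ALERT" and (r := RECV_RE.search(msg)):
        rec.update(kind="recv_alert", ip=r["ip"], level=r["level"].upper(),
                   alert=r["alert"], code=alert_code(r["alert"]))
    elif rec["mnem"] == "SEND_ALERT" and (r := SEND_RE.search(msg)):
        rec.update(kind="send_alert", ip=r["ip"], level=r["level"].upper(),
                   alert=r["alert"], code=alert_code(r["alert"]))
    return rec


def analyze(log_text):
    """Group DTLS events per controller address and say who rejected whom."""
    peers = defaultdict(lambda: {"requests": 0, "received": [], "sent": [],
                                 "verdict": "no alert seen"})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["kind"] == "other":
            continue
        p = peers[rec["ip"]]
        if rec["kind"] == "request":
            p["requests"] += 1
        elif rec["kind"] == "recv_alert":
            p["received"].append((rec["level"], rec["code"]))
        else:
            p["sent"].append((rec["level"], rec["code"]))
    for p in peers.values():
        # A TLS alert is emitted by the side whose check failed. A FATAL
        # certificate alert *received* from the WLC therefore means the WLC
        # rejected the certificate this AP presented (its MIC), which is why
        # the workaround in this thread is applied on the controller.
        if any(lvl == "FATAL" and c in CERT_ALERTS for lvl, c in p["received"]):
            p["verdict"] = "peer rejected this AP's certificate"
        elif any(lvl == "FATAL" and c in CERT_ALERTS for lvl, c in p["sent"]):
            p["verdict"] = "this AP rejected the peer's certificate"
        elif any(lvl == "FATAL" for lvl, _ in p["received"] + p["sent"]):
            p["verdict"] = "handshake failed for a non-certificate reason"
    return dict(peers)


if __name__ == "__main__":
    for ip, p in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {p['requests']} request(s), recv={p['received']}, "
              f"sent={p['sent']} -> {p['verdict']}")
```

Run it on a saved console capture (for example `analyze(open("ap-console.log").read())`) to get one verdict per controller address. The Close notify the AP sends afterwards is just the AP tearing the session down; the first fatal alert, and who sent it, is the one to act on.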

Accepted Solution

superego
Beginner

ON WLC CLI> config ap cert-expiry-ignore mic enable


12 Replies

marce1000
VIP Mentor

 

       - On the AP check the certificate with : AP# show crypto pki certificates

 M.



-- ' A nun once asked a penguin 'do you think the earth is flat ? ; the penguin replied :
Madam, it all depends in Riemann geometries the earth can be perfectly flat! The nun thanked him , he tripped and fell forward : the poor animal had forgotten that he might be living in a Riemann geometry too!

Unfortunately there is no show crypto command, but I can view them all in show tech.

There is:

crypto pki certificate chain cisco-m2-root-cert
certificate ca 01...

crypto pki certificate chain Cisco_IOS_M2_MIC_cert
certificate ca 02...

crypto pki certificate chain airespace-old-root-cert
certificate ca 00...

crypto pki certificate chain airespace-new-root-cert
certificate ca 00..

crypto pki certificate chain airespace-device-root-cert
certificate ca 03...

crypto pki certificate chain cisco-root-cert
certificate ca 5FF87B282B54DC8D42A315B568C9ADFF..

crypto pki certificate chain Cisco_IOS_MIC_cert
certificate 15B7774C000000055EC7...

certificate ca 6A6967B3000000000003

End of list.

> crypto pki certificate chain cisco-m2-root-cert
> certificate ca 01...

  - Check if any expiration dates are mentioned too.

 M.




Have you read https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html and followed the instructions carefully?

 

If you forgot to apply the config to allow APs or the WLC (you didn't mention the WLC model, but they can also be affected) with an expired cert, then you'll have to turn off NTP, set the time back to before the cert(s) expired, apply the config workaround on the WLC, allow all APs to rejoin and get the update, then turn NTP on again.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
Field Notice: FN-72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Recommended
WARNING - see CSCwd37092 Throughput degraded after upgrading to code 8.10.181.0/17.3.6 - 2800/3800/4800 series
- The fix for CSCwd37092 is now released in 8.10.183.0 and
- For IOS-XE 17.3.6 select controller model, go to IOS XE Software AP Service Pack, select CSCwd40096 17.3.6 APSP2
Field Notice: FN-63942 Lightweight APs and WLCs Fail to Create CAPWAP Connections Due to Certificate
      Expiration - Software Upgrade Recommended
Field Notice: FN-72524 - During Software Upgrade/Downgrade IOS APs Might Remain in Downloading State
     After 4 Dec 2022 Due to Certificate Expiration - Fixed in 8.10.183.0 and 17.3.6 APSP5 (APSP_CSCwd83653)
     Also fixed in 8.5.182.7 (8.5 mainline) and 8.5.182.105 (8.5 IRCM) if you can't upgrade to 8.10
     TAC confirmed that subordinate Mobility Express APs downloading by TFTP are not affected so ME 8.5.182.0 still works
     Note that 8.10.181.0 and 8.10.182.0 have been deferred (withdrawn) and are effectively unsupported by Cisco
Leo Laohoo's list of bugs affecting 2800/3800/4800/1560 APs
___________________________________________
Richard R

I have NOW! I feel a migraine headache coming on.

We had the same problem.

You can check the certificates on the CLI, but you have to use the debug command first.

 

debug capwap console cli
show crypto pki certificates

MHM Cisco World
VIP Mentor

Certificate expired for some APs.

superego
Beginner

ON WLC CLI> config ap cert-expiry-ignore mic enable

That solved the four 3502s attached to the 5508 on 8.5.164.0 reporting the cert unknown.

Not the 1810w reporting: Discovery response from MWAR ''running version 0.0.0.0 is rejected

Or the three 1852s attached to the 5520, also reporting: Discovery response from MWAR ''running version 0.0.0.0 is rejected

 

I have not yet been through all the previous replies.

 

Thank you. The 3502s comprised an entire site, so it's good they are alive again.

I never upgraded to 8.5.164 as I see the warning "This Image/Release is used ONLY for C9800 IRCM Compatibility."

 

Can you try upgrading to 8.5.171?

Understood. However, I have a 9800-40 sitting in the wings waiting to take command once it gets VLAN interfaces to support the entire campus. I'm combining two sites into one and need more elbow room.

Note that there is a new IRCM release, 8.5.176.0, which Cisco said on a webinar last week resolves a number of bugs in 8.5.164.0 and should also have all the fixes which went into 8.5.171.0, so I suggest you upgrade to that for a start:

https://software.cisco.com/download/home/286284738/type/280926587/release/8.5IRCM

https://software.cisco.com/download/home/282600534/type/280926587/release/8.5IRCM

They said the TAC recommended releases https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html#anc9 should get updated with that info soon (not yet I see).

 

If you still have the problem with the other APs, then try factory defaulting them (that often fixes this type of problem), and if that doesn't help you'll need to get full console logs from at least one of them and ideally packet captures of the CAPWAP discovery/join at the same time.

 
