06-13-2023 12:57 PM
I have a Cisco 2602i that will not join a Cisco 5508 WLC.
When I watch the AP start up from console I see these messages:
*Jun 13 16:55:09.999: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jun 13 16:54:05.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.0.65 peer_port: 5246
*Jun 13 16:54:05.007: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 567A9C8300000000EBB9) has expired. Validity period ended on 14:43:58 UTC Jun 21 2022Peer certificate verification failed 001A
*Jun 13 16:54:05.007: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Jun 13 16:54:05.007: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:467 Certificate verified failed!
*Jun 13 16:54:05.007: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.10.0.65:5246
*Jun 13 16:54:05.007: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.0.65:5246
On the controller we see:
*spamApTask7: Jun 13 14:50:26.832: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:955 Failed to complete DTLS handshake with peer 10.10.0.97
10.10.0.65 is the controller and 10.10.0.97 is AP.
We have applied the config to allow APs with expired certs:
config ap cert-expiry-ignore ssc enable
config ap cert-expiry-ignore mic enable
And we do have APs with expired certs that are joining the controller without issue.
I don't understand why the 2602 is not joining the controller.
Any help would be appreciated.
07-05-2023 01:42 PM
Setting the time did not resolve the issue of the 2602 not being able to join. However, converting the AP from lightweight to autonomous, and then back again to lightweight, did resolve the issue, and it joined the controller without a problem after that.
06-13-2023 01:00 PM
I should mention that this is the only AP that is not joining the controller. We have a mix of 1140s, 2600s, and 2700s, and all are joined except this problem 2602i.
Software version on the controller is 8.3.150.0.
06-13-2023 02:29 PM
You can try a factory reset of that AP (hold down the reset button for 20-30s while powering on the AP). Once it boots you can point it to the WLC using "capwap ap primary-base <WLC_NAME> <WLC_MGT_IP>".
Even though you are not hitting below issue, please note that if you upgrade your 5508 you will come across this issue.
https://www.cisco.com/c/en/us/support/docs/field-notices/725/fn72524.html
HTH
Rasika
*** Pls rate all useful responses ***
06-13-2023 04:42 PM
Turn off NTP and set the year of the WLC to 2022.
06-15-2023 06:09 AM
Exactly as @Leo Laohoo said - you need to change the date to before the cert expired.
Then the AP can join the WLC and only then will it pick up the cert-expiry-ignore config from the WLC.
After that you can re-enable NTP on the WLC and the AP will keep working. If you factory default the config as Rasika suggested then it will lose that config and you'd need to follow the same process again.
These steps are detailed in FN-63942 below.
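The replies above hinge on reading two things out of the AP console: which certificate the AP rejected and when its validity ended, and whether the AP's own clock at the time of the join attempt was past that point. The following is an added example (not code from the thread or from Cisco) that parses the console lines quoted in the question and reports a clock value that sits before the expiry, which is the diagnostic the "set the year to 2022" advice relies on. It assumes the console timestamps are UTC and that the caller supplies the year (IOS console lines omit it); the one-day margin before expiry is an arbitrary choice. Note that for the original poster the clock change alone did not work and a mode conversion was needed, so treat the output as a diagnosis, not a guaranteed fix.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the AP console lines quoted in the question above,
# reproduced as they appear on the page (including the joined "2022Peer").
AP_CONSOLE = """\
*Jun 13 16:54:05.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.0.65 peer_port: 5246
*Jun 13 16:54:05.007: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 567A9C8300000000EBB9) has expired. Validity period ended on 14:43:58 UTC Jun 21 2022Peer certificate verification failed 001A
*Jun 13 16:54:05.007: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Jun 13 16:54:05.007: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.10.0.65:5246
"""

# IOS console timestamps carry no year; the caller supplies it (assumption: UTC).
TS_RE = re.compile(r"^\*(?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2})\.\d+:")
EXPIRED_RE = re.compile(
    r"%PKI-3-CERTIFICATE_INVALID_EXPIRED:.*?\(SN: (?P<sn>[0-9A-Fa-f]+)\).*?"
    r"Validity period ended on (?P<expiry>\d{2}:\d{2}:\d{2} UTC \w{3} \d{1,2} \d{4})"
)
DTLS_REQ_RE = re.compile(
    r"DTLS connection request sent peer_ip: (?P<ip>[\d.]+) peer_port: (?P<port>\d+)"
)


def parse_ap_timestamp(line, year):
    """Parse the leading '*Mon DD HH:MM:SS.mmm:' of a console line as a UTC datetime."""
    m = TS_RE.match(line)
    if not m:
        return None
    stamp = f"{m['mon']} {m['day']} {m['time']} {year}"
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def dtls_peers(console_text):
    """Controllers the AP tried to reach over CAPWAP-DTLS, as (ip, port) tuples."""
    return [(m["ip"], int(m["port"])) for m in DTLS_REQ_RE.finditer(console_text)]


def expired_certs(console_text):
    """(serial, expiry as UTC datetime) for every expired-certificate message."""
    found = []
    for m in EXPIRED_RE.finditer(console_text):
        expiry = datetime.strptime(m["expiry"], "%H:%M:%S UTC %b %d %Y")
        found.append((m["sn"].upper(), expiry.replace(tzinfo=timezone.utc)))
    return found


def clock_for_join(expiry, margin=timedelta(days=1)):
    """A clock value that sits before the expiry, so chain validation would pass."""
    return expiry - margin


def diagnose(console_text, year):
    """Explain the join failure from the console text and suggest a pre-expiry clock."""
    certs = expired_certs(console_text)
    attempted_at = next(
        (parse_ap_timestamp(l, year) for l in console_text.splitlines() if "DTLSREQSEND" in l),
        None,
    )
    # The failure is explained by expiry only if the attempt happened after expiry.
    explains = (
        attempted_at is not None
        and bool(certs)
        and all(attempted_at > expiry for _, expiry in certs)
    )
    return {
        "peers": dtls_peers(console_text),
        "expired": certs,
        "attempted_at": attempted_at,
        "clock_before_expiry": clock_for_join(min(e for _, e in certs)) if certs else None,
        "explains_failure": explains,
    }


if __name__ == "__main__":
    for key, value in diagnose(AP_CONSOLE, 2023).items():
        print(f"{key}: {value}")
```

Running `diagnose(AP_CONSOLE, 2023)` reports the peer 10.10.0.65:5246, the serial 567A9C8300000000EBB9 with expiry 2022-06-21T14:43:58Z, and a suggested clock one day earlier; running it with the year 2022 shows the attempt would have predated expiry and the expiry message alone would not explain the failure, which is exactly the window the clock-rollback advice exploits.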