Connection problem between Cisco-vWLC-AIR-CTVM-7-3-101-0.ova and AIR-L

medzeinmaaloum · ‎01-01-2023

Hi there,

I deployed vWLC version 7-3-101-0 on ESXI 5.5:

When I put the ESXI (vWLC) and the AP on the same network the vWLC did not display AP

See the Message Logs from vWLC:

*spamApTask6: Jan 01 01:39:32.302: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake with peer 192.168.74.10

*spamApTask6: Jan 01 01:38:27.284: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake with peer 192.168.74.10

*spamApTask5: Jan 01 01:37:11.976: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake with peer 192.168.74.10

*spamApTask5: Jan 01 01:36:08.957: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake with peer 192.168.74.10

*fp_main_task: Jan 01 01:29:41.047: #LOG-3-Q_IND: sisf_shim_utils.c:316 Internal error, NULL entry in sisf_sw_policy_get_cfg_ptr[...It occurred 3 times.!]

*fp_main_task: Jan 01 01:29:41.036: #SISF-3-INTERNAL: sisf_shim_utils.c:316 Internal error, NULL entry in sisf_sw_policy_get_cfg_ptr

*fp_main_task: Jan 01 01:29:41.035: #SISF-3-INTERNAL: sisf_shim_utils.c:316 Internal error, Can't create the acl for 0000019F

*fp_main_task: Jan 01 01:29:40.358: #MM-3-MEMBER_ADD_FAILED: mm_dir.c:1193 Could not add Mobility Member. Reason: IP already assigned, Member-Count:1,MAC: 00:00:00:00:00:00, IP: 0.0.0.0

*mfpKeyRefreshTask: Jan 01 01:29:37.863: #SSHPM-3-NOT_INIT: bsnrandom.c:620 Random context not initialized

*fp_main_task: Jan 01 01:29:37.835: #CNFGR-3-INV_COMP_ID: cnfgr.c:2667 Invalid Component Id : Unrecognized (36) in cfgConfiguratorInit.

And see the AP message logs via Putty:

*Jan 1 01:48:44.005: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255

*Jan 1 01:48:54.289: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Jan 1 01:49:59.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.74.240 peer_port: 5246

*Jan 1 01:49:59.490: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 192.168.74.240

*Jan 1 01:49:59.490: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.

*Jan 1 01:49:59.490: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.74.240:5246

*Jan 1 01:49:59.491: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

*Jan 1 01:51:04.004: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Jan 1 01:49:59.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.74.240 peer_port: 5246

*Jan 1 01:49:59.487: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 192.168.74.240

*Jan 1 01:49:59.487: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.

*Jan 1 01:49:59.488: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.74.240:5246

*Jan 1 01:49:59.488: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

logging facility kern

^

% Invalid input detected at '^' marker.

logging trap emergencies

^

% Invalid input detected at '^' marker.

logging facility kern

^

% Invalid input detected at '^' marker.

logging trap emergencies

^

% Invalid input detected at '^' marker.

Summary of the config:

Enter Administrative User Name (24 characters Max):mohamed

Enter Administrative Password (3 to 24 characters):1974Med

Re-enter Administrative Password :1974Med

service Interface IP Address Configuration [static] [DHCP]:static

service Interface IP Address:192.168.1.1

service Interface Netmask:255.255.255.0

Management Interface IP Address :192.168.74.240

Management Interface Netmask :255.255.255.0

Management Interface Default Router :192.168.74.254

Management Interface VLAN Identifier (0 = untagged):0

Management Interface Port Num [1 to 1] :1

Management Interface DHCP Server IP Address :192.168.74.254

Virtual Gatewaye IP Address :1.1.1.1

Mobility/RF Groupe Name:Mobility

Network Name (SSID): Projets-Education

Cinfigure DHCP Bridging Mode [yes][NO]:

Allow Static IP Addresses [YES][no]:

Configure a RADIUS Server now? [YES][no]:no

Enter Country Code list (enter 'help' for a list of countries) [US]:MA

Enable 802.11b Network [YES][no]:YES

Enable 802.11a Network [YES][no]:YES

Enable 802.11g Network [YES][no]:YES

Enable Auto-RF [YES][no]:YES

Configure a NTP server now? [YES] [no]:yes

Enter the NTP server's IP address : 192.168.74.254

Enter a polling interval between 3600 and 604800 secs:3600

Configuration correct? if yes, system will save it and reset. [yes][NO]: yes

Note: there is no configuration in the Switch.

merci

Roger Kallberg · ‎01-01-2023

As this has nothing to do with Collaboration I moved your post to the Wireless part of the community where it seems to fit better.

medzeinmaaloum · ‎01-01-2023

Thank you

marce1000 · ‎01-01-2023

- The vWLC software version is very old , big chance is that your AP(s) are not compatible with it , check : https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

medzeinmaaloum · ‎01-01-2023

Can you please advise a vWLC compatible with my APs?

Thank you

marce1000 · ‎01-01-2023

- Depends, which ap model(s) are you using ?

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

medzeinmaaloum · ‎01-01-2023

I have 5 AIR-LAP1142N- A-K9

marce1000 · ‎01-01-2023

- Rest assured that these AP-models have expired certificates as described in https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html
In order to be able to use the mentioned workarounds you need at least 8.3.x ,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

medzeinmaaloum · ‎01-01-2023

In the document part: Workaround/Solution

if the AP's and/or WLC's certificates have expired:
2. Change the WLC clock time to a recent earlier time when the certificates were still valid.

I just installed the vWLC yesterday, how can I Change the WLC clock time to a recent earlier?

marce1000 · ‎01-01-2023

- FYI : https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-3/configuration/guide/b_cg73/b_wlc-cg_chapter_010.html#ID1009 , make sure NTP is not used and or disabled ,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

medzeinmaaloum · ‎01-01-2023

dose this is correct?

marce1000 · ‎01-01-2023

- No that is unrelated , anyway normally NTP will not be enabled upon an initial configuration anyway , so you don't need to worry , use command Show Run-config (CLI) to verify (further) that no NTP settings are being applied ,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

medzeinmaaloum · ‎01-01-2023

I don’t find NTP on the Show Run-config (CLI) list.

Now I will deploy the Cisco-vWLC-AIR-CTVM-7-3-101-0.ova again, and I will disable the NTP, if there some things that I should do please let know.

marce1000 · ‎01-01-2023

>if there some things that I should do please let know.
Note that if this is a business oriented environment consider using more modern wireless infrastructure.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

medzeinmaaloum · ‎01-01-2023

This just a test for how the cisco network works, and I'm enjoying it as I have 5 Cisco type access points.
Concerning the new material, I see the possibility of acquiring some, but it will take time, because there is no Cisco in Mauritania.