08-08-2021 11:26 PM
Hi folks, I have the following scenario:
5520 anchor WLC running 8.5.164.0 IRCM image
9800 foreign WLC running 17.3.3
I have configured mobility tunnels between the two and enabled secure mobility. There is a firewall between the two, but the CAPWAP and EoIP ports are open. The control path shows up as "down".
I took some debugs on the 5520 and saw the following. I have tried disabling secure mobility, but then the control and data path both go down.
*capwapPingSocketTask: Aug 04 13:41:39.590: returning rc 0 for ping packet from peer x.x.x.x
*mobilityCapwapSocketTask: Aug 09 05:46:14.205: Cannot retrieve ID cert
*mobilityCapwapSocketTask: Aug 09 05:47:14.245: Cannot retrieve ID cert
*mobilityCapwapSocketTask: Aug 09 05:47:14.245: Failed to fetch credential for DTLS handshake
*mobilityCapwapSocketTask: Aug 09 05:47:14.245: Failed to create a server connection
*mobilityCapwapSocketTask: Aug 09 05:48:14.261: Cannot retrieve ID cert
*mobilityCapwapSocketTask: Aug 09 05:48:14.261: Failed to fetch credential for DTLS handshake
*mobilityCapwapSocketTask: Aug 09 05:48:14.261: Failed to create a server connection
*mobilityCapwapSocketTask: Aug 09 05:49:14.293: Cannot retrieve ID cert
*mobilityCapwapSocketTask: Aug 09 05:49:14.293: Failed to fetch credential for DTLS handshake
08-09-2021 01:43 AM
- Check this thread :
M.
08-09-2021 01:48 AM
This post is about a 5508 and not a 5520. I also have a 5508, and I had to use the cert expiry command on the to bring the mobility UP between the 5508 and 9800.
But what is the fix for the 5520?
08-09-2021 03:51 AM
>... I had to use the cert expiry command on the to bring the mobility UP between the 5508 and 9800.
That denotes that the fix described by Grendizer in the mentioned thread may very well be needed on your 9800 too. I would give it a try (meaning start with the 9800 side first with the command actions described in the resolving post of the thread mentioned, see what comes 'up' (...) )
M.
08-09-2021 05:27 AM
Hi, this command has already been tried on the 9800 (and that's how we brought mobility UP with another 5508). Also, the "HTTPS" certificate has expired on the 5520 AireOS WLC. Will this cause an issue?
08-09-2021 08:55 AM
- The resolving-reply in the mentioned thread exactly deals with that.
M.
08-09-2021 09:36 AM
Might want to think about moving to 8-5-176-2 on the 5520 - has a whole lot of fixes in it:
https://software.cisco.com/download/home/286284738/type/280926587/release/8.5IRCM