
CT5760 ap cert command

AK002
Level 1

Hi Team,

 

What will be the equivalent command for (WLC)>config ap cert-expiry-ignore {mic|ssc} enable in a Cisco CT5760 wireless controller? We suspect some certificate issue between the controller and access points.

AIR-CT5760 03.06.05E

AP - 3700

Some of the APs keep reconnecting and joining other controllers in the setup.

 

Error message:
PKI-3-CERTIFICATE_INVALID_EXPIRED : Certificate chain validation has failed. The certificate (SN : [chars]) has expired. Validity period ended on [chars]

 

Regards,

AK

14 Replies

marce1000
VIP

 

 - Strange, could you check the end date of the certificate on the AP with:

    

AP_CLI# show crypto pki certificates

   then look for the string 'end date'.

 M. 



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '


show crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA M2
o=Cisco
Subject:
cn=Cisco Root CA M2
o=Cisco
Validity Date:
start date: 13:00:18 UTC Nov 12 2012
end date: 06:32:02 UTC Oct 7 1901
Associated Trustpoints: cisco-m2-root-cert
Storage:

Certificate
Status: Available
Certificate Serial Number (hex): 71B9E8530000000C2D3D
Certificate Usage: General Purpose
Issuer:
cn=Cisco Manufacturing CA SHA2
o=Cisco
Subject:
Name: AP3
e=support@cisco.com
cn=AP
o=Cisco Systems
l=San Jose
st=California
c=US
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/cmca2.crl
Validity Date:
start date: 09:49:27 UTC Jun 4 2016
end date: 09:59:27 UTC Jun 4 2026
Associated Trustpoints: Cisco_IOS_M2_MIC_cert
Storage:

CA Certificate
Status: Available
Certificate Serial Number (hex): 02
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA M2
o=Cisco
Subject:
cn=Cisco Manufacturing CA SHA2
o=Cisco
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/crcam2.crl
Validity Date:
start date: 13:50:58 UTC Nov 12 2012
end date: 06:32:01 UTC Oct 7 1901
Associated Trustpoints: Cisco_IOS_M2_MIC_cert
Storage:

CA Certificate
Status: Available
Certificate Serial Number (hex): 00
Certificate Usage: General Purpose
Issuer:
e=support@airespace.com
cn=ca
ou=none
o=airespace Inc
l=San Jose
st=California
c=US
Subject:
e=support@airespace.com
cn=ca
ou=none
o=airespace Inc
l=San Jose
st=California
c=US
Validity Date:
start date: 23:38:55 UTC Feb 12 2003
end date: 23:38:55 UTC Nov 11 2012
Associated Trustpoints: airespace-old-root-cert
Storage:

CA Certificate
Status: Available
Certificate Serial Number (hex): 03
Certificate Usage: General Purpose
Issuer:
e=support@airespace.com
cn=Airespace Root CA
ou=Engineering
o=Airespace Inc.
l=San Jose
st=California
c=US
Subject:
e=support@airespace.com
cn=Airespace Device CA
ou=Engineering
o=Airespace Inc.
l=San Jose
st=California
c=US
Validity Date:
start date: 22:37:13 UTC Apr 28 2005
end date: 22:37:13 UTC Jan 26 2015
Associated Trustpoints: airespace-device-root-cert
Storage:

Certificate
Status: Available
Certificate Serial Number (hex): 5615E28A00000003E644
Certificate Usage: General Purpose
Issuer:
cn=Cisco Manufacturing CA
=Cisco Systems
Subject:
Name: AP

e=support@cisco.com
cn=AP
o=Cisco Systems
l=San Jose
st=California
c=US
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/cmca.crl
Validity Date:
start date: 09:46:55 UTC Jun 4 2016
end date: 09:56:55 UTC Jun 4 2026
Associated Trustpoints: Cisco_IOS_MIC_cert
Storage:

CA Certificate
Status: Available
Certificate Serial Number (hex): 6A6967B3000000000003
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2048
=Cisco Systems
Subject:
cn=Cisco Manufacturing CA
o=Cisco Systems
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/crca2048.crl
Validity Date:
start date: 22:16:01 UTC Jun 10 2005
end date: 20:25:42 UTC May 14 2029
Associated Trustpoints: Trustpool Cisco_IOS_MIC_cert
Storage:



Check if the date and time are correct on the WLC (NTP enabled).
Although some CA certs have an expiration date in the past (19xx), which is quite weird.
The AP certificate looks fine:
Certificate
Status: Available
Certificate Serial Number (hex): 5615E28A00000003E644
Certificate Usage: General Purpose
Issuer:
cn=Cisco Manufacturing CA
=Cisco Systems
Subject:
Name: AP

e=support@cisco.com
cn=AP
o=Cisco Systems
l=San Jose
st=California
c=US
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/cmca.crl
Validity Date:
start date: 09:46:55 UTC Jun 4 2016
end date: 09:56:55 UTC Jun 4 2026
Associated Trustpoints: Cisco_IOS_MIC_cert

PLEASE ANSWER THIS QUESTION: "What will be the equivalent command for (WLC)>config ap cert-expiry-ignore {mic|ssc} enable in Cisco CT5760 wireless controller"

I have the same issue with 1142N APs' certificates expiring.

I just had a look at the bug, field notice and community entry, and I could find the 5760 mentioned nowhere.

I wonder if this controller is affected at all.

 

The information I've checked:

https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html

https://community.cisco.com/t5/wireless-mobility-documents/lightweight-ap-fail-to-create-capwap-lwapp-connection-due-to/ta-p/3155111

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuq19142

 

One workaround that works with all other WLCs was to create your own certificate and roll it out to the APs; I wonder if that workaround would also work here.

I have several APs out, but when I turn back the date the APs come up. Can I keep the date incorrect in the 5760 controller without affecting the network? I just have a lot of old 1140 APs and I am afraid they will all shut down. We are updating the WLC to 9800 but are not ready yet to move from the 5760 controller. We will have to replace them, but I need to make them work till that happens. I tried these commands but they do not take (below); is there another command that does the same for the 5760?

 

config ap lifetime-check {mic|ssc} enable

config ap cert-expiry-ignore {mic|ssc} enable

I think it's not a big problem to leave the date in the past, as long as you don't use any certificate-based authentication on the WLC. Of course, all log files have a wrong date then.

Did you look at the workaround with your own certificates for the APs?

marce1000
VIP

 

>Some of the AP's  keep on reconnecting and joining other controllers in the setup. 

 - What do you mean by this sentence?

 M.




Around 250 APs are associated to the WLC; out of those, 20 APs are always bouncing between controllers (the other two anchor controllers). When they try to connect to the 5760 they download the image and try to associate; after some time they again try to associate with another WLC and download the image...

 

 - This is not advisable and may somehow be an underlying cause of your original issue; APs should use a dedicated and known controller, for instance by using DHCP option 43 to direct the AP to the intended controller.

 M.




Yes, from the AP end we have set the primary controller, but somehow the WLC is not accepting the AP join request.

Raising a case with Cisco TAC. Thanks for the help.

pwilliams86
Level 1

Hi,

Did you ever find a command for this? We have a similar issue with anchor controllers with expired certificates not forming mobility tunnels with our 5760.

Cheers,

P

Axsuptls
Level 1

Just in case anyone would still need this, since it was quite a pain on my side to find out:

9800-1#conf t
9800-1(config)#crypto pki certificate map <mapname> 1
9800-1(ca-certificate-map)#issuer-name co Cisco Manufacturing CA
9800-1(ca-certificate-map)#exit
9800-1(config)#crypto pki trustpool policy
9800-1(ca-trustpool)#match certificate <mapname> allow expired-certificate
9800-1(ca-trustpool)#end

 

This is mainly used for inter-controller links (anchor and such), but I believe it should be fine for AP certs too (though I did not have any problems with the APs on my 5760s, so I cannot be 100% sure).

 

Best regards,

We are still using 5760 WLCs because of delays in upgrading our network, ran into this issue today, and can confirm that this config fixes the issue:

WLC01#show ap summary
Number of APs: 534

WLC01#conf t
WLC01(config)#crypto pki certificate map ap-cert-expired 1
WLC01(ca-certificate-map)#issuer-name co Cisco Manufacturing CA
WLC01(ca-certificate-map)#exit
WLC01(config)#crypto pki trustpool policy
WLC01(ca-trustpool)#match certificate ap-cert-expired allow expired-certificate
WLC01(ca-trustpool)#end
WLC01#
WLC01#show ap summary
Number of APs: 543

We saw an immediate jump in the number of APs joined. Many thanks Axsuptls.
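The two technical pieces of this thread are the 'show crypto pki certificates' check marce1000 suggested (look at each 'end date') and the trustpool 'match certificate ... allow expired-certificate' policy Axsuptls posted and the reply above confirms. The Python below is an added example, not code from this thread or from any Cisco tool, that puts both together: it parses pasted IOS output into per-certificate records (stripping the '--More--' pager prompt that gets glued onto lines), classifies each certificate against a chosen date, reports the end-before-start 1901 dates seen in the dump as implausible rather than expired, and then simulates the scope of the policy so you can see what it exempts before applying it: only an expired certificate whose issuer name contains the configured substring is let through, every other expired certificate is still rejected. Assumptions: the sample output is constructed and trimmed to the fields the script reads (serial 0C0FFEE0 is invented to stand in for an expired MIC), the reference date 2020-01-01 is arbitrary, and the 'co' (contains) match is modelled as a case-insensitive substring test, which is not verified IOS behaviour.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional
REFERENCE_NOW = datetime(2020, 1, 1, tzinfo=timezone.utc)  # constructed 'today' for the demo

# Constructed sample in the layout of 'show crypto pki certificates', trimmed to the fields this
# script reads. The first three entries mirror ones quoted in the thread; the last (serial
# 0C0FFEE0) is invented to stand in for an expired MIC issued by the Cisco Manufacturing CA.
SAMPLE_OUTPUT = """\
CA Certificate
Certificate Serial Number (hex): 01
Issuer:
cn=Cisco Root CA M2
Validity Date:
start date: 13:00:18 UTC Nov 12 2012
end date: 06:32:02 UTC Oct 7 1901

Certificate
Certificate Serial Number (hex): 5615E28A00000003E644
Issuer:
cn=Cisco Manufacturing CA
o=Cisco Systems
--More--   Validity Date:
start date: 09:46:55 UTC Jun 4 2016
end date: 09:56:55 UTC Jun 4 2026

CA Certificate
Certificate Serial Number (hex): 03
Issuer:
cn=Airespace Root CA
Validity Date:
start date: 22:37:13 UTC Apr 28 2005
end date: 22:37:13 UTC Jan 26 2015

Certificate
Certificate Serial Number (hex): 0C0FFEE0
Issuer:
cn=Cisco Manufacturing CA
Validity Date:
start date: 00:00:00 UTC Jun 4 2007
end date: 00:00:00 UTC Jun 4 2017
"""

@dataclass
class Cert:
    serial: str
    issuer: str   # issuer attributes joined, e.g. 'cn=Cisco Manufacturing CA,o=Cisco Systems'
    start: Optional[datetime]
    end: Optional[datetime]

def _parse_date(s: Optional[str]) -> Optional[datetime]:
    # IOS prints e.g. '13:00:18 UTC Nov 12 2012'; every date on the page is UTC
    if not s:
        return None
    return datetime.strptime(s, "%H:%M:%S UTC %b %d %Y").replace(tzinfo=timezone.utc)

def parse_show_crypto_pki_certificates(text: str) -> List[Cert]:
    certs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        # pasted output carries the pager prompt '--More--' glued onto some lines
        lines = [ln for ln in (raw.replace("--More--", "").strip() for raw in block.splitlines()) if ln]
        if not lines or lines[0] not in ("Certificate", "CA Certificate"):
            continue
        fields, issuer, in_issuer = {}, [], False
        for line in lines[1:]:
            key, _, value = line.partition(":")
            if key in ("Certificate Serial Number (hex)", "start date", "end date"):
                fields[key] = value.strip()
            elif line.endswith(":"):         # section header: Issuer:, Subject:, Validity Date:, Storage:
                in_issuer = key == "Issuer"
            elif in_issuer and "=" in line:  # one attribute of the issuer DN, e.g. 'cn=...'
                issuer.append(line)
        certs.append(Cert(fields.get("Certificate Serial Number (hex)", ""), ",".join(issuer),
                          _parse_date(fields.get("start date")), _parse_date(fields.get("end date"))))
    return certs

def validity_status(cert: Cert, now: datetime) -> str:
    """'implausible' = end date before start date (the 1901 dates in the thread), unusable as printed."""
    if cert.start is None or cert.end is None:
        return "unknown"
    if cert.end < cert.start:
        return "implausible"
    if now < cert.start:
        return "not-yet-valid"
    return "expired" if now > cert.end else "valid"

def evaluate(text: str, now: datetime, allow_expired_issuer: Optional[str] = None) -> Dict[str, str]:
    """Serial -> status. allow_expired_issuer models the thread's trustpool policy ('issuer-name co
    <substring>' + 'allow expired-certificate'); case-insensitive matching is an assumption."""
    result = {}
    for cert in parse_show_crypto_pki_certificates(text):
        status = validity_status(cert, now)
        if status == "expired" and allow_expired_issuer and allow_expired_issuer.lower() in cert.issuer.lower():
            status = "expired-but-allowed"
        result[cert.serial] = status
    return result

if __name__ == "__main__":
    for serial, status in evaluate(SAMPLE_OUTPUT, REFERENCE_NOW, "Cisco Manufacturing CA").items():
        print(f"{serial:22} {status}")
```

Run as-is it prints one status line per certificate; to check a real device, replace SAMPLE_OUTPUT with the pasted output and REFERENCE_NOW with the controller's current clock (which is also worth comparing against NTP, as the thread notes). The simulation shows the policy's reach: the invented Cisco Manufacturing CA MIC moves from expired to expired-but-allowed, while the expired Airespace CA and the implausible 1901 root are unchanged, because the 'allow expired-certificate' keyword relaxes only the validity-period check for certificates matched by the map.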
