03-31-2020 09:03 AM - edited 07-05-2021 11:54 AM
Hi Team,
What will be the equivalent command for (WLC)>config ap cert-expiry-ignore {mic|ssc} enable in the Cisco CT5760 wireless controller? We suspect a certificate issue between the controller and access point.
AIR-CT5760 03.06.05E
AP - 3700
Some of the APs keep reconnecting and joining other controllers in the setup.
Error message
PKI-3-CERTIFICATE_INVALID_EXPIRED : Certificate chain validation has failed. The certificate (SN : [chars]) has expired. Validity period ended on [chars]
Regards,
AK
04-01-2020 02:40 AM
- Strange. Could you check the end date of the certificate on the AP with:
AP_CLI# show crypto pki certificates
then look for the string "end date".
M.
04-01-2020 04:51 AM
show crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA M2
o=Cisco
Subject:
cn=Cisco Root CA M2
o=Cisco
Validity Date:
start date: 13:00:18 UTC Nov 12 2012
end date: 06:32:02 UTC Oct 7 1901
Associated Trustpoints: cisco-m2-root-cert
Storage:
Certificate
Status: Available
Certificate Serial Number (hex): 71B9E8530000000C2D3D
Certificate Usage: General Purpose
Issuer:
cn=Cisco Manufacturing CA SHA2
o=Cisco
Subject:
Name: AP3
e=support@cisco.com
cn=AP
o=Cisco Systems
l=San Jose
st=California
c=US
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/cmca2.crl
Validity Date:
start date: 09:49:27 UTC Jun 4 2016
end date: 09:59:27 UTC Jun 4 2026
Associated Trustpoints: Cisco_IOS_M2_MIC_cert
Storage:
CA Certificate
Status: Available
Certificate Serial Number (hex): 02
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA M2
o=Cisco
Subject:
cn=Cisco Manufacturing CA SHA2
o=Cisco
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/crcam2.crl
Validity Date:
start date: 13:50:58 UTC Nov 12 2012
end date: 06:32:01 UTC Oct 7 1901
Associated Trustpoints: Cisco_IOS_M2_MIC_cert
Storage:
CA Certificate
Status: Available
Certificate Serial Number (hex): 00
Certificate Usage: General Purpose
Issuer:
e=support@airespace.com
cn=ca
ou=none
o=airespace Inc
l=San Jose
st=California
c=US
Subject:
e=support@airespace.com
cn=ca
ou=none
o=airespace Inc
l=San Jose
st=California
c=US
Validity Date:
start date: 23:38:55 UTC Feb 12 2003
end date: 23:38:55 UTC Nov 11 2012
Associated Trustpoints: airespace-old-root-cert
Storage:
CA Certificate
Status: Available
Certificate Serial Number (hex): 03
Certificate Usage: General Purpose
Issuer:
e=support@airespace.com
cn=Airespace Root CA
ou=Engineering
o=Airespace Inc.
l=San Jose
st=California
c=US
Subject:
e=support@airespace.com
cn=Airespace Device CA
ou=Engineering
o=Airespace Inc.
l=San Jose
st=California
c=US
Validity Date:
start date: 22:37:13 UTC Apr 28 2005
end date: 22:37:13 UTC Jan 26 2015
Associated Trustpoints: airespace-device-root-cert
Storage:
Certificate
Status: Available
Certificate Serial Number (hex): 5615E28A00000003E644
Certificate Usage: General Purpose
Issuer:
cn=Cisco Manufacturing CA
=Cisco Systems
Subject:
Name: AP
e=support@cisco.com
cn=AP
o=Cisco Systems
l=San Jose
st=California
c=US
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/cmca.crl
Validity Date:
start date: 09:46:55 UTC Jun 4 2016
end date: 09:56:55 UTC Jun 4 2026
Associated Trustpoints: Cisco_IOS_MIC_cert
Storage:
CA Certificate
Status: Available
Certificate Serial Number (hex): 6A6967B3000000000003
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2048
=Cisco Systems
Subject:
cn=Cisco Manufacturing CA
o=Cisco Systems
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/crca2048.crl
Validity Date:
start date: 22:16:01 UTC Jun 10 2005
end date: 20:25:42 UTC May 14 2029
Associated Trustpoints: Trustpool Cisco_IOS_MIC_cert
Storage:
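As an added example that is not part of the thread, a small Python script that reads "show crypto pki certificates" output like the one above and reports, per trustpoint, whether the certificate is still valid, has expired, or carries an impossible validity window (an end date before its start date, as the Oct 7 1901 dates above do). The sample input is a constructed trim of the posted output; the state names and the audit() helper are this example's own.

```python
"""Flag validity problems in IOS 'show crypto pki certificates' output (added example)."""
from datetime import datetime
DATE_FMT = "%H:%M:%S UTC %b %d %Y"  # IOS validity layout, e.g. 13:00:18 UTC Nov 12 2012

# Constructed sample: three blocks trimmed from the AP output posted above.
SAMPLE = """\
CA Certificate
start date: 13:00:18 UTC Nov 12 2012
end date: 06:32:02 UTC Oct 7 1901
Associated Trustpoints: cisco-m2-root-cert
Certificate
start date: 09:49:27 UTC Jun 4 2016
end date: 09:59:27 UTC Jun 4 2026
Associated Trustpoints: Cisco_IOS_M2_MIC_cert
CA Certificate
start date: 22:37:13 UTC Apr 28 2005
end date: 22:37:13 UTC Jan 26 2015
Associated Trustpoints: airespace-device-root-cert
"""

def parse_certs(text):
    """Return one dict per certificate block with its start, end and trustpoint."""
    certs = []
    for line in text.splitlines():
        line = line.strip()
        if line in ("CA Certificate", "Certificate"):  # each block opens with its type
            certs.append({"type": line})
        elif line.startswith(("start date:", "end date:")):
            key, val = line.split(":", 1)
            certs[-1][key.split()[0]] = datetime.strptime(val.strip(), DATE_FMT)
        elif line.startswith("Associated Trustpoints:"):
            certs[-1]["trustpoint"] = line.split(":", 1)[1].strip()
    return certs

def classify(cert, now):
    """'bogus' when the end date precedes the start date (an impossible window: a date
    defect to check against the CA's published validity), 'expired' when past, else 'valid'."""
    if cert["end"] < cert["start"]:
        return "bogus"
    return "expired" if cert["end"] < now else "valid"

def audit(text, now):
    """Map trustpoint name -> state; `now` is a datetime or an IOS-format date string."""
    if isinstance(now, str):
        now = datetime.strptime(now, DATE_FMT)
    return {c["trustpoint"]: classify(c, now) for c in parse_certs(text)}

if __name__ == "__main__":
    for trustpoint, state in audit(SAMPLE, datetime.now()).items():  # host clock as "now"
        print(f"{state:8} {trustpoint}")
```

Paste the full output of the AP's show command into SAMPLE (or read it from a file) to check every trustpoint at once; a "bogus" root is the one to investigate first, since a chain built on it can fail validation exactly as the PKI-3-CERTIFICATE_INVALID_EXPIRED message in the first post describes.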
04-01-2020 08:42 AM
04-29-2020 12:26 PM
PLEASE ANSWER THIS QUESTION: "What will be the equivalent command for (WLC)>config ap cert-expiry-ignore {mic|ssc} enable in Cisco CT5760 wireless controller".
I have the same issue with 1142N APs' certificates expiring.
04-29-2020 11:47 PM
I just had a look at the bug, field notice and community entry, and I could find the 5760 mentioned nowhere.
I wonder if this controller is affected at all.
The information I've checked:
https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuq19142
One workaround that works with all other WLCs was to create your own certificate and roll it out to the APs; I wonder whether that workaround would also work here.
04-30-2020 11:00 AM
I have several APs out, but when I turn back the date the APs come up. Can I keep the date incorrect in the 5760 controller without affecting the network? I just have a lot of old 1140 APs and I am afraid they will all shut down. We are updating the WLC to 9800 but are not ready yet to move off the 5760 controller. We will have to replace them, but I need to make them work until that happens. I tried these commands but they do not take (below); is there another command that does the same for the 5760?
config ap lifetime-check {mic|ssc} enable
config ap cert-expiry-ignore {mic|ssc} enable
04-30-2020 11:41 PM
04-01-2020 09:01 AM
>Some of the APs keep reconnecting and joining other controllers in the setup.
- What do you mean by this sentence?
M.
04-02-2020 02:51 AM
Around 250 APs are associated to the WLC; out of those, 20 APs are always bouncing between controllers (the other two anchor controllers). When they try to connect to the 5760 they download the image and try to associate; after some time they again try to associate to the other WLC and download the image.
04-02-2020 03:23 AM
- This is not advisable and may somehow be an underlying cause of your original issue; APs should use a dedicated, known controller, for instance by using DHCP option 43 to direct the AP to the intended controller.
M.
04-02-2020 04:53 AM
10-22-2020 04:13 AM
Hi,
Did you ever find a command for this? We have a similar issue with anchor controllers with expired certificates not forming mobility tunnels with our 5760.
Cheers,
P
10-13-2021 03:31 AM
Just in case anyone still needs this, since it was quite a pain on my side to find out:
9800-1#conf t
9800-1(config)#crypto pki certificate map <mapname> 1
9800-1(ca-certificate-map)#issuer-name co Cisco Manufacturing CA
9800-1(ca-certificate-map)#exit
9800-1(config)#crypto pki trustpool policy
9800-1(ca-trustpool)#match certificate <mapname> allow expired-certificate
9800-1(ca-trustpool)#end
This is mainly used for inter-controller links (anchor and such), but I believe it should be fine for AP certs too (though I did not have any problems with the APs on my 5760s, so I cannot be 100% sure).
Best regards,
04-22-2024 05:59 AM
We are still using 5760 WLCs because of delays in upgrading our network. We ran into this issue today and can confirm that this config fixes the issue:
WLC01#show ap summary
Number of APs: 534
WLC01#conf t
WLC01(config)#crypto pki certificate map ap-cert-expired 1
WLC01(ca-certificate-map)#issuer-name co Cisco Manufacturing CA
WLC01(ca-certificate-map)#exit
WLC01(config)#crypto pki trustpool policy
WLC01(ca-trustpool)#match certificate ap-cert-expired allow expired-certificate
WLC01(ca-trustpool)#end
WLC01#
WLC01#show ap summary
Number of APs: 543
We saw an immediate jump in the number of APs joined. Many thanks, Axsuptls.