
DTLS-3-HANDSHAKE_FAILURE

RJ Riemensnider
Level 1

I have a remote site with 2 AIR 2602i APs that were working up until a few days ago.  One AP still connects fine but the second will not connect and keeps generating this error:

 

*spamApTask3: Sep 18 10:16:09.249: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:687 Failed to complete DTLS handshake with peer 970200748.0.144.127 for AP 97:cc:79:13b0b000:10507114:13040000

 

I have powered off and on both APs several times but still keep getting the same problem.  Both APs are getting their config from DHCP and as part of that, a timesource.  I can see traffic back and forth to/from both APs. 

 

Any ideas on what the cause could be?

 

2504 WLC with free licenses on 7.6.120.0

 

 


Freerk Terpstra
Level 7
  • Are the regulatory domains of the access-points the same?
  • Has the other access-point been connected to another WLC in the past?
    • If so please do a "test capwap erase" and a "test capwap restart" on the access-point (those are "hidden" commands).
  • If that still does not help the process, please post the output for the following commands on the WLC while the access-point is trying to join:
    • debug capwap events enable
    • debug capwap error enable
    • debug pm pki enable
    • debug disable-all (to turn off the debugs)

Also include all console information of an access-point while it is booting and trying to join the WLC.

Thank you very much for the reply. I opened a TAC case and they identified an openssh bug in .120 and suggested to go to .130. This did solve the handshake issue, at least for now, but introduced a couple other issues that I may post about in another thread. Thanks for the help.