02-12-2023 01:07 AM - edited 02-12-2023 11:59 PM
Hi,
I have a Cisco WLC 4400 linked to a 4500 switch. The WLC is up and so is the switch, but the APs can't join the WLC. Debug on the WLC gives the output below.
How can I fix that? The WLC is set to the net server of the SW it is linked to.
*spamReceiveTask: Feb 12 08:48:41.017: 00:3a:98:77:fb:70 No entry exists for AP
*spamReceiveTask: Feb 12 08:48:41.017: 00:3a:98:77:fb:70 No AP entry exist in temporary database for
*spamReceiveTask: Feb 12 08:48:50.195: 00:3a:98:7c:ee:c0 DTLS connection not found, creating new connection for
*spamReceiveTask: Feb 12 08:48:50.313: 00:3a:98:7c:ee:c0 DTLS connection closed event receivedserver
*spamReceiveTask: Feb 12 08:48:50.313: 00:3a:98:7c:ee:c0 No entry exists for AP
*spamReceiveTask: Feb 12 08:48:50.313: 00:3a:98:7c:ee:c0 No AP entry exist in temporary database for
*spamReceiveTask: Feb 12 08:48:52.700: 00:3a:98:72:69:00 DTLS connection not found, creating new connection for
Accepted Solutions
02-12-2023 01:37 PM
@kingstdz wrote:
and set time to before 2020 (example 2019)
That is not the correct method of fixing the problem. Please READ and UNDERSTAND the contents of the Field Notice.
If nobody wants to read the Field Notice, find someone else.
02-12-2023 11:39 PM
By starting to read the replies.
M.
-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
The mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'
02-12-2023 01:46 AM
You need to provide more information here:
1. What model of AP?
2. What code is running on the WLC?
3. Is there any AP working, or do none of the APs work?
4. Can you connect the console to an AP and check what logs you are getting (post the logs here)?
5. Provide the information below and enable debug:
>show license in-use
>show sysinfo
>debug capwap events enable
>debug capwap packet enable
>debug capwap errors enable
>debug capwap detail enable
02-12-2023 06:59 AM
1. What model of AP? AP1100, 1300, 1242 and 2600
3. Is there any AP working, or do none of the APs work? No
I'll give the others as soon as
02-12-2023 07:18 AM
The WLC 4400 is very, very old and the last code release for it is 7.4.x. I really would look at migrating to another model that can support your APs, or maybe it's time for a full uplift. It's amazing that your controller and some of your APs are still functioning.
*** Please rate helpful posts ***
02-12-2023 01:36 PM
@kingstdz wrote:
how can I fix that cert
Read the Field Notice that I have provided.
02-12-2023 01:57 AM
02-12-2023 06:55 AM
Thanks for the reply.
How can I fix that cert? The cert is local on the WLC. I enabled web mode, but I can't access the web interface to generate another cert. Please show me how to.
AP 1100, 1242, 1300 and 2600 LAP
Thanks
02-12-2023 06:27 AM - edited 02-12-2023 06:28 AM
As @balaji.bandi says, we need more info, but very likely the problem is an expired certificate as per the FN link which @Leo Laohoo shared. You must follow all the steps in the field notice, in the correct order, to permanently resolve the issue. My summary from numerous previous posts:
Read this field notice through very carefully (twice if necessary), then follow all the instructions carefully in the right order:
https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html
I'll summarise it for the umpteenth time:
1. Upgrade to the latest version which supports your APs and WLC - probably 8.5.182.7
https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html#anc10
2. Apply the config workaround on the WLC
3. Disable WLC NTP and set the time manually to before your certs expired
4. Allow all the APs to join, download new code and pick up the config workaround
5. Re-enable NTP
Note that it could be AP and/or WLC certs which have expired.
You should also make yourself aware of the other field notices and alerts mentioned in my signature below.
Please click Helpful if this post helped you and Select as Solution (drop-down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLCs and TAC recommended codes for 9800 WLCs
Best Practices for AireOS WLCs, Best Practices for 9800 WLCs and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
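As an added example (not code from any poster in this thread, nor from Cisco), a small Python helper for step 3 above: it pulls the validity instants out of AP syslog (%PKI-3-CERTIFICATE_INVALID_EXPIRED) and "show crypto pki certificates" output, reports which certificates have already expired at the WLC's current clock, and computes whether any single clock value keeps every certificate seen valid at once. The sample text is constructed from the kind of lines posted in this thread; treating every certificate in the text as part of the DTLS handshake is an assumption, and the field notice, not this script, decides which ones actually matter.

```python
import re
from datetime import datetime, timezone

# Validity lines as IOS APs print them in syslog
# (%PKI-3-CERTIFICATE_INVALID_EXPIRED) and in "show crypto pki certificates".
_DATE = r"(\d\d:\d\d:\d\d) UTC (\w{3}) (\d{1,2}) (\d{4})"
_NOT_AFTER = re.compile(r"(?:Validity period ended on|end date:) " + _DATE)
_NOT_BEFORE = re.compile(r"start date: " + _DATE)

# Constructed sample, modelled on the lines posted in this thread.
SAMPLE = """\
*Feb 12 15:10:32.116: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 70D0C3120000001E93A6) has expired. Validity period ended on 01:12:55 UTC Feb 6 2020
Validity Date:
  start date: 23:38:55 UTC Feb 12 2003
  end date: 23:38:55 UTC Nov 11 2012
"""

def _ts(hms, mon, day, year):
    """Turn the captured groups into an aware UTC datetime."""
    return datetime.strptime(f"{hms} {mon} {day} {year}",
                             "%H:%M:%S %b %d %Y").replace(tzinfo=timezone.utc)

def validity_bounds(text):
    """All 'not before' and 'not after' instants found in text, as sorted ISO strings."""
    starts = sorted(_ts(*m.groups()).isoformat() for m in _NOT_BEFORE.finditer(text))
    ends = sorted(_ts(*m.groups()).isoformat() for m in _NOT_AFTER.finditer(text))
    return starts, ends

def expired_at(text, now_iso):
    """'not after' instants that are already in the past at the clock value now_iso."""
    now = datetime.fromisoformat(now_iso)
    _, ends = validity_bounds(text)
    return [e for e in ends if datetime.fromisoformat(e) <= now]

def common_window(text):
    """Intersection of every validity range seen: the only clock values at which all
    of those certificates are valid at once, or None if no such value exists.
    Assumption: every certificate in the text takes part in the DTLS handshake."""
    starts, ends = validity_bounds(text)
    if not ends:
        return None
    lo = starts[-1] if starts else "0001-01-01T00:00:00+00:00"  # latest not-before
    hi = ends[0]                                                 # earliest not-after
    return (lo, hi) if lo < hi else None

if __name__ == "__main__":
    print("expired now:", expired_at(SAMPLE, "2023-02-12T15:10:32+00:00"))
    print("clock window valid for all certs:", common_window(SAMPLE))
```

The window printed is the range a manually set clock would have to fall in for every certificate in the pasted output to verify; an empty window means no single clock value satisfies them all and the config workaround from the field notice is what remains.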
02-12-2023 07:36 AM - edited 02-12-2023 07:46 AM
In certificate:
Name: bsnSslWebadminCert
Type: Locally Generated
Serial Number: 1332271936
Valid: From 2020 Mar 25th, 00:00:01 GMT Until 2030 Mar 25th, 00:00:01 GMT
Subject Name: C=US, O=Cisco Systems Inc., OU=DeviceSSL (WebAdmin), CN=
Issuer Name: C=US, O=Cisco Systems Inc., OU=DeviceSSL (WebAdmin), CN=
MD5 Fingerprint: 4f:f1:4a:9b:06:44:31:1b:e2:08:83:ca:54:85:b9:99
SHA1 Fingerprint: 3b:ba:82:7f:f3:32:c6:00:9f:dd:aa:16:45:73:bd:a2:1f:fe:d9:80
02-12-2023 08:13 AM
Hi,
Log from the AP:
*Feb 12 15:09:18.115: %DTLS-3-BAD_RECORD: Erroneous record received from X.X.X.X: Malformed Certificate
*Feb 12 15:09:18.115: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to X.X.X.X:5246
*Feb 12 15:09:18.116: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
*Feb 12 15:10:22.084: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Feb 12 15:10:22.084: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Feb 12 15:10:22.134: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Feb 12 15:10:22.134: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Feb 12 15:10:22.135: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Feb 12 15:10:22.165: status of voice_diag_test from WLC is false
*Feb 12 15:10:22.166: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
*Feb 12 15:10:22.167: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
*Feb 12 15:10:22.173: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Feb 12 15:10:22.199: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Feb 12 15:10:32.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: X.X.X.X peer_port: 5246
*Feb 12 15:10:32.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Feb 12 15:10:32.116: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 70D0C3120000001E93A6) has expired. Validity period ended on 01:12:55 UTC Feb 6 2020
*Feb 12 15:10:32.118: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Feb 12 15:10:32.118: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Feb 12 15:10:32.118: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:352 Certificate verified failed!
*Feb 12 15:10:32.118: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: X.X.X.X
*Feb 12 15:10:32.118: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to X.X.X.X:5246
*Feb 12 15:10:32.119: %DTLS-3-BAD_RECORD: Erroneous record received from X.X.X.X: Malformed Certificate
*Feb 12 15:10:32.119: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to X.X.X.X:5246
02-12-2023 08:55 AM
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.240.0
RTOS Version..................................... 7.0.240.0
Bootloader Version............................... 4.2.205.0
Emergency Image Version.......................... N/A
Build Type....................................... DATA + WPS
System Name...................................... WLCpruebas
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.14179.1.1.4.3
02-12-2023 09:50 AM - edited 02-12-2023 09:50 AM
PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 70D0C3120000001E93A6) has expired. Validity period ended on 01:12:55 UTC Feb 6 2020
Then it makes sense to use the Field Notice URL suggested:
https://www.cisco.com/c/en/us/support/docs/field-notices/725/fn72524.html
On the WLC, check:
> show certificate all
For testing:
> config time ntp delete 1
> config time manual mm/dd/yy HH:mm:sec (see if that fixes the issue - not recommended in production)
EDIT:
Your version of code is too old; try to uplift to the latest supported version.
02-12-2023 09:47 AM
On the AP:
sh crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number: 00
Certificate Usage: General Purpose
Issuer:
ea=support@airespace.com
cn=ca
ou=none
o=airespace Inc
l=San Jose
st=California
c=US
Subject:
ea=support@airespace.com
cn=ca
ou=none
o=airespace Inc
l=San Jose
st=California
c=US
Validity Date:
start date: 23:38:55 UTC Feb 12 2003
end date: 23:38:55 UTC Nov 11 2012
02-12-2023 09:52 AM
Validity Date:
start date: 23:38:55 UTC Feb 12 2003
end date: 23:38:55 UTC Nov 11 2012
Update as per the suggested URL.
02-12-2023 10:30 AM
Thanks.
Is there any way to bypass the WLC---AP certificate policy??
