02-12-2023 01:07 AM - edited 02-12-2023 11:59 PM
Hi
I have a Cisco WLC 4400 linked to a SW 4500. The WLC is up and the SW too, but the APs can't join the WLC; the debug on the WLC gives the output below.
How can I fix that? The WLC is set to net server of the WS it is linked to.
*spamReceiveTask: Feb 12 08:48:41.017: 00:3a:98:77:fb:70 No entry exists for AP
*spamReceiveTask: Feb 12 08:48:41.017: 00:3a:98:77:fb:70 No AP entry exist in temporary database for
*spamReceiveTask: Feb 12 08:48:50.195: 00:3a:98:7c:ee:c0 DTLS connection not found, creating new connection for
*spamReceiveTask: Feb 12 08:48:50.313: 00:3a:98:7c:ee:c0 DTLS connection closed event receivedserver
*spamReceiveTask: Feb 12 08:48:50.313: 00:3a:98:7c:ee:c0 No entry exists for AP
*spamReceiveTask: Feb 12 08:48:50.313: 00:3a:98:7c:ee:c0 No AP entry exist in temporary database for
*spamReceiveTask: Feb 12 08:48:52.700: 00:3a:98:72:69:00 DTLS connection not found, creating new connection for
02-12-2023 01:37 PM
@kingstdz wrote:
and set time to before 2020 (example 2019)
That is not the correct method of fixing the problem. Please READ and UNDERSTAND the contents of the Field Notice.
If nobody wants to read the Field Notice, find someone else.
02-12-2023 11:39 PM
- By starting to read replies,
M.
02-12-2023 01:46 AM
Need to provide more information here:
1. What model of AP?
2. What code is running on the WLC?
3. Is there any AP working, or none of the APs work?
4. Can you connect the console to the AP and check what logs you are getting (post the logs here)?
5. Provide the below information and enable debug:
>show license in-use
>show sysinfo
>debug capwap events enable
>debug capwap packet enable
>debug capwap errors enable
>debug capwap detail enable
02-12-2023 06:59 AM
1. What model of AP? AP1100, 1300, 1242 and 2600
3. Is there any AP working, or none of the APs work? No
I'll give the others as soon as
02-12-2023 07:18 AM
The WLC 4400 is very, very old, and the last code release is 7.4.x. I really would look at migrating to another model that can support your APs, or maybe it's time for a full uplift. It's amazing that your controller and some of your APs are still functioning.
02-12-2023 01:36 PM
@kingstdz wrote:
how i can fix that cert
Read the Field Notice that I have provided.
02-12-2023 01:57 AM
02-12-2023 06:55 AM
Thanks for the reply.
How can I fix that cert? The cert is local on the WLC. I enabled web mode but I can't access the web interface to generate another cert; please show me how to.
AP 1100, 1242, 1300, and 2600 LAP
Thanks
02-12-2023 06:27 AM - edited 02-12-2023 06:28 AM
As @balaji.bandi says need more info but very likely the problem is expired certificate as per the FN link which @Leo Laohoo shared. You must follow all the steps in the field notice, in the correct order, to permanently resolve the issue. My summary from numerous previous posts:
Read this field notice through very carefully (twice if necessary) then follow all the instructions carefully in the right order:
https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html
I'll summarise it for the umpteenth time:
1. Upgrade to the latest version which supports your APs and WLC - probably 8.5.182.7
https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html#anc10
2. Apply the config workaround on the WLC
3. Disable WLC NTP and set time manually to before your certs expired
4. Allow all the APs to join, download new code, pick up the config workaround
5. Re-enable NTP
Note that it could be AP and/or WLC certs which have expired.
You should also make yourself aware of the other field notices and alerts mentioned in my signature below:
02-12-2023 07:36 AM - edited 02-12-2023 07:46 AM
In certificate:
Name: bsnSslWebadminCert
Type: Locally Generated
Serial Number: 1332271936
Valid: From 2020 Mar 25th, 00:00:01 GMT Until 2030 Mar 25th, 00:00:01 GMT
Subject Name: C=US, O=Cisco Systems Inc., OU=DeviceSSL (WebAdmin), CN=
Issuer Name: C=US, O=Cisco Systems Inc., OU=DeviceSSL (WebAdmin), CN=
MD5 Fingerprint: 4f:f1:4a:9b:06:44:31:1b:e2:08:83:ca:54:85:b9:99
SHA1 Fingerprint: 3b:ba:82:7f:f3:32:c6:00:9f:dd:aa:16:45:73:bd:a2:1f:fe:d9:80
Download SSL Certificate *
* Controller must be rebooted for the new certificate to take effect.
02-12-2023 08:13 AM
Hi,
Log from AP:
*Feb 12 15:09:18.115: %DTLS-3-BAD_RECORD: Erroneous record received from X.X.X.X: Malformed Certificate
*Feb 12 15:09:18.115: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to X.X.X.X:5246
*Feb 12 15:09:18.116: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
*Feb 12 15:10:22.084: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Feb 12 15:10:22.084: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Feb 12 15:10:22.134: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Feb 12 15:10:22.134: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Feb 12 15:10:22.135: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Feb 12 15:10:22.165: status of voice_diag_test from WLC is false
*Feb 12 15:10:22.166: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
*Feb 12 15:10:22.167: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
*Feb 12 15:10:22.173: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Feb 12 15:10:22.199: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Feb 12 15:10:32.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: X.X.X.X peer_port: 5246
*Feb 12 15:10:32.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Feb 12 15:10:32.116: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 70D0C3120000001E93A6) has expired. Validity period ended on 01:12:55 UTC Feb 6 2020
*Feb 12 15:10:32.118: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Feb 12 15:10:32.118: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Feb 12 15:10:32.118: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:352 Certificate verified failed!
*Feb 12 15:10:32.118: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: X.X.X.X
*Feb 12 15:10:32.118: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to X.X.X.X:5246
*Feb 12 15:10:32.119: %DTLS-3-BAD_RECORD: Erroneous record received from X.X.X.X: Malformed Certificate
*Feb 12 15:10:32.119: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to X.X.X.X:5246
02-12-2023 08:55 AM
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.240.0
RTOS Version..................................... 7.0.240.0
Bootloader Version............................... 4.2.205.0
Emergency Image Version.......................... N/A
Build Type....................................... DATA + WPS
System Name...................................... WLCpruebas
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.14179.1.1.4.3
02-12-2023 09:50 AM - edited 02-12-2023 09:50 AM
PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 70D0C3120000001E93A6) has expired. Validity period ended on 01:12:55 UTC Feb 6 2020
then it makes sense to use the Field Notice URL suggested:
https://www.cisco.com/c/en/us/support/docs/field-notices/725/fn72524.html
On the WLC check
> show certificate all
For testing :
> config time ntp delete 1
>config time manual mm/dd/yy HH:mm:sec (see if that fixes the issue - not recommended in production)
EDIT:
Your version of code is too old; try to uplift to the latest supported version.
02-12-2023 09:47 AM
On AP:
sh crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number: 00
Certificate Usage: General Purpose
Issuer:
ea=support@airespace.com
cn=ca
ou=none
o=airespace Inc
l=San Jose
st=California
c=US
Subject:
ea=support@airespace.com
cn=ca
ou=none
o=airespace Inc
l=San Jose
st=California
c=US
Validity Date:
start date: 23:38:55 UTC Feb 12 2003
end date: 23:38:55 UTC Nov 11 2012
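As an added example (not code from this thread, from Cisco, or from the field notice), the Python script below works over the two kinds of output posted earlier: the AP console log with its %PKI-3-CERTIFICATE_INVALID_EXPIRED line, and the "sh crypto pki certificates" validity blocks above. It pulls the expired serial number and expiry date out of the log, reads each certificate's validity window, reports whether a cert is valid, expired or not yet valid for a given clock, and computes a clock value that falls inside every window still available, which is the check behind step 3 of the field-notice summary (set the time to before the certs expired) before letting APs join. Both sample inputs are constructed: the CA block and the log line reuse the dates and serial quoted in the thread, while the second "Certificate" block and its dates are invented placeholders.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample 1: AP console lines in the format quoted in the thread
# (serial number and expiry date are the ones the original poster showed).
AP_SYSLOG = """\
*Feb 12 15:10:32.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Feb 12 15:10:32.116: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 70D0C3120000001E93A6) has expired. Validity period ended on 01:12:55 UTC Feb 6 2020
*Feb 12 15:10:32.118: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Feb 12 15:10:32.118: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to X.X.X.X:5246
"""

# Constructed sample 2: 'sh crypto pki certificates' output. The CA block uses
# the dates quoted in the thread; the second block is an invented device cert.
PKI_OUTPUT = """\
CA Certificate
  Status: Available
  Certificate Serial Number: 00
  Certificate Usage: General Purpose
  Validity Date:
    start date: 23:38:55 UTC Feb 12 2003
    end   date: 23:38:55 UTC Nov 11 2012
Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: General Purpose
  Validity Date:
    start date: 00:00:00 UTC Jan 1 2005
    end   date: 00:00:00 UTC Jan 1 2015
"""

EXPIRED_RE = re.compile(
    r"%PKI-3-CERTIFICATE_INVALID_EXPIRED:.*\(SN:\s*([0-9A-Fa-f]+)\).*?ended on\s+(.+?)\s*$"
)
HEADER_RE = re.compile(r"^\s*((?:[A-Za-z-]+\s)*Certificate)\s*$")
DATE_RE = re.compile(r"^\s*(start|end)\s+date:\s*(.+?)\s*$")


def parse_ios_time(text):
    """Parse an IOS timestamp such as '23:38:55 UTC Feb 12 2003' as aware UTC."""
    return datetime.strptime(text, "%H:%M:%S UTC %b %d %Y").replace(tzinfo=timezone.utc)


def find_expired_cert_events(log_text):
    """Return one dict per expired-certificate event found in AP syslog lines."""
    events = []
    for line in log_text.splitlines():
        m = EXPIRED_RE.search(line)
        if m:
            events.append({"serial": m.group(1), "expired_at": parse_ios_time(m.group(2))})
    return events


def parse_validity_windows(cert_text):
    """Read 'start date'/'end date' pairs out of show crypto pki certificates output."""
    windows, current = [], None
    for line in cert_text.splitlines():
        header = HEADER_RE.match(line)
        if header:  # a line such as 'CA Certificate' or 'Certificate' opens a block
            current = {"name": header.group(1), "start": None, "end": None}
            windows.append(current)
            continue
        date = DATE_RE.match(line)
        if date and current is not None:
            current[date.group(1)] = parse_ios_time(date.group(2))
    return [w for w in windows if w["start"] and w["end"]]


def cert_state(window, now):
    """Classify a certificate window against a clock value."""
    if now < window["start"]:
        return "not_yet_valid"
    if now >= window["end"]:
        return "expired"
    return "valid"


def suggest_manual_clock(windows, extra_end_dates=(), margin=timedelta(days=1)):
    """Pick a clock value inside every window (and before every logged expiry).

    Returns None when no single instant satisfies all windows, i.e. the
    'set the time back' step cannot make every certificate valid at once.
    """
    latest_start = max(w["start"] for w in windows)
    earliest_end = min(list(w["end"] for w in windows) + list(extra_end_dates))
    candidate = earliest_end - margin
    return candidate if candidate > latest_start else None


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for ev in find_expired_cert_events(AP_SYSLOG):
        print(f"AP log: cert SN {ev['serial']} expired {ev['expired_at'].isoformat()}")
    windows = parse_validity_windows(PKI_OUTPUT)
    for w in windows:
        print(f"{w['name']}: {cert_state(w, now)} ({w['start'].date()} to {w['end'].date()})")
    print("clock inside all windows:", suggest_manual_clock(windows))
```

The clock suggestion deliberately returns None when the windows do not overlap, because in that case no manual time setting lets every certificate in the chain verify at once and only the upgrade plus config workaround from the field notice will get the APs joined.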
02-12-2023 09:52 AM
Validity Date:
start date: 23:38:55 UTC Feb 12 2003
end date: 23:38:55 UTC Nov 11 2012
Update as per the suggested URL.
02-12-2023 10:30 AM
Thanks.
Any way to bypass the certification WLC---AP policy??