DTLS Error
05-27-2020 02:17 AM - edited 07-05-2021 12:06 PM
All,
I am getting the error below:
%DTLS-3-HANDSHAKE_FAILURE: [PA]openssl_dtls.c:3191 Failed to complete DTLS handshake with peer <AP IP>
I have a few APs connected over a Sat link. These were all online, and all of a sudden the APs went offline and started throwing this error for any AP connected from this site.
Any guidance in identifying the root cause? We have left the site with no wireless and it's important to get this up and running.
Controller - 5508
8.3.143 Version, in HA
05-27-2020 03:33 AM
- Make sure the Sat link has not worsened the latency value, for which a max value of 300ms is allowed for CAPWAP connections.
M.
-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '
05-27-2020 08:42 PM
The link RTT is always 550 to 600ms and it has worked in the past
05-27-2020 10:09 PM
*** Please rate helpful posts ***
05-27-2020 05:24 PM
Pls check your AP cert status. Pls check below for workaround
HTH
Rasika
*** Pls rate all useful responses ***
05-27-2020 06:43 PM
The WAP we have shows Manufacture date as 2019. So will this be an issue still?
Also we have set to ignore check on MIC/SSC.
(Cisco Controller) >show certificate summary
Web Administration Certificate................... 3rd Party
Web Authentication Certificate................... 3rd Party
Certificate compatibility mode:.................. off
Lifetime Check Ignore for MIC ................... Enable
Lifetime Check Ignore for SSC ................... Enable
05-27-2020 09:32 PM
What AP models are you having this issue with?
Is it possible to get some debugs filtered by an affected AP's Ethernet MAC address?
(WC01) >debug client <affected_ap_eth_mac>
(WC01) >debug capwap errors enable
(WC01) >debug capwap events enable
Pls note that using below command you can disable debugging
(WC01) >debug disable-all
HTH
Rasika
05-28-2020 01:21 AM
AP model is AIR-AP2802I-Z-K9.
Some logs
*spamApTask5: May 28 14:45:58.474: [PA] c4:b2:39:0b:bc:a0 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 300, MaxLicense=200 joined Aps =130
*spamApTask5: May 28 14:45:58.474: [PA] c4:b2:39:0b:bc:a0 apType = 56 apModel: AIR-AP2802I-Z-K9
*spamApTask5: May 28 14:45:58.474: [PA] c4:b2:39:0b:bc:a0 apType: Ox38 bundleApImageVer:
*spamApTask5: May 28 14:45:58.474: [PA] c4:b2:39:0b:bc:a0 Could not find image version of bundled AP(apType: 56)!!!
*spamApTask5: May 28 14:45:58.474: [PA] c4:b2:39:0b:bc:a0 Unable to get AP Bundled Version. Using Controller Version!!!
*spamApTask6: May 28 14:45:56.982: [PA] 50:2f:a8:81:24:80 Discovery Request from <ip>:5248
*spamApTask6: May 28 14:45:56.982: [PA] 50:2f:a8:81:24:80 ApModel: AIR-AP2802I-Z-K9
*spamApTask6: May 28 14:45:56.982: [PA] 50:2f:a8:81:24:80 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 300, MaxLicense=200 joined Aps =130
*spamApTask6: May 28 14:45:56.982: [PA] 50:2f:a8:81:24:80 a
*spamApTask6: May 28 14:45:56.982: [PA] 50:2f:a8:81:24:80 apType: Ox38 bundleApImageVer:
*spamApTask6: May 28 14:45:56.982: [PA] 50:2f:a8:81:24:80 Could not find image version of bundled AP(apType: 56)!!!
*spamApTask6: May 28 14:45:56.982: [PA] 50:2f:a8:81:24:80 Unable to get AP Bundled Version. Using Controller Version!!!
*spamApTask5: May 28 14:45:58.474: [PA] c4:b2:39:0b:bc:a0 Discovery Request from <ip>:5264
*spamApTask5: May 28 14:45:58.474: [PA] c4:b2:39:0b:bc:a0 ApModel: AIR-AP2802I-Z-K9
*spamApTask5: May 28 14:45:58.474: [PA] c4:b2:39:0b:bc:a0 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 300, MaxLicense=200 joined Aps =130
*spamApTask5: May 28 14:45:58.474: [PA] c4:b2:39:0b:bc:a0 apType = 56 apModel: AIR-AP2802I-Z-K9
*spamApTask5: May 28 14:45:58.474: [PA] c4:b2:39:0b:bc:a0 apType: Ox38 bundleApImageVer:
*spamApTask5: May 28 14:45:58.474: [PA] c4:b2:39:0b:bc:a0 Could not find image version of bundled AP(apType: 56)!!!
*spamApTask5: May 28 14:45:58.474: [PA] c4:b2:39:0b:bc:a0 Unable to get AP Bundled Version. Using Controller Version!!!
*spamApTask5: May 28 14:45:58.474: [PA] c4:b2:39:0b:bc:a0 Discovery Response sent to <ip> port 5264
*spamApTask5: May 28 14:45:58.474: [PA] c4:b2:39:0b:bc:a0 Discovery Response sent to <ip>:5264
05-28-2020 01:33 AM
Post the complete output of the WLC commands "sh sysinfo" and "sh time".
05-28-2020 02:43 AM
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.3.143.0
Bootloader Version............................... 1.0.20
Field Recovery Image Version..................... 7.6.101.1
Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2
OUI File Update Time............................. Sun Sep 07 10:44:07 IST 2014
Build Type....................................... DATA + WPS
System Name...................................... WLC
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
Redundancy Mode.................................. SSO
IP Address....................................... 10.180.x.x
IPv6 Address..................................... ::
Last Reset....................................... Software reset
System Up Time................................... 7 days 22 hrs 40 mins 40 secs
System Timezone Location......................... (GMT +8:00) HongKong, Bejing, Chongquing
System Stats Realtime Interval................... 5
--More-- or (q)uit
System Stats Normal Interval..................... 180
Configured Country............................... Multiple Countries : AU,GB,J2,KE,SG
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +40 C
External Temperature............................. +18 C
Fan Status....................................... OK
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 8
Number of Active Clients......................... 144
OUI Classification Failure Count................. 0
Burned-in MAC Address............................ 00:24:97:6A:03:00
Power Supply 1................................... Present, OK
Power Supply 2................................... Present, OK
Maximum number of APs supported.................. 500
System Nas-Id....................................
WLC MIC Certificate Types........................ SHA1
--More-- or (q)uit
(Cisco Controller) >
(Cisco Controller) >show time
Time............................................. Thu May 28 17:42:00 2020
Timezone delta................................... 0:0
Timezone location................................ (GMT +8:00) HongKong, Bejing, Chongquing
NTP Servers
NTP Polling Interval......................... 3600
Index NTP Key Index NTP Server Status NTP Msg Auth Status
------- ----------------------------------------------------------------------------------------------
1 0 NTP In Sync AUTH DISABLED
05-28-2020 04:29 AM
*** Please rate helpful posts ***
05-28-2020 02:44 AM
AIR-AP2802I-Z-K9 - Model
05-28-2020 02:46 AM
*spamApTask5: May 28 14:45:58.474: [PA] c4:b2:39:0b:bc:a0 Discovery Request from <ip>:5264
*spamApTask5: May 28 14:45:58.474: [PA] c4:b2:39:0b:bc:a0 ApModel: AIR-AP2802I-Z-K9
*spamApTask5: May 28 14:45:58.474: [PA] c4:b2:39:0b:bc:a0 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 300, MaxLicense=200 joined Aps =130
*spamApTask5: May 28 14:45:58.474: [PA] c4:b2:39:0b:bc:a0 apType = 56 apModel: AIR-AP2802I-Z-K9
*spamApTask5: May 28 14:45:58.474: [PA] c4:b2:39:0b:bc:a0 apType: Ox38 bundleApImageVer:
*spamApTask5: May 28 14:45:58.474: [PA] c4:b2:39:0b:bc:a0 Could not find image version of bundled AP(apType: 56)!!!
*spamApTask5: May 28 14:45:58.474: [PA] c4:b2:39:0b:bc:a0 Unable to get AP Bundled Version. Using Controller Version!!!
*spamApTask5: May 28 14:45:58.474: [PA] c4:b2:39:0b:bc:a0 Discovery Response sent to <ip> port 5264
*spamApTask5: May 28 14:45:58.474: [PA] c4:b2:39:0b:bc:a0 Discovery Response sent to <ip>:5264
05-28-2020 05:29 AM
If it is a 2802, you may be hitting the bug listed in the Field Notice below
CSCvb93909-AP-COS: AP not joining after enabling MIC certificate expiry check
https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html
If you are hitting this bug, an upgrade to 8.5.161.0 may be the fix
AP-COS APs can be fixed via CSCvb93909 in AireOS 8.5 and later
If an upgrade is not possible, you can try the workaround below
Workaround:
A temporary workaround is to set the WLC's date back (you will need to disable NTP, if enabled.)
If you have upgraded to software with this fix, then:
* configure "config ap cert-expiry-ignore mic enable" on the WLC
* set your date back, so that unfixed APs can join
* wait till all AP-COS APs have downloaded the fixed code, and have rebooted and rejoined
* now you can set the WLC date back to the current date
HTH
Rasika
*** Pls rate all useful responses ***
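
Added example, not part of any post in this thread: a small triage script that correlates the two log formats posted above (the `spamApTask` discovery debugs and the `%DTLS-3-HANDSHAKE_FAILURE` message) to list APs that the WLC answered during cleartext CAPWAP discovery but that then failed the DTLS handshake, which is the pattern that points at certificate validity or controller time rather than reachability. The sample lines are constructed, the 192.0.2.x addresses are placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the two formats posted in this thread;
# the IPs (192.0.2.x, documentation range) are placeholders, not thread data.
SAMPLE = """\
*spamApTask5: May 28 14:45:58.474: [PA] c4:b2:39:0b:bc:a0 Discovery Request from 192.0.2.10:5264
*spamApTask5: May 28 14:45:58.474: [PA] c4:b2:39:0b:bc:a0 Discovery Response sent to 192.0.2.10:5264
%DTLS-3-HANDSHAKE_FAILURE: [PA]openssl_dtls.c:3191 Failed to complete DTLS handshake with peer 192.0.2.10
*spamApTask6: May 28 14:45:56.982: [PA] 50:2f:a8:81:24:80 Discovery Request from 192.0.2.11:5248
%DTLS-3-HANDSHAKE_FAILURE: [PA]openssl_dtls.c:3191 Failed to complete DTLS handshake with peer 192.0.2.99
"""

MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
DISC_REQ = re.compile(MAC + r" Discovery Request from " + IP + r":\d+", re.I)
# The thread shows both "sent to <ip> port 5264" and "sent to <ip>:5264".
DISC_RSP = re.compile(MAC + r" Discovery Response sent to " + IP + r"(?::| port )\d+", re.I)
DTLS_FAIL = re.compile(r"%DTLS-3-HANDSHAKE_FAILURE:.*with peer " + IP)

def triage(log_text):
    """Return per-IP state: AP MAC (if seen), discovery progress, DTLS failure count."""
    peers = defaultdict(lambda: {"mac": None, "request": False,
                                 "response": False, "dtls_failures": 0})
    for line in log_text.splitlines():
        if m := DISC_REQ.search(line):
            peers[m["ip"]].update(mac=m["mac"].lower(), request=True)
        elif m := DISC_RSP.search(line):
            peers[m["ip"]].update(mac=m["mac"].lower(), response=True)
        elif m := DTLS_FAIL.search(line):
            # The DTLS message carries only the peer IP, so correlate on IP.
            peers[m["ip"]]["dtls_failures"] += 1
    return dict(peers)

def stuck_after_discovery(peers):
    """APs the WLC answered at discovery that then failed the DTLS handshake."""
    return sorted((p["mac"], ip) for ip, p in peers.items()
                  if p["response"] and p["dtls_failures"] > 0)

if __name__ == "__main__":
    state = triage(SAMPLE)
    for mac, ip in stuck_after_discovery(state):
        print(f"{mac} ({ip}): discovery OK, DTLS handshake failed "
              f"{state[ip]['dtls_failures']}x; check certificate validity and WLC clock")
```

A DTLS failure from an IP with no matching discovery line (192.0.2.99 in the sample) is kept in the state with `mac` set to `None`, so it can be reviewed separately instead of being attributed to an AP.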
