How to move APs to other controller

sand-max83
Level 1

Hi guys! I have the following question.

I need to replace a virtual WLC. There are about 40 APs, and they are connected to a vWLC running version 7.

I'd like to install a new vWLC running version 8 and move all APs to the new controller. But I ran into the following issue: the APs do not connect to the new controller.

Problem: %CAPWAP-1-SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed

But it's really problematic; I would need to connect to each AP and reset its config.

Maybe someone knows another way?

17 Replies

marce1000
VIP

Ref : https://www.cisco.com/c/en/us/support/docs/wireless/virtual-wireless-controller/113677-virtual-wlan-dg-00.html#hash

The AP may have an older SSC hash, either from an old installation or from joining other controllers. It is possible to configure the WLC to not validate the SSC, allow the APs to join the vWLC, and then re-enable the validation again.

(Cisco Controller) >configure certificate ssc hash validation disable

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

It doesn't work for me.

(Cisco Controller) show>certificate ssc
SSC Hash validation.............................. Disabled.
SSC Device Certificate details:
         Subject Name :
                 C=US, ST=California, L=San Jose, O=Cisco Virtual Wireless LAN Controller,
                 CN=DEVICE-vWLC-AIR-CTVM-K9-000C29D64621, emailAddress=support@vwlc.com
         Validity :
                 Start : Feb  3 09:44:21 2016 GMT
                 End   : Dec 12 09:44:21 2025 GMT
         Hash key : 974a6fa856b4a7db60c9b15bfbb33c82822f45fe
(Cisco Controller) show>

*Dec 21 10:16:59.411: %CAPWAP-1-SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed.Peer certificate verification failed FFFFFFFF

*Dec 21 10:16:59.411: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Dec 21 10:16:59.411: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:467 Certificate verified failed!
*Dec 21 10:16:59.411: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.78.241:5246
*Dec 21 10:16:59.415: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.78.241:5246
*Dec 21 10:16:59.615: %CAPWAP-3-ERRORLOG: Invalid event 40 & state 3 combination.
*Dec 21 10:17:00.127: APAVC: Succeeded to activate all the STILE protocols.

Is it possible to move an AP to another WLC just by changing the addresses of the main and secondary controllers on the High Availability tab? Because in my case this scheme doesn't work (((

Maybe I'm wrong, but I changed the IP of the main WLC, applied it and rebooted the AP by power-cycling it.

That is the way to soft-move APs to another controller. The controller needs to have an image that is supported by the access point, and the AP needs to have connectivity to the WLC. The name of the controller is case sensitive, so make sure it matches the system name. If it doesn't join the other controller, you can console into the AP and review the output. The output will tell you what the AP is doing and any errors.
-Scott
*** Please rate helpful posts ***

"The name of the controller is case sensitive so make sure it matches the system name" - does this mean that I should specify the new WLC name exactly as the primary controller in the High Availability tab? If the system name of the new WLC is wlc_mps_main, should I write it exactly as is?

Mikolaj Moryto
Level 1

Hi,

I have had the same problem when trying to move AP between controllers.

Instead of disabling certificate validation, try this on affected APs:

AP#clear capwap private-config

Thank you,

Mikolaj

Me too, and it worked, but I have a lot of installed APs and it is not convenient for me.

Leo Laohoo
Hall of Fame
What are the different APs and what exactly is the new vWLC firmware running on?

Software Version 8.1.120.0

The APs are AIR-CAP1602I-E-K9, AIR-LAP1141N-E-K9 and AIR-CAP702I-H-K9. I tested an AIR-CAP702I.

Configure the AP to go to the new controller.
Console into the AP and reboot the AP.
Post the entire boot-up process. We want to see what the AP is doing.

*Dec 21 09:48:14.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.78.241 peer_port: 5246
*Dec 21 09:48:16.399: %CAPWAP-3-ERRORLOG: Failed to authorize controller using trust config.
*Dec 21 09:48:16.399: %CAPWAP-1-SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed.Peer certificate verification failed FFFFFFFF

*Dec 21 09:48:16.403: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Dec 21 09:48:16.403: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:467 Certificate verified failed!
*Dec 21 09:48:16.403: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.78.241:5246
*Dec 21 09:48:16.403: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.78.241:5246
*Dec 21 09:48:16.603: %CAPWAP-3-ERRORLOG: Invalid event 40 & state 3 combination.
*Dec 21 09:48:17.479: APAVC: Succeeded to activate all the STILE protocols.

Hi! Do you have any ideas?

Post the entire boot-up process. We want to see what the AP is doing.

Boot from flash

IOS Bootloader - Starting system.
 FLASH CHIP: Micronix MX25L256_35F
Xmodem file system is available.
flashfs[0]: 47 files, 9 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 31936000
flashfs[0]: Bytes used: 18721280
flashfs[0]: Bytes available: 13214720
flashfs[0]: flashfs fsck took 10 seconds.
Reading cookie from SEEPROM
Base Ethernet MAC address: 18:e7:28:35:f7:6d
 ************* loopback_mode = 0
Loading "flash:/ap1g2-k9w8-mx.152-4.JB5/ap1g2-k9w8-mx.152-4.JB5"...###################################
File "flash:/ap1g2-k9w8-mx.152-4.JB5/ap1g2-k9w8-mx.152-4.JB5" uncompressed and installed, entry point: 0x100000
executing...

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706



Cisco IOS Software, C1600 Software (AP1G2-K9W8-M), Version 15.2(4)JB5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Thu 01-May-14 20:57 by prod_rel_team

Initializing flashfs...
 FLASH CHIP: Micronix MX25L256_35F

flashfs[3]: 47 files, 9 directories
flashfs[3]: 0 orphaned files, 0 orphaned directories
flashfs[3]: Total bytes: 31808000
flashfs[3]: Bytes used: 18721280
flashfs[3]: Bytes available: 13086720
flashfs[3]: flashfs fsck took 10 seconds.
flashfs[3]: Initialization complete.
flashfs[4]: 0 files, 1 directories
flashfs[4]: 0 orphaned files, 0 orphaned directories
flashfs[4]: Total bytes: 11999232
flashfs[4]: Bytes used: 1024
flashfs[4]: Bytes available: 11998208
flashfs[4]: flashfs fsck took 0 seconds.
flashfs[4]: Initialization complete....done Initializing flashfs.

Radio0  present 8764B 8000 0 A8000000 A8010000 0
Rate table has 586 entries (20 legacy/160 11n/406 11ac)

POWER TABLE FILENAME = flash:/ap1g2-k9w8-mx.152-4.JB5/K2.bin

Radio1  present 8764B 8000 0 88000000 88010000 4
POWER TABLE FILENAME = flash:/ap1g2-k9w8-mx.152-4.JB5/K5.bin

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-CAP1602I-E-K9 (PowerPC) processor (revision B0) with 229366K/32768K bytes of memory.
Processor board ID FGL1807X1VJ
PowerPC CPU at 533MHz, revision number 0x2151
Last reset from power-on
LWAPP image version 7.6.120.0
1 Gigabit Ethernet interface
2 802.11 Radios

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 18:E7:28:35:F7:6D
Part Number                          : 73-14671-04
PCA Assembly Number                  : 000-00000-00
PCA Revision Number                  :
PCB Serial Number                    : FOC18045UZW
Top Assembly Part Number             : 800-38552-01
Top Assembly Serial Number           : FGL1807X1VJ
Top Revision Number                  : A0
Product/Model Number                 : AIR-CAP1602I-E-K9
% Please define a domain-name first.


Press RETURN to get started!


*Mar  1 00:00:12.231: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed (11)
*Mar  1 00:00:13.227: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed (1-4)
*Mar  1 00:00:13.227: Registering HW DTLS
APAVC: Initial WLAN Buffers Given to System is  2500
APAVC:  WlanPAKs 9355 RadioPaks  8747

*Mar  1 00:00:14.943: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0 (4)
*Mar  1 00:00:15.671: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar  1 00:00:16.147: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1 (4)
*Mar  1 00:00:16.387: Wait until the stile protocol list is initialized.

*Mar  1 00:00:19.395: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar  1 00:00:30.735: Start STILE Activation

*Dec 25 15:44:32.007: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C1600 Software (AP1G2-K9W8-M), Version 15.2(4)JB5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Thu 01-May-14 20:57 by prod_rel_team
*Dec 25 15:44:32.007: %SNMP-5-COLDSTART: SNMP agent on host Architects is undergoing a cold start
*Dec 25 15:44:32.507: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up%Default route without gateway, if not a point-to-point interface, may impact performance
*Dec 25 15:44:32.743: Starting Ethernet promiscuous mode
*Dec 25 15:44:32.951: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Dec 25 15:44:33.355: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Dec 25 15:44:39.147: %SSH-5-ENABLED: SSH 2.0 has been enabledlwapp_crypto_init: MIC Present and Parsed Successfully

*Dec 25 15:44:45.519: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 25 15:44:45.519: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Dec 25 15:44:50.743: %LWAPP-3-LWAPP_INTERFACE_GOT_IP_ADDRESS: Interface BVI1 obtained IP from DHCP...
*Dec 25 15:44:50.947: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 192.168.78.95, mask 255.255.255.0, hostname Architects

*Dec 25 15:44:50.947: %LWAPP-3-LWAPP_INTERFACE_GOT_IP_ADDRESS: Interface BVI1 obtained IP from DHCP...
*Dec 25 15:44:55.171: Logging LWAPP message to 255.255.255.255.

Translating "CISCO-CAPWAP-CONTROLLER"...domain server (192.168.78.1)

*Dec 25 15:45:07.051: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Dec 25 15:45:07.451: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
*Dec 25 15:45:17.575: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Dec 25 15:47:48.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.78.241 peer_port: 5246
*Dec 25 15:47:50.411: %CAPWAP-3-ERRORLOG: Failed to authorize controller using trust config.
*Dec 25 15:47:50.411: %CAPWAP-1-SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed.Peer certificate verification failed FFFFFFFF

*Dec 25 15:47:50.415: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Dec 25 15:47:50.415: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:467 Certificate verified failed!
*Dec 25 15:47:50.415: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.78.241:5246
*Dec 25 15:47:50.415: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.78.241:5246
*Dec 25 15:47:50.615: %CAPWAP-3-ERRORLOG: Invalid event 40 & state 3 combination.
*Dec 25 15:47:51.535: APAVC: Succeeded to activate all the STILE protocols.

*Dec 25 15:47:51.535: APAVC: Registering with CFT
APAVC: CFT registration of delete callback succeeded
APAVC: Reattaching  Original Buffer pool for system use
Pool-ReAtach: paks 9355 radio8747
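The thread boils down to reading two things side by side: the WLC's `show certificate ssc` output and the AP's console log during the join attempt. The following is an added triage script, not code from the thread or from Cisco. It parses both (the sample inputs below are constructed from lines copied out of this thread), extracts the controller the AP tried to join, whether the AP itself rejected the controller certificate at the DTLS handshake, whether WLC-side hash validation is already off, and whether the WLC's self-signed certificate has expired. The syslog and `show` regexes, the `WlcSsc` dataclass and the `SAMPLE_NOW` reference date are my own assumptions, not Cisco formats guaranteed to be stable across releases.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input: WLC `show certificate ssc` output, values copied from the thread.
WLC_SSC_OUTPUT = """\
SSC Hash validation.............................. Disabled.
SSC Device Certificate details:
         Subject Name :
                 C=US, ST=California, L=San Jose, O=Cisco Virtual Wireless LAN Controller,
                 CN=DEVICE-vWLC-AIR-CTVM-K9-000C29D64621, emailAddress=support@vwlc.com
         Validity :
                 Start : Feb  3 09:44:21 2016 GMT
                 End   : Dec 12 09:44:21 2025 GMT
         Hash key : 974a6fa856b4a7db60c9b15bfbb33c82822f45fe
"""

# Constructed sample input: AP console excerpt, lines copied from the thread.
AP_LOG = """\
*Dec 25 15:47:48.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.78.241 peer_port: 5246
*Dec 25 15:47:50.411: %CAPWAP-3-ERRORLOG: Failed to authorize controller using trust config.
*Dec 25 15:47:50.411: %CAPWAP-1-SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed.Peer certificate verification failed FFFFFFFF
*Dec 25 15:47:50.415: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.78.241:5246
*Dec 25 15:47:51.535: APAVC: Succeeded to activate all the STILE protocols.
"""

# Assumed reference date for the expiry check (the AP log carries no year).
SAMPLE_NOW = datetime(2017, 12, 25)

# Assumed IOS-style syslog shape: "*Mon DD HH:MM:SS.mmm: %FAC-SEV-MNEMONIC: text"
SYSLOG_RE = re.compile(
    r"^\*(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d\.\d+): "
    r"(?:%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): )?(?P<msg>.*)$"
)


@dataclass
class WlcSsc:
    validation_enabled: bool
    cn: str
    hash_key: str
    not_after: datetime


def parse_wlc_ssc(text: str) -> WlcSsc:
    """Extract the operator-relevant fields from `show certificate ssc`."""
    state = re.search(r"SSC Hash validation\.+\s*(\w+)", text).group(1)
    cn = re.search(r"CN=([^,\s]+)", text).group(1)
    hash_key = re.search(r"Hash key\s*:\s*([0-9a-fA-F]+)", text).group(1).lower()
    end = re.search(r"End\s*:\s*(.+?)\s*GMT", text).group(1)
    if not re.fullmatch(r"[0-9a-f]{40}", hash_key):
        # The hash the thread shows is 40 hex digits; anything else is a parse problem.
        raise ValueError(f"unexpected SSC hash format: {hash_key!r}")
    not_after = datetime.strptime(" ".join(end.split()), "%b %d %H:%M:%S %Y")
    return WlcSsc(state.lower() == "enabled", cn, hash_key, not_after)


def parse_ap_log(text: str) -> list:
    """Return one dict per recognised syslog line; non-matching lines are skipped."""
    return [m.groupdict() for m in map(SYSLOG_RE.match, text.splitlines()) if m]


def triage(ap_log: str, wlc_ssc: str, now: datetime) -> dict:
    """Correlate the AP's join attempt with the WLC's SSC state and list findings."""
    wlc = parse_wlc_ssc(wlc_ssc)
    peer, ssc_failed, ap_sent_bad_cert = None, False, False
    for ev in parse_ap_log(ap_log):
        if ev["mnem"] == "DTLSREQSEND":
            m = re.search(r"peer_ip: (\S+)", ev["msg"])
            peer = m.group(1) if m else peer
        elif ev["mnem"] == "SSC_CERT_AUTH_FAILED":
            ssc_failed = True
        elif ev["mnem"] == "SEND_ALERT" and "Bad certificate" in ev["msg"]:
            ap_sent_bad_cert = True
    expired = now > wlc.not_after
    findings = []
    if ssc_failed and ap_sent_bad_cert:
        findings.append(f"The AP rejected the controller certificate during the DTLS handshake "
                        f"(it sent the Bad certificate alert to {peer}); the trust state to fix is on the AP.")
    if ssc_failed and not wlc.validation_enabled:
        findings.append("WLC-side SSC hash validation is already disabled, so disabling it "
                        "(the first suggestion in the thread) cannot be the missing step.")
    if ssc_failed:
        findings.append("Per the thread, clear the AP's stored CAPWAP trust with "
                        "'clear capwap private-config' on the AP console, then let it re-join.")
    if expired:
        findings.append(f"WLC SSC certificate expired on {wlc.not_after:%Y-%m-%d}; regenerate it first.")
    return {"controller_ip": peer, "ssc_failure": ssc_failed, "ap_sent_bad_cert": ap_sent_bad_cert,
            "wlc_validation_enabled": wlc.validation_enabled, "wlc_ssc_hash": wlc.hash_key,
            "wlc_cn": wlc.cn, "wlc_cert_expired": expired, "findings": findings}


if __name__ == "__main__":
    for line in triage(AP_LOG, WLC_SSC_OUTPUT, SAMPLE_NOW)["findings"]:
        print("-", line)
```

Run it against a real `show certificate ssc` capture and a console log from a failing AP; the point of the correlation is that `SSC_CERT_AUTH_FAILED` together with the AP sending the `Bad certificate` alert tells you the rejection happens on the AP, which is why the WLC-side `hash validation disable` did nothing for the original poster while `clear capwap private-config` on each AP did.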
