12-19-2017 05:01 AM - edited 07-05-2021 07:59 AM
Hi guys! I have the following question.
I need to replace a virtual WLC. There are about 40 APs, and they are connected to a vWLC running version 7.
I'd like to install a new vWLC running version 8 and move all the APs to the new controller. But I ran into the following issue: the AP does not connect to the new controller.
But it's really problematic, I need to connect to each AP and reset the config.
Maybe someone knows another way?
12-19-2017 08:41 AM
The AP may have an older SSC hash, either from an old installation or from joining other controllers. It is possible to configure the WLC to not validate SSC, allow APs to join the vWLC, then re-enable the validation again.
(Cisco Controller) >configure certificate ssc hash validation disable
12-20-2017 11:18 PM
It doesn't work for me.
(Cisco Controller) show>certificate ssc
SSC Hash validation.............................. Disabled.
SSC Device Certificate details:
Subject Name :
C=US, ST=California, L=San Jose, O=Cisco Virtual Wireless LAN Controller,
CN=DEVICE-vWLC-AIR-CTVM-K9-000C29D64621, emailAddress=support@vwlc.com
Validity :
Start : Feb 3 09:44:21 2016 GMT
End : Dec 12 09:44:21 2025 GMT
Hash key : 974a6fa856b4a7db60c9b15bfbb33c82822f45fe
(Cisco Controller) show>
*Dec 21 10:16:59.411: %CAPWAP-1-SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed.Peer certificate verification failed FFFFFFFF
*Dec 21 10:16:59.411: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Dec 21 10:16:59.411: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:467 Certificate verified failed!
*Dec 21 10:16:59.411: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.78.241:5246
*Dec 21 10:16:59.415: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.78.241:5246
*Dec 21 10:16:59.615: %CAPWAP-3-ERRORLOG: Invalid event 40 & state 3 combination.
*Dec 21 10:17:00.127: APAVC: Succeeded to activate all the STILE protocols.
03-06-2020 04:07 AM
03-06-2020 06:38 AM
03-06-2020 06:57 AM - edited 03-06-2020 07:04 AM
12-19-2017 11:40 AM - edited 12-19-2017 11:40 AM
Hi,
I have had the same problem when trying to move AP between controllers.
Instead of disabling certificate validation, try this on affected APs:
AP#clear capwap private-config
Thank you,
Mikolaj
12-20-2017 12:16 AM
12-19-2017 12:13 PM
12-20-2017 12:12 AM
Software Version | 8.1.120.0 |
APs are AIR-CAP1602I-E-K9, AIR-LAP1141N-E-K9, AIR-CAP702I-H-K9. I tested AIR-CAP702I.
12-20-2017 12:30 AM
12-20-2017 11:12 PM
*Dec 21 09:48:14.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.78.241 peer_port: 5246
*Dec 21 09:48:16.399: %CAPWAP-3-ERRORLOG: Failed to authorize controller using trust config.
*Dec 21 09:48:16.399: %CAPWAP-1-SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed.Peer certificate verification failed FFFFFFFF
*Dec 21 09:48:16.403: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Dec 21 09:48:16.403: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:467 Certificate verified failed!
*Dec 21 09:48:16.403: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.78.241:5246
*Dec 21 09:48:16.403: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.78.241:5246
*Dec 21 09:48:16.603: %CAPWAP-3-ERRORLOG: Invalid event 40 & state 3 combination.
*Dec 21 09:48:17.479: APAVC: Succeeded to activate all the STILE protocols.
12-25-2017 02:33 AM
Hi! Do you have any ideas?
12-25-2017 04:16 AM
Post the entire boot-up process. We want to see what the AP is doing.
12-25-2017 04:48 AM - edited 12-25-2017 04:49 AM
Boot from flash
IOS Bootloader - Starting system.
FLASH CHIP: Micronix MX25L256_35F
Xmodem file system is available.
flashfs[0]: 47 files, 9 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 31936000
flashfs[0]: Bytes used: 18721280
flashfs[0]: Bytes available: 13214720
flashfs[0]: flashfs fsck took 10 seconds.
Reading cookie from SEEPROM
Base Ethernet MAC address: 18:e7:28:35:f7:6d
************* loopback_mode = 0
Loading "flash:/ap1g2-k9w8-mx.152-4.JB5/ap1g2-k9w8-mx.152-4.JB5"...###################################
File "flash:/ap1g2-k9w8-mx.152-4.JB5/ap1g2-k9w8-mx.152-4.JB5" uncompressed and installed, entry point: 0x100000
executing...
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, C1600 Software (AP1G2-K9W8-M), Version 15.2(4)JB5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Thu 01-May-14 20:57 by prod_rel_team
Initializing flashfs...
FLASH CHIP: Micronix MX25L256_35F
flashfs[3]: 47 files, 9 directories
flashfs[3]: 0 orphaned files, 0 orphaned directories
flashfs[3]: Total bytes: 31808000
flashfs[3]: Bytes used: 18721280
flashfs[3]: Bytes available: 13086720
flashfs[3]: flashfs fsck took 10 seconds.
flashfs[3]: Initialization complete.
flashfs[4]: 0 files, 1 directories
flashfs[4]: 0 orphaned files, 0 orphaned directories
flashfs[4]: Total bytes: 11999232
flashfs[4]: Bytes used: 1024
flashfs[4]: Bytes available: 11998208
flashfs[4]: flashfs fsck took 0 seconds.
flashfs[4]: Initialization complete....done Initializing flashfs.
Radio0 present 8764B 8000 0 A8000000 A8010000 0
Rate table has 586 entries (20 legacy/160 11n/406 11ac)
POWER TABLE FILENAME = flash:/ap1g2-k9w8-mx.152-4.JB5/K2.bin
Radio1 present 8764B 8000 0 88000000 88010000 4
POWER TABLE FILENAME = flash:/ap1g2-k9w8-mx.152-4.JB5/K5.bin
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco AIR-CAP1602I-E-K9 (PowerPC) processor (revision B0) with 229366K/32768K bytes of memory.
Processor board ID FGL1807X1VJ
PowerPC CPU at 533MHz, revision number 0x2151
Last reset from power-on
LWAPP image version 7.6.120.0
1 Gigabit Ethernet interface
2 802.11 Radios
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 18:E7:28:35:F7:6D
Part Number : 73-14671-04
PCA Assembly Number : 000-00000-00
PCA Revision Number :
PCB Serial Number : FOC18045UZW
Top Assembly Part Number : 800-38552-01
Top Assembly Serial Number : FGL1807X1VJ
Top Revision Number : A0
Product/Model Number : AIR-CAP1602I-E-K9
% Please define a domain-name first.
Press RETURN to get started!
*Mar 1 00:00:12.231: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed (11)
*Mar 1 00:00:13.227: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed (1-4)
*Mar 1 00:00:13.227: Registering HW DTLS
APAVC: Initial WLAN Buffers Given to System is 2500
APAVC: WlanPAKs 9355 RadioPaks 8747
*Mar 1 00:00:14.943: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0 (4)
*Mar 1 00:00:15.671: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:16.147: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1 (4)
*Mar 1 00:00:16.387: Wait until the stile protocol list is initialized.
*Mar 1 00:00:19.395: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:30.735: Start STILE Activation
*Dec 25 15:44:32.007: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C1600 Software (AP1G2-K9W8-M), Version 15.2(4)JB5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Thu 01-May-14 20:57 by prod_rel_team
*Dec 25 15:44:32.007: %SNMP-5-COLDSTART: SNMP agent on host Architects is undergoing a cold start
*Dec 25 15:44:32.507: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up%Default route without gateway, if not a point-to-point interface, may impact performance
*Dec 25 15:44:32.743: Starting Ethernet promiscuous mode
*Dec 25 15:44:32.951: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Dec 25 15:44:33.355: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Dec 25 15:44:39.147: %SSH-5-ENABLED: SSH 2.0 has been enabledlwapp_crypto_init: MIC Present and Parsed Successfully
*Dec 25 15:44:45.519: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 25 15:44:45.519: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Dec 25 15:44:50.743: %LWAPP-3-LWAPP_INTERFACE_GOT_IP_ADDRESS: Interface BVI1 obtained IP from DHCP...
*Dec 25 15:44:50.947: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 192.168.78.95, mask 255.255.255.0, hostname Architects
*Dec 25 15:44:50.947: %LWAPP-3-LWAPP_INTERFACE_GOT_IP_ADDRESS: Interface BVI1 obtained IP from DHCP...
*Dec 25 15:44:55.171: Logging LWAPP message to 255.255.255.255.
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (192.168.78.1)
*Dec 25 15:45:07.051: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Dec 25 15:45:07.451: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
*Dec 25 15:45:17.575: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Dec 25 15:47:48.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.78.241 peer_port: 5246
*Dec 25 15:47:50.411: %CAPWAP-3-ERRORLOG: Failed to authorize controller using trust config.
*Dec 25 15:47:50.411: %CAPWAP-1-SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed.Peer certificate verification failed FFFFFFFF
*Dec 25 15:47:50.415: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Dec 25 15:47:50.415: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:467 Certificate verified failed!
*Dec 25 15:47:50.415: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.78.241:5246
*Dec 25 15:47:50.415: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.78.241:5246
*Dec 25 15:47:50.615: %CAPWAP-3-ERRORLOG: Invalid event 40 & state 3 combination.
*Dec 25 15:47:51.535: APAVC: Succeeded to activate all the STILE protocols.
*Dec 25 15:47:51.535: APAVC: Registering with CFT
APAVC: CFT registration of delete callback succeeded
APAVC: Reattaching Original Buffer pool for system use
Pool-ReAtach: paks 9355 radio8747
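Added example, not part of any post in this thread: a Python triage script that groups AP console lines like those posted above into CAPWAP join attempts and reports which controller addresses the AP rejected on SSC validation, which helps when checking many APs against a new controller. The sample log is constructed from the message formats shown in the thread; the second controller address (192.168.78.240), the result labels and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the format of the AP console output posted in this thread.
# 192.168.78.240 is a made-up second controller with no verdict logged yet.
SAMPLE_LOG = """\
*Dec 21 09:48:14.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.78.241 peer_port: 5246
*Dec 21 09:48:16.399: %CAPWAP-3-ERRORLOG: Failed to authorize controller using trust config.
*Dec 21 09:48:16.399: %CAPWAP-1-SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed.Peer certificate verification failed FFFFFFFF
*Dec 21 09:48:16.403: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.78.241:5246
*Dec 21 09:48:16.603: %CAPWAP-3-ERRORLOG: Invalid event 40 & state 3 combination.
*Dec 21 09:50:02.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.78.240 peer_port: 5246
"""

# "*Mon DD HH:MM:SS.mmm: %FACILITY-SEV-MNEMONIC: message" (the %TAG part is optional)
LINE = re.compile(r"^\*(?P<ts>\w{3}\s+\d+ [\d:.]+): "
                  r"(?:%(?P<tag>[A-Z0-9_]+-\d-[A-Z0-9_]+): )?(?P<msg>.*)$")
REQ = re.compile(r"peer_ip: (?P<ip>[\d.]+) peer_port: (?P<port>\d+)")
ALERT = re.compile(r"Send FATAL : (?P<alert>.+?) Alert to (?P<ip>[\d.]+):\d+")

def join_attempts(log_text):
    """Split a log into join attempts; each DTLSREQSEND line opens a new one."""
    attempts, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner text, blank lines, untimestamped output
        tag, msg = m["tag"], m["msg"]
        req = REQ.search(msg) if tag == "CAPWAP-5-DTLSREQSEND" else None
        if req:
            current = {"start": m["ts"], "controller": req["ip"],
                       "result": "no-verdict", "alerts": []}
            attempts.append(current)
        elif current is None:
            continue  # ignore lines seen before the first join attempt
        elif tag == "CAPWAP-1-SSC_CERT_AUTH_FAILED":
            current["result"] = "ap-rejected-controller-ssc"
        elif tag == "DTLS-5-SEND_ALERT":
            alert = ALERT.search(msg)
            if alert and alert["ip"] == current["controller"]:
                current["alerts"].append(alert["alert"])
    return attempts

def rejected_controllers(log_text):
    """Count SSC validation failures per controller address."""
    return dict(Counter(a["controller"] for a in join_attempts(log_text)
                        if a["result"] == "ap-rejected-controller-ssc"))

if __name__ == "__main__":
    print(rejected_controllers(SAMPLE_LOG))
```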