01-16-2021 05:05 AM - edited 07-05-2021 01:01 PM
Hi all
Device info as below:
WLC-5508 controller running 8.5.164.216
WLC-9800 controller running 17.3.2a
The situation:
After configuring the mobility settings, the status displayed is: Control Path Down
From the WLC-9800 show logg, I found that the WLC-5508's MIC is expired:
Jan 16 12:40:22.264: %DTLS_TRACE_MSG-3-WLC_DTLS_ERR: Chassis 2 R0/0: mobilityd: DTLS Error, session:10.36.197.177[16666], Certificate validation failed
Jan 16 12:40:52.263: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 16D8553C000000119DEC) has expired. Validity period ended on 2020-11-23T17:58:29Z
Jan 16 12:40:52.265: %CERT_MGR_ERRMSG-3-CERT_VALIDATION_ERR: Chassis 2 R0/0: mobilityd: Certificate Validation Error, Cert validation status:pki_ssl_status@pki_ssl_status:PKI_SSL_ERROR
Is there any way to let the WLC-9800 ignore the expired MIC?
I have already executed the command on the WLC-5508: config ap cert-expiry-ignore mic enable
--------------------------------------------------------------------------
Other information:
WLC-5508
(TPE-WLC-5508-6) >show mobility summary encryption
Mobility Number of Mobility members configure.... 2
MAC Address IP Address Group Name Secure Data Encryption Status
1c:df:0f:c7:02:c0 10.36.197.177 Foxconn-RF N/A N/A Up
4c:e1:75:02:32:eb 10.5.100.9 Cisco Enabled Disabled Control Path Down
(TPE-WLC-5508-6) >show mobility summary
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... Foxconn-RF
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0xd58a
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 48
Controllers configured in the Mobility Group
MAC Address IP Address Group Name Multicast IP Status
1c:df:0f:c7:02:c0 10.36.197.177 Foxconn-RF 0.0.0.0 Up
4c:e1:75:02:32:eb 10.5.100.9 Cisco 0.0.0.0 Control Path Down
WLC-9800
WLC01-C9800-40#show wireless management trustpoint
Trustpoint Name : CISCO_IDEVID_SUDI
Certificate Info : Available
Certificate Type : MIC
Certificate Hash : 585d9f405a1cf79f7c5cf752a1eb0bec33874d1f
Private key Info : Available
FIPS suitability : Not Applicable
!
WLC01-C9800-40#show wireless mobilit summary
Mobility Summary
Wireless Management VLAN: 100
Wireless Management IP Address: 10.5.100.9
Wireless Management IPv6 Address:
Mobility Control Message DSCP Value: 48
Mobility Keepalive Interval/Count: 10/3
Mobility Group Name: Cisco
Mobility Multicast Ipv4 address: 0.0.0.0
Mobility Multicast Ipv6 address: ::
Mobility MAC Address: 4ce1.7502.32eb
Mobility Domain Identifier: 0xdc29
Controllers configured in the Mobility Domain:
IP Public Ip MAC Address Group Name Multicast IPv4 Multicast IPv6 Status PMTU
------------------ ------------------------------------------------------------------------------
10.5.100.9 N/A 4ce1.7502.32eb Cisco 0.0.0.0 :: N/A N/A
10.36.197.177 10.36.197.177 1cdf.0fc7.02c0 Foxconn-RF 0.0.0.0 :: Control Path Down 1385
12-14-2023 07:27 AM
What version of software on 5508?
What version of software on 9800?
12-14-2023 07:36 AM
C9800 - 17.6.4
C5508- 8.3.143.0
12-14-2023 08:06 AM
Upgrade 9800 as per TAC recommended link below - currently 17.9.4 + SMU_CSCwh87343 + APSP (as needed) OR 17.9.4a + APSP(as needed) for all deployments.
8.3.143.0 does not support IRCM with 9800! Upgrade to 8.5.182.108 and check the compatibility matrix (below) for AP compatibility.