01-29-2014 07:03 PM - edited 07-05-2021 12:04 AM
Good day!
I am trying to migrate from WLC2112 to vWLC, but none of my APs can connect to the vWLC:
AIR-LAP1242G-E-K9
AIR-LAP1131AG-E-K9
AIR-LAP1131G-E-K9
AIR-LAP1041N-E-K9
AIR-LAP1262N-R-K9
Log from the 1131AG (I think the other APs have the same logs):
*Jan 29 12:57:17.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.10.10 peer_port: 5246
*Jan 29 12:57:17.016: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Jan 29 12:57:17.017: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Jan 29 12:57:17.017: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:352 Certificate verified failed!
*Jan 29 12:57:17.017: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 10.10.10.10
*Jan 29 12:57:17.017: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.10.10.10:5246
*Jan 29 12:57:17.017: %DTLS-3-BAD_RECORD: Erroneous record received from 10.10.10.10: Malformed Certificate
*Jan 29 12:57:17.018: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.10.10:5246
*Jan 29 12:57:17.018: CAPWAP_DETAIL: Dtls Event = 38 Capwap State = 3.
*Jan 29 12:57:17.018: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
Log from vWLC:
spamApTask6: Jan 29 20:37:33.422: sshpmGetCertFromCID: comparing to row 2, certname >cscoDefaultIdCert<
*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: called to evaluate <cscoDefaultIdCert>
*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<
*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<
*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<
*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<
*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<
*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<
*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<
*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<
*spamApTask6: Jan 29 20:37:33.422: sshpmGetSshPrivateKeyFromCID: called to get key for CID 1c1639ba
*spamApTask6: Jan 29 20:37:33.422: sshpmGetSshPrivateKeyFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<
*spamApTask6: Jan 29 20:37:33.422: sshpmGetSshPrivateKeyFromCID: comparing to row 1, certname >bsnDefaultIdCert<
*spamApTask6: Jan 29 20:37:33.422: sshpmGetSshPrivateKeyFromCID: comparing to row 2, certname >cscoDefaultIdCert<
*spamApTask6: Jan 29 20:37:33.422: sshpmGetSshPrivateKeyFromCID: match in row 2
*spamApTask6: Jan 29 20:37:33.433: ab:cd:ef:12:34:56 DTLS connection was closed
*spamApTask6: Jan 29 20:37:33.433: ab:cd:ef:12:34:56 Discarding non-ClientHello Handshake OR DTLS encrypted packet from 10.10.10.11:32152)since DTLS session is not established
As a solution I found:
1) Disable SSC Hash Validation - did not work
2) Synchronize time on vWLC and APs - did not work
Does anyone have any ideas? Thanks in advance!
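A small triage script for AP console output like the log in the question above, added here as an illustration and not posted by any participant in the thread: it groups the `%FACILITY-SEVERITY-MNEMONIC` messages by controller IP and lists the controllers whose certificate the AP rejected. The sample lines are constructed from the ones in the post (the 10.10.10.20 peer is made up), and `triage` and `cert_rejected` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the AP console lines in the post above.
SAMPLE_LOG = """\
*Jan 29 12:57:17.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.10.10 peer_port: 5246
*Jan 29 12:57:17.016: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Jan 29 12:57:17.017: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 10.10.10.10
*Jan 29 12:57:17.017: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.10.10.10:5246
*Jan 29 12:58:20.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.10.20 peer_port: 5246
*Jan 29 12:58:21.500: CAPWAP_DETAIL: Dtls Event = 38 Capwap State = 3.
"""

# "*<timestamp>: %FACILITY-SEVERITY-MNEMONIC: text"
MSG_RE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+ [\d:.]+): "
    r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mn>[A-Z0-9_]+): (?P<text>.*)$")
# The three ways these messages name the controller.
IP_RE = re.compile(r"(?:peer_ip: |Peer IP: |Alert to )(\d{1,3}(?:\.\d{1,3}){3})")

def triage(log_text):
    """Return {controller_ip: {"attempts": n, "bad_cert": n, "alerts": [...]}}."""
    peers = defaultdict(lambda: {"attempts": 0, "bad_cert": 0, "alerts": []})
    for line in log_text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue  # debug lines without a %FAC-SEV-MNEMONIC tag
        ip = IP_RE.search(m["text"])
        if not ip:
            continue  # message does not name a peer
        entry = peers[ip.group(1)]
        key = (m["fac"], m["mn"])
        if key == ("CAPWAP", "DTLSREQSEND"):
            entry["attempts"] += 1
        elif key == ("DTLS", "BAD_CERT"):
            entry["bad_cert"] += 1
        elif key == ("DTLS", "SEND_ALERT"):
            entry["alerts"].append(m["text"].split(" Alert to ")[0])
    return dict(peers)

def cert_rejected(peers):
    """Controllers whose certificate the AP rejected on every join attempt."""
    return sorted(ip for ip, e in peers.items()
                  if e["attempts"] and e["bad_cert"] >= e["attempts"])

if __name__ == "__main__":
    print(cert_rejected(triage(SAMPLE_LOG)))
```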
01-29-2014 07:12 PM
Do you have any other checkbox enabled on the vWLC AP policy? It does seem the time is off but you have checked that already. The 1262 is what I would test with first.
Sent from Cisco Technical Support iPhone App
01-29-2014 07:53 PM
AP policy:
01-29-2014 08:44 PM
Must be something wrong with your vWLC. You have Promiscuous mode set up on the VM?
01-29-2014 08:47 PM
I found that I need to manually upgrade the APs' software to version 7.3. (Now 7.0.240.0)
01-29-2014 08:53 PM
Yeah but there is more to it. You need to also add the hash. If the APs have the v15 RCV image, you wouldn't need the hash.
http://www.cisco.com/en/US/products/ps12723/products_tech_note09186a0080bd2d04.shtml#considerations
Also I don't know if non-802.11n APs are supported because it also mentions that in the doc.
01-29-2014 08:58 PM
Here is a support doc also
https://supportforums.cisco.com/docs/DOC-26765
01-29-2014 09:50 PM
Do you know how to manually upgrade the AP software? The AP doesn't have commands for managing its file system (like "Copy")...
01-29-2014 11:56 PM
Please follow the doc below for the AP IOS upgrade
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00809f0e94.shtml
01-30-2014 12:41 AM
Here are various ways to upgrade code, one is a video which is easier.
Using a TFTP Server to Return to a Previous Release
http://www.cisco.com/en/US/docs/wireless/access_point/conversion/lwapp/upgrade/guide/lwapnote.html#wp160918
https://supportforums.cisco.com/docs/DOC-18268
http://www.cisco.com/en/US/docs/wireless/access_point/conversion/lwapp/upgrade/guide/lwapnote.html#wp160918
http://www.youtube.com/watch?v=QQ_NuxdRhQ4
https://supportforums.cisco.com/docs/DOC-14960
01-30-2014 01:32 AM
01-30-2014 01:39 AM
Glad it worked for you!
01-30-2014 12:45 AM
Apart from this AP registration issue, you have to convert all your APs into FlexConnect Mode. vWLC only supports FlexConnect mode APs.
If your AP is in local mode, it will register to a vWLC, but not advertise any SSID. Keep that in mind as well.
HTH
Rasika
**** Pls rate all useful responses ****