08-01-2014 11:48 AM - edited 07-05-2021 01:18 AM
Just noticed this one the other day; neither of our mobility engines is syncing with the WLCs.
Our setup is:
PI 2.1
all WLCs are 7.4.121.0
MSE3355 - was 7.5.102.101
vMSE - was 7.5.102.101
All was fine. We upgraded both MSEs to v7.6.120.0, due to the deferral notice for 7.5.102.101. Ever since, nothing will sync. All we get is "NMSP status is inactive" for both MSEs to all WLCs. The message is "hashkey mismatch between MSE and WLC". I have tried numerous things to no avail, like deleting the key from the WLCs. When I try to re-sync, I do see the key get pushed from the MSE to the WLC. But in the MSE logs I do see "certificate unknown" errors when trying to sync. I do have a case open on this.
It really seems like it resulted from the MSE upgrade, but I didn't see anything in the release notes that caused any concern.
Has anyone seen this symptom at all? Would it really be as simple as finding and deleting the key store? Any comments are appreciated.
Thanks - chris
08-01-2014 12:46 PM
Saw the post about Apache not starting after upgrading to 7.5, but I don't think that's my problem, as Apache is up and running.
chris
08-01-2014 01:22 PM
Am also seeing on the WLC, via command line, the following when doing a "sho nmsp status summ":
SSL Handshake failed............................. 15542
and it is incrementing. So it definitely looks like either:
/opt/mse/locsrv/ssl or /var/mse/certs/nss
has something corrupt. But based on a different post, I don't think it's the nss directory, as Apache is running fine, so I think it is the /opt/mse/locsrv/ssl directory. But I don't want to do anything that will make things any worse.
chris
09-22-2014 03:32 AM
Hi Guys,
Did you ever get this resolved?
I'm having a similar issue. I have a WLC 8500 running v8.0.1, MSE is v8 and Prime is v2.1.
When I add the MSE in Prime, the MSE is added to the auth list on the WLC automatically as an LBS-SSC. If I change that to an SSC, the MSE complains about a hash key mismatch.
When I click NMSP status I get a time mismatch. I have set all 3 servers to sync to the same NTP server. The WLC is set to GMT, Prime and MSE are set to BST. When I click the NMSP status it says there is a time issue, but it shows that the WLC time and the MSE time are exactly the same.
Not sure what else to try apart from an MSE rebuild.
09-22-2014 04:46 AM
You need to define the new hashkey. Here is a support link that guides you to obtaining that hashkey:
https://supportforums.cisco.com/discussion/11053316/mse-location-problem-wcs-map
Scott
09-22-2014 06:25 AM
Hi Scott, thanks for replying.
The hash key seems to be already defined as per below; once I added the MSE it seemed to auto-generate with the WLC. I have attached the screenshot of the error on NMSP status.
I can also see the SSL handshake errors increasing.
(Cisco Controller) >show auth-list
Authorize MIC APs against Auth-list or AAA ...... disabled
Authorize LSC APs against Auth-List ............. disabled
APs Allowed to Join
AP with Manufacturing Installed Certificate.... yes
AP with Self-Signed Certificate................ no
AP with Locally Significant Certificate........ no
Mac Addr                Cert Type  Key Hash
----------------------- ---------- ------------------------------------------
00:0c:29:de:aa:4c       LBS-SSC    62d6c2d230f87615b1583394277f4cf59a451d96
cmd> show server-auth-info
invoke command: com.aes.server.cli.CmdGetServerAuthInfo
AesLog queue high mark: 50000
AesLog queue low mark: 500
----------------
Server Auth Info
----------------
MAC Address: 00:0c:29:de:aa:4c
SHA1 Key Hash: 62d6c2d230f87615b1583394277f4cf59a451d96
SHA2 Key Hash: 8579084679da0a14b0b07c3ca6b262d12b0a0a4ea3521668e1922d62f42ad1f6
Certificate Type: SSC
09-22-2014 06:47 AM
Have you tried removing it and adding it back?
Scott
09-22-2014 07:16 AM
Hi Scott,
Yeah, I have removed and re-added it a few times, and have rebooted the MSE a few times. I haven't rebooted the WLC as yet but might try that later tonight when there are no clients connected.
10-16-2014 03:18 AM
Just to let you all know, I got it resolved. It seems MSE version 8 uses SHA-256. So I copied that string from the MSE and changed to SHA-256 on the controller, and it worked straight away.
12-05-2014 12:24 PM
That was also the fix for me. In the WLC GUI, delete the MSE-created MAC address under Security > AAA > AP Policies. You cannot create an AP authorization with SHA2 (256) in the GUI. Go to the command line of the WLC and run:
config auth-list add sha256-lbs-ssc <MAC of the MSE in xx:yy format> <SHA2 Key Hash>
09-22-2014 06:48 AM
There are some differences in your setup from mine, but I definitely had a hash mismatch and a manual copy fixed things. As for the time sync thing, I really don't know if the different timezones would cause this or not. But it seems from the screenshot that it's not even trying to establish the nmsp connection due to this. Maybe Scott or someone can chime in here regarding timezones. - chris
09-22-2014 05:55 AM
Brian, and all,
Basically, the result is that you have to manually copy the hash. First, determine the hash on the MSE, and then copy it via CLI onto the controller. I did find a document that was specific to the "converged access" gear, but it is applicable to all gear, I guess, nowadays.
The link to the document is http://www.cisco.com/c/en/us/support/docs/wireless/5700-series-wireless-lan-controllers/117477-technote-addmac-00.html, and should get you going.
Please respond whether or not this worked for you, and I can send you some other stuff from the case offline. Thanks - chris
04-05-2016 10:19 AM
This discussion was very helpful. We had the same problem too. Cisco has created a Bug ID for tracking the issue: CSCuq50069 - "SHA1 key cipher not working between WLC 80 and MSE 80 CCO versions". The bug appears to be resolved in 8.0.132.0 code, but no workaround was mentioned. I was able to resolve the issue by SSHing to each of the MSE 3365s, logging in, issuing the show server-auth-info command and copying the output to a notepad file. Once I had the MSE's MAC address and the SHA2 hash, I SSHed to the WLC and from the CLI entered this command: config auth-list add sha256-lbs-ssc <Mac address> <40bit Key>, replacing the MAC address with that of the MSE and the 40bit Key with the SHA2 hash. This resolved my issue.
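The fix described across the posts above (read the SHA2 key hash from the MSE's "show server-auth-info", compare it with what the WLC holds in "show auth-list", and re-add the entry with "config auth-list add sha256-lbs-ssc") is easy to get wrong by hand when there are several WLCs and two hashes of different lengths to copy. The following script is an added example, not code from this thread or from Cisco: it parses the two CLI outputs quoted earlier in the thread (embedded below as constructed sample input), checks that the SHA1 and SHA2 values have the expected lengths (a SHA-1 digest is 40 hex characters, a SHA-256 digest is 64), reports whether the WLC entry is the SHA1 hash, the SHA2 hash, missing, or something else, and prints the AireOS commands to replace it. The "config auth-list add sha256-lbs-ssc" form is the one posted in this thread; the "config auth-list delete" form, standing in for the GUI delete step described above, is an assumption.

```python
"""Reconcile the MSE NMSP key hash with a WLC auth-list entry.

Added example for this thread, not Cisco's code. Sample CLI outputs are
constructed from the ones quoted in the thread.
"""
import re

# Constructed sample: MSE 'show server-auth-info' output as quoted above.
MSE_SERVER_AUTH_INFO = """\
cmd> show server-auth-info
invoke command: com.aes.server.cli.CmdGetServerAuthInfo
AesLog queue high mark: 50000
AesLog queue low mark: 500
----------------
Server Auth Info
----------------
MAC Address: 00:0c:29:de:aa:4c
SHA1 Key Hash: 62d6c2d230f87615b1583394277f4cf59a451d96
SHA2 Key Hash: 8579084679da0a14b0b07c3ca6b262d12b0a0a4ea3521668e1922d62f42ad1f6
Certificate Type: SSC
"""

# Constructed sample: WLC 'show auth-list' output as quoted above (SHA1 entry).
WLC_AUTH_LIST = """\
(Cisco Controller) >show auth-list
Authorize MIC APs against Auth-list or AAA ...... disabled
Authorize LSC APs against Auth-List ............. disabled
APs Allowed to Join
AP with Manufacturing Installed Certificate.... yes
AP with Self-Signed Certificate................ no
AP with Locally Significant Certificate........ no
Mac Addr                Cert Type  Key Hash
----------------------- ---------- ------------------------------------------
00:0c:29:de:aa:4c       LBS-SSC    62d6c2d230f87615b1583394277f4cf59a451d96
"""

MAC_RE = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
HEX_RE = re.compile(r"^[0-9a-f]+$")


def parse_mse(text):
    """Return {'mac', 'sha1', 'sha2'} parsed from MSE 'show server-auth-info'."""
    def grab(label):
        m = re.search(rf"^{label}:\s*(\S+)", text, re.M | re.I)
        if not m:
            raise ValueError(f"missing '{label}' in MSE output")
        return m.group(1).lower()

    info = {"mac": grab("MAC Address"),
            "sha1": grab("SHA1 Key Hash"),
            "sha2": grab("SHA2 Key Hash")}
    # SHA-1 digest = 20 bytes = 40 hex chars; SHA-256 digest = 32 bytes = 64 hex chars.
    if len(info["sha1"]) != 40 or not HEX_RE.match(info["sha1"]):
        raise ValueError("SHA1 Key Hash is not 40 hex characters")
    if len(info["sha2"]) != 64 or not HEX_RE.match(info["sha2"]):
        raise ValueError("SHA2 Key Hash is not 64 hex characters")
    return info


def parse_wlc(text):
    """Return {mac: (cert_type, key_hash)} from the WLC 'show auth-list' table."""
    entries = {}
    for line in text.splitlines():
        m = re.match(rf"^{MAC_RE}\s+(\S+)\s+([0-9a-f]+)\s*$", line.strip(), re.I)
        if m:
            entries[m.group(1).lower()] = (m.group(2), m.group(3).lower())
    return entries


def reconcile(mse_text, wlc_text):
    """Classify the WLC entry for the MSE's MAC; return (status, fix_commands)."""
    mse = parse_mse(mse_text)
    wlc = parse_wlc(wlc_text)
    mac = mse["mac"]
    fix = [
        f"config auth-list delete {mac}",  # assumed CLI form of the GUI delete step
        f"config auth-list add sha256-lbs-ssc {mac} {mse['sha2']}",  # command from the thread
    ]
    if mac not in wlc:
        return "missing", fix
    _cert_type, key_hash = wlc[mac]
    if key_hash == mse["sha2"]:
        return "ok-sha2", []        # WLC already holds the SHA-256 hash, nothing to do
    if key_hash == mse["sha1"]:
        return "sha1-only", fix     # the mismatch described in this thread
    return "mismatch", fix          # stale or foreign hash; replace it


if __name__ == "__main__":
    status, cmds = reconcile(MSE_SERVER_AUTH_INFO, WLC_AUTH_LIST)
    print("WLC auth-list entry status:", status)
    for c in cmds:
        print(c)
```

Run it once per WLC with that controller's "show auth-list" pasted in; an "ok-sha2" result means the controller was already fixed (as with three of the four WLCs in a later post), while "sha1-only" prints the two commands to paste into that WLC's CLI.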
04-27-2016 03:09 AM
Hi Johnathan Waas,
I followed your CLI Command. And it works!
THANK YOU! - Jan
11-12-2018 06:26 PM
Had this issue myself when upgrading MSE from 8.0.140.9 to 8.0.150.0 with Prime Infra 3.4 and WLC 8510s at 8.0 and 8.3: no sync.
Several steps needed to fix it:
enable TLS v1.0 in MSE (via /opt/mse/setup/setup.sh)
delete/re-add MSE in Prime
enable R/W SNMP in WLC for Prime - then sync
Re-added MSE mac address and SHA2 key to WLC (on one WLC only, 3/4 were OK)
Hope this helps others!
Darren