05-07-2022 01:52 AM
Hi,
I have 3802i APs and a 2504 controller running 8.5.161.0.
My network rebooted. The controller came back up fine, the NTP is set and I have checked the clock and set it to the correct time, but none of the APs are joining the controller. It was all working fine before the reboot.
I have consoled into an AP and here is the failure message:
[*05/07/2022 08:39:43.0000] CAPWAP State: DTLS Setup
[*05/07/2022 08:39:43.0005] dtls_connectionDB_add_connection: Number of DTLS connections exceeded two
[*05/07/2022 08:39:43.6896] display_verify_cert_status: Verify Cert: FAILED at 0 depth: certificate has expired
[*05/07/2022 08:39:43.6903] dtls_verify_con_cert: Controller certificate verification error
[*05/07/2022 08:39:43.6903] dtls_process_packet: Controller certificate verification failed
[*05/07/2022 08:39:43.6907] sendPacketToDtls: DTLS: Closing connection 0x1b91a00.
[*05/07/2022 08:39:43.6908] Restarting CAPWAP State Machine.
05-07-2022 02:21 AM
- Are you affected by (please check): https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html ?
M.
05-07-2022 02:25 AM
My software version is on there, but I can't get new software; I don't have the access on my CCO account.
05-07-2022 02:30 AM
- Sorry, the latter could be a show stopper; it is always advisable to have access to software (updates) for business environments. Anyway, for the current issue: also issue show logging on the controller and check what happens there when an AP cannot join. Also note these bug reports: https://bst.cloudapps.cisco.com/bugsearch?pf=prdNm&kw=dtls_connectionDB_add_connection&bt=custV&sb=anfr
M.
05-07-2022 02:36 AM
I changed the date as recommended by that link but now I get this:
[*05/07/2015 09:33:20.0001] CAPWAP State: DTLS Setup
[*05/07/2015 09:33:20.0005] dtls_connectionDB_add_connection: Number of DTLS connections exceeded two
[*05/07/2015 09:33:20.6790] dtls_process_packet: DTLS Error: 1046
[*05/07/2015 09:33:20.6790] dtls_process_packet: The controller shut down the DTLS connection.
[*05/07/2015 09:33:20.6790] dtls_process_packet: Please verify that the AP certificate is valid and has not expired.
[*05/07/2015 09:34:17.0161] dtls_disconnect: ERROR shutting down dtls connection ...
05-07-2022 02:42 AM
- Don't go into the wild, take actions only when the problem mentioned in the link is verified; you may try on the controller:
(Cisco Controller) >config ap cert-expiry-ignore mic enable
(Cisco Controller) >config ap cert-expiry-ignore ssc enable
M.
05-07-2022 03:03 AM
Ok thanks, I have it working, but I would like to upgrade the software so it's done properly. I have seen in the past that if there is a major bug then Cisco will supply the software for free; I just can't remember the page we go to for that.
05-07-2022 03:40 AM
05-09-2022 11:14 AM
Well, your software version already has the fix/workaround.
If you want to try to get something newer then you need to find a security advisory which applies to your hardware and software version and refer to the section "Customers Without Service Contracts" then contact TAC by email (not phone) referring to the advisory URL and text and specify the precise name/location of the file you require.
e.g.: https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20191106-wlc-dos.html
Your controller is past End of Vulnerability/Security Support https://www.cisco.com/c/en/us/products/collateral/wireless/2504-wireless-controller/eos-eol-notice-c51-740645.html so you may battle to find an advisory which would help you get anything newer than 8.5.161.0, so your other option is to search for the file you're looking for or speak to your supplier.