
Some APs are not joining the controller

Hi

Actually, I am facing an issue where some access points are not joining the WLC, and I got this message:

DTLS-3 HANDSHAKE FAILURE:openssl dtls.failed to complete DTLS handshake with peer SSHPM-3-GENERIC_CERT_ERROR

I checked the Cisco device certificate, since everything points to the certificate for this issue, and found it is still valid and will expire after a couple of months.

By the way, I have 2 controllers in 2 sites:

AIR-CT5508-K9 8.5.161.11

AIR-CT8510-K9 8.5.161.11

and this version is mentioned in:

Field Notice: FN - 63942 - Wireless Lightweight Access Points and WLAN Controllers Fail to Create CAPWAP Connections Due to Certificate Expiration - Software Upgrade Recommended

Could this be the issue even though the certificate is valid?

Also, one more thing: some access points have joined the controller.

 


marce1000
VIP

 

 - Well, if it is the issue, you may verify by using the workaround commands anyway:

       config ap cert-expiry-ignore mic enable
       config ap cert-expiry-ignore ssc enable

 (Ignore the color change, not relevant.)

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Thank you, marce1000.

If you use these commands, is it going to ignore the negotiation by certificate?

If so, is it secure to enable these commands, or will we face attack issues?

One more thing: I was about to set the clock manually to a previous date, as I saw that solution, but I found that the certificate is still valid, so maybe it will not help. Am I right?

 

   >...one more thing I was about to use manual clock to previous date as I saw solution but I found that certificate is still valid and maybe will not help, am I right?
      - My argument is the same as in my initial reply; it is simple to test by setting the time back (too). If you fear security issues, then this option is probably better.

 M.




Is there any command to check the certificate on the access point?

Connect the console cable to the AP and capture the logs.

Some Field Notice:

https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html

BB
