
Some APs are not joining the controller

Hi

Actually, I am facing an issue where some access points are not joining the WLC, and I got this message:

DTLS-3 HANDSHAKE FAILURE:openssl dtls.failed to complete DTLS handshake with peer SSHPM-3-GENERIC_CERT_ERROR

I checked the Cisco device certificate, since everything points to the certificate as the cause of this issue, and found it is still valid and will expire after a couple of months.

By the way, I have 2 controllers in 2 sites:

AIR-CT5508-K9 8.5.161.11

AIR-CT8510-K9 8.5.161.11

and this version is mentioned in

Field Notice: FN - 63942 - Wireless Lightweight Access Points and WLAN Controllers Fail to Create CAPWAP Connections Due to Certificate Expiration - Software Upgrade Recommended

Could this be the issue even though the certificate is valid?

Also, one more thing: some access points have joined the controller.

 


Mark Elsen

 

 - Well, if it is the issue, you may verify by using the workaround commands anyway:
                 config ap cert-expiry-ignore mic enable
                 config ap cert-expiry-ignore ssc enable

 (ignore the color change, not relevant)

 M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)

Thank you marce1000

If you use these commands, is it going to ignore the negotiation by certificate?

If so, is it secure to enable these commands, or will we face attack issues?

One more thing: I was about to set the clock manually to a previous date, as I saw in a solution, but I found that the certificate is still valid, so maybe it will not help. Am I right?

 

   >...One more thing: I was about to set the clock manually to a previous date, as I saw in a solution, but I found that the certificate is still valid, so maybe it will not help. Am I right?
      - My argument is the same as in my initial reply; it is simple to test by setting the time back (too); if you fear security issues then this option is probably better.

 M.




Is there any command to check the certificate on the access point?

Connect the console cable to the AP and capture the logs.

Some Field Notice:

https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html

BB

=====Preenayamo Vasudevam=====
