
Some converted 1130 access points unable to join WLC

c.s
Level 1

For some reason some AIR-AP1131AG-E-K9 access points are not joining the wlc.

I'm using the latest recovery image to convert from autonomous to lightweight (c1130-rcvk9w8-mx.124-25e.JAO5)

- The time on access point and wlc is the same
- We're using multiple countries (DE, GB, NL, NO, US)
- In WLC, under Security - AAA - AP Policies: only MIC is "ticked" on.
- WLC is using v7.6.110.0
- Tried 'clear capwap private-config'

Appreciate any thoughts!

LOG:

Jul 11 12:25:36.999: %CAPWAP-3-EVENTLOG: DTLS session cleanup completed. Restarting capwap state machine.
Jul 11 12:25:36.999: %CAPWAP-3-EVENTLOG: Previous CAPWAP state was DTLS Setup,numOfCapwapDiscoveryResp = 1.lwapp crypto context not initializedlwapp crypto context not initialized
Jul 11 12:25:37.001: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
Jul 11 12:25:37.004: %LWAPP-3-CLIENTERRORLOG: Config load from flash failed. Initialising Cfg

Jul 11 12:25:37.004: %CAPWAP-3-ERRORLOG: Failed to load configuration from flash. Resetting to default config
Jul 11 12:25:37.021: %CAPWAP-3-EVENTLOG: lwapp_crypto_init_mic_keys_and_certs : MIC not presentlwapp_crypto_init: MIC not present..Invoking SSC
LWAPP Crypto Init (SSC): no certs in the SSC Private FileLWAPP Crypto Init: could not start PKI session
Jul 11 12:25:37.027: %CAPWAP-3-EVENTLOG: Starting Discovery. Initializing discovery latency in discovery responses.
Jul 11 12:25:37.028: %CAPWAP-3-EVENTLOG: CAPWAP State: Discovery.
Jul 11 12:25:37.029: %CAPWAP-3-EVENTLOG: Discovery Request sent to 172.30.40.117 with discovery type set to 2
Jul 11 12:25:47.029: %CAPWAP-3-EVENTLOG: Selected MWAR 'wlc01' (index 0).
Jul 11 12:25:47.029: %CAPWAP-3-EVENTLOG: Ap mgr count=1
Jul 11 12:25:47.029: %CAPWAP-3-ERRORLOG: Go join a capwap controller 
Jul 11 12:25:47.030: %CAPWAP-3-EVENTLOG: Choosing AP Mgr with index 0, IP = 0xAC1E0FE3, load = 52..
Jul 11 12:25:47.030: %CAPWAP-3-EVENTLOG: Synchronizing time with AC time.
Jul 11 12:25:47.000: %CAPWAP-3-EVENTLOG: Setting time to 12:25:47 UTC Jul 11 2014 

Jul 11 12:25:47.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.30.40.117 peer_port: 5246
Jul 11 12:25:47.000: %CAPWAP-3-EVENTLOG: CAPWAP State: DTLS Setup.Peer certificate verification failed 000B

Jul 11 12:25:47.137: %CAPWAP-3-ERRORLOG: Certificate verification failed!
Jul 11 12:25:47.137: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:447 Certificate verified failed!
Jul 11 12:25:47.138: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 172.30.40.117:5246
Jul 11 12:25:47.138: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.30.40.117:5246
Jul 11 12:25:47.139: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
Jul 11 12:26:47.000: %CAPWAP-3-EVENTLOG: Wait DTLS timer has expired
Jul 11 12:26:47.000: %CAPWAP-3-EVENTLOG: Dtls session establishment failed
Jul 11 12:26:47.000: %CAPWAP-3-EVENTLOG: CAPWAP State: DTLS Teardown.

 

Accepted Solutions

Adam Boatright
Level 1

Are you using the Cisco Aironet Upgrade Tool?

I recently ran into this problem when I started converting our older 1131AGs using tftp. It appears that our v02 devices don't have a MIC or SSC. The only solution I found was to use the Upgrade Tool that creates an SSC during the conversion.

You'll need to "tick" SSC and add the SSC Key Hash that the Upgrade Tool gives you.


6 Replies

Stephen Rodriguez
Cisco Employee

Jul 11 12:25:47.137: %CAPWAP-3-ERRORLOG: Certificate verification failed!

 

On the WLC:

debug mac-addr <ap mac address>

debug capwap events enable

debug pm pki enable

These should give you more information as to what the cert error is, either invalid time/date or SSC (though I doubt this one).

 

HTH,

Steve


Sandeep Choudhary
VIP Alumni

Hi,

 

LWAPP Crypto Init (SSC): no certs in the SSC Private FileLWAPP Crypto Init: could not start PKI session

Please follow the below link to get the APs registered!!

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00806a426c.shtml

 

Regards

Don't forget to rate helpful posts

I followed the instructions on that site but I can't see the SSC Key Hash string in the log when I issue the command 'debug pm pki enable' 

See attached log.

I have two 1131 access points continuously trying to connect to the wlc.

Any thoughts on why it's not showing?

 

First off, see if the AP has a MIC.  Take a look at this post for the command. 

https://supportforums.cisco.com/discussion/10855661/lwapp-conversion-1131-does-not-have-ssc-or-mic-hash

If the AP does have a MIC, then I would suggest you delete the images in flash and upload the RCV image to the AP along with clearing the nvram. 

Scott



I was not using the Upgrade Tool earlier, but I converted the 1130 access points back and then converted them to lightweight again using the Upgrade Tool. The tool generated the SSC certificate and the access points finally joined the controller.

Thanks to everyone for your help!!
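
An added example, not part of the original thread: a small Python triage over AP console lines from the first post, flagging the "MIC not present" / "no certs in the SSC Private File" pair that the accepted answer identifies as the cause, and decoding the hex AP manager address. The function names and diagnosis strings are hypothetical; the matched fragments and sample lines are copied from the posted log.

```python
import ipaddress
import re

# AP console lines copied from the log in the original post.
SAMPLE_LOG = """\
Jul 11 12:25:37.021: %CAPWAP-3-EVENTLOG: lwapp_crypto_init_mic_keys_and_certs : MIC not presentlwapp_crypto_init: MIC not present..Invoking SSC
LWAPP Crypto Init (SSC): no certs in the SSC Private FileLWAPP Crypto Init: could not start PKI session
Jul 11 12:25:47.030: %CAPWAP-3-EVENTLOG: Choosing AP Mgr with index 0, IP = 0xAC1E0FE3, load = 52..
Jul 11 12:25:47.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.30.40.117 peer_port: 5246
Jul 11 12:25:47.137: %CAPWAP-3-ERRORLOG: Certificate verification failed!
Jul 11 12:25:47.138: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 172.30.40.117:5246
"""

# Message fragment -> finding name. Fragments are taken verbatim from that log.
MARKERS = {
    "MIC not present": "no_mic",
    "no certs in the SSC Private File": "no_ssc",
    "could not start PKI session": "pki_failed",
    "Certificate verification failed": "cert_verify_failed",
    "Bad certificate Alert": "dtls_bad_cert_alert",
}

def triage(log_text):
    """Return (set of findings, one-line diagnosis) for an AP join log."""
    found = {key for needle, key in MARKERS.items() if needle in log_text}
    if {"no_mic", "no_ssc"} <= found:
        diag = "AP has neither MIC nor SSC: reconvert with a method that creates an SSC"
    elif "no_mic" in found:
        diag = "no MIC, SSC in use: enable SSC in AP Policies and add the SSC key hash"
    elif "cert_verify_failed" in found:
        diag = "verification failed, no missing-cert message: check time/date on AP and WLC"
    else:
        diag = "no certificate problem seen in this log"
    return found, diag

def ap_manager_ip(log_text):
    """Decode the hex 'IP = 0x...' AP manager address to dotted quad, or None."""
    m = re.search(r"IP = 0x([0-9A-Fa-f]{8})", log_text)
    return str(ipaddress.ip_address(int(m.group(1), 16))) if m else None

if __name__ == "__main__":
    findings, diagnosis = triage(SAMPLE_LOG)
    print(sorted(findings))
    print(diagnosis)
    print("AP manager:", ap_manager_ip(SAMPLE_LOG))
```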
