07-11-2014 06:31 AM - edited 07-05-2021 01:13 AM
For some reason some AIR-AP1131AG-E-K9 access points are not joining the WLC.
I'm using the latest recovery image to convert from autonomous to lightweight (c1130-rcvk9w8-mx.124-25e.JAO5).
- The time on the access point and the WLC is the same
- We're using multiple countries (DE, GB, NL, NO, US)
- In WLC, under Security - AAA - AP Policies: only MIC is "ticked" on.
- WLC is using v7.6.110.0
- Tried 'clear capwap private-config'
Appreciate any thoughts!
LOG:
Jul 11 12:25:36.999: %CAPWAP-3-EVENTLOG: DTLS session cleanup completed. Restarting capwap state machine.
Jul 11 12:25:36.999: %CAPWAP-3-EVENTLOG: Previous CAPWAP state was DTLS Setup,numOfCapwapDiscoveryResp = 1.lwapp crypto context not initializedlwapp crypto context not initialized
Jul 11 12:25:37.001: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
Jul 11 12:25:37.004: %LWAPP-3-CLIENTERRORLOG: Config load from flash failed. Initialising Cfg
Jul 11 12:25:37.004: %CAPWAP-3-ERRORLOG: Failed to load configuration from flash. Resetting to default config
Jul 11 12:25:37.021: %CAPWAP-3-EVENTLOG: lwapp_crypto_init_mic_keys_and_certs : MIC not presentlwapp_crypto_init: MIC not present..Invoking SSC
LWAPP Crypto Init (SSC): no certs in the SSC Private FileLWAPP Crypto Init: could not start PKI session
Jul 11 12:25:37.027: %CAPWAP-3-EVENTLOG: Starting Discovery. Initializing discovery latency in discovery responses.
Jul 11 12:25:37.028: %CAPWAP-3-EVENTLOG: CAPWAP State: Discovery.
Jul 11 12:25:37.029: %CAPWAP-3-EVENTLOG: Discovery Request sent to 172.30.40.117 with discovery type set to 2
Jul 11 12:25:47.029: %CAPWAP-3-EVENTLOG: Selected MWAR 'wlc01' (index 0).
Jul 11 12:25:47.029: %CAPWAP-3-EVENTLOG: Ap mgr count=1
Jul 11 12:25:47.029: %CAPWAP-3-ERRORLOG: Go join a capwap controller
Jul 11 12:25:47.030: %CAPWAP-3-EVENTLOG: Choosing AP Mgr with index 0, IP = 0xAC1E0FE3, load = 52..
Jul 11 12:25:47.030: %CAPWAP-3-EVENTLOG: Synchronizing time with AC time.
Jul 11 12:25:47.000: %CAPWAP-3-EVENTLOG: Setting time to 12:25:47 UTC Jul 11 2014
Jul 11 12:25:47.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.30.40.117 peer_port: 5246
Jul 11 12:25:47.000: %CAPWAP-3-EVENTLOG: CAPWAP State: DTLS Setup.Peer certificate verification failed 000B
Jul 11 12:25:47.137: %CAPWAP-3-ERRORLOG: Certificate verification failed!
Jul 11 12:25:47.137: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:447 Certificate verified failed!
Jul 11 12:25:47.138: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 172.30.40.117:5246
Jul 11 12:25:47.138: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.30.40.117:5246
Jul 11 12:25:47.139: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
Jul 11 12:26:47.000: %CAPWAP-3-EVENTLOG: Wait DTLS timer has expired
Jul 11 12:26:47.000: %CAPWAP-3-EVENTLOG: Dtls session establishment failed
Jul 11 12:26:47.000: %CAPWAP-3-EVENTLOG: CAPWAP State: DTLS Teardown.
07-17-2014 02:17 PM
Are you using the Cisco Aironet Upgrade Tool?
I recently ran into this problem when I started converting our older 1131AGs using tftp. It appears that our v02 devices don't have a MIC or SSC. The only solution I found was to use the Upgrade Tool that creates an SSC during the conversion.
You'll need to "tick" SSC and add the SSC Key Hash that the Upgrade Tool gives you.
07-11-2014 06:48 AM
Jul 11 12:25:47.137: %CAPWAP-3-ERRORLOG: Certificate verification failed!
On the WLC:
debug mac-addr <ap mac address>
debug capwap events enable
debug pm pki enable
These should give you more information as to what the cert error is, either invalid time/date or SSC (though I doubt this one).
HTH,
Steve
07-11-2014 12:21 PM
Hi,
LWAPP Crypto Init (SSC): no certs in the SSC Private FileLWAPP Crypto Init: could not start PKI session
Please follow the below link to get the APs registered!!
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00806a426c.shtml
Regards
Don't forget to rate helpful posts
07-14-2014 03:52 AM
07-14-2014 06:09 AM
First off, see if the AP has a MIC. Take a look at this post for the command.
https://supportforums.cisco.com/discussion/10855661/lwapp-conversion-1131-does-not-have-ssc-or-mic-hash
If the AP does have a MIC, then I would suggest you delete the images in flash and upload the RCV image to the AP along with clearing the nvram.
Scott
07-18-2014 02:17 AM
I was not using the Upgrade Tool earlier, but I converted the 1130 access points back and then converted them to lightweight again using the Upgrade Tool. The tool generated the SSC certificate and the access points finally joined the controller.
Thanks to everyone for your help!!
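Added example (not part of the thread and not Cisco tooling): a short Python triage of the AP console log from the original post, which records the CAPWAP state sequence, the controller peer, and whether the "MIC not present" and "no certs in the SSC Private File" messages both appear before the DTLS certificate failure. The function name, report keys and indicator labels are assumptions made for this example; the sample lines are copied from the log above.

```python
import re

# Constructed sample: a subset of the AP log lines quoted in the original post.
SAMPLE_LOG = """\
Jul 11 12:25:37.021: %CAPWAP-3-EVENTLOG: lwapp_crypto_init_mic_keys_and_certs : MIC not presentlwapp_crypto_init: MIC not present..Invoking SSC
LWAPP Crypto Init (SSC): no certs in the SSC Private FileLWAPP Crypto Init: could not start PKI session
Jul 11 12:25:37.028: %CAPWAP-3-EVENTLOG: CAPWAP State: Discovery.
Jul 11 12:25:47.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.30.40.117 peer_port: 5246
Jul 11 12:25:47.000: %CAPWAP-3-EVENTLOG: CAPWAP State: DTLS Setup.Peer certificate verification failed 000B
Jul 11 12:25:47.137: %CAPWAP-3-ERRORLOG: Certificate verification failed!
Jul 11 12:25:47.138: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 172.30.40.117:5246
Jul 11 12:26:47.000: %CAPWAP-3-EVENTLOG: CAPWAP State: DTLS Teardown.
"""

# "Mon DD HH:MM:SS.mmm: [%FACILITY-SEV-MNEMONIC: ]message"
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:.]+): (?:%[\w-]+: )?(?P<msg>.*)$")
STATE = re.compile(r"CAPWAP State: ([A-Za-z ]+?)\.")
PEER = re.compile(r"peer_ip: (\S+) peer_port: (\d+)")
# Hypothetical labels mapped to message fragments that appear in the log above.
INDICATORS = {
    "mic_missing": "MIC not present",
    "ssc_missing": "no certs in the SSC Private File",
    "cert_verify_failed": "Certificate verification failed",
    "bad_cert_alert": "Bad certificate Alert",
}

def triage(log_text):
    report = {"states": [], "peer": None, "findings": {}, "failed_in_state": None}
    ts = None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m:
            ts, msg = m["ts"], m["msg"]
        else:
            msg = raw  # continuation line: inherits the previous timestamp
        s = STATE.search(msg)
        if s:
            report["states"].append(s.group(1))
        p = PEER.search(msg)
        if p:
            report["peer"] = (p.group(1), int(p.group(2)))
        for key, needle in INDICATORS.items():
            if needle in msg and key not in report["findings"]:
                report["findings"][key] = ts  # first time the message was seen
                if key == "cert_verify_failed" and report["states"]:
                    report["failed_in_state"] = report["states"][-1]
    # Both identity certificate types reported absent by the AP itself.
    report["no_ap_certificate"] = {"mic_missing", "ssc_missing"} <= report["findings"].keys()
    return report
```

When `no_ap_certificate` is true, the log matches the situation described in the accepted answer, where the AP had neither a MIC nor an SSC.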