06-12-2024 03:58 AM
Hi to all,
Coming back to an old subject which I dug into but found no answer for in my case.
I have a number of old 1130s still working and need to transfer these from an old WISM to a vWLC.
The problem is that they do not want to register to this vWLC (IP address 10.10.32.4).
The debug messages I get are the following:
*Jun 12 10:02:26.765: status of voice_diag_test from WLC is false
*Jun 12 10:01:06.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.32.4 peer_port: 5246
*Jun 12 10:01:06.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Jun 12 10:01:06.014: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Jun 12 10:01:06.015: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Jun 12 10:01:06.015: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:352 Certificate verified failed!
*Jun 12 10:01:06.015: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 10.10.32.4
*Jun 12 10:01:06.015: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.10.32.4:5246
*Jun 12 10:01:06.016: %DTLS-3-BAD_RECORD: Erroneous record received from 10.10.32.4: Malformed Certificate
*Jun 12 10:01:06.016: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.32.4:5246
*Jun 12 10:01:06.016: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
The IOS the vWLC runs is:
Maximum number of APs supported.................. 200
Press Enter to continue or <ctrl-z> to abort
System Information
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.4.121.0
RTOS Version..................................... 8.0.150.0
Bootloader Version............................... 7.6.110.0
Emergency Image Version.......................... 7.6.110.0
Build Type....................................... DATA + WPS
The access points run:
>show version
Cisco IOS Software, C1130 Software (C1130-K9W8-M), Version 12.4(23c)JA10, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Fri 20-Mar-15 13:37 by prod_rel_team
ROM: Bootstrap program is C1130 boot loader
BOOTLDR: C1130 Boot Loader (C1130-BOOT-M) Version 12.3(8)JEA, RELEASE SOFTWARE (fc2)
AP0021.d847.86b8 uptime is 4 days, 20 hours, 49 minutes
System returned to ROM by power-on
System image file is "flash:/c1130-k9w8-mx.124-23c.JA10/c1130-k9w8-mx.124-23c.JA10"
According to Cisco the 8.0.150 version supports the 1130s. Please refer to the attached png.
However, not able to get them registered to the WLC.
I also changed the time back to 2010, as I have seen in a related post, with no luck.
Any ideas?
Thanks,
Ditter.
06-13-2024 05:37 AM
@Ditter wrote:
LWAPP image version 3.0.51.0
That is one old firmware right there!
Search for and download the filename "c1130-rcvk9w8-tar.124-25e.JAP10.tar". That's a recovery file but slightly "newer". It may help.
06-13-2024 03:19 PM - edited 06-13-2024 04:18 PM
@Ditter wrote:
Is there a way to pass this software to these APs without going on site with an ethernet cable back to back?
There is, and this depends entirely on whether the APs in question can be remotely accessed (telnet or SSH).
If remote access to the AP is possible, then do the following:
debug capwap console cli
delete /f /r flash:c1130*
archive download-sw tftp://<IP ADDRESS>/c1130-rcvk9w8-tar.124-25e.JAP10.tar
And then reboot the AP.
If the "archive download-sw" does not work, use an alternative method:
archive tar /x tftp://<IP ADDRESS>/c1130-rcvk9w8-tar.124-25e.JAP10.tar flash:
06-12-2024 04:08 AM
- FYI : https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html
M.
06-12-2024 04:58 AM
Thanks for your answer.
According to this https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html
1130s are supported up to version 8.0.152
According to the link you sent, the problem is with versions 8.0, 7.4 and 7.0.
According to the Cisco site the only versions you can download are 8.0 and 7.4 (all other versions are deferred), so there is no solution?
Please see the attached png from the Cisco download site.
Thanks,
Ditter
06-12-2024 05:02 AM
>..., so there is no solution?
- There is: set the controller's time in the past (backwards sufficiently); but that will be the only option available in this case.
M.
06-12-2024 05:00 AM
config ap cert-expiry-ignore {mic|ssc} enable
Tried this command ?
06-12-2024 05:11 AM
- @RoadRunner4k Those commands are only available from 8.3.x and onwards.
M.
06-12-2024 05:13 AM
@marce1000 Thanks
06-12-2024 05:34 AM
Went back to the old 2005, 2006, nothing.
06-12-2024 06:10 AM
2000 is the earliest date I can issue on the vWLC. Nothing changed.
*Jun 12 12:32:39.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.32.4 peer_port: 5246
*Jun 12 12:32:39.014: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Jun 12 12:32:39.014: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Jun 12 12:32:39.014: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:352 Certificate verified failed!
*Jun 12 12:32:39.015: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 10.10.32.4
*Jun 12 12:32:39.015: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.10.32.4:5246
*Jun 12 12:32:39.015: %DTLS-3-BAD_RECORD: Erroneous record received from 10.10.32.4: Malformed Certificate
*Jun 12 12:32:39.015: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.32.4:5246
*Jun 12 12:32:39.016: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
06-12-2024 08:02 AM
>....2000 is the earliest date i can issue on the vWLC. Nothing changed.
- Probably this AP can no longer be used on the intended infrastructure then. You may want to log on to it
and issue the command show pki certificate and look at the certificate dates.
Note also that this AP model is very old and can no longer offer modern wireless performance (standards) for customers.
M.
06-12-2024 11:59 AM
The show crypto pki certificates command shows the following:
CA Certificate
Status: Available
Certificate Serial Number: 00
Certificate Usage: General Purpose
Issuer:
ea=support@airespace.com
cn=ca
ou=none
o=airespace Inc
l=San Jose
st=California
c=US
Subject:
ea=support@airespace.com
cn=ca
ou=none
o=airespace Inc
l=San Jose
st=California
c=US
Validity Date:
start date: 23:38:55 UTC Feb 12 2003
end date: 23:38:55 UTC Nov 11 2012
Associated Trustpoints: airespace-old-root-cert
CA Certificate
Status: Available
Certificate Serial Number: 00
Certificate Usage: Signature
Issuer:
ea=support@airespace.com
cn=Airespace Root CA
ou=Engineering
o=Airespace Inc.
l=San Jose
st=California
c=US
Subject:
ea=support@airespace.com
cn=Airespace Root CA
ou=Engineering
o=Airespace Inc.
l=San Jose
st=California
c=US
Validity Date:
start date: 13:41:22 UTC Jul 31 2003
end date: 13:41:22 UTC Apr 29 2013
Associated Trustpoints: airespace-new-root-cert
CA Certificate
Status: Available
Certificate Serial Number: 03
Certificate Usage: General Purpose
Issuer:
ea=support@airespace.com
cn=Airespace Root CA
ou=Engineering
o=Airespace Inc.
l=San Jose
st=California
c=US
Subject:
ea=support@airespace.com
cn=Airespace Device CA
ou=Engineering
o=Airespace Inc.
l=San Jose
st=California
c=US
Validity Date:
start date: 22:37:13 UTC Apr 28 2005
end date: 22:37:13 UTC Jan 26 2015
Associated Trustpoints: airespace-device-root-cert
CA Certificate
Status: Available
Certificate Serial Number: 5FF87B282B54DC8D42A315B568C9ADFF
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2048
o=Cisco Systems
Subject:
cn=Cisco Root CA 2048
o=Cisco Systems
Validity Date:
start date: 20:17:12 UTC May 14 2004
end date: 20:25:42 UTC May 14 2029
Associated Trustpoints: cisco-root-cert
Certificate
Status: Available
Certificate Serial Number: 71D0B71D000000298A64
Certificate Usage: General Purpose
Issuer:
cn=Cisco Manufacturing CA
o=Cisco Systems
Subject:
Name: C1130-0021d84786b8
ea=support@cisco.com
cn=C1130-0021d84786b8
o=Cisco Systems
l=San Jose
st=California
c=US
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/cmca.crl
Validity Date:
start date: 16:47:28 UTC Oct 17 2008
end date: 16:57:28 UTC Oct 17 2018
Associated Trustpoints: Cisco_IOS_MIC_cert
CA Certificate
Status: Available
Certificate Serial Number: 6A6967B3000000000003
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2048
o=Cisco Systems
Subject:
cn=Cisco Manufacturing CA
o=Cisco Systems
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/crca2048.crl
Validity Date:
start date: 22:16:01 UTC Jun 10 2005
end date: 20:25:42 UTC May 14 2029
Associated Trustpoints: Cisco_IOS_MIC_cert
The reason I need to move these old 1130s is that I use an old Cat6500 with a WISM card only for these 50 1130s and 1140s. So before replacing the APs I need to decommission the old 6500.
That is the reason I am trying to register them to the vWLC.
Thanks,
Ditter
06-12-2024 03:51 PM - edited 06-12-2024 03:54 PM
Please provide a list of the serial numbers of the 1130. The 1130/1140 only have a ten year old certificate that has long expired (see @marce1000 Field Notice).
Based on the year of manufacture of the APs, the clock of the vWLC will need to be rolled back.
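An added example, not written by any poster or by Cisco: it parses `show crypto pki certificates` output like the listing posted above and reports the clock interval in which every listed certificate is inside its validity dates, plus which certificates a given clock value falls outside. It covers only the AP-side certificates shown in the thread (the controller's own certificate dates are not posted); the function names and the trimmed sample are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the three MIC-chain entries posted above, trimmed to the parsed fields.
SAMPLE = """\
CA Certificate
 Subject:
  cn=Cisco Root CA 2048
  start date: 20:17:12 UTC May 14 2004
  end date: 20:25:42 UTC May 14 2029
 Associated Trustpoints: cisco-root-cert
Certificate
 Issuer:
  cn=Cisco Manufacturing CA
 Subject:
  cn=C1130-0021d84786b8
  start date: 16:47:28 UTC Oct 17 2008
  end date: 16:57:28 UTC Oct 17 2018
 Associated Trustpoints: Cisco_IOS_MIC_cert
CA Certificate
 Subject:
  cn=Cisco Manufacturing CA
  start date: 22:16:01 UTC Jun 10 2005
  end date: 20:25:42 UTC May 14 2029
 Associated Trustpoints: Cisco_IOS_MIC_cert
"""
DATE_RE = re.compile(r"(start|end)\s+date:\s*(.+)")

def parse_certs(text):  # one dict per certificate: subject, start, end, trustpoint
    certs, cur, section = [], {}, None
    for line in map(str.strip, text.splitlines()):
        if line in ("CA Certificate", "Certificate"):
            cur, section = {}, None
            certs.append(cur)
        elif line in ("Issuer:", "Subject:"):
            section = line
        elif line.startswith("cn=") and section == "Subject:":  # skip the issuer's cn
            cur["subject"] = line[3:]
        elif m := DATE_RE.match(line):
            cur[m[1]] = datetime.strptime(m[2], "%H:%M:%S UTC %b %d %Y").replace(tzinfo=timezone.utc)
        elif line.startswith("Associated Trustpoints:"):
            cur["trustpoint"] = line.split(":", 1)[1].strip()
    return certs

def common_window(certs):  # interval in which every certificate is within its dates
    return max(c["start"] for c in certs), min(c["end"] for c in certs)

def outside_validity(certs, when):  # (subject, trustpoint) of certs not valid at `when`
    return [(c["subject"], c["trustpoint"]) for c in certs if not c["start"] <= when <= c["end"]]
```

Of the clock values tried in the thread, 2010 and 2013 fall inside the window this computes for the AP's MIC chain, while 2000, 2005 and 2006 fall before the AP certificate's start date.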
06-13-2024 01:56 AM
I turned the vWLC clock back to 2013 but no luck.
(Cisco Controller) >show time
Time............................................. Thu Jun 13 11:20:20 2013
Timezone delta................................... 0:0
Timezone location................................ (GMT +2:00) Jerusalem
NTP Servers
NTP Polling Interval......................... 3600
Index NTP Key Index NTP Server NTP Msg Auth Status
------- ---------------------------------------------------------------
(Cisco Controller) >
I also send you the serial number of the 1130 that I use as test:
Part Number : 73-8962-14
PCA Assembly Number : 800-24818-13
PCA Revision Number : A0
PCB Serial Number : FOC12374G8S
Top Assembly Part Number : 800-29230-02
Top Assembly Serial Number : FCZ1242Q188
Top Revision Number : A0
Product/Model Number : AIR-AP1131AG-E-K9
Thanks,
Ditter