01-15-2022 08:31 PM
Hi, I have a few Cisco Aironet 3500i Access Points and realized that none of them have a valid certificate; they have already expired. And I read in the Field Notice FN-63942 that my APs have a 10-year valid certificate, according to this paragraph:
Prior to July 18, 2005, Cisco APs were not manufactured with MICs.
All Cisco wireless products that were manufactured between July 18, 2005, and mid-2017 have MICs that expire after 10 years.
Starting in 2017, Cisco manufactured all wireless devices with MICs that expire in 2037.
Starting in 2019, all 9800 WLCs and 9100 APs were manufactured with certificates that expire in 2099.
Other AP and WLC models continue to be manufactured with certificates that expire in 2037.
Until now I haven't found a way to have my Catalyst 3850 ignore the expired cert of the APs, so I am considering buying another model of Aironets, but I am not sure how to choose them and I don't have the budget to just go ahead and shop for the latest model. So how can I determine if the APs were manufactured after 2017 or 2019? Is there a matrix for reference?
Thanks!!
01-16-2022 01:50 PM - edited 01-16-2022 02:45 PM
no @Haydn Andrews that's an AireOS command - the 3850 is IOS-XE.
He seems to have got past that now anyway and instead has problems with DTLS?
Why use DTLS?
All CAPWAP control data is encrypted by default and clients should be encrypting anything sensitive themselves (https etc).
As we've already said converged access was abandoned by Cisco because of numerous problems and they moved on to the next generation (9800 series). Maybe you should too?
Regarding cost maybe you should consider running EWC on a 9100 AP or if even that is too expensive for you then consider running a 9800-CL on a PC?
01-16-2022 02:49 PM
No license required to run as a standalone solution.
If you want to manage it with DNA centre then you need a license.
01-15-2022 08:42 PM
No one should be using Unified Access wireless controller.
3650/3850 have several design flaws, and one of them is not enough CPU and not enough memory to do all the things promised.
Cisco has ditched this dumpster fire for version 2.0 (Catalyst 9k).
01-15-2022 09:46 PM
Did somebody delete my post where I was asking how to set up certificate expiry ignore in the Catalyst 3850?
I understand that 9k catalyst series are better but even a used model costs at least ten times what I paid for the 3850 (used as well).
So please let me ask my two questions again in this post, since the other one was marked as duplicated:
1.- On the C3850, how can I set up certificate expiry ignore for the APs?
2.- How can I determine if the AP that I am shopping for falls into the 2017 or 2019 manufacturing date?
Thanks again!
Note: I don't know who deleted my other post, but I wasn't pointed to another discussion where the solution was provided, nor was a definitive answer provided either.
01-15-2022 10:42 PM - edited 01-15-2022 10:44 PM
Aldo.zavala@gmail.com wrote:
2.- How can I determine if the AP that I am shopping for falls into the 2017 or 2019 manufacturing date?
Please read the FN properly. How to determine the manufacturing date of a Cisco appliance based on the serial number can be found in the Derive Manufactured Date from the Product SN section.
Aldo.zavala@gmail.com wrote:
1.- On the C3850, how can I set up certificate expiry ignore for the APs?
Please read the FN properly. Have a look at the Solution for Expired AP Certificates and/or for Scenario of Encrypted Mobility Tunnels That Fail to Form section.
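The reply above points at the serial-number section of the Field Notice. As an added example for this thread (not Cisco code and not text from the Field Notice), the Python below decodes the manufacture year and week from a Cisco serial number and applies the MIC lifetime rules quoted in the opening post. It assumes the commonly documented LLLYYWWSSSS serial layout with year = 1996 + YY, approximates "July 18, 2005" as ISO week 29 of 2005 and "mid-2017" as ISO week 26 of 2017, and takes the 9800/9100 distinction as a caller-supplied flag; all of these are labelled in the code. The serial FTX1522E5H3 used in the usage call is the AP serial from the show inventory output posted later in this thread; the other serials are constructed.

```python
"""Derive a Cisco manufacture date from a product serial number and apply the
MIC lifetime rules quoted from FN-63942 earlier in this thread.

Added example for this thread; not Cisco code. Assumptions:
  * Serial layout LLLYYWWSSSS: 3-letter site code, 2-digit year code,
    2-digit ISO week, 4-character sequence, with year = 1996 + YY.
  * "July 18, 2005" is Monday of ISO week 29 of 2005.
  * "mid-2017" is approximated as the end of ISO week 26 of 2017.
  * Whether a device is a 9800 WLC or 9100 AP is passed in by the caller.
"""
import datetime
import re
from dataclasses import dataclass
from typing import Optional, Tuple

SERIAL_RE = re.compile(r"^([A-Z]{3})(\d{2})(\d{2})([A-Z0-9]{4})$")

NO_MIC_BEFORE = (2005, 29)     # assumption: ISO week containing July 18, 2005
TEN_YEAR_THROUGH = (2017, 26)  # assumption: "mid-2017" = end of ISO week 26


def manufacture_week(serial: str) -> Tuple[int, int]:
    """Return (year, ISO week) encoded in an LLLYYWWSSSS serial number."""
    m = SERIAL_RE.match(serial.strip().upper())
    if not m:
        raise ValueError(f"not an LLLYYWWSSSS serial number: {serial!r}")
    yy, ww = int(m.group(2)), int(m.group(3))
    if not 1 <= ww <= 53:
        raise ValueError(f"week field {ww:02d} out of range in {serial!r}")
    return 1996 + yy, ww


def add_years(d: datetime.date, n: int) -> datetime.date:
    """Shift a date by n years; Feb 29 of a leap year lands on Feb 28."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


@dataclass
class MicAssessment:
    serial: str
    manufactured: datetime.date
    has_mic: bool
    expiry: Optional[datetime.date]  # exact day only derivable for the 10-year class
    expiry_year: Optional[int]

    def expired_on(self, today: datetime.date) -> bool:
        if not self.has_mic or self.expiry_year is None:
            return False
        if self.expiry is not None:
            return today > self.expiry
        return today.year > self.expiry_year  # 2037/2099 classes: year granularity


def assess_mic(serial: str, is_9800_or_9100: bool = False) -> MicAssessment:
    """Classify a serial under the FN-63942 rules quoted in this thread."""
    year, week = manufacture_week(serial)
    made = datetime.date.fromisocalendar(year, week, 1)  # Monday of that week
    if (year, week) < NO_MIC_BEFORE:
        return MicAssessment(serial, made, False, None, None)  # no MIC before July 2005
    if (year, week) <= TEN_YEAR_THROUGH:
        exp = add_years(made, 10)  # July 2005 .. mid-2017: MIC valid 10 years
        return MicAssessment(serial, made, True, exp, exp.year)
    if is_9800_or_9100 and year >= 2019:
        return MicAssessment(serial, made, True, None, 2099)  # 9800 WLC / 9100 AP from 2019
    return MicAssessment(serial, made, True, None, 2037)  # other models from 2017


def check_serial(serial: str, as_of: str = "2022-01-16",
                 is_9800_or_9100: bool = False) -> dict:
    """Plain-data view of assess_mic(), convenient for scripts and tests."""
    a = assess_mic(serial, is_9800_or_9100)
    today = datetime.date.fromisoformat(as_of)
    return {
        "serial": a.serial,
        "manufactured": a.manufactured.isoformat(),
        "has_mic": a.has_mic,
        "expiry": a.expiry.isoformat() if a.expiry else None,
        "expiry_year": a.expiry_year,
        "expired": a.expired_on(today),
    }


if __name__ == "__main__":
    # FTX1522E5H3 is the AP serial posted in this thread; the thread date is 2022-01-16.
    print(check_serial("FTX1522E5H3"))
```

For the AP in this thread the script yields manufacture week 22 of 2011, so a 10-year MIC that lapsed in 2021, which matches the "already expired" observation in the opening post. For a used AP you are evaluating, run the same check on its serial before buying: anything landing in the 10-year class is either expired or about to be.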
01-16-2022 01:26 AM
Hi, I applied the recommended solution from the FN for the revocation-check none setting accordingly; these are my settings now:
crypto pki trustpoint TP-self-signed-1291928908
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1291928908
revocation-check none
rsakeypair TP-self-signed-1291928908
!
crypto pki trustpoint SLA-TrustPoint
enrollment terminal
revocation-check none
!
crypto pki trustpool policy
revocation-check none
match certificate map1 allow expired-certificate
!
!
!
crypto pki certificate map map1 1
issuer-name co cisco manufacturing ca
!
crypto pki certificate map map1 2
issuer-name co act2 sudi ca
But now the Catalyst says that it cannot accept the AP join based on certificate auth-policy. I don't remember setting any auth-policy; it's not displaying the invalid certificate any more, but now it says that it still cannot join.
00:15:56: *%CAPWAP-6-DTLS_CLOSED_ERR:Switch 1 R0/0: wcm: 5835.d9d5.b530: DTLS connection closed forAP 192:168:9:2 (12267), Controller: 192:168:9:1 (5246) Cannot accept Join Request from MIC AP 58:35:d9:d5:b5:30 based on certificate auth-policy
00:15:56: *%LWAPP-3-AP_DB_ERR1:Switch 1 R0/0: wcm: Unable to find AP 5835.d9d5.b530 entry in the database, could not process delete request
Thanks in advance, I really appreciate the assistance and comments here.
01-16-2022 02:21 AM
01-16-2022 10:11 AM
The time on the switch is correct:
C3850#show ntp associations
  address         ref clock       st   when   poll reach  delay  offset   disp
+~216.239.35.0    .GOOG.           1     18     64   377 64.000 -32.745  2.208
+~216.239.35.8    .GOOG.           1     16     64   377 75.000 -30.705  2.191
*~216.239.35.4    .GOOG.           1     14     64   377 74.000 -32.102  5.989
+~216.239.35.12   .GOOG.           1     65     64     7 69.000 -31.773  2.412
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
C3850#show clock
09:59:40.132 PST Sun Jan 16 2022
The controller is the switch itself, and here is the show version output:
C3850#show ver
Cisco IOS Software [Denali], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.3.9, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Mon 29-Jul-19 13:16 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2019 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: IOS-XE ROMMON
BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 4.68, RELEASE SOFTWARE (P)
C3850 uptime is 1 hour, 14 minutes
Uptime for this control processor is 1 hour, 17 minutes
System returned to ROM by Power Failure at 01:03:04 PST Sun Jan 16 2022
System restarted at 08:44:11 PST Sun Jan 16 2022
System image file is "flash:packages.conf"
Last reload reason: Power Failure
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Technology Package License Information:
-----------------------------------------------------------------
Technology-package                   Technology-package
Current             Type             Next reboot
------------------------------------------------------------------
ipbasek9            Permanent        ipbasek9
cisco WS-C3850-48P (MIPS) processor (revision S0) with 865684K/6147K bytes of memory.
Processor board ID FCW1910D0V3
4 Virtual Ethernet interfaces
52 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
250456K bytes of Crash Files at crashinfo:.
1609272K bytes of Flash at flash:.
0K bytes of  at webui:.
Base Ethernet MAC Address          : 40:a6:e8:92:27:80
Motherboard Assembly Number        : 73-14442-10
Motherboard Serial Number          : FOC19095D00
Model Revision Number              : S0
Motherboard Revision Number        : A0
Model Number                       : WS-C3850-48P
System Serial Number               : FCW1910D0V3
Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 56    WS-C3850-48P       16.3.9            CAT3K_CAA-UNIVERSALK9 INSTALL
Configuration register is 0x102
It has enough licenses and it supports this AP model:
C3850#show ap is-supported AIR-CAP3502I-A-K9
AP Support: Yes
C3850#show wireless ap summary
Sub-Domain Access Point Summary
Maximum AP Limit            : 100
Total AP License Installed  : 5
Total AP License Available  : 5
Total AP Joined             : 0
This is the show version and show inventory output of the AP itself:
AP0007.7d42.fe90#show version
Cisco IOS Software, C3500 Software (AP3G1-K9W8-M), Version 15.2(2)JN2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Wed 11-Sep-13 01:30 by prod_rel_team
ROM: Bootstrap program is C3500 boot loader
BOOTLDR: C3500 Boot Loader (AP3G1-BOOT-M), Version 12.4 [mpleso-ap_jmr3_esc_0514 125]
AP0007.7d42.fe90 uptime is 23 minutes
System returned to ROM by power-on
System image file is "flash:/ap3g1-k9w8-mx.152-2.JN2/ap3g1-k9w8-xx.152-2.JN2"
Last reload reason:
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco AIR-CAP3502I-A-K9 (PowerPC460exr) processor (revision A0) with 81910K/49152K bytes of memory.
Processor board ID FTX1522E5H3
PowerPC460exr CPU at 666Mhz, revision number 0x18A8
Last reset from power-on
LWAPP image version 10.0.120.0
1 Gigabit Ethernet interface
2 802.11 Radios
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:07:7D:42:FE:90
Part Number                          : 73-12175-05
PCA Assembly Number                  : 800-32268-05
PCA Revision Number                  : A0
PCB Serial Number                    : FOC15194T8J
Top Assembly Part Number             : 800-32891-01
Top Assembly Serial Number           : FTX1522E5H3
Top Revision Number                  : A0
Product/Model Number                 : AIR-CAP3502I-A-K9
Configuration register is 0xF

AP0007.7d42.fe90# show inventory
NAME: "AP3500", DESCR: "Cisco Aironet 3500 Series (IEEE 802.11n) Access Point"
PID: AIR-CAP3502I-A-K9 , VID: V01, SN: FTX1522E5H3

AP0007.7d42.fe90#show hardware
Cisco IOS Software, C3500 Software (AP3G1-K9W8-M), Version 15.2(2)JN2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Wed 11-Sep-13 01:30 by prod_rel_team
ROM: Bootstrap program is C3500 boot loader
BOOTLDR: C3500 Boot Loader (AP3G1-BOOT-M), Version 12.4 [mpleso-ap_jmr3_esc_0514 125]
AP0007.7d42.fe90 uptime is 23 minutes
System returned to ROM by power-on
System image file is "flash:/ap3g1-k9w8-mx.152-2.JN2/ap3g1-k9w8-xx.152-2.JN2"
Last reload reason:
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco AIR-CAP3502I-A-K9 (PowerPC460exr) processor (revision A0) with 81910K/49152K bytes of memory.
Processor board ID FTX1522E5H3
PowerPC460exr CPU at 666Mhz, revision number 0x18A8
Last reset from power-on
LWAPP image version 10.0.120.0
1 Gigabit Ethernet interface
2 802.11 Radios
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:07:7D:42:FE:90
Part Number                          : 73-12175-05
PCA Assembly Number                  : 800-32268-05
PCA Revision Number                  : A0
PCB Serial Number                    : FOC15194T8J
Top Assembly Part Number             : 800-32891-01
Top Assembly Serial Number           : FTX1522E5H3
Top Revision Number                  : A0
Product/Model Number                 : AIR-CAP3502I-A-K9
Configuration register is 0xF
Here is the console output from the switch (controller) at the time of physically connecting the AP:
00:44:08: %ILPOWER-7-DETECT: Interface Gi1/0/41: Power Device detected: IEEE PDex
00:44:09: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/41: Power grantedit
00:44:14: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/41, changed state to up
00:44:14: %LINK-3-UPDOWN: Interface Vlan9, changed state to up
00:44:15: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/41, changed state to up
00:44:15: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan9, changed state to up
00:47:12: *%CAPWAP-6-DTLS_CLOSED_ERR:Switch 1 R0/0: wcm: 5835.d9d5.b530: DTLS connection closed forAP 192:168:9:2 (12267), Controller: 192:168:9:1 (5246) Cannot accept Join Request from MIC AP 58:35:d9:d5:b5:30 based on certificate auth-policy
00:47:12: *%LWAPP-3-AP_DB_ERR1:Switch 1 R0/0: wcm: Unable to find AP 5835.d9d5.b530 entry in the database, could not process delete request
00:48:27: *%CAPWAP-6-DTLS_CLOSED_ERR:Switch 1 R0/0: wcm: 5835.d9d5.b530: DTLS connection closed forAP 192:168:9:2 (12266), Controller: 192:168:9:1 (5246) Cannot accept Join Request from MIC AP 58:35:d9:d5:b5:30 based on certificate auth-policy
00:48:27: *%LWAPP-3-AP_DB_ERR1:Switch 1 R0/0: wcm: Unable to find AP 5835.d9d5.b530 entry in the database, could not process delete request
00:49:42: *%CAPWAP-6-DTLS_CLOSED_ERR:Switch 1 R0/0: wcm: 5835.d9d5.b530: DTLS connection closed forAP 192:168:9:2 (12267), Controller: 192:168:9:1 (5246) Cannot accept Join Request from MIC AP 58:35:d9:d5:b5:30 based on certificate auth-policy
00:49:42: *%LWAPP-3-AP_DB_ERR1:Switch 1 R0/0: wcm: Unable to find AP 5835.d9d5.b530 entry in the database, could not process delete request
Here is the console output of the AP:
r WRDTR,CLKTR: 0x8200083f 0x40000000
r RQDC ,RFDC : 0x80000034 0x00000218
using eeprom values
WRDTR,CLKTR: 0x8200083f 0x40000000
RQDC ,RFDC : 0x80000034 0x00000218
using MCNG ddr static values from serial eeprom
ddr init done
Running Normal Memtest... Passed.
IOS Bootloader - Starting system.
FLASH CHIP: Numonyx P33
Checking for Over Erased blocks
......................................................................................................................................................................................................................................................
Xmodem file system is available.
DDR values used from system serial eeprom.
WRDTR,CLKTR: 0x8200083f, 0x40000000
RQDC, RFDC : 0x80000034, 0x00000218
PCIE0: link is up.
PCIE0: VC0 is active
PCIE1: link is up.
PCIE1: VC0 is active
64bit PCIE devices
PCIEx: initialization done
flashfs[0]: 42 files, 9 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 31739904
flashfs[0]: Bytes used: 13940224
flashfs[0]: Bytes available: 17799680
flashfs[0]: flashfs fsck took 12 seconds.
Reading cookie from system serial eeprom...Done
Base Ethernet MAC address: 00:07:7d:42:fe:90
Ethernet speed is 1000 Mb - FULL duplex
Unable to get our ip address: no "IP_ADDR" variable set
The system has encountered an error initializing the TFTP file system.
The system is ignoring the error and continuing to boot.
If you abort the boot process, the following commands will set IP_ADDR, DEFAULT_ROUTER and NETMASK environment variables, initialize the tftp system, and load the operating system software:
    set IP_ADDR
    set DEFAULT_ROUTER
    set NETMASK
    tftp_init
    boot
Loading "flash:/ap3g1-k9w8-mx.152-2.JN2/ap3g1-k9w8-mx.152-2.JN2"...################
File "flash:/ap3g1-k9w8-mx.152-2.JN2/ap3g1-k9w8-mx.152-2.JN2" uncompressed and installed, entry point: 0x4000
executing...
enet halted
IOS Secondary Bootloader - Starting system.
FLASH CHIP: Numonyx P33
Checking for Over Erased blocks
......................................................................................................................................................................................................................................................
Xmodem file system is available.
DDR values used from system serial eeprom.
WRDTR,CLKTR: 0x8200083f, 0x40000000
RQDC, RFDC : 0x80000034, 0x00000218
PCIE0: link is up.
PCIE0: VC0 is active
PCIE1: link is up.
PCIE1: VC0 is active
64bit PCIE devices
PCIEx: initialization done
flashfs[0]: 42 files, 9 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 31739904
flashfs[0]: Bytes used: 13940224
flashfs[0]: Bytes available: 17799680
flashfs[0]: flashfs fsck took 10 seconds.
Reading cookie from system serial eeprom...Done
Base Ethernet MAC address: 00:07:7d:42:fe:90
Creating Test Kernel diagnostic commands
Radio 0 : Vendor 0x11AB, Device 0x8324
Radio 1 : Vendor 0x11AB, Device 0x8350
Radio 2 : Vendor 0x7914, Device 0x2062
Radio 3 : Vendor 0xDE73, Device 0x7279
******** AUTOMATIC DDR CALIBRATION UPGRADE LOGIC *********
=== 1. Is original FCS bootloader in BS:? If not, skip upgrade ===
---> original FCS bootloader not detected -- skip upgrade
Boot CMD: 'boot flash:/ap3g1-k9w8-mx.152-2.JN2/ap3g1-k9w8-xx.152-2.JN2;flash:/ap3g1-k9w8-mx.152-2.JN2/ap3g1-k9w8-mx.152-2.JN2'
Loading "flash:/ap3g1-k9w8-mx.152-2.JN2/ap3g1-k9w8-xx.152-2.JN2"...########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################
File "flash:/ap3g1-k9w8-mx.152-2.JN2/ap3g1-k9w8-xx.152-2.JN2" uncompressed and installed, entry point: 0x100000
executing...

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706

Cisco IOS Software, C3500 Software (AP3G1-K9W8-M), Version 15.2(2)JN2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Wed 11-Sep-13 01:30 by prod_rel_team
Initializing flashfs...
FLASH CHIP: Numonyx P33
Checking for Over Erased blocks
......................................................................................................................................................................................................................................................
flashfs[3]: 42 files, 9 directories
flashfs[3]: 0 orphaned files, 0 orphaned directories
flashfs[3]: Total bytes: 31739904
flashfs[3]: Bytes used: 13940224
flashfs[3]: Bytes available: 17799680
flashfs[3]: flashfs fsck took 7 seconds.
flashfs[3]: Initialization complete.
flashfs[4]: 0 files, 1 directories
flashfs[4]: 0 orphaned files, 0 orphaned directories
flashfs[4]: Total bytes: 12257280
flashfs[4]: Bytes used: 1024
flashfs[4]: Bytes available: 12256256
flashfs[4]: flashfs fsck took 0 seconds.
flashfs[4]: Initialization complete....done Initializing flashfs.
Ethernet speed is 1000 Mb - FULL duplex
Radio0 present 8364B 8000 B8020000 0 B8030000 10
Rate table has 80 entries (32 SGI/4 BF variants)
Radio1 present 8364B 8000 B0020000 0 B0030000 C
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco AIR-CAP3502I-A-K9 (PowerPC460exr) processor (revision A0) with 81910K/49152K bytes of memory.
Processor board ID FTX1522E5H3
PowerPC460exr CPU at 666Mhz, revision number 0x18A8
Last reset from power-on
LWAPP image version 10.0.120.0
1 Gigabit Ethernet interface
2 802.11 Radios
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:07:7D:42:FE:90
Part Number                          : 73-12175-05
PCA Assembly Number                  : 800-32268-05
PCA Revision Number                  : A0
PCB Serial Number                    : FOC15194T8J
Top Assembly Part Number             : 800-32891-01
Top Assembly Serial Number           : FTX1522E5H3
Top Revision Number                  : A0
Product/Model Number                 : AIR-CAP3502I-A-K9
% Please define a domain-name first.

Press RETURN to get started!

*Mar 1 00:00:09.802: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
*Mar 1 00:00:09.802: *** CRASH_LOG = YES
*Mar 1 00:00:09.802: 64bit PCIE devicesSecurity Core found.
Base Ethernet MAC address: 00:07:7D:42:FE:90
*Mar 1 00:00:13.095: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:14.294: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
*Mar 1 00:00:14.294: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:17.594: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1
*Mar 1 00:00:20.283: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3500 Software (AP3G1-K9W8-M), Version 15.2(2)JN2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Wed 11-Sep-13 01:30 by prod_rel_team
*Mar 1 00:00:20.283: %SNMP-5-COLDSTART: SNMP agent on host AP0007.7d42.fe90 is undergoing a cold start
*Mar 1 00:00:20.635: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 1 00:00:20.635: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Mar 1 00:00:20.831: %SSH-5-ENABLED: SSH 2.0 has been enabled
lwapp_crypto_init: MIC Present and Parsed Successfully
*Mar 1 00:00:21.315: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Mar 1 00:00:33.517: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Mar 1 00:00:34.606: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 1 00:00:35.606: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar 1 00:00:35.697: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 00:00:36.698: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
%Default route without gateway, if not a point-to-point interface, may impact performance
*Mar 1 00:00:49.004: Logging LWAPP message to 255.255.255.255.
*Mar 1 00:00:53.917: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 192.168.9.2, mask 255.255.255.248, hostname AP0007.7d42.fe90
*Mar 1 00:00:54.918: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 port 514 started - CLI initiated
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (1.1.1.1)
*Mar 1 00:01:04.905: %CAPWAP-5-DHCP_OPTION_43: Controller address 192.168.9.1 obtained through DHCP
*Mar 1 00:01:04.905: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
 (9.9.9.9)
*Mar 1 00:01:22.911: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
*Mar 1 00:01:32.912: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jan 16 17:27:58.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.9.1 peer_port: 5246
*Jan 16 17:27:58.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.9.1 peer_port: 5246
*Jan 16 17:27:58.223: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.9.1
*Jan 16 17:27:58.229: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
*Jan 16 17:27:58.229: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
*Jan 16 17:27:58.229: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Jan 16 17:27:58.229: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 192.168.9.1
*Jan 16 17:28:03.225: %CAPWAP-3-ERRORLOG: DTLS connection not found Failed to encrypt and send packet.
*Jan 16 17:28:03.225: %CAPWAP-3-ERRORLOG: Failed to encrypt and send packet.
*Jan 16 17:28:03.225: %CAPWAP-3-ERRORLOG: Failed to send Join request to 192.168.9.1
*Jan 16 17:29:03.056: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
*Jan 16 17:29:03.160: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Jan 16 17:29:03.160: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Jan 16 17:29:03.402: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Jan 16 17:29:03.434: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Jan 16 17:29:04.164: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Jan 16 17:29:04.186: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Jan 16 17:29:04.192: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Jan 16 17:29:05.180: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Jan 16 17:29:05.186: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Jan 16 17:29:05.208: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Jan 16 17:29:05.214: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Jan 16 17:29:05.221: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Jan 16 17:29:06.208: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Jan 16 17:29:06.215: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Jan 16 17:29:06.237: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Jan 16 17:29:07.237: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Jan 16 17:29:13.434: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jan 16 17:29:12.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.9.1 peer_port: 5246
*Jan 16 17:29:12.226: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.9.1 peer_port: 5246
*Jan 16 17:29:12.226: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.9.1
*Jan 16 17:29:12.229: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
*Jan 16 17:29:12.229: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
*Jan 16 17:29:12.229: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Jan 16 17:29:12.229: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 192.168.9.1
*Jan 16 17:29:17.228: %CAPWAP-3-ERRORLOG: DTLS connection not found Failed to encrypt and send packet.
*Jan 16 17:29:17.228: %CAPWAP-3-ERRORLOG: Failed to encrypt and send packet.
*Jan 16 17:29:17.228: %CAPWAP-3-ERRORLOG: Failed to send Join request to 192.168.9.1
*Jan 16 17:30:17.056: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
*Jan 16 17:30:17.160: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Jan 16 17:30:17.160: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Jan 16 17:30:17.396: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Jan 16 17:30:17.418: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Jan 16 17:30:18.170: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Jan 16 17:30:18.186: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Jan 16 17:30:18.192: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Jan 16 17:30:19.180: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Jan 16 17:30:19.186: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Jan 16 17:30:19.208: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Jan 16 17:30:19.214: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Jan 16 17:30:19.221: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Jan 16 17:30:20.208: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Jan 16 17:30:20.215: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Jan 16 17:30:20.237: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Jan 16 17:30:21.237: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Jan 16 17:30:27.418: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jan 16 17:30:27.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.9.1 peer_port: 5246
*Jan 16 17:30:27.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.9.1 peer_port: 5246
*Jan 16 17:30:27.223: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.9.1
*Jan 16 17:30:27.229: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
*Jan 16 17:30:27.229: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
*Jan 16 17:30:27.229: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Jan 16 17:30:27.229: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 192.168.9.1
*Jan 16 17:30:32.225: %CAPWAP-3-ERRORLOG: DTLS connection not found Failed to encrypt and send packet.
*Jan 16 17:30:32.225: %CAPWAP-3-ERRORLOG: Failed to encrypt and send packet.
*Jan 16 17:30:32.225: %CAPWAP-3-ERRORLOG: Failed to send Join request to 192.168.9.1
From the AP, these five lines especially caught my attention:
*Jan 16 17:27:58.229: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
*Jan 16 17:27:58.229: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Jan 16 17:27:58.229: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 192.168.9.1
*Jan 16 17:28:03.225: %CAPWAP-3-ERRORLOG: DTLS connection not found Failed to encrypt and send packet.
*Jan 16 17:28:03.225: %CAPWAP-3-ERRORLOG: Failed to encrypt and send packet.
So I checked whether I could disable the country code (it was previously set up to US), just in case the AP was for another country (but I was unable to undo the country selection in the switch):
C3850#ap country US
C3850(config)#no ap country US
% Invalid input detected at '^' marker.
Also, because I got a "failed to encrypt and send message", I disabled AP link encryption in the switch just in case, but that didn't work either (was I right to run these next two commands?):
no ap link-encryption
no ap dtls secure-cipher
Also, I haven't found information on this:
Failed to process message type 10 state 5.
What does that mean? What do type 10 and state 5 mean?
Thanks in advance!!!!
01-16-2022 12:22 PM
I did post a reply with all the switch and AP console outputs, but I can no longer see it (strange).
Anyway, putting all these logs together helped me understand that my Catalyst didn't have any policy, so after this command: ap auth-list ap-policy mic the AP successfully joined the C3850 (my bad for disabling all policies as part of the troubleshooting earlier).
So first I allowed the crypto map to ignore expired certs, and then set IOS-XE to allow "Authorization of APs with manufacturing-installed certificates".
AP is registered and stable at this point.
But new issues started now after I ran the commands:
ap link-encryption
ap dtls secure-cipher aES256_SHA2
or
ap dtls secure-cipher aES256_SHA1
The AP started to reboot over and over because it failed to receive the data keep-alive after I enabled DTLS:
*Jan 16 19:36:52.983: %CAPWAP-3-DATA_KEEPALIVE_ERR: Failed to receive data keep-alive
*Jan 16 19:36:52.983: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.9.1:5246
*Jan 16 19:36:52.983: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.9.1:5247
*Jan 16 19:36:53.065: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Jan 16 19:36:53.065: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Jan 16 19:36:53.068: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Jan 16 19:36:53.093: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Jan 16 19:36:54.071: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Jan 16 19:36:54.093: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Jan 16 19:36:54.100: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Jan 16 19:36:55.087: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Jan 16 19:36:55.094: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Jan 16 19:36:55.116: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Jan 16 19:36:55.122: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Jan 16 19:36:55.128: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Jan 16 19:36:56.116: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Jan 16 19:36:56.122: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Jan 16 19:36:56.148: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Jan 16 19:36:57.148: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Jan 16 19:37:03.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.9.1 peer_port: 5246
*Jan 16 19:37:03.245: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.9.1 peer_port: 5246
*Jan 16 19:37:03.245: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.9.1
Upstream QOS stats update is enabled
*Jan 16 19:37:04.720: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Jan 16 19:37:04.780: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Jan 16 19:37:04.793: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller C3850
*Jan 16 19:37:04.896: %CAPWAP-6-DATA_DTLS_START: Starting Data DTLS handshake. Wireless client traffic will be blocked until DTLS tunnel is established.
*Jan 16 19:37:04.900: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Jan 16 19:37:04.969: Registering HW DTLS
DTLS keys are plumbed successfully.
Now I have a restarting AP... I tried to find a command to enable DTLS keep-alives but I can't find it... am I looking in the wrong direction, maybe?
Thanks!
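As an added example (not from the thread or from Cisco), here is a small Python triage script for the two AP console dumps above: it groups the syslog lines into CAPWAP join attempts and classifies each one as rejected by the join state machine (the "message type 10 state 5" errors), joined but then losing its data keep-alive (the reboot loop after enabling DTLS), or still in progress. The sample lines are constructed, modelled on the output quoted in both posts rather than copied from them.

```python
import re
from collections import Counter

# Constructed sample, modelled on the AP console output quoted in the thread
# (not a verbatim copy): one rejected join, one join that loses its data
# keep-alive after DTLS is enabled, and one attempt still in progress.
SAMPLE_LOG = """\
*Jan 16 17:30:27.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.9.1 peer_port: 5246
*Jan 16 17:30:27.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.9.1 peer_port: 5246
*Jan 16 17:30:27.223: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.9.1
*Jan 16 17:30:27.229: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
*Jan 16 17:30:32.225: %CAPWAP-3-ERRORLOG: Failed to send Join request to 192.168.9.1
*Jan 16 19:37:03.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.9.1 peer_port: 5246
*Jan 16 19:37:03.245: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.9.1
*Jan 16 19:37:04.793: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller C3850
*Jan 16 19:38:52.983: %CAPWAP-3-DATA_KEEPALIVE_ERR: Failed to receive data keep-alive
*Jan 16 19:39:03.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.9.1 peer_port: 5246
"""

# IOS AP syslog shape: "*Mon DD HH:MM:SS.mmm: %FACILITY-SEV-MNEMONIC: message"
LINE_RE = re.compile(r"^\*(?P<ts>\w{3} +\d+ [\d:.]+): %(?P<mnemonic>[A-Z0-9_-]+): (?P<msg>.*)$")

def parse_join_attempts(lines):
    """Group AP syslog lines into CAPWAP join attempts and classify each outcome."""
    attempts = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # radio/line-protocol noise or non-syslog text
        ts, mnemonic, msg = m.group("ts", "mnemonic", "msg")
        if mnemonic == "CAPWAP-5-DTLSREQSEND":  # every attempt starts with a DTLS request
            peer = re.search(r"peer_ip: (\S+)", msg)
            attempts.append({"start": ts, "peer": peer.group(1) if peer else None,
                             "outcome": "in-progress", "detail": ""})
            continue
        if not attempts:
            continue  # events before the first DTLS request are not attributable
        cur = attempts[-1]
        if mnemonic == "CAPWAP-5-JOINEDCONTROLLER":
            cur["outcome"], cur["detail"] = "joined", msg
        elif mnemonic == "CAPWAP-3-DATA_KEEPALIVE_ERR" and cur["outcome"] == "joined":
            # control plane joined, but the data DTLS tunnel never stayed up
            cur["outcome"], cur["detail"] = "data-keepalive-failed", msg
        elif mnemonic == "CAPWAP-3-ERRORLOG" and cur["outcome"] == "in-progress":
            if "Failed to process message type" in msg:
                cur["outcome"], cur["detail"] = "join-rejected", msg
    return attempts

def summarize(attempts):
    """Count outcomes; repeated rejections or keep-alive failures indicate a loop."""
    return Counter(a["outcome"] for a in attempts)
```

Feed it `parse_join_attempts(open("ap-console.txt"))` on a real capture to see at a glance whether the AP is stuck before the join (certificate/policy problem) or after it (data DTLS problem).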
01-16-2022 12:27 PM
Like @Leo Laohoo said, read the FN in full.
There will always be a default policy even if you didn't configure one.
I don't see any mention of you configuring "allow expired-certificate" as per the field notice or the config guide:
And (as per the FN) you might also need to set the time back to make the certs appear valid in order to let the AP join to get updated software and config before allowing NTP to sync once it's been able to join and update.
01-16-2022 01:29 PM
config ap cert-expiry-ignore mic enable works on the AireOS WLCs; you could try that.
01-16-2022 02:18 PM
Thanks for the advice; for now I will disable DTLS and will consider getting an AP 9000. Do I need a separate license to run EWC on an AP?