WLC 5508 Certificate is expired fix version 8.5.182.7

yastop
Level 1

Hi,

We had an issue with APs whose certificates have expired. However, we have upgraded the WLC to the fixed version 8.5.182.7, but I still have the same problem. What could be the solution? When I enable 'config ap cert-expiry-ignore {mic|ssc}', the APs can join again, but if I disable it, they can no longer join.

 

cisco AIR-AP2802I-E-K9 ARMv7 Processor rev 1 (v7l) with 1028712/650760K bytes of memory.
Processor board ID FCW2346PTK2
AP Running Image     : 8.5.182.7
Primary Boot Image   : 8.5.182.7
Backup Boot Image    : 8.5.182.0
2 Gigabit Ethernet interfaces
2 802.11 Radios
Radio Driver version : 9.0.5.5-W8964
Radio FW version : 9.1.8.1
NSS FW version : 2.4.26

 

 

(Cisco Controller) >show boot
Primary Boot Image............................... 8.5.182.7 (default) (active)
Backup Boot Image................................ 8.5.182.0

[*07/05/2023 10:47:03.6969] Restarting CAPWAP State Machine.
[*07/05/2023 10:47:03.8011] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state: DTLS Setup(3).
[*07/05/2023 10:47:03.8022] Failed to disconnect DTLS-CTRL session.
[*07/05/2023 10:47:03.8023]
[*07/05/2023 10:47:03.8023] CAPWAP State: DTLS Teardown
[*07/05/2023 10:47:03.8086] DTLS: Error while processing DTLS packet 0x276a000.
[*07/05/2023 10:47:08.5116] No more AP manager addresses remain..
[*07/05/2023 10:47:08.5116] No valid AP manager found for controller 'UT-25' (ip: 172.25.0.31)
[*07/05/2023 10:47:08.5116] Failed to join controller UT-25.
[*07/05/2023 10:47:08.5116] Failed to join controller.
[*07/05/2023 10:47:03.0000]
[*07/05/2023 10:47:03.0000] CAPWAP State: DTLS Setup
[*07/05/2023 10:47:03.0002] dtls_new_connection: Connection 0x26f0c00 is already there for this server port 5246, Deleting it. Number of connections: 147
[*07/05/2023 10:47:03.0002]
[*07/05/2023 10:47:03.0005] dtls_connectionDB_add_connection: Number of DTLS connections exceeded two
[*07/05/2023 10:47:03.6983] Certificate is expired
[*07/05/2023 10:47:03.6983] Certificate Start Date: Mar 26 15:10:29 2013 GMT
[*07/05/2023 10:47:03.6983] Certificate End Date: Mar 26 15:20:29 2023 GMT
[*07/05/2023 10:47:03.6984] display_verify_cert_status: Verify Cert: FAILED at 0 depth: certificate has expired
[*07/05/2023 10:47:03.6984] X509 OpenSSL Errors...
[*07/05/2023 10:47:03.6984]
[*07/05/2023 10:47:03.6984] NONE
[*07/05/2023 10:47:03.6984]
[*07/05/2023 10:47:03.6984]
[*07/05/2023 10:47:03.6991] dtls_verify_con_cert: Controller certificate verification error
[*07/05/2023 10:47:03.6991] dtls_process_packet: Controller certificate verification failed
[*07/05/2023 10:47:03.7006] sendPacketToDtls: DTLS: Closing connection 0x26f0c00.
[*07/05/2023 10:47:03.7006]
[*07/05/2023 10:47:03.7006] Lost connection to the controller, going to restart CAPWAP (reason : dtls_rc_connection_closed)...
[*07/05/2023 10:47:03.7006]
[*07/05/2023 10:47:03.7008] DTLS: Error while processing DTLS packet 0x275e000.
[*07/05/2023 10:47:03.7009] Restarting CAPWAP State Machine.
[*07/05/2023 10:47:03.8050] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state: DTLS Setup(3).
[*07/05/2023 10:47:03.8063] Failed to disconnect DTLS-CTRL session.
[*07/05/2023 10:47:03.8063]
[*07/05/2023 10:47:03.8063] CAPWAP State: DTLS Teardown
[*07/05/2023 10:47:08.5111] No more AP manager addresses remain..
[*07/05/2023 10:47:08.5111] No valid AP manager found for controller 'UTR-25' (ip: 172.25.0.32)
[*07/05/2023 10:47:08.5111] Failed to join controller UT-25.
[*07/05/2023 10:47:08.5112] Failed to join controller.
[*07/05/2023 10:47:08.7209]
[*07/05/2023 10:47:08.7209] CAPWAP State: Discovery
[*07/05/2023 10:47:08.7216] Got WLC address 172.25.0.31 from DHCP.
[*07/05/2023 10:47:08.7216] IP DNS query for CISCO-CAPWAP-CONTROLLER.amg.local
[*07/05/2023 10:47:08.7294] Discovery Request sent to 172.25.0.31, discovery type STATIC_CONFIG(1)
[*07/05/2023 10:47:08.7334] Discovery Request sent to 172.25.0.32, discovery type STATIC_CONFIG(1)
[*07/05/2023 10:47:08.7345] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*07/05/2023 10:47:08.7346] Discovery Response from 172.25.0.31
[*07/05/2023 10:47:08.7421] Discovery Response from 172.25.0.32

 

 

Certificate Name: Cisco SHA1 device cert
     Subject Name :
         C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AIR-CT5508-K9-4c4e357e56c0, emailAddress=support@cisco.com
     Issuer Name :
         O=Cisco Systems, CN=Cisco Manufacturing CA
     Serial Number (Hex):
         4B1A6562000000270326
     Validity :
         Start : Mar 26 15:14:18 2013 GMT
         End   : Mar 26 15:24:18 2023 GMT
     Signature Algorithm :
         sha1WithRSAEncryption
     Hash key :
         SHA1 Fingerprint  : c4:e5:5c:2f:28:81:b8:39:88:a1:10:c7:03:f0:06:f6:ab:38:fe:c6
         SHA256 Fingerprint  : a7:ae:87:5b:f1:f0:6c:ee:39:bc:62:08:f3:90:98:e4:02:b4:78:ac:89:f8:ad:d9:b9:c8:35:d5:3d:53:4a:db
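As an added example (not code from the thread, from the poster, or from Cisco), here is a small Python checker that reads the two artefacts quoted above: the controller certificate block from `show certificate` and the AP console lines. Both are embedded as constructed samples copied from the post. It works out whether the controller certificate has expired at a given time, classifies it as a manufacturer-installed (MIC) or self-signed (SSC) certificate, which decides the keyword in `config ap cert-expiry-ignore {mic|ssc}`, counts the expiry events the AP logged, and compares the validity window the AP printed against the one the WLC shows. The field regexes and the issuer-based MIC/SSC heuristic are assumptions derived from the output layout in the post, not from any Cisco API.

```python
import re
from datetime import datetime, timezone

# Constructed sample input (values copied from the thread, trimmed to the
# fields the checker reads): one 'show certificate' block from the WLC ...
WLC_CERT_OUTPUT = """\
Certificate Name: Cisco SHA1 device cert
     Subject Name :
         C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AIR-CT5508-K9-4c4e357e56c0, emailAddress=support@cisco.com
     Issuer Name :
         O=Cisco Systems, CN=Cisco Manufacturing CA
     Validity :
         Start : Mar 26 15:14:18 2013 GMT
         End   : Mar 26 15:24:18 2023 GMT
     Signature Algorithm :
         sha1WithRSAEncryption
"""

# ... and the certificate-related lines from the AP console log.
AP_LOG = """\
[*07/05/2023 10:47:03.0000] CAPWAP State: DTLS Setup
[*07/05/2023 10:47:03.6983] Certificate is expired
[*07/05/2023 10:47:03.6983] Certificate Start Date: Mar 26 15:10:29 2013 GMT
[*07/05/2023 10:47:03.6983] Certificate End Date: Mar 26 15:20:29 2023 GMT
[*07/05/2023 10:47:03.6984] display_verify_cert_status: Verify Cert: FAILED at 0 depth: certificate has expired
[*07/05/2023 10:47:03.6991] dtls_verify_con_cert: Controller certificate verification error
[*07/05/2023 10:47:08.7346] Discovery Response from 172.25.0.31
"""

WLC_DATE_FMT = "%b %d %H:%M:%S %Y GMT"
LOG_LINE = re.compile(r"^\[\*(?P<ts>[^\]]+)\]\s*(?P<msg>.*)$")


def utc(*args):
    """Build an aware UTC datetime (helper for callers and tests)."""
    return datetime(*args, tzinfo=timezone.utc)


def parse_wlc_date(text):
    """'Mar 26 15:24:18 2023 GMT' -> aware UTC datetime."""
    return datetime.strptime(text.strip(), WLC_DATE_FMT).replace(tzinfo=timezone.utc)


def parse_wlc_certificate(output):
    """Extract the fields of one WLC 'show certificate' block. Layout assumed
    from the post: a label line followed by an indented value line."""
    def field(label):
        m = re.search(re.escape(label) + r"\s*:\s*\n\s*(.+)", output)
        return m.group(1).strip() if m else None

    name = re.search(r"Certificate Name:\s*(.+)", output)
    subject = field("Subject Name") or ""
    cn = re.search(r"CN=([^,]+)", subject)
    return {
        "name": name.group(1).strip() if name else None,
        "subject": subject,
        "subject_cn": cn.group(1) if cn else None,
        "issuer": field("Issuer Name") or "",
        "not_before": parse_wlc_date(re.search(r"Start\s*:\s*(.+)", output).group(1)),
        "not_after": parse_wlc_date(re.search(r"End\s*:\s*(.+)", output).group(1)),
        "signature_algorithm": field("Signature Algorithm") or "",
    }


def assess_certificate(cert, now):
    """Judge the certificate at 'now'. The MIC/SSC split is an assumed heuristic:
    a Cisco Manufacturing CA issuer means manufacturer-installed, issuer equal
    to subject means self-signed."""
    if "Manufacturing CA" in cert["issuer"]:
        cert_type = "mic"
    elif cert["issuer"] == cert["subject"]:
        cert_type = "ssc"
    else:
        cert_type = "other"
    return {
        "expired": now > cert["not_after"],
        "days_remaining": (cert["not_after"] - now).days,
        "cert_type": cert_type,
        "sha1_signed": cert["signature_algorithm"].lower().startswith("sha1"),
    }


def scan_ap_log(log_text):
    """Collect the expiry events an AP logged while joining, plus the validity
    window the AP itself printed for the controller certificate."""
    findings = {"expired_events": [], "not_before": None, "not_after": None}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if "expired" in msg.lower():
            findings["expired_events"].append((ts, msg))
        elif msg.startswith("Certificate Start Date:"):
            findings["not_before"] = parse_wlc_date(msg.split(":", 1)[1])
        elif msg.startswith("Certificate End Date:"):
            findings["not_after"] = parse_wlc_date(msg.split(":", 1)[1])
    return findings


def windows_match(cert, findings):
    """True when the AP reported exactly the validity window the WLC shows;
    a mismatch means the AP rejected a different certificate than the one
    being inspected on the controller."""
    return (findings["not_before"] == cert["not_before"]
            and findings["not_after"] == cert["not_after"])


def report(cert_output, log_text, now):
    """Human-readable summary combining both artefacts."""
    cert = parse_wlc_certificate(cert_output)
    verdict = assess_certificate(cert, now)
    findings = scan_ap_log(log_text)
    lines = [
        f"{cert['name']} ({cert['subject_cn']}), issuer: {cert['issuer']}",
        f"  WLC window: {cert['not_before']:%Y-%m-%d %H:%M:%S} .. {cert['not_after']:%Y-%m-%d %H:%M:%S}",
        f"  expired={verdict['expired']} days_remaining={verdict['days_remaining']} "
        f"type={verdict['cert_type']} sha1_signed={verdict['sha1_signed']}",
        f"  AP logged {len(findings['expired_events'])} expiry event(s); "
        f"AP-reported End Date: {findings['not_after']}",
        f"  AP window matches WLC window: {windows_match(cert, findings)}",
    ]
    if verdict["expired"] and findings["expired_events"] and verdict["cert_type"] in ("mic", "ssc"):
        lines.append(f"  -> APs cannot join until 'config ap cert-expiry-ignore {verdict['cert_type']}' is enabled")
    return "\n".join(lines)


if __name__ == "__main__":
    # 'now' taken from the AP log timestamp in the post.
    print(report(WLC_CERT_OUTPUT, AP_LOG, utc(2023, 7, 5, 10, 47, 3)))
```

Run against the sample, the checker reports the cert as an expired, SHA-1-signed MIC and two expiry events in the AP log. It also reports that the two validity windows do not match (the AP printed an End Date of 15:20:29, the WLC shows 15:24:18), which is why the script prints both rather than assuming the AP rejected the exact certificate being inspected; for a real investigation that mismatch is the first thing to resolve.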

 

 

 

 

 


4 Replies

jagan.chowdam
Spotlight

Field Notice - https://www.cisco.com/c/en/us/support/docs/field-notices/725/fn72524.html

You can try the workaround listed in the field notice and see if the APs join back.

 

 

Cisco 2800 series APs are not listed under affected products.

These AP series are affected:

  • Cisco Aironet 3700 Series Access Points
  • Cisco Aironet 2700 Series Access Points
  • Cisco Aironet 1700 Series Access Points
  • Cisco Industrial Wireless 3700 Series
  • Cisco Aironet 1570 Series Access Points
  • Cisco Aironet 3600 Series Access Points
  • Cisco Aironet 3500 Series Access Points
  • Cisco Aironet 2600 Series Access Points
  • Cisco Aironet 1600 Series Access Points
  • Cisco Aironet 700 Series Access Points
  • Cisco Aironet 1530 Series Access Points
  • Cisco Aironet 1550 Series Access Points
  • Cisco 800 and 1900 Series ISR Integrated Access Points

CJ

/**Please rate all useful responses**/

 

Thank you for your response. The issue is that the certificate of the Cisco device continues to remain invalid, even after updating to the fix version. There is no alignment with the fix version.

 

 

Cisco SHA1 device cert
     Subject Name :
         C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AIR-CT5508-K9-4c4e357e56c0, emailAddress=support@cisco.com
     Issuer Name :
         O=Cisco Systems, CN=Cisco Manufacturing CA
     Serial Number (Hex):
         4B1A6562000000270326
     Validity :
         Start : Mar 26 15:14:18 2013 GMT
         End   : Mar 26 15:24:18 2023 GMT
     Signature Algorithm :
         sha1WithRSAEncryption
     Hash key :
         SHA1 Fingerprint  : c4:e5:5c:2f:28:81:b8:39:88:a1:10:c7:03:f0:06:f6:ab:38:fe:c6
         SHA256 Fingerprint  : a7:ae:87:5b:f1:f0:6c:ee:39:bc:62:08:f3:90:98:e4:02:b4:78:ac:89:f8:ad:d9:b9:c8:35:d5:3d:53:4a:db

 

 

I think the correct field notice for your issue is https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html; in that case, you will always need the workaround: 'config ap cert-expiry-ignore {mic|ssc}'.

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

The fix added the workaround, but there is no way to replace the certs. You need to leave the cert-expiry-ignore set. I believe the command is the fix, as the older code did not have it.
