07-05-2023 07:03 AM
Hi,
We had an issue with APs whose certificates have expired. We upgraded the WLC to the fixed version 8.5.182.7, but I still have the same problem. What could be the solution? When I enable 'config ap cert-expiry-ignore {mic|ssc}', the APs can join again, but if I disable it, they can no longer join.
cisco AIR-AP2802I-E-K9 ARMv7 Processor rev 1 (v7l) with 1028712/650760K bytes of memory.
Processor board ID FCW2346PTK2
AP Running Image : 8.5.182.7
Primary Boot Image : 8.5.182.7
Backup Boot Image : 8.5.182.0
2 Gigabit Ethernet interfaces
2 802.11 Radios
Radio Driver version : 9.0.5.5-W8964
Radio FW version : 9.1.8.1
NSS FW version : 2.4.26
(Cisco Controller) >show boot
Primary Boot Image............................... 8.5.182.7 (default) (active)
Backup Boot Image................................ 8.5.182.0
[*07/05/2023 10:47:03.6969] Restarting CAPWAP State Machine.
[*07/05/2023 10:47:03.8011] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state: DTLS Setup(3).
[*07/05/2023 10:47:03.8022] Failed to disconnect DTLS-CTRL session.
[*07/05/2023 10:47:03.8023]
[*07/05/2023 10:47:03.8023] CAPWAP State: DTLS Teardown
[*07/05/2023 10:47:03.8086] DTLS: Error while processing DTLS packet 0x276a000.
[*07/05/2023 10:47:08.5116] No more AP manager addresses remain..
[*07/05/2023 10:47:08.5116] No valid AP manager found for controller 'UT-25' (ip: 172.25.0.31)
[*07/05/2023 10:47:08.5116] Failed to join controller UT-25.
[*07/05/2023 10:47:08.5116] Failed to join controller.
[*07/05/2023 10:47:03.0000]
[*07/05/2023 10:47:03.0000] CAPWAP State: DTLS Setup
[*07/05/2023 10:47:03.0002] dtls_new_connection: Connection 0x26f0c00 is already there for this server port 5246, Deleting it. Number of connections: 147
[*07/05/2023 10:47:03.0002]
[*07/05/2023 10:47:03.0005] dtls_connectionDB_add_connection: Number of DTLS connections exceeded two
[*07/05/2023 10:47:03.6983] Certificate is expired
[*07/05/2023 10:47:03.6983] Certificate Start Date: Mar 26 15:10:29 2013 GMT
[*07/05/2023 10:47:03.6983] Certificate End Date: Mar 26 15:20:29 2023 GMT
[*07/05/2023 10:47:03.6984] display_verify_cert_status: Verify Cert: FAILED at 0 depth: certificate has expired
[*07/05/2023 10:47:03.6984] X509 OpenSSL Errors...
[*07/05/2023 10:47:03.6984]
[*07/05/2023 10:47:03.6984] NONE
[*07/05/2023 10:47:03.6984]
[*07/05/2023 10:47:03.6984]
[*07/05/2023 10:47:03.6991] dtls_verify_con_cert: Controller certificate verification error
[*07/05/2023 10:47:03.6991] dtls_process_packet: Controller certificate verification failed
[*07/05/2023 10:47:03.7006] sendPacketToDtls: DTLS: Closing connection 0x26f0c00.
[*07/05/2023 10:47:03.7006]
[*07/05/2023 10:47:03.7006] Lost connection to the controller, going to restart CAPWAP (reason : dtls_rc_connection_closed)...
[*07/05/2023 10:47:03.7006]
[*07/05/2023 10:47:03.7008] DTLS: Error while processing DTLS packet 0x275e000.
[*07/05/2023 10:47:03.7009] Restarting CAPWAP State Machine.
[*07/05/2023 10:47:03.8050] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state: DTLS Setup(3).
[*07/05/2023 10:47:03.8063] Failed to disconnect DTLS-CTRL session.
[*07/05/2023 10:47:03.8063]
[*07/05/2023 10:47:03.8063] CAPWAP State: DTLS Teardown
[*07/05/2023 10:47:08.5111] No more AP manager addresses remain..
[*07/05/2023 10:47:08.5111] No valid AP manager found for controller 'UTR-25' (ip: 172.25.0.32)
[*07/05/2023 10:47:08.5111] Failed to join controller UT-25.
[*07/05/2023 10:47:08.5112] Failed to join controller.
[*07/05/2023 10:47:08.7209]
[*07/05/2023 10:47:08.7209] CAPWAP State: Discovery
[*07/05/2023 10:47:08.7216] Got WLC address 172.25.0.31 from DHCP.
[*07/05/2023 10:47:08.7216] IP DNS query for CISCO-CAPWAP-CONTROLLER.amg.local
[*07/05/2023 10:47:08.7294] Discovery Request sent to 172.25.0.31, discovery type STATIC_CONFIG(1)
[*07/05/2023 10:47:08.7334] Discovery Request sent to 172.25.0.32, discovery type STATIC_CONFIG(1)
[*07/05/2023 10:47:08.7345] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*07/05/2023 10:47:08.7346] Discovery Response from 172.25.0.31
[*07/05/2023 10:47:08.7421] Discovery Response from 172.25.0.32
Certificate Name: Cisco SHA1 device cert
Subject Name :
C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AIR-CT5508-K9-4c4e357e56c0, emailAddress=support@cisco.com
Issuer Name :
O=Cisco Systems, CN=Cisco Manufacturing CA
Serial Number (Hex):
4B1A6562000000270326
Validity :
Start : Mar 26 15:14:18 2013 GMT
End : Mar 26 15:24:18 2023 GMT
Signature Algorithm :
sha1WithRSAEncryption
Hash key :
SHA1 Fingerprint : c4:e5:5c:2f:28:81:b8:39:88:a1:10:c7:03:f0:06:f6:ab:38:fe:c6
SHA256 Fingerprint : a7:ae:87:5b:f1:f0:6c:ee:39:bc:62:08:f3:90:98:e4:02:b4:78:ac:89:f8:ad:d9:b9:c8:35:d5:3d:53:4a:db
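The log and certificate output above show the AP closing the DTLS session because the peer certificate it verifies at depth 0 (the controller's own device certificate, issued by the Cisco Manufacturing CA) is past its End date. The script below is an added example, not code from the thread or from Cisco: it parses those same log and 'show certificate' lines (copied here as constructed sample input) and reports which certificate expired, how long ago, and whether the 'config ap cert-expiry-ignore mic' workaround discussed in the thread is the applicable one. The mapping of "controller certificate failed at depth 0" onto the 'mic' option, and the NOW timestamp taken from the log-line prefix, are assumptions of the example.

```python
"""Triage helper for CAPWAP join failures caused by an expired controller cert.

Added example, not from the thread or from Cisco. Parses AP console log lines
and a WLC 'show certificate' block and maps the result onto the
'config ap cert-expiry-ignore {mic|ssc}' workaround discussed in the thread.
"""
import re
from datetime import datetime, timezone

# Constructed sample input: lines copied from the AP log quoted in the thread.
AP_LOG = """\
[*07/05/2023 10:47:03.6983] Certificate is expired
[*07/05/2023 10:47:03.6983] Certificate Start Date: Mar 26 15:10:29 2013 GMT
[*07/05/2023 10:47:03.6983] Certificate End Date: Mar 26 15:20:29 2023 GMT
[*07/05/2023 10:47:03.6984] display_verify_cert_status: Verify Cert: FAILED at 0 depth: certificate has expired
[*07/05/2023 10:47:03.6991] dtls_verify_con_cert: Controller certificate verification error
[*07/05/2023 10:47:03.6991] dtls_process_packet: Controller certificate verification failed
[*07/05/2023 10:47:03.7006] Lost connection to the controller, going to restart CAPWAP (reason : dtls_rc_connection_closed)...
"""

# Constructed sample input: the WLC 'show certificate' block from the thread.
WLC_CERT = """\
Certificate Name: Cisco SHA1 device cert
Subject Name :
C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AIR-CT5508-K9-4c4e357e56c0, emailAddress=support@cisco.com
Issuer Name :
O=Cisco Systems, CN=Cisco Manufacturing CA
Validity :
Start : Mar 26 15:14:18 2013 GMT
End : Mar 26 15:24:18 2023 GMT
Signature Algorithm :
sha1WithRSAEncryption
"""

# Assumption: "now" is the time of the join attempt, taken from the log prefix (UTC).
NOW = datetime(2023, 7, 5, 10, 47, 3, tzinfo=timezone.utc)

LOG_RE = re.compile(r"^\[\*(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\.\d+\]\s*(?P<msg>.*)$")
DATE_FMT = "%b %d %H:%M:%S %Y"  # e.g. "Mar 26 15:20:29 2023"


def parse_cert_date(text):
    """Parse a 'Mar 26 15:20:29 2023 GMT' date (AP log or WLC CLI style) to aware UTC."""
    m = re.search(r"([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) GMT", text)
    if not m:
        raise ValueError("no certificate date in: " + text)
    return datetime.strptime(m.group(1), DATE_FMT).replace(tzinfo=timezone.utc)


def triage_ap_log(log_text, now):
    """Walk the AP log and describe the DTLS failure.

    Depth 0 in 'Verify Cert: FAILED at 0 depth' is the leaf certificate the AP
    is verifying, i.e. the controller's device certificate; a failure at a
    higher depth would point at an issuing CA in the chain instead.
    """
    result = {"expired": False, "verify_depth": None, "peer": None,
              "not_before": None, "not_after": None, "dtls_closed": False,
              "days_past_expiry": None}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a timestamped AP log line
        msg = m.group("msg")
        if msg.startswith("Certificate Start Date:"):
            result["not_before"] = parse_cert_date(msg)
        elif msg.startswith("Certificate End Date:"):
            result["not_after"] = parse_cert_date(msg)
        elif "certificate has expired" in msg or msg == "Certificate is expired":
            result["expired"] = True
            d = re.search(r"FAILED at (\d+) depth", msg)
            if d:
                result["verify_depth"] = int(d.group(1))
        elif "Controller certificate verification failed" in msg:
            result["peer"] = "controller"
        elif "dtls_rc_connection_closed" in msg:
            result["dtls_closed"] = True
    if result["not_after"] is not None:
        result["days_past_expiry"] = (now - result["not_after"]).days
    return result


def cert_status(show_cert_text, now):
    """Summarise a WLC 'show certificate' block: subject CN, issuer CN, expiry."""
    subject, _, rest = show_cert_text.partition("Issuer Name :")
    cn = re.search(r"CN=([^,\n]+)", subject).group(1)
    issuer_cn = re.search(r"CN=([^,\n]+)", rest).group(1)
    not_after = parse_cert_date(re.search(r"End\s*:\s*(.+)", rest).group(1))
    sig_alg = re.search(r"Signature Algorithm :\s*\n\s*(\S+)", rest).group(1)
    return {"cn": cn, "issuer_cn": issuer_cn, "not_after": not_after,
            "expired": not_after < now, "days_left": (not_after - now).days,
            "signature_algorithm": sig_alg}


def recommend(triage):
    """Map a triage result onto the workaround discussed in the thread.

    Assumption of this example: the controller's device certificate is a MIC
    (manufacturer-installed, issued by the Cisco Manufacturing CA), so an
    expired controller cert at depth 0 is the 'mic' case of
    'config ap cert-expiry-ignore {mic|ssc}'. Not a Cisco decision table.
    """
    if not triage["expired"]:
        return "no certificate expiry seen; look at DTLS/transport instead"
    if triage["peer"] == "controller" and triage["verify_depth"] == 0:
        return "config ap cert-expiry-ignore mic"
    return "expiry is not the controller leaf cert; check the CA chain and the AP's own certificate"


def run_example():
    """Run the triage over the constructed samples; returns (triage, cert, advice)."""
    t = triage_ap_log(AP_LOG, NOW)
    c = cert_status(WLC_CERT, NOW)
    return t, c, recommend(t)


if __name__ == "__main__":
    t, c, advice = run_example()
    print(f"{c['cn']} issued by {c['issuer_cn']} ({c['signature_algorithm']}): "
          f"expired={c['expired']}, days_left={c['days_left']}")
    print(f"AP log: peer={t['peer']} depth={t['verify_depth']} "
          f"days_past_expiry={t['days_past_expiry']} -> {advice}")
```

Run it against a real AP console capture and the controller's 'show certificate all' output; a negative days_left on the controller side together with "Controller certificate verification failed" at depth 0 is the pattern in this thread, and the script also surfaces the sha1WithRSAEncryption signature algorithm, which is worth recording even though it is not what the AP is rejecting here.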
07-05-2023 09:29 AM
Field Notice - https://www.cisco.com/c/en/us/support/docs/field-notices/725/fn72524.html
You can try the workaround listed in the field notice and see if the APs join back.
Cisco 2800 series APs are not listed under affected products.
These AP series are affected:
CJ
/**Please rate all useful responses**/
07-05-2023 09:35 AM
Thank you for your response. The issue is that the certificate of the Cisco device continues to remain invalid, even after updating to the fix version. There is no alignment with the fix version.
07-05-2023 09:41 AM
- I think the correct field notice for your issue is https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html; in that case, you will always need the workaround: 'config ap cert-expiry-ignore {mic|ssc}'.
M.
07-05-2023 01:22 PM
The fix added the workaround, but there is no way to replace the certs. You need to leave cert-expiry-ignore set. I believe the command is the fix, as the older code did not have it.