01-21-2019 09:04 AM - edited 07-05-2021 09:43 AM
I am a Computer Technician at a Hospital in Kansas. We are currently running on a Cisco 5508 WLC and have 57 Cisco Aironet 1240AG APs. Somehow today our wireless controller crashed. After about 10 mins it came back online but only 36 of the 57 APs were showing online. I went through the logs and found:
*spamApTask6: Jan 21 11:00:36.290: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:698 Failed to complete DTLS handshake with peer
on all of the missing APs.
Most of our Clinics run off a clinical WLAN that is set up in the WLC. Can anyone help?
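When a controller comes back from a crash with only part of its AP population, the first triage step is to find out which AP join tasks are logging the DTLS failure and how many of them there are. The following parser is an added example written for this thread, not code from the original poster or from Cisco; it assumes the WLC message-log line format shown in the post (task name, timestamp, then FACILITY-SEVERITY-MNEMONIC) and uses a constructed sample log in which only the first line is the one quoted above.

```python
import re
from collections import Counter

# Constructed sample of a WLC message log. The first line is the one quoted
# in the post; the remaining lines are made up for illustration only.
SAMPLE_LOG = """\
*spamApTask6: Jan 21 11:00:36.290: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:698 Failed to complete DTLS handshake with peer
*spamApTask2: Jan 21 11:00:37.104: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:698 Failed to complete DTLS handshake with peer
*spamApTask6: Jan 21 11:00:40.018: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:698 Failed to complete DTLS handshake with peer
*spamApTask1: Jan 21 11:01:02.551: #EXAMPLE-5-INFO: example.c:1 constructed informational line
this line is not in the expected format and is skipped
"""

# Assumed line layout (matches the post): "*<task>: <Mon> <day> <hh:mm:ss.mmm>: #<FAC>-<sev>-<MNEMONIC>: <message>"
LINE_RE = re.compile(
    r"^\*(?P<task>\S+): "
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"#(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<message>.*)$"
)


def parse_line(line):
    """Return a dict of the line's fields, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])  # Cisco syslog scale: 0 emergency .. 7 debug
    return rec


def parse_log(text):
    """Parse every well-formed line of a message log, ignoring the rest."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def count_by_mnemonic(records):
    """Count messages per FACILITY-SEVERITY-MNEMONIC, e.g. 'DTLS-3-HANDSHAKE_FAILURE'."""
    return Counter(f"{r['facility']}-{r['severity']}-{r['mnemonic']}" for r in records)


def dtls_handshake_failures(records):
    """Return (timestamp, task) pairs for every DTLS handshake failure, in log order."""
    return [
        (r["ts"], r["task"])
        for r in records
        if r["facility"] == "DTLS" and r["mnemonic"] == "HANDSHAKE_FAILURE"
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in count_by_mnemonic(recs).most_common():
        print(f"{n:4d}  {key}")
    for ts, task in dtls_handshake_failures(recs):
        print(f"DTLS handshake failure at {ts} on {task}")
```

Run against a saved copy of the controller's message log, the mnemonic counts show whether the DTLS failures are the only error class present, and the per-task list gives the timeline of join attempts to compare against the list of APs that never came back.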
01-21-2019 09:28 AM
Most probably the AP cert has expired for the 1240 models.
on CLI:
For WLC Code 7.4.140.0 and later:
config ap cert-expiry-ignore ssc enable
config ap cert-expiry-ignore mic enable
For 7.0.252.0:
config ap lifetime-check ssc enable
config ap lifetime-check mic enable
***Please mark as an acceptable solution/rate helpful posts
01-21-2019 09:57 AM
I was following a few other posts about the error that we are getting and they offered the same advice with the commands. I ssh'd into the WLC and it doesn't recognize either of those commands. So, I do not know where to go from there.
01-21-2019 10:00 AM
You have to console into the access point and deploy that command with the IP address of the WLC. If you haven't configured a global un/pw for those APs the default is Cisco/Cisco.
01-21-2019 10:03 AM
Ah, wasn't reading right, apologies. I'll try and give this a go. All of these APs are unnamed and in lock boxes in the panels for some reason. Hopefully I can get this fixed soon!
01-21-2019 09:39 AM
Do you have Option 43 configured for your controller on those subnets where the APs are located? Sounds like they cannot find the controller. Maybe try to login to one of the access points and use the command "lwapp ap controller ip address" to point it to the controller.
01-21-2019 10:01 AM
I have no clue as to where to find the Option 43. Do you have a general idea of where to look? As for the APs, I have been at this hospital for going on 2 months. I don't have a lot of information to go off of because most of the people here haven't ever messed with them before. I tried to ssh and telnet into the missing APs and even the online APs and it won't work. I do have ssh and telnet access allowed through the WLC.
01-21-2019 10:07 AM
What is your DHCP solution? i.e. Infoblox, BT Diamond, etc.? This is where you have to enter the option 43 under those subnets which contain access points.
Setup is pretty easy and will allow your access points to find the WLCs automatically when they get an IP via DHCP in the event something like this happens again.
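Cisco documents WLC discovery through DHCP Option 43 as a vendor-specific TLV: sub-option type 0xF1, a length byte equal to 4 times the number of controllers, then each controller's management IPv4 address as four raw bytes. The helper below is an added example for this thread, not code from the poster or from Cisco; it builds that payload for a list of controller addresses, decodes an existing payload back into addresses so a DHCP scope can be checked, and renders an assumed Cisco IOS DHCP pool snippet (`option 43 hex ...`). The controller addresses used are constructed, not from the thread.

```python
import ipaddress

# Cisco WLC discovery sub-option inside DHCP Option 43: type 0xF1,
# length = 4 * number_of_controllers, followed by the IPv4 addresses.
WLC_SUBOPTION_TYPE = 0xF1
MAX_CONTROLLERS = 0xFF // 4  # the length field is a single byte


def encode_option43(controllers):
    """Return the Option 43 payload as a lowercase hex string for the given WLC IPs."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    if len(controllers) > MAX_CONTROLLERS:
        raise ValueError("too many controllers for a one-byte length field")
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    payload = bytes([WLC_SUBOPTION_TYPE, 4 * len(addrs)])
    for a in addrs:
        payload += a.packed  # four big-endian bytes
    return payload.hex()


def decode_option43(hexstr):
    """Parse an Option 43 hex payload back into controller IPs.

    Raises ValueError if the payload is not the Cisco WLC sub-option or the
    length byte disagrees with the number of address bytes present.
    """
    raw = bytes.fromhex(hexstr.replace(" ", "").replace(":", "").replace(".", ""))
    if len(raw) < 2 or raw[0] != WLC_SUBOPTION_TYPE:
        raise ValueError("not a Cisco WLC discovery sub-option (type 0xF1)")
    length = raw[1]
    if length == 0 or length % 4 != 0 or len(raw) != 2 + length:
        raise ValueError("length byte does not match the encoded addresses")
    body = raw[2:]
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


def ios_dhcp_pool(pool_name, network, controllers):
    """Render an assumed Cisco IOS DHCP pool stanza carrying Option 43 (illustrative only)."""
    net = ipaddress.IPv4Network(network)
    return "\n".join([
        f"ip dhcp pool {pool_name}",
        f" network {net.network_address} {net.netmask}",
        f" option 43 hex {encode_option43(controllers)}",
    ])


if __name__ == "__main__":
    # Constructed addresses for illustration; substitute the real WLC management IPs.
    wlcs = ["10.10.10.10", "10.10.10.11"]
    print(encode_option43(wlcs))
    print(decode_option43(encode_option43(wlcs)))
    print(ios_dhcp_pool("AP-VLAN", "10.20.30.0/24", wlcs))
```

Decoding the value already present in a DHCP scope is the quick check for the situation in this thread: if the type byte is not F1 or the length byte is off, the APs are silently ignoring the option and falling back to other discovery methods.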
01-21-2019 10:43 AM
01-22-2019 03:07 AM
Try adding the MAC address / serial number of the access point with option MIC under the Security tab, AP Policies option.
Try associating the access point manually to the controller by using the below command:
"capwap ap controller ip address A.B.C.D"
In order to use the above command, the controller should be running 7.6 or later releases and the access point must be running Cisco IOS Release 12.3(11)JX1 or later releases.