12-21-2011 12:22 PM - edited 07-03-2021 09:17 PM
I am running the following
WLC: 7.0.220
MSE: 7.0.220
NCS: 1.0.2.29
NCS shows Controller is not reachable from MSE.
I am able to ping to and from the Controller and MSE.
Synchronization service is showing everything being synchronized. Removed the MSE from NCS and added it back in several times. Not really sure where to go from here.
03-07-2018 11:30 PM
Hi Ric,
This got resolved after enabling TLSv1.0.
We ensured that TLSv1.0 is enabled on MSE, as MSE running on version 8.0.150.0 uses TLSv1.2 by default.
TLSv1.2 support on WLC came only after the 8.3.108.0 release. This behavior is documented in the bug CSCvh68000.
-- Binish
03-08-2018 01:32 AM
03-08-2018 04:44 AM
03-08-2018 04:45 AM
Answer
12-28-2018 11:38 AM
From https://community.cisco.com/t5/other-wireless-mobility-subjects/controller-keyhash-matches-with-the-mse/m-p/3377668, Richard Wakefield explains the workaround: enable option 23 on MSE.
06-05-2018 02:29 PM
This fix worked for me. Thanks!
Abdul H. Malik
07-02-2018 01:47 PM - edited 07-02-2018 01:51 PM
Ric,
Thank you. Your recommendations helped solve the problem with NMSP status being inactive on my MSE (Cisco MSE 8.0.150, Cisco Prime 3.4.0.0.348, Cisco WLC 8.2.170).
01-21-2019 06:49 AM
Hi all!
For CMX 10.x and WLC 8.5.x I had the same problem and found a solution. I am posting this for future reference.
WLC 8.5.140.0
CMX 10.4.1-28
On the WLC the connection was down and the cipher high option was enabled:
WLC > show nmsp status
NMSP Cipher High Option......................... Enabled
Max number of Nmsp Connections supported : 4
MSE IP Address Echo Resp Echo Req Tx Data Rx Data
-------------- ------------ ----------- ------- -------
WLC > show nmsp statistics connection
NMSP Connection Counters
0.0.0.0
Connection status: DOWN
Debug shows SSL wrong version number and Decode Failure detected at MSE:
WLC > debug nmsp all enable
SSL routines:ssl3_get_client_hello:wrong version number
Decode Failure detected at MSE: Sending out keys to MSE
On CMX:
cmxctl config controllers show
+------------+------+-----------+------+----------+
| IP Address | Type | Version | SHA2 | Status |
+------------+------+-----------+------+----------+
| 172.29.0.4 | WLC | 8.5.140.0 | Yes | INACTIVE |
+------------+------+-----------+------+----------+
The solution was to disable NMSP cipher high option:
WLC > config nmsp cipher-option high disable
NMSP high cipher option will be enabled/disabled after WLC Reboot.
Power MUST be ON while 'save config' is getting executed.
Both controllers need to be rebooted for this to work, as stated above. If your controllers are in HA, you can reboot one at a time without service interruption - reset system self
After reboot:
cmxctl config controllers show
+------------+------+-----------+------+--------+
| IP Address | Type | Version | SHA2 | Status |
+------------+------+-----------+------+--------+
| 172.29.0.4 | WLC | 8.5.140.0 | Yes | ACTIVE |
+------------+------+-----------+------+--------+
WLC > show nmsp status
NMSP Cipher High Option......................... Disabled
Max number of Nmsp Connections supported : 4
MSE IP Address    Echo Resp       Echo Req      Tx Data   Rx Data
--------------    ------------    -----------   -------   -------
172.29.0.11       22              22            937       10
Downside to turning off cipher high is the loss of advanced security. I hope someone from Cisco can clarify this.
I hope this helps.
BR,
Tom
04-05-2019 05:51 AM
When using the show nmsp status command I'm not seeing the cipher option, however I am also on 8.5.140.
MSE IP Address    Tx Echo Resp    Rx Echo Req   Tx Data   Rx Data
--------------    ------------    -----------   -------   -------
XXXXXX            242114          242114        9089556   8
Any idea? On CMX the controller is shown as inactive. Other WLCs work great.
05-24-2019 06:42 AM
Thanks for that Tom, it was a very helpful post.
I ran into the same problem setting up CMX 10.4.1-15 with WLC 8.5.140.0.
I was getting the following error when running the debug command on the WLC:
*spectrumNMSPTask: May 24 11:06:52.717: [PA] NMSP Send Msg To Task failed - All NMSP connections are down
Setting the 'NMSP Cipher High Option' to 'Disabled' appears to have resolved it.
I'm running this in a dev environment but would like some feedback from Cisco regarding the implications of disabling the cipher high option before moving to a production environment.
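An added example, not part of any post in this thread and not Cisco code: a small triage helper that reads the three outputs quoted above (the `cmxctl config controllers show` table, the cipher line of `show nmsp status`, and the WLC debug lines) and reports what they imply together. The sample input is constructed from the thread's excerpts, and the function names and hint wording are assumptions.

```python
import re

# Constructed sample input, modelled on the outputs quoted in the thread.
CMX_TABLE = """\
+------------+------+-----------+------+----------+
| IP Address | Type | Version   | SHA2 | Status   |
+------------+------+-----------+------+----------+
| 172.29.0.4 | WLC  | 8.5.140.0 | Yes  | INACTIVE |
+------------+------+-----------+------+----------+
"""
WLC_STATUS = "NMSP Cipher High Option......................... Enabled\n"
WLC_DEBUG = """\
SSL routines:ssl3_get_client_hello:wrong version number
Decode Failure detected at MSE: Sending out keys to MSE
"""

# Debug substrings seen in the thread, mapped to a triage hint (wording assumed).
DEBUG_HINTS = {
    "wrong version number": "TLS version mismatch between WLC and MSE/CMX",
    "All NMSP connections are down": "no NMSP session established",
}

def parse_cmx_table(text):
    """Return one dict per data row of a `cmxctl config controllers show` table."""
    rows = [[c.strip() for c in line.strip().strip("|").split("|")]
            for line in text.splitlines() if line.startswith("|")]
    if not rows:
        return []
    header, data = rows[0], rows[1:]
    return [dict(zip(header, r)) for r in data if len(r) == len(header)]

def cipher_high(status_text):
    """True/False for the 'NMSP Cipher High Option' line, None if it is absent."""
    m = re.search(r"NMSP Cipher High Option\.*\s*(Enabled|Disabled)", status_text)
    return None if m is None else m.group(1) == "Enabled"

def triage(cmx_table, wlc_status, wlc_debug):
    """Combine the three outputs into a list of findings."""
    findings = [f"{r['IP Address']}: NMSP {r['Status']}"
                for r in parse_cmx_table(cmx_table) if r.get("Status") != "ACTIVE"]
    findings += [hint for needle, hint in DEBUG_HINTS.items() if needle in wlc_debug]
    high = cipher_high(wlc_status)
    if high is None:
        findings.append("cipher high option not shown by this WLC")
    elif high and findings:
        findings.append("cipher high option enabled while NMSP is failing")
    return findings

if __name__ == "__main__":
    for finding in triage(CMX_TABLE, WLC_STATUS, WLC_DEBUG):
        print(finding)
```

Recording the cipher setting next to the NMSP state keeps the downgrade visible in change records, so it can be revisited once both ends support the same TLS version.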
05-29-2019 11:34 PM
07-18-2019 08:42 AM
Verify “configureCiscoJ.sh status” on Primary MSE?
If the output shows disabled, enable it by running the below command.
configureCiscoJ.sh enable
Restart MSED services.
service msed restart
Worked for me.
Thanks