01-24-2023 05:17 AM
Hello,
I have a WLC2504 with 10 licenses running 8.5.151.0.
I have several 3602 APs with the AC radio module that previously could join the controller, but now don't join the controller anymore.
As the reason for the failed join attempt I read: Missing AP Manager IPV6 interface. However, the configuration has not changed.
Also, I have 3700 series and 3800 series APs that can join.
I have been reading news about a security certificate that has expired. Could this have something to do with the APs not joining? Is there an updated software version that addresses this software issue?
Kind regards,
Niels van Strien
01-24-2023 06:25 AM
Hi,
First disable IPV6:
■ From GUI: Controller tab → General → Global IPv6 Config → [Select disable]
■ From CLI: config ipv6 disable
And second: if the certificate has expired, then try this solution as well!
config ap cert-expiry-ignore mic enable
https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html
Regards
Don't forget to rate helpful posts
01-24-2023 08:02 AM
- Probably the config ap cert-expiry-ignore mic enable is the most important one; in this case the ipv6 messages can be ignored, since it was disabled too.
M.
01-24-2023 05:47 AM
>...: Missing AP Manager IPV6 interface.
- Is this log from the AP or the controller? Meaning, post both, and/or if needed post the (an) AP 3602 boot process (?)
M.
01-24-2023 06:03 AM
Hello M,
Just writing to let you know that I am an end-user in a residential setting with some experience configuring the wlc, but without deep knowledge. I attached the message log from the controller to this message. Perhaps it is easy for you to spot what is wrong.
Kind regards,
Niels van Strien
01-24-2023 06:38 AM
- As suggested by the other reply, use (on the controller): config ap cert-expiry-ignore mic enable
M.
01-24-2023 06:55 AM
OK, disabled and rebooted the wlc2504. The message log now says the info below.
The config ap cert-expiry-ignore mic enable command can only be issued when connected directly to the wlc via CLI, correct?
Thanks,
Niels
Message Uploaded at Jan 24 15:52:14.240.
*spamApTask6: Jan 24 15:52:11.973: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:981 Failed to complete DTLS handshake with peer 192.168.1.101
*spamApTask6: Jan 24 15:52:11.973: %SSHPM-3-GENERIC_CERT_ERROR: sshpmPkiApi.c:2237 Certificate validation failed! Reason Cisco user certificate not verified by cisco root., Certificate type : MIC, Certificate issuer :Cisco Certificate
*spamApTask5: Jan 24 15:52:10.235: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:981 Failed to complete DTLS handshake with peer 192.168.1.31
*spamApTask5: Jan 24 15:52:10.235: %SSHPM-3-GENERIC_CERT_ERROR: sshpmPkiApi.c:2237 Certificate validation failed! Reason Cisco user certificate not verified by cisco root., Certificate type : MIC, Certificate issuer :Cisco Certificate
*spamApTask6: Jan 24 15:50:56.981: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:981 Failed to complete DTLS handshake with peer 192.168.1.101
*spamApTask6: Jan 24 15:50:56.980: %SSHPM-3-GENERIC_CERT_ERROR: sshpmPkiApi.c:2237 Certificate validation failed! Reason Cisco user certificate not verified by cisco root., Certificate type : MIC, Certificate issuer :Cisco Certificate
*spamApTask5: Jan 24 15:50:55.264: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:981 Failed to complete DTLS handshake with peer 192.168.1.31
*spamApTask5: Jan 24 15:50:55.263: %SSHPM-3-GENERIC_CERT_ERROR: sshpmPkiApi.c:2237 Certificate validation failed! Reason Cisco user certificate not verified by cisco root., Certificate type : MIC, Certificate issuer :Cisco Certificate
*spamApTask3: Jan 24 15:50:53.026: %LWAPP-3-VENDOR_PLD_VALIDATE_ERR: spam_lrad.c:12016 Validation of SPAM_VENDOR_SPECIFIC_PAYLOAD(185) with length=9 failed - AP 04:62:73:ad:6f:b0
*sntpReceiveTask: Jan 24 15:50:50.413: %SNTP-3-FATAL_ERROR_OCCURED: sntp_main.c:233 Fatal error: : unable to send NTP packet to ::ffff:128.138.141.172.
*sntpReceiveTask: Jan 24 15:50:48.413: %SNTP-3-FATAL_ERROR_OCCURED: sntp_main.c:233 Fatal error: : unable to send NTP packet to ::ffff:128.138.141.172.
*sntpReceiveTask: Jan 24 15:50:46.409: %SNTP-3-FATAL_ERROR_OCCURED: sntp_main.c:233 Fatal error: : unable to send NTP packet to ::ffff:128.138.141.172.
*nim_t: Jan 24 15:50:41.133: %SIM-3-PORT_UP: sim.c:13902 Physical port 1 is up!.
*cpuAclLogTask: Jan 24 15:50:40.954: %ACL-3-CPU_ACL_LOG_UCAPL_DISABLED: acl.c:1361 UCAPL disabled. CPU ACL hits will not be logged.
*bcastDataTask: Jan 24 15:50:35.547: %APF-3-INVALID_MCAST_MODE_ADDR: apf_net.c:5070 Received ipv6 capwap multicast packet source: (fe80::3aed:18ff:fe50:b240) destination: (::) whencapwap multicast mode is multicast with unconfigured ipv6 address.
*fp_main_task: Jan 24 15:50:22.721: %CNFGR-3-INV_COMP_ID: cnfgr.c:4138 Invalid Component Id : Unrecognized (45) in cfgConfiguratorInit.
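An added detection example (not code from the thread, from Cisco, or from the field notice) that parses the AireOS msglog format posted above and attributes each MIC validation failure to the AP whose DTLS handshake it broke, so the operator sees which APs are failing on certificate validation rather than on something else. The sample lines are constructed from the format posted here, and the `assess` helper and its wording are assumptions of the example.

```python
import re
from collections import defaultdict

# AireOS msglog line format as posted in the thread (newest entries first):
#   *task: Mon DD HH:MM:SS.mmm: %FACILITY-SEVERITY-MNEMONIC: file.c:NNN free text
LINE_RE = re.compile(
    r"^\*(?P<task>[^:]+): (?P<ts>[A-Z][a-z]{2} +\d{1,2} [\d:.]+): "
    r"%(?P<fac>[A-Z]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<src>\S+) (?P<msg>.*)$"
)
PEER_RE = re.compile(r"peer (\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample, modelled on the lines the thread's author posted.
SAMPLE_LOG = """\
*spamApTask6: Jan 24 15:52:11.973: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:981 Failed to complete DTLS handshake with peer 192.168.1.101
*spamApTask6: Jan 24 15:52:11.973: %SSHPM-3-GENERIC_CERT_ERROR: sshpmPkiApi.c:2237 Certificate validation failed! Reason Cisco user certificate not verified by cisco root., Certificate type : MIC, Certificate issuer :Cisco Certificate
*spamApTask5: Jan 24 15:52:10.235: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:981 Failed to complete DTLS handshake with peer 192.168.1.31
*spamApTask5: Jan 24 15:52:10.235: %SSHPM-3-GENERIC_CERT_ERROR: sshpmPkiApi.c:2237 Certificate validation failed! Reason Cisco user certificate not verified by cisco root., Certificate type : MIC, Certificate issuer :Cisco Certificate
*spamApTask6: Jan 24 15:50:56.981: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:981 Failed to complete DTLS handshake with peer 192.168.1.101
*spamApTask6: Jan 24 15:50:56.980: %SSHPM-3-GENERIC_CERT_ERROR: sshpmPkiApi.c:2237 Certificate validation failed! Reason Cisco user certificate not verified by cisco root., Certificate type : MIC, Certificate issuer :Cisco Certificate
*sntpReceiveTask: Jan 24 15:50:50.413: %SNTP-3-FATAL_ERROR_OCCURED: sntp_main.c:233 Fatal error: : unable to send NTP packet to ::ffff:128.138.141.172.
"""

def parse_line(line):
    """Split one msglog line into named fields; None for text that is not a log line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def mic_failures_by_peer(log_text):
    """Map AP IP -> count of DTLS joins rejected because the AP's MIC did not validate.
    The SSHPM line has no IP; the DTLS line from the same spamApTask sits above it."""
    last_peer = {}              # spamApTask name -> peer IP of its latest DTLS failure
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["mnem"] == "HANDSHAKE_FAILURE" and (peer := PEER_RE.search(rec["msg"])):
            last_peer[rec["task"]] = peer.group(1)
        elif rec["mnem"] == "GENERIC_CERT_ERROR" and "Certificate type : MIC" in rec["msg"]:
            hits[last_peer.get(rec["task"], "unknown")] += 1
    return dict(hits)

def assess(log_text):
    """Operator-facing findings (assumed wording); empty list means no MIC problem seen."""
    findings = [f"{ip}: {n} join attempts rejected on MIC validation"
                for ip, n in sorted(mic_failures_by_peer(log_text).items())]
    if findings:   # workaround the thread applied: config ap cert-expiry-ignore mic enable
        findings.append("suspect expired AP MIC chain, see Cisco field notice FN63942")
    return findings
```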
01-24-2023 07:15 AM
Yes, you can run this command via the CLI: config ap cert-expiry-ignore mic enable
Regards
01-24-2023 07:21 AM
>....The config ap cert-expiry-ignore mic enable command can only be issued when connected directly to the wlc via CLI, correct
Yes, but the reboot was not needed for testing (then you need to save the configuration too). But I would like to focus first on a few other items seen in the output provided:
>....SNTP-3-FATAL_ERROR_OCCURED: sntp_main.c:233 Fatal error: : unable to send NTP packet to ::ffff:128.138.141.172
>...APF-3-INVALID_MCAST_MODE_ADDR: apf_net.c:5070 Received ipv6 capwap multicast packet source: (fe80::3aed:18ff:fe50:b240) destination:
It looks like ipv6 is being used or configured; if ipv6 is not needed, could you try: config ipv6 disable, save the configuration, reboot and try again, and post the same logs again afterwards too.
M.
01-24-2023 07:46 AM
Hi again. It has been a while since I used the CLI over serial, but I managed to connect and issue both commands:
config ap cert-expiry-ignore mic enable
config ipv6 disable
and then saved the configuration and performed a reboot. The access points that previously did not join the controller are now joining again. I do see some more ipv6 errors in my message log, whereas the controller returned that ipv6 was globally disabled already when I issued the config ipv6 disable command:
*spamApTask4: Jan 24 16:43:08.557: %LWAPP-3-VENDOR_PLD_VALIDATE_ERR: spam_lrad.c:12016 Validation of SPAM_VENDOR_SPECIFIC_PAYLOAD(185) with length=9 failed - AP 04:da:d2:90:6d:e0
*spamApTask0: Jan 24 16:43:06.986: %LWAPP-3-VENDOR_PLD_VALIDATE_ERR: spam_lrad.c:12016 Validation of SPAM_VENDOR_SPECIFIC_PAYLOAD(185) with length=9 failed - AP 04:62:73:ad:6f:b0
*spamApTask7: Jan 24 16:43:06.662: %LWAPP-3-VENDOR_PLD_VALIDATE_ERR: spam_lrad.c:12016 Validation of SPAM_VENDOR_SPECIFIC_PAYLOAD(185) with length=9 failed - AP 1c:e6:c7:0c:66:b0
*sntpReceiveTask: Jan 24 16:43:01.605: %SNTP-3-FATAL_ERROR_OCCURED: sntp_main.c:233 Fatal error: : unable to send NTP packet to ::ffff:86.80.166.233.
*sntpReceiveTask: Jan 24 16:42:59.605: %SNTP-3-FATAL_ERROR_OCCURED: sntp_main.c:233 Fatal error: : unable to send NTP packet to ::ffff:86.80.166.233.
*sntpReceiveTask: Jan 24 16:42:57.605: %SNTP-3-FATAL_ERROR_OCCURED: sntp_main.c:233 Fatal error: : unable to send NTP packet to ::ffff:86.80.166.233.
*nim_t: Jan 24 16:42:52.345: %SIM-3-PORT_UP: sim.c:13902 Physical port 1 is up!.
*cpuAclLogTask: Jan 24 16:42:52.168: %ACL-3-CPU_ACL_LOG_UCAPL_DISABLED: acl.c:1361 UCAPL disabled. CPU ACL hits will not be logged.
*bcastDataTask: Jan 24 16:42:45.571: %APF-3-INVALID_MCAST_MODE_ADDR: apf_net.c:5070 Received ipv6 capwap multicast packet source: (fe80::3aed:18ff:fe50:b240) destination: (::) whencapwap multicast mode is multicast with unconfigured ipv6 address.
*fp_main_task: Jan 24 16:42:33.953: %CNFGR-3-INV_COMP_ID: cnfgr.c:4138 Invalid Component Id : Unrecognized (45) in cfgConfiguratorInit.
01-24-2023 08:08 AM
Thank you so much for your help. Will there be a software update made available in which these certificates have been renewed?
Kind regards,
Niels van Strien
01-24-2023 09:11 AM
- No, because that is a built-in certificate on the access point; hence they provided the config ap cert-expiry-ignore mic enable command as a workaround.
M.
01-27-2023 03:34 AM - edited 12-12-2023 02:45 AM
Make sure you're familiar with the details of all the field notices mentioned in my signature below. There's another certificate issue which will come into play after 4th December 2022 if you try to download software to any APs using that old code. It is fixed in 8.10.190.0 (and later) or 8.5.182.11. Obviously you can't upgrade to 8.10.190.0 on the 2504 or with 3602 APs, so you'll have to upgrade to the special escalation image 8.5.182.11 if you have that problem (link below).
01-27-2023 03:40 AM
Hello Rich,
Thanks for your helpful addition. I think I should update the software to 8.5.182.7 to be sure all will continue to work. How can I obtain 8.5.182.7? I don't have an active software license, nor do I see it listed on the downloads.
Kind regards,
Niels
01-27-2023 03:59 AM
The field notice https://www.cisco.com/c/en/us/support/docs/field-notices/725/fn72524.html refers to https://www.cisco.com/c/en/us/support/docs/wireless/aironet-700-series-access-points/218447-ios-ap-image-download-fails-due-to-expir.html, which in turn has the link to the AireOS software downloads: https://software.cisco.com/download/specialrelease/8f166c6d88b9f77aabb63f78affa9749
Not sure whether you'll be able to access that without a contract, but give it a try ...