on 24-10-2024 02:57 AM
Hello,
Since yesterday I have had a communication problem between my WLC and my APs.
The hardware on the controller side is as follows:
Model No. AIR-CT2504-K9
Burned-in MAC Address ******
Maximum number of APs supported 75
FIPS Prerequisite Mode Disable
WLANCC Prerequisite Mode Disable
UCAPL Prerequisite Mode Disable
UDI :
Product Identifier Description AIR-CT2504-K9
Version Identifier Description V04
Serial Number PSZ18371***
Entity Name Chassis
Entity Description Cisco 2500 Series Wireless LAN Controller
All the APs respond to ping on the network, all on PoE.
But they remain unreachable in the WLC interface:
00:42:68:ce:ad:80  AP00120  Not joined  00:00:00:00:00:00  192.168.0.161
00:c1:64:f2:5a:e0  AP00124  Not joined  00:00:00:00:00:00  192.168.0.156
00:c8:8b:1b:c8:50  AP00128  Not joined  00:00:00:00:00:00  192.168.0.165
00:c8:8b:1b:cf:30  AP00125  Not joined  00:00:00:00:00:00  192.168.0.167
00:fe:c8:5a:eb:50  AP00129  Not joined  00:00:00:00:00:00  192.168.0.160
00:fe:c8:fe:0a:a0  AP00122  Not joined  00:00:00:00:00:00  192.168.0.163
And here are the log messages:
Failed to complete DTLS handshake with peer 192.168.0.167
*osapiBsnTimer: Oct 24 09:24:46.047: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:3231 Failed to complete DTLS handshake with peer 192.168.0.163
*osapiBsnTimer: Oct 24 09:23:39.447: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:3231 Failed to complete DTLS handshake with peer 192.168.0.165
*osapiBsnTimer: Oct 24 09:22:17.031: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:3231 Failed to complete DTLS handshake with peer 192.168.0.160
*osapiBsnTimer: Oct 24 09:21:59.631: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:3231 Failed to complete DTLS handshake with peer 192.168.0.158
Everything was working, no power outage, nothing; it went down all at once.
Looking forward to hearing from you.
on 24-10-2024 03:05 AM
It can be an expired certificate. Try to run this command.
config ap cert-expiry-ignore mic enable
on 24-10-2024 03:14 AM
Thanks @Flavio Miranda for your quick response!
Apparently the option is already enabled:
(Cisco Controller) config>Expire MIC Mode allow is already configured.
on 24-10-2024 03:25 AM
Then check the date and time on the WLC. Make sure this is correct.
on 24-10-2024 03:37 AM
It seems to be correct on the WLC (FRANCE):
(Cisco Controller) >show time
Time............................................. Thu Oct 24 12:32:44 2024
Timezone delta................................... 0:0
Timezone location................................ (GMT +1:00) Amsterdam, Berlin, Rome, Vienna
NTP Servers
NTP Version.................................. 3
NTP Polling Interval......................... 600
Index  NTP Key Index  NTP Server     Status   NTP Msg Auth Status
-----  -------------  -------------  -------  -------------------
1      0              192.168.0.220  In Sync  AUTH DISABLED
(Cisco Controller) >
on 24-10-2024 03:52 AM
Which WLC IOS version?
Could you console to one AP and share the logs?
on 24-10-2024 04:06 AM
It's a 8.5.151.0 version
I have only an IO cable and no adapter...
on 24-10-2024 04:10 AM
Would be great to see the logs from the Access Points but, if you are not able to, try to get these logs from the WLC please.
debug capwap events enable
debug capwap errors enable
debug pm pki enable
on 24-10-2024 05:23 AM
debug capwap errors enable
*spamApTask0: Oct 24 14:22:36.122: 00:42:68:cc:37:70 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 15, MaxLicense=15 joined Aps =0
*spamApTask0: Oct 24 14:22:36.122: 00:42:68:cc:37:70 apType = 77 apModel: AIR-CAP1702I-E-K9
*spamApTask0: Oct 24 14:22:36.122: 00:42:68:cc:37:70 Discovery Response sent to 192.168.0.164 port 49653
*spamApTask0: Oct 24 14:22:36.122: 00:42:68:cc:37:70 Discovery Response sent to 192.168.0.164:49653
*spamApTask7: Oct 24 14:22:41.355: 00:42:68:ce:ad:80 Discovery Request from 192.168.0.161:56450
*spamApTask7: Oct 24 14:22:41.355: 00:42:68:ce:ad:80 ApModel: AIR-CAP1702I-E-K9
*spamApTask7: Oct 24 14:22:41.355: 00:42:68:ce:ad:80 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 15, MaxLicense=15 joined Aps =0
*spamApTask7: Oct 24 14:22:41.355: 00:42:68:ce:ad:80 apType = 77 apModel: AIR-CAP1702I-E-K9
*spamApTask7: Oct 24 14:22:41.355: 00:42:68:ce:ad:80 Discovery Response sent to 192.168.0.161 port 56450
*spamApTask7: Oct 24 14:22:41.355: 00:42:68:ce:ad:80 Discovery Response sent to 192.168.0.161:56450
*spamApTask3: Oct 24 14:22:43.015: 00:fe:c8:fe:0a:a0 Discovery Request from 192.168.0.163:57761
*spamApTask3: Oct 24 14:22:43.015: 00:fe:c8:fe:0a:a0 ApModel: AIR-CAP1702I-E-K9
*spamApTask3: Oct 24 14:22:43.015: 00:fe:c8:fe:0a:a0 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 15, MaxLicense=15 joined Aps =0
*spamApTask3: Oct 24 14:22:43.015: 00:fe:c8:fe:0a:a0 apType = 77 apModel: AIR-CAP1702I-E-K9
*spamApTask3: Oct 24 14:22:43.015: 00:fe:c8:fe:0a:a0 Discovery Response sent to 192.168.0.163 port 57761
*spamApTask3: Oct 24 14:22:43.015: 00:fe:c8:fe:0a:a0 Discovery Response sent to 192.168.0.163:57761
*spamApTask3: Oct 24 14:22:43.016: 00:fe:c8:fe:0a:a0 Discovery Request from 192.168.0.163:57761
*spamApTask3: Oct 24 14:22:43.016: 00:fe:c8:fe:0a:a0 ApModel: AIR-CAP1702I-E-K9
*spamApTask3: Oct 24 14:22:43.016: 00:fe:c8:fe:0a:a0 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 15, MaxLicense=15 joined Aps =0
*spamApTask3: Oct 24 14:22:43.016: 00:fe:c8:fe:0a:a0 apType = 77 apModel: AIR-CAP1702I-E-K9
*spamApTask3: Oct 24 14:22:43.017: 00:fe:c8:fe:0a:a0 Discovery Response sent to 192.168.0.163 port 57761
*spamApTask3: Oct 24 14:22:43.017: 00:fe:c8:fe:0a:a0 Discovery Response sent to 192.168.0.163:57761
*spamApTask3: Oct 24 14:22:43.017: 00:fe:c8:fe:0a:a0 Discovery Request from 192.168.0.163:57761
*spamApTask3: Oct 24 14:22:43.017: 00:fe:c8:fe:0a:a0 ApModel: AIR-CAP1702I-E-K9
*spamApTask3: Oct 24 14:22:43.017: 00:fe:c8:fe:0a:a0 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 15, MaxLicense=15 joined Aps =0
*spamApTask3: Oct 24 14:22:43.017: 00:fe:c8:fe:0a:a0 apType = 77 apModel: AIR-CAP1702I-E-K9
*spamApTask3: Oct 24 14:22:43.017: 00:fe:c8:fe:0a:a0 Discovery Response sent to 192.168.0.163 port 57761
*spamApTask3: Oct 24 14:22:43.017: 00:fe:c8:fe:0a:a0 Discovery Response sent to 192.168.0.163:57761
*spamApTask7: Oct 24 14:22:48.498: cc:46:d6:aa:c2:34 DTLS connection not found, creating new connection for 192.168.0.160 (60451) 192.168.0.214 (5246)
on 24-10-2024 05:24 AM
debug pm pki enable
(Cisco Controller) >*spamApTask7: Oct 24 14:24:06.468: 00:78:88:b5:c8:18 DTLS connection not found, creating new connection for 192.168.0.161 (56450) 192.168.0.214 (5246)
*spamApTask7: Oct 24 14:24:06.469: sshpmGetCID: called to evaluate <cscoSha2IdCert>
*spamApTask7: Oct 24 14:24:06.469: sshpmGetCID: Found matching ID cert cscoSha2IdCert in row 3
*spamApTask7: Oct 24 14:24:06.469: GetIDCert: Using SHA2 Id cert on WLC
*spamApTask7: Oct 24 14:24:06.469: Get Cert from CID: For CID 1319ddc4 certType 1
*spamApTask7: Oct 24 14:24:06.469: Get Cert from CID: Found match of ID Cert in row 3
*spamApTask7: Oct 24 14:24:06.469: sshpmGetCID: called to evaluate <cscoSha2IdCert>
*spamApTask7: Oct 24 14:24:06.469: sshpmGetCID: Found matching ID cert cscoSha2IdCert in row 3
*spamApTask7: Oct 24 14:24:06.469: GetDERIDKey: Using SHA2 Id cert Private Keys on WLC
on 24-10-2024 05:21 AM
The
debug capwap events enable
(Cisco Controller) >*spamApTask7: Oct 24 14:19:46.232: 00:78:88:b5:c8:18 DTLS Handshake Timeout server (192.168.0.214:5246), client (192.168.0.161:56450)
*spamApTask7: Oct 24 14:19:46.232: 00:78:88:b5:c8:18 acDtlsPlumbControlPlaneKeys: lrad:192.168.0.161(56450) mwar:192.168.0.214(5246)
*spamApTask7: Oct 24 14:19:46.233: 00:78:88:b5:c8:18 DTLS connection closed event receivedserver (192.168.0.214/5246) client (192.168.0.161/56450)
*spamApTask7: Oct 24 14:19:46.233: 00:78:88:b5:c8:18 No entry exists for AP (192.168.0.161/56450)
*spamApTask7: Oct 24 14:19:46.233: 00:78:88:b5:c8:18 No AP entry exist in temporary database for 192.168.0.161:56450
*spamApTask3: Oct 24 14:19:46.832: 00:fe:c8:4e:1a:04 DTLS Handshake Timeout server (192.168.0.214:5246), client (192.168.0.163:57761)
*spamApTask3: Oct 24 14:19:46.832: 00:fe:c8:4e:1a:04 acDtlsPlumbControlPlaneKeys: lrad:192.168.0.163(57761) mwar:192.168.0.214(5246)
*spamApTask3: Oct 24 14:19:46.833: 00:fe:c8:4e:1a:04 DTLS connection closed event receivedserver (192.168.0.214/5246) client (192.168.0.163/57761)
*spamApTask3: Oct 24 14:19:46.833: 00:fe:c8:4e:1a:04 No entry exists for AP (192.168.0.163/57761)
*spamApTask3: Oct 24 14:19:46.833: 00:fe:c8:4e:1a:04 No AP entry exist in temporary database for 192.168.0.163:57761
(Cisco Controller) >debug capwap events enable
(Cisco Controller) >*spamApTask7: Oct 24 14:20:09.906: 00:35:1a:cb:82:60 Discovery Request from 192.168.0.159:52605
*spamApTask7: Oct 24 14:20:09.906: 00:35:1a:cb:82:60 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 15, MaxLicense=15 joined Aps =0
*spamApTask7: Oct 24 14:20:09.906: 00:35:1a:cb:82:60 apType = 77 apModel: AIR-CAP1702I-E-K9
*spamApTask7: Oct 24 14:20:09.906: 00:35:1a:cb:82:60 Discovery Response sent to 192.168.0.159 port 52605
*spamApTask7: Oct 24 14:20:09.906: 00:35:1a:cb:82:60 Discovery Response sent to 192.168.0.159:52605
*spamApTask7: Oct 24 14:20:09.907: 00:35:1a:cb:82:60 Discovery Request from 192.168.0.159:52605
*spamApTask7: Oct 24 14:20:09.907: 00:35:1a:cb:82:60 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 15, MaxLicense=15 joined Aps =0
*spamApTask7: Oct 24 14:20:09.907: 00:35:1a:cb:82:60 apType = 77 apModel: AIR-CAP1702I-E-K9
*spamApTask7: Oct 24 14:20:09.908: 00:35:1a:cb:82:60 Discovery Response sent to 192.168.0.159 port 52605
*spamApTask7: Oct 24 14:20:09.908: 00:35:1a:cb:82:60 Discovery Response sent to 192.168.0.159:52605
*spamApTask7: Oct 24 14:20:09.908: 00:35:1a:cb:82:60 Discovery Request from 192.168.0.159:52605
*spamApTask7: Oct 24 14:20:09.908: 00:35:1a:cb:82:60 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 15, MaxLicense=15 joined Aps =0
*spamApTask7: Oct 24 14:20:09.908: 00:35:1a:cb:82:60 apType = 77 apModel: AIR-CAP1702I-E-K9
*spamApTask7: Oct 24 14:20:09.908: 00:35:1a:cb:82:60 Discovery Response sent to 192.168.0.159 port 52605
*spamApTask7: Oct 24 14:20:09.908: 00:35:1a:cb:82:60 Discovery Response sent to 192.168.0.159:52605
*spamApTask7: Oct 24 14:20:18.396: 00:fe:c8:5a:eb:50 Discovery Request from 192.168.0.160:60451
*spamApTask7: Oct 24 14:20:18.396: 00:fe:c8:5a:eb:50 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 15, MaxLicense=15 joined Aps =0
*spamApTask7: Oct 24 14:20:18.396: 00:fe:c8:5a:eb:50 apType = 77 apModel: AIR-CAP1702I-E-K9
*spamApTask7: Oct 24 14:20:18.397: 00:fe:c8:5a:eb:50 Discovery Response sent to 192.168.0.160 port 60451
*spamApTask7: Oct 24 14:20:18.397: 00:fe:c8:5a:eb:50 Discovery Response sent to 192.168.0.160:60451
*spamApTask1: Oct 24 14:20:19.832: 84:b2:61:46:44:e8 DTLS Handshake Timeout server (192.168.0.214:5246), client (192.168.0.162:58447)
*spamApTask1: Oct 24 14:20:19.832: 84:b2:61:46:44:e8 acDtlsPlumbControlPlaneKeys: lrad:192.168.0.162(58447) mwar:192.168.0.214(5246)
*spamApTask1: Oct 24 14:20:19.833: 84:b2:61:46:44:e8 DTLS connection closed event receivedserver (192.168.0.214/5246) client (192.168.0.162/58447)
*spamApTask1: Oct 24 14:20:19.833: 84:b2:61:46:44:e8 No entry exists for AP (192.168.0.162/58447)
*spamApTask1: Oct 24 14:20:19.833: 84:b2:61:46:44:e8 No AP entry exist in temporary database for 192.168.0.162:58447
*spamApTask3: Oct 24 14:20:21.904: 00:fe:c8:4e:1a:04 DTLS connection not found, creating new connection for 192.168.0.163 (57761) 192.168.0.214 (5246)
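The WLC debug output above shows APs being answered at CAPWAP discovery and then hitting "DTLS Handshake Timeout". As an added example (not part of any post in this thread and not Cisco tooling), this Python script groups such lines by AP IP and reports the stage at which each join stalls; it keys on IP because the MAC printed for 192.168.0.161 differs between the discovery lines and the DTLS lines. The function names and stage labels are hypothetical; the sample lines are copied from the thread's output.

```python
import re
from collections import defaultdict

# Sample lines copied from the WLC debug output quoted in this thread.
SAMPLE = """\
*spamApTask7: Oct 24 14:22:41.355: 00:42:68:ce:ad:80 Discovery Request from 192.168.0.161:56450
*spamApTask7: Oct 24 14:22:41.355: 00:42:68:ce:ad:80 Discovery Response sent to 192.168.0.161:56450
*spamApTask7: Oct 24 14:24:06.468: 00:78:88:b5:c8:18 DTLS connection not found, creating new connection for 192.168.0.161 (56450) 192.168.0.214 (5246)
*spamApTask7: Oct 24 14:19:46.232: 00:78:88:b5:c8:18 DTLS Handshake Timeout server (192.168.0.214:5246), client (192.168.0.161:56450)
*spamApTask7: Oct 24 14:20:09.906: 00:35:1a:cb:82:60 Discovery Request from 192.168.0.159:52605
*spamApTask7: Oct 24 14:20:09.906: 00:35:1a:cb:82:60 Discovery Response sent to 192.168.0.159:52605
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
LINE = re.compile(r"^\*\w+: \w+ +\d+ [\d:.]+: (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$")
# Only the "ip:port" form of the Discovery Response line is matched, so the
# duplicate "ip port N" variant the WLC also prints is not counted twice.
EVENTS = [
    ("discovery_request", re.compile(rf"Discovery Request from {IP}:\d+")),
    ("discovery_response", re.compile(rf"Discovery Response sent to {IP}:\d+")),
    ("dtls_start", re.compile(rf"DTLS connection not found, creating new connection for {IP} ")),
    ("dtls_timeout", re.compile(rf"DTLS Handshake Timeout server \(\S+\), client \({IP}:\d+\)")),
]

def summarize(text):
    """Return {ap_ip: {"macs": set, "events": {name: count}}}, keyed by AP IP."""
    aps = defaultdict(lambda: {"macs": set(), "events": defaultdict(int)})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        for name, pattern in EVENTS:
            hit = pattern.search(m["msg"])
            if hit:
                aps[hit.group(1)]["macs"].add(m["mac"])
                aps[hit.group(1)]["events"][name] += 1
                break
    return aps

def stalled_stage(ap):
    """Name the furthest join stage seen for one AP (labels are hypothetical)."""
    ev = ap["events"]
    if ev["dtls_timeout"]:
        return "dtls-handshake-timeout"
    if ev["dtls_start"]:
        return "dtls-in-progress"
    return "discovery-only" if ev["discovery_response"] else "no-discovery"

if __name__ == "__main__":
    for ip, ap in sorted(summarize(SAMPLE).items()):
        print(ip, stalled_stage(ap), sorted(ap["macs"]))
```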
on 24-10-2024 06:15 AM
Thank you. Please run the following command:
show certificate all
on 24-10-2024 06:43 AM
I was finally able to connect to the AP after finding a cable; I get the message below:
*Oct 24 13:42:37.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.0.214 peer_port: 5246
*Oct 24 13:42:42.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:929 Unexpected message received while expecting HelloVerifyRequest
*Oct 24 13:42:42.999: %DTLS-5-SEND_ALERT: Send FATAL : Unexpected message Alert to 192.168.0.214:5246
*Oct 24 13:42:42.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.0.214:5246
on 24-10-2024 06:48 AM
It is something related to the certificate. Maybe a certificate expired on the WLC side.
I would ask you to show the command "show certificate all" on the WLC side.
Eventually, you can also try to factory reset one AP, just in case.
on 24-10-2024 06:59 AM
(Cisco Controller) >show certificate all
--------------- Verification Certificates ---------------
Certificate Name: ACT2 EC CA cert
Subject Name :
O=Cisco, CN=ACT2 ECC SUDI CA
Issuer Name :
O=Cisco, CN=Cisco ECC Root CA
Serial Number (Hex):
02
Validity :
Start : Apr 4 08:26:13 2013 GMT
End : Apr 4 08:15:43.704 2053 GMT
Signature Algorithm :
ecdsa-with-SHA384
Hash key :
SHA1 Fingerprint : 32:78:95:b8:c***********************************:d9:34:0b:80:e6
SHA256 Fingerprint : f2:a3:92:57:1*****************************************0c:26:fe:f6:d8:4a:c6:e8:4b:db
----------------------------
Certificate Name: ACT2 EC ROOT CA cert
--More-- or (q)uit