AP can't join. DTLS connection closed by controller

Saman Shamim
Beginner

Hi guys,

1140 APs don't register with the 5508 controller. Here are some debug outputs:

AP's IP: 100.31

WLC's IP:100.2

debug capwap events enable

*spamApTask1: Nov 01 11:25:04.958: 30:e4:db:d3:a4:ca Discovery Request from 192.168.100.31:47690

*spamApTask1: Nov 01 11:25:04.958: 30:e4:db:d3:a4:ca Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 100, joined Aps =0

*spamApTask1: Nov 01 11:25:04.958: 30:e4:db:d3:a4:ca Discovery Response sent to 192.168.100.31:47690

*spamApTask1: Nov 01 11:25:04.958: 30:e4:db:d3:a4:ca Discovery Response sent to 192.168.100.31:47690

*spamApTask1: Nov 01 11:25:14.959: 30:e4:db:d3:a4:ca DTLS connection not found, creating new connection for 192:168:100:31 (47690) 192:168:100:2 (5246)

*spamApTask1: Nov 01 11:25:15.101: 30:e4:db:d3:a4:ca DTLS connection closed event receivedserver (192:168:100:2/5246) client (192:168:100:31/47690)

*spamApTask1: Nov 01 11:25:15.101: 30:e4:db:d3:a4:ca No entry exists for AP (192:168:100:31/47690)

*spamApTask1: Nov 01 11:25:15.101: 30:e4:db:d3:a4:ca No AP entry exist in temporary database for 192.168.100.31:47690

**************************************************************

debug capwap packet enable

*spamApTask1: Nov 01 11:36:20.039: <<<<  Start of CAPWAP Packet  >>>>

*spamApTask1: Nov 01 11:36:20.039: CAPWAP Control mesg Recd from 192.168.100.31, Port 47690

*spamApTask1: Nov 01 11:36:20.039:              HLEN 4,   Radio ID 0,    WBID 1

*spamApTask1: Nov 01 11:36:20.039:              Msg Type   :   CAPWAP_DISCOVERY_REQUEST

*spamApTask1: Nov 01 11:36:20.039:              Msg Length : 73

*spamApTask1: Nov 01 11:36:20.039:              Msg SeqNum : 0

*spamApTask1: Nov 01 11:36:20.039:

*spamApTask1: Nov 01 11:36:20.039:       Type : CAPWAP_MSGELE_DISCOVERY_TYPE, Length 1

*spamApTask1: Nov 01 11:36:20.039:              Discovery Type : CAPWAP_DISCOVERY_TYPE_UNKNOWN

*spamApTask1: Nov 01 11:36:20.039:

*spamApTask1: Nov 01 11:36:20.039:       Type : CAPWAP_MSGELE_WTP_DESCRIPTOR, Length 40

*spamApTask1: Nov 01 11:36:20.039:              Maximum Radios Supported  : 0

*spamApTask1: Nov 01 11:36:20.039:              Radios in Use             : 0

*spamApTask1: Nov 01 11:36:20.039:              Encryption Capabilities   : 0x00 0x01

*spamApTask1: Nov 01 11:36:20.039:

*spamApTask1: Nov 01 11:36:20.039:       Type : CAPWAP_MSGELE_WTP_FRAME_TUNNEL, Length 1

*spamApTask1: Nov 01 11:36:20.039:              WTP Frame Tunnel Mode : NATIVE_FRAME_TUNNEL_MODE

*spamApTask1: Nov 01 11:36:20.039:

*spamApTask1: Nov 01 11:36:20.039:       Type : CAPWAP_MSGELE_WTP_MAC_TYPE, Length 1

*spamApTask1: Nov 01 11:36:20.039:              WTP Mac Type  : SPLIT_MAC

*spamApTask1: Nov 01 11:36:20.039:

*spamApTask1: Nov 01 11:36:20.039:       Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 10

*spamApTask1: Nov 01 11:36:20.039:              Vendor Identifier  : 0x00409600

*spamApTask1: Nov 01 11:36:20.039:

        IE            :   UNKNOWN IE 207

*spamApTask1: Nov 01 11:36:20.039:      IE Length     :   4

*spamApTask1: Nov 01 11:36:20.039:      Decode routine not available, Printing Hex Dump

*spamApTask1: Nov 01 11:36:20.039: 00000000: 01 00 00 01                                       ....

*spamApTask1: Nov 01 11:36:20.039: <<<<  End of CAPWAP Packet  >>>>

**************************************************************

debug capwap errors enable

*spamApTask1: Nov 01 11:45:15.244: 30:e4:db:d3:a4:ca Deleting AP 192.168.100.31 which has not been plumbed

*spamApTask1: Nov 01 11:45:15.245: 30:e4:db:d3:a4:ca DTLS connection was closed

**************************************************************

debug capwap detail enable

*spamApTask1: Nov 01 11:52:45.298: 30:e4:db:d3:a4:ca CAPWAP Control Msg Received from 192.168.100.31:47690

*spamApTask1: Nov 01 11:52:45.298: 30:e4:db:d3:a4:ca DTLS connection 0x1454bc38 closed by controller

*spamApTask1: Nov 01 11:52:45.299: CAPWAP DTLS connection closed msg


Scott Fella
Hall of Fame Guru

What does the log show when you are consoled into the AP? Is it just one AP or a bunch?

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

I haven't consoled into AP yet. I'll do it now and post the outputs.

First I connected 3 APs and then disconnected 2 of them to make the debug outputs more readable. So currently just one AP is connected to the network.

Hello all,

My lightweight AP (3502i) is not joining the virtual Wireless LAN Controller.

My AP is getting an IP from DHCP, but it shows as not joined in the WLC. Can you please tell me what the problem is?

APa44c.11d3.3ae9#sh version
Cisco IOS Software, C3500 Software (AP3G1-RCVK9W8-M), Version 12.4(23c)JA3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Tue 18-Oct-11 15:02 by prod_rel_team

ROM: Bootstrap program is C3500 boot loader
BOOTLDR: C3500 Boot Loader (AP3G1-BOOT-M) Version 12.4(23c)JA5, RELEASE SOFTWARE (fc1)

APa44c.11d3.3ae9 uptime is 24 minutes
System returned to ROM by power-on
System image file is "flash:/ap3g1-rcvk9w8-mx/ap3g1-rcvk9w8-mx"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-CAP3502I-E-K9 (PowerPC460exr) processor (revision A0) with 81910K/49152K bytes of memory.
Processor board ID FCZ1623W0UL
PowerPC460exr CPU at 666Mhz, revision number 0x18A8
Last reset from power-on
LWAPP image version 7.0.112.74
1 Gigabit Ethernet interface

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: A4:4C:11:D3:3A:E9
Part Number : 73-12175-05
PCA Assembly Number : 800-32268-05
PCA Revision Number : A0
PCB Serial Number : FOC16175AYN
Top Assembly Part Number : 800-32891-01
Top Assembly Serial Number : FCZ1623W0UL
Top Revision Number : A0
Product/Model Number : AIR-CAP3502I-E-K9

Configuration register is 0xF

APa44c.11d3.3ae9#
*Apr 16 07:12:23.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.100.3.72 peer_port: 5246
*Apr 16 07:12:23.003: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Apr 16 07:12:23.003: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Apr 16 07:12:23.003: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:348 Certificate verified failed!
*Apr 16 07:12:23.003: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 10.100.3.72
*Apr 16 07:12:23.003: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.100.3.72:5246
*Apr 16 07:12:23.003: %DTLS-3-BAD_RECORD: Erroneous record received from 10.100.3.72: Malformed Certificate
*Apr 16 07:12:23.003: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.100.3.72:5246
*Apr 16 07:12:23.003: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

-----------------------------

from wlc

(Cisco Controller) >show ap join stats summary all

Number of APs.............................................. 2

Base Mac AP EthernetMac AP Name IP Address Status
67:58:34:01:00:00 N A N A 10.100.3.7 Not Joined
a4:4c:11:d3:3a:e9 N A APa44c.11d3.3ae9 10.100.3.7 Not Joined


(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Build Name....................................... Engg Special Image

Product Version.................................. 8.2.100.0
RTOS Version..................................... 8.2.100.0
Bootloader Version............................... 8.2.100.0
Emergency Image Version.......................... 8.2.100.0

Build Type....................................... DATA + WPS

System Name...................................... Cisco_66:e5:93
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1631
IP Address....................................... 10.100.3.72
IPv6 Address..................................... ::
System Up Time................................... 0 days 0 hrs 30 mins 58 secs
System Timezone Location.........................
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180

--More-- or (q)uit

Configured Country............................... US - United States

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 2
Number of Active Clients......................... 0

Burned-in MAC Address............................ 00:0C:29:66:E5:93
Maximum number of APs supported.................. 200
System Nas-Id....................................
WLC MIC Certificate Types........................ SHA1
Licensing Type................................... RTU
vWLC config...................................... Small

*Nov  1 12:27:24.999: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY

*Nov  1 12:27:25.000: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY

*Nov  1 12:27:35.003: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Nov  1 12:27:35.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.2 peer_port: 5246

*Nov  1 12:27:35.000: %CAPWAP-5-CHANGED: CAPWAP changed state to

*Nov  1 12:27:35.138: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed.  The certificate (SN: 6F5328F20000000F6A57) is not yet valid   Validity period starts on 13:39:13 UTC Nov 17 2011

*Nov  1 12:27:35.139: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed

*Nov  1 12:27:35.139: %CAPWAP-3-ERRORLOG: Certificate verification failed!

*Nov  1 12:27:35.139: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:326 Certificate verified failed!

*Nov  1 12:27:35.139: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.100.2

*Nov  1 12:27:35.139: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.100.2:5246

*Nov  1 12:27:35.140: %DTLS-3-BAD_RECORD: Erroneous record received from 192.168.100.2: Malformed Certificate

*Nov  1 12:27:35.140: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 192.168.100.2:5246

*Nov  1 12:27:35.140: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

Check your time on the WLC. It's off, so that is why the APs are not joining.

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

*Nov  1 12:27:35.138: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID:  Certificate chain validation has failed.  The certificate (SN:  6F5328F20000000F6A57) is not yet valid   Validity period starts on  13:39:13 UTC Nov 17 2011

This is why.. the certificate exchange is failing.

-Scott
*** Please rate helpful posts ***
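The diagnosis Scott gives above (controller clock earlier than the certificate's "Validity period starts on" date) can be checked mechanically from the AP console log. The script below is an added example, not code from the thread or from Cisco; it re-types the AP-side messages quoted above as a constructed sample, pulls the certificate serial and notBefore time out of the `%PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID` line, counts the `%DTLS-4-BAD_CERT` events, and compares notBefore against a controller clock you supply (as you would read it from the WLC's `show time`). The `diagnose` and `demo` function names and the sample clock value are assumptions made here for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the AP console messages quoted in this thread, re-typed as test input.
SAMPLE_AP_LOG = """\
*Nov  1 12:27:35.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.2 peer_port: 5246
*Nov  1 12:27:35.138: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed.  The certificate (SN: 6F5328F20000000F6A57) is not yet valid   Validity period starts on 13:39:13 UTC Nov 17 2011
*Nov  1 12:27:35.139: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Nov  1 12:27:35.139: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.100.2
*Nov  1 12:27:35.139: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.100.2:5246
"""

# Matches the IOS PKI "not yet valid" message and captures the serial and the notBefore timestamp.
# \s* tolerates the doubled spaces that appear when the line is pasted into a forum post.
NOT_YET_VALID = re.compile(
    r"%PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID:.*?\(SN:\s*([0-9A-Fa-f]+)\).*?"
    r"Validity period starts on\s+(\d{2}:\d{2}:\d{2}) UTC (\w{3}) (\d{1,2}) (\d{4})"
)
BAD_CERT = re.compile(r"%DTLS-4-BAD_CERT:")


def diagnose(log_text, wlc_clock_utc):
    """Explain a DTLS join failure from AP console output.

    log_text:      raw AP console log (string).
    wlc_clock_utc: controller clock as "YYYY-MM-DD HH:MM:SS" in UTC (e.g. from `show time`).
    Returns a dict describing what was found and whether the clock explains the failure.
    """
    wlc_now = datetime.strptime(wlc_clock_utc, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    result = {
        "bad_cert_events": sum(1 for line in log_text.splitlines() if BAD_CERT.search(line)),
        "serial": None,
        "not_before": None,
        "clock_behind_by_seconds": 0,
        "verdict": "no certificate-validity failure found",
    }

    m = NOT_YET_VALID.search(log_text)
    if m is None:
        return result

    serial, hhmmss, mon, day, year = m.groups()
    not_before = datetime.strptime(f"{hhmmss} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
    not_before = not_before.replace(tzinfo=timezone.utc)

    result["serial"] = serial
    result["not_before"] = not_before.isoformat()
    skew = int((not_before - wlc_now).total_seconds())
    result["clock_behind_by_seconds"] = max(skew, 0)

    if skew > 0:
        # The controller presented a certificate whose validity has not started according to
        # the clock in use; fixing the controller's time (ideally via NTP) resolves the join.
        result["verdict"] = "controller clock behind certificate notBefore"
    else:
        result["verdict"] = "certificate notBefore already passed; look elsewhere"
    return result


def demo():
    # Constructed controller clock: the AP log timestamps in the thread are from Nov 1, 2011,
    # so assume the WLC reported the same (wrong) date.
    return diagnose(SAMPLE_AP_LOG, "2011-11-01 12:27:35")


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a saved AP console capture and the controller's own clock; a positive `clock_behind_by_seconds` together with `%DTLS-4-BAD_CERT` events points at time, not at the AP or the certificate itself, which is exactly the situation in this thread.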

Well, the WLC was a month late (November 1st) !!!

Fixed it and now everything is good.

Thanks a lot Scott

No problem:)

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Good catch Scott. Thanks for helping Cisco Partners. 

Vinay Sharma

Community Manager - Wireless

Thanks & Regards

The date had to do with the cert failing?

Hello,

 

I am having the same issue as you, and I would appreciate it if you can help me fix it. I am getting the below error message on the AP.

 

The certificate (SN:  6F5328F20000000F6A57) is not yet valid   Validity period starts on  13:39:13 UTC Nov 17 2011

 

Could you please help me.

Hi,

You can solve the problem of certificates with these commands;

config ap lifetime-check {mic|ssc} enable

config ap cert-expiry-ignore {mic|ssc} enable

 

Came across this 4 years later but THANKS!  I was scratching my head for an hour and couldn't figure out just why my AP wasn't joining.  Fixed the time on WLC and AP and got DTLS up instantly.

-Ricky

I changed the time on the WLC. Then it's working. Thanks!!!!
