WLC Failed to complete DTLS handshake with peer

Feb 22nd, 2011

WLC 5508 running

Site was running fine until the WLC had a hardware failure.

A new WLC was shipped out, was running 6.0.99 then manually upgraded to 7.0.98. Clients cannot authenticate, with recurrent log messages like this.

*dot1xMsgTask: Feb 23 17:05:03.648: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2914 Max EAP identity request retries (3) exceeded for client 00:21:5c:<snip>
*spamApTask0: Feb 23 17:05:01.926: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:629 Failed to complete DTLS handshake with peer

I have tried changing the key on the radius server to no avail. Anybody have any ideas?

Nicolas Darchis Wed, 02/23/2011 - 00:17
User Badges: Cisco Employee

DTLS message corresponds to an AP not joining or disconnecting.

The EAP message above is about a client not finishing its dot1x authentication.

Since what changed is the WLC itself, I would check for changes:

- Did it change IP address? Is the config EXACTLY the same as before?

- What does your radius server report as the failed attempt reason?
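A log triage sketch following the split described in the reply above (DTLS messages on the AP join side, DOT1X messages on the client authentication side). This is an added example, not part of the original thread and not Cisco code; the sample lines are constructed in the shape of the two messages quoted in the question, and the MAC address, the `parse`/`triage` names and the side labels are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the shape of the two messages quoted in the thread.
# The MAC address is a made-up placeholder, not a value from the thread.
SAMPLE = """\
*dot1xMsgTask: Feb 23 17:05:03.648: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2914 Max EAP identity request retries (3) exceeded for client 02:00:00:00:00:01
*spamApTask0: Feb 23 17:05:01.926: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:629 Failed to complete DTLS handshake with peer
*dot1xMsgTask: Feb 23 17:05:09.112: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2914 Max EAP identity request retries (3) exceeded for client 02:00:00:00:00:01
this line is not a WLC message
"""

# Layout: *task: timestamp: %FACILITY-SEVERITY-MNEMONIC: source.c:line text
LINE_RE = re.compile(
    r"^\*(?P<task>[^:]+): (?P<ts>\w{3} +\d+ [\d:.]+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<src>\S+:\d+) (?P<text>.*)$"
)
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)

# Assumed labels, following the reply: DTLS = AP side, DOT1X = client side.
SIDE = {"DTLS": "ap-join", "DOT1X": "client-auth"}

def parse(line):
    """Return a dict for one WLC message line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["side"] = SIDE.get(rec["facility"], "other")
    mac = MAC_RE.search(rec["text"])  # a snipped or absent MAC yields None
    rec["client"] = mac.group(0).lower() if mac else None
    return rec

def triage(log_text):
    """Count messages per side and per client MAC; collect unparsed lines."""
    by_side, by_client, unparsed = Counter(), Counter(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        if rec is None:
            unparsed.append(line)
            continue
        by_side[rec["side"]] += 1
        if rec["client"]:
            by_client[rec["client"]] += 1
    return {"by_side": dict(by_side), "by_client": dict(by_client), "unparsed": unparsed}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Keeping the two counters separate shows whether a site has an AP join problem, a client authentication problem, or both at once.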


shaanismath Wed, 02/23/2011 - 15:16

Hi Nicolas,

I reconfigured the WLC manually and from what I can see the configs are the same.

Are the AP disconnect (DTLS) and EAP messages even related to each other?

The log on the radius indicates Filtering Platform Packet drop; it's an NPS server.


shaanismath Wed, 02/23/2011 - 19:05

I also saw this message in the NPS logs.

Authentication failed due to an EAP session timeout; the EAP session with the access client was incomplete.

Nicolas Darchis Wed, 02/23/2011 - 22:59
User Badges: Cisco Employee

I'm unsure about what the first NPS message means.

It's a dot1x authentication not completing issue; the authentication process must be looked at to understand which part is stopping. It could be the client not trusting the NPS certificate, the NPS stopping the authentication because it doesn't like the WLC for some reason ... could be anything.

