AP can't join. DTLS connection closed by controller

Answered Question
Dec 2nd, 2011

Hi guys,

1140 APs don't register with the 5508 controller. Here are some debug outputs:

AP's IP: 100.31

WLC's IP:100.2

debug capwap events enable

*spamApTask1: Nov 01 11:25:04.958: 30:e4:db:d3:a4:ca Discovery Request from 192.168.100.31:47690

*spamApTask1: Nov 01 11:25:04.958: 30:e4:db:d3:a4:ca Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 100, joined Aps =0

*spamApTask1: Nov 01 11:25:04.958: 30:e4:db:d3:a4:ca Discovery Response sent to 192.168.100.31:47690

*spamApTask1: Nov 01 11:25:04.958: 30:e4:db:d3:a4:ca Discovery Response sent to 192.168.100.31:47690

*spamApTask1: Nov 01 11:25:14.959: 30:e4:db:d3:a4:ca DTLS connection not found, creating new connection for 192:168:100:31 (47690) 192:168:100:2 (5246)

*spamApTask1: Nov 01 11:25:15.101: 30:e4:db:d3:a4:ca DTLS connection closed event receivedserver (192:168:100:2/5246) client (192:168:100:31/47690)

*spamApTask1: Nov 01 11:25:15.101: 30:e4:db:d3:a4:ca No entry exists for AP (192:168:100:31/47690)

*spamApTask1: Nov 01 11:25:15.101: 30:e4:db:d3:a4:ca No AP entry exist in temporary database for 192.168.100.31:47690

**************************************************************

debug capwap packet enable

*spamApTask1: Nov 01 11:36:20.039: <<<<  Start of CAPWAP Packet  >>>>

*spamApTask1: Nov 01 11:36:20.039: CAPWAP Control mesg Recd from 192.168.100.31, Port 47690

*spamApTask1: Nov 01 11:36:20.039:              HLEN 4,   Radio ID 0,    WBID 1

*spamApTask1: Nov 01 11:36:20.039:              Msg Type   :   CAPWAP_DISCOVERY_REQUEST

*spamApTask1: Nov 01 11:36:20.039:              Msg Length : 73

*spamApTask1: Nov 01 11:36:20.039:              Msg SeqNum : 0

*spamApTask1: Nov 01 11:36:20.039:

*spamApTask1: Nov 01 11:36:20.039:       Type : CAPWAP_MSGELE_DISCOVERY_TYPE, Length 1

*spamApTask1: Nov 01 11:36:20.039:              Discovery Type : CAPWAP_DISCOVERY_TYPE_UNKNOWN

*spamApTask1: Nov 01 11:36:20.039:

*spamApTask1: Nov 01 11:36:20.039:       Type : CAPWAP_MSGELE_WTP_DESCRIPTOR, Length 40

*spamApTask1: Nov 01 11:36:20.039:              Maximum Radios Supported  : 0

*spamApTask1: Nov 01 11:36:20.039:              Radios in Use             : 0

*spamApTask1: Nov 01 11:36:20.039:              Encryption Capabilities   : 0x00 0x01

*spamApTask1: Nov 01 11:36:20.039:

*spamApTask1: Nov 01 11:36:20.039:       Type : CAPWAP_MSGELE_WTP_FRAME_TUNNEL, Length 1

*spamApTask1: Nov 01 11:36:20.039:              WTP Frame Tunnel Mode : NATIVE_FRAME_TUNNEL_MODE

*spamApTask1: Nov 01 11:36:20.039:

*spamApTask1: Nov 01 11:36:20.039:       Type : CAPWAP_MSGELE_WTP_MAC_TYPE, Length 1

*spamApTask1: Nov 01 11:36:20.039:              WTP Mac Type  : SPLIT_MAC

*spamApTask1: Nov 01 11:36:20.039:

*spamApTask1: Nov 01 11:36:20.039:       Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 10

*spamApTask1: Nov 01 11:36:20.039:              Vendor Identifier  : 0x00409600

*spamApTask1: Nov 01 11:36:20.039:

        IE            :   UNKNOWN IE 207

*spamApTask1: Nov 01 11:36:20.039:      IE Length     :   4

*spamApTask1: Nov 01 11:36:20.039:      Decode routine not available, Printing Hex Dump

*spamApTask1: Nov 01 11:36:20.039: 00000000: 01 00 00 01                                       ....

*spamApTask1: Nov 01 11:36:20.039: <<<<  End of CAPWAP Packet  >>>>

**************************************************************

debug capwap errors enable

*spamApTask1: Nov 01 11:45:15.244: 30:e4:db:d3:a4:ca Deleting AP 192.168.100.31 which has not been plumbed

*spamApTask1: Nov 01 11:45:15.245: 30:e4:db:d3:a4:ca DTLS connection was closed

**************************************************************

debug capwap detail enable

*spamApTask1: Nov 01 11:52:45.298: 30:e4:db:d3:a4:ca CAPWAP Control Msg Received from 192.168.100.31:47690

*spamApTask1: Nov 01 11:52:45.298: 30:e4:db:d3:a4:ca DTLS connection 0x1454bc38 closed by controller

*spamApTask1: Nov 01 11:52:45.299: CAPWAP DTLS connection closed msg

Scott Fella Fri, 12/02/2011 - 12:22

What does the log show when you are consoled into the AP? Is it just one AP or a bunch?

Sent from my iPhone

Saman.Shamim Fri, 12/02/2011 - 12:24

I haven't consoled into the AP yet. I'll do it now and post the outputs.

First I connected 3 APs and then disconnected 2 of them to make the debug outputs more readable, so currently just one AP is connected to the network.

sifathmirza Tue, 05/17/2016 - 00:23

Hello all,

My lightweight AP (3502i) is not joining the virtual Wireless LAN Controller.

My AP is getting an IP from DHCP, but it shows as not joined in the WLC. Can you please tell me what the problem is?

APa44c.11d3.3ae9#sh version
Cisco IOS Software, C3500 Software (AP3G1-RCVK9W8-M), Version 12.4(23c)JA3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Tue 18-Oct-11 15:02 by prod_rel_team

ROM: Bootstrap program is C3500 boot loader
BOOTLDR: C3500 Boot Loader (AP3G1-BOOT-M) Version 12.4(23c)JA5, RELEASE SOFTWARE (fc1)

APa44c.11d3.3ae9 uptime is 24 minutes
System returned to ROM by power-on
System image file is "flash:/ap3g1-rcvk9w8-mx/ap3g1-rcvk9w8-mx"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected]

cisco AIR-CAP3502I-E-K9 (PowerPC460exr) processor (revision A0) with 81910K/49152K bytes of memory.
Processor board ID FCZ1623W0UL
PowerPC460exr CPU at 666Mhz, revision number 0x18A8
Last reset from power-on
LWAPP image version 7.0.112.74
1 Gigabit Ethernet interface

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: A4:4C:11:D3:3A:E9
Part Number : 73-12175-05
PCA Assembly Number : 800-32268-05
PCA Revision Number : A0
PCB Serial Number : FOC16175AYN
Top Assembly Part Number : 800-32891-01
Top Assembly Serial Number : FCZ1623W0UL
Top Revision Number : A0
Product/Model Number : AIR-CAP3502I-E-K9

Configuration register is 0xF

APa44c.11d3.3ae9#
*Apr 16 07:12:23.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.100.3.72 peer_port: 5246
*Apr 16 07:12:23.003: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Apr 16 07:12:23.003: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Apr 16 07:12:23.003: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:348 Certificate verified failed!
*Apr 16 07:12:23.003: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 10.100.3.72
*Apr 16 07:12:23.003: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.100.3.72:5246
*Apr 16 07:12:23.003: %DTLS-3-BAD_RECORD: Erroneous record received from 10.100.3.72: Malformed Certificate
*Apr 16 07:12:23.003: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.100.3.72:5246
*Apr 16 07:12:23.003: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

-----------------------------

from wlc

(Cisco Controller) >show ap join stats summary all

Number of APs.............................................. 2

Base Mac           AP EthernetMac   AP Name            IP Address   Status
67:58:34:01:00:00  N A              N A                10.100.3.7   Not Joined
a4:4c:11:d3:3a:e9  N A              APa44c.11d3.3ae9   10.100.3.7   Not Joined


(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Build Name....................................... Engg Special Image

Product Version.................................. 8.2.100.0
RTOS Version..................................... 8.2.100.0
Bootloader Version............................... 8.2.100.0
Emergency Image Version.......................... 8.2.100.0

Build Type....................................... DATA + WPS

System Name...................................... Cisco_66:e5:93
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1631
IP Address....................................... 10.100.3.72
IPv6 Address..................................... ::
System Up Time................................... 0 days 0 hrs 30 mins 58 secs
System Timezone Location.........................
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180

Configured Country............................... US - United States

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 2
Number of Active Clients......................... 0

Burned-in MAC Address............................ 00:0C:29:66:E5:93
Maximum number of APs supported.................. 200
System Nas-Id....................................
WLC MIC Certificate Types........................ SHA1
Licensing Type................................... RTU
vWLC config...................................... Small

Saman.Shamim Fri, 12/02/2011 - 12:30

*Nov  1 12:27:24.999: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY

*Nov  1 12:27:25.000: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY

*Nov  1 12:27:35.003: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Nov  1 12:27:35.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.2 peer_port: 5246

*Nov  1 12:27:35.000: %CAPWAP-5-CHANGED: CAPWAP changed state to

*Nov  1 12:27:35.138: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed.  The certificate (SN: 6F5328F20000000F6A57) is not yet valid   Validity period starts on 13:39:13 UTC Nov 17 2011

*Nov  1 12:27:35.139: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed

*Nov  1 12:27:35.139: %CAPWAP-3-ERRORLOG: Certificate verification failed!

*Nov  1 12:27:35.139: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:326 Certificate verified failed!

*Nov  1 12:27:35.139: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.100.2

*Nov  1 12:27:35.139: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.100.2:5246

*Nov  1 12:27:35.140: %DTLS-3-BAD_RECORD: Erroneous record received from 192.168.100.2: Malformed Certificate

*Nov  1 12:27:35.140: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 192.168.100.2:5246

*Nov  1 12:27:35.140: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

Correct Answer
Scott Fella Fri, 12/02/2011 - 12:32

Check your time on the WLC. It's off, so that is why the APs are not joining.

Sent from my iPhone

Scott Fella Fri, 12/02/2011 - 12:35

*Nov  1 12:27:35.138: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID:  Certificate chain validation has failed.  The certificate (SN:  6F5328F20000000F6A57) is not yet valid   Validity period starts on  13:39:13 UTC Nov 17 2011

This is why. The certificate exchange is failing.
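An added example, not part of the thread or any Cisco tool: a small parser over the AP console lines quoted above that picks out the %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID message and computes how far the AP's clock (the syslog timestamp) is behind the controller certificate's notBefore date. The IOS syslog prefix omits the year, so the example takes the log year as a parameter (assumed 2011 here); the sample log lines are constructed from the post.

```python
import re
from datetime import datetime, timezone

# Constructed sample: AP console lines from this thread (not a live capture).
SAMPLE_LOG = """\
*Nov  1 12:27:35.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.2 peer_port: 5246
*Nov  1 12:27:35.138: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed.  The certificate (SN: 6F5328F20000000F6A57) is not yet valid   Validity period starts on 13:39:13 UTC Nov 17 2011
*Nov  1 12:27:35.139: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.100.2
"""

# IOS syslog prefix: "*Nov  1 12:27:35.138: %FACILITY-SEV-MNEMONIC: message"
LINE_RE = re.compile(
    r"^\*(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2})\.\d+: "
    r"(?P<mnemonic>%[A-Z]+-\d-[A-Z_]+): (?P<msg>.*)$")
# Serial number and notBefore inside the PKI "not yet valid" message
NOT_BEFORE_RE = re.compile(
    r"\(SN: (?P<serial>[0-9A-Fa-f]+)\).*Validity period starts on "
    r"(?P<hms>\d{2}:\d{2}:\d{2}) UTC (?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<year>\d{4})")


def _utc(mon, day, hms, year):
    """Build an aware UTC datetime from the pieces the log gives us."""
    return datetime.strptime(f"{mon} {day} {year} {hms}",
                             "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)


def diagnose(log_text, log_year):
    """Return details of the first 'not yet valid' rejection, or None if absent.

    seconds_behind > 0 means the AP's clock is earlier than the certificate's
    notBefore, so the DTLS handshake fails before any other join step runs."""
    peer, cert, ap_clock = None, None, None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["mnemonic"] == "%DTLS-4-BAD_CERT":
            ip = re.search(r"Peer IP: (\S+)", m["msg"])
            peer = ip.group(1) if ip else peer
        elif m["mnemonic"] == "%PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID" and cert is None:
            cert = NOT_BEFORE_RE.search(m["msg"])
            ap_clock = _utc(m["mon"], m["day"], m["hms"], log_year)
    if cert is None:
        return None
    not_before = _utc(cert["mon"], cert["day"], cert["hms"], cert["year"])
    behind = int((not_before - ap_clock).total_seconds())
    return {"serial": cert["serial"].upper(), "peer": peer, "ap_clock": ap_clock,
            "not_before": not_before, "seconds_behind": behind,
            "verdict": "fix the clock before touching certificates" if behind > 0 else "clock ok"}
```
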

Saman.Shamim Fri, 12/02/2011 - 12:44

Well, the WLC was a month late (November 1st)!!!

Fixed it and now everything is good.

Thanks a lot Scott

Vinay Sharma Fri, 12/02/2011 - 21:51

Good catch Scott. Thanks for helping Cisco Partners. 

Vinay Sharma

Community Manager - Wireless

Ricky Sandhu Tue, 02/09/2016 - 18:10

Came across this 4 years later but THANKS!  I was scratching my head for an hour and couldn't figure out just why my AP wasn't joining.  Fixed the time on WLC and AP and got DTLS up instantly.

-Ricky

Gustavo Adolfo ... Fri, 12/20/2013 - 14:59

I'm moving from controller A to controller B with the same software version and none of the APs join my new controller. I'm getting the same debug outputs as this original post.
Do I have to clear the private config too?

Daniel Ordonez Fri, 12/20/2013 - 15:02

The problem in the original post is that the WLC's date is wrong. In your case, is the date correct? Is your new WLC on the same network segment as the original one?
