AP can't join. DTLS connection closed by controller

Answered Question
Dec 2nd, 2011

Hi guys,

1140 APs don't register with the 5508 controller. Here are some debug outputs:

AP's IP: 100.31

WLC's IP:100.2

debug capwap events enable

*spamApTask1: Nov 01 11:25:04.958: 30:e4:db:d3:a4:ca Discovery Request from 192.168.100.31:47690

*spamApTask1: Nov 01 11:25:04.958: 30:e4:db:d3:a4:ca Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 100, joined Aps =0

*spamApTask1: Nov 01 11:25:04.958: 30:e4:db:d3:a4:ca Discovery Response sent to 192.168.100.31:47690

*spamApTask1: Nov 01 11:25:04.958: 30:e4:db:d3:a4:ca Discovery Response sent to 192.168.100.31:47690

*spamApTask1: Nov 01 11:25:14.959: 30:e4:db:d3:a4:ca DTLS connection not found, creating new connection for 192:168:100:31 (47690) 192:168:100:2 (5246)

*spamApTask1: Nov 01 11:25:15.101: 30:e4:db:d3:a4:ca DTLS connection closed event receivedserver (192:168:100:2/5246) client (192:168:100:31/47690)

*spamApTask1: Nov 01 11:25:15.101: 30:e4:db:d3:a4:ca No entry exists for AP (192:168:100:31/47690)

*spamApTask1: Nov 01 11:25:15.101: 30:e4:db:d3:a4:ca No AP entry exist in temporary database for 192.168.100.31:47690

**************************************************************

debug capwap packet enable

>*spamApTask1: Nov 01 11:36:20.039: <<<<  Start of CAPWAP Packet  >>>>

*spamApTask1: Nov 01 11:36:20.039: CAPWAP Control mesg Recd from 192.168.100.31, Port 47690

*spamApTask1: Nov 01 11:36:20.039:              HLEN 4,   Radio ID 0,    WBID 1

*spamApTask1: Nov 01 11:36:20.039:              Msg Type   :   CAPWAP_DISCOVERY_REQUEST

*spamApTask1: Nov 01 11:36:20.039:              Msg Length : 73

*spamApTask1: Nov 01 11:36:20.039:              Msg SeqNum : 0

*spamApTask1: Nov 01 11:36:20.039:

*spamApTask1: Nov 01 11:36:20.039:       Type : CAPWAP_MSGELE_DISCOVERY_TYPE, Length 1

*spamApTask1: Nov 01 11:36:20.039:              Discovery Type : CAPWAP_DISCOVERY_TYPE_UNKNOWN

*spamApTask1: Nov 01 11:36:20.039:

*spamApTask1: Nov 01 11:36:20.039:       Type : CAPWAP_MSGELE_WTP_DESCRIPTOR, Length 40

*spamApTask1: Nov 01 11:36:20.039:              Maximum Radios Supported  : 0

*spamApTask1: Nov 01 11:36:20.039:              Radios in Use             : 0

*spamApTask1: Nov 01 11:36:20.039:              Encryption Capabilities   : 0x00 0x01

*spamApTask1: Nov 01 11:36:20.039:

*spamApTask1: Nov 01 11:36:20.039:       Type : CAPWAP_MSGELE_WTP_FRAME_TUNNEL, Length 1

*spamApTask1: Nov 01 11:36:20.039:              WTP Frame Tunnel Mode : NATIVE_FRAME_TUNNEL_MODE

*spamApTask1: Nov 01 11:36:20.039:

*spamApTask1: Nov 01 11:36:20.039:       Type : CAPWAP_MSGELE_WTP_MAC_TYPE, Length 1

*spamApTask1: Nov 01 11:36:20.039:              WTP Mac Type  : SPLIT_MAC

*spamApTask1: Nov 01 11:36:20.039:

*spamApTask1: Nov 01 11:36:20.039:       Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 10

*spamApTask1: Nov 01 11:36:20.039:              Vendor Identifier  : 0x00409600

*spamApTask1: Nov 01 11:36:20.039:

        IE            :   UNKNOWN IE 207

*spamApTask1: Nov 01 11:36:20.039:      IE Length     :   4

*spamApTask1: Nov 01 11:36:20.039:      Decode routine not available, Printing Hex Dump

*spamApTask1: Nov 01 11:36:20.039: 00000000: 01 00 00 01                                       ....

*spamApTask1: Nov 01 11:36:20.039: <<<<  End of CAPWAP Packet  >>>>

**************************************************************

debug capwap errors enable

*spamApTask1: Nov 01 11:45:15.244: 30:e4:db:d3:a4:ca Deleting AP 192.168.100.31 which has not been plumbed

*spamApTask1: Nov 01 11:45:15.245: 30:e4:db:d3:a4:ca DTLS connection was closed

**************************************************************

debug capwap detail enable

*spamApTask1: Nov 01 11:52:45.298: 30:e4:db:d3:a4:ca CAPWAP Control Msg Received from 192.168.100.31:47690

*spamApTask1: Nov 01 11:52:45.298: 30:e4:db:d3:a4:ca DTLS connection 0x1454bc38 closed by controller

*spamApTask1: Nov 01 11:52:45.299: CAPWAP DTLS connection closed msg

Scott Fella Fri, 12/02/2011 - 12:22

What does the log show when you are consoled into the AP? Is it just one AP or a bunch?


Saman.Shamim Fri, 12/02/2011 - 12:24

I haven't consoled into the AP yet. I'll do it now and post the outputs.

First I connected 3 APs and then disconnected 2 of them to make the debug outputs more readable. So currently just one AP is connected to the network.

Saman.Shamim Fri, 12/02/2011 - 12:30

*Nov  1 12:27:24.999: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY

*Nov  1 12:27:25.000: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY

*Nov  1 12:27:35.003: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Nov  1 12:27:35.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.2 peer_port: 5246

*Nov  1 12:27:35.000: %CAPWAP-5-CHANGED: CAPWAP changed state to

*Nov  1 12:27:35.138: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed.  The certificate (SN: 6F5328F20000000F6A57) is not yet valid   Validity period starts on 13:39:13 UTC Nov 17 2011

*Nov  1 12:27:35.139: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed

*Nov  1 12:27:35.139: %CAPWAP-3-ERRORLOG: Certificate verification failed!

*Nov  1 12:27:35.139: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:326 Certificate verified failed!

*Nov  1 12:27:35.139: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.100.2

*Nov  1 12:27:35.139: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.100.2:5246

*Nov  1 12:27:35.140: %DTLS-3-BAD_RECORD: Erroneous record received from 192.168.100.2: Malformed Certificate

*Nov  1 12:27:35.140: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 192.168.100.2:5246

*Nov  1 12:27:35.140: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

Correct Answer
Scott Fella Fri, 12/02/2011 - 12:32

Check your time on the WLC. It's off, so that is why the APs are not joining.

Scott Fella Fri, 12/02/2011 - 12:35

*Nov  1 12:27:35.138: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID:  Certificate chain validation has failed.  The certificate (SN:  6F5328F20000000F6A57) is not yet valid   Validity period starts on  13:39:13 UTC Nov 17 2011

This is why.. the certificate exchange is failing.
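
The diagnosis above, as an added example that is not part of the original posts: a Python script that scans AP console output for the not-yet-valid PKI message, reports how far the logging device's clock sits behind the certificate's validity start, and attaches the peer from the following `%DTLS-4-BAD_CERT` line. The log lines are the ones posted in this thread; the function name `find_clock_skew` and the assumption that the year-less log timestamp is UTC and in the same year as the validity start belong to the example.

```python
import re
from datetime import datetime

# Sample input: three lines from the AP console log posted in this thread.
SAMPLE_LOG = """\
*Nov  1 12:27:35.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.100.2 peer_port: 5246
*Nov  1 12:27:35.138: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed.  The certificate (SN: 6F5328F20000000F6A57) is not yet valid   Validity period starts on 13:39:13 UTC Nov 17 2011
*Nov  1 12:27:35.139: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.100.2
"""

# Leading "*Mon D HH:MM:SS.mmm: " stamp; the log carries no year.
STAMP = r"^\*?(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\.\d+:\s+"
NOT_YET_VALID = re.compile(
    STAMP + r"%PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID:.*?\(SN:\s*(?P<sn>[0-9A-Fa-f]+)\)"
    r".*?Validity period starts on\s+(?P<start>\d{2}:\d{2}:\d{2} UTC \w{3}\s+\d{1,2} \d{4})"
)
BAD_CERT = re.compile(STAMP + r"%DTLS-4-BAD_CERT:.*Peer IP: (?P<peer>[\d.]+)")


def find_clock_skew(log_text):
    """Return one finding per not-yet-valid certificate error in log_text."""
    findings = []
    for line in log_text.splitlines():
        hit = NOT_YET_VALID.search(line)
        if hit:
            start = datetime.strptime(hit["start"], "%H:%M:%S UTC %b %d %Y")
            # Assumption: the log stamp is UTC and in the same year as `start`.
            seen = datetime.strptime(f"{hit['stamp']} {start.year}", "%b %d %H:%M:%S %Y")
            findings.append({"serial": hit["sn"], "device_time": seen,
                             "valid_from": start, "behind": start - seen, "peer": None})
            continue
        peer = BAD_CERT.search(line)
        # Attach the first BAD_CERT peer that follows an unmatched PKI error.
        if peer and findings and findings[-1]["peer"] is None:
            findings[-1]["peer"] = peer["peer"]
    return findings


if __name__ == "__main__":
    for f in find_clock_skew(SAMPLE_LOG):
        print(f"cert SN {f['serial']} from peer {f['peer']}: device clock "
              f"{f['device_time']} is {f['behind']} before validity start {f['valid_from']}")
```

A positive `behind` value means the device logged the error at a time earlier than the certificate's start date, which points at the clock rather than at the certificate.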

Saman.Shamim Fri, 12/02/2011 - 12:44

Well, the WLC was a month late (November 1st) !!!

Fixed it and now everything is good.

Thanks a lot Scott

Vinay Sharma Fri, 12/02/2011 - 21:51

Good catch Scott. Thanks for helping Cisco Partners. 

Vinay Sharma

Community Manager - Wireless

Gustavo Adolfo ... Fri, 12/20/2013 - 14:59

I'm moving from controller A to controller B with the same version of software, and none of the APs join my new controller. I'm getting the same debug outputs as in this original post.
Do I have to clear the private config too?

d.ordonez Fri, 12/20/2013 - 15:02

The problem in the original post is that the WLC's date was incorrect. In your case, is the date correct? Is your new WLC on the same network segment as the original one?

Posted December 2, 2011 at 12:02 PM