Virtual WLC - Certificate errors

Endorsed Question
Sep 14th, 2012

Hello

I have just set up a vWLC for lab purposes and it's up and running. I have a few used 1131 LAPs that try to join the AP but I just get DTLS certificate errors like these:

*Sep 14 13:25:27.229: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up

*Sep 14 13:25:27.258: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up

*Sep 14 13:25:36.198: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Sep 14 13:26:41.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.105 peer_port: 5246

*Sep 14 13:26:41.001: %CAPWAP-5-CHANGED: CAPWAP changed state to 

*Sep 14 13:26:41.019: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed

*Sep 14 13:26:41.020: %CAPWAP-3-ERRORLOG: Certificate verification failed!

*Sep 14 13:26:41.020: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:333 Certificate verified failed!

*Sep 14 13:26:41.020: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.1.105

*Sep 14 13:26:41.020: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.1.105:5246

*Sep 14 13:26:41.021: %DTLS-3-BAD_RECORD: Erroneous record received from 192.168.1.105: Malformed Certificate

*Sep 14 13:26:41.021: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.105:5246

*Sep 14 13:27:46.000: %CAPWAP-3-ERRORLOG: Go join a capwap controller

The WLC says in the log:

*spamApTask7: Sep 14 13:18:34.485: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake with peer 192.168.1.207

*spamApTask7: Sep 14 13:17:29.502: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake with peer 192.168.1.207

These APs (I have tried 2 so far) have earlier been in use connected to a cluster of 5508s.

Any idea how I should troubleshoot or solve this? Thanks in advance!

Best regards

Jimmy
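
A small triage script for logs like the ones in the opening post, added here as an example and not part of the thread: it groups the AP-side and controller-side DTLS messages by peer IP so that certificate rejections stand out from generic handshake failures. The `summarize` function and the verdict wording are this example's own; the sample lines are copied from the post.

```python
import re
from collections import Counter, defaultdict

# Log lines copied from the post above (AP console first, then the vWLC log).
SAMPLE_LOG = """\
*Sep 14 13:26:41.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.105 peer_port: 5246
*Sep 14 13:26:41.019: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Sep 14 13:26:41.020: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.1.105
*Sep 14 13:26:41.020: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.1.105:5246
*Sep 14 13:26:41.021: %DTLS-3-BAD_RECORD: Erroneous record received from 192.168.1.105: Malformed Certificate
*Sep 14 13:26:41.021: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.105:5246
*spamApTask7: Sep 14 13:18:34.485: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake with peer 192.168.1.207
*spamApTask7: Sep 14 13:17:29.502: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake with peer 192.168.1.207
"""

# FACILITY-SEVERITY-MNEMONIC, prefixed by % (AP) or # (controller).
MSG_RE = re.compile(r"[%#]([A-Z]+)-(\d)-([A-Z_]+): (.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Verdict labels are this example's own wording, not Cisco's.
VERDICTS = {
    "BAD_CERT": "local side rejected the peer's certificate",
    "HANDSHAKE_FAILURE": "DTLS handshake with peer did not complete",
}

def summarize(log_text):
    """Return {peer_ip: {"events": Counter, "verdicts": sorted list}}."""
    peers = defaultdict(lambda: {"events": Counter(), "verdicts": set()})
    for line in log_text.splitlines():
        msg = MSG_RE.search(line)
        if not msg:
            continue
        facility, _severity, mnemonic, text = msg.groups()
        ip = IP_RE.search(text)
        if not ip:
            continue  # e.g. the LWAPP line names no peer
        entry = peers[ip.group(1)]
        entry["events"][f"{facility}-{mnemonic}"] += 1
        if mnemonic in VERDICTS:
            entry["verdicts"].add(VERDICTS[mnemonic])
    return {ip: {"events": e["events"], "verdicts": sorted(e["verdicts"])}
            for ip, e in peers.items()}

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, dict(info["events"]), info["verdicts"])
```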

Endorsed by Scott Fella
petnugen about 1 year 7 months ago

The latest recovery code will code your AP as 7.3. I set up my vWLC running 3500s. Can't check availability for 1131 as site maintenance going on. The code was dated 30th Aug.

Scott Fella Fri, 09/14/2012 - 07:20

Well the requirement as of right now is the ap needs to have 7.3 code in order for them to join the vWLC. So you would need the APs to join a WLC running 7.3 in order for it to join the vWLC. The vWLC will not push out the ap code like a 2504, 5508, 7500, 8500, or WiSM2.

Sent from Cisco Technical Support iPhone App

jilahbg Fri, 09/14/2012 - 07:45

Oh, I see. Is there a way that I can put a 7.3-code into my APs without having a physical WLC?

/Jimmy

Scott Fella Fri, 09/14/2012 - 08:27

There is no download available for access points. The only available downloads are for the recovery image, but that's not a 7.3 replacement.

Sent from Cisco Technical Support iPhone App

jilahbg Fri, 09/14/2012 - 11:11

So the vWLC is useless unless you have access to an "ordinary" controller also?

Best regards

Jimmy

Scott Fella Fri, 09/14/2012 - 11:18

The vWLC doesn't replace the appliance and it doesn't support features that the appliance supports. So it depends if you're looking for certain features or not.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

petnugen Fri, 09/14/2012 - 18:55

The latest recovery code will code your AP as 7.3. I set up my vWLC running 3500s. Can't check availability for 1131 as site maintenance going on. The code was dated 30th Aug.

Scott Fella Fri, 09/14/2012 - 18:58

Peter,

That is good to know... do you know if this is going to be documented as I don't think it was in the vWLC guide.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

petnugen Fri, 09/14/2012 - 19:01

Not sure Scott

I spoke to a few people as I saw this as a major headache.

Uncertain when all APs will ship with this code but obviously there are people out there wanting to test. I use it as it sits on my VM server. There was talk of a utility etc. but that's the only way I have discovered so far.

Scott Fella Fri, 09/14/2012 - 19:04

Well it's still good news... I had to put a WLC out in the DMZ for my peers to have their APs join in order to test out the vWLC.... that was my easy fix :)

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

petnugen Fri, 09/14/2012 - 19:09

Yeah, they did talk about a WLC with 7.3 on specifically for partners as well, as this was seen as a real shortcoming, but they got the code out in time.

I struggled as I don't have anything physical in my own lab that will run 7.3, just 4400s and 2100. Need to invest in a 2500 soon I think.

vWLC lets me test some of the newer features of ISE now such as COA etc. Still not perfect but whose lab is!!

jilahbg Sat, 09/15/2012 - 13:50

As far as I can see there is no code for 1131 newer than 2008. Looks like I am stuck...

/Jimmy

Sent from Cisco Technical Support iPad App

daviwatk Tue, 10/02/2012 - 22:58

Have you tried loading the Sept. 4 release LWAPP recovery image? c1130-rcvk9w8-tar.124-25e.JAL.tar

You may also need to disable ssc hash validation via the vWLC CLI for the 1130 APs.

>config certificate ssc hash validation disable

dwaters@nowcomm... Sat, 10/20/2012 - 01:33

Hello,

I now have an LAP1131AG (eBay for £60) working on my vWLC without the use of first assigning it to a physical WLC running 7.3 code as everyone keeps mentioning.

My vWLC is running 7.3.101.0

Now the most important bit: the Cisco website mentions under its Latest Releases for my 1130 series AP “12.4.10b-JDA(ED)” (03-Nov-08) THIS IS NOT CORRECT! There is a later version than this named “12.4.25e-JAL(ED)” (04-Sept-12) << this is the one you need!

Download “c1130-rcvk9w8-tar.124-25e.JAL.tar” and upgrade; I didn’t use the Upgrade Tool, admittedly the AP did come preconfigured with an LWAPP image (quite old). I just used the general method of renaming the file to .default, changing your IP address to 10.0.0.2/8 etc and using the MODE button.

Changed the mode to Flexconnect, which I believe is the new H-REAP, and we're off! Serving SSIDs and working without faults :) (I believe I may have played with Certificates also)

I hope this helps everyone and saves them the few hours this cost me :)

P.S. I have some 1200 series, AKA 1200, 1231, 1232, these do not work! However 1240s do :)

Cheers! Dan.

Scott Fella Fri, 09/14/2012 - 19:12

True.... but what is IES... is that replacing ISE:)  just kidding!

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

petnugen Fri, 09/14/2012 - 19:17

LOL it's 0315 here! Didn't realise.

I need to spend more time back in these forums CLN is pretty quiet on the wireless front.

And thanks for endorsing my answer Scott.

Scott Fella Fri, 09/14/2012 - 19:19

No problem... Well hopefully we see you more on the forums!

Sent from Cisco Technical Support iPhone App

Mikael.G@ Sun, 10/07/2012 - 01:53

Could anyone point me in the right direction on how to do a recovery on a 3500i?

I've not been working that much with wireless, but do a lot of work with ISE and need some WLC labbing done

Thanks

Scott Fella Sun, 10/07/2012 - 05:49

First you need to download the rcv image for the AP. Here is a link to how to upload the file.

https://supportforums.cisco.com/docs/DOC-14960

Sent from Cisco Technical Support iPhone App

This Discussion

Posted September 14, 2012 at 6:31 AM