I have just set up a vWLC for lab purposes and it's up and running. I have a few used 1131 LAPs that try to join the AP but I just get DTLS certificate errors like these:
*Sep 14 13:25:27.229: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Sep 14 13:25:27.258: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Sep 14 13:25:36.198: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Sep 14 13:26:41.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.105 peer_port: 5246
*Sep 14 13:26:41.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Sep 14 13:26:41.019: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Sep 14 13:26:41.020: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Sep 14 13:26:41.020: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:333 Certificate verified failed!
*Sep 14 13:26:41.020: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.1.105
*Sep 14 13:26:41.020: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.1.105:5246
*Sep 14 13:26:41.021: %DTLS-3-BAD_RECORD: Erroneous record received from 192.168.1.105: Malformed Certificate
*Sep 14 13:26:41.021: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.105:5246
*Sep 14 13:27:46.000: %CAPWAP-3-ERRORLOG: Go join a capwap controller
The WLC says in the log:
*spamApTask7: Sep 14 13:18:34.485: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake with peer 192.168.1.207
*spamApTask7: Sep 14 13:17:29.502: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake with peer 192.168.1.207
These APs (I have tried 2 so far) have earlier been in use connected to a cluster of 5508s.
Any idea how I should troubleshoot or solve this? Thanks in advance!
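As an added example (not code from the thread), a small Python parser that reads both the AP-side and WLC-side syslog formats shown above, counts the certificate-related DTLS failures per peer IP, and reports which side rejected whom; the sample lines and the mnemonic set are constructed from the messages quoted in the post and are assumptions, not a Cisco-documented list.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the AP-side and WLC-side syslog excerpts in the thread.
SAMPLE_LOG = """
*Sep 14 13:26:41.019: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Sep 14 13:26:41.020: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.1.105
*Sep 14 13:26:41.021: %DTLS-3-BAD_RECORD: Erroneous record received from 192.168.1.105: Malformed Certificate
*spamApTask7: Sep 14 13:17:29.502: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake with peer 192.168.1.207
*spamApTask7: Sep 14 13:18:34.485: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake with peer 192.168.1.207
""".strip().splitlines()

# Mnemonics meaning the CAPWAP DTLS handshake died on certificate checks, not reachability (assumed set).
CERT_FAILURE_MNEMONICS = {"DTLS-4-BAD_CERT", "DTLS-3-BAD_RECORD", "DTLS-3-HANDSHAKE_FAILURE"}

# One pattern for both formats: WLC lines carry "*taskName: " and "#" before the mnemonic, AP lines use "%".
LINE_RE = re.compile(
    r"^\*(?:(?P<task>\w+): )?"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+): "
    r"(?:[%#](?P<mnemonic>[A-Z0-9]+-\d-[A-Z_]+): )?"
    r"(?P<text>.*)$"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_line(line):
    """Return ts/source/mnemonic/peer/text for one syslog line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip = IP_RE.search(m.group("text"))
    return {"ts": m.group("ts"), "source": "wlc" if m.group("task") else "ap",
            "mnemonic": m.group("mnemonic"), "peer": ip.group(1) if ip else None,
            "text": m.group("text")}

def cert_failures_by_peer(lines):
    """Count certificate-related failures per peer IP, keyed by (logging side, mnemonic)."""
    counts = defaultdict(Counter)
    for rec in filter(None, map(parse_line, lines)):
        if rec["mnemonic"] in CERT_FAILURE_MNEMONICS and rec["peer"]:
            counts[rec["peer"]][(rec["source"], rec["mnemonic"])] += 1
    return counts

def diagnose(lines):
    """Per peer: the AP rejected the controller's cert, or the WLC only saw the handshake die."""
    verdicts = {}
    for peer, counts in cert_failures_by_peer(lines).items():
        sides = {side for side, _ in counts}
        verdicts[peer] = "ap-rejects-controller-cert" if "ap" in sides else "handshake-failed-at-wlc"
    return verdicts
```

When the AP side logs BAD_CERT against the controller's address while the WLC side only logs HANDSHAKE_FAILURE for the AP's address, the problem is trust of the controller's certificate on the AP, not the network path between them.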
I encountered the same issue recently while setting up a lab using a vWLC with 188.8.131.52 code and some 3502i APs. The info in this article was a great help and pointed me in the right direction. The code on my 3502i's was 184.108.40.206 and obviously had issues with the certs connecting to the vWLC.
I downloaded the latest recovery image for the 3502i - ap3g1-rcvk9w8-tar.153-3.JBB6.tar and used the following procedure below to TFTP the file to the AP:
Unplugged the power to the AP, held down the reset button while plugging in the power to the AP, kept holding in the reset button until the AP LED went solid Red color, then let go.
Then set up my laptop for a static IP of 10.0.0.2, SN of 255.0.0.0 and no GW.
Launched Tftpd32 and selected the folder that contained the recovery image file.
Used PuTTY to console into the AP via serial cable, entered the following commands on the AP:
set IP_ADDR 10.0.0.9
set NETMASK 255.0.0.0
set DEFAULT_ROUTER 10.0.0.15
tar -xtract tftp://10.0.0.2/ap3g1-rcvk9w8-tar.153-3.JBB6.tar flash:
set BOOT flash:/ap3g1-rcvk9w8-mx/ap3g1-rcvk9w8-mx
Once the AP downloaded the new recovery file and booted, it joined my vWLC and downloaded the 220.127.116.11 code, registered and was ready to go.
The other issue that I encountered pertained to the Eval AP Base License. I had forgotten to accept the EULA for the eval license, so no APs were able to join until I did that step too.
Hope this helps someone.
Here are the links to the Cisco articles for the aforementioned procedures:
Special thanks to Peter Nugent and Scott Fella for the great support they offer on the Cisco Support Forums. Much appreciated guys!