Cisco Support Community
Community Member

AIR-LAP-1131AG not joining NM-AIR-WLC6-K9

Hi,

We have a LAP 1131AG that's not joining a WLC module. It looks like some DTLS certificate issue to me, but I'm unable to resolve it. Here are some debug messages.

Debug messages on LAP:

*Nov 15 09:55:44.000: CAPWAP_INFO: CAPWAP control packet sent to 192.168.99.25
*Nov 15 09:55:44.001: CAPWAP_INFO: DTLS connection created sucessfully local_ip: 192.168.100.108 local_port: 64898 peer_ip: 192.168.99.25 peer_port: 5246
*Nov 15 09:55:44.001: %CAPWAP-3-EVENTLOG: CAPWAP State: DTLS Setup.
*Nov 15 09:55:44.001: %CAPWAP-5-CHANGED: CAPWAP changed state to 
*Nov 15 09:55:44.019: CAPWAP_INFO: Rx DTLS encrypted CAPWAP packet from 192.168.99.25
*Nov 15 09:55:44.019: CAPWAP_INFO: Pkt recieved dst_ip: 192.168.100.108 dst_port: 64898 src_ip: 192.168.99.25 src_port: 5246
*Nov 15 09:55:44.019: DTLS_CLIENT_EVENT: dtls_process_HelloVerifyRequest: Processing...
*Nov 15 09:55:44.021: CAPWAP_INFO: CAPWAP control packet sent to 192.168.99.25
*Nov 15 09:55:44.021: CAPWAP_INFO: Packet processed by DTLS successfully
*Nov 15 09:55:44.023: CAPWAP_INFO: Rx DTLS encrypted CAPWAP packet from 192.168.99.25
*Nov 15 09:55:44.023: CAPWAP_INFO: Pkt recieved dst_ip: 192.168.100.108 dst_port: 64898 src_ip: 192.168.99.25 src_port: 5246
*Nov 15 09:55:44.023: DTLS_CLIENT_EVENT: dtls_process_ServerHello: Processing...
*Nov 15 09:55:44.023: DTLS_CLIENT_EVENT: dtls_connection_set_cipher: Setting cipher to TLS_RSA_WITH_AES_128_CBC_SHA
*Nov 15 09:55:44.024: CAPWAP_INFO: Packet processed by DTLS successfully
*Nov 15 09:55:44.024: CAPWAP_INFO: Rx DTLS encrypted CAPWAP packet from 192.168.99.25
*Nov 15 09:55:44.024: CAPWAP_INFO: Pkt recieved dst_ip: 192.168.100.108 dst_port: 64898 src_ip: 192.168.99.25 src_port: 5246
*Nov 15 09:55:44.025: CAPWAP_INFO: Packet processed by DTLS successfully
*Nov 15 09:55:44.025: CAPWAP_INFO: Rx DTLS encrypted CAPWAP packet from 192.168.99.25
*Nov 15 09:55:44.025: CAPWAP_INFO: Pkt recieved dst_ip: 192.168.100.108 dst_port: 64898 src_ip: 192.168.99.25 src_port: 5246
*Nov 15 09:55:44.025: DTLS_CLIENT_EVENT: dtls_process_Certificate: Processing...
*Nov 15 09:55:44.058: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:326 Certificate verified failed!
*Nov 15 09:55:44.059: DTLS_CLIENT_EVENT: dtls_send_Alert: Sending FATAL : Bad certificate Alert
*Nov 15 09:55:44.059: CAPWAP_INFO: CAPWAP control packet sent to 192.168.99.25
*Nov 15 09:55:44.059: DTLS_CLIENT_EVENT: dtls_client_process_record: Error processing Certificate.
*Nov 15 09:55:44.059: DTLS_CLIENT_EVENT: dtls_send_Alert: Sending WARNING : Close notify Alert
*Nov 15 09:55:44.060: CAPWAP_INFO: CAPWAP control packet sent to 192.168.99.25
*Nov 15 09:55:44.060: DTLS_CLIENT_EVENT: wtpDtlsCallback: DTLS-Ctrl Connection 0x00F0F818 closed
*Nov 15 09:55:44.060: DTLS_CLIENT_EVENT: dtls_free_connection: Done... for connection 0x00F0F818
*Nov 15 09:55:44.060: CAPWAP_INFO: Received packet caused DTLS to close connection
*Nov 15 09:55:44.060: DTLS_CLIENT_EVENT: sendPacketToDtls: Connection closed.
*Nov 15 09:55:44.061: CAPWAP_INFO: Capwap DTLS Msg.
*Nov 15 09:55:44.061: CAPWAP_DETAIL: Dtls Event = 38 Capwap State = 3.

Debug messages on the WLC module:

*Nov 15 09:55:54.821: openssl_dtls_connection_find_using_link_info: DTLS connection found! Acquiring lock for 0xa003020
*Nov 15 09:55:54.821: openssl_dtls_process_packet: Called... for connection 0xa003020
*Nov 15 09:55:54.821: local_openssl_dtls_record_inspect: record=Alert epoch=0 seq=2
*Nov 15 09:55:54.821: openssl_shim_info_callback: SSL state = 0x2180; where = 0x4004; ret = 0x22a
*Nov 15 09:55:54.821: openssl_shim_info_callback: ret_type_string=fatal
*Nov 15 09:55:54.821: openssl_shim_info_callback: ret_desc_string=bad certificate
*Nov 15 09:55:54.821: openssl_shim_info_callback: SSL_state_string=SSLv3 read client certificate A
*Nov 15 09:55:54.821: openssl_shim_info_callback: SSL state = 0x2180; where = 0x2002; ret = 0x0
*Nov 15 09:55:54.821: openssl_shim_info_callback: ret_type_string=unknown
*Nov 15 09:55:54.821: openssl_shim_info_callback: ret_desc_string=close notify
*Nov 15 09:55:54.821: openssl_shim_info_callback: SSL_state_string=SSLv3 read client certificate A
*Nov 15 09:55:54.821: openssl_dtls.c 615: SSL_do_handshake: SSL_ERROR_SSL while communicating with 192.168.100.108 : sslv3 alert bad certificate
*Nov 15 09:55:54.821: openssl_dtls_disconnect_detailed:  Requested by openssl_dtls_process_packet
*Nov 15 09:55:54.821: openssl_dtls_disconnect_detailed:          in openssl_dtls.c:623
*Nov 15 09:55:54.821: dtls_conn_hash_delete: Deleting hash for Local 192.168.99.25:5246  Peer 192.168.100.108:64898

*Nov 15 09:55:54.821: local_openssl_dtls_connection_free: Called...
*Nov 15 09:55:54.821: local_openssl_dtls_connection_free: Shutdown completed
*Nov 15 09:55:54.821: local_openssl_dtls_send: No data to send
*Nov 15 09:55:54.821: DTLS connection 0xa003020 closed by controller
*Nov 15 09:55:54.821: acDtlsCallback: DTLS Connection 0xa003020 closed by controller
*Nov 15 09:55:54.821: dtls_timer_stop: Called...
*Nov 15 09:55:54.821: DTLS connection was closed
*Nov 15 09:55:54.822: openssl_dtls_connection_release: Releaseing lock for 0xa003020
*Nov 15 09:55:54.822: CAPWAP DTLS connection closed msg

*Nov 15 09:55:54.822: DTLS connection closed event receivedserver (192:168:99:25/5246) client (192:168:100:108/64898)
*Nov 15 09:55:54.822: openssl_dtls_connection_find_using_link_info: DTLS connection find by 0x81c864f with Local 192.168.99.25:5247  Peer 192.168.100.108

*Nov 15 09:55:54.822: dtls_conn_hash_search: Connection not found in hash table - Table empty.
*Nov 15 09:55:54.822: DTLS Connection not found for 192:168:100:108:64898

Any help in this regard would be greatly appreciated.

Thanks,

Divya

2 REPLIES
Cisco Employee

Re: AIR-LAP-1131AG not joining NM-AIR-WLC6-K9

Hi,

I have seen this when the WLC is not synched with the real time, which makes the certificate look invalid. (I see Nov 15 on the debugs...)

Setting up the correct time on the AP and WLC manually or via NTP is advised.

If the same problem remains after the WLC and AP are time-synched, I would connect again to the AP via console and enable the following debugs:

debug capwap client error

debug capwap client event

debug lwapp client error

debug lwapp client event

debug dtls client error

debug dtls client event

on the WLC:

debug mac address

debug capwap errors enable

debug capwap events enable

debug dtls all enable

debug pm pki enable

HTH,
Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
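The reply's point is that a DTLS peer rejects a certificate whose notBefore/notAfter window does not contain the device's current clock, and that IOS debug timestamps carry no year, so an unsynced clock is easy to miss. The following is an added example (not code from the thread or from Cisco) that scans AP debug output for the "Certificate verified failed!" line and compares the device's believed time against a constructed validity window; the certificate dates, the assumed device year and the function names are all assumptions.

```python
import re
from datetime import datetime, timezone

# Hypothetical validity window of the controller's device certificate (constructed values).
CERT_NOT_BEFORE = datetime(2009, 1, 1, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2019, 1, 1, tzinfo=timezone.utc)

# Constructed AP debug excerpt in the same format the AP prints in the thread above.
AP_DEBUG = """\
*Nov 15 09:55:44.025: DTLS_CLIENT_EVENT: dtls_process_Certificate: Processing...
*Nov 15 09:55:44.058: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:326 Certificate verified failed!
*Nov 15 09:55:44.059: DTLS_CLIENT_EVENT: dtls_send_Alert: Sending FATAL : Bad certificate Alert
"""

# IOS timestamp: "*Mon DD HH:MM:SS.mmm: message" (no year field).
TS_RE = re.compile(r"^\*(\w{3}) (\d{1,2}) (\d{2}):(\d{2}):(\d{2})\.\d+: (.*)$")

def check_validity_window(now, not_before=CERT_NOT_BEFORE, not_after=CERT_NOT_AFTER):
    """Return None when `now` lies inside the certificate's validity window,
    otherwise a string naming the violated bound (the check a DTLS peer
    applies before it reports a bad certificate)."""
    if now < not_before:
        return "clock before notBefore by %d days" % (not_before - now).days
    if now > not_after:
        return "clock after notAfter by %d days" % (now - not_after).days
    return None

def find_cert_failure(log_text, year):
    """Return the UTC time at which the AP logged a certificate rejection, or
    None. The caller supplies the year the device believes it is, because the
    debug timestamps do not carry one."""
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        mon, day, hh, mm, ss, msg = m.groups()
        if "Certificate verified failed" in msg:
            stamp = "%s %s %s %s:%s:%s" % (year, mon, day, hh, mm, ss)
            return datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return None

def diagnose(log_text, device_year):
    """Combine both checks: a logged rejection plus a device clock outside the
    window points at time sync rather than at the certificate itself."""
    failed_at = find_cert_failure(log_text, device_year)
    if failed_at is None:
        return "no certificate failure in log"
    reason = check_validity_window(failed_at)
    if reason:
        return "certificate rejected; %s -> sync the clock (NTP) first" % reason
    return "certificate rejected inside validity window -> not a clock problem"
```

Run `diagnose(AP_DEBUG, <year shown by "show clock">)` on a captured debug; the notBefore/notAfter values should come from the controller's own certificate rather than the constructed ones above.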

Community Member

AIR-LAP-1131AG not joining NM-AIR-WLC6-K9

Master Yoda, you are most helpful! After a power upgrade, all APs just couldn't join the WLC and showed the above-mentioned messages. I synchronized the time on the WLC, and everything works fine like before!

May the Force be with you!
