Cisco Support Community

New Member

Problems with AP joining vWLC

I am working with a vWLC on 7.4 code with a 3500i AP on 12.4(23c)JA code. The AP is not joining the controller automatically; here is the output from the AP during a join failure:


*Jul 15 09:57:58.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.2.98.225 peer_port: 5246

*Jul 15 09:57:59.000: %CAPWAP-5-CHANGED: CAPWAP changed state to

*Jul 15 09:57:59.016: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed

*Jul 15 09:57:59.016: %CAPWAP-3-ERRORLOG: Certificate verification failed!

*Jul 15 09:57:59.016: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:333 Certificate verified failed!

*Jul 15 09:57:59.016: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 10.2.98.225

*Jul 15 09:57:59.016: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.2.98.225:5246

*Jul 15 09:57:59.016: %DTLS-3-BAD_RECORD: Erroneous record received from 10.2.98.225: Malformed Certificate

*Jul 15 09:57:59.016: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.2.98.225:5246

*Jul 15 09:57:59.016: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

*Jul 15 09:58:18.881: %CDP_PD-2-POWER_LOW: All radios disabled - NON_CISCO-NO_CDP_RECEIVED  (0000.0000.0000)

From my research about this issue, I should be able to do "debug pm pki enable" and get the SSC key hash and join the AP manually to the controller. When I do the debug I do not see the SSC key hash; I only see:

(Cisco Controller) >*sshpmLscTask: Jul 15 09:46:08.268: sshpmLscTask: LSC Task received a message 4

*spamApTask1: Jul 15 09:57:58.190: 50:3d:e5:f0:dc:f1 Discovery Request from 10.2.98.3:3536

*spamApTask1: Jul 15 09:57:58.190: 50:3d:e5:f0:dc:f1 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 200, joined Aps =0

*spamApTask1: Jul 15 09:57:58.190: 50:3d:e5:f0:dc:f1 Discovery Response sent to 10.2.98.3:3536

*spamApTask1: Jul 15 09:57:58.190: 50:3d:e5:f0:dc:f1 Discovery Response sent to 10.2.98.3:3536

*spamApTask1: Jul 15 09:58:09.121: 50:3d:e5:f0:dc:f1 DTLS connection not found, creating new connection for 10:2:98:3 (3536) 10:2:98:225 (5246)

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCID: called to evaluate <cscoDefaultIdCert>

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCertFromCID: called to get cert for CID 1234873a

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultIdCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCertFromCID: comparing to row 2, certname >cscoDefaultIdCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCID: called to evaluate <cscoDefaultIdCert>

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetSshPrivateKeyFromCID: called to get key for CID 1234873a

*spamApTask1: Jul 15 09:58:09.121: sshpmGetSshPrivateKeyFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetSshPrivateKeyFromCID: comparing to row 1, certname >bsnDefaultIdCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetSshPrivateKeyFromCID: comparing to row 2, certname >cscoDefaultIdCert<

*spamApTask1: Jul 15 09:58:09.121: sshpmGetSshPrivateKeyFromCID: match in row 2

*spamApTask3: Jul 15 09:58:09.139: 50:3d:e5:f0:dc:f1 DTLS connection closed event receivedserver (10:2:98:225/5246) client (10:2:98:3/3536)

*spamApTask3: Jul 15 09:58:09.139: 50:3d:e5:f0:dc:f1 No entry exists for AP (10:2:98:3/3536)

*spamApTask3: Jul 15 09:58:09.139: 50:3d:e5:f0:dc:f1 No AP entry exist in temporary database for 10.2.98.3:3536

What else can I try to get this AP to join the controller?

Thank you.
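
Added example (not part of the original post): a small Python triage helper for AP console output like the lines above. It parses the IOS "%FACILITY-SEVERITY-MNEMONIC" message format and groups DTLS messages per peer so a rejected controller certificate stands out; the function names are hypothetical and the sample lines are copied from the post.

```python
import re
from collections import defaultdict

# AP console lines copied from the post above (IOS syslog format).
SAMPLE_AP_LOG = """\
*Jul 15 09:57:58.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.2.98.225 peer_port: 5246
*Jul 15 09:57:59.016: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Jul 15 09:57:59.016: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:333 Certificate verified failed!
*Jul 15 09:57:59.016: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 10.2.98.225
*Jul 15 09:57:59.016: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.2.98.225:5246
*Jul 15 09:57:59.016: %DTLS-3-BAD_RECORD: Erroneous record received from 10.2.98.225: Malformed Certificate
*Jul 15 09:57:59.016: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.2.98.225:5246
*Jul 15 09:58:18.881: %CDP_PD-2-POWER_LOW: All radios disabled - NON_CISCO-NO_CDP_RECEIVED  (0000.0000.0000)
"""

# "*Mon DD HH:MM:SS.mmm: %FACILITY-SEVERITY-MNEMONIC: text"
LINE_RE = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d+ [\d:.]+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse(log_text):
    """Yield one dict per well-formed IOS syslog line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["severity"] = int(event["severity"])
            yield event

def dtls_cert_failures(log_text):
    """Group DTLS messages by peer IP; flag peers whose certificate was rejected."""
    peers = defaultdict(lambda: {"rejected": False, "mnemonics": [], "first_seen": None})
    for ev in parse(log_text):
        ip = IP_RE.search(ev["text"])
        if ev["facility"] != "DTLS" or not ip:
            continue
        entry = peers[ip.group(1)]
        entry["mnemonics"].append(ev["mnemonic"])
        entry["first_seen"] = entry["first_seen"] or ev["ts"]
        if ev["mnemonic"] == "BAD_CERT":
            entry["rejected"] = True
    return dict(peers)

if __name__ == "__main__":
    print(dtls_cert_failures(SAMPLE_AP_LOG))
```
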


6 REPLIES

Problems with AP joining vWLC

Hello.

One question: is the MIC enabled?

New Member

Problems with AP joining vWLC

The MIC on the AP itself or MIC authentication on the WLC? I haven't done anything special with the MIC.

Problems with AP joining vWLC

On the WLC. You can try adding the MAC address of the AP to the WLC and check if MIC is enabled.

Bronze

Re: Problems with AP joining vWLC

Better to first let the AP join a physical-box WLC:

https://supportforums.cisco.com/docs/DOC-26765

Or try "configure certificate ssc hash validation disable" on the WLC first.



New Member

Problems with AP joining vWLC

"configure certificate ssc hash validation disable" didn't help; same problems.

I tried to add the AP by its MAC and MIC to the authorized APs list, but it just tells me "50:3d:e5:f0:dc:f1 No AP entry exist in temporary database for 10.2.98.3:3536".

The SSC key hash still doesn't show in the debug output. What else can I try?

Hall of Fame Super Gold

Problems with AP joining vWLC

Hi John,

Can you please post the command outputs to the following:

1.  vWLC:  sh sysinfo;

2.  vWLC:  sh time;

3.  AP:  sh ip interface brief;

4.  AP:  sh version; and

5.  AP:  sh inventory
