Migrate from WLC to Virtual WLC

Yuriy Dyshlevoy
Level 1

Good day!

I am trying to migrate from WLC2112 to vWLC. But none of my APs can connect to vWLC:

AIR-LAP1242G-E-K9

AIR-LAP1131AG-E-K9

AIR-LAP1131G-E-K9

AIR-LAP1041N-E-K9  

AIR-LAP1262N-R-K9

Log from 1131AG (I think the other APs have the same logs):

*Jan 29 12:57:17.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.10.10 peer_port: 5246

*Jan 29 12:57:17.016: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed

*Jan 29 12:57:17.017: %CAPWAP-3-ERRORLOG: Certificate verification failed!

*Jan 29 12:57:17.017: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:352 Certificate verified failed!

*Jan 29 12:57:17.017: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 10.10.10.10

*Jan 29 12:57:17.017: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.10.10.10:5246

*Jan 29 12:57:17.017: %DTLS-3-BAD_RECORD: Erroneous record received from 10.10.10.10: Malformed Certificate

*Jan 29 12:57:17.018: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.10.10:5246

*Jan 29 12:57:17.018: CAPWAP_DETAIL: Dtls Event = 38 Capwap State = 3.

*Jan 29 12:57:17.018: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

Log from vWLC:

spamApTask6: Jan 29 20:37:33.422: sshpmGetCertFromCID: comparing to row 2, certname >cscoDefaultIdCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: called to evaluate <cscoDefaultIdCert>

*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetSshPrivateKeyFromCID: called to get key for CID 1c1639ba

*spamApTask6: Jan 29 20:37:33.422: sshpmGetSshPrivateKeyFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetSshPrivateKeyFromCID: comparing to row 1, certname >bsnDefaultIdCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetSshPrivateKeyFromCID: comparing to row 2, certname >cscoDefaultIdCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetSshPrivateKeyFromCID: match in row 2

*spamApTask6: Jan 29 20:37:33.433: ab:cd:ef:12:34:56 DTLS connection was closed

*spamApTask6: Jan 29 20:37:33.433: ab:cd:ef:12:34:56 Discarding non-ClientHello Handshake OR DTLS encrypted packet from  10.10.10.11:32152)since DTLS session is not established

As a solution I found:

1) Disable SSC Hash Validation - did not work

2) Synchronize time on vWLC and APs - did not work

Anyone have any ideas? Thanks in advance!
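
The AP-side log above can be triaged mechanically. The following is an added example, not part of the original post: it parses lines in the syslog format shown and reports, per controller IP, whether every DTLS connection request ended with the AP failing to verify the controller's certificate. The sample input is constructed from the lines in the post; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: AP-side lines in the format shown in the post.
SAMPLE = """\
*Jan 29 12:57:17.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.10.10 peer_port: 5246
*Jan 29 12:57:17.016: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Jan 29 12:57:17.017: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:352 Certificate verified failed!
*Jan 29 12:57:17.017: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 10.10.10.10
*Jan 29 12:57:17.017: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.10.10.10:5246
*Jan 29 12:57:17.017: %DTLS-3-BAD_RECORD: Erroneous record received from 10.10.10.10: Malformed Certificate
"""

# "*Mon DD HH:MM:SS.mmm: %FACILITY-SEVERITY-MNEMONIC: message"
LINE = re.compile(r"^\*?(?P<ts>\w{3}\s+\d+ [\d:.]+): "
                  r"%(?P<fac>[A-Z]+)-(?P<sev>\d)-(?P<mnem>\w+): (?P<msg>.*)$")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse(text):
    """Yield (timestamp, facility, severity, mnemonic, message); skip other lines."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m["ts"], m["fac"], int(m["sev"]), m["mnem"], m["msg"]

def join_failures(text):
    """Per controller IP: DTLS requests sent and certificate rejections logged."""
    stats = defaultdict(lambda: {"requests": 0, "bad_cert": 0, "first_seen": None})
    for ts, fac, _sev, mnem, msg in parse(text):
        ip = IPV4.search(msg)
        if not ip:
            continue  # line names no peer, nothing to attribute it to
        entry = stats[ip.group(1)]
        entry["first_seen"] = entry["first_seen"] or ts
        if (fac, mnem) == ("CAPWAP", "DTLSREQSEND"):
            entry["requests"] += 1
        elif (fac, mnem) == ("DTLS", "BAD_CERT"):
            entry["bad_cert"] += 1
    return dict(stats)

def verdict(entry):
    """'cert-rejected' when the AP failed to verify the peer on every attempt."""
    if entry["requests"] and entry["bad_cert"] >= entry["requests"]:
        return "cert-rejected"
    return "partial" if entry["bad_cert"] else "ok"

if __name__ == "__main__":
    for peer, entry in join_failures(SAMPLE).items():
        print(peer, verdict(entry), entry)
```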



Scott Fella
Hall of Fame

Do you have any other checkbox enabled on the vWLC AP policy? It does seem the time is off, but you have checked that already. The 1262 is what I would test with first.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

AP policy:

wlc.PNG

Must be something wrong with your vWLC. You have Promiscuous mode setup on the VM?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

I found that I need to manually upgrade the APs' software to version 7.3. (Now 7.0.240.0)

Yeah, but there is more to it. You need to also add the hash. If the APs have the v15 RCV image, you wouldn't need the hash.

http://www.cisco.com/en/US/products/ps12723/products_tech_note09186a0080bd2d04.shtml#considerations

Also, I don't know if non-802.11n APs are supported, because it also mentions that in the doc.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Here is a support doc also

https://supportforums.cisco.com/docs/DOC-26765

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Do you know how to manually upgrade AP software? The AP doesn't have commands for managing the AP file system (like "Copy")...

I solved my problem. Manually upgraded the AP

https://supportforums.cisco.com/docs/DOC-18268


Glad it worked for you!

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Apart from this AP registration issue, you have to convert all your APs into FlexConnect mode. vWLC only supports FlexConnect mode APs.

If your AP is in local mode, it will register to a vWLC, but not advertise any SSID. Keep that in mind as well.

HTH

Rasika

**** Pls rate all useful responses ****
