New Member

Migrate from WLC to Virtual WLC

Good day!

I am trying to migrate from WLC2112 to vWLC, but none of my APs can connect to the vWLC:

AIR-LAP1242G-E-K9

AIR-LAP1131AG-E-K9

AIR-LAP1131G-E-K9

AIR-LAP1041N-E-K9  

AIR-LAP1262N-R-K9

Log from the 1131AG (I think the other APs have the same logs):

*Jan 29 12:57:17.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.10.10 peer_port: 5246

*Jan 29 12:57:17.016: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed

*Jan 29 12:57:17.017: %CAPWAP-3-ERRORLOG: Certificate verification failed!

*Jan 29 12:57:17.017: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:352 Certificate verified failed!

*Jan 29 12:57:17.017: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 10.10.10.10

*Jan 29 12:57:17.017: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.10.10.10:5246

*Jan 29 12:57:17.017: %DTLS-3-BAD_RECORD: Erroneous record received from 10.10.10.10: Malformed Certificate

*Jan 29 12:57:17.018: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.10.10:5246

*Jan 29 12:57:17.018: CAPWAP_DETAIL: Dtls Event = 38 Capwap State = 3.

*Jan 29 12:57:17.018: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

Log from vWLC:

spamApTask6: Jan 29 20:37:33.422: sshpmGetCertFromCID: comparing to row 2, certname >cscoDefaultIdCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: called to evaluate <cscoDefaultIdCert>

*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetSshPrivateKeyFromCID: called to get key for CID 1c1639ba

*spamApTask6: Jan 29 20:37:33.422: sshpmGetSshPrivateKeyFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetSshPrivateKeyFromCID: comparing to row 1, certname >bsnDefaultIdCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetSshPrivateKeyFromCID: comparing to row 2, certname >cscoDefaultIdCert<

*spamApTask6: Jan 29 20:37:33.422: sshpmGetSshPrivateKeyFromCID: match in row 2

*spamApTask6: Jan 29 20:37:33.433: ab:cd:ef:12:34:56 DTLS connection was closed

*spamApTask6: Jan 29 20:37:33.433: ab:cd:ef:12:34:56 Discarding non-ClientHello Handshake OR DTLS encrypted packet from  10.10.10.11:32152)since DTLS session is not established

As possible solutions I found:

1) Disable SSC Hash Validation - did not work

2) Synchronize time on vWLC and APs - did not work

Anyone have any ideas? Thanks in advance!
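
An added example, not part of the original post: a small triage script for AP-side logs in the format quoted above. It groups lines per DTLS attempt and reports whether the AP itself sent the fatal "Bad certificate" alert, which shows that the AP rejected the controller's certificate rather than the reverse. The function name and the second peer (10.10.10.20) are assumptions made for illustration.

```python
import re

# Constructed sample: the first attempt reuses lines from the AP log in the
# post above; the second attempt (peer 10.10.10.20) is invented for contrast.
SAMPLE_AP_LOG = """\
*Jan 29 12:57:17.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.10.10 peer_port: 5246
*Jan 29 12:57:17.016: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Jan 29 12:57:17.017: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 10.10.10.10
*Jan 29 12:57:17.017: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.10.10.10:5246
*Jan 29 12:58:20.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.10.20 peer_port: 5246
"""

# "*<timestamp>: %FACILITY-SEVERITY-MNEMONIC: message"
LINE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d+ [\d:.]+): %(?P<fac>[A-Z]+)-(?P<sev>\d)-(?P<mnem>\w+): (?P<msg>.*)$"
)
IP = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def triage(log_text):
    """Return one dict per DTLS attempt: peer, start time, events, verdict."""
    attempts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and non-syslog debug lines are skipped
        mnem, msg = m["mnem"], m["msg"]
        ip = IP.search(msg)
        if mnem == "DTLSREQSEND" and ip:
            attempts.append({"peer": ip.group(1), "started": m["ts"], "events": []})
        elif attempts and mnem in ("BAD_CERT", "SEND_ALERT", "BAD_RECORD"):
            cur = attempts[-1]
            if ip and ip.group(1) == cur["peer"]:  # only events naming this peer
                cur["events"].append((mnem, msg))
    for a in attempts:
        bad_cert = any(e == "BAD_CERT" for e, _ in a["events"])
        ap_alert = any(e == "SEND_ALERT" and "bad certificate" in t.lower()
                       for e, t in a["events"])
        if bad_cert and ap_alert:
            a["verdict"] = "AP rejected the controller's certificate"
        elif a["events"]:
            a["verdict"] = "DTLS error without a certificate rejection"
        else:
            a["verdict"] = "no DTLS error logged"
    return attempts


if __name__ == "__main__":
    for attempt in triage(SAMPLE_AP_LOG):
        print(attempt["started"], attempt["peer"], "->", attempt["verdict"])
```
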


12 REPLIES
Hall of Fame Super Silver

Re: Migrate from WLC to Virtual WLC

Do you have any other checkbox enabled on the vWLC AP policy? It does seem the time is off but you have checked that already. The 1262 is what I would test with first.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Migrate from WLC to Virtual WLC

AP policy:

wlc.PNG

Hall of Fame Super Silver

Re: Migrate from WLC to Virtual WLC

Must be something wrong with your vWLC. You have Promiscuous mode setup on the VM?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Migrate from WLC to Virtual WLC

I found that I need to manually upgrade the APs' software to version 7.3. (Now 7.0.240.0)

Hall of Fame Super Silver

Re: Migrate from WLC to Virtual WLC

Yeah, but there is more to it. You need to also add the hash. If the APs have the v15 RCV image, you wouldn't need the hash.

http://www.cisco.com/en/US/products/ps12723/products_tech_note09186a0080bd2d04.shtml#considerations

Also, I don't know if non-802.11n APs are supported, because it also mentions that in the doc.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Re: Migrate from WLC to Virtual WLC

Here is a support doc also

https://supportforums.cisco.com/docs/DOC-26765

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Migrate from WLC to Virtual WLC

Do you know how to manually upgrade AP software? The AP doesn't have commands for managing the AP file system (like "Copy")...

New Member

Migrate from WLC to Virtual WLC

I solved my problem. Manually upgraded the AP:

https://supportforums.cisco.com/docs/DOC-18268


Hall of Fame Super Silver

Re: Migrate from WLC to Virtual WLC

Glad it worked for you!

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
VIP Purple

Re: Migrate from WLC to Virtual WLC

Apart from this AP registration issue, you have to convert all your APs into FlexConnect mode. vWLC only supports FlexConnect mode APs.

If your AP is in local mode, it will register to a vWLC, but not advertise any SSID. Keep that in mind as well.

HTH

Rasika

**** Pls rate all useful responses ****
