New Member

LAP join the wrong controller

Hello everybody,

I have an issue with my LAP and my two WLCs. I have one WLC in production and another one in test, and I want to associate the LAP with the one in test but I can't, and my LAP joins the WLC in production with these messages on the LAP:

*May 13 13:17:07.999: %CAPWAP-3-ERRORLOG: Selected MWAR 'TESTWLC'(index 0).
*May 13 13:17:07.999: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*May 13 13:16:03.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.30.117.10 peer_port: 5246
*May 13 13:16:03.036: %CAPWAP-3-ERRORLOG: Failed to authorize controller using trust config.
*May 13 13:16:03.036: %CAPWAP-1-SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed.Peer certificate verification failed FFFFFFFF

*May 13 13:16:03.040: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*May 13 13:16:03.040: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:447 Certificate verified failed!
*May 13 13:16:03.040: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 172.30.117.10:5246
*May 13 13:16:03.041: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.30.117.10:5246
*May 13 13:16:03.042: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

 

I have disabled certificate checking, the regulatory domains are the same between WLC and LAP, my LAP (1041) and my WLCs are updated with the good software version, and both WLCs are "Virtual" WLCs.

If you have any idea how to resolve this problem, I will be happy to hear it :)

 

Thanks

 

10 REPLIES
Hall of Fame Super Gold

Is the time accurate on the test WLC?

New Member

Both WLCs are configured with the same NTP server.

But I have an issue with the time. When I configure the time on my LAP, after the first DTLS connection it is two hours "before", and the time is correctly configured on both WLCs with the good timezone. It seems that the LAP needs to be configured with timezone parameters or something like that?

AP4c4e.3557.bb52#clock set 09:50:15 14 May 2014
AP4c4e.3557.bb52#
May 14 09:50:15.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 07:50:10 UTC Wed May 14 2014 to 09:50:15 UTC Wed May 14 2014, configured from console by cisco on console.
AP4c4e.3557.bb52#test capwap restart
restart capwap
AP4c4e.3557.bb52#
May 14 09:50:31.909: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.30.116.254:5246
May 14 09:50:31.966: %WIDS-6-DISABLED: IDS Signature is removed and disabled.
May 14 09:50:31.968: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
May 14 09:50:31.968: bsnInitRcbSlot: slot 1 has NO radio
May 14 09:50:31.994: %CAPWAP-3-ERRORLOG: Binding Config Initialization failed for binding 1

May 14 09:50:32.044: Starting Ethernet promiscuous mode
May 14 09:50:42.055: %CAPWAP-3-ERRORLOG: Selected MWAR 'TESTWLC'(index 0).
May 14 09:50:42.055: %CAPWAP-3-ERRORLOG: Go join a capwap controller
May 14 07:50:26.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.30.117.10 peer_port: 5246
May 14 07:50:26.022: %CAPWAP-3-ERRORLOG: Failed to authorize controller using trust config.
May 14 07:50:26.022: %CAPWAP-1-SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed.Peer certificate verification failed FFFFFFFF

May 14 07:50:26.026: %CAPWAP-3-ERRORLOG: Certificate verification failed!
May 14 07:50:26.026: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:447 Certificate verified failed!

 

Thanks!
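
The symptom described in the post above (the AP clock stepping back about two hours just before the DTLS request, followed by the SSC certificate failure) can be pulled out of AP console output mechanically. This is an added example, not part of the original thread; the `triage` function name, the year and the one-minute threshold are assumptions, and the sample lines are constructed from the log shown above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, shaped like the AP console output in the post (year assumed).
SAMPLE = """\
May 14 09:50:42.055: %CAPWAP-3-ERRORLOG: Go join a capwap controller
May 14 07:50:26.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.30.117.10 peer_port: 5246
May 14 07:50:26.022: %CAPWAP-1-SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed.Peer certificate verification failed FFFFFFFF
May 14 07:50:26.026: %CAPWAP-3-ERRORLOG: Certificate verification failed!
"""

LINE = re.compile(r"^\*?(\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): (.*)$")
PEER = re.compile(r"peer_ip: (\S+) peer_port: (\d+)")

def triage(text, year=2014, skew=timedelta(minutes=1)):
    """Return (clock_jumps, cert_failures) found in AP console output."""
    jumps, failures = [], []
    prev, peer = None, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompts, blank lines, untimestamped output
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
        msg = m.group(2)
        # A timestamp earlier than the previous line means the clock was stepped back.
        if prev and prev - ts > skew:
            jumps.append((prev, ts, prev - ts))
        prev = ts
        p = PEER.search(msg)
        if "DTLSREQSEND" in msg and p:
            peer = p.group(1)  # controller the AP is handshaking with
        if "SSC_CERT_AUTH_FAILED" in msg:
            failures.append((ts, peer))
    return jumps, failures

if __name__ == "__main__":
    jumps, failures = triage(SAMPLE)
    for before, after, delta in jumps:
        print(f"clock stepped back {delta} ({before:%H:%M:%S} -> {after:%H:%M:%S})")
    for ts, peer in failures:
        print(f"{ts:%b %d %H:%M:%S} SSC certificate rejected for controller {peer}")
```
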

Silver

It's a certificate error. Are you using the vWLC? (If virtual, the certificate needs to be imported for a new vWLC.) If the time is in sync, then make sure your WLC IOS supports the AP.

**********Do rate helpful posts*****************

Hall of Fame Super Gold

Post the output of the AP command "sh version".

 

What country code is the WLC set to?

VIP Purple

paste the output of these.

from wlc: sh sysinfo

from ap: sh version

 

regards

New Member

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.6.110.0
RTOS Version..................................... 7.6.110.0
Bootloader Version............................... 7.6.110.0
Emergency Image Version.......................... 7.6.110.0

Build Type....................................... DATA + WPS

System Name...................................... TESTWLC
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1631
IP Address....................................... 172.30.117.10
System Up Time................................... 1 days 15 hrs 40 mins 5 secs
System Timezone Location......................... (GMT +1:00) Amsterdam, Berlin, Rome, Vienna
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180

Configured Country............................... LU  - Luxembourg


State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 1
Number of Active Clients......................... 0

Burned-in MAC Address............................ 00:50:56:94:0E:12
Maximum number of APs supported.................. 200

 

TESTLAP#sh version
Cisco IOS Software, C1600 Software (AP1G2-K9W8-M), Version 15.2(2)JB, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 11-Dec-12 04:45 by prod_rel_team

ROM: Bootstrap program is C1600 boot loader
BOOTLDR: C1600 Boot Loader (AP1G2-BOOT-M) LoaderVersion 15.2(2)JAX, RELEASE SOFTWARE (fc1)

TESTLAP uptime is 15 hours, 36 minutes
System returned to ROM by power-on
System image file is "flash:/ap1g2-k9w8-mx.152-2.JB/ap1g2-k9w8-mx.152-2.JB"
Last reload reason:

 

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-CAP1602I-E-K9    (PowerPC) processor (revision B0) with 98294K/32768K bytes of memory.
Processor board ID FGL1807S09R
PowerPC CPU at 533Mhz, revision number 0x2151
Last reset from power-on
LWAPP image version 7.4.100.0
1 Gigabit Ethernet interface
2 802.11 Radios

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 18:E7:28:1A:3B:1B
Part Number                          : 73-14671-04
PCA Assembly Number                  : 000-00000-00
PCA Revision Number                  :
PCB Serial Number                    : FOC18045ZD1
Top Assembly Part Number             : 800-38552-01
Top Assembly Serial Number           : FGL1807S09R
Top Revision Number                  : A0
Product/Model Number                 : AIR-CAP1602I-E-K9

 

Configuration register is 0xF

 

As you can see, I use the LU country code. Maybe it can be a mismatch between the WLC version and the LAP version?

Thanks.

Hall of Fame Super Gold

Ok, you got me stumped.  Never seen this before. 

 

Has this particular AP joined this WLC before?  Can the WLC ping the management IP address of the WLC?

New Member

Yes, it was already associated with the test WLC before. The "join issue" happened after a WLC (Test) reboot; the AP joined the second WLC (Production) during this operation and I don't know why it has not come back to the test WLC.

From the AP, I can ping the management interface of the WLC.

Hall of Fame Super Gold

From the AP, I can ping the management interface of the WLC.

Console into the AP and run the command "dir".  There should be two IOS file directories.  The first has the "RCV" in the filename.  The second file is the full IOS handed down by the WLC.  Delete the second directory using the command "del /f /r flash:<IOS Directory>".  

 

Next, run this command "clear capwap private" and reboot the AP.  Once the AP boots up and gets a valid IP address, enter the final command "capwap ap controller IP address <Management IP address of the TEST WLC>".

Bronze

Hi,

It seems to be a certificate issue.

Remove all the running-config from the AP and then freshly join the AP with the primary controller and check it.
