Field Notice: FN - 62379 - Wireless LAN Controller Network Module does not Authenticate with Cisco/Airespace Access Points - Hardware Upgrade
Wireless LAN Controller Network Modules NM-AIR-WLC6-K9 and NM-AIR-WLC6-K9= were shipped with incorrect certificates, causing the WLCNM to not be authenticated by Cisco/Airespace Access Points. Wireless LAN Controller Network Modules shipped between February 1, 2006 and March 22, 2006 are affected. A manufacturing process failure did not copy the correct certificates to WLCNM devices. The incorrect certificate creates an RSA key mismatch, which causes LWAPP-based Access Points to fail to join/associate/register to WLCNM.
On March 20, 2006, a bug was logged indicating that Access Points were not authenticating to NM-AIR-WLC6-K9 or NM-AIR-WLC6-K9= network modules. It was found that an RSA key mismatch causes LWAPP-based Access Points to fail to join/associate/register to WLCNM. The cause of the incorrect certificate was related to a manufacturing process failure which prevented copying of the correct certificate to WLCNM devices. The manufacturing anomaly has since been corrected and Wireless LAN Controller Network Modules produced as of March 23, 2006 should no longer experience this problem.
The access point console log shows that it is unable to decode the JOIN response:
LWAPP_CLIENT_ERROR_DEBUG: peer RSA public key decrypt failed
LWAPP_CLIENT_ERROR_DEBUG: spamDecodeJoinReply :
sessionId 0x7E7F8081 does not match sent 0xDD2439D8
LWAPP_CLIENT_ERROR_DEBUG: Unable to decode join reply
LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not recieve the Join response
LWAPP_CLIENT_ERROR_DEBUG: No more AP manager IP addresses remain.
%SYS-5-RELOAD: Reload requested by LWAPP CLIENT.
Reload Reason: DID NOT GET JOIN RESPONSE.
%LWAPP-5-CHANGED: LWAPP changed state to DOWN
Replace the affected hardware using the Upgrade Form at the bottom of this field notice. Products manufactured as of approximately March 23, 2006 are guaranteed to be free of this problem. To ensure that an RMA replacement is not affected by this problem, use the Upgrade Form below.
This upgrade program is scheduled to expire on March 31, 2007. After the upgrade program expires, customers may only replace product that has actually failed. Replacements for failed products will be handled through the standard RMA process.
Replacements fulfilled through this upgrade process typically take three business days or more to arrive on-site. Therefore, service level agreements do not apply to replacements obtained using the upgrade form.
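The console signature quoted in this notice can be searched for across captured AP console logs. The Python sketch below is an added example, not part of the field notice or of any Cisco tool; the function names are hypothetical and the sample log is the excerpt shown above.

```python
import re

# Sample input: the AP console excerpt quoted in this field notice.
SAMPLE_LOG = """\
LWAPP_CLIENT_ERROR_DEBUG: peer RSA public key decrypt failed
LWAPP_CLIENT_ERROR_DEBUG: spamDecodeJoinReply :
sessionId 0x7E7F8081 does not match sent 0xDD2439D8
LWAPP_CLIENT_ERROR_DEBUG: Unable to decode join reply
LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not recieve the Join response
LWAPP_CLIENT_ERROR_DEBUG: No more AP manager IP addresses remain.
%SYS-5-RELOAD: Reload requested by LWAPP CLIENT.
Reload Reason: DID NOT GET JOIN RESPONSE.
%LWAPP-5-CHANGED: LWAPP changed state to DOWN
"""

# The session ID line is printed on its own line after spamDecodeJoinReply.
SESSION_RE = re.compile(
    r"sessionId (0x[0-9A-Fa-f]+) does not match sent (0x[0-9A-Fa-f]+)")

def find_join_failures(text):
    """Return one dict per join attempt that failed at RSA decrypt."""
    failures, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if "peer RSA public key decrypt failed" in line:
            # A new failed attempt starts with the RSA decrypt error.
            current = {"got": None, "sent": None, "reloaded": False}
            failures.append(current)
            continue
        if current is None:
            continue  # ignore lines outside a failed attempt
        m = SESSION_RE.search(line)
        if m:
            current["got"], current["sent"] = m.group(1), m.group(2)
        elif "Reload Reason: DID NOT GET JOIN RESPONSE" in line:
            current["reloaded"] = True
            current = None  # the AP reloads, so the attempt ends here
    return failures

def matches_key_mismatch_signature(failure):
    """True when the attempt shows the full pattern from the notice:
    RSA decrypt failure, garbled session ID, then a reload."""
    return bool(failure["got"] and failure["got"] != failure["sent"]
                and failure["reloaded"])

if __name__ == "__main__":
    for f in find_join_failures(SAMPLE_LOG):
        print(f, "signature match:", matches_key_mismatch_signature(f))
```

A match shows only that the AP logged this join failure pattern; whether a module is covered by the notice still depends on its model and ship date.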
Just curious: this log shows a date of Mar 1 @ 00:00:05. Was this the actual time and date of the attempt? I'm running out of ideas here, but I do know that the time and date are very important:
The WLC time should be synchronized with the machine that hosts the upgrade utility. The upgrade utility configures the access point to generate a self-signed certificate with a validity interval, beginning with the machine time of the utility host or a time specified at run-time. If the WLC time is outside the validity interval of the SSC, the access point cannot join the controller. To configure the WLC time, use the WLC web-interface found by choosing Commands > Set Time.