Cisco Support Community

New Member

WLC Failed to complete DTLS handshake with peer

WLC 5508 running 7.0.98.0

Site was running fine until the WLC had a hardware failure.

A new WLC was shipped out, was running 6.0.99, then manually upgraded to 7.0.98. Clients cannot authenticate, with recurring log messages like this.

*dot1xMsgTask: Feb 23 17:05:03.648: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2914 Max EAP identity request retries (3) exceeded for client 00:21:5c:<snip>
*spamApTask0: Feb 23 17:05:01.926: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:629 Failed to complete DTLS handshake with peer 192.168.214.91

I have tried changing the key on the RADIUS server to no avail. Anybody have any ideas?

5 REPLIES
Cisco Employee

Re: WLC Failed to complete DTLS handshake with peer

DTLS message corresponds to an AP not joining or disconnecting.

The EAP message above is about a client not finishing its dot1x authentication.

Since what changed is the WLC itself, I would check for changes:

- Did it change IP address? Is the config EXACTLY the same as before?

- What does your RADIUS server report as the failed-attempt reason?

Nicolas
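
As an added example (not from this thread or from Cisco), a small Python triage script that parses WLC syslog lines in the format quoted above and separates DTLS failures (the CAPWAP control channel between AP and WLC, i.e. AP join) from DOT1X failures (a client's EAP exchange), counting repeats per peer so recurring ones stand out. The sample lines and the full client MAC address are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample modelled on the two messages quoted in the thread; the
# timestamps, the second pair of lines and the full MAC are made up, not real data.
SAMPLE_LOG = """\
*dot1xMsgTask: Feb 23 17:05:03.648: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2914 Max EAP identity request retries (3) exceeded for client 00:21:5c:aa:bb:cc
*spamApTask0: Feb 23 17:05:01.926: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:629 Failed to complete DTLS handshake with peer 192.168.214.91
*spamApTask0: Feb 23 17:05:31.102: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:629 Failed to complete DTLS handshake with peer 192.168.214.91
*dot1xMsgTask: Feb 23 17:06:10.001: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2914 Max EAP identity request retries (3) exceeded for client 00:21:5c:aa:bb:cc
"""

# *<task>: <timestamp>: %<FACILITY>-<severity>-<MNEMONIC>: <source file:line> <text>
LINE_RE = re.compile(
    r"^\*(?P<task>\w+): (?P<ts>\w{3} \d+ \d\d:\d\d:\d\d\.\d+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<src>\S+) (?P<text>.*)$"
)
PEER_RE = re.compile(r"peer (\d{1,3}(?:\.\d{1,3}){3})")
MAC_RE = re.compile(r"client ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

# The facility tells you which plane failed: DTLS is the AP-to-WLC CAPWAP
# control channel (AP join), DOT1X is the wireless client's EAP authentication.
PLANE = {"DTLS": "ap-join", "DOT1X": "client-auth"}

def parse_line(line):
    """Return a dict of fields for one WLC syslog line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["plane"] = PLANE.get(rec["facility"], "other")
    peer = PEER_RE.search(rec["text"])
    mac = MAC_RE.search(rec["text"])
    rec["subject"] = peer.group(1) if peer else (mac.group(1).lower() if mac else None)
    return rec

def triage(log, threshold=2):
    """Count error-or-worse (severity <= 3) messages per (plane, mnemonic, subject)
    and return only those seen at least `threshold` times."""
    counts = Counter()
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and int(rec["severity"]) <= 3:
            counts[(rec["plane"], rec["mnemonic"], rec["subject"])] += 1
    return {k: n for k, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for (plane, mnemonic, subject), n in triage(SAMPLE_LOG).items():
        print(f"{plane:12} {mnemonic:22} {subject or '-':20} x{n}")
```

Feed it `show msglog` output (or the syslog export) instead of the sample to see which APs and which clients are failing repeatedly, which answers the question of whether the two message types belong together.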

New Member

Re: WLC Failed to complete DTLS handshake with peer

Hi Nicolas,

I reconfigured the WLC manually and from what I can see the configs are the same.

Are the AP disconnect (DTLS) and EAP messages even related to each other?

The log on the RADIUS server indicates a Filtering Platform packet drop; it's an NPS server.

Tia

New Member

Re: WLC Failed to complete DTLS handshake with peer

I also saw this message in the NPS logs.

Authentication failed due to an EAP session timeout; the EAP session with the access client was incomplete.

Cisco Employee

Re: WLC Failed to complete DTLS handshake with peer

I'm unsure about what the first NPS message means.

It's a dot1x authentication-not-completing issue; the authentication process must be looked at to understand which part is stopping. It could be the client not trusting the NPS certificate, or the NPS stopping the authentication because it doesn't like the WLC for some reason... it could be anything.

New Member

Cisco Wireless LAN Controller

Cisco Wireless LAN Controller System Message Guide 7.0.116.0 is a good guide:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0MR1/message/guide/SysMsgGuide_7-0MR1/dtl_eap_7-0MR1_msgs9.html
