AP won't join WLC, WHY?


SOLUTION: If the WLC log shows "DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2962 Failed to complete DTLS handshake with peer 192.168.202.8", the DTLS handshake is failing because a manufacturing installed certificate (MIC) has passed the end of its 10-year validity period, and that is why the APs are no longer able to join the WLC. To work around it, first set the WLC clock back 4-5 years so that the certificates fall inside their validity period again; e.g. if the date on the WLC is 1/17/2017, set it manually to 1/17/2012 (disable NTP on the controller first, or the clock will simply be corrected again). The date you choose must be later than the manufacture date of the newest AP and of the WLC itself, otherwise their certificates fail as not yet valid instead of expired. Then download the latest firmware to the WLC and reboot the controller. Once the WLC and all APs are running the new firmware, set the time back to 1/17/2017.


Symptom:

Wireless Access Points fail to connect to the Wireless LAN Controller.

Symptom 1 (where the AP's certificate has expired):

At the time of the join failure, the WLC's msglog may show messages similar to the following:

  • LWAPP-3-PAYLOAD_ERR: Join request does not contain valid certificate in certificate payload – AP 00:11:22:33:44:55

Symptom 2 (where the WLC's manufacturing installed certificate has expired):

Once the WLC's MIC expires, the currently joined AP CAPWAP sessions remain established, but any AP that reboots or otherwise attempts a new join will fail.

The AP logger will show messages similar to the following:

  • %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 7E3446C40000000CBD95) has expired. Validity period ended on 14:38:08 UTC Oct 26 2021
  • Peer certificate verification failed 001A
  • DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:496 Certificate verified failed!
  • %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.10.10:5246
  • %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.10.10:5246

On the WLC side, you will only see a message like this:

  • %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2962 Failed to complete DTLS handshake with peer 192.168.202.8

Conditions:

  • This symptom occurs 10 years after the device's manufacturing date, when its MIC expires.
  • The oldest APs (1120, 1130, 1230, 1310 series) with MICs were manufactured in July 2005, so those APs are unable to join AireOS controllers from July 2015 onward.
  • WLCs are affected in the same way approximately 10 years after their manufacturing date. For APs using Self-Signed Certificates (SSCs) generated by the Upgrade Tool, the symptom occurs on January 1, 2020.
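The two symptom signatures and the clock workaround, as an added Python example (not code from the original post or from Cisco): it classifies constructed copies of the log lines quoted above into Symptom 1 or Symptom 2, pulls the expiry date out of the AP-side PKI message, and picks a clock value that lies inside every affected certificate's validity window instead of blindly going back 4-5 years. The 10-year validity stated in the Conditions list is used to approximate each certificate's start date; that approximation, the `config time manual` output format, and the sample lines are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Patterns for the AP-side and WLC-side messages quoted on the page.
AP_EXPIRED_RE = re.compile(
    r"%PKI-3-CERTIFICATE_INVALID_EXPIRED:.*?\(SN: (?P<sn>[0-9A-Fa-f]+)\) has expired\."
    r"\s*Validity period ended on (?P<end>\d{2}:\d{2}:\d{2} UTC \w{3} \d{1,2} \d{4})"
)
WLC_PAYLOAD_RE = re.compile(
    r"LWAPP-3-PAYLOAD_ERR: Join request does not contain valid certificate in "
    r"certificate payload.*?AP (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)
WLC_HANDSHAKE_RE = re.compile(
    r"DTLS-3-HANDSHAKE_FAILURE:.*?Failed to complete DTLS handshake with peer "
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3})"
)
DTLS_ALERT_RE = re.compile(
    r"%DTLS-5-SEND_ALERT: Send FATAL : (?P<alert>.+?) Alert to "
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
)

# The page says a MIC expires 10 years after manufacture; the notBefore date is
# not in the logs, so it is approximated (assumption) as 10*365 days before expiry.
MIC_VALIDITY = timedelta(days=10 * 365)

# Constructed sample lines, copied from the messages quoted on the page.
SAMPLE_AP_LOG = [
    "%PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. "
    "The certificate (SN: 7E3446C40000000CBD95) has expired. "
    "Validity period ended on 14:38:08 UTC Oct 26 2021",
    "Peer certificate verification failed 001A",
    "DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:496 "
    "Certificate verified failed!",
    "%DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.10.10:5246",
    "%DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.10.10:5246",
]
SAMPLE_WLC_LOG = [
    "%DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2962 Failed to complete DTLS handshake "
    "with peer 192.168.202.8",
]
SAMPLE_WLC_LOG_SYMPTOM1 = [
    "LWAPP-3-PAYLOAD_ERR: Join request does not contain valid certificate in "
    "certificate payload - AP 00:11:22:33:44:55",
]


def parse_line(line):
    """Return (kind, fields) for a recognised log line, else None."""
    m = AP_EXPIRED_RE.search(line)
    if m:
        end = datetime.strptime(m.group("end"), "%H:%M:%S UTC %b %d %Y")
        return "ap_peer_cert_expired", {"sn": m.group("sn").upper(), "expired": end}
    m = WLC_PAYLOAD_RE.search(line)
    if m:
        return "wlc_invalid_ap_cert", {"ap_mac": m.group("mac").lower()}
    m = WLC_HANDSHAKE_RE.search(line)
    if m:
        return "wlc_dtls_handshake_failure", {"peer": m.group("peer")}
    m = DTLS_ALERT_RE.search(line)
    if m:
        return "dtls_alert", {"alert": m.group("alert"), "peer": m.group("peer"),
                              "port": int(m.group("port"))}
    return None


def diagnose(lines):
    """Map a batch of WLC and AP log lines onto the two symptoms described above."""
    events = [e for e in map(parse_line, lines) if e]
    kinds = {kind for kind, _ in events}
    if "wlc_invalid_ap_cert" in kinds:
        symptom = "symptom1_ap_mic_expired"      # WLC rejected the AP's certificate
    elif "ap_peer_cert_expired" in kinds:
        symptom = "symptom2_wlc_mic_expired"     # AP rejected the WLC's certificate
    elif "wlc_dtls_handshake_failure" in kinds:
        symptom = "dtls_failure_check_ap_logs"   # WLC side alone does not say which
    else:
        symptom = "no_match"
    expiries = [f["expired"] for kind, f in events if kind == "ap_peer_cert_expired"]
    return {"symptom": symptom, "events": events, "expiries": expiries}


def suggest_clock(expiries, extra_not_before=()):
    """Pick a clock value inside every affected certificate's validity window.
    A clock earlier than a certificate's notBefore fails ('not yet valid') just as
    an expired one does, so the window is (latest notBefore, earliest expiry);
    extra_not_before carries any start dates known from other certificates."""
    if not expiries:
        return None
    earliest_end = min(expiries)
    latest_start = max([e - MIC_VALIDITY for e in expiries] + list(extra_not_before))
    if latest_start >= earliest_end:
        return None                   # no single clock value satisfies all certs
    return latest_start + (earliest_end - latest_start) / 2


def aireos_time_command(dt):
    """Render the value as an AireOS 'config time manual MM/DD/YY HH:MM:SS' line."""
    return dt.strftime("config time manual %m/%d/%y %H:%M:%S")
```

Run `diagnose` over the WLC msglog together with the AP console output, since the controller side alone only reports the handshake failure. Disable NTP on the controller before applying the suggested `config time manual` value, or the clock is corrected straight back; later AireOS releases also provide `config ap cert-expiry-ignore mic enable` (and `ssc`), which accepts expired MICs without moving the clock at all.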

