AP won't join WLC, why?
By Admin
SOLUTION: If the WLC logs show an error such as "DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2962 Failed to complete DTLS handshake with peer 192.168.202.8", the cause is a Cisco bug, and that is why the APs are not joining the WLC. To work around it, first set the WLC clock back 4-5 years (for example, if the date on the WLC is 1/17/2017, change it manually to 1/17/2012). Then download the latest firmware to the WLC and reboot the controller. Once the WLC and all the APs have been upgraded to the latest firmware, set the time back to 1/17/2017.
Symptom:
- Wireless Access Points fail to connect to the Wireless LAN Controller.
Symptom 1 (where the AP's certificate has expired):
- At the time of the join failure, the WLC's msglog may show messages similar to the following:
- LWAPP-3-PAYLOAD_ERR: Join request does not contain valid certificate in certificate payload – AP 00:11:22:33:44:55
Symptom 2 (where the WLC's manufacturing installed certificate has expired):
- Once the WLC's MIC expires, the currently joined AP CAPWAP sessions will remain established.
The AP logger will show messages similar to the following:
- %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 7E3446C40000000CBD95) has expired. Validity period ended on 14:38:08 UTC Oct 26 2021
- Peer certificate verification failed 001A
- DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:496 Certificate verified failed!
- %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.10.10:5246
- %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.10.10:5246
On the WLC side, you will only see a message like this:
- #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2962 Failed to complete DTLS handshake with peer 192.168.202.8
Conditions:
- This symptom occurs 10 years after the device's manufacturing date.
- The oldest APs (1120, 1130, 1230, 1310 series) with MICs were manufactured in July 2005, so those APs will be unable to join AireOS controllers starting in July 2015.
- This problem also affects WLCs approximately 10 years after their manufacturing date. For APs using Self-Signed Certificates (SSCs) generated by the Upgrade Tool, the symptom will occur on January 1, 2020.
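Detection logic, added here as an illustration and not part of the original post, that classifies the WLC and AP log lines quoted above, pulls the certificate serial and expiry out of the PKI message, and checks whether a given controller clock (for example the rolled-back date from the solution) would still fall inside the certificate's validity period. The sample lines are constructed from the messages on this page; the message formats are assumed to match them.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines modelled on the WLC/AP messages quoted on this page (not real captures).
SAMPLE_LOGS = [
    "%PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. "
    "The certificate (SN: 7E3446C40000000CBD95) has expired. "
    "Validity period ended on 14:38:08 UTC Oct 26 2021",
    "%DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.10.10:5246",
    "%DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2962 Failed to complete DTLS handshake with peer 192.168.202.8",
    "%LWAPP-3-PAYLOAD_ERR: Join request does not contain valid certificate in certificate payload - AP 00:11:22:33:44:55",
    "%CAPWAP-5-AP_JOINED: AP 00:11:22:33:44:66 joined",  # unrelated line, must be ignored
]

# Patterns for the three message types on this page that point at an expired MIC/SSC.
EXPIRED_RE = re.compile(
    r"\(SN: (?P<sn>[0-9A-Fa-f]+)\) has expired\. Validity period ended on "
    r"(?P<ts>\d{2}:\d{2}:\d{2} UTC [A-Za-z]{3} \d{1,2} \d{4})")
HANDSHAKE_RE = re.compile(r"DTLS-3-HANDSHAKE_FAILURE: .*peer (?P<peer>\d{1,3}(?:\.\d{1,3}){3})")
PAYLOAD_RE = re.compile(r"LWAPP-3-PAYLOAD_ERR: .*AP (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")

def parse_expiry(ts: str) -> datetime:
    """Turn '14:38:08 UTC Oct 26 2021' (the AP's log format) into an aware UTC datetime."""
    return datetime.strptime(ts, "%H:%M:%S UTC %b %d %Y").replace(tzinfo=timezone.utc)

def classify(lines):
    """Return one finding dict per line that matches a certificate-expiry symptom."""
    findings = []
    for line in lines:
        if m := EXPIRED_RE.search(line):
            findings.append({"kind": "expired_cert", "sn": m["sn"].upper(),
                             "expired_at": parse_expiry(m["ts"])})
        elif m := HANDSHAKE_RE.search(line):
            findings.append({"kind": "dtls_handshake_failure", "peer": m["peer"]})
        elif m := PAYLOAD_RE.search(line):
            findings.append({"kind": "invalid_ap_cert", "ap": m["mac"].lower()})
    return findings

def clock_accepts(expired_at: datetime, controller_clock: datetime) -> bool:
    """True if a controller whose clock reads controller_clock would still treat the
    certificate as unexpired; this is what the temporary clock roll-back relies on."""
    return controller_clock < expired_at

def triage(lines, controller_clock):
    """Map each expired serial seen in the logs to whether controller_clock would accept it."""
    return {f["sn"]: clock_accepts(f["expired_at"], controller_clock)
            for f in classify(lines) if f["kind"] == "expired_cert"}

if __name__ == "__main__":
    rolled_back = parse_expiry("00:00:00 UTC Jan 17 2012")  # the roll-back date from the solution
    print(classify(SAMPLE_LOGS), triage(SAMPLE_LOGS, rolled_back))
```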