Cisco – APs not joining WLC Cisco 4400 Series

Tags: access-point, cisco, cisco-wireless

A few office APs are not joining the WLC after a restart, and this is the log from the controller:

*spamReceiveTask: Feb 13 20:18:44.173: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 10.77.76.3
*spamReceiveTask: Feb 13 20:18:15.485: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 10.74.7.27
*spamReceiveTask: Feb 13 20:17:48.129: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 10.75.7.22
*spamReceiveTask: Feb 13 20:17:47.166: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 10.77.161.10
*spamReceiveTask: Feb 13 20:17:46.888: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 10.77.161.11
*spamReceiveTask: Feb 13 20:17:46.518: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 10.74.7.25
*spamReceiveTask: Feb 13 20:17:46.511: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 10.73.100.11
*spamReceiveTask: Feb 13 20:17:45.667: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 10.72.7.20
*spamReceiveTask: Feb 13 20:17:41.915: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 10.71.77.103
*spamReceiveTask: Feb 13 20:17:40.132: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 10.77.76.3
*spamReceiveTask: Feb 13 20:17:39.695: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 10.77.121.13
*spamReceiveTask: Feb 13 20:17:39.185: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 10.77.161.13
*spamReceiveTask: Feb 13 20:17:39.006: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 10.77.161.12
*spamReceiveTask: Feb 13 20:17:38.833: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 10.73.100.10
*spamReceiveTask: Feb 13 20:17:37.075: %CAPWAP-3-DISC_INTF_ERR1: capwap_ac_sm.c:1445  (2) from AP 00:22:90:a1:b1:40
*spamReceiveTask: Feb 13 20:17:36.793: %CAPWAP-3-DISC_INTF_ERR1: capwap_ac_sm.c:1445 Ignoring discovery request received on non-management interface (2) from AP 00:24:14:ff:73:10
*spamReceiveTask: Feb 13 20:17:30.021: %CAPWAP-3-DISC_INTF_ERR1: capwap_ac_sm.c:1445 Ignoring discovery request received on non-management interface (2) from AP 88:43:e1:14:58:50
*spamReceiveTask: Feb 13 20:17:29.522: %CAPWAP-3-DISC_INTF_ERR1: capwap_ac_sm.c:1445 Ignoring discovery request received on non-management interface (2) from AP 00:24:14:31:f6:b0
*spamReceiveTask: Feb 13 20:17:29.466: %CAPWAP-3-DISC_INTF_ERR1: capwap_ac_sm.c:1445 Ignoring discovery request received on non-management interface (2) from AP 00:24:97:71:b9:b0
*spamReceiveTask: Feb 13 20:17:28.347: %LWAPP-3-DISC_INTF_ERR1: spam_lrad.c:1298 Ignoring discovery request received on non-management interface (2) in L3 LWAPP mode from AP 00:24:97:b7:03:b0
*spamReceiveTask: Feb 13 20:17:28.345: %CAPWAP-3-DISC_INTF_ERR1: capwap_ac_sm.c:1445 Ignoring discovery request received on non-management interface (2) from AP 00:24:97:b7:03:b0
*nim_t: Feb 13 20:17:28.293: %SIM-3-PORT_UP: sim.c:9820 Physical port 2 is up!.
*nim_t: Feb 13 20:17:28.290: %SIM-3-PORT_UP: sim.c:9820 Physical port 1 is up!.
*fp_main_task: Feb 13 20:17:28.069: %CNFGR-3-INV_COMP_ID: cnfgr.c:2221 Invalid Component Id : Unrecognized (77) in cfgConfiguratorInit.
*fp_main_task: Feb 13 20:17:27.987: %LOG-3-Q_IND: rrmCfg.c:1501 RRM LOG: Airewave Director: Configuration has been sanitized -- save configuration to commit
*fp_main_task: Feb 13 20:17:27.780: %RRM-3-RRM_LOGMSG: rrmCfg.c:1501 RRM LOG: Airewave Director: Configuration has been sanitized -- save configuration to commit
*fp_main_task: Feb 13 20:17:20.955: %MM-3-MEMBER_ADD_FAILED: mm_dir.c:926 Could not add Mobility Member. Reason: IP already assigned, Member-Count:1,MAC: 00:00:00:00:00:00, IP: 0.0.0.0
*fp_main_task: Feb 13 20:17:20.747: %DTL-3-DSNET_CONF_FAILED: dtl_ds.c:424 Unable to set symmetric mobility tunneling to disabled on Distribution Service interface.
*fp_main_task: Feb 13 20:17:03.486: %CNFGR-3-INV_COMP_ID: cnfgr.c:2221 Invalid Component Id : Unrecognized (36) in cfgConfiguratorInit.
*mfpKeyRefreshTask: Feb 13 20:17:03.485: %SSHPM-3-NOT_INIT: bsnrandom.c:621 Random context not initialized

I have connected to one of the APs and captured the following from serial:

*Feb 13 18:26:14.083: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Feb 13 18:26:14.083: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Feb 13 18:26:14.135: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
*Feb 13 18:26:14.139: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Feb 13 18:26:14.139: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Feb 13 18:26:14.147: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Feb 13 18:26:14.163:  status of voice_diag_test from WLC is false
*Feb 13 18:26:14.163: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
*Feb 13 18:26:14.175: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Feb 13 18:26:14.183: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Feb 13 18:26:24.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.77.77.59 peer_port: 5246
*Feb 13 18:26:24.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Feb 13 18:26:24.099: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed.  The certificate (SN: 3C1E27950000000C5C4B) has expired.    Validity period ended on 19:56:24 UTC Jan 17 2017
*Feb 13 18:26:24.099: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Feb 13 18:26:24.099: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Feb 13 18:26:24.099: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:352 Certificate verified failed!
*Feb 13 18:26:24.099: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 10.77.77.59
*Feb 13 18:26:24.099: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.77.77.59:5246
*Feb 13 18:26:24.099: %DTLS-3-BAD_RECORD: Erroneous record received from 10.77.77.59: Malformed Certificate
*Feb 13 18:26:24.099: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.77.77.59:5246

Is it a certificate issue, provided that the certificate is actually not expired?

Any help will be appreciated.

Best Answer

The certificate with serial number 3C1E27950000000C5C4B expired on 17 Jan 2017. Please double-check the certificates and configured trustpoints. It could be the manufacturer-installed certificates. I've found an issue over here; check whether it is not the same in your case.
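As an added triage example (not code from the question or the answer): this parses the controller and AP log formats shown above, counts DTLS handshake failures per AP address on the WLC side, pulls the expired certificate serial and validity end out of the AP's PKI message, and compares that end date against the capture date. The capture date 2017-02-13 is an assumption, since the AP serial log carries no year.

```python
import re
from datetime import datetime

# Constructed sample input: a few lines excerpted from the WLC and AP logs in the question.
WLC_LOG = """\
*spamReceiveTask: Feb 13 20:18:44.173: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 10.77.76.3
*spamReceiveTask: Feb 13 20:18:15.485: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 10.74.7.27
*spamReceiveTask: Feb 13 20:17:40.132: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 10.77.76.3
*spamReceiveTask: Feb 13 20:17:36.793: %CAPWAP-3-DISC_INTF_ERR1: capwap_ac_sm.c:1445 Ignoring discovery request received on non-management interface (2) from AP 00:24:14:ff:73:10
"""
AP_LOG = """\
*Feb 13 18:26:24.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.77.77.59 peer_port: 5246
*Feb 13 18:26:24.099: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed.  The certificate (SN: 3C1E27950000000C5C4B) has expired.    Validity period ended on 19:56:24 UTC Jan 17 2017
*Feb 13 18:26:24.099: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 10.77.77.59
"""

DTLS_FAIL = re.compile(r"%DTLS-3-HANDSHAKE_FAILURE: .* with peer (\d+\.\d+\.\d+\.\d+)$")
CERT_EXPIRED = re.compile(
    r"%PKI-3-CERTIFICATE_INVALID_EXPIRED: .*\(SN: ([0-9A-Fa-f]+)\) has expired\.\s+"
    r"Validity period ended on (\d{2}:\d{2}:\d{2}) UTC ([A-Za-z]{3}) (\d{1,2}) (\d{4})")

def failed_peers(wlc_log):
    """Count DTLS handshake failures per AP address as seen by the controller."""
    counts = {}
    for line in wlc_log.splitlines():
        m = DTLS_FAIL.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

def expired_certs(ap_log):
    """Extract (serial, validity-end ISO timestamp) pairs from the AP's PKI expiry messages."""
    found = []
    for line in ap_log.splitlines():
        m = CERT_EXPIRED.search(line)
        if m:
            sn, hms, mon, day, year = m.groups()
            ended = datetime.strptime(f"{hms} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
            found.append((sn.upper(), ended.isoformat()))
    return found

def triage(wlc_log, ap_log, as_of_iso):
    """Correlate both logs; as_of_iso is the capture date (an assumption, the AP log has no year)."""
    as_of = datetime.fromisoformat(as_of_iso)
    certs = expired_certs(ap_log)
    stale = [(sn, end) for sn, end in certs if datetime.fromisoformat(end) < as_of]
    cause = ("peer certificate %s expired at %s UTC" % stale[0]) if stale else "no expired certificate seen on AP"
    return {"failed_peers": failed_peers(wlc_log), "expired_certs": certs, "cause": cause}

if __name__ == "__main__":
    print(triage(WLC_LOG, AP_LOG, "2017-02-13"))
```

If the AP's own clock is wrong (no NTP after a power cycle), the same PKI message appears even though the certificate is valid, so compare the AP's current time with the validity window before replacing anything.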