Solved

Access point 1600i series not joining to Virtual wireless controller

Posted on 2013-12-25
Last Modified: 2016-11-23
Hi,


Wireless controller details :

Cisco virtual wireless controller version 7.4.110

My access point details :

Cisco 1600 series access point (AP1G2-RCVK9W8-M), Version 15.2(2)JB2


Installation details :

Server : Dell
VMware ESXi 5.5

Configuration details :

ESXi management address : 10.10.2.15

Virtual Controller service port : 10.10.2.16 connected to VLAN 2 access point (10.10.2.0/24 network)

virtual controller Management IP : 10.10.150.10 -> connected to trunk link


Steps followed for join activity :

1. First, the access point was connected to VLAN 34 access point, i.e. the 10.10.34.0 network

2. Got the access point IP through the DHCP server, which is running at the core switch

3. From the access point I am able to ping the controller management IP, i.e. 10.10.150.10

4. But the access point is not joining the controller

5. Attached the console log of the access point


6. Next I changed the controller management to a VLAN 34 IP, i.e. 10.10.34.200

7. Tried joining the access point, which is connected to VLAN 34 and got IP address 10.10.34.x

8. From the AP it pings, but it is not joining the controller, though both AP and controller are in the same network.




Verification :

1. As per the Google sites suggested, verified the time setting at the controller and AP, and they are fine and showing updated time

2. Configured DHCP options 43 and 60 in the core-switch DHCP pools for redirecting to the controller.

3. Configured the controller IP address manually in the access point

4. Bypassed the SSC validation using the knob turn-off option and the CLI command in the controller also, but no result

5. Cleared the capwap and restarted using the clear capwap private-config command

6. I have cleared the AP config using the test capwap erase and test capwap restart commands




Pls confirm my queries :

1. The virtual wireless controller is running version 7.4 and the access point is running 15.2(2).

Do I need to downgrade / upgrade the access point image? If yes, which image should I download from the Cisco site? Please clarify this.

2. As per the document, Dell server doesn't support but installed, but it is happening for UCS server deployed based controller also

3. I have attached the switch configuration (it is an old config, and at that time the DHCP options had not been configured). Please verify the NTP configuration: is it fine, or should I change it?


Every time getting the following error at access point side :

Dec 24 10:56:51.023: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Dec 24 10:57:56.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.150.10 peer_port: 5246

*Dec 24 10:57:56.055: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed.  The certificate (SN: 1000) is not yet valid   Validity period starts on 14:51:37 UTC Dec 24 2013Peer certificate verification failed 001A

*Dec 24 10:57:56.055: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Dec 24 10:57:56.055: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:447 Certificate verified failed!
*Dec 24 10:57:56.055: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.10.150.10:5246

*Dec 24 10:57:56.055: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.150.10:5246

*Dec 24 10:57:56.059: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.



The WLC says in the log:
 
*spamApTask7: Sep 14 13:18:34.485: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake with peer Y.Y.Y.Y
*spamApTask7: Sep 14 13:17:29.502: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake with peer Y.Y.Y.Y



Pls treat this as a high priority and i gave most information for not making delay at  posting questions and clarifications from your side again and again

Regards
Ramu
ap-log.txt
sh-version-1600-series.txt
Switch-conf-23DEC13-2PM.TXT
0
Question by:RAMU CH
9 Comments
 

Expert Comment

by:Craig Beck
ID: 39739144
This isn't what you will want to hear, but you should probably reinstall the vWLC.  This is a time issue, and if you installed the vWLC while the time was wrong in VMWare, the certificate on the vWLC will always be out of date.

%PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed.  The certificate (SN: 1000) is not yet valid   Validity period starts on 14:51:37 UTC Dec 24 2013Peer certificate verification failed 001A
So, set the time properly in the VMWare host, reinstall the vWLC and set the time correctly when you run through the configuration wizard, then the AP will join properly.
0
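
Added example, not part of the original thread and not Cisco tooling: a Python script that pulls the %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID line out of the AP console log quoted in the question and measures how far the AP's clock is behind the certificate's validity start. The function names are illustrative; it assumes the AP log stamps are UTC (as the sh clock output posted in this thread shows) and, because the stamps carry no year, that they fall in the same year as the validity start.

```python
import re
from datetime import datetime

# AP console lines exactly as quoted in the question above.
SAMPLE_LOG = """\
*Dec 24 10:57:56.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.150.10 peer_port: 5246
*Dec 24 10:57:56.055: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed.  The certificate (SN: 1000) is not yet valid   Validity period starts on 14:51:37 UTC Dec 24 2013Peer certificate verification failed 001A
*Dec 24 10:57:56.055: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.10.150.10:5246
"""

# Captures the AP's own log stamp, the certificate serial and the validity start.
NOT_YET_VALID = re.compile(
    r"^\*?(?P<stamp>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)\.\d+: "
    r"%PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID:.*?\(SN: (?P<sn>[0-9A-Fa-f]+)\)"
    r".*?Validity period starts on (?P<start>\d\d:\d\d:\d\d) UTC "
    r"(?P<date>[A-Z][a-z]{2} +\d+ \d{4})"
)


def not_yet_valid_events(log_text):
    """Return one dict per NOT_YET_VALID line: serial, AP clock, validity start, gap."""
    events = []
    for line in log_text.splitlines():
        m = NOT_YET_VALID.match(line.strip())
        if not m:
            continue
        not_before = datetime.strptime(f"{m['start']} {m['date']}", "%H:%M:%S %b %d %Y")
        # Assumption: the log stamp has no year, so borrow it from the validity start.
        ap_clock = datetime.strptime(f"{m['stamp']} {not_before.year}", "%b %d %H:%M:%S %Y")
        events.append({"serial": m["sn"], "ap_clock": ap_clock,
                       "not_before": not_before, "gap": not_before - ap_clock})
    return events


def summarize(event):
    """One-line triage message for a parsed event."""
    secs = int(event["gap"].total_seconds())
    if secs <= 0:
        return f"SN {event['serial']}: AP clock is already past the validity start"
    hours, rem = divmod(secs, 3600)
    minutes, seconds = divmod(rem, 60)
    return (f"SN {event['serial']}: AP clock is {hours}h{minutes:02d}m{seconds:02d}s "
            "behind the certificate's validity start")


if __name__ == "__main__":
    for ev in not_yet_valid_events(SAMPLE_LOG):
        print(summarize(ev))
```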
 

Author Comment

by:RAMU CH
ID: 39739176
Thanks for the helpful information..

I would like to inform you that at the access point, when I check the time using the "show clock" command, it shows UTC. Please refer to the command output below:

APc08c.606b.1d4e#sh clock
*11:05:18.423 UTC Tue Dec 24 2013

Whereas the controller has the Calcutta/New Delhi time zone selected

Core-Switch side NTP configured as below :

ntp authentication-key 123 md5 09425A19 7
ntp master
time-range blocked_hours
 periodic weekdays 9:00 to 14:00
!


While configuring the vWLC, I gave the NTP server as the core switch IP address.

So what do you suggest for synchronizing AP and WLC time zones..

Regards
Ram
0
 

Accepted Solution

by:Craig Beck
ID: 39739181
AP and WLC timezones are no issue.  You can join an AP in one country/continent to a WLC in another without an issue.

The problem is that the VMWare host's time is probably incorrect, or was incorrect when the vWLC was installed.  The guest VM will take the time from VMWare by default unless you disable time integration services in the guest's VM settings.
0
 

Author Comment

by:RAMU CH
ID: 39739195
Should I integrate the VM guest with the NTP server? If it synchronises, will the AP join immediately, or will the AP join based on the time zone differences?

Regards
Ram
0

Author Comment

by:RAMU CH
ID: 39739204
Are there any changes needed at the core switch side? Please confirm.
0
 

Expert Comment

by:Craig Beck
ID: 39739206
You should let all your network devices use NTP if available, including the vWLC.

Unfortunately, though, if the time synchronizes it won't make the certificate become valid, as its validity length will be for a certain period only.  It's likely that your VMWare time is something like 2001, which would make the vWLC certificate expire in 2011.  The only way to fix this is to reinstall the vWLC.

You can backup the configuration and reapply it once the vWLC is rebuilt though.
0
 

Expert Comment

by:Craig Beck
ID: 39739221
There are no core switch changes which need to be made as far as I can see.  You don't really need DHCP option 60 (contrary to what people including Cisco say).

I would remove the usernames and passwords from the switch config file you posted though :-)
0
 

Author Comment

by:RAMU CH
ID: 39741438
Thanks craigbeck,
Your information really helped me a lot.

Now I am happy that the issue has been resolved. Just configured the ESX host PC as an NTP client,
then started the joining activity.

Thank you very much.

Pls close the request.
0
 

Author Closing Comment

by:RAMU CH
ID: 39741441
very good solution
0
