Access point 1600i series not joining to Virtual wireless controller

Posted on 2013-12-25
Medium Priority
Last Modified: 2016-11-23

Wireless controller details :

cisco virtual wireless controller version 7.4.110  

My access point details :

Cisco 1600 series access point (AP1G2-RCVK9W8-M), Version 15.2(2)JB2

Installation details :

Server : Dell
VMware ESXi 5.5

Configuration details :

Esxi management address :

Virtual Controller service port : connected to VLAN 2 access point (network)

virtual controller Management IP : -> connected to trunk link

Steps followed for join activity :

1. First Access point connected to VLAN 34 access point i.e Network

2. Got Access point IP through the DHCP server, which is running at core-switch

3. From access-point I am able to ping the Controller Management IP i.e

4.But Access point not joining to the controller

5. Attached the console log of Access point

6. Next I changed the Controller management to 34th VLAN IP i.e

7. Tried joining access-point, which is connected to VLAN 34 and got IP address 10.10.34.x

8. From the AP it pings but it is not joining the controller, though both AP and controller are in the same network.

Verification :

1. As the Google sites suggested, verified time settings at controller and AP; they are fine and showing updated time

2. Configured DHCP option 43 and 60 in core-switch DHCP pools for redirecting to the

3. Configured controller IP address manually in Access point

4. Bypassed the SSC validation using knob turnoff option and CLI command in controller also, but no result

5. Cleared the capwap and restarted using clear capwap private-config command

6. I have cleared the AP conf using test capwap erase and test capwap restart commands

Pls confirm my queries :

1. Virtual wireless controller running 7.4 version and Access point running 15.2(2),

Do I need to downgrade / upgrade the access point image? If yes, which image should I download from the Cisco site? Pls give clarification on this

2. As per the document Dell server isn't supported but it is installed, but it is happening for UCS server deployed based controller also

3. I have attached Switch configuration (it is old config and at that time DHCP options were not configured), pls verify NTP configuration, is that fine or should I change

Every time getting the following error at access point side :

Dec 24 10:56:51.023: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Dec 24 10:57:56.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: peer_port: 5246

*Dec 24 10:57:56.055: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed.  The certificate (SN: 1000) is not yet valid   Validity period starts on 14:51:37 UTC Dec 24 2013Peer certificate verification failed 001A

*Dec 24 10:57:56.055: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Dec 24 10:57:56.055: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:447 Certificate verified failed!
*Dec 24 10:57:56.055: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to

*Dec 24 10:57:56.055: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to

*Dec 24 10:57:56.059: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

The WLC says in the log:
*spamApTask7: Sep 14 13:18:34.485: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake with peer Y.Y.Y.Y
*spamApTask7: Sep 14 13:17:29.502: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake with peer Y.Y.Y.Y

Pls treat this as a high priority. I gave most information so as not to cause delay from questions and clarifications being posted from your side again and again

Question by:RAMU CH
LVL 47

Expert Comment

by:Craig Beck
ID: 39739144
This isn't what you will want to hear, but you should probably reinstall the vWLC.  This is a time issue, and if you installed the vWLC while the time was wrong in VMWare, the certificate on the vWLC will always be out of date.

%PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed.  The certificate (SN: 1000) is not yet valid   Validity period starts on 14:51:37 UTC Dec 24 2013Peer certificate verification failed 001A
So, set the time properly in the VMWare host, reinstall the vWLC and set the time correctly when you run through the configuration wizard, then the AP will join properly.
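
Added example, not part of the original thread: a Python check that pulls the AP's own log timestamp and the certificate's validity start out of the %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID line quoted above, measures the gap, and uses a trusted reference time to say which side's clock is off. The sample lines are constructed from the format shown in this thread; the function names, the year argument (the log prefix carries no year), the 5-minute tolerance and the reference time are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: AP console lines in the format quoted in this thread.
SAMPLE_LOG = """\
*Dec 24 10:57:56.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: peer_port: 5246
*Dec 24 10:57:56.055: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed.  The certificate (SN: 1000) is not yet valid   Validity period starts on 14:51:37 UTC Dec 24 2013Peer certificate verification failed 001A
*Dec 24 10:57:56.055: %CAPWAP-3-ERRORLOG: Certificate verification failed!
"""

LINE_RE = re.compile(
    r"^\*?(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?: "
    r"%PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID:"
    r".*?\(SN: (?P<serial>[0-9A-Fa-f]+)\)"
    r".*?Validity period starts on "
    r"(?P<start>\d{2}:\d{2}:\d{2} UTC [A-Z][a-z]{2} +\d{1,2} \d{4})"
)

def find_not_yet_valid(log_text, ap_year):
    """Return one finding per 'not yet valid' line.
    ap_year is an assumption supplied by the caller (e.g. from 'show clock');
    the AP log time is assumed to be UTC, like the validity start."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ap_time = datetime.strptime(f"{m['stamp']} {ap_year}", "%b %d %H:%M:%S %Y")
        not_before = datetime.strptime(m["start"], "%H:%M:%S UTC %b %d %Y")
        findings.append({"serial": m["serial"], "ap_time": ap_time,
                         "not_before": not_before, "gap": not_before - ap_time})
    return findings

def classify(finding, reference_now, tolerance=timedelta(minutes=5)):
    """Compare against a trusted UTC time taken when the log line was written."""
    if abs(finding["ap_time"] - reference_now) > tolerance:
        return "ap_clock_wrong"       # the AP itself disagrees with the reference
    if finding["not_before"] - reference_now > tolerance:
        return "issuer_clock_ahead"   # certificate was stamped in the future
    return "within_tolerance"

if __name__ == "__main__":
    for f in find_not_yet_valid(SAMPLE_LOG, 2013):
        print(f'SN {f["serial"]}: validity starts {f["gap"]} after the AP clock')
```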

Author Comment

ID: 39739176
Thanks for the helpful information..

I would like to inform that

At the access-point, when I check the time using the "show clock" command it shows
UTC. Pls refer to the command output below

APc08c.606b.1d4e#sh clock
*11:05:18.423 UTC Tue Dec 24 2013

Whereas on the controller the selected time zone is the Calcutta/New Delhi time zone

Core-Switch side NTP configured as below :

ntp authentication-key 123 md5 09425A19 7
ntp master
time-range blocked_hours
 periodic weekdays 9:00 to 14:00

While configuring vWLC, I gave the NTP server as the Core-switch IP address.

So what do you suggest for synchronizing AP and WLC time zones?

LVL 47

Accepted Solution

Craig Beck earned 2000 total points
ID: 39739181
AP and WLC timezones are no issue.  You can join an AP in one country/continent to a WLC in another without an issue.

The problem is that the VMWare host's time is probably incorrect, or was incorrect when the vWLC was installed.  The guest VM will take the time from VMWare by default unless you disable time integration services in the guest's VM settings.

Author Comment

ID: 39739195
Should I integrate the VM guest with an NTP server? If it synchronises, will the AP join immediately, or will the AP join based on zone time differences?


Author Comment

ID: 39739204
Are there any changes needed at the Core-Switch side? Pls confirm
LVL 47

Expert Comment

by:Craig Beck
ID: 39739206
You should let all your network devices use NTP if available, including the vWLC.

Unfortunately, if the time synchronizes it won't make the certificate become valid though, as its validity length will be for a certain period only.  It's likely that your VMWare time is something like 2001, which would make the vWLC certificate expire in 2011.  The only way to fix this is to reinstall the vWLC.

You can backup the configuration and reapply it once the vWLC is rebuilt though.
LVL 47

Expert Comment

by:Craig Beck
ID: 39739221
There are no core switch changes which need to be made as far as I can see.  You don't really need DHCP option 60 (contrary to what people including Cisco say).

I would remove the usernames and passwords from the switch config file you posted though :-)

Author Comment

ID: 39741438
Thanks craigbeck,
Your information really helped me a lot.

Now I am happy that the issue has been resolved. Just configured the ESX host PC as NTP client
then started the joining activity

Thank you very much.

Pls close the request.

Author Closing Comment

ID: 39741441
very good solution
