?
Solved

Access point 1600i series not joining to Virtual wireless controller

Posted on 2013-12-25
9
Medium Priority
?
5,691 Views
Last Modified: 2016-11-23
Hi,


Wireless controller details :

cisco virtual wireless controller version 7.4.110  

My access point details :

cisco 1600 series acesspoint  (AP1G2-RCVK9W8-M), Version 15.2(2)JB2


Installation details :

Server : Dell
VMware ESXi 5.5

Configuraiton detials :

Esxi management address : 10.10.2.15

Virtual Controller service port : 10.10.2.16 connected to VLAN 2 acces point(10.10.2.0/24 network)  

virtual controller Management IP : 10.10.150.10 -> connected to trunk link


Steps folowed for join activity :

1. First Access point connected to VLAN 34 access point i.e 10.10.34.0 Network

2.Got Access point ip through DHCP server is which is running at core-switch

3.From access-point i am able to ping to COntroller Management ip i.e 10.10.150.10

4.But Access point not joining to the controller

5. Attached the console log of Access point


6. Next i have changed the COntroller management to 34th vlan ip i.e 10.10.34.200

7. Tried joining access-point,which is connedted to 34 vlan and got Ip address 10.10.34.x

8. From AP it is ping but not joining the controller , though both AP and controller are in same network.




Verification :

1. As per the google sites suggested , verified time setting at controller and AP and they are fine and showing updated time

2,configured DHCP option 43 and 60 in core-switch DHCP pools for redirecting to the
controller.

3. configured manually controller ip address  in Access point

4. by passed the ssc validation using knob turnoff option and cli command in controller also but no result

5. clear the capwap and restart using clear capwap privarte-config command

6.i have cleared the AP conf using test capwap erase and test capwap restart aommands




Pls confirm my queries :

1. Virtual wireless controller running 7.4 version and Access point running 15.2(2),

Do i need to downgrade / upgrade the access point image? if yes what is the image should i download from cisco site.. pls give clarification on this

2. As per the document Dell server doesn't support but installed but it is happening for UCS server depolyed based controller also

3. I have attached Switch configuration (it is old config and by the time it hasn't configured DHCP options) , pls verify NTP configuration , is that fine or should i change


Every time getting the following error at access point side :

Dec 24 10:56:51.023: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Dec 24 10:57:56.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.150.10 peer_port: 5246

*Dec 24 10:57:56.055: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed.  The certificate (SN: 1000) is not yet valid   Validity period starts on 14:51:37 UTC Dec 24 2013Peer certificate verification failed 001A

*Dec 24 10:57:56.055: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Dec 24 10:57:56.055: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:447 Certificate verified failed!
*Dec 24 10:57:56.055: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.10.150.10:5246

*Dec 24 10:57:56.055: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.150.10:5246

*Dec 24 10:57:56.059: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.



The WLC saids in the log:
 
*spamApTask7: Sep 14 13:18:34.485: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake with peer Y.Y.Y.Y
*spamApTask7: Sep 14 13:17:29.502: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake with peer Y.Y.Y.Y



Pls treat this as a high priority and i gave most information for not making delay at  posting questions and clarifications from your side again and again

Regards
Ramu
ap-log.txt
sh-version-1600-series.txt
Switch-conf-23DEC13-2PM.TXT
0
Comment
Question by:RAMU CH
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39739144
This isn't what you will want to hear, but you should probably reinstall the vWLC.  This is a time issue, and if you installed the vWLC while the time was wrong in VMWare, the certificate on the vWLC will always be out of date.

%PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed.  The certificate (SN: 1000) is not yet valid   Validity period starts on 14:51:37 UTC Dec 24 2013Peer certificate verification failed 001A
So, set the time properly in the VMWare host, reinstall the vWLC and set the time correctly when you run through the configuration wizard, then the AP will join properly.
0
 
LVL 1

Author Comment

by:RAMU CH
ID: 39739176
Thanks for the helpful information..

I would like to inform that

At access-point when i check the time using "  show clock " command it has shown that
UTC , Pls refer below command output

APc08c.606b.1d4e#sh clock
*11:05:18.423 UTC Tue Dec 24 2013

Where as controller selected timezone with  calcutta/newdelhi time zone

Core-Switch side NTP configured as below :

ntp authentication-key 123 md5 09425A19 7
ntp master
time-range blocked_hours
 periodic weekdays 9:00 to 14:00
!


While configuring VWLC , i gave NTP server as Core-swtch IP address..

So what do you suggest for synchronizing AP and WLC time zones..

Regards
Ram
0
 
LVL 46

Accepted Solution

by:
Craig Beck earned 2000 total points
ID: 39739181
AP and WLC timezones are no issue.  You can join an AP in one country/continent to a WLC in another without an issue.

The problem is that the VMWare host's time is probably incorrect, or was incorrect when the vWLC was installed.  The guest VM will take the time from VMWare by default unless you disable time integration services in the guest's VM settings.
0
Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more

 
LVL 1

Author Comment

by:RAMU CH
ID: 39739195
Should i integrate VMguest with NTP server? , if it synchronises ,will AP  immediately joins or

based on zone time differences AP  joins?

Regards
Ram
0
 
LVL 1

Author Comment

by:RAMU CH
ID: 39739204
Is there any changes needed at Core-Switch side? pls confirm
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39739206
You should let all your network devices use NTP if available, including the vWLC.

Unfortunately though if the time synchronizes it won't make the certificate become valid though as its validity length will be for a certain period only.  It's likely that your VMWare time is something like 2001, which would make the vWLC certificate expire in 2011.  The only way to fix this is to reinstall the vWLC.

You can backup the configuration and reapply it once the vWLC is rebuilt though.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39739221
There are no core switch changes which need to be made as far as I can see.  You don't really need DHCP option 60 (contrary to what people including Cisco say).

I would remove the usernames and passwords from the switch config file you posted though :-)
0
 
LVL 1

Author Comment

by:RAMU CH
ID: 39741438
Thanks craigbeck,
Your information was really helped me a lot..

Now i am happy that isssue has been resolved..Just configured ESX host pc as NTP client
then started joining acitivity

Thank you very much.

Pls close the request.
0
 
LVL 1

Author Closing Comment

by:RAMU CH
ID: 39741441
very good solution
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Using in-flight Wi-Fi when you travel? Business travelers beware! In-flight Wi-Fi networks could rip the door right off your digital privacy portal. That’s no joke either, as it might also provide a convenient entrance for bad threat actors.
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
This Micro Tutorial will show you how to maximize your wireless card to its maximum capability. This will be demonstrated using Intel(R) Centrino(R) Wireless-N 2230 wireless card on Windows 8 operating system.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question