[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5987
  • Last Modified:

Access point 1600i series not joining to Virtual wireless controller

Hi,


Wireless controller details :

cisco virtual wireless controller version 7.4.110  

My access point details :

cisco 1600 series acesspoint  (AP1G2-RCVK9W8-M), Version 15.2(2)JB2


Installation details :

Server : Dell
VMware ESXi 5.5

Configuraiton detials :

Esxi management address : 10.10.2.15

Virtual Controller service port : 10.10.2.16 connected to VLAN 2 acces point(10.10.2.0/24 network)  

virtual controller Management IP : 10.10.150.10 -> connected to trunk link


Steps folowed for join activity :

1. First Access point connected to VLAN 34 access point i.e 10.10.34.0 Network

2.Got Access point ip through DHCP server is which is running at core-switch

3.From access-point i am able to ping to COntroller Management ip i.e 10.10.150.10

4.But Access point not joining to the controller

5. Attached the console log of Access point


6. Next i have changed the COntroller management to 34th vlan ip i.e 10.10.34.200

7. Tried joining access-point,which is connedted to 34 vlan and got Ip address 10.10.34.x

8. From AP it is ping but not joining the controller , though both AP and controller are in same network.




Verification :

1. As per the google sites suggested , verified time setting at controller and AP and they are fine and showing updated time

2,configured DHCP option 43 and 60 in core-switch DHCP pools for redirecting to the
controller.

3. configured manually controller ip address  in Access point

4. by passed the ssc validation using knob turnoff option and cli command in controller also but no result

5. clear the capwap and restart using clear capwap privarte-config command

6.i have cleared the AP conf using test capwap erase and test capwap restart aommands




Pls confirm my queries :

1. Virtual wireless controller running 7.4 version and Access point running 15.2(2),

Do i need to downgrade / upgrade the access point image? if yes what is the image should i download from cisco site.. pls give clarification on this

2. As per the document Dell server doesn't support but installed but it is happening for UCS server depolyed based controller also

3. I have attached Switch configuration (it is old config and by the time it hasn't configured DHCP options) , pls verify NTP configuration , is that fine or should i change


Every time getting the following error at access point side :

Dec 24 10:56:51.023: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Dec 24 10:57:56.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.150.10 peer_port: 5246

*Dec 24 10:57:56.055: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed.  The certificate (SN: 1000) is not yet valid   Validity period starts on 14:51:37 UTC Dec 24 2013Peer certificate verification failed 001A

*Dec 24 10:57:56.055: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Dec 24 10:57:56.055: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:447 Certificate verified failed!
*Dec 24 10:57:56.055: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.10.150.10:5246

*Dec 24 10:57:56.055: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.150.10:5246

*Dec 24 10:57:56.059: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.



The WLC saids in the log:
 
*spamApTask7: Sep 14 13:18:34.485: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake with peer Y.Y.Y.Y
*spamApTask7: Sep 14 13:17:29.502: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake with peer Y.Y.Y.Y



Pls treat this as a high priority and i gave most information for not making delay at  posting questions and clarifications from your side again and again

Regards
Ramu
ap-log.txt
sh-version-1600-series.txt
Switch-conf-23DEC13-2PM.TXT
0
RAMU CH
Asked:
RAMU CH
  • 5
  • 4
1 Solution
 
Craig BeckCommented:
This isn't what you will want to hear, but you should probably reinstall the vWLC.  This is a time issue, and if you installed the vWLC while the time was wrong in VMWare, the certificate on the vWLC will always be out of date.

%PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed.  The certificate (SN: 1000) is not yet valid   Validity period starts on 14:51:37 UTC Dec 24 2013Peer certificate verification failed 001A
So, set the time properly in the VMWare host, reinstall the vWLC and set the time correctly when you run through the configuration wizard, then the AP will join properly.
0
 
RAMU CHAuthor Commented:
Thanks for the helpful information..

I would like to inform that

At access-point when i check the time using "  show clock " command it has shown that
UTC , Pls refer below command output

APc08c.606b.1d4e#sh clock
*11:05:18.423 UTC Tue Dec 24 2013

Where as controller selected timezone with  calcutta/newdelhi time zone

Core-Switch side NTP configured as below :

ntp authentication-key 123 md5 09425A19 7
ntp master
time-range blocked_hours
 periodic weekdays 9:00 to 14:00
!


While configuring VWLC , i gave NTP server as Core-swtch IP address..

So what do you suggest for synchronizing AP and WLC time zones..

Regards
Ram
0
 
Craig BeckCommented:
AP and WLC timezones are no issue.  You can join an AP in one country/continent to a WLC in another without an issue.

The problem is that the VMWare host's time is probably incorrect, or was incorrect when the vWLC was installed.  The guest VM will take the time from VMWare by default unless you disable time integration services in the guest's VM settings.
0
A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

 
RAMU CHAuthor Commented:
Should i integrate VMguest with NTP server? , if it synchronises ,will AP  immediately joins or

based on zone time differences AP  joins?

Regards
Ram
0
 
RAMU CHAuthor Commented:
Is there any changes needed at Core-Switch side? pls confirm
0
 
Craig BeckCommented:
You should let all your network devices use NTP if available, including the vWLC.

Unfortunately though if the time synchronizes it won't make the certificate become valid though as its validity length will be for a certain period only.  It's likely that your VMWare time is something like 2001, which would make the vWLC certificate expire in 2011.  The only way to fix this is to reinstall the vWLC.

You can backup the configuration and reapply it once the vWLC is rebuilt though.
0
 
Craig BeckCommented:
There are no core switch changes which need to be made as far as I can see.  You don't really need DHCP option 60 (contrary to what people including Cisco say).

I would remove the usernames and passwords from the switch config file you posted though :-)
0
 
RAMU CHAuthor Commented:
Thanks craigbeck,
Your information was really helped me a lot..

Now i am happy that isssue has been resolved..Just configured ESX host pc as NTP client
then started joining acitivity

Thank you very much.

Pls close the request.
0
 
RAMU CHAuthor Commented:
very good solution
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now