Access point 1600i series not joining to Virtual wireless controller

Posted on 2013-12-25
Last Modified: 2016-11-23

Wireless controller details :

cisco virtual wireless controller version 7.4.110  

My access point details :

Cisco 1600 series access point (AP1G2-RCVK9W8-M), Version 15.2(2)JB2

Installation details :

Server : Dell
VMware ESXi 5.5

Configuration details :

Esxi management address :

Virtual Controller service port : connected to VLAN 2 access point (network)

virtual controller Management IP : -> connected to trunk link

Steps followed for join activity :

1. First Access point connected to VLAN 34 access point i.e Network

2. Got Access point IP through the DHCP server which is running at core-switch

3. From access-point I am able to ping to Controller Management IP i.e

4. But Access point not joining to the controller

5. Attached the console log of Access point

6. Next I have changed the Controller management to 34th VLAN IP i.e

7. Tried joining access-point, which is connected to 34 VLAN and got IP address 10.10.34.x

8. From AP it pings but not joining the controller, though both AP and controller are in same network.

Verification :

1. As the Google sites suggested, verified time setting at controller and AP and they are fine and showing updated time

2. Configured DHCP option 43 and 60 in core-switch DHCP pools for redirecting to the

3. Configured manually controller IP address in Access point

4. Bypassed the SSC validation using knob turnoff option and CLI command in controller also but no result

5. Cleared the capwap and restarted using clear capwap private-config command

6. I have cleared the AP conf using test capwap erase and test capwap restart commands

Pls confirm my queries :

1. Virtual wireless controller running 7.4 version and Access point running 15.2(2),

Do I need to downgrade / upgrade the access point image? If yes, which image should I download from Cisco site? Pls give clarification on this

2. As per the document Dell server doesn't support but installed but it is happening for UCS server deployed based controller also

3. I have attached Switch configuration (it is old config and by the time it hasn't configured DHCP options), pls verify NTP configuration, is that fine or should I change

Every time getting the following error at access point side :

Dec 24 10:56:51.023: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Dec 24 10:57:56.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: peer_port: 5246

*Dec 24 10:57:56.055: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed.  The certificate (SN: 1000) is not yet valid   Validity period starts on 14:51:37 UTC Dec 24 2013Peer certificate verification failed 001A

*Dec 24 10:57:56.055: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Dec 24 10:57:56.055: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:447 Certificate verified failed!
*Dec 24 10:57:56.055: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to

*Dec 24 10:57:56.055: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to

*Dec 24 10:57:56.059: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

The WLC says in the log:
*spamApTask7: Sep 14 13:18:34.485: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake with peer Y.Y.Y.Y
*spamApTask7: Sep 14 13:17:29.502: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake with peer Y.Y.Y.Y

Pls treat this as a high priority and I gave most information for not making delay at posting questions and clarifications from your side again and again

Question by:RAMU CH

Expert Comment

by:Craig Beck
ID: 39739144
This isn't what you will want to hear, but you should probably reinstall the vWLC.  This is a time issue, and if you installed the vWLC while the time was wrong in VMWare, the certificate on the vWLC will always be out of date.

%PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed.  The certificate (SN: 1000) is not yet valid   Validity period starts on 14:51:37 UTC Dec 24 2013Peer certificate verification failed 001A
So, set the time properly in the VMWare host, reinstall the vWLC and set the time correctly when you run through the configuration wizard, then the AP will join properly.

Author Comment

ID: 39739176
Thanks for the helpful information..

I would like to inform that

At access-point when I check the time using "show clock" command it has shown
UTC. Pls refer below command output

APc08c.606b.1d4e#sh clock
*11:05:18.423 UTC Tue Dec 24 2013

Whereas controller selected timezone with Calcutta/New Delhi time zone

Core-Switch side NTP configured as below :

ntp authentication-key 123 md5 09425A19 7
ntp master
time-range blocked_hours
 periodic weekdays 9:00 to 14:00

While configuring vWLC, I gave NTP server as Core-switch IP address..

So what do you suggest for synchronizing AP and WLC time zones..


Accepted Solution

Craig Beck earned 500 total points
ID: 39739181
AP and WLC timezones are no issue.  You can join an AP in one country/continent to a WLC in another without an issue.

The problem is that the VMWare host's time is probably incorrect, or was incorrect when the vWLC was installed.  The guest VM will take the time from VMWare by default unless you disable time integration services in the guest's VM settings.


Author Comment

ID: 39739195
Should I integrate VM guest with NTP server? If it synchronises, will AP immediately join, or will AP join based on zone time differences?


Author Comment

ID: 39739204
Are there any changes needed at Core-Switch side? Pls confirm

Expert Comment

by:Craig Beck
ID: 39739206
You should let all your network devices use NTP if available, including the vWLC.

Unfortunately, if the time synchronizes it won't make the certificate become valid though, as its validity length will be for a certain period only.  It's likely that your VMWare time is something like 2001, which would make the vWLC certificate expire in 2011.  The only way to fix this is to reinstall the vWLC.

You can backup the configuration and reapply it once the vWLC is rebuilt though.

Expert Comment

by:Craig Beck
ID: 39739221
There are no core switch changes which need to be made as far as I can see.  You don't really need DHCP option 60 (contrary to what people including Cisco say).

I would remove the usernames and passwords from the switch config file you posted though :-)

Author Comment

ID: 39741438
Thanks craigbeck,
Your information really helped me a lot..

Now I am happy that the issue has been resolved.. Just configured ESX host PC as NTP client
then started joining activity

Thank you very much.

Pls close the request.

Author Closing Comment

ID: 39741441
very good solution
