Cisco WLC AP cert issue: %DTLS-3-HANDSHAKE_FAILURE

Recently we were troubleshooting some network issues with a Cisco 1242 AP that suddenly stopped communicating with our WLC.

Controller firmware is 8.0.133

We consoled into the AP and found logs like the ones below. Logging into the WLC showed similar messages.

*spamApTask0:  %LWAPP-3-PAYLOAD_MISSING: spam_lrad.c:6433  Join request does not contain BOARD_DATA payload
*spamApTask5:  %CAPWAP-3-DECODE_ERR: capwap_ac_sm.c:4702 Error decoding Join request from AP 00:26:0b:10:34:70
*spamApTask6:  %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:844 Failed to complete DTLS handshake with peer 10.192.112.241
*spamApTask2:  %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:844 Failed to complete DTLS handshake with peer 10.10.91.20
*spamApTask6:  %CAPWAP-3-DECODE_ERR: capwap_ac_sm.c:4702 Error decoding Join request from AP 00:26:0b:10:34:70
*spamApTask5:  %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:844 Failed to complete DTLS handshake with peer 10.10.75.23
*spamApTask0:  %LWAPP-3-DECODE_ERR: spam_lrad.c:2364 Error decoding join request from AP 00:19:aa:35:10:88
*spamApTask0:  %LWAPP-3-KEY_ERR3: spam_crypto.c:1630 The system is unable to free public key for AP 00:19:aa:35:10:88
*spamApTask0:  %LWAPP-3-PAYLOAD_ERR: spam_lrad.c:7931 Join request does not contain valid certificate in certificate payload – AP 00:19:aa:35:10:88

It turned out the AP certificate had expired. To get around this we had to enable a command on the WLC that ignores the AP certificate's expiry. This happened because the Manufacturer Installed Certificate (MIC) on these APs is now more than ten years old and has expired, so the controller no longer accepts it.

I SSH’d into the controller and ran the following command:

config ap cert-expiry-ignore mic enable

This allowed the AP to come back online immediately.

If you happen to be on 7.0.252.X, the command and the logs are different:

log example:

Failed to complete DTLS handshake with peer 10.32.41.96 for AP 00:1d:45:36:97:30
*spamReceiveTask: Sep 19 21:42:59.855: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 10.32.41.101 for AP 00:1d:45:56:b6:1c

Each log line will of course differ in the IP/MAC. The command syntax to resolve this:

config ap lifetime-check {mic|ssc} enable

So:

config ap lifetime-check mic enable

config ap lifetime-check ssc enable


That should do it!
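As an added example (not code from the original post or from Cisco), the Python script below parses the WLC log formats shown above, both the 8.0.x lines that carry only the peer IP and the 7.0.252.X lines that name the AP MAC on the same line, and lists which APs show the DTLS handshake failure or the invalid-certificate payload error, so you can check those APs' MIC validity before changing the controller config. The sample log lines are constructed from the formats above.

```python
import re
from collections import defaultdict

# Constructed sample lines in the two formats the post shows (8.0.x and 7.0.252.X).
SAMPLE_LOG = """\
*spamApTask6:  %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:844 Failed to complete DTLS handshake with peer 10.192.112.241
*spamApTask0:  %LWAPP-3-PAYLOAD_ERR: spam_lrad.c:7931 Join request does not contain valid certificate in certificate payload - AP 00:19:aa:35:10:88
*spamApTask0:  %LWAPP-3-DECODE_ERR: spam_lrad.c:2364 Error decoding join request from AP 00:19:aa:35:10:88
*spamReceiveTask: Sep 19 21:42:59.855: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 10.32.41.101 for AP 00:1d:45:56:b6:1c
*spamApTask1:  %CAPWAP-3-DECODE_ERR: capwap_ac_sm.c:4702 Error decoding Join request from AP 00:26:0b:10:34:70
"""

# %FACILITY-SEVERITY-MNEMONIC: is the Cisco syslog message header.
MSG_RE = re.compile(r"%(?P<facility>[A-Z]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):")
PEER_RE = re.compile(r"peer (?P<ip>\d+\.\d+\.\d+\.\d+)")
AP_RE = re.compile(r"AP (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

# Mnemonics the post associates with an AP whose MIC is no longer accepted.
CERT_MNEMONICS = {"HANDSHAKE_FAILURE", "PAYLOAD_ERR", "DECODE_ERR", "PAYLOAD_MISSING", "KEY_ERR3"}

def parse_line(line):
    """Return (mnemonic, peer_ip, ap_mac) or None if the line has no syslog header."""
    m = MSG_RE.search(line)
    if not m:
        return None
    ip = PEER_RE.search(line)
    mac = AP_RE.search(line)
    return (m.group("mnemonic"), ip.group("ip") if ip else None,
            mac.group("mac").lower() if mac else None)

def summarize(log_text):
    """Group cert-related mnemonics per AP identity (MAC where known, else peer IP)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed or parsed[0] not in CERT_MNEMONICS:
            continue
        mnemonic, ip, mac = parsed
        key = mac or ip
        if key:
            hits[key].add(mnemonic)
    return dict(hits)

def likely_mic_expiry(summary):
    """APs with a DTLS failure or an invalid-certificate payload error are candidates
    for the expired-MIC condition described in the post; confirm on the AP console."""
    return sorted(k for k, v in summary.items()
                  if {"HANDSHAKE_FAILURE", "PAYLOAD_ERR"} & v)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ap in likely_mic_expiry(s):
        print(ap, sorted(s[ap]))
```

Feed it the output of `show msglog` or the controller's syslog export; the 8.0.x DTLS line identifies the AP only by peer IP, so match that IP against `show ap summary` to get the MAC.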

Cisco information:

https://supportforums.cisco.com/t5/wireless-mobility-documents/lightweight-ap-fail-to-create-capwap-lwapp-connection-due-to/ta-p/3155111


16 responses to “Cisco WLC AP cert issue: %DTLS-3-HANDSHAKE_FAILURE”

  1. Mark Edwards December 17, 2016 at 12:32 am

    Just note this fix is code dependent. Older versions won’t allow this command

  2. D@v3 December 21, 2016 at 12:27 am

    I had the same exact problem 2 months ago, WLC 2504, 1242 APs, and applied the same instructions to resolve the issue, but as Mark said, it did not work on my 8.0.110 firmware; I had to apply 8.0.133 to make it work. Next week I will upgrade to 8.0.140. Hope no big issues there.

  3. Nick April 23, 2018 at 1:18 pm

    Worked for me – many thanks

  4. Pingback: Cisco WLC AP 1240 series – cert issue | Server-Crew.com

  5. yannick August 22, 2018 at 7:10 pm

    Thanks a million!!!! You just saved me a lot of time with 1252 bases

  6. Michael November 4, 2018 at 5:40 am

    Thank you very much for sharing this info – fixed our issue quickly! We are on FW 8.0.152.0.
    Regards,
    Michael

  7. Padmika December 21, 2019 at 11:41 pm

    Thanks Heaps…!!! a timeless solution…!!!

  8. Flavio Barbosa December 8, 2020 at 10:54 am

    Thank you so much….

  9. Vijay January 5, 2021 at 6:19 am

    Worked for me also

  10. Alirio May 10, 2021 at 1:57 pm

    I’m running Software Version 8.0.115.0 and it said: “Incorrect usage” when I tried to run that command

  11. Alirio May 10, 2021 at 3:12 pm

    When I try to run the command, I get the message: “Incorrect usage”. I’m running Software Version 8.0.115.0

  12. Patrick July 13, 2021 at 9:14 am

    Thank you so much, this worked exactly!

  13. Pingback: Unos aps que no querían hacer join contra un WLC (Cisco) - Mundosysadmin

  14. San Silva January 29, 2022 at 9:59 pm

    Thank you so much for this instruction, help me a lot!!

  15. Asif Irfan September 15, 2022 at 4:36 am

    Thank you for writing this. It helped me restore the wireless network right away.
