Cisco Bug: CSCsy88329 - AP fails on downloading code - Bad Record MAC - DTLS Encrypted Alerts

Last Modified

Mar 05, 2018

Products (1)

  • Cisco 5500 Series Wireless Controllers

Known Affected Releases

5.2(178.0)

Description (partial)

Symptom:
AP will not download code from a WLC running CAPWAP code.

CAPWAP debugs on the AP indicate a Bad Record MAC alert:
Mar 30 20:07:51.815: %DTLS-5-ALERT: Received FATAL : Bad Record MAC alert from ip-address

CAPWAP debugs on the WLC indicate invalid CAPWAP states:
*Apr 01 12:57:50.540: local_openssl_dtls_record_inspect: record=Alert epoch=1 seq=51
*Apr 01 12:57:50.540: Invalid event 16 & state 0 combination
*Apr 01 12:57:50.540: Failed to process CAPWAP packet from ip-addr:port
*Apr 01 12:57:50.540: Failed to process packet from ip-addr:port
*Apr 01 12:57:51.297: Received CAPWAP_MESSAGE
*Apr 01 12:57:51.297: CAPWAP Control Msg Received from ip-addr:port

*Apr 01 12:57:51.297: xx:xx:xx:xx:xx:xx packet received of length 53 from ip-addr:port
*Apr 01 12:57:51.297: xx:xx:xx:xx:xx:xx Msg Type = 1 Capwap state = 10
*Apr 01 12:57:51.297: Invalid event 1 & state 10 combination
*Apr 01 12:57:51.297: xx:xx:xx:xx:xx:xx State machine handler: Failed to process  msg type = 1 state = 10 from ip-addr:port
*Apr 01 12:57:51.297: Failed to parse CAPWAP packet from ip-addr:port
*Apr 01 12:57:51.297: Failed to process packet from ip-addr:port

A wire sniffer capture taken while the AP is downloading code shows
DTLSv1.0 Application Data

followed by one or more packets indicating
DTLSv1.0 Encrypted Alert

Sometimes a bad UDP checksum is seen for a packet sent by the AP to WLC.

Conditions:
WLC is running 5.2.157.0 and 5.2.178.0

Seen with the following AP series: 1240, 1310, 1140.
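
The log signature described above can be checked mechanically across collected AP and WLC debugs. The following Python script is an added example, not Cisco code: the function name `triage` and its report fields are assumptions, and the sample lines are copied from the debug output on this page.

```python
import re

# Signatures copied from the debug output quoted in this bug description.
AP_ALERT = re.compile(r"%DTLS-5-ALERT: Received FATAL : Bad Record MAC alert")
WLC_ALERT = re.compile(r"local_openssl_dtls_record_inspect: record=Alert epoch=(\d+) seq=(\d+)")
WLC_STATE = re.compile(r"Invalid event (\d+) & state (\d+) combination")
# WLC releases named under "Conditions" on this page.
AFFECTED = {"5.2.157.0", "5.2.178.0"}

def triage(ap_lines, wlc_lines, wlc_release):
    """Report which parts of the CSCsy88329 log signature are present."""
    ap_alerts = sum(1 for line in ap_lines if AP_ALERT.search(line))
    dtls_alerts = []   # (epoch, seq) of each Alert record the WLC inspected
    bad_states = []    # (event, state) pairs the CAPWAP state machine rejected
    for line in wlc_lines:
        if m := WLC_ALERT.search(line):
            dtls_alerts.append((int(m.group(1)), int(m.group(2))))
        elif m := WLC_STATE.search(line):
            bad_states.append((int(m.group(1)), int(m.group(2))))
    return {
        "ap_bad_record_mac": ap_alerts,
        "wlc_dtls_alerts": dtls_alerts,
        "wlc_invalid_states": bad_states,
        "release_affected": wlc_release in AFFECTED,
        # All three log symptoms plus a listed release: worth checking against this bug.
        "candidate": bool(ap_alerts and dtls_alerts and bad_states
                          and wlc_release in AFFECTED),
    }

# Sample input: lines copied from this page (ip-address / ip-addr:port are its placeholders).
AP_LOG = [
    "Mar 30 20:07:51.815: %DTLS-5-ALERT: Received FATAL : Bad Record MAC alert from ip-address",
]
WLC_LOG = [
    "*Apr 01 12:57:50.540: local_openssl_dtls_record_inspect: record=Alert epoch=1 seq=51",
    "*Apr 01 12:57:50.540: Invalid event 16 & state 0 combination",
    "*Apr 01 12:57:51.297: xx:xx:xx:xx:xx:xx Msg Type = 1 Capwap state = 10",
    "*Apr 01 12:57:51.297: Invalid event 1 & state 10 combination",
]

if __name__ == "__main__":
    for key, value in triage(AP_LOG, WLC_LOG, "5.2.178.0").items():
        print(f"{key}: {value}")
```

A `candidate` result only means the logs and release match what this page lists; the sniffer symptoms (Encrypted Alert after Application Data, occasional bad UDP checksum) still need to be confirmed from a capture.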