
Cisco Bug: CSCuq19142 - LAP/WLC MIC or SSC lifetime expiration causes DTLS failure

Last Modified

Nov 16, 2018

Products (1)

  • Cisco 5500 Series Wireless Controllers

Known Affected Releases

7.0(250.0) 7.4(130.0) 7.6(120.0) 8.0(115.0)

Description (partial)

Symptom:
Wireless Access Points fail to connect to the Wireless LAN Controller.

Symptom 1 (where the AP's certificate has expired):

At the time of the join failure, the WLC's msglog may show messages similar to
the following:

Jul 10 16:13:52.443 spam_lrad.c:6164 LWAPP-3-PAYLOAD_ERR: Join request does not contain valid certificate in certificate payload - AP 00:11:22:33:44:55

Symptom 2 (where the WLC's manufacturing installed certificate has expired):

Once the WLC's MIC expires, the currently joined AP CAPWAP sessions will remain established.
However, once an AP needs to reestablish the CAPWAP connection, it will fail.

The AP logger will show messages similar to the following:

*Oct 29 18:01:56.107: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 7E3446C40000000CBD95) has expired.    Validity period ended on 14:38:08 UTC Oct 26 2021
Peer certificate verification failed 001A

*Oct 29 18:01:56.107: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:496 Certificate verified failed!
*Oct 29 18:01:56.107: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.10.10:5246
*Oct 29 18:01:56.107: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.10.10:5246

On the WLC side, you will only see a message like this:

*osapiBsnTimer: Oct 29 11:05:04.571: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2962 Failed to complete DTLS handshake with peer 192.168.202.8
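The messages quoted above are the only signal an operator gets that this bug, rather than an ordinary join problem, is in play, and the WLC-side line is generic. The following Python script is an added example, not part of Cisco's bug report or software: it classifies the AP-side and WLC-side lines quoted above (embedded as sample input) by which device reported them and which symptom they match, pulls out the expired certificate's serial and validity end, and returns a verdict on whose certificate is suspected. The regular expressions, field names and verdict labels are our own; only the message mnemonics come from the report.

```python
import re
from datetime import datetime

# Sample input: the AP-side and WLC-side lines quoted in the bug description,
# one message per string (the Symptom 1 join-failure line is included too).
AP_LOG_LINES = [
    "*Oct 29 18:01:56.107: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. "
    "The certificate (SN: 7E3446C40000000CBD95) has expired.    Validity period ended on 14:38:08 UTC Oct 26 2021",
    "Peer certificate verification failed 001A",
    "*Oct 29 18:01:56.107: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:496 Certificate verified failed!",
    "*Oct 29 18:01:56.107: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.10.10:5246",
    "*Oct 29 18:01:56.107: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.10.10:5246",
]
WLC_LOG_LINES_SYMPTOM2 = [
    "*osapiBsnTimer: Oct 29 11:05:04.571: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2962 "
    "Failed to complete DTLS handshake with peer 192.168.202.8",
]
WLC_LOG_LINES_SYMPTOM1 = [
    "Jul 10 16:13:52.443 spam_lrad.c:6164 LWAPP-3-PAYLOAD_ERR: Join request does not contain valid "
    "certificate in certificate payload - AP 00:11:22:33:44:55",
]

# Patterns for the message mnemonics shown in the report; group names are ours.
AP_CERT_EXPIRED = re.compile(
    r"%PKI-3-CERTIFICATE_INVALID_EXPIRED:.*?\(SN: (?P<cert_sn>[0-9A-Fa-f]+)\) has expired\."
    r".*?Validity period ended on (?P<ended>\d{2}:\d{2}:\d{2} UTC [A-Z][a-z]{2} \d{1,2} \d{4})")
AP_DTLS_ALERT = re.compile(
    r"%DTLS-5-SEND_ALERT: Send FATAL : (?P<alert>Bad certificate|Close notify) Alert to "
    r"(?P<peer>\d+(?:\.\d+){3}):(?P<port>\d+)")
WLC_HANDSHAKE_FAIL = re.compile(
    r"DTLS-3-HANDSHAKE_FAILURE:.*?Failed to complete DTLS handshake with peer (?P<peer>\d+(?:\.\d+){3})")
WLC_PAYLOAD_ERR = re.compile(
    r"LWAPP-3-PAYLOAD_ERR: Join request does not contain valid certificate in certificate payload - AP "
    r"(?P<ap_mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")


def classify_line(line):
    """Return a finding dict for one log line, or None if the line is unrelated."""
    m = AP_CERT_EXPIRED.search(line)
    if m:
        # The AP rejected the certificate the WLC presented: Symptom 2.
        ended = datetime.strptime(m.group("ended"), "%H:%M:%S UTC %b %d %Y")
        return {"source": "AP", "symptom": 2, "event": "peer_cert_expired",
                "cert_sn": m.group("cert_sn"), "validity_ended": ended}
    m = AP_DTLS_ALERT.search(line)
    if m:
        return {"source": "AP", "symptom": 2, "event": "dtls_alert",
                "alert": m.group("alert"), "peer": m.group("peer"), "port": int(m.group("port"))}
    m = WLC_HANDSHAKE_FAIL.search(line)
    if m:
        # Generic on the WLC side; on its own it does not say whose certificate failed.
        return {"source": "WLC", "symptom": None, "event": "dtls_handshake_failure", "peer": m.group("peer")}
    m = WLC_PAYLOAD_ERR.search(line)
    if m:
        # The WLC rejected the AP's certificate payload: Symptom 1.
        return {"source": "WLC", "symptom": 1, "event": "ap_cert_invalid", "ap_mac": m.group("ap_mac").lower()}
    return None


def triage(lines):
    """Summarise a batch of lines. verdict is 'ap_cert_expired' (Symptom 1),
    'wlc_cert_expired' (Symptom 2), 'inconclusive' (only the WLC's generic
    handshake failure was seen; check the AP console) or 'no_match'."""
    findings = [f for f in (classify_line(line) for line in lines) if f]
    events = {f["event"] for f in findings}
    if "ap_cert_invalid" in events:
        verdict = "ap_cert_expired"
    elif "peer_cert_expired" in events or any(f.get("alert") == "Bad certificate" for f in findings):
        verdict = "wlc_cert_expired"
    elif findings:
        verdict = "inconclusive"
    else:
        verdict = "no_match"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for name, batch in [("AP console", AP_LOG_LINES), ("WLC msglog (Symptom 2)", WLC_LOG_LINES_SYMPTOM2),
                        ("WLC msglog (Symptom 1)", WLC_LOG_LINES_SYMPTOM1)]:
        result = triage(batch)
        print(f"{name}: {result['verdict']} ({len(result['findings'])} matching lines)")
```

Run against the AP console lines the verdict is `wlc_cert_expired`, with the expired certificate's serial and validity end attached to the finding; run against only the WLC's DTLS-3-HANDSHAKE_FAILURE line it is `inconclusive`, which matches the report's point that the WLC side alone does not tell you which certificate has lapsed.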

Conditions:
This symptom occurs 10 years after the device's manufacturing date.
The oldest APs (1120, 1130, 1230, 1310 series) with MICs were manufactured in July 2005,
so those APs will be unable to join AireOS controllers starting in July 2015.

This problem also affects WLCs, approximately 10 years after their manufacturing date.

For APs using Self-Signed Certificates (SSCs) that were generated by the Upgrade Tool, the symptom will occur on January 1, 2020.

To determine when the AP's MIC was created, run this command on the WLC to find the SN:
(Cisco Controller) >show ap inventory all
Inventory for lap1130-sw3-9
NAME: "Cisco AP" , DESCR: "Cisco Wireless Access Point"
PID: AIR-LAP1131AG-E-K9, VID: V01, SN: FCZ1128Q0PE
NAME: "Dot11Radio0" , DESCR: "802.11G Radio"
PID: UNKNOWN, VID: , SN: GAM112706LC
NAME: "Dot11Radio1" , DESCR: "802.11A Radio"
PID: UNKNOWN, VID: , SN: ALP112706LC
The AP chassis SN is in the first section of the output, for example: PID: AIR-LAP1131AG-E-K9, VID: V01, SN: FCZ1128Q0PE
The serial number format is "LLLYYWWSSSS", where "YY" is the year of manufacture and "WW" is the week of manufacture; the date code is the 4 middle digits of the serial number.
Manufacturing Year Codes:
01 = 1997    06 = 2002    11 = 2007    16 = 2012
02 = 1998    07 = 2003    12 = 2008    17 = 2013
03 = 1999    08 = 2004    13 = 2009    18 = 2014
04 = 2000    09 = 2005    14 = 2010
05 = 2001    10 = 2006    15 = 2011

Manufacturing Week Codes:
 1-5  : January     15-18 : April    28-31 : July       41-44 : October
 6-9  : February    19-22 : May      32-35 : August     45-48 : November
10-14 : March       23-27 : June     36-40 : September  49-52 : December

Example: SN FCZ1128Q0PE has year code 11, meaning it was manufactured in 2007. The week code is 12, meaning it was manufactured in March.
Prime Infrastructure reporting can also be used to list the SNs of all APs at once.
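Decoding serial numbers by hand for a few hundred APs is error-prone, so the following Python script is an added example (not Cisco's code) that applies the LLLYYWWSSSS layout and the year and week tables above to a `show ap inventory all` capture: it picks the chassis SN out of each AP's "Cisco AP" section, skips the radio SNs, works out the build year and week, and predicts the 10-year MIC expiry (or the January 1, 2020 date for Upgrade Tool SSCs) so that APs can be sorted by how soon they will stop joining. The sample capture is the one quoted above plus a second AP whose name and SN are constructed for this example. Note that applied literally, the four middle digits of the quoted SN FCZ1128Q0PE are 1128, so the script reports year code 11 (2007) and week code 28 (July). Taking the Monday of the ISO week as the approximate build date is our assumption; Cisco's week numbering is not documented on this page.

```python
import re
from datetime import date

# Serial layout from the bug description: LLL = site, YY = year code,
# WW = week code, SSSS = sequence.
SERIAL_RE = re.compile(r"^(?P<site>[A-Z]{3})(?P<yy>\d{2})(?P<ww>\d{2})(?P<seq>[A-Z0-9]{4})$")

# Year codes exactly as tabulated above (01 = 1997 ... 18 = 2014); codes outside
# the table are rejected rather than extrapolated.
YEAR_CODES = {code: 1996 + code for code in range(1, 19)}

# Week-code ranges to month number, as tabulated above.
WEEK_RANGES = [(1, 5, 1), (6, 9, 2), (10, 14, 3), (15, 18, 4), (19, 22, 5), (23, 27, 6),
               (28, 31, 7), (32, 35, 8), (36, 40, 9), (41, 44, 10), (45, 48, 11), (49, 52, 12)]

MIC_LIFETIME_YEARS = 10                     # Conditions section: 10 years from manufacture
SSC_UPGRADE_TOOL_EXPIRY = date(2020, 1, 1)  # Conditions section: Upgrade Tool SSCs

# Sample 'show ap inventory all' output: the AP quoted in the report plus a
# second AP whose name and serial numbers are constructed for this example.
SHOW_AP_INVENTORY = """\
Inventory for lap1130-sw3-9
NAME: "Cisco AP" , DESCR: "Cisco Wireless Access Point"
PID: AIR-LAP1131AG-E-K9, VID: V01, SN: FCZ1128Q0PE
NAME: "Dot11Radio0" , DESCR: "802.11G Radio"
PID: UNKNOWN, VID: , SN: GAM112706LC
NAME: "Dot11Radio1" , DESCR: "802.11A Radio"
PID: UNKNOWN, VID: , SN: ALP112706LC
Inventory for ap-constructed-1
NAME: "Cisco AP" , DESCR: "Cisco Wireless Access Point"
PID: AIR-LAP1131AG-E-K9, VID: V01, SN: FTX0929ABCD
NAME: "Dot11Radio0" , DESCR: "802.11G Radio"
PID: UNKNOWN, VID: , SN: GAM092901AB
"""


def decode_serial(sn):
    """Split an LLLYYWWSSSS serial into year, week, month and approximate build date."""
    m = SERIAL_RE.match(sn.strip().upper())
    if not m:
        raise ValueError(f"{sn!r} is not in LLLYYWWSSSS form")
    yy, ww = int(m["yy"]), int(m["ww"])
    if yy not in YEAR_CODES:
        raise ValueError(f"year code {yy:02d} is outside the tabulated range 01-18")
    month = next((mo for lo, hi, mo in WEEK_RANGES if lo <= ww <= hi), None)
    if month is None:
        raise ValueError(f"week code {ww:02d} is outside the tabulated range 1-52")
    year = YEAR_CODES[yy]
    # Assumption: treat the Monday of ISO week WW as the build date.
    built = date.fromisocalendar(year, ww, 1)
    return {"sn": sn, "site": m["site"], "year": year, "week": ww, "month": month, "built": built}


def cert_expiry(sn, cert_type="MIC"):
    """Expected certificate expiry: build date + 10 years for a MIC, or the fixed
    Upgrade Tool date for an SSC (the serial is irrelevant in that case)."""
    if cert_type == "SSC":
        return SSC_UPGRADE_TOOL_EXPIRY
    built = decode_serial(sn)["built"]
    try:
        return built.replace(year=built.year + MIC_LIFETIME_YEARS)
    except ValueError:  # Feb 29 with no leap day ten years on
        return built.replace(year=built.year + MIC_LIFETIME_YEARS, day=28)


def chassis_serials(show_output):
    """Map AP name -> chassis SN: the PID/VID/SN line that follows NAME: "Cisco AP".
    Radio sections (Dot11Radio0/1) are skipped."""
    result, current, want_sn = {}, None, False
    for line in show_output.splitlines():
        line = line.strip()
        if line.startswith("Inventory for "):
            current, want_sn = line[len("Inventory for "):].strip(), False
        elif line.startswith('NAME: "Cisco AP"'):
            want_sn = True
        elif want_sn and line.startswith("PID:"):
            m = re.search(r"SN: (\S+)", line)
            if m and current:
                result[current] = m.group(1)
            want_sn = False
    return result


def expiry_report(show_output, as_of, cert_type="MIC"):
    """One row per AP with its decoded build date, predicted expiry and whether
    that date has already passed on as_of (a date or an ISO 'YYYY-MM-DD' string)."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    rows = []
    for ap, sn in chassis_serials(show_output).items():
        try:
            decoded = decode_serial(sn)
        except ValueError as exc:
            rows.append({"ap": ap, "sn": sn, "error": str(exc)})
            continue
        expires = cert_expiry(sn, cert_type)
        rows.append({"ap": ap, "sn": sn, "built": decoded["built"], "expires": expires,
                     "expired": as_of >= expires})
    return sorted(rows, key=lambda r: r.get("expires", date.max))


if __name__ == "__main__":
    for row in expiry_report(SHOW_AP_INVENTORY, as_of=date.today()):
        print(row)
```

The report is sorted by expiry date, so the APs that will stop joining first come out on top; an SSC run (`cert_type="SSC"`) collapses every row to the single January 1, 2020 date the report gives for Upgrade Tool certificates.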

Related Community Discussions

CSCuq19142 - My controller's MIC expired!
HELP! I am using a Cisco 4402 WLC with Cisco 3502i-A APs (there are a couple 1142i's, but it's primarily 3502). Just 2 days ago, I started noticing APs would be disappearing from the controller (AP counts were decreasing). At first, it was just one or two, but we recently just had a power outage, and NONE of them reconnected. I consoled into one of the APs directly, and this is what I found: *Mar 23 17:24:03.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.1.90.3 peer_port: ...
Latest activity: Apr 29, 2015