Cisco Bug: CSCuq19142 - LAP/WLC MIC or SSC lifetime expiration causes DTLS failure
May 18, 2018
- Cisco 5500 Series Wireless Controllers
Known Affected Releases
7.0(250.0) 7.4(130.0) 7.6(120.0) 8.0(115.0)
Symptom: Wireless Access Points fail to connect to the Wireless LAN Controller. Symptom 1 (where the AP's certificate has expired): At the time of the join failure, the WLC's msglog may show messages similar to the following: Jul 10 16:13:52.443 spam_lrad.c:6164 LWAPP-3-PAYLOAD_ERR: Join request does not contain valid certificate in certificate payload - AP 00:11:22:33:44:55 Symptom 2 (where the WLC's manufacturing installed certificate has expired): Once the WLC's MIC expires, the currently joined AP CAPWAP sessions will remain established. However, once an AP needs to reestablish the CAPWAP connection, it will fail. The AP logger will show messages similar to the following: *Oct 29 18:01:56.107: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 7E3446C40000000CBD95) has expired. Validity period ended on 14:38:08 UTC Oct 26 2021Peer certificate verification failed 001A *Oct 29 18:01:56.107: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:496 Certificate verified failed! *Oct 29 18:01:56.107: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.10.10:5246 *Oct 29 18:01:56.107: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.10.10:5246 On the WLC side, you will only see a message like this: *osapiBsnTimer: Oct 29 11:05:04.571: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2962 Failed to complete DTLS handshake with peer 192.168.202.8 Conditions: This symptom will occur after 10 years of the device manufacturing date. The oldest APs (1120, 1130, 1230, 1310 series) with MICs were manufactured in July 2005, so those APs will be unable to join AireOS controllers starting in July 2015. This problem also affects WLCs approximately 10 years after manufacturing date. For APs using Self-Signed Certificates (SSCs) that were generated by the Upgrade Tool, the symptom will occur on January 1, 2020. To determine when the AP's MIC was created, run this command on the WLC to find the SN: (Cisco Controller) >show ap inventory all Inventory for lap1130-sw3-9 NAME: "Cisco AP" , DESCR: "Cisco Wireless Access Point" PID: AIR-LAP1131AG-E-K9, VID: V01, SN: FCZ1128Q0PE NAME: "Dot11Radio0" , DESCR: "802.11G Radio" PID: UNKNOWN, VID: , SN: GAM112706LC NAME: "Dot11Radio1" , DESCR: "802.11A Radio" PID: UNKNOWN, VID: , SN: ALP112706LC The AP chassis SN is in the first section of the output, for example: PID: AIR-LAP1131AG-E-K9, VID: V01, SN: FCZ1128Q0PE The serial number format is: "LLLYYWWSSSS"; where "YY" is the year of manufacture and "WW" is the week of manufacture. The date code can be found in the 4 middle digits of the serial number. Manufacturing Year Codes: 01 = 1997 06 = 2002 11 = 2007 16 = 2012 02 = 1998 07 = 2003 12 = 2008 17 = 2013 03 = 1999 08 = 2004 13 = 2009 18 = 2014 04 = 2000 09 = 2005 14 = 2010 05 = 2001 10 = 2006 15 = 2011 Manufacturing Week Codes: 1-5 : January 15-18 : April 28-31 : July 41-44 : October 6-9 : February 19-22 : May 32-35 : August 45-48 : November 10-14 : March 23-27 : June 36-40 : September 49-52 : December Example: SN FCZ1128Q0PE has year code 11, meaning it was manufactured in 2007. The week code is 12, meaning it was manufactured in March. The SN can also be found using Prime Infrastructure Reporting to find SNs for all of the APs.
Related Community Discussions
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases