Preview Tool

Cisco Bug: CSCut21564 - 5760 delays AP certificate processing resulting in DTLS failure

Last Modified

Dec 13, 2018

Products (1)

  • Cisco IOS

Known Affected Releases


Description (partial)

APs that could previously join the WLC (but have lost their connection) are unable to establish a DTLS connection with the 5760 at 3.6.1 software. Both the AP and WLC successfully validate the other's certificate. After the AP sends its cert to the WLC, it expects to receive the Change Cipher Spec message from the WLC. Instead, the WLC resends its Server Hello + Certificate followed by the Change Cipher Spec. The AP registers this error:

*Mar  2 14:54:58.327: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_record.c:394 BD is not of DTLS Change Cipher Spec type

WLC appears to pause for at least one second before retransmitting its certificate to the AP. This may be related to high CPU on the WLC (verify with 'show process cpu').

5760 WLC at 3.6.1

Related Community Discussions

Lightweight AP 3500 fail to join capwap/lwapp
Hi All I just took an old, never used 2012 manufactured AP 3502i-E out of the box (it had image (or something like this) preinstalled) and was unable to join it to any of my controllers. It's unable to build the DTLS connection to the controller. What I tried so far: manually upgrade the image in recovery on the AP to ap3g1-k9w8-mx.153-3.JD (from the 8.3.x release) changed the clock on an old WiSM running to the year 2012 set this command on the old controller "config ap lifetime-check ...
Latest activity: Feb 07, 2017
Bug details contain sensitive information and therefore require a account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.