%PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID
Recently I was setting up my lab environment with a Cisco 1142 Access Point and a Cisco 2504 Wireless LAN Controller, and I ran into a minor issue. The Cisco 1142 Access Point was not joining the WLC. I was getting the following error messages when I consoled into the access point.
*Jan 1 04:35:10.126: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jan 1 04:35:10.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.10.41 peer_port: 5246
*Jan 1 04:35:10.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Jan 1 04:35:10.316: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed. The certificate (SN: 4E0E3D20000000116445) is not yet valid Validity period starts on 21:44:46 UTC Dec 7 2011
*Jan 1 04:35:10.317: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Jan 1 04:35:10.317: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Jan 1 04:35:10.317: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:333 Certificate verified failed!
*Jan 1 04:35:10.317: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.10.41
*Jan 1 04:35:10.318: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.10.41:5246
*Jan 1 04:35:10.318: %DTLS-3-BAD_RECORD: Erroneous record received from 19: Malformed Certificate
Initially I kinda jumped on the certificate issue and ran the following commands to resolve it, thinking perhaps there actually was an issue with the certificate on the WLC or the Access Point:
(WLC1) >show certificate summary
Web Administration Certificate................... 3rd Party
Web Authentication Certificate................... Locally Generated
Certificate compatibility mode:.................. off
Lifetime Check Ignore for MIC ................... Disable
Lifetime Check Ignore for SSC ................... Disable
(WLC1) >config ap cert-expiry-ignore mic enable
(WLC1) >config ap cert-expiry-ignore ssc enable
(WLC1) >show certificate summary
Web Administration Certificate................... 3rd Party
Web Authentication Certificate................... Locally Generated
Certificate compatibility mode:.................. off
Lifetime Check Ignore for MIC ................... Enable
Lifetime Check Ignore for SSC ................... Enable
This, however, did not resolve my issue, and the Cisco 1142 still was not joining the 2504 WLC. With a little bit more checking I felt pretty embarrassed, because I realized that the time on the Cisco 2504 WLC was wrong. So I fixed the time and date on the Cisco 2504 WLC; end result: the Cisco 1142 Access Point successfully joined the controller. The lesson in this is that sometimes the issue is right there in front of you and is pretty simple :). By the way, here is a good write-up on Access Points and certificates: Lightweight AP – Fail to create CAPWAP/LWAPP connection due to certificate expiration
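As an added illustration (not code from the original post), here is a small check that parses the %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID message and separates "the clock is behind" from "the certificate really is not valid yet". It assumes the clock values passed to diagnose() are read from the controller's `show time` (the AP takes its time from the WLC during the join, and the leading `*` on the AP's own timestamps is IOS's marker for an unsynchronised clock); the log text is a constructed sample modelled on the output above.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the AP console output in this post (not a real capture).
SAMPLE_LOG = """\
*Jan 1 04:35:10.126: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jan 1 04:35:10.316: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed. The certificate (SN: 4E0E3D20000000116445) is not yet valid Validity period starts on 21:44:46 UTC Dec 7 2011
*Jan 1 04:35:10.317: %CAPWAP-3-ERRORLOG: Certificate verification failed!
"""

# Captures the optional '*' (clock not authoritative), the certificate serial and the validity start.
NOT_YET_VALID = re.compile(
    r"^(?P<star>\*?)\w{3} +\d+ [\d:.]+: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID:.*?"
    r"\(SN: (?P<sn>[0-9A-Fa-f]+)\).*?Validity period starts on "
    r"(?P<time>\d{2}:\d{2}:\d{2}) UTC (?P<date>\w{3} \d{1,2} \d{4})"
)


def parse_not_yet_valid(log_text):
    """Return one dict per not-yet-valid event: serial, validity start (UTC),
    and whether the logging device flagged its own clock as unset ('*')."""
    events = []
    for line in log_text.splitlines():
        m = NOT_YET_VALID.search(line)
        if not m:
            continue
        start = datetime.strptime(f"{m['date']} {m['time']}", "%b %d %Y %H:%M:%S")
        events.append({
            "serial": m["sn"].upper(),
            "valid_from": start.replace(tzinfo=timezone.utc),
            "clock_unset": m["star"] == "*",
        })
    return events


def diagnose(event, device_clock, reference_clock):
    """device_clock: what the validating side believes the time is (here the WLC's 'show time').
    reference_clock: a time you trust (NTP server, your wristwatch).
    Only when the trusted time is also before the validity start is the certificate the problem."""
    valid_from = event["valid_from"]
    if reference_clock < valid_from:
        return "certificate genuinely not yet valid"
    if device_clock < valid_from:
        return "device clock is behind the validity start: fix time and date, not the certificate"
    return "clock is fine; investigate the certificate chain itself"


if __name__ == "__main__":
    for ev in parse_not_yet_valid(SAMPLE_LOG):
        # Hypothetical clocks: WLC set to 2005, a trusted source saying 2013.
        print(ev["serial"], diagnose(ev, ev["valid_from"].replace(year=2005),
                                     ev["valid_from"].replace(year=2013)))
```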