Cisco WLC – Bad certificate alert received from peer

I came across this error where access points had disconnected from the Wireless LAN Controller over the past weeks and never reconnected to the WLC.

There was no evident logs in the syslog of the WLC, but when we connected to the console port of the access point, we could see the follow errors:

*Oct 6 12:04:00.588: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from *Oct 6 12:04:00.588: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer. *Oct 6 12:04:00.588: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to *Oct 6 12:04:00.589: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

Checking the certificate of the access points we could verify that the certificate installed when it was manufactured, had indeed expired.

AP# show crypto pki certificates Certificate Status: Available Certificate Usage: General Purpose Issuer: cn=Cisco Manufacturing CA o=Cisco Systems Subject: Name: C1130-001122aabbcc cn=C1130-001122aabbcc o=Cisco Systems l=San Jose st=California c=US CRL Distribution Points: Validity Date: start date: 10:09:50 UTC Sep 26 2006 end date: 10:19:50 UTC Sep 26 2016 Associated Trustpoints: Cisco_IOS_MIC_cert

So what had happened was simply that the certificate of the access points had expired due to their age.
If I set the time of the WLC back to September 25th of 2016, the access points would join prefectly, furthermore validating the certificate problem.

Since the softare releases,, and, the WLC can be configured to ignore expired certificates and let access points join regardless their expiration date.

The commands are as follows
For Version, use this command: config ap lifetime-check {mic|ssc} enable
For Versions and later, use this command: config ap cert-expiry-ignore {mic|ssc} enable


5.00 avg. rating (98% score) - 2 votes

One Response to Cisco WLC – Bad certificate alert received from peer

Leave a Reply

Your email address will not be published. Required fields are marked *