Cisco WLC – Bad certificate alert received from peer

I came across this error after access points had, over the preceding weeks, disconnected from the Wireless LAN Controller (WLC) and never reconnected.

There were no telling entries in the WLC syslog, but when we connected to the console port of one of the access points we could see the following errors. The WLC (10.2.10.10, the DTLS peer on CAPWAP control port 5246) is rejecting the AP's certificate during the DTLS handshake with a fatal "Certificate unknown" alert, and the AP tears the session down:

*Oct 6 12:04:00.588: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.2.10.10
*Oct 6 12:04:00.588: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Oct 6 12:04:00.588: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.2.10.10:5246
*Oct 6 12:04:00.589: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

Checking the certificate on the access points, we could verify that the manufacturer-installed certificate (MIC, trustpoint Cisco_IOS_MIC_cert) had indeed expired:

AP# show crypto pki certificates
Certificate
  Status: Available
  Certificate Usage: General Purpose
  Issuer:
    cn=Cisco Manufacturing CA
    o=Cisco Systems
  Subject:
    Name: C1130-001122aabbcc
    ea=support@cisco.com
    cn=C1130-001122aabbcc
    o=Cisco Systems
    l=San Jose
    st=California
    c=US
  CRL Distribution Points:
    http://www.cisco.com/security/crl/cmca.crl
  Validity Date:
    start date: 10:09:50 UTC Sep 26 2006
    end date: 10:19:50 UTC Sep 26 2016
  Associated Trustpoints: Cisco_IOS_MIC_cert

So what had happened was simply that the certificates of the access points had expired due to their age: the MIC above was issued with a ten-year lifetime, and once its end date passes the WLC rejects it in the DTLS handshake, so the AP can never complete a CAPWAP join.
When I set the clock of the WLC back to September 25th, 2016, the access points joined perfectly, which further confirmed the certificate problem. That is a diagnostic only, not a fix to leave in place: a rolled-back clock corrupts log timestamps and every other validity-period check on the controller.
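The AP console alerts and the validity window from show crypto pki certificates are what you end up reading on every AP of an affected site, so here is a small Python audit helper as an added example. It is not code from the original post or from Cisco; the sample certificate output and console lines are constructed from what the post quotes (same example address and AP name), and the audit function, its status values and the WLC-clock argument are my own naming. It goes slightly beyond the post in that it checks both ends of the validity window, so a controller whose clock has reset far into the past (before the certificate's start date) is flagged as well as one that has moved past the end date.

```python
"""Audit helper for the AP join failure described above.

Added example, not code from the original post or from Cisco. It parses the
validity window out of `show crypto pki certificates` output and the fatal
DTLS alerts out of an AP console log, then answers two questions: is this
AP's MIC inside its validity window at a given WLC clock, and which peer
sent the fatal alert. The two sample inputs are constructed from the output
quoted in the post (same example address and AP name).
"""
import re
from datetime import datetime, timezone

# Constructed sample: the relevant part of the AP's `show crypto pki certificates`.
SHOW_CERT_OUTPUT = """\
Certificate
  Status: Available
  Certificate Usage: General Purpose
  Issuer:
    cn=Cisco Manufacturing CA
    o=Cisco Systems
  Subject:
    Name: C1130-001122aabbcc
    cn=C1130-001122aabbcc
    o=Cisco Systems
  Validity Date:
    start date: 10:09:50 UTC Sep 26 2006
    end   date: 10:19:50 UTC Sep 26 2016
  Associated Trustpoints: Cisco_IOS_MIC_cert
"""

# Constructed sample: AP console lines in the same format as the post's.
AP_CONSOLE_LOG = """\
*Oct 6 12:04:00.588: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.2.10.10
*Oct 6 12:04:00.588: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Oct 6 12:04:00.588: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.2.10.10:5246
*Oct 6 12:04:00.589: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
"""

# IOS prints validity timestamps as "HH:MM:SS UTC Mon DD YYYY"; real output pads
# "end" with extra spaces, which \s+ absorbs.
_VALIDITY_RE = re.compile(
    r"^\s*(start|end)\s+date:\s+(\d{2}:\d{2}:\d{2})\s+UTC\s+([A-Za-z]{3})\s+(\d{1,2})\s+(\d{4})",
    re.MULTILINE,
)
_FATAL_ALERT_RE = re.compile(
    r"%DTLS-5-ALERT: Received FATAL : (?P<alert>[A-Za-z ]+?) alert from (?P<peer>\d+\.\d+\.\d+\.\d+)"
)


def parse_validity(show_output):
    """Return (not_before, not_after) as aware UTC datetimes from show output."""
    found = {}
    for kind, hms, mon, day, year in _VALIDITY_RE.findall(show_output):
        stamp = datetime.strptime(f"{hms} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
        found[kind] = stamp.replace(tzinfo=timezone.utc)
    if "start" not in found or "end" not in found:
        raise ValueError("validity window not found in show output")
    return found["start"], found["end"]


def parse_clock(iso_text):
    """Accept '2016-09-25' or '2016-10-06T12:04:00'; treat naive values as UTC."""
    clock = datetime.fromisoformat(iso_text)
    return clock if clock.tzinfo else clock.replace(tzinfo=timezone.utc)


def cert_status(not_before, not_after, now):
    """Two-sided window check: a cert is rejected after not_after and also
    before not_before (a controller whose clock reset to 2000 hits the latter)."""
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"
    return "valid"


def find_fatal_alerts(log_text):
    """List (alert_description, peer_ip) for each fatal DTLS alert the AP received."""
    return [(m.group("alert"), m.group("peer")) for m in _FATAL_ALERT_RE.finditer(log_text)]


def audit(show_output, log_text, wlc_clock_iso):
    """Combine both checks for one AP at a given WLC clock (ISO 8601 text)."""
    not_before, not_after = parse_validity(show_output)
    now = parse_clock(wlc_clock_iso)
    return {
        "status": cert_status(not_before, not_after, now),
        "days_left": (not_after - now).days,
        "not_after": not_after.isoformat(),
        "alerts": find_fatal_alerts(log_text),
    }


if __name__ == "__main__":
    for clock in ("2016-09-25", "2016-10-06T12:04:00", "2000-01-01"):
        result = audit(SHOW_CERT_OUTPUT, AP_CONSOLE_LOG, clock)
        print(f"WLC clock {clock}: MIC {result['status']}, {result['days_left']} days left")
    print("fatal alerts:", find_fatal_alerts(AP_CONSOLE_LOG))
```

Run it against the show output collected from each AP (and the controller's own show time) to get a days_left figure per AP; a negative value explains a join failure, and a small positive one tells you which APs will drop next, which is the number you want before deciding whether to enable the expiry-ignore setting described below.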

Since software releases 7.0.252.0, 7.4.140.0, and 8.0.120.0, the WLC can be configured to ignore expired certificates and let access points join regardless of the expiration date of their MIC (manufacturer-installed certificate) or SSC (self-signed certificate).

The commands are as follows:
For Version 7.0.252.0, use this command: config ap lifetime-check {mic|ssc} enable
For Versions 7.4.140.0 and later, use this command: config ap cert-expiry-ignore {mic|ssc} enable

References

http://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuq19142


8 Responses to Cisco WLC – Bad certificate alert received from peer

  1. Hey, thank you all for this post. I came across it while troubleshooting my boss's lab at my house. I had to change the date in the WLC CLI; for some reason the GUI would not update using any of my browsers (FYI). Thanks again!!!

  2. I had the same issue following a power outage. The APs wouldn’t join the WLC.

    The AP was showing the following logs:
    *Jan 2 18:14:33.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.31.5.219 peer_port: 5246
    *Jan 2 18:14:33.535: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 172.31.5.219
    *Jan 2 18:14:33.535: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.31.5.219:5246

    The WLC2504 showed the time as 1st Jan 2000.

    I changed the time on the WLC to the year 2018. This made the AP join the WLC.

    Thanks for this post.

  3. Does anyone know how to get the cert on the AP to update so you don’t need to disable this feature? Is the cert included in the AP firmware, IOS image, etc. so APs could just be updated instead of disabling the security feature?
