I was troubleshooting a Cisco WLC configured as FlexConnect (or H-REAP) to a remote AP 1242 that wouldn't join. You can view WLC logs under Management > Logs > Message Logs.
*spamApTask2: Aug 26 13:37:28.876:
#DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete DTLS handshake
with peer 192.168.10.14 for AP d4:6d:50:88:12:34
*spamApTask3: Aug 26
13:36:13.824: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete
DTLS handshake with peer 192.168.10.14 for AP d4:6d:50:88:12:34
*spamApTask2: Aug 26
13:35:03.936: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:681 Failed to complete
DTLS handshake with peer 192.168.10.14 for AP d4:6d:50:88:12:34
<OUTPUT TRUNCATED>
(Cisco Controller)
>show ap join stats summary all
Number of
APs.............................................. 1
Base Mac AP EthernetMac AP Name IP Address Status
00:3a:99:12:ab:cd
58:8d:09:03:12:34 ap01 192.168.10.14 Not Joined
Since DTLS need accurate date and time, I tried to manually configure the WLC date/time, timezone under Commands > Set Time and also removed NTP but still no joy.
I also tried to upgrade the WLC AireOS 7.4.121.0 > 7.4.150.0 but still AP won't join the WLC.
My search led me to an expired WLC Manufacturer Installed Certificate (MIC) which has reached its 10 year expiration date. Below are some WLC commands as a workaround.
(Cisco Controller)
>config ap ?
802.1Xuser Configures the dot1x user for AP.
SSH Enables/Disables SSH.
add Adds a Foreign Access Point.
bhrate Configures Cisco Bridge Backhaul Tx
Rate.
bridgegroupname
Sets/Deletes bridge group name.
bridging Enables/Disables Ethernet-to-Ethernet
bridging.
cdp Enable/Disable CDP on Cisco AP.
cert-expiry-ignore
Configures cert-expiry-ignore check operation.
core-dump Configures the AP's memory core dump.
country Configures the country of operation.
crash-file Manages crash data and radio core files.
delete Deletes a Foreign Access Point.
disable Disables Cisco APs
enable Enables Cisco APs
ethernet Configures Ethernet Port of the AP
flexconnect Enables/Disables VLAN on the flexconnect.
group-name Configures the group name.
hotspot Configures Hotspot configs on the AP.
image Configure image.
led-state Enables/Disables the LED-State or
configure LED flash
link-encryption
Capwap Data Link encryption options
--More-- or (q)uit
link-latency Configures Link Latency Feature.
location Configures the Location.
logging Configures the AP logging.
mgmtuser Configures the user for AP management.
mode Configures an AP's mode of operation.
monitor-mode Configures an AP's monitor-mode channel
optimization.
name Configures the Name of an AP.
packet-dump Configure AP Packet Capture parameters
port Configures the port for a Foreign
Access Point.
power Configures Cisco Power over Ethernet
(PoE) feature for an AP
primary-base Configures the Primary Cisco Switch for an
AP.
priority Configure the AP's priority.
reporting-period
Configures the AP's rogue/error reporting period
reset Resets an AP
retransmit Configures AP Control packet
retransmission parameters.
role Configures an AP's Bridge role of operation.
rst-button Enables or disables the Reset Button.
secondary-base
Configures the Secondary Cisco Switch for an AP.
sniff Enables/Disables sniffing on a radio.
static-IP Enables/Disables/Changes an AP's static
IP address configuration
stats-mode Configures the mode(realtime vs normal) in
which statistics are sent from an AP
stats-timer Configures the frequency at which
statistics are sent from an AP
syslog Configures the system logging settings
for an AP
--More-- or (q)uit
tcp-mss-adjust
Configures TCP on Cisco AP.
telnet Enables/Disables telnet.
tertiary-base Configures the Tertiary Cisco Switch for an
AP.
tftp-downgrade
Initiates AP's image downgrade from a TFTP server
(Cisco Controller)
>config ap cert-expiry-ignore ?
mic Configures cert-expiry-ignore check
operation for MIC.
ssc Configures cert-expiry-ignore check
operation for SSC.
(Cisco Controller)
>config ap cert-expiry-ignore mic ?
enable Enabling will ignore the
lifetime-check for MIC.
disable Disabling will do the lifetime-check
for MIC.
(Cisco Controller)
>config ap cert-expiry-ignore mic enable
(Cisco Controller)
>config ap cert-expiry-ignore ssc ?
enable Enabling will ignore the
lifetime-check for SSC.
disable Disabling will do the lifetime-check
for SSC.
(Cisco Controller)
>config ap cert-expiry-ignore ssc enable
(Cisco Controller)
>config auth-list ?
add Creates an authorized AP entry.
ap-policy Configures an AP authorization policy.
delete Delete an existing AP entry.
(Cisco Controller)
>config auth-list ap-policy ?
authorize-ap Configures AP authorization policies.
authorize-lsc-ap Use
auth-list to Authorize APs with Locally Significant Certificate.
ssc Configures authorization of APs
with self-signed certificate.
mic Configures authorization of APs
with manufacturing-installed certificates.
lsc Configures authorization of APs
with locally significant certificates.
(Cisco Controller)
>config auth-list ap-policy ssc ?
enable Allows APs with self-signed
certificates to connect.
disable Disallows APs with self-signed
certificates to connect.
(Cisco Controller)
>config auth-list ap-policy ssc enable
(Cisco Controller)
>config certificate ?
compatibility Configure certificate compatibility mode.
generate Generates new certificates.
lsc Configure Locally Significant
Certificates (LSC)
ssc Configure Self Signed Certificates
(SSC)
use-device-certificate
Use device certificate.
(Cisco Controller)
>config certificate ssc ?
hash Configure Self Signed Certificates
hash
(Cisco Controller)
>config certificate ssc hash ?
validation Configures validation of SSC Hash
(Cisco Controller)
>config certificate ssc hash validation ?
enable Enable hash validation of SSC
certificate
disable Disable hash validation of SSC
certificate
(Cisco Controller)
>config certificate ssc hash validation
enable
(Cisco Controller)
>save config
Are you sure you
want to save? (y/n) y
Configuration Saved!
After the said commands were configured, the AP 1242 joined the WLC again.
(Cisco Controller)
>show ap join stats summary all
Number of
APs.............................................. 1
Base Mac AP EthernetMac AP Name IP Address Status
00:3a:99:12:ab:cd
58:8d:09:03:12:34 ap01 192.168.10.14 Joined