A few days ago the user called to say that the wireless network in the administrative building was unusable and all the APs were showing bright red! Very strange, because it had been working normally the day before. How could they all go bad at once?
I rushed to the user's site and logged in to the WLC, and found that many APs were missing from the WLC. The missing APs were all 1131s, while the other models, 1142 and 1602, were working properly. Had they really all failed?
Looking at the WLC log, I vaguely remembered reading an article that said an AP can fail to register to the controller because of a certificate problem. To verify this, I took a known-good AP and connected it to the network, and found that the good AP still could not register to the controller. It seems that the certificate is out of date.
Reading further documentation, I found that an AP has a certificate installed internally at the factory. Once the AP has been in use longer than the certificate's validity period, it can no longer join the WLC. This period is generally 10 years. Checking with the user, this batch of 1131 APs was indeed deployed almost 10 years ago.
Checking Cisco's official documentation, I found that this is a bug: CSCuq19142.
The log on the WLC shows a message similar to this:
*osapiBsnTimer: Oct 11:05:04.571: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2962 Failed to complete DTLS handshake with peer 192.168.202.8
The log information on my controller was not saved, but it was the same as shown above.
The method for confirming the validity period of a certificate is as follows:
Run show ap inventory all on the controller.
The following is an excerpt from the Cisco official website: *********************************************
(Cisco Controller) >show ap inventory all
Inventory for lap1130-sw3-9
NAME: "Cisco AP", DESCR: "Cisco Wireless Access Point"
PID: AIR-LAP1131AG-E-K9, VID: V01, SN: FCZ1128Q0PE
NAME: "Dot11Radio0", DESCR: "802.11G Radio"
PID: UNKNOWN, VID: , SN: GAM112706LC
NAME: "Dot11Radio1", DESCR: "802.11A Radio"
PID: UNKNOWN, VID: , SN: ALP112706LC
The AP chassis SN is in the first section of the output, for example: PID: AIR-LAP1131AG-E-K9, VID: V01, SN: FCZ1128Q0PE
The serial number format is "LLLYYWWSSSS", where "YY" is the year of manufacture and "WW" is the week of manufacture. The date code can be found in the 4 middle digits of the serial number.
Manufacturing Year Codes:
01 = 1997    06 = 2002    11 = 2007    16 = 2012
02 = 1998    07 = 2003    12 = 2008    17 = 2013
03 = 1999    08 = 2004    13 = 2009    18 = 2014
04 = 2000    09 = 2005    14 = 2010
05 = 2001    10 = 2006    15 = 2011
Manufacturing Week Codes:
1-5: January      15-18: April    28-31: July         41-44: October
6-9: February     19-22: May      32-35: August       45-48: November
10-14: March      23-27: June     36-40: September    49-52: December
EXAMPLE: SN FCZ1128Q0PE had year code 11, meaning it was manufactured in 2007. The week code is a, meaning it was manufactured in March.
The SN can also be found using Prime Infrastructure Reporting to find SNs for all of the APs.
********************************************************************************************************************
I took a look at the AP information on my controller, as follows:
NAME: "Cisco AP", DESCR: "Cisco Wireless Access Point"
PID: AIR-LAP1131AG-C-K9, VID: V01, SN: FOC12172U3Q
NAME: "Dot11Radio0", DESCR: "802.11G Radio"
PID: UNKNOWN, VID: , SN: GAM12172U3Q
NAME: "Dot11Radio1", DESCR: "802.11A Radio"
PID: UNKNOWN, VID: , SN: ALP12172U3Q
NAME: "Cisco AP", DESCR: "Cisco Wireless Access Point"
PID: AIR-LAP1131AG-C-K9, VID: V01, SN: FOC12174E38
NAME: "Dot11Radio0", DESCR: "802.11G Radio"
PID: UNKNOWN, VID: , SN: GAM12174E38
NAME: "Dot11Radio1", DESCR: "802.11A Radio"
PID: UNKNOWN, VID: , SN: ALP12174E38
By comparison, my APs were found to have been manufactured in April 2008.
I really did not expect to be caught up in the APs' life-and-death crisis!
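The serial-number check described above, automated as an added example (not code from the original post or from Cisco): it pulls each AP chassis serial out of `show ap inventory all` output, decodes the manufacturing year and month with the code tables above, and flags APs whose factory certificate is at or near the 10-year mark. The function names, the 12-month warning window, counting the certificate lifetime from the manufacturing month, and the second serial in the sample are assumptions.

```python
import re
from bisect import bisect_right
from datetime import date

YEAR_BASE = 1996  # page's table: code 01 = 1997 ... 18 = 2014 (beyond 18 is an assumption)
# First week code of each month, from the page's week table (1-5 January, ...).
MONTH_START_WEEK = [1, 6, 10, 15, 19, 23, 28, 32, 36, 41, 45, 49]
CERT_LIFETIME_YEARS = 10  # assumption: the page's "generally 10 years"
# Chassis lines carry an AIR-... PID; radio lines have PID UNKNOWN and are skipped.
CHASSIS_RE = re.compile(
    r"PID:\s*(AIR-[\w-]+)\s*,\s*VID:\s*\w*\s*,\s*SN:\s*(\w+)", re.I)
SN_RE = re.compile(r"[A-Z]{3}(\d{2})(\d{2})[A-Z0-9]{4}")

def manufactured(sn):
    """Decode LLLYYWWSSSS into (year, month) using the page's code tables."""
    m = SN_RE.fullmatch(sn.upper())
    if not m:
        raise ValueError(f"serial does not match LLLYYWWSSSS: {sn!r}")
    yy, ww = int(m.group(1)), int(m.group(2))
    if yy < 1 or not 1 <= ww <= 53:
        raise ValueError(f"implausible date code in serial: {sn!r}")
    return YEAR_BASE + yy, bisect_right(MONTH_START_WEEK, ww)

def audit(inventory, today, warn_months=12):
    """Return one row per AP chassis: (pid, sn, made, approx_expiry, status)."""
    rows = []
    for pid, sn in CHASSIS_RE.findall(inventory):
        year, month = manufactured(sn)
        expiry = date(year + CERT_LIFETIME_YEARS, month, 1)
        months_left = (expiry.year - today.year) * 12 + expiry.month - today.month
        status = ("EXPIRED" if today >= expiry else
                  "EXPIRING" if months_left <= warn_months else "OK")
        rows.append((pid.upper(), sn.upper(), f"{year}-{month:02d}", expiry, status))
    return rows

# Constructed sample in the shape of `show ap inventory all` output;
# the second serial (FCZ1545A0BC) is made up for illustration.
SAMPLE = """\
Inventory for ap-floor1
NAME: "Cisco AP", DESCR: "Cisco Wireless Access Point"
PID: AIR-LAP1131AG-C-K9, VID: V01, SN: FOC12172U3Q
NAME: "Dot11Radio0", DESCR: "802.11G Radio"
PID: UNKNOWN, VID: , SN: GAM12172U3Q
Inventory for ap-floor2
NAME: "Cisco AP", DESCR: "Cisco Wireless Access Point"
PID: AIR-LAP1131AG-E-K9, VID: V01, SN: FCZ1545A0BC
"""

if __name__ == "__main__":
    for row in audit(SAMPLE, date.today()):
        print(*row, sep="  ")
```

Running the audit ahead of the 10-year mark gives time to plan a controller upgrade before APs start dropping off.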
There are currently two ways to deal with this problem:
(1) Upgrade the wireless controller. Some newer versions have disabled the MIC and SSC lifetime validity checks, allowing APs whose MIC or SSC is more than 10 years old to join. However, the upgrade may bring its own problem: the upgraded WLC may not support some older AP models. This requires careful consideration.
(2) Change the WLC's time, moving it forward, but not by too much, or some newer APs will not be supported.
Our solution here was to modify the WLC's time, putting the time forward by 4 years. After the adjustment, I observed the WLC and found that the dropped APs registered normally again. At this point, the fault was solved!
Handling the Cisco 1131 AP offline problem