AP Not Joining Controller – %DTLS-3-HANDSHAKE_FAILURE

Just a little bit of background to kick this one off. I have a 4506 chassis here at home (overkill, yes, I know) and I recently got a great deal on a PoE gigabit blade. I came home, installed the new module and got it powered up. All good there. I started moving devices over and things were working well. My wired desktop and IP phone came back online without an issue. That's when I realized it: my wireless network in the house was down.

What’s The Issue?

I started checking out the controller and I was getting messages like this (newest first):

*spamReceiveTask: Nov 17 19:14:32.385: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer for AP d0:d0:fd:cb:ae:5a 
*spamReceiveTask: Nov 17 19:14:23.408: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer for AP cc:ef:48:8f:89:76 
*spamReceiveTask: Nov 17 19:14:21.960: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer for AP 1c:df:0f:94:7d:75 
*spamReceiveTask: Nov 17 19:14:21.588: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer for AP 00:22:90:91:79:d3 

I found those errors in the log on the controller and knew something was up. It had been 10 minutes since I moved my access points to the new PoE module on my switch and they still hadn’t registered. I reset a few ports and even rebooted the controller with no luck. I started doing some research and sure enough, I wasn’t the first one to see this issue.

The Cause

Each access point ships from the factory with a certificate installed. In my case at home, they are all 3500i access points on a 4404 controller. When I consoled into the 3502i in my basement office, I saw messages about a certificate, including these:

*Nov 17 19:14:22.088: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Nov 17 19:14:22.088: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:352 Certificate verified failed!
*Nov 17 19:14:22.088: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP:
*Nov 17 19:14:22.088: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to
*Nov 17 19:14:22.091: %DTLS-3-BAD_RECORD: Erroneous record received from Malformed Certificate

Turns out that the factory-installed certificate (the MIC, or manufacturer installed certificate) is a 10-year cert, and in my case it expired October 15th of this year. The certificate is only validated during the DTLS handshake when an AP joins, so APs that were already registered kept working for the month after their certs expired. Moving them to the new PoE module power-cycled them, they had to rejoin, and that is when the expired certificate surfaced.
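If you want to confirm the same thing from logs rather than by consoling into every AP, the following is an added example (my own illustration, not code from the original post or from Cisco) that parses the controller messages and the AP console output shown above. It pulls out which APs are stuck in DTLS handshake failure and checks the AP capture for the bad-certificate signature. The regular expressions are written against the exact line formats on this page and are an assumption about that format, not a documented Cisco log schema; the fifth controller line is constructed to show a repeating AP.

```python
"""
Added example (not from the original post or from Cisco): list the APs that
are failing the DTLS handshake in a WLC message log, and check an AP console
capture for the certificate-verification failure that points at an expired
certificate.

The regexes are assumptions based on the log lines shown in the post.
"""
import re
from collections import Counter
from datetime import datetime

# Controller lines as shown in the post (newest first); the last line is
# constructed to show the same AP failing more than once.
WLC_LOG = """\
*spamReceiveTask: Nov 17 19:14:32.385: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer for AP d0:d0:fd:cb:ae:5a
*spamReceiveTask: Nov 17 19:14:23.408: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer for AP cc:ef:48:8f:89:76
*spamReceiveTask: Nov 17 19:14:21.960: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer for AP 1c:df:0f:94:7d:75
*spamReceiveTask: Nov 17 19:14:21.588: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer for AP 00:22:90:91:79:d3
*spamReceiveTask: Nov 17 19:13:02.101: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer for AP d0:d0:fd:cb:ae:5a
"""

# AP console lines as shown in the post.
AP_CONSOLE = """\
*Nov 17 19:14:22.088: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Nov 17 19:14:22.088: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:352 Certificate verified failed!
*Nov 17 19:14:22.088: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP:
*Nov 17 19:14:22.088: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to
*Nov 17 19:14:22.091: %DTLS-3-BAD_RECORD: Erroneous record received from Malformed Certificate
"""

TIMESTAMP = r"\w{3} +\d+ \d\d:\d\d:\d\d\.\d+"
# "*task: <ts>: %FACILITY-<sev>-MNEMONIC: text"  (assumed WLC format)
WLC_LINE = re.compile(
    r"^\*(?P<task>\w+): (?P<ts>" + TIMESTAMP + r"): "
    r"(?P<msg>%[A-Z]+-(?P<sev>\d)-[A-Z_]+): (?P<text>.*)$")
# "*<ts>: <MSG>: text"  (assumed AP console format; MSG may lack the % prefix)
AP_LINE = re.compile(r"^\*(?P<ts>" + TIMESTAMP + r"): (?P<msg>[^:\s]+): (?P<text>.*)$")
AP_MAC = re.compile(r"for AP (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)


def parse_wlc_log(text):
    """Return one dict per parsable controller line, in the order given."""
    events = []
    for line in text.splitlines():
        m = WLC_LINE.match(line.strip())
        if not m:
            continue  # unrelated or truncated line: skip, do not guess
        ev = m.groupdict()
        ev["sev"] = int(ev["sev"])
        # The log carries no year; strptime defaults it, which is fine for ordering.
        ev["time"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S.%f")
        mac = AP_MAC.search(ev["text"])
        ev["mac"] = mac.group("mac").lower() if mac else None
        events.append(ev)
    return events


def aps_failing_dtls(text):
    """Map AP MAC -> count of %DTLS-3-HANDSHAKE_FAILURE events, most-hit first."""
    hits = Counter(ev["mac"] for ev in parse_wlc_log(text)
                   if ev["msg"] == "%DTLS-3-HANDSHAKE_FAILURE" and ev["mac"])
    return dict(hits.most_common())


def parse_ap_console(text):
    """Return one dict per parsable AP console line."""
    return [m.groupdict() for m in
            (AP_LINE.match(l.strip()) for l in text.splitlines()) if m]


def ap_reports_bad_certificate(text):
    """True when the AP rejected the peer certificate and sent a fatal alert,
    which is the pattern the post shows for an expired certificate."""
    msgs = {ev["msg"] for ev in parse_ap_console(text)}
    return "%DTLS-4-BAD_CERT" in msgs and "%DTLS-5-SEND_ALERT" in msgs


def diagnose(wlc_text, ap_text=""):
    """Combine both views into one summary for the operator."""
    failing = aps_failing_dtls(wlc_text)
    bad_cert = ap_reports_bad_certificate(ap_text) if ap_text else None
    if failing and bad_cert:
        cause = ("DTLS failures with certificate rejection on the AP side: "
                 "check certificate validity dates and the controller clock")
    elif failing:
        cause = "DTLS handshake failures; capture an AP console to confirm the certificate path"
    else:
        cause = "no DTLS handshake failures in this log"
    return {"affected_aps": failing, "ap_side_bad_cert": bad_cert, "likely_cause": cause}


if __name__ == "__main__":
    import json
    print(json.dumps(diagnose(WLC_LOG, AP_CONSOLE), indent=2))
```

Feed it the output of the controller's message log and an AP console capture; the AP-side check is what separates "certificate rejected" from the other reasons a DTLS handshake can fail (a wrong controller clock, for example, produces the same controller-side message).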

The Resolution

Turns out this is an easy one, which worked out well for me. Nothing worse than explaining to your wife why the network at home is down! What you are doing is telling the controller to ignore the validity period (lifetime) of the AP certificates and let the access points register anyway; the controller still validates the certificate itself, it just stops rejecting it for being expired. The "mic" variant covers the factory-installed certificates and the "ssc" variant covers the self-signed certificates on older converted APs. Keep in mind that this is a deliberate weakening of AP authentication, so treat it as a workaround for legacy APs rather than a permanent setting. In the case of my 4404 controller I ran the following commands via SSH:

  • config ap lifetime-check mic enable
  • config ap lifetime-check ssc enable

Within seconds, I noticed my access points registering one by one and the issue was resolved. This is an odd one you will probably not normally run into, but if you have some legacy access points you may. Funny enough, those commands, which include the enable option, actually disable the check: "enable" turns on the behaviour of ignoring the certificate lifetime. Very odd. For more info on that, see the bug case h Hopefully this article helped if you were getting this error, and that you got the wireless network back up and running.

Kevin Blackburn

Cisco CCNP, Senior Network Engineer in the Healthcare Industry. Currently working on my CCIE R&S which is the focus of most of my latest blog posts. #NFD15 Delegate.
