Archive for August, 2017

Cisco 1142 AP won’t join after WLC reboot.

Update: It looks like it is the end of the line for the 2106, because there has been no software update since 2015, which is the release I have installed.

I have a couple of Cisco LAP1142N access points and a Cisco WLC2106. I noticed some pretty consistent packet loss on the management interface of the WLC. I opted to reload the WLC, since it had been up a long time, to see if it would help. However, when it came up and the access points attempted to join the WLC, I was getting certificate errors like these:

*Aug 30 18:17:08.097: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Aug 30 18:17:08.097: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Aug 30 18:17:08.097: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:352 Certificate verified failed!
*Aug 30 18:17:08.097: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.0.141
*Aug 30 18:17:08.097: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.0.141:5246
*Aug 30 18:17:08.097: %DTLS-3-BAD_RECORD: Erroneous record received from 192.168.0.141: Malformed Certificate
*Aug 30 18:17:08.097: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.0.141:5246
*Aug 30 18:17:08.098: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
*Aug 30 18:17:08.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.0.141 peer_port: 5246
*Aug 30 18:17:08.095: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: myserialnumber) has expired. Validity period ended on 20:42:36 UTC Aug 18 2017
*Aug 30 18:17:08.096: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Aug 30 18:17:08.097: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Aug 30 18:17:08.097: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:352 Certificate verified failed!
*Aug 30 18:17:08.097: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.0.141
*Aug 30 18:17:08.097: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.0.141:5246
*Aug 30 18:17:08.097: %DTLS-3-BAD_RECORD: Erroneous record received from 192.168.0.141: Malformed Certificate
*Aug 30 18:17:08.097: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.0.141:5246
*Aug 30 18:17:08.098: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
*Aug 30 18:17:08.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.0.141 peer_port: 5246

I checked the time on all of the devices. My WLC is synced to my internal NTP server, and the access points were syncing their time with the WLC when they would load. I found the following field notice from Cisco that addresses the issue:

Field Notice: FN – 63942 – Wireless Lightweight Access Points and WLAN Controllers Fail to Create CAPWAP/LWAPP Connections Due to Certificate Expiration

I applied the workaround, since I currently do not have the software upgrade:

(Cisco Controller) config>ap lifetime-check mic enable

(Cisco Controller) config>ap lifetime-check ssc enable

(Cisco Controller) config>exit
(Cisco Controller) >save
(Cisco Controller) save>config

Are you sure you want to save? (y/n) y

Configuration Saved!

I reloaded one of the access points, but by the time it came up and joined, I noticed that the other access point had already joined, so I guess I didn’t need to do that.
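As an added example (not code from the post), the following Python checker reads AP console lines like the ones above, pulls the expired serial and validity end out of the `%PKI-3-CERTIFICATE_INVALID_EXPIRED` message, and decides whether the certificate has genuinely expired (the field notice case) or the log clock is simply behind the validity end, which is the NTP check made above. The sample lines are a constructed subset of the post's output, and the serial is the post's own placeholder.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the AP console lines quoted in the post
# (the serial is the post's own placeholder, not a real value).
SAMPLE_LOG = """\
*Aug 30 18:17:08.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.0.141 peer_port: 5246
*Aug 30 18:17:08.095: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: myserialnumber) has expired. Validity period ended on 20:42:36 UTC Aug 18 2017
*Aug 30 18:17:08.096: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Aug 30 18:17:08.097: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.0.141
*Aug 30 18:17:08.097: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.0.141:5246
"""

EXPIRED_RE = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\.\d+: %PKI-3-CERTIFICATE_INVALID_EXPIRED: "
    r".*\(SN: (?P<sn>[^)]+)\) has expired\. Validity period ended on "
    r"(?P<end>\d{2}:\d{2}:\d{2}) UTC (?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<year>\d{4})"
)
BAD_CERT_RE = re.compile(r"%DTLS-4-BAD_CERT: .*Peer IP: (?P<peer>[\d.]+)")


def analyze_join_log(text, log_year):
    """Explain a failed CAPWAP/DTLS join from AP console output.

    IOS timestamps carry no year, so the caller supplies log_year. Returns
    None if no expiry message is present; otherwise a dict whose 'verdict'
    is 'expired' (log time is past the validity end, the FN 63942 case) or
    'clock_skew' (log time is before the validity end, so check NTP first).
    """
    finding, peers = None, set()
    for line in text.splitlines():
        bad = BAD_CERT_RE.search(line)
        if bad:
            peers.add(bad["peer"])          # which peer presented the bad cert
        m = EXPIRED_RE.match(line)
        if m and finding is None:
            log_time = datetime.strptime(f"{m['ts']} {log_year}", "%b %d %H:%M:%S %Y")
            expired_at = datetime.strptime(
                f"{m['mon']} {m['day']} {m['year']} {m['end']}", "%b %d %Y %H:%M:%S")
            finding = {"serial": m["sn"], "expired_at": expired_at, "log_time": log_time}
    if finding is None:
        return None
    delta = finding["log_time"] - finding["expired_at"]
    finding["days_expired"] = delta.days
    finding["verdict"] = "expired" if delta.total_seconds() >= 0 else "clock_skew"
    finding["peers"] = sorted(peers)
    return finding
```

Running `analyze_join_log(SAMPLE_LOG, 2017)` reports the certificate as 11 days expired for peer 192.168.0.141; passing an earlier year instead yields `clock_skew`, which is the case where fixing time, not the certificate, is the answer.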

Enable Windows Server To Utilize Invoke-Command Remotely

When I attempted to use the PowerShell cmdlet Invoke-Command against an old server, I was getting the following:

Connecting to remote server servername failed with the following error message : The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests.
Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure
the WinRM service: “winrm quickconfig”. For more information, see the about_Remote_Troubleshooting Help topic.

Fortunately, it told me what to do to resolve the issue. Nice:

C:\>winrm quickconfig
WinRM already is set up to receive requests on this machine.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:

Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this
machine.

Make these changes [y/n]? y

WinRM has been updated for remote management.

Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this
machine.

Cisco 1941 password recovery

Note: This procedure is applicable to most Cisco routers; however, the key is knowing which configuration register value to use.

Turn the power off.
Turn the power on.
Around the time you see the following message, hit Ctrl-Break (yes, the Pause/Break key).

Readonly ROMMON initialized

You should be presented with the following prompt:

rommon 1 >

Enter confreg 0x2142:

rommon 1 > confreg 0x2142

Then, you will get the following message:

You must reset or power cycle for new config to take effect

Enter reset:

rommon 2 > reset

The router will reboot and start the initial configuration wizard. Just say “No” to skip. This will drop you to a “Router>” prompt.

Enter enable, and you will be presented with a “Router#” prompt.

Copy your startup-config to running-config (make sure you do not switch the order or you will lose your configuration):

Router#copy startup-config running-config

Then reset the password (I set it to “cisco” below.):

Router#configure term
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable secret cisco

Then, type the following:

config-register 0x2142

If you cannot remember the register number from earlier, you can find it by issuing the following:

Router(config)#do show version

Enter:

Router(config)#end

And save:

Router#write mem
Building configuration…
[OK]

Then reload to test:

Router#reload
Proceed with reload? [confirm]
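To make the note about "knowing the register" concrete, here is an added Python helper (not from the post) that decodes the standard IOS configuration-register bits, which is why 0x2142 boots the router without reading its startup-config, derives the recovery value from whatever register a router currently has, and parses the register line that `do show version` prints. The `show version` line is a constructed sample in the format IOS prints it.

```python
import re

# Added example, not from the post. Bit meanings are the standard IOS
# configuration-register ones: bits 0-3 boot field, bit 6 ignore NVRAM
# (startup-config), bit 8 Break key disabled after boot.
IGNORE_NVRAM = 0x0040
BREAK_DISABLED = 0x0100
BOOT_FIELD = 0x000F

# Constructed sample of the last line 'show version' prints, in IOS format.
SAMPLE_SHOW_VERSION = "Configuration register is 0x2142 (will be 0x2102 at next reload)"


def decode_confreg(value):
    """Name the register fields that matter for password recovery."""
    boot = value & BOOT_FIELD
    return {
        "boot_field": boot,
        "boot": {0: "stay in ROMMON", 1: "boot first image in flash"}.get(
            boot, "boot per boot system commands"),
        "ignore_nvram": bool(value & IGNORE_NVRAM),      # True for 0x2142
        "break_disabled": bool(value & BREAK_DISABLED),
    }


def recovery_register(current):
    """ROMMON confreg for recovery: the current value with bit 6 set."""
    return current | IGNORE_NVRAM


def restore_register(recovery):
    """Value to configure once the password is reset: bit 6 cleared again."""
    return recovery & ~IGNORE_NVRAM


def current_and_next_register(show_version_line):
    """Parse the register line 'do show version' prints; None if absent."""
    m = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)"
                  r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?",
                  show_version_line)
    if not m:
        return None
    nxt = int(m.group(2), 16) if m.group(2) else None
    return int(m.group(1), 16), nxt
```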
