Update: It looks like this is the end of the line for the 2106, because there is no update, and there hasn’t been one since the 2015 release, which is the one I have installed.

I have a couple of Cisco LAP1142N access points and a Cisco WLC2106. I noticed some pretty consistent packet loss on the management interface of the WLC. Since it had been up a long time, I opted to reload the WLC to see if that would help. However, when it came back up and the access points attempted to join it, I got certificate errors like these:

*Aug 30 18:17:08.097: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Aug 30 18:17:08.097: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Aug 30 18:17:08.097: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:352 Certificate verified failed!
*Aug 30 18:17:08.097: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.0.141
*Aug 30 18:17:08.097: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.0.141:5246
*Aug 30 18:17:08.097: %DTLS-3-BAD_RECORD: Erroneous record received from 192.168.0.141: Malformed Certificate
*Aug 30 18:17:08.097: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.0.141:5246
*Aug 30 18:17:08.098: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
*Aug 30 18:17:08.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.0.141 peer_port: 5246
*Aug 30 18:17:08.095: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: myserialnumber) has expired. Validity period ended on 20:42:36 UTC Aug 18 2017
*Aug 30 18:17:08.096: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Aug 30 18:17:08.097: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Aug 30 18:17:08.097: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:352 Certificate verified failed!
*Aug 30 18:17:08.097: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.0.141
*Aug 30 18:17:08.097: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.0.141:5246
*Aug 30 18:17:08.097: %DTLS-3-BAD_RECORD: Erroneous record received from 192.168.0.141: Malformed Certificate
*Aug 30 18:17:08.097: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.0.141:5246
*Aug 30 18:17:08.098: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
*Aug 30 18:17:08.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.0.141 peer_port: 5246

I checked the time on all of the devices. My WLC is synced to my internal NTP server, and the access points sync their time from the WLC when they load. I found the following field notice from Cisco, which addresses the issue:

Field Notice: FN – 63942 – Wireless Lightweight Access Points and WLAN Controllers Fail to Create CAPWAP/LWAPP Connections Due to Certificate Expiration
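As an added example that is not part of the original post, the Python check below parses AP console lines like the ones quoted above and separates a certificate that has genuinely expired (the FN63942 case, where the lifetime-check workaround applies) from a device whose clock is simply ahead, by comparing the logged validity end against a time taken from a trusted source such as the NTP server. The regexes, the sample log and the function names are constructed here from the quoted lines and are not Cisco's.

```python
import re
from datetime import datetime, timezone

# Console output constructed from the AP log lines quoted in the post above.
SAMPLE_LOG = """\
*Aug 30 18:17:08.095: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: myserialnumber) has expired. Validity period ended on 20:42:36 UTC Aug 18 2017
*Aug 30 18:17:08.096: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Aug 30 18:17:08.097: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.0.141
*Aug 30 18:17:08.097: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.0.141:5246
*Aug 30 18:17:08.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.0.141 peer_port: 5246
"""

# %PKI-3-CERTIFICATE_INVALID_EXPIRED carries the serial and the end of validity.
EXPIRED_RE = re.compile(
    r"%PKI-3-CERTIFICATE_INVALID_EXPIRED: .*\(SN: (?P<serial>[^)]+)\) has expired\. "
    r"Validity period ended on (?P<ended>\d\d:\d\d:\d\d UTC \w{3} \d{1,2} \d{4})"
)
# %DTLS-4-BAD_CERT names the peer whose certificate was rejected.
BAD_CERT_RE = re.compile(r"%DTLS-4-BAD_CERT: .*Peer IP: (?P<peer>\d+(?:\.\d+){3})")

def parse_utc(text):
    """Parse the log's '20:42:36 UTC Aug 18 2017' form into an aware datetime."""
    return datetime.strptime(text, "%H:%M:%S UTC %b %d %Y").replace(tzinfo=timezone.utc)

def classify_join_failure(log_text, trusted_now):
    """Classify a CAPWAP/DTLS join failure seen in AP console output.

    trusted_now must come from a clock you trust (the NTP server), not from the
    device that logged the error. Validity ended before trusted_now: the
    certificate really has expired (the FN63942 case). Validity ends after
    trusted_now: the validating device's clock is ahead, so suspect skew.
    Returns None when no PKI expiry message is present.
    """
    expired = EXPIRED_RE.search(log_text)
    if expired is None:
        return None
    ended = parse_utc(expired.group("ended"))
    peers = sorted({m.group("peer") for m in BAD_CERT_RE.finditer(log_text)})
    return {
        "serial": expired.group("serial"),
        "validity_ended": ended,
        "days_past_expiry": (trusted_now - ended).days,
        "peers": peers,
        "cause": "certificate_expired" if trusted_now >= ended else "clock_skew_suspected",
    }

if __name__ == "__main__":
    print(classify_join_failure(SAMPLE_LOG, parse_utc("18:17:08 UTC Aug 30 2017")))
```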

I applied the workaround, since I do not currently have the software upgrade:

(Cisco Controller) config>ap lifetime-check mic enable
(Cisco Controller) config>ap lifetime-check ssc enable
(Cisco Controller) config>exit
(Cisco Controller) >save
(Cisco Controller) save>config

Are you sure you want to save? (y/n) y

Configuration Saved!

I reloaded one of the access points, but by the time it came back up and joined, I noticed that the other access point had already joined on its own, so I guess I didn’t need to do that.