Cisco :: WLC 5508 Failed To Complete DTLS Handshake With Peer
Feb 21, 2011
WLC 5508 running 7.0.98.0
Site was running fine until the WLC had a hardware failure.
A new WLC was shipped out, was running 6.0.99 then manually upgraded to 7.0.98. Clients cannot authenticatewith recurrent logs messages like this.
*dot1xMsgTask: Feb 23 17:05:03.648: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2914 Max EAP identity request retries (3) exceeded for client 00:21:5c:<snip>*spamApTask0: Feb 23 17:05:01.926: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:629 Failed to complete DTLS handshake with peer 192.168.214.91
I have tried changing the key on the radius server to no avail.
View 4 Replies
ADVERTISEMENT
Mar 21, 2013
I'm in the middle of my very first wireless ISE deployment and I'm hitting issues with EAP-TLS based authentication. In short, all EAP-TLS authentication is failing with the following error. Below that is the relevant excerpt from the logs:
Authentication failed : 12508 EAP-TLS handshake failed
OpenSSLErrorMessage=SSL alert: code=0x233=563 ; source=local ; type=fatal ; message="X509 decrypt error - certificate signature failure", OpenSSLErrorStack= 597863312:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown
[Code].....
View 5 Replies
View Related
Feb 25, 2010
I have a Cisco WLC talking to a ACS 4400 version 5.1 which in turn talks to Active Directory.Ive been trying to get 802.1x for wireless clients going, I have a cert on the ACS from verisign on the box but when users try to sign in they get 12309 PEAP handshake failed in the ACS RADIUS log.The cert was exported and placed directly on the testing laptop and at one point it all worked. I stepped away from it for 2 weeks to get a new internal CA built on a windows box, now coming back to it with the intent of issuing new certs to the ACS from the internal CA and thought I would check it to make sure all was good, but its not.Google doesn’t return happy results for “12309 PEAP handshake failed”, I opened a TAC case on it and they took my cert to their lab. Haven’t heard back.
View 6 Replies
View Related
Jan 24, 2013
I want to prevent guest from doing peer - peer communication on my Guest (5508) controllers. Is this a feature on the WLC or only by applying an ACL on the router interface?
View 2 Replies
View Related
Feb 25, 2013
I am working on wi-fi networks (ISP), So I need to block the peer to peer on my network.My network involves cisco switch 2950/2960, cisco 2800 routers and Access Points, config for peer to peer blocking, for this where I need to config either switches or router.My network basic setup is, The internet will pass from router to switch and then Access Points.
View 1 Replies
View Related
Apr 19, 2012
I got ASA 5510 with base license, can I block all Peer-2-Peer traffic from inside to outside.
ASA Giga 0/0 connected to ISP Router 2811
ASA Giga 0/1 connected to LAN switch 3560
View 3 Replies
View Related
Jul 25, 2011
I see that Application protection - blocking peer-to-peer file sharing traffic is a capability of Cisco IOS Firewall. How do i configure my Cisco 2911 ISR to block peer-to-peer file sharing traffic?
View 1 Replies
View Related
Feb 13, 2013
I am facing issues in blocking Peer to Peer applications in LAN. I am using 881 Cisco router and below is the config done. [code]
View 1 Replies
View Related
Jul 31, 2011
I recently bought the WAG320N can I block Peer to Peer file sharing on my Network?
View 3 Replies
View Related
Jul 31, 2011
I bought my WAG320N, I too have the internet drop out and from reading in here is a very common problem. Cisco really should bring out a new firmware version and address this issue. Any way you can block peer to peer file sharing with the WAG320N? If so how do you go about it?
View 1 Replies
View Related
Jan 28, 2011
One of the schools whose networks I administer has a peer to peer network running about 30 xp machines. DHCP is achieved and DNS settings distributed via a basic Linksys router; is there any way of distributing proxy server address and port short of entering manually in LAN settings of IE on every terminal - there is no budget to install a server.
View 4 Replies
View Related
Jan 18, 2011
i just set up my 2Xp pc's and one windows7 laptop peer to peer for file and printer sharing but i can not configure internet connection for those pc's
View 2 Replies
View Related
Mar 12, 2011
i want to set up my two computers /win xp/ installed using peer to peer network , just tell me the needed steps
View 2 Replies
View Related
Oct 7, 2010
I have a Cisco WLC5508 controller which I recently upgraded to software 7.0.98.0 because I tried to add a Aironet 3502 and it gave me an invalid software. After the upgrade this is the error I get from the AP when I try to add. [code]
View 5 Replies
View Related
Jul 10, 2012
i have WLC 5508 showing the below Logs , which prevent the users from connecting to the SSIDs , also its disconnecting the associted users DHCP Socket Task: Jul 11 09:54:08.992: %SIM-3-DHCP_SERVER_NO_REPLY: sim_interface.c:1039 Failed to get DHCP response on interface 'interface-02'. Marking interface dirty.*mmListen: Jul 11 09:54:08.638: %MM-3-INVALID_PKT_RECVD: mm_listen.c:7671 Received an invalid packet from 10.21.1.25. Source member:0.0.0.0. source member unknown.it shows 3 to 4 times durring 1 hour ,
View 2 Replies
View Related
Apr 3, 2013
Seen this error on 5508 controller with 3600i APs? WLC is running v7.3.101.0
*apfOrphanSocketTask: Apr 04 09:44:41.444: #IPV6-3-INVALID_ADDR_ORPHAN: ipv6_net.c:715 Invalid ipv6 address ::, failed to do data gleaning.
View 1 Replies
View Related
Oct 28, 2012
I am having problems with my WLC to connect in my LDAP (ActiveDirectory). I have 3 interfaces in the controller:
- Management (vlan709): 10.41.200.253
- lan (vlan 1): 190.1.1.123
- guest (vlan 708): 10.41.222.253
My LDAP server is: 190.1.1.22
The controller could ping the LDAP Server. And LDAP Server ping WLC too. When the controller try to connect in the LDAP server, return this on debug:
ldap_db.c:1038 Could not connect to LDAP server 1, reason: 1005 (LDAP bind failed).
*LDAP DB Task 1: Oct 29 15:11:16.924: %AAA-3-LDAP_CONNECT_SERVER_FAILED:
*LDAP DB Task 1: Oct 29 15:10:52.932: ldapInitAndBind [1] called lcapi_init (rc = 0 - Success)
*LDAP DB Task 1: Oct 29 15:10:54.932: ldapInitAndBind [1] configured Method Authenticated lcapi_bind (rc = 1005 - LDAP bind failed)
*LDAP DB Task 1: Oct 29 15:10:54.932: ldapClose [1] called lcapi_close (rc = 0 - Success)
*LDAP DB Task 1: Oct 29 15:10:54.933: LDAP server 1 changed state to IDLE
*LDAP DB Task 1: Oct 29 15:10:54.933: LDAP server 1 changed state to RETRY
*LDAP DB Task 1: Oct 29 15:10:54.933: LDAP_OPT_REFERRALS = -1
View 4 Replies
View Related
Nov 17, 2011
I have two WLC-5508 for 50 AP's deployed. One is primary controller & other is secondary.Recently noticed an unknown "authorization failed, no sufficient privileges for user" message poping up while making configuration changes in WLC. Specificly when trying to create an new SSID. WLC Authentication is local. This message poped up earlier once or twice but it didnt prevent from making changes that time.
View 3 Replies
View Related
May 22, 2013
We are experiencing a lot of these RADIUS failed to respond messages on our WLC's leading to a lot of RADIUS server hopping within the WLC.We are using Cisco 5508's, 1142 AP's and a Microsoft NPS RADIUS backend. SSID is WPA2+802.1xThe first workaround to this problem was to disable aggressive failover on the WLC. But this is only a temporary fix, because in the end, there will be more than 3 consequetive clients, failing to authenticate to the WLAN network. As a result, the WLC will swap to the 2nd RADIUS server configured.When we dived into this a little bit more we saw the following messages being logged on the RADIUS backend at the time we saw the RADIUS messages on the WL:Event ID: 6274: Network Policy Server discarded the request for a user.
View 16 Replies
View Related
May 31, 2012
I am running a guest wireless network on a Cisco 5508 WLC with 6.0.202.0 code. My syslog is filling up with the following error message:
WLC: *May 15 12:32:59.244: %AAA-3-VALIDATE_GUEST_SESSION_FAILED: file_db.c:3968 Guest user session validation failed for guest_user10. Index provided is out of range..
The user that is assigned to the guest_user10 account works fine and has no idea this error is occurring.
This error message is occuring exactly every 15 minutes 24x7.
I believe I have a rogue user who has setup a device to try and login to the guest network automatically, every 15 minutes with the guest_user10 credentials. I need to track this device down. I need a way to find either the MAC or IP address of the device that is causing this error message. I have tried turning on AAA debugging on the controller but I dont get anything more than the above error. I have also tried using WCS to look at the client history but it only show the normal activity.
View 3 Replies
View Related
May 30, 2013
I am using ISE 1.1.1.268 and WLC 7.2.111.3 and NAC agent version 4.9.1.6 on Windows 7 Client machines.
About once a day i get the error "ISE Alarm (WARNING): Dynamic Authorization Failed for Device".
The device it is referring to is my NAD, a WLC 5508 running 7.2.111.3
I have looked at the logs and I cannot see anything in the logs which corresponds to this message so that I can troubleshoot further. Maybe I can if I am enabling the correct logging level on the correct ISE component.
What are the components and the logging level that I should set to get some more detail about this error?
At the moment, I have only set debug logging on Active Directory. I have TRACE logging set on Posture, Run time AAA & prrt-JNI.
I do not want to enable too much debug logs, so what is the specific element that I should be debugging.
I thought debugging the posture element would be enough but when I look at the logs there is nothing there that relates to this message.
View 3 Replies
View Related
Aug 29, 2011
I have a problem where wireless clients at a remote site cannot successfully authenticate through their WLC to my ACS 5.2 (Linux on VM). I have three sites where this authentication is functioning properly; at my fourth site the wireless clients fail with a PEAP error: "12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate". My wireless clients are Win7 using WPA2-Enterprise security type with AES encryption. The authentication method is set to Microsoft PEAP (EAP-MSCHAP v2) and the 'Validate server certificate' is not checked. My wireless access rules on ACS 5.2 are working well at three sites. My ACS 5.2 has a self-signed certificate that doesn't expire until August 2012. A laptop that can successfully authenticate at other sites cannot authenticate at the fourth site.
Phase one of the PEAP process is where the client authenticates the server certificate and the TLS tunnel is created so that in phase two user authentication credentials are sent through the TLS tunnel using EAP. My clients do not seem to be able to create the TLS tunnel because they reject the ACS local certificate; thus, user credentials are never passed and authentication fails. I have renewed the ACS local certificate and rebooted the ACS server but the problem persists. My WLAN on the WLC has its security policy set to [WPA + WPA2][Auth(802.1X)]. WPA uses TKIP and WPA2 uses AES; Auth Key Mgmt is set to 802.1X. The remote site where authentication fails is a different domain; the other three sites are the same domain.
I can see the failed authentication attempts in my ACS "Monitoring and Reports | Reports | Catalog | AAA Protocol | RADIUS Authentication" report. They all fail with the same PEAP error: 12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate. The ACS local certificate works fine at three sites--just not at the fourth. Is my problem the certificate or is it an 802.1X client problem?
View 4 Replies
View Related
Dec 10, 2012
From 6.0.199.4 to AIR-CT5500-K9-7-3-101-0.aes. Get the error below halfway through download of file to controller.
*Dec 11 14:18:55.775: %UPDATE-3-FTP_TRANSFER_FAIL: updcode.c:4158 Error FTP file Transfer [ftp_get], <28>, No space left on device.
I have no idea how to delete files form the storage on the 5508? TFTP transfer gives me this error after the upload is done:
% Error: Code file transfer failed - Error while writing output file
*Dec 11 15:11:45.514: %TFTP-3-FILE_WRITE_FAIL: tftp_client.c:517 Error while writing 512 bytes to file. Tftp error.
*Dec 11 15:11:45.514: %TFTP-3-WRITE_NOCLOSE_FAIL: tftp_client.c:147 Error while writing the local file: No space left on device
*Dec 11 15:11:45.514: %OSAPI-3-FILE_WRITENOCLOSE_FAILED: osapi_file.c:582 Failed to write 512 bytes (FileDesc:64). file write no close failed
View 6 Replies
View Related
Jan 12, 2011
I have just upgraded one of our 4400 to 7.0.98.0. Most of the AP re-registered with out issues. I have two AIR-LAP1142N-E-K9 on a remote site that will not re-register.I have pointed them to another 2125 WLC (7.0.98.0) and they register fine. Point them to yet another 4400 (7.0.98.0) I get the same issue.I am getting this error when the register on the 4400s.*Jan 11 14:39:24.000: %CAPWAP-3-ERRORLOG: Selected MWAR 'abzewwlc'(index 1).*Jan 11 14:39:24.000: %CAPWAP-3-ERRORLOG: Go join a capwap controller *Jan 11 07:05:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 144.46.211.5 peer_port: 5246*Jan 11 07:06:55.000: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 144.46.211.5:5246 I suspect it may be as they both have In the client config.Then again maybe not.Configured Switch 1 Addr 158.139.177.203Configured Switch 2 Addr 144.46.214.25
Question 1 if I do a "clear config except static IP" will I still be able to telnet tp them or will they default to no telnet no ssh ?
Question 2 any idea how to get past this DTLS error ?
View 4 Replies
View Related
Apr 4, 2012
I have an ASA 5510 running 8.2.2 code with 30 VPN Phones connected. Of the 30 phones, I have 5 that do not negotiate DTLS and I'm having quality issues with these phones. I've checked the login process and I don't see any errors when these phone connect, they just don't even attempt DTLS. All the phones use the same VPN configuration.
View 4 Replies
View Related
Sep 17, 2012
My work laptop uses a Cisco AnyConnect VPN Client (Software Version 2.5.2006). The connection protocol is DTLS.I recently upgraded to a Cisco RV180 at home at it is running the latest software version (1.0.1.9).
Since the RV180 went into service the work laptop will connect intermittantly. Usually email works but web browsing and and other services do not. It is slight strange behaviour- and seems to defy what a VPN should do......
The behaviour is very repeatable. For example from the customers office the laptop connects perfectly via VPN and if I swap back to an older inferior make of router at home VPN also works normal without changes to the laptop configuration.
I work for a large company (70,000+ employees) and we use "standard" builds so altering the laptop configuration is not really an option.
It seems to me that the RV180 doesn't support the DLTS VPN connection (indeed DLTS passthrough isn't an option in the VPN passthrough list) and is possibly blocking some incoming packets on the WAN interface.
I haven't yet tried a firewall rule to allow a DLTS (or UDP perhaps?) connection back in from the WAN side (obviously from just the IPs at my work end) but this is the only option I can think of to make this machine connect "correctly".
View 3 Replies
View Related
Nov 25, 2012
I've been labbing on my asa5505 at home, setting up different VPN solutions for testing purposes. However, I can't get my anyconnect client to establish a DTLS tunnel when connecting (anyconnect only shows tls, and does not display any errors about not connecting with dtls)I have set dtls port to 444 and this port is open on the other side.
View 2 Replies
View Related
Jan 18, 2013
I am setting up office extend with 1142 APs on a 5508 controller. All seems ok and I see my SSIDs on the remote AP. However when I try to connect I don't get a dhcp address and the connection fails. When I look at logs and some debugs I see dtls keepalive failures and the AP is actually disconnecting and re-associating with the controller.
View 24 Replies
View Related
Dec 25, 2012
I have a WLC 5508 and several 1142 access points. The APs are not showing up in the WLC. When i console into the APs, im getting the following errors,
*Dec 26 23:04:28.035: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 65.125.15.212:5246
*Dec 26 23:04:28.074: %CAPWAP-5-CHANGED: CAPWAP changed state to
[Code]....
Ive tried resetting the WLC, reloading the APs. I even factory defaulted one of the APs and still getting the same message.Ive verified that the WLC is set to accept MICs and SSCs.
View 6 Replies
View Related
Jun 17, 2012
Flex 7500
Software Version: 7.2.103.0
I have a Flex 7500 with 200 1142AP's working fine in remote office and local setup. We have since purchased 3 OEAP 602's and looking to distribute to teleworkers.
I have configured the OEAP to point to the NAT'd IP of the WLC, the OEAP does connect and is listed briefly in the WLC wireless listing but I am not able to make any configuration changes, it will then dissassociate and try the join process all over again. I have attached below the OEAP 600 event log. I see that the WLC does not support data DTLS encryption and looking to make this work.
I have tried to install the DTLS license file from the Cisco website, but says license failed to install, with no other errors.
*Jun 18 15:18:43.938: Build version 7.0.112.72 (compiled Feb 3 2012 at 01:56:39, [L]).
*Jun 18 15:18:47.859: CAPWAP State: Init.
*Jun 18 15:18:47.860: CAPWAP State: Discovery.
[Code]....
View 2 Replies
View Related
Feb 19, 2011
I recently purchases new E3000. I setup the E3000 with static IP from border router rather DCHP which seemed to default to the same IP address and DNS. The laptops tied to the E3000 have their own IP's that are different from the IP of the border router. E3000 is configured with no firewall an minimal protection, for now. The reason for minimal protection was to get the handshaking to work between the two routers. The border router is a Verizon product. The old router that I was using is a Netgear that did handshake with the border router. I have the latest firmware for the E3000 namely Firmware version: 1.0.04 build 6. Router will not handshake either with wired or wireless connections. Laptop used to connect to the E3000 is running Windows 7 Ultimate. In fact all laptops here are using the same OS and connect using wireless. I tried the included software package from the website, which housed a diagnostic that apparently couldn't fix the problem as well. I don't have clue as to the reason for E3000 not to handshake with the border router.
View 3 Replies
View Related
Jan 19, 2012
I am having Cisco 3845 series router with c3900-universalk9-mz.SPA.151-4.M2.bin IOS . I want to install new Licence on it for DATA. When i am trying to install licence on it i am facing the error "% Error: License installation failed with error: XML parsing failed".
View 4 Replies
View Related
Mar 16, 2011
I installed the quickVPN Client for use with RVS4000 small business router/VPN on a platform with Windows 7. It was not able to complete the VPN connection. I installed on Windows XP machine, both on the same network. The XP machine was able to connect just fine.
View 1 Replies
View Related
