Wednesday, July 6, 2016

Clearing CAPWAP AP config

I had multiple disk failures in my lab yesterday, and fortunately not many crucial VMs were affected.  One of those is the vWLC that I use for my home AP.  As I've configured FlexConnect, the AP still works fine without the controller present; however, I still want to fix it, otherwise I can't make changes in the future.

After rebuilding the vWLC with the same IP address, the AP failed to register to the new vWLC.

*Jul  5 10:56:02.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.24.70 peer_port: 5246
*Jul  5 10:56:02.015: %CAPWAP-1-SSC_CERT_AUTH_FAILED: Failed to authorize controller, SSC certificate validation failed.Peer certificate verification failed FFFFFFFF
*Jul  5 10:56:02.015: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:509 Certificate verified failed!
*Jul  5 10:56:02.015: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.24.70:5246
*Jul  5 10:56:02.015: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.24.70:5246

It didn't look right to me, and after trying a few things, this error didn't go away.  So what I had to do was clear the config on the AP.  You can do it from the console or via telnet, if telnet is enabled.  I have telnet enabled, so I telnetted to my AP and used the following commands:

! This command is the most important, without this you can't use the clear capwap commands
debug capwap console cli

then

clear capwap private-config

Or you can simply write erase the AP.  After that, configure option 43 hex in the DHCP pool.  I have only one controller, so the prefix to add is f104, followed by the hex of my controller IP address, 192.168.24.70.


option 43 hex f104.c0a8.1846

Too lazy to convert it manually, I just used the calculator here:

And now all works great!  Everything back to normal!
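
The option 43 conversion described above can also be scripted. This is an added example, not part of the original post; it goes beyond the single-controller case by assuming the length byte after f1 is 4 bytes per controller address (04 for the one controller here), and the function names are made up for illustration.

```python
import ipaddress
import re

WLC_SUBOPTION_TYPE = 0xF1  # the "f1" in the post's f104 prefix


def encode_option43(controller_ips):
    """Return the dotted hex string for 'option 43 hex' from controller IPv4s."""
    if not controller_ips:
        raise ValueError("at least one controller IP is required")
    # ipaddress rejects malformed or non-IPv4 input with a ValueError subclass
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in controller_ips)
    if len(value) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    raw = bytes([WLC_SUBOPTION_TYPE, len(value)]) + value
    digits = raw.hex()
    # Group as four hex digits per dot, matching the format used in the post
    return ".".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def decode_option43(hex_value):
    """Parse a dotted hex string back into controller IPs, checking the TLV."""
    raw = bytes.fromhex(re.sub(r"[.:\s]", "", hex_value))
    if len(raw) < 2 or raw[0] != WLC_SUBOPTION_TYPE:
        raise ValueError("value does not start with type f1")
    length, value = raw[1], raw[2:]
    # A stale length byte (for example f108 left over with one address)
    # is the easy mistake when editing the string by hand
    if length == 0 or length % 4 or length != len(value):
        raise ValueError(
            f"length byte says {length}, but {len(value)} address bytes follow"
        )
    return [str(ipaddress.IPv4Address(value[i:i + 4]))
            for i in range(0, length, 4)]


if __name__ == "__main__":
    # Controller address from the post
    line = encode_option43(["192.168.24.70"])
    print("option 43 hex", line)
    print(decode_option43(line))
```

Running decode_option43 on the string already in a DHCP pool is a quick way to confirm that it points at the controller you expect before rebooting the AP.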
