
25 Nov 16 Cisco 1142 not joining Cisco 2504 WLC

%PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID

Recently I was setting up my lab environment with a Cisco 1142 Access Point and a Cisco 2504 Wireless LAN Controller and I ran into a minor issue: the Cisco 1142 Access Point was not joining the WLC. I was getting the following error messages when I consoled into the access point.

*Jan 1 04:35:10.126: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jan 1 04:35:10.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.10.41 peer_port: 5246
*Jan 1 04:35:10.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Jan 1 04:35:10.316: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed. The certificate (SN: 4E0E3D20000000116445) is not yet valid Validity period starts on 21:44:46 UTC Dec 7 2011
*Jan 1 04:35:10.317: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Jan 1 04:35:10.317: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Jan 1 04:35:10.317: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:333 Certificate verified failed!
*Jan 1 04:35:10.317: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.10.41
*Jan 1 04:35:10.318: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.10.41:5246
*Jan 1 04:35:10.318: %DTLS-3-BAD_RECORD: Erroneous record received from 19: Malformed Certificate

Initially I kinda jumped on the certificate issue and ran the following commands, thinking perhaps there actually was a problem with the certificate on the WLC or the Access Point:

(WLC1) >show certificate summary
Web Administration Certificate………………. 3rd Party
Web Authentication Certificate………………. Locally Generated
Certificate compatibility mode:……………… off
Lifetime Check Ignore for MIC ………………. Disable
Lifetime Check Ignore for SSC ………………. Disable

(WLC1) >config ap cert-expiry-ignore mic enable

(WLC1) >config ap cert-expiry-ignore ssc enable

(WLC1) >show certificate summary
Web Administration Certificate………………. 3rd Party
Web Authentication Certificate………………. Locally Generated
Certificate compatibility mode:……………… off
Lifetime Check Ignore for MIC ………………. Enable
Lifetime Check Ignore for SSC ………………. Enable

This however did not resolve my issue and the Cisco 1142 still was not joining the 2504 WLC. With a little more checking I felt pretty embarrassed, because I realized that the time on the Cisco 2504 WLC was wrong. I fixed the time and date on the Cisco 2504 WLC and, as a result, the Cisco 1142 Access Point successfully joined the controller.
The lesson here is that sometimes the issue is right there in front of you and is pretty simple :). By the way, here is a good write-up on Access Points and certificates: Lightweight AP – Fail to create CAPWAP/LWAPP connection due to certificate expiration
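A quick way to triage this class of join failure is to read the AP console log with the validating device's clock in hand: if the device clock sits before the certificate's "Validity period starts on" date, the clock is the suspect, not the certificate. The script below is an added example, not code from the post or from Cisco; it parses the PKI line shown above (sample log lines constructed from the post) and also flags the leading "*" on IOS timestamps, which means the device clock is not authoritative. The wrong WLC clock value is a constructed assumption, since the post does not state it.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the relevant lines from the AP console output in the post.
SAMPLE_AP_LOG = """\
*Jan 1 04:35:10.126: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jan 1 04:35:10.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.10.41 peer_port: 5246
*Jan 1 04:35:10.316: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed. The certificate (SN: 4E0E3D20000000116445) is not yet valid Validity period starts on 21:44:46 UTC Dec 7 2011
*Jan 1 04:35:10.317: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.10.41
"""

# A leading "*" on an IOS log timestamp means the clock is not authoritative (never set or not synced).
UNAUTHORITATIVE_TS = re.compile(r"^\*[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}")

NOT_YET_VALID = re.compile(
    r"%PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID:.*?\(SN: (?P<sn>[0-9A-Fa-f]+)\).*?"
    r"Validity period starts on (?P<start>\d{2}:\d{2}:\d{2} UTC [A-Z][a-z]{2} \d{1,2} \d{4})"
)


def parse_validity_start(text):
    """Parse 'HH:MM:SS UTC Mon D YYYY', as printed in the PKI message, into an aware UTC datetime."""
    return datetime.strptime(text, "%H:%M:%S UTC %b %d %Y").replace(tzinfo=timezone.utc)


def audit_join_log(log_text, device_clock):
    """Classify a failed CAPWAP/DTLS join from the AP console log.

    device_clock: clock of the device whose validation failed, as an aware UTC datetime
    (in the post this was effectively the WLC clock, which turned out to be wrong).
    Returns the clock-authority flag, one entry per not-yet-valid certificate with how far
    the device clock sits before the certificate's validity start, and a verdict.
    """
    findings = {"clock_unauthoritative": False, "not_yet_valid": [], "verdict": "ok"}
    for line in log_text.splitlines():
        if UNAUTHORITATIVE_TS.match(line):
            findings["clock_unauthoritative"] = True
        m = NOT_YET_VALID.search(line)
        if m:
            start = parse_validity_start(m.group("start"))
            findings["not_yet_valid"].append({
                "serial": m.group("sn"),
                "valid_from": start,
                "clock_behind_by": start - device_clock,  # positive => clock is before validity start
            })
    if findings["not_yet_valid"]:
        behind = any(f["clock_behind_by"] > timedelta(0) for f in findings["not_yet_valid"])
        findings["verdict"] = "fix-clock" if behind else "check-certificate"
    return findings


if __name__ == "__main__":
    # Constructed: a WLC clock years behind; the post does not give the actual wrong value.
    wrong_wlc_clock = datetime(2010, 1, 1, 4, 35, 10, tzinfo=timezone.utc)
    result = audit_join_log(SAMPLE_AP_LOG, wrong_wlc_clock)
    print("verdict:", result["verdict"], "| clock unauthoritative:", result["clock_unauthoritative"])
    for f in result["not_yet_valid"]:
        print(f"SN {f['serial']} valid from {f['valid_from']:%Y-%m-%d}, "
              f"clock behind by {f['clock_behind_by'].days} days")
```

With the constructed clock the verdict is "fix-clock", which matches what actually resolved the post's problem. The cert-expiry-ignore knobs turned on earlier in the post did not help here, and they disable a validation check, so once the clock is correct they are worth setting back to disable.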


11 Nov 16 Brocade ICX 6450 PoE Configuration

Enabling Power over Ethernet on Brocade ICX6450

Recently I configured a Brocade ICX6450 PoE switch on the network and all was working well until my customer hooked up a phone to one of the ports I configured. I was told that the phone won’t power on. Now on a Cisco PoE Switch, I’m used to just simply plugging in phones and getting power. With the Brocade ICX6450 I needed to perform some additional steps to get it working.

First I ran the following command to check the PoE status on the port in question:

show inline power 3/1/17

This gave me the following results:

Port    Admin   Oper    ---Power(mWatts)---   PD Type   PD Class   Pri   Fault/
        State   State   Consumed  Allocated                              Error
--------------------------------------------------------------------------
3/1/17  Off     Off     0         0           n/a       n/a        3     n/a

As you can see, both the "Admin State" and the "Oper State" show "Off", which means Power over Ethernet is not enabled on this port. So in order to enable it I needed to do the following:


conf t
!
interface ethernet 3/1/17 to 3/1/24
inline power (***note: no inline power will disable it)
-------------------------------------------------------------------
Now lets look at it again
Port Admin Oper ---Power(mWatts)--- PD Type PD Class Pri Fault/
State State Consumed Allocated Error
--------------------------------------------------------------------------
3/1/17 On Off 0 0 n/a n/a 3 n/a


Port    Admin   Oper    ---Power(mWatts)---   PD Type   PD Class   Pri   Fault/
        State   State   Consumed  Allocated                              Error
--------------------------------------------------------------------------
3/1/1   Off     Off     0         0           n/a       n/a        3     n/a
3/1/2   Off     Off     0         0           n/a       n/a        3     n/a
3/1/3   Off     Off     0         0           n/a       n/a        3     n/a
3/1/4   Off     Off     0         0           n/a       n/a        3     n/a
3/1/5   Off     Off     0         0           n/a       n/a        3     n/a
3/1/6   Off     Off     0         0           n/a       n/a        3     n/a
3/1/7   Off     Off     0         0           n/a       n/a        3     n/a
3/1/8   Off     Off     0         0           n/a       n/a        3     n/a
3/1/9   Off     Off     0         0           n/a       n/a        3     n/a
3/1/10  Off     Off     0         0           n/a       n/a        3     n/a
3/1/11  Off     Off     0         0           n/a       n/a        3     n/a
3/1/12  Off     Off     0         0           n/a       n/a        3     n/a
3/1/13  Off     Off     0         0           n/a       n/a        3     n/a
3/1/14  Off     Off     0         0           n/a       n/a        3     n/a
3/1/15  Off     Off     0         0           n/a       n/a        3     n/a
3/1/16  Off     Off     0         0           n/a       n/a        3     n/a
3/1/17  On      Off     0         0           n/a       n/a        3     n/a
3/1/18  On      Off     0         0           n/a       n/a        3     n/a
3/1/19  On      Off     0         0           n/a       n/a        3     n/a
3/1/20  On      Off     0         0           n/a       n/a        3     n/a
3/1/21  On      Off     0         0           n/a       n/a        3     n/a
3/1/22  On      Off     0         0           n/a       n/a        3     n/a
3/1/23  On      Off     0         0           n/a       n/a        3     n/a
3/1/24  On      On      2441      4955        802.3af   Class 2    3     n/a

Now you can see that the "Admin State" of Power over Ethernet is showing "On". When my customer plugged in the phone, it came online successfully. I do not know why the Brocade ICX6450 has it like this, it seems very unproductive, but oh well, it's Brocade.

I'd like to also add a link to Brocade's Switch Administration Guide, which has some additional details if someone is interested: FastIron Ethernet Switch Administration Guide Supporting FastIron Software Release 08.0.30
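When a whole stack has to be audited, reading the "show inline power" table by eye is error-prone, and it helps to separate the three states that matter: Admin Off (PoE never enabled, the post's problem), Admin On but Oper Off (enabled, no powered device detected) and Oper On (actually powering). The parser below is an added example, not code from the post or from Brocade; it reads a table in the format shown above (sample rows constructed from the post), groups the ports, and collapses consecutive Admin-Off ports into the "X to Y" ranges that the "interface ethernet" command takes.

```python
import re

# Constructed sample: a trimmed "show inline power" table in the format shown in the post.
SAMPLE_INLINE_POWER = """\
Port    Admin   Oper    ---Power(mWatts)---   PD Type   PD Class   Pri   Fault/
        State   State   Consumed  Allocated                              Error
--------------------------------------------------------------------------
3/1/15  Off     Off     0         0           n/a       n/a        3     n/a
3/1/16  Off     Off     0         0           n/a       n/a        3     n/a
3/1/17  On      Off     0         0           n/a       n/a        3     n/a
3/1/18  On      Off     0         0           n/a       n/a        3     n/a
3/1/24  On      On      2441      4955        802.3af   Class 2    3     n/a
"""

# The PD Type / PD Class columns may contain spaces ("802.3af Class 2"), so they are
# captured lazily as one group and split afterwards.
ROW = re.compile(
    r"^(?P<port>\d+/\d+/\d+)\s+(?P<admin>On|Off)\s+(?P<oper>On|Off)\s+"
    r"(?P<consumed>\d+)\s+(?P<allocated>\d+)\s+(?P<pd>.*?)\s+(?P<pri>\d+)\s+(?P<fault>\S+)\s*$"
)


def parse_inline_power(output):
    """Turn the table into a list of dicts, one per port; header and separator lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        pd_tokens = m.group("pd").split()
        if pd_tokens and pd_tokens[0] != "n/a":
            pd_type, pd_class = pd_tokens[0], " ".join(pd_tokens[1:]) or "n/a"
        else:
            pd_type, pd_class = "n/a", "n/a"
        rows.append({
            "port": m.group("port"), "admin": m.group("admin"), "oper": m.group("oper"),
            "consumed_mw": int(m.group("consumed")), "allocated_mw": int(m.group("allocated")),
            "pd_type": pd_type, "pd_class": pd_class, "priority": int(m.group("pri")),
            "fault": m.group("fault"),
        })
    return rows


def ports_by_state(rows):
    """Group ports into the three states an operator cares about."""
    return {
        "admin_off": [r["port"] for r in rows if r["admin"] == "Off"],
        "enabled_no_pd": [r["port"] for r in rows if r["admin"] == "On" and r["oper"] == "Off"],
        "powering": [r["port"] for r in rows if r["oper"] == "On"],
    }


def port_ranges(ports):
    """Collapse consecutive ports with the same stack/slot prefix into 'a to b' ranges."""
    ranges = []
    for port in ports:
        prefix, num = port.rsplit("/", 1)
        num = int(num)
        if ranges and ranges[-1][0] == prefix and ranges[-1][2] == num - 1:
            ranges[-1][2] = num
        else:
            ranges.append([prefix, num, num])
    return [f"{p}/{lo}" if lo == hi else f"{p}/{lo} to {p}/{hi}" for p, lo, hi in ranges]


def enable_poe_config(rows):
    """Emit the configuration lines from the post for every Admin-Off port."""
    lines = ["conf t"]
    for rng in port_ranges(ports_by_state(rows)["admin_off"]):
        lines += [f"interface ethernet {rng}", "inline power"]
    return lines


if __name__ == "__main__":
    rows = parse_inline_power(SAMPLE_INLINE_POWER)
    for state, ports in ports_by_state(rows).items():
        print(f"{state:14s} {port_ranges(ports)}")
    print("\n".join(enable_poe_config(rows)))
```

Run against the full 24-port output from the post, the generated configuration enables PoE on 3/1/1 to 3/1/16 only, leaving the ports that were already enabled alone.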


07 Oct 16 Brocade 6450 switching to Routing Code

Brocade 6450 switching to routing Code

So recently I had to work on a Brocade 6450 Switch. I needed to create SVIs on the switch, but I was not able to do that on a switch right out of the box. The reason is that by default it runs the "switching code": when you do "show ver" you will see an "S" in the code name. But if you do "show flash" you will see a secondary flash image with an "R" in its name. That is the code that allows you to make it an L3 switch. Here is what I did to make it an L3 switch:

conf t
!
boot system flash secondary
wr mem
##### Verify ######
show boot (Make sure secondary is default)
###################
reload

Once the switch came back up it was in L3 mode and I was able to create SVIs. This was done on a switch with no configuration on it. If someone decides to do it on a production switch, make sure you back up your configuration and keep in mind that this process will cause downtime.


29 Aug 16 Password Recovery Cisco 1841 Router

Password Recovery on Cisco Router

This is just a quick post for my reference on how to do password recovery on a Cisco Router. Recently I had to do it on a Cisco 1841. Here are my steps:

    Boot up the router with a console cable attached and, from the terminal emulation software, hit pause/break
    The router will stop at a prompt
    Type confreg 0x2142
    At the next prompt
    Type reset
    Once the router reloads it will not have a password.

The first thing I like to do is run the following commands right away; otherwise, if I reboot the router it will keep coming back up with the default settings and nothing will be saved.

config t
!
config-register 0x2102
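The two register values differ in exactly one bit: 0x2142 sets bit 6 (0x0040), which tells the router to ignore the startup configuration in NVRAM, and 0x2102 clears it. The decoder below is an added example, not code from the post or from Cisco; it decodes the bits relevant to this post and checks a "show version" output (constructed sample, in the IOS format "Configuration register is 0x2142 (will be 0x2102 at next reload)") to confirm that the next reload will not skip the startup configuration, which is the check to run before leaving a router after a password recovery.

```python
import re

# Bits of the Cisco IOS configuration register that matter for this post.
BOOT_FIELD_MASK = 0x000F          # bits 0-3: how the router boots
IGNORE_NVRAM = 0x0040             # bit 6: ignore the startup configuration in NVRAM
BREAK_DISABLED = 0x0100           # bit 8: console break is ignored once IOS is running
ROM_FALLBACK = 0x2000             # bit 13: fall back to ROM software if network boot fails


def decode_confreg(value):
    """Decode a 16-bit configuration register into named fields."""
    boot_field = value & BOOT_FIELD_MASK
    if boot_field == 0x0:
        boot = "stay in ROM monitor"
    elif boot_field == 0x1:
        boot = "boot the helper/ROM image"
    else:
        boot = "boot from flash / boot system commands"
    return {
        "value": value,
        "boot_field": boot_field,
        "boot": boot,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_fallback": bool(value & ROM_FALLBACK),
    }


def register_diff(a, b):
    """Names of the decoded fields that differ between two register values."""
    da, db = decode_confreg(a), decode_confreg(b)
    return sorted(k for k in da if k != "value" and da[k] != db[k])


CONFREG_LINE = re.compile(
    r"Configuration register is (?P<cur>0x[0-9A-Fa-f]{1,4})"
    r"(?: \(will be (?P<next>0x[0-9A-Fa-f]{1,4}) at next reload\))?"
)


def audit_show_version(show_version_text):
    """Find the register line in 'show version' and report whether NVRAM is skipped at next reload."""
    m = CONFREG_LINE.search(show_version_text)
    if not m:
        raise ValueError("no 'Configuration register is' line found")
    current = int(m.group("cur"), 16)
    nxt = int(m.group("next"), 16) if m.group("next") else current
    return {
        "current": decode_confreg(current),
        "next_reload": decode_confreg(nxt),
        "startup_config_skipped_at_next_reload": decode_confreg(nxt)["ignore_nvram"],
    }


# Constructed sample: the tail of 'show version' right after 'config-register 0x2102' was entered.
SAMPLE_SHOW_VERSION_FIXED = "Configuration register is 0x2142 (will be 0x2102 at next reload)\n"
# Constructed sample: a router left with the recovery value in place.
SAMPLE_SHOW_VERSION_LEFT = "Configuration register is 0x2142\n"

if __name__ == "__main__":
    print("fields differing between 0x2142 and 0x2102:", register_diff(0x2142, 0x2102))
    for sample in (SAMPLE_SHOW_VERSION_FIXED, SAMPLE_SHOW_VERSION_LEFT):
        r = audit_show_version(sample)
        print(f"{sample.strip()!r} -> skips startup-config at next reload: "
              f"{r['startup_config_skipped_at_next_reload']}")
```

The "will be ... at next reload" form is what you want to see after entering "config-register 0x2102"; a bare "Configuration register is 0x2142" means the change was not made and the router will keep ignoring NVRAM on every boot, exactly the situation the paragraph above warns about.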


21 Apr 16 PRI Error – L2IF_SendPkt Failed

Voice PRI Error on Cisco Router – TEI_ASSIGNED – **ERROR**: L2IF_SendPkt: idb is NULL – **ERROR**: process_rxdata:L2IF_SendPkt Failed

Recently I ran into a voice PRI issue. The customer was unable to make any calls and the command show isdn status displayed the following result:

Global ISDN Switchtype = primary-ni
ISDN Serial0/1/0:23 interface
dsl 0, interface ISDN Switchtype = primary-ni
Layer 1 Status:
ACTIVE
Layer 2 Status:
TEI = 0, Ces = 1, SAPI = 0, State = TEI_ASSIGNED
Layer 3 Status:
0 Active Layer 3 Call(s)
Active dsl 0 CCBs = 0
The Free Channel Mask: 0x807FFFFF
Number of L2 Discards = 0, L2 Session ID = 33
Total Allocated ISDN CCBs = 0

After reviewing everything in the Cisco Call Manager and the physical connectivity, and verifying that the circuit was good, I decided to run a debug with the command debug isdn q921. I received the following output:

Apr 5 15:08:15.976: ISDN Se0/1/0:23 Q921: User RX <- SABMEp sapi=0 tei=0
Apr 5 15:08:15.976: ISDN Se0/1/0:23 **ERROR**: L2IF_SendPkt: idb is NULL
Apr 5 15:08:15.976: ISDN Se0/1/0:23 **ERROR**: process_rxdata:L2IF_SendPkt Failed
Apr 5 15:08:16.980: ISDN Se0/1/0:23 Q921: User RX <- SABMEp sapi=0 tei=0
Apr 5 15:08:16.980: ISDN Se0/1/0:23 **ERROR**: L2IF_SendPkt: idb is NULL
Apr 5 15:08:16.980: ISDN Se0/1/0:23 **ERROR**: process_rxdata:L2IF_SendPkt Failed
Apr 5 15:08:17.984: ISDN Se0/1/0:23 Q921: User RX <- SABMEp sapi=0 tei=0
Apr 5 15:08:17.984: ISDN Se0/1/0:23 **ERROR**: L2IF_SendPkt: idb is NULL
Apr 5 15:08:17.984: ISDN Se0/1/0:23 **ERROR**: process_rxdata:L2IF_SendPkt Failed
Apr 5 15:08:19.036: ISDN Se0/1/0:23 Q921: User RX <- SABMEp sapi=0 tei=0
Apr 5 15:08:19.036: ISDN Se0/1/0:23 **ERROR**: L2IF_SendPkt: idb is NULL
Apr 5 15:08:19.036: ISDN Se0/1/0:23 **ERROR**: process_rxdata:L2IF_SendPkt Failed
Apr 5 15:08:30.028: ISDN Se0/1/0:23 Q921: User RX <- SABMEp sapi=0 tei=0
Apr 5 15:08:30.028: ISDN Se0/1/0:23 **ERROR**: L2IF_SendPkt: idb is NULL
Apr 5 15:08:30.028: ISDN Se0/1/0:23 **ERROR**: process_rxdata:L2IF_SendPkt Failed
Apr 5 15:08:31.032: ISDN Se0/1/0:23 Q921: User RX <- SABMEp sapi=0 tei=0
Apr 5 15:08:31.032: ISDN Se0/1/0:23 **ERROR**: L2IF_SendPkt: idb is NULL
Apr 5 15:08:31.032: ISDN Se0/1/0:23 **ERROR**: process_rxdata:L2IF_SendPkt Failed
Apr 5 15:08:32.036: ISDN Se0/1/0:23 Q921: User RX <- SABMEp sapi=0 tei=0
Apr 5 15:08:32.036: ISDN Se0/1/0:23 **ERROR**: L2IF_SendPkt: idb is NULL
Apr 5 15:08:32.036: ISDN Se0/1/0:23 **ERROR**: process_rxdata:L2IF_SendPkt Failed
Apr 5 15:08:33.036: ISDN Se0/1/0:23 Q921: User RX <- SABMEp sapi=0 tei=0
Apr 5 15:08:33.036: ISDN Se0/1/0:23 **ERROR**: L2IF_SendPkt: idb is NULL
Apr 5 15:08:33.036: ISDN Se0/1/0:23 **ERROR**: process_rxdata:L2IF_SendPkt Failed

After some research and looking at the router config this ended up being the culprit:

interface Serial0/1/0:23
no ip address
encapsulation hdlc
isdn switch-type primary-ni
isdn incoming-voice voice
isdn bind-l3 ccm-manager (THIS COMMAND WAS MISSING)
no cdp enable

After I added the command isdn bind-l3 ccm-manager back under the interface, calls started to work and show isdn status returned to MULTIPLE_FRAME_ESTABLISHED. Comparing the two outputs, the working one shows that Q.931 is backhauled to CCM Manager, while the non-working one does not.

Global ISDN Switchtype = primary-ni

%Q.931 is backhauled to CCM MANAGER 0x0003 on DSL 0. Layer 3 output may not apply

ISDN Serial0/1/0:23 interface
dsl 0, interface ISDN Switchtype = primary-ni
L2 Protocol = Q.921 0x0000 L3 Protocol(s) = CCM MANAGER 0x0003
Layer 1 Status:
ACTIVE
Layer 2 Status:
TEI = 0, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
Layer 3 Status:
0 Active Layer 3 Call(s)
Active dsl 0 CCBs = 0
The Free Channel Mask: 0x807FFFFF
Number of L2 Discards = 0, L2 Session ID = 33
Total Allocated ISDN CCBs = 0


09 Apr 15 ip nat outside

IP NAT Outside

NAT (Network Address Translation) can at times be a complicated process depending on what you are trying to do, and configuring it on a Cisco Router vs. a Cisco ASA is a bit different as well. This post is about a recent NAT configuration on a Cisco Router that I had to do. The need was to translate an outside IP address that belonged to a server in our Data Center (Outside Global) into another IP address at a branch location (Outside Local). Example network scenario:

Local Subnet at Branch = 172.16.1.0/24
Server IP at Data Center = 10.10.10.250
NAT IP for the server = 2.2.2.2

Basically the need was to translate 10.10.10.250 to 2.2.2.2 at the local branch. Usually it is the other way around, where we NAT all the internal IP addresses going out; in this case we were doing the reverse. The following commands were used:

ip nat outside source static 10.10.10.250 2.2.2.2
!
interface fa0/0
description ### WAN ###
ip nat outside
!
interface fa0/1
description ### LAN ###
ip nat inside

Now when clients on the 172.16.1.0/24 network attempted to connect to 2.2.2.2, the branch router would translate that to 10.10.10.250 and route it to the Data Center server. The return packet would come from 10.10.10.250, get translated back to 2.2.2.2, and then be delivered to the client(s) on the 172.16.1.0/24 network.


09 Mar 15 SNMP Communication issue between Cisco Prime and Cisco WLC

Cisco Prime 1.2 Unable to communicate via SNMP with Cisco Wireless LAN Controller

Recently I had an issue where Cisco Prime 1.2 started to show one of our Cisco Wireless LAN Controllers as Unreachable. I looked at the SNMP settings on Cisco Prime as well as on the Controller and nothing had changed. I even deleted the settings and tried to re-add the Cisco WLC in Cisco Prime, with the same results. After testing different things it ended up being an issue with a new dynamic interface that had been added on the Cisco WLC for testing. This dynamic interface was on the same VLAN as Cisco Prime's interface.

So it looks like, since there was an interface on the WLC on the same subnet as Cisco Prime's interface, the SNMP requests were hitting that interface. But because a Cisco WLC does not do inter-VLAN routing like an L3 switch, those packets arriving on the new dynamic interface were not reaching the Management Interface. As soon as I deleted that new dynamic interface from the Cisco WLC, SNMP started to work successfully.

By reading this site/post(s) you are agreeing to the Terms and Conditions of using this website


05 Mar 15 Configure Primary and Secondary WLC on Cisco Light Weight Access Points

How to configure Primary and Secondary Wireless LAN Controller IP’s on Cisco Light Weight Access Points

I use this method to specify the Primary and Secondary Wireless LAN Controller IP and name on Cisco Lightweight Access Points. It can also be used if you want some Access Points on one Wireless LAN Controller and some on the other. This is strictly via the controller's command line. It can be done via the controller's GUI as well, but that will take forever, especially if you are configuring multiple Access Points, because you will need to enter that information one by one. Using the Cisco Wireless LAN Controller's command line interface I can usually get this done faster.

config ap primary-base WLC-01 AP-01 10.10.10.10
config ap secondary-base WLC-02 AP-01 10.10.10.11
config ap primary-base WLC-01 AP-02 10.10.10.10
config ap secondary-base WLC-02 AP-02 10.10.10.11
... and so on.

There is one more easy way to do this, via Cisco Prime; I will write a separate post on that. But this method can be used quickly if there is no Cisco Prime.



26 Feb 15 Rename Access Points Cisco WLC – Wireless LAN Controller

How to rename Cisco Light Weight Access Points on Cisco Wireless LAN Controller

When I am configuring a Cisco Wireless LAN Controller and Access Points are added to it, I have to rename them to something meaningful from their default naming convention of APabcd.fghi.1234. I had been accomplishing this task via the GUI by going to the Wireless Tab –> All APs and then renaming them one by one. It is really no big deal if you have to rename a few of them. However, if you are standing up a new site and there are 30, 50, 100 or more Cisco lightweight access points on that Cisco Wireless LAN Controller, it can take forever to do this via the controller's GUI. I try my best to work smarter and optimize the way I do things, so I decided to start using the CLI of the Cisco WLC to rename the Access Points.

The first and most important thing is to make sure we have an inventory of the APs, or get a list of their names from Prime. Then, using Excel, I simply created the CLI configuration lines to rename the Cisco lightweight access points.

config ap name AP-01 APtttt.abcd.1111
config ap name AP-02 APffff.1234.0asd
config ap name AP-03 APgggg.1234.uut7
config ap name AP-04 APhhhh.1234.6688
config ap name AP-05 APiiii.1234.9999

Now you can use this simple method to rename all the APs quickly. Here is a quick breakdown of the syntax:

config ap name NEW-NAME {OLD-AP-NAME | Ethernet-MAC | Serial-Number}

Note: AP names are case sensitive



24 Feb 15 DHCP options for Cisco 2600 Series Access Points

Configuring DHCP Options for Cisco 2600 Series Access Points

I do not have to do this much, so when I do I always have to look it up; hence I decided to write it down in my own words for my reference. Normally, when I put Cisco Access Points on the same VLAN as the Wireless LAN Controller's Management Interface, the Access Points have no issue joining the controller. However, if the Cisco lightweight access points are on a different VLAN, they will not be able to join the controller initially, and that usually requires DHCP Options 43 and 60. Below is an overview of how to configure DHCP Options 43 and 60 for Cisco lightweight access points on a Cisco IOS router.

I will use the 192.168.10.0/24 network as an example, where all the Cisco lightweight access points will reside. The controller IP would be, let's say, 192.168.1.11. Since the Cisco Access Points and the Wireless LAN Controller are on two different subnets, I would need to configure DHCP Options 43 and 60:

ip dhcp pool AP_POOL
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
option 60 ascii "Cisco AP c2600"
option 43 hex f104c0a8010b

(I found the "Cisco AP c2600" string on the Cisco website; it is the VCI String, Vendor Class Identifier, for this AP model.)

Note: Option 60 is not required when using the Cisco IOS DHCP server. But having that option present means option 43 is not sent to clients that do not require it.

Now getting the option 60 part is easy. DHCP Option 43 calculation requires further explanation:

  • Option 43 is basically Type (f1) + Length (number of controller management IPs x 4) + Value (IP addresses in hex)
  • Type = will always be f1
  • Length = the number of controller management IPs multiplied by 4. So with a single controller it is 1 x 4, with two controllers 2 x 4; in our case it is 1 x 4 = 04
  • Value = the IP address of the controller's management interface in hex, so 192.168.1.11 = c0.a8.01.0b
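Building the option 43 hex string by hand is where mistakes creep in (a wrong length byte or a decimal-to-hex slip in one octet silently sends the APs nowhere), so it is worth generating and decoding it programmatically. The code below is an added example, not code from the post or from Cisco; it implements the Type + Length + Value layout described above for any number of controllers (the post shows the single-controller case), decodes an existing hex value back to addresses so a pool can be checked, and emits the IOS pool lines in the form used in the post. The pool name, network and gateway are the post's example values.

```python
import ipaddress

CISCO_AP_OPTION43_TYPE = 0xF1  # the "Type" byte Cisco lightweight APs expect


def option43_hex(controller_ips):
    """Build the 'option 43 hex' value: type f1, length = 4 * number of IPs, then each IPv4 in hex."""
    if not controller_ips:
        raise ValueError("at least one controller management IP is required")
    packed = b"".join(ipaddress.IPv4Address(ip).packed for ip in controller_ips)
    if len(packed) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return bytes([CISCO_AP_OPTION43_TYPE, len(packed)]).hex() + packed.hex()


def option43_decode(hex_value):
    """Parse an option 43 hex value back into dotted-quad controller IPs, checking type and length."""
    raw = bytes.fromhex(hex_value)
    if len(raw) < 2 or raw[0] != CISCO_AP_OPTION43_TYPE:
        raise ValueError("not a Cisco AP option 43 value (expected type byte f1)")
    length, body = raw[1], raw[2:]
    if length != len(body) or length % 4 != 0:
        raise ValueError(f"length byte {length:#04x} does not match {len(body)} bytes of addresses")
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


def ios_ap_pool(name, network, gateway, controller_ips, vci="Cisco AP c2600"):
    """Emit the IOS DHCP pool lines in the form shown in the post (VCI string from the post)."""
    net = ipaddress.ip_network(network, strict=True)
    return [
        f"ip dhcp pool {name}",
        f"network {net.network_address} {net.netmask}",
        f"default-router {gateway}",
        f'option 60 ascii "{vci}"',
        f"option 43 hex {option43_hex(controller_ips)}",
    ]


if __name__ == "__main__":
    # Single controller, as in the post: f1 04 c0a8010b
    print("\n".join(ios_ap_pool("AP_POOL", "192.168.10.0/24", "192.168.10.1", ["192.168.1.11"])))
    # Two controllers: the length byte becomes 08 and both addresses follow.
    two = option43_hex(["192.168.1.11", "192.168.1.12"])
    print(two, "->", option43_decode(two))
```

Decoding the value from the post, f104c0a8010b, returns ["192.168.1.11"], which is the controller address used in the example above; running the decoder over a pool copied from a production router is a cheap way to confirm the APs are being pointed at the right management interface.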

