Revised April 4, 2007
April 10, 2006
NOTICE:
THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Products Affected
Products Affected | Top Assembly Part Number |
---|---|
NM-AIR-WLC6-K9 | 800-27210-01 |
NM-AIR-WLC6-K9= | 800-27210-01 |
Serial Numbers
Random # |
---|
FOC09400PK7 |
Problem Description
Wireless LAN Controller Network Modules NM-AIR-WLC6-K9 and NM-AIR-WLC6-K9= were shipped with incorrect certificates, causing the WLCNM to not be authenticated by Cisco/Airespace Access Points. Wireless LAN Controller Network Modules shipped between February 1, 2006 and March 22, 2006 are affected. A manufacturing process failure did not copy the correct certificates to WLCNM devices. The incorrect certificate creates an RSA key mismatch, which causes LWAPP-based Access Points to fail to join/associate/register to WLCNM.
Background
On March 20, 2006, a bug was logged indicating that Access Points were not authenticating to NM-AIR-WLC6-K9 or NM-AIR-WLC6-K9= network modules. It was found that an RSA key mismatch causes LWAPP-based Access Points to fail to join/associate/register to WLCNM. The cause of the incorrect certificate was related to a manufacturing process failure which prevented copying of the correct certificate to WLCNM devices. The manufacturing anomaly has since been corrected and Wireless LAN Controller Network Modules produced as of March 23, 2006 should no longer experience this problem.
Problem Symptoms
The issue can be seen when issuing the show ap summary command. Access points will lose their association.
(Cisco Controller) >show time
Time............................................. Fri Mar 24 11:21:48 2006
(Cisco Controller) >show ap summary
AP Name Slots AP Model Ethernet MAC Location Port
------------------ ----- ------------------- ----------------- ---------------- ----
xxxxxxxxxxxxxxxx 2 AP1242 xx:xx:xx:xx:xx:xx default_location 1
xxxxxxxxxxxxxxxx 2 AP1242 xx:xx:xx:xx:xx:xx default_location 1
(Cisco Controller) >show time
Time............................................. Fri Mar 24 11:24:21 2006
(Cisco Controller) >show ap summary
AP Name Slots AP Model Ethernet MAC Location Port
------------------ ----- ------------------- ----------------- ---------------- ----
The access point console log shows that it is unable to decode the JOIN response:
LWAPP_CLIENT_ERROR_DEBUG: peer RSA public key decrypt failed
LWAPP_CLIENT_ERROR_DEBUG: spamDecodeJoinReply :
sessionId 0x7E7F8081 does not match sent 0xDD2439D8
LWAPP_CLIENT_ERROR_DEBUG: Unable to decode join reply
LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not recieve the Join response
LWAPP_CLIENT_ERROR_DEBUG: No more AP manager IP addresses remain.
%SYS-5-RELOAD: Reload requested by LWAPP CLIENT.
Reload Reason: DID NOT GET JOIN RESPONSE.
%LWAPP-5-CHANGED: LWAPP changed state to DOWN
Debug output from the WLCNM shows that the controller has lost association when NM-AIR-WLC6-K9 continually receives discovery requests from the Access Point. In this example, the MAC address of NM-AIR-WLC6-K9 was changed to 00:00:00:00:00:02 and the Access Point is 00:00:00:00:00:01. The debugs used to generate the output in this example were: debug lwapp event enable, debug lwapp error enable, debug lwapp detail enable.
1. NM-AIR-WLC6-K9 receives a discovery request from Access Point:
Received LWAPP DISCOVERY REQUEST from AP 00:00:00:00:00:01 to 00:00:00:00:00:02 on port '1'
2. NM-AIR-WLC6-K9 sends a discovery response to Access Point:
Successful transmission of LWAPP Discovery-Response to AP 00:00:00:00:00:01 on Port 1
3. NM-AIR-WLC6-K9 receives a JOIN request from Access Point:
Received LWAPP JOIN REQUEST from AP 00:00:00:00:00:01 to 00:00:00:00:00:02 on port '1'
4. NM-AIR-WLC6-K9 sends a JOIN-Reply to Access Point:
Successfully transmission of LWAPP Join-Reply to AP 00:00:00:00:00:01
5. The problem is seen at this point because the Access Point sends another discovery request to NM-AIR-WLC6-K9:
Received LWAPP DISCOVERY REQUEST from AP 00:00:00:00:00:01 to 00:00:00:00:00:02 on port '1'
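The two symptoms above (the AP console errors and the controller-side discovery/join loop) can be checked for in captured logs. The following is an added example, not part of the original field notice or any Cisco tool; the function names are hypothetical and the sample lines are copied from the output shown in this notice.

```python
import re

# Controller debug lines, copied from the five-step sequence in this notice.
WLC_DEBUG = """\
Received LWAPP DISCOVERY REQUEST from AP 00:00:00:00:00:01 to 00:00:00:00:00:02 on port '1'
Successful transmission of LWAPP Discovery-Response to AP 00:00:00:00:00:01 on Port 1
Received LWAPP JOIN REQUEST from AP 00:00:00:00:00:01 to 00:00:00:00:00:02 on port '1'
Successfully transmission of LWAPP Join-Reply to AP 00:00:00:00:00:01
Received LWAPP DISCOVERY REQUEST from AP 00:00:00:00:00:01 to 00:00:00:00:00:02 on port '1'
"""

# AP console lines, copied from the console log excerpt in this notice.
AP_CONSOLE = """\
LWAPP_CLIENT_ERROR_DEBUG: peer RSA public key decrypt failed
LWAPP_CLIENT_ERROR_DEBUG: spamDecodeJoinReply :
sessionId 0x7E7F8081 does not match sent 0xDD2439D8
LWAPP_CLIENT_ERROR_DEBUG: Unable to decode join reply
"""

MAC = r"((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
EVENTS = [  # (event name, pattern capturing the AP MAC)
    ("discovery", re.compile(r"Received LWAPP DISCOVERY REQUEST from AP " + MAC)),
    ("join_req", re.compile(r"Received LWAPP JOIN REQUEST from AP " + MAC)),
    ("join_reply", re.compile(r"transmission of LWAPP Join-Reply to AP " + MAC)),
]

def rejoin_loops(debug_text):
    """Count, per AP MAC, discovery requests that directly follow a Join-Reply."""
    last, loops = {}, {}
    for line in debug_text.splitlines():
        for name, rx in EVENTS:
            m = rx.search(line)
            if not m:
                continue
            ap = m.group(1).lower()
            if name == "discovery" and last.get(ap) == "join_reply":
                loops[ap] = loops.get(ap, 0) + 1  # AP restarted discovery after our reply
            last[ap] = name
            break
    return loops

def ap_key_mismatch(console_text):
    """True if the RSA decrypt failure precedes an undecodable join reply."""
    decrypt = console_text.find("peer RSA public key decrypt failed")
    decode = console_text.find("Unable to decode join reply")
    return decrypt != -1 and decode > decrypt
```

A single discovery after a Join-Reply can also be an ordinary AP reboot, so treat the count as a heuristic: repeated hits for the same AP together with the AP-side RSA decrypt error match the symptom described here.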
Workaround/Solution
The upgrade program has expired. Failed products need to be replaced using the normal RMA process.
DDTS
To follow the bug ID link below and see detailed bug information, you must be a registered customer and you must be logged in.
DDTS | Description |
---|---|
CSCsd71425 (registered customers only) | WLCNM cannot join LAP1242, LAP1131, or AP1020 due to peer RSA certificate |
Revision History
Revision | Date | Comment |
---|---|---|
1.3 | 04-APR-2007 | Retired Umpire program and updated Workaround/Solution section to reflect this. |
1.2 | 18-MAY-2006 | Updated Umpire Form |
1.1 | 27-APR-2006 | Updated Serial Number Section |
1.0 | 10-APR-2006 | Initial Public Release |
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Receive Email Notification For New Field Notices
Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.