
Cisco 3700 Series Multiservice Access Routers

Field Notice: FN - 62379 - Wireless LAN Controller Network Module does not Authenticate with Cisco/Airespace Access Points - Hardware Upgrade


 

Revised April 4, 2007
April 10, 2006


NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Products Affected

Products Affected    Top Assembly Part Number
NM-AIR-WLC6-K9       800-27210-01
NM-AIR-WLC6-K9=      800-27210-01

Serial Numbers


Problem Description

Wireless LAN Controller Network Modules NM-AIR-WLC6-K9 and NM-AIR-WLC6-K9= were shipped with incorrect certificates, causing the WLCNM to not be authenticated by Cisco/Airespace Access Points. Wireless LAN Controller Network Modules shipped between February 1, 2006 and March 22, 2006 are affected. A manufacturing process failure did not copy the correct certificates to WLCNM devices. The incorrect certificate creates an RSA key mismatch, which causes LWAPP-based Access Points to fail to join/associate/register to WLCNM.

Background

On March 20, 2006, a bug was logged indicating that Access Points were not authenticating to NM-AIR-WLC6-K9 or NM-AIR-WLC6-K9= network modules. It was found that an RSA key mismatch causes LWAPP-based Access Points to fail to join/associate/register to WLCNM. The cause of the incorrect certificate was related to a manufacturing process failure which prevented copying of the correct certificate to WLCNM devices. The manufacturing anomaly has since been corrected and Wireless LAN Controller Network Modules produced as of March 23, 2006 should no longer experience this problem.

Problem Symptoms

The issue can be seen when issuing the show ap summary command. Access points will lose their association.

(Cisco Controller) >show time

Time............................................. Fri Mar 24 11:21:48 2006

(Cisco Controller) >show ap summary

AP Name            Slots AP Model            Ethernet MAC      Location         Port
------------------ ----- ------------------- ----------------- ---------------- ----
xxxxxxxxxxxxxxxx   2     AP1242              xx:xx:xx:xx:xx:xx default_location 1
xxxxxxxxxxxxxxxx   2     AP1242              xx:xx:xx:xx:xx:xx default_location 1

(Cisco Controller) >show time

Time............................................. Fri Mar 24 11:24:21 2006


(Cisco Controller) >show ap summary

AP Name            Slots AP Model            Ethernet MAC      Location         Port
------------------ ----- ------------------- ----------------- ---------------- ----

The access point console log shows that the access point is unable to decode the JOIN response:

LWAPP_CLIENT_ERROR_DEBUG: peer RSA public key decrypt failed
LWAPP_CLIENT_ERROR_DEBUG: spamDecodeJoinReply :
sessionId 0x7E7F8081 does not match sent 0xDD2439D8
LWAPP_CLIENT_ERROR_DEBUG: Unable to decode join reply

LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not recieve the Join response
LWAPP_CLIENT_ERROR_DEBUG: No more AP manager IP addresses remain.
%SYS-5-RELOAD: Reload requested by LWAPP CLIENT.
Reload Reason: DID NOT GET JOIN RESPONSE.
%LWAPP-5-CHANGED: LWAPP changed state to DOWN

Debug output from the WLCNM shows the lost association as well: the NM-AIR-WLC6-K9 continually receives discovery requests from the Access Point. In this example, the MAC address of the NM-AIR-WLC6-K9 was changed to 00:00:00:00:00:02 and the Access Point is 00:00:00:00:00:01. The debugs used to generate the output in this example are: debug lwapp event enable, debug lwapp error enable, debug lwapp detail enable.

1. NM-AIR-WLC6-K9 receives a discovery request from Access Point:

Received LWAPP DISCOVERY REQUEST from AP 00:00:00:00:00:01 to 00:00:00:00:00:02 on port '1'

2. NM-AIR-WLC6-K9 sends a discovery response to Access Point:

Successful transmission of LWAPP Discovery-Response to AP 00:00:00:00:00:01 on Port 1

3. NM-AIR-WLC6-K9 receives a JOIN request from Access Point:

Received LWAPP JOIN REQUEST from AP 00:00:00:00:00:01 to 00:00:00:00:00:02 on port '1'

4. NM-AIR-WLC6-K9 sends a JOIN-Reply to Access Point:

Successfully transmission of LWAPP Join-Reply to AP 00:00:00:00:00:01

5. The problem is seen at this point because the Access Point sends another discovery request to NM-AIR-WLC6-K9:

Received LWAPP DISCOVERY REQUEST from AP 00:00:00:00:00:01 to 00:00:00:00:00:02 on port '1'
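
The five-step sequence above can be checked for mechanically in captured controller debug output. The following is an added example, not part of the original field notice or any Cisco tool: it counts, per access point, how often a Join-Reply is followed by a fresh Discovery Request. The function names and the second AP (00:00:00:00:00:03) in the sample are assumptions made for illustration.

```python
import re
from collections import defaultdict

MAC = r"((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
# Message patterns taken from the debug lines quoted in this notice, in protocol order.
STEPS = [
    ("DISCOVERY_REQ", re.compile(r"Received LWAPP DISCOVERY REQUEST from AP " + MAC)),
    ("DISCOVERY_RESP", re.compile(r"transmission of LWAPP Discovery-Response to AP " + MAC)),
    ("JOIN_REQ", re.compile(r"Received LWAPP JOIN REQUEST from AP " + MAC)),
    ("JOIN_REPLY", re.compile(r"transmission of LWAPP Join-Reply to AP " + MAC)),
]

def classify(line):
    """Return (event, ap_mac) for a recognised debug line, else None."""
    for name, pattern in STEPS:
        m = pattern.search(line)
        if m:
            return name, m.group(1).lower()
    return None

def find_join_loops(lines):
    """Count, per AP, how often a Join-Reply was followed by a new Discovery Request."""
    last_event = {}
    loops = defaultdict(int)
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue  # unrelated debug output
        event, ap = hit
        # The notice identifies a Discovery Request arriving right after the
        # Join-Reply (step 5) as the point where the problem is seen.
        if event == "DISCOVERY_REQ" and last_event.get(ap) == "JOIN_REPLY":
            loops[ap] += 1
        last_event[ap] = event
    return dict(loops)

# Constructed sample: the five debug lines from the notice plus a second,
# made-up AP (00:00:00:00:00:03) that only discovers and never loops.
SAMPLE = """\
Received LWAPP DISCOVERY REQUEST from AP 00:00:00:00:00:01 to 00:00:00:00:00:02 on port '1'
Successful transmission of LWAPP Discovery-Response to AP 00:00:00:00:00:01 on Port 1
Received LWAPP DISCOVERY REQUEST from AP 00:00:00:00:00:03 to 00:00:00:00:00:02 on port '1'
Received LWAPP JOIN REQUEST from AP 00:00:00:00:00:01 to 00:00:00:00:00:02 on port '1'
Successfully transmission of LWAPP Join-Reply to AP 00:00:00:00:00:01
Received LWAPP DISCOVERY REQUEST from AP 00:00:00:00:00:01 to 00:00:00:00:00:02 on port '1'
""".splitlines()

if __name__ == "__main__":
    for ap, count in find_join_loops(SAMPLE).items():
        print(f"{ap}: {count} join loop(s); check the AP console for the RSA decrypt error")
```

A non-zero count only shows the loop; the "peer RSA public key decrypt failed" line on the access point console is what ties it to the certificate problem described in this notice.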

Workaround/Solution

The upgrade program has expired. Failed products need to be replaced using the normal RMA process.

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered customer and you must be logged in.

DDTS                                     Description
CSCsd71425 (registered customers only)   WLCNM cannot join LAP1242, LAP1131, or AP1020 due to peer RSA certificate

Revision History

Revision   Date          Comment
1.3        04-APR-2007   Retired Umpire program and updated Workaround/Solution section to reflect this.
1.2        18-MAY-2006   Updated Umpire Form
1.1        27-APR-2006   Updated Serial Number Section
1.0        10-APR-2006   Initial Public Release

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.