Joining a Cisco LWAP to a vWLC

In this video, we take a look at what is required to join a Cisco Lightweight Access Point (LWAP) to a Cisco Virtual Wireless Controller (vWLC).

Devices in this video include:
  1. Cisco vWLC
  2. Cisco LWAP c1600 series
  3. Windows Server 2012 R2 




    Updated Notes: 28/09/2019
    Having worked with APs and WLCs some more, I wanted to share some more notes from things observed in my lab.
    The output below is generated from a C1600 series AP that I have in my lab. The syslog output is generated when the AP attempts to join the WLC. While looking into this, I found a few workarounds and potential bugs associated with this.



*Sep 28 19:38:19.066: AP has SHA2 MIC certificate – Using SHA2 MIC certificate for DTLS.

*Sep 28 19:38:18.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: peer_port: 5246

*Sep 28 19:38:23.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:929 Unexpected message received while expecting HelloVerifyRequest

*Sep 28 19:38:23.999: %DTLS-5-SEND_ALERT: Send FATAL : Unexpected message Alert to

*Sep 28 19:38:24.003: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to


You can find some potential workarounds in the above field notice; however, if the field notice doesn’t provide you with a solution, you could try the following.
  • Configure the WLC to ignore expired certificates using the following commands:

config ap cert-expiry-ignore ssc enable

config ap cert-expiry-ignore mic enable
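
To find this failure in collected AP syslog before changing the controller's certificate handling, the lines can be grouped per join attempt and checked for where the DTLS handshake stopped. This is an added example, not part of the original post; the function name and result fields are hypothetical, and the sample input is the syslog output quoted above.

```python
import re

# Sample input: the AP syslog lines quoted in the post (peer address blank, as there).
SAMPLE = """\
*Sep 28 19:38:19.066: AP has SHA2 MIC certificate – Using SHA2 MIC certificate for DTLS.
*Sep 28 19:38:18.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: peer_port: 5246
*Sep 28 19:38:23.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:929 Unexpected message received while expecting HelloVerifyRequest
*Sep 28 19:38:23.999: %DTLS-5-SEND_ALERT: Send FATAL : Unexpected message Alert to
*Sep 28 19:38:24.003: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to
"""

# "*<timestamp>: [%FACILITY-SEVERITY-MNEMONIC: ]<message>"
LINE = re.compile(r"^\*(?P<ts>\w{3}\s+\d+ [\d:.]+): (?:%(?P<tag>[A-Z0-9_]+-\d-[A-Z0-9_]+): )?(?P<msg>.*)$")
CERT = re.compile(r"AP has (?P<cert>.+?) certificate")
EXPECT = re.compile(r"Unexpected message received while expecting (?P<state>\w+)")
ALERT = re.compile(r"Send (?P<level>\w+) : (?P<desc>.+?) Alert")


def join_attempts(text):
    """Group AP syslog lines into DTLS join attempts (hypothetical helper).

    An attempt starts at a CAPWAP DTLSREQSEND line; the certificate line that
    precedes it and the errors/alerts that follow are attached to it.
    """
    attempts, pending_cert = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or non-syslog line
        ts, tag, msg = m["ts"], m["tag"], m["msg"]
        if (c := CERT.search(msg)):
            pending_cert = c["cert"]
        elif tag == "CAPWAP-5-DTLSREQSEND":
            attempts.append({"start": ts, "cert": pending_cert,
                             "stalled_at": None, "alerts": [], "failed": False})
            pending_cert = None
        elif attempts:
            cur = attempts[-1]
            if (e := EXPECT.search(msg)):
                cur["stalled_at"] = e["state"]
            if tag == "DTLS-5-SEND_ALERT" and (a := ALERT.search(msg)):
                cur["alerts"].append((a["level"], a["desc"]))
            cur["failed"] = bool(cur["stalled_at"]) or any(
                lvl == "FATAL" for lvl, _ in cur["alerts"])
    return attempts


if __name__ == "__main__":
    for a in join_attempts(SAMPLE):
        print(a)
```

Each returned record shows which certificate the AP presented, the handshake message it was waiting for when the error occurred, and the alerts it sent.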

