FortiExtender
FortiExtender offers wireless connectivity for nearly any operational network.
vpatil (Staff)
Article Id 358439
Description: This article explains how to resolve the CAPWAP DTLS alert 'Description: Bad Certificate (42)', which breaks FortiExtender CAPWAP management on the FortiGate.
Scope: FortiExtender v7.2 and FortiGate v7.2
Solution

1. In a packet capture of CAPWAP traffic (UDP ports 5246 and 5247) on the FortiGate interface, after the FortiExtender and FortiGate exchange Client Hello, Server Hello and Server Hello Done, the capture shows a DTLS Alert with 'Description: Bad Certificate (42)', as shown below:

[Figure: Disc Req Resp.PNG]

[Figure: DTLS Alert.PNG]

2. This DTLS Alert can occur when the Date & Time on the FortiGate are not valid: the certificate presented during the DTLS handshake is checked against the local clock, so a clock outside the certificate's validity period fails verification. In the above picture, it can be noted that the Year is 2000. Therefore, to resolve the CAPWAP connection issue between the FortiGate and the FortiExtender, set the Date & Time manually (workaround) or synchronize the FortiGate Date & Time with NTP.

3. The 'get extender status' output on the FortiExtender CLI will show 'CWWS_RUN' after the CAPWAP DTLS connection with the FortiGate is successful:

# get extender status
Extender Status
name : FXE11FTQ22XXXXX
mode : CAPWAP
fext-addr : 192.168.10.2
ingress-intf : port4
fext-wan-addr : 0.0.0.0
controller-addr : 192.168.10.1:5246,25246
controller-name : FGT60FTKXXXXX
uptime : 0 days, 0 hours, 0 minutes, 23 seconds
management-state : CWWS_RUN

 

CAPWAP Control Channel state machine.
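To make the two steps above concrete, the following Python script is an added example (not Fortinet code and not taken from the article's capture): it decodes a DTLS alert record such as the one seen in the packet capture, and then checks a certificate validity window against the local clock to show why a FortiGate clock stuck in the year 2000 produces 'Bad Certificate (42)'. The record bytes, the certificate validity dates and the function names (`parse_dtls_alert`, `certificate_valid_at`, `diagnose`) are all constructed for this illustration.

```python
"""Decode a DTLS alert record and show why a wrong system clock makes
certificate validation fail. Added example; the record bytes and the
certificate validity window below are constructed, not taken from the
article's capture."""
from datetime import datetime, timezone
import struct

# DTLS record content type for alerts (same value as TLS).
CONTENT_TYPE_ALERT = 21

# Subset of TLS/DTLS alert description codes (RFC 5246, section 7.2).
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    50: "decode_error",
    51: "decrypt_error",
    70: "protocol_version",
    80: "internal_error",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}


def parse_dtls_alert(record: bytes) -> dict:
    """Parse one unencrypted DTLS record carrying an alert.

    DTLS record header: type(1) version(2) epoch(2) seq(6) length(2),
    followed by the fragment; an alert fragment is level(1) description(1).
    """
    if len(record) < 13:
        raise ValueError("record shorter than the 13-byte DTLS header")
    ctype, ver_major, ver_minor, epoch = struct.unpack("!BBBH", record[:5])
    seq = int.from_bytes(record[5:11], "big")
    length = struct.unpack("!H", record[11:13])[0]
    if ctype != CONTENT_TYPE_ALERT:
        raise ValueError(f"not an alert record (content type {ctype})")
    body = record[13:13 + length]
    if len(body) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = body
    return {
        # DTLS stores the version as the one's complement: 0xFEFD is DTLS 1.2.
        "version": f"DTLS {255 - ver_major}.{255 - ver_minor}",
        "epoch": epoch,
        "sequence": seq,
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description_code": desc,
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
    }


def certificate_valid_at(not_before: datetime, not_after: datetime,
                         now: datetime) -> bool:
    """True when the local clock falls inside the certificate's validity
    window; this is the check a peer performs on the presented certificate."""
    return not_before <= now <= not_after


def diagnose(record: bytes, not_before: datetime, not_after: datetime,
             now: datetime) -> str:
    """Explain a bad_certificate alert in terms of the local clock."""
    alert = parse_dtls_alert(record)
    if alert["description_code"] != 42:
        return f"alert {alert['description']} is not a certificate problem"
    if certificate_valid_at(not_before, not_after, now):
        return "bad_certificate with a sane clock: check the certificate itself"
    return ("bad_certificate: local clock %s is outside the certificate "
            "validity window %s..%s; fix the date/time or enable NTP"
            % (now.date(), not_before.date(), not_after.date()))


# Constructed sample: a fatal bad_certificate alert in a DTLS 1.2 record.
SAMPLE_ALERT = (bytes([CONTENT_TYPE_ALERT, 0xFE, 0xFD])
                + (0).to_bytes(2, "big")      # epoch 0: handshake, unencrypted
                + (3).to_bytes(6, "big")      # record sequence number
                + (2).to_bytes(2, "big")      # fragment length
                + bytes([2, 42]))             # level fatal, bad_certificate

# Constructed validity window for the peer certificate.
NOT_BEFORE = datetime(2022, 1, 1, tzinfo=timezone.utc)
NOT_AFTER = datetime(2032, 1, 1, tzinfo=timezone.utc)
BAD_CLOCK = datetime(2000, 1, 1, tzinfo=timezone.utc)   # the year seen in the capture
GOOD_CLOCK = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(parse_dtls_alert(SAMPLE_ALERT))
    print(diagnose(SAMPLE_ALERT, NOT_BEFORE, NOT_AFTER, BAD_CLOCK))
    print(diagnose(SAMPLE_ALERT, NOT_BEFORE, NOT_AFTER, GOOD_CLOCK))
```

Running the script prints the decoded alert, then the diagnosis for a clock set to the year 2000 (outside the window, so the fix is the date/time or NTP) and for a correct clock (inside the window, so the certificate itself should be examined). The same `diagnose` logic applies to any bad_certificate alert, not only the CAPWAP case in the article.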