https://community.cisco.com/t5/%E6%97%A0%E7%BA%BF%E8%AE%A8%E8%AE%BA%E5%8C%BA/cisco-3802i-me-8-10-190-0-%E4%B8%8B-airprint-%E7%AD%89%E5%9F%BA%E4%BA%8E-mdns-%E5%BA%94%E7%94%A8%E6%97%A0%E6%B3%95%E6%AD%A3%E5%B8%B8%E5%B7%A5%E4%BD%9C/m-p/5543891#M16992 <P>从你的log中能看到如下两点问题：</P> <P>1.validate_sha2_block: Failed to get certificate chain Using SHA-1 signed certificate for image signing validation.</P> <P>日志表明 AP 在尝试验证 SHA-2 证书链时失败，因此回退使用旧版的 SHA-1 证书。思科在 2005 年至 2017 年间生产的大量 AP（如 1140, 1600,2600,3600，2700, 3700, 1532 等系列），其内置的 10 年期 MIC（制造安装证书）在近年已陆续过期（参考思科官方的 Field Notice FN63942 和 FN72524）。当 WLC 收到过期的 SHA-1 证书时，会拒绝 AP 的 CAPWAP/LWAPP 隧道建立请求，导致 AP 卡在当前状态无法加入。</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html</A></P> <P>2.%Default route without gateway, if not a point-to-point interface, may impact performance</P> <P>AP 获取到了 IP 地址，但没有获取到默认网关。如果你的 AP 和 WLC 在同一个 VLAN/网段（二层直连），这个警告可以忽略。但如果 AP 需要跨网段（三层路由）去寻找 WLC，没有网关将导致 AP 根本无法将注册数据包发送到 WLC 的 IP 地址上。</P> <P>AP的镜像校验看是通过的，应该没啥问题。所以主要可能证书过期的概率较大，你可以尝试通过config ap cert-expiry-ignore mic enable这类似的命令忽略或修改系统时间。</P> <P>&nbsp;</P> Wed, 08 Apr 2026 05:40:06 GMT Rps-Cheers 2026-04-08T05:40:06Z https://community.cisco.com/t5/%E6%97%A0%E7%BA%BF%E8%AE%A8%E8%AE%BA%E5%8C%BA/cisco-3802i-me-8-10-190-0-%E4%B8%8B-airprint-%E7%AD%89%E5%9F%BA%E4%BA%8E-mdns-%E5%BA%94%E7%94%A8%E6%97%A0%E6%B3%95%E6%AD%A3%E5%B8%B8%E5%B7%A5%E4%BD%9C/m-p/5091690#M16639 <P>环境描述</P><UL><LI>WPA2-PSK 的 SSID</LI><LI>电脑、手机和 HP Deskjet 打印机均连接至同一个 VLAN，且这些设备此前在 Aruba 的 AP 下均正常工作、打印</LI><LI>SSID 高级设置中 mDNS 已启用，VLAN 列表中已经添加 VLAN #1</LI><LI>Services 菜单下，Global Multicast 和 Multicast Direct 已启用，mDNS Global Snooping 已启用，其余设置保持默认</LI><LI>手机和电脑都可以 ping 通打印机的 IP 地址</LI><LI>交换机为 L2 的非网管 PoE 交换机，不存在任何 ACL 策略</LI></UL><P>观察发现默认设置下，某些 mDNS 服务例如 IPP 的 Query Status 为 No。手动修改所有服务的 Query Status 为 Yes 且全部添加至 default mdns profile 后，AirPrint 间歇性工作。</P><P>使用 debug mdns all enable 观察日志输出，可以得到&nbsp;<SPAN class=""><SPAN class="">&nbsp; </SPAN>UNSUPPORTED QUERY Service Name: HP5C60BA959ADE.local. 的日志内容。</SPAN></P><P><SPAN class="">检查 <A href="https://www.cisco.com/c/en/us/td/docs/wireless/access_point/feature-matrix/ap-feature-matrix.html#:~:text=the%20BLE%20feature.-,FlexConnect%20Feature%20Matrix%20(AireOS,and%20Cisco%20Mobility%20Express,-Features" target="_self">Feature Matrix for Cisco Wireless</A>&nbsp;发现，AP4800/3800/2800 在 ME Flexconnect 模式下不支持 mDNS。</SPAN></P><P><SPAN class="">通过搜索不难发现有许多 wlc 用户也出现了<A href="https://www.reddit.com/r/Cisco/comments/ezoxqy/cisco_wlc_bonjour_mdns_hp_photosmart/" target="_self">同样的问题</A>，并非个例。因此问题确实出在 ME 的 mDNS 相关设置上。</SPAN></P><P><SPAN class="">将 SSID 高级设置中的 mDNS Profile 设置为 None 后，AirPrint 间歇性工作。</SPAN></P> Mon, 06 May 2024 21:48:18 GMT https://community.cisco.com/t5/%E6%97%A0%E7%BA%BF%E8%AE%A8%E8%AE%BA%E5%8C%BA/cisco-3802i-me-8-10-190-0-%E4%B8%8B-airprint-%E7%AD%89%E5%9F%BA%E4%BA%8E-mdns-%E5%BA%94%E7%94%A8%E6%97%A0%E6%B3%95%E6%AD%A3%E5%B8%B8%E5%B7%A5%E4%BD%9C/m-p/5091690#M16639 aironetlap 2024-05-06T21:48:18Z https://community.cisco.com/t5/%E6%97%A0%E7%BA%BF%E8%AE%A8%E8%AE%BA%E5%8C%BA/cisco-3802i-me-8-10-190-0-%E4%B8%8B-airprint-%E7%AD%89%E5%9F%BA%E4%BA%8E-mdns-%E5%BA%94%E7%94%A8%E6%97%A0%E6%B3%95%E6%AD%A3%E5%B8%B8%E5%B7%A5%E4%BD%9C/m-p/5543734#M16990 <P>AP3802i刷成Cisco Mobility Express 8.5.182.0版本，AP3602i刷ap3g2-k9w8-tar.153-3.JF15廋固件，不能join</P><P>*Mar 1 00:00:45.335: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed (2-16)<BR />*Mar 1 00:00:45.335: DPAA Initialization Complete<BR />*Mar 1 00:00:45.335: %SYS-3-HARIKARI: Process DPAA INIT top-level routine exited<BR />*Mar 1 00:00:46.335: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up<BR />*Mar 1 00:00:50.587: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 192.168.1.103, mask 255.255.255.0, hostname APfc99.47c8.4193</P><P>*Mar 1 00:00:55.375: Currently running a Release Image<BR />validate_sha2_block: Failed to get certificate chain<BR />*Mar 1 00:00:55.399: Using SHA-1 signed certificate for image signing validation.<BR />%Default route without gateway, if not a point-to-point interface, may impact performance<BR />*Mar 1 00:01:08.611: AP image integrity check PASSED</P><P>*Mar 1 00:01:08.619: Non-recovery image. PNP Not required.</P><P>*Mar 1 00:01:08.631: validate_sha2_block:No SHA2 Block present on this AP.</P><P>*Mar 1 00:01:08.651: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset<BR />*Mar 1 00:01:09.751: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up<BR />*Mar 1 00:01:09.759: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset<BR />*Mar 1 00:01:10.751: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up<BR />*Mar 1 00:01:10.859: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to upChanspec set to 0xE02A</P><P>*Mar 1 00:01:10.867: %LINK-5-CHANGED: Interface Dot11Radio2, changed state to reset<BR />*Mar 1 00:01:11.859: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up<BR />*Mar 1 00:01:12.323: %LINK-6-UPDOWN: Interface Dot11Radio2, changed state to up<BR />*Mar 1 00:01:13.323: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio2, changed state to up<BR />*Mar 1 00:01:18.751: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 port 0 CLI Request Triggered<BR />*Mar 1 00:01:19.755: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 port 514 started - CLI initiated%No matching route to delete<BR />Translating "CISCO-CAPWAP-CONTROLLER"...domain server (192.168.1.1)</P><P>*Dec 1 18:15:26.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.240 peer_port: 5246<BR />*Dec 1 18:15:27.207: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 192.168.1.240<BR />*Dec 1 18:15:27.207: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.240:5246<BR />*Dec 1 18:16:31.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.240 peer_port: 5246<BR />*Dec 1 18:16:31.207: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 192.168.1.240<BR />*Dec 1 18:16:31.207: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.240:5246<BR />*Dec 1 18:18:02.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.240 peer_port: 5246<BR />*Dec 1 18:18:02.207: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 192.168.1.240<BR />*Dec 1 18:18:02.207: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.240:5246<BR />*Dec 1 18:19:07.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.240 peer_port: 5246<BR />*Dec 1 18:19:07.207: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 192.168.1.240<BR />*Dec 1 18:19:07.207: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.240:5246</P><P>请问大神是证书过期问题吗？</P><H1>&nbsp;</H1><H1>&nbsp;</H1> Tue, 07 Apr 2026 14:01:52 GMT https://community.cisco.com/t5/%E6%97%A0%E7%BA%BF%E8%AE%A8%E8%AE%BA%E5%8C%BA/cisco-3802i-me-8-10-190-0-%E4%B8%8B-airprint-%E7%AD%89%E5%9F%BA%E4%BA%8E-mdns-%E5%BA%94%E7%94%A8%E6%97%A0%E6%B3%95%E6%AD%A3%E5%B8%B8%E5%B7%A5%E4%BD%9C/m-p/5543734#M16990 sufee 2026-04-07T14:01:52Z https://community.cisco.com/t5/%E6%97%A0%E7%BA%BF%E8%AE%A8%E8%AE%BA%E5%8C%BA/cisco-3802i-me-8-10-190-0-%E4%B8%8B-airprint-%E7%AD%89%E5%9F%BA%E4%BA%8E-mdns-%E5%BA%94%E7%94%A8%E6%97%A0%E6%B3%95%E6%AD%A3%E5%B8%B8%E5%B7%A5%E4%BD%9C/m-p/5543891#M16992 <P>从你的log中能看到如下两点问题：</P> <P>1.validate_sha2_block: Failed to get certificate chain Using SHA-1 signed certificate for image signing validation.</P> <P>日志表明 AP 在尝试验证 SHA-2 证书链时失败，因此回退使用旧版的 SHA-1 证书。思科在 2005 年至 2017 年间生产的大量 AP（如 1140, 1600,2600,3600，2700, 3700, 1532 等系列），其内置的 10 年期 MIC（制造安装证书）在近年已陆续过期（参考思科官方的 Field Notice FN63942 和 FN72524）。当 WLC 收到过期的 SHA-1 证书时，会拒绝 AP 的 CAPWAP/LWAPP 隧道建立请求，导致 AP 卡在当前状态无法加入。</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html</A></P> <P>2.%Default route without gateway, if not a point-to-point interface, may impact performance</P> <P>AP 获取到了 IP 地址，但没有获取到默认网关。如果你的 AP 和 WLC 在同一个 VLAN/网段（二层直连），这个警告可以忽略。但如果 AP 需要跨网段（三层路由）去寻找 WLC，没有网关将导致 AP 根本无法将注册数据包发送到 WLC 的 IP 地址上。</P> <P>AP的镜像校验看是通过的，应该没啥问题。所以主要可能证书过期的概率较大，你可以尝试通过config ap cert-expiry-ignore mic enable这类似的命令忽略或修改系统时间。</P> <P>&nbsp;</P> Wed, 08 Apr 2026 05:40:06 GMT https://community.cisco.com/t5/%E6%97%A0%E7%BA%BF%E8%AE%A8%E8%AE%BA%E5%8C%BA/cisco-3802i-me-8-10-190-0-%E4%B8%8B-airprint-%E7%AD%89%E5%9F%BA%E4%BA%8E-mdns-%E5%BA%94%E7%94%A8%E6%97%A0%E6%B3%95%E6%AD%A3%E5%B8%B8%E5%B7%A5%E4%BD%9C/m-p/5543891#M16992 Rps-Cheers 2026-04-08T05:40:06Z https://community.cisco.com/t5/%E6%97%A0%E7%BA%BF%E8%AE%A8%E8%AE%BA%E5%8C%BA/cisco-3802i-me-8-10-190-0-%E4%B8%8B-airprint-%E7%AD%89%E5%9F%BA%E4%BA%8E-mdns-%E5%BA%94%E7%94%A8%E6%97%A0%E6%B3%95%E6%AD%A3%E5%B8%B8%E5%B7%A5%E4%BD%9C/m-p/5544416#M16993 <P><SPAN>config ap cert-expiry-ignore mic enable 就可以解决证书问题，谢谢大神！</SPAN></P> Thu, 09 Apr 2026 16:04:46 GMT https://community.cisco.com/t5/%E6%97%A0%E7%BA%BF%E8%AE%A8%E8%AE%BA%E5%8C%BA/cisco-3802i-me-8-10-190-0-%E4%B8%8B-airprint-%E7%AD%89%E5%9F%BA%E4%BA%8E-mdns-%E5%BA%94%E7%94%A8%E6%97%A0%E6%B3%95%E6%AD%A3%E5%B8%B8%E5%B7%A5%E4%BD%9C/m-p/5544416#M16993 sufee 2026-04-09T16:04:46Z