Cisco Aironet 3700i Access Point刷胖模式Web不能访问

sufee · ‎04-11-2020

Cisco Aironet 3700i Access Point刷了最新版本ap3g2-k9w7-tar.153-3.JPJ3.tar固件，Web页面不能登录，什么原因？IOS Bootloader - Starting system.
flash is writable
Tide XL MB - 40MB of flash
Xmodem file system is available.
flashfs[0]: 242 files, 7 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 41158656
flashfs[0]: Bytes used: 14002688
flashfs[0]: Bytes available: 27155968
flashfs[0]: flashfs fsck took 10 seconds.
Base Ethernet MAC address:
Ethernet speed is 1000 Mb - FULL Duplex
Loading "flash:/ap3g2-k9w7-mx.153-3.JPJ3/ap3g2-k9w7-mx.153-3.JPJ3"...#########################
File "flash:/ap3g2-k9w7-mx.153-3.JPJ3/ap3g2-k9w7-mx.153-3.JPJ3" uncompressed and installed, entry point: 0x2003000
executing...
Secondary Bootloader - Starting system.
Montserrat Board
40MB format
Tide XL MB - 40MB of flash
Xmodem file system is available.
flashfs[0]: 242 files, 7 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 41158656
flashfs[0]: Bytes used: 14002688
flashfs[0]: Bytes available: 27155968
flashfs[0]: flashfs fsck took 10 seconds.
flashfs[1]: 0 files, 1 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 12257280
flashfs[1]: Bytes used: 1024
flashfs[1]: Bytes available: 12256256
flashfs[1]: flashfs fsck took 1 seconds.
Base Ethernet MAC address: f0:7f:06:cb:1b:b8
Boot CMD: 'boot flash:/ap3g2-k9w7-mx.153-3.JPJ3/ap3g2-k9w7-xx.153-3.JPJ3;flash:/ap3g2-k9w7-mx.153-3.JPJ3/ap3g2-k9w7-xx.153-3.JPJ3'
Loading "flash:/ap3g2-k9w7-mx.153-3.JPJ3/ap3g2-k9w7-xx.153-3.JPJ3"...###########################################
File "flash:/ap3g2-k9w7-mx.153-3.JPJ3/ap3g2-k9w7-xx.153-3.JPJ3" uncompressed and installed, entry point: 0x1003000
executing...
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, C3700 Software (AP3G2-K9W7-M), Version 15.3(3)JPJ3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Mon 23-Mar-20 16:21 by prod_rel_team
Montserrat Board
40MB format
Tide XL MB - 40MB of flash
Initializing flashfs...
flashfs[2]: 242 files, 7 directories
flashfs[2]: 0 orphaned files, 0 orphaned directories
flashfs[2]: Total bytes: 40900608
flashfs[2]: Bytes used: 14002688
flashfs[2]: Bytes available: 26897920
flashfs[2]: flashfs fsck took 12 seconds.
flashfs[2]: Initialization complete.
flashfs[4]: 0 files, 1 directories
flashfs[4]: 0 orphaned files, 0 orphaned directories
flashfs[4]: Total bytes: 11999232
flashfs[4]: Bytes used: 1024
flashfs[4]: Bytes available: 11998208
flashfs[4]: flashfs fsck took 0 seconds.
flashfs[4]: Initialization complete.
Copying radio files from flash: to ram:
Copy in progress...CCCCC
Copy in progress...CCC
Copy in progress...CCCC
Copy in progress...CCCC
Copy in progress...CC
Copy in progress...CC
Copy in progress...CCCC
Copy in progress...CC
Copy in progress...CCCCCCCC
Copy in progress...CCCC
Copy in progress...CC
Copy in progress...C
Uncompressing radio files...
...done Initializing flashfs.
Radio0 present 8764 8000 0 A8000000 A8010000 0
Rate table has 650 entries (20 legacy/224 11n/406 11ac)
POWER TABLE FILENAME = ram:/Q2.bin
Radio1 present 8864 8000 0 80000000 80100000 4
POWER TABLE FILENAME = ram:/Q5.bin
Radio2 not present 0 0 0 0 0 8
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco AIR-SAP3702I-A-K9 (PowerPC) processor (revision A0) with 376814K/134656K bytes of memory.
Processor board ID
PowerPC CPU at 800Mhz, revision number 0x2151
Last reset from power-on
1 Gigabit Ethernet interface
2 802.11 Radios
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address:
Part Number :
PCB Serial Number :
Top Assembly Part Number :
Top Assembly Serial Number :
Top Revision Number : A0
Product/Model Number : AIR-CAP3702I-A-K9
Selected country China
Selected country China
System is configured with default enable secret.Please change it before enabling HTTP Server
Translating "time.windows.com"...domain server (255.255.255.255)
Translating "time.windows.com"...domain server (255.255.255.255)
Press RETURN to get started!
*Mar 1 00:00:16.959: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed (15)
*Mar 1 00:00:23.095: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0 (4)
*Mar 1 00:00:23.207: loading Power Tables from ram:/Q2.bin. Class = A
*Mar 1 00:00:23.211: record size of 3ss: 1168 read_ptr: 47AA116
*Mar 1 00:00:28.407: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1 (4)
*Mar 1 00:00:28.451: loading Power Tables from ram:/Q5.bin. Class = A
*Mar 1 00:00:28.483: record size of vht: 2904 read_ptr: 47AA116
*Mar 1 00:00:28.623: SCHED: Ethernet Bridge Process: install watched boolean System Initialized(479235C), os:1 ah:0
*Mar 1 00:00:30.715: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:31.119: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to the reason code 39
*Mar 1 00:00:31.119: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to the reason code 39
*Mar 1 00:00:31.119: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:00:31 UTC Mon Mar 1 1993 to 08:00:31 +0800 Mon Mar 1 1993, configured from console by console.
*Mar 1 00:00:31.135: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to the reason code 40
*Mar 1 00:00:31.163: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to the reason code 10
*Mar 1 00:00:31.175: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to the reason code 40
*Mar 1 00:00:31.195: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to the reason code 10
*Mar 1 00:00:31.223: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to the reason code 40
*Mar 1 00:00:31.511: %SYS-5-CONFIG_I: Configured from memory by console
*Mar 1 00:00:31.627: Starting Ethernet promiscuous mode
*Mar 1 00:00:31.627: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3700 Software (AP3G2-K9W7-M), Version 15.3(3)JPJ3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Mon 23-Mar-20 16:21 by prod_rel_team
*Mar 1 00:00:31.627: %SNMP-5-COLDSTART: SNMP agent on host Cisco is undergoing a cold start
*Apr 12 01:43:06.027: SCHED: Ethernet Bridge Process: remove watched boolean System Initialized(479235C)
*Apr 12 01:43:06.027: SCHED: Ethernet Bridge Process: install watched queue Soap BVI input queue(4784974), os:0 ah:0
*Apr 12 01:43:06.027: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Apr 12 01:43:06.027: %CDP_PD-4-POWER_OK: Full power - HIGH_POWER inline power source
*Apr 12 01:43:06.039: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Apr 12 01:43:06.039: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Apr 12 01:43:06.063: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
*Apr 12 01:43:07.027: %DOT11-4-NO_SSID_VLAN: No SSID with VLAN configured. Dot11Radio0 not started.
*Apr 12 01:43:07.039: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Apr 12 01:43:07.039: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Apr 12 01:43:08.027: %DOT11-4-NO_SSID_VLAN: No SSID with VLAN configured. Dot11Radio1 not started.
*Apr 12 01:43:08.027: %LINK-6-UPDOWN: Interface BVI1, changed state to down
*Apr 12 01:43:10.679: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed (0-0)
*Apr 12 01:43:10.679: DPAA Initialization Complete
*Apr 12 01:43:10.679: %SYS-3-HARIKARI: Process DPAA INIT top-level routine exited
*Apr 12 01:43:11.679: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Apr 12 01:43:13.679: %LINK-6-UPDOWN: Interface BVI1, changed state to up
*Apr 12 01:43:14.679: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Apr 12 01:43:20.119: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 192.168.1.180, mask 255.255.255.0, hostname Cisco
Translating "time.windows.com"...domain server (192.168.1.1)

YilinChen · ‎04-13-2020

尝试换个版本式一下吧

sufee · ‎04-13-2020

Cisco#configure terminal
Cisco(config)#ip http authentication enable
Cisco(config)#ip http authentication local
Cisco(config)#ip http server
Cisco(config)#end
默认关闭了HTTP服务。

Rps-Cheers · ‎04-13-2020

sufee 发表于 2020-4-13 15:42
Cisco#configure terminal
Cisco(config)#ip http authentication enable
Cisco(config)#ip http authent ...

解决了吧？

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

sufee · ‎10-05-2023

重新刷了ap3g2-k9w7-tar.153-3.JPQ.tar版本，默认Cisco用户登录反复登录弹窗，不能登录，是何原因？

sufee · ‎04-13-2020

可以登录，保存配置出现404 Not Found，又什么问题？

HaifengLi · ‎04-13-2020

sufee 发表于 2020-4-14 06:26
可以登录，保存配置出现404 Not Found，又什么问题？

有可能和CSCvs28965有关

敏民 · ‎04-14-2020

刷jF10.稳定版本..可以在WEB界面保存配置....能把您的新固件发我邮箱吗?我正好手中有这AP
..851168934@qq.com..感谢

18653465190 · ‎04-14-2020

sufee 发表于 2020-4-13 15:42
Cisco#configure terminal
Cisco(config)#ip http authentication enable
Cisco(config)#ip http authent ...

楼上好厉害。长见识了。

sufee · ‎04-14-2020

证书问题怎么解决啊？看了说明文档不知道用。

sufee · ‎04-17-2020

Workaround 1

Install a certificate from a CA.

In this workaround, a certificate request is generated and displayed by Cisco IOS. The administrator then copies the request and submits it to a third-party CA and retrieves the result.

Note: Use of a CA to sign certificates is considered to be a security best-practice. This procedure is provided as a workaround in this Field Notice. However, it is preferable to continue to use the third-party CA-signed certificate after you apply this workaround, rather than to use a self-signed certificate.

In order to install a certificate from a third-party CA, complete these steps:

Create a Certificate Signing Request (CSR).
Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# crypto pki trustpoint TEST
Router(ca-trustpoint)# enrollment term pem
Router(ca-trustpoint)# subject-name CN=TEST
Router(ca-trustpoint)# revocation-check none
Router(ca-trustpoint)# rsakeypair TEST
Router(ca-trustpoint)# exit
Router(config)# crypto pki enroll TEST
% Start certificate enrollment ..
% The subject name in the certificate will include: CN=TEST
% The subject name in the certificate will include: Router.cisco.com
% The serial number in the certificate will be: FTX1234ABCD
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
A Base64 Certificate is displayed here. Copy it, along with the ---BEGIN and ---END lines.
-----END CERTIFICATE REQUEST-----
---End - This line not part of the certificate request---
Submit the CSR to the third-party CA.
Note: The procedure to submit the CSR to a third-party CA and retrieve the resulting certificate varies based on the CA that is being used. Consult the documentation for your CA for instructions on how to perform this step.
Download the new identity certificate for the router along with the CA certificate.
Install the CA certificate on the device.
Router# conf tEnter configuration commands, one per line. End with CNTL/Z.Router(config)# crypto pki auth TEST Enter the base 64 encoded CA certificate.End with a blank line or the word "quit" on a line by itself -----BEGIN CERTIFICATE-----REMOVED-----END CERTIFICATE----- Certificate has the following attributes: Fingerprint MD5: 79D15A9F C7EB4882 83AC50AC 7B0FC625 Fingerprint SHA1: 0A80CC2C 9C779D20 9071E790 B82421DE B47E9006 % Do you accept this certificate? [yes/no]: yesTrustpoint CA certificate accepted.% Certificate successfully imported
Install the identity certificate on the device.
Router(config)# crypto pki import TEST certificate Enter the base 64 encoded certificate.End with a blank line or the word "quit" on a line by itself -----BEGIN CERTIFICATE-----REMOVED-----END CERTIFICATE----- % Router Certificate successfully imported

Workaround 2

Use the local Cisco IOS CA server to generate and sign a new certificate.

Note: The local CA server feature is not available on all products.

Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip http server
Router(config)# crypto pki server IOS-CA
Router(cs-server)# grant auto
Router(cs-server)# database level complete
Router(cs-server)# no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
% Certificate Server enabled.
Router# show crypto pki server IOS-CA Certificates
Serial Issued date Expire date Subject Name
1 21:31:40 EST Jan 1 2020 21:31:40 EST Dec 31 2022 cn=IOS-CA
Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# crypto pki trustpoint TEST
Router(ca-trustpoint)# enrollment url http://:80 # Replace with the IP address of an interface on the router
Router(ca-trustpoint)# subject-name CN=TEST
Router(ca-trustpoint)# revocation-check none
Router(ca-trustpoint)# rsakeypair TEST
Router(ca-trustpoint)# exit
Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# crypto pki auth TEST
Certificate has the following attributes:
Fingerprint MD5: C281D9A0 337659CB D1B03AA6 11BD6E40
Fingerprint SHA1: 1779C425 3DCEE86D 2B11C880 D92361D6 8E2B71FF
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
Router(config)# crypto pki enroll TEST
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: CN=TEST
% The subject name in the certificate will include: Router.cisco.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: FTX1234ABCD
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose TEST' command will show the fingerprint.

Workaround 3

Use OpenSSL to generate a PKCS12 certificate bundle and import the bundle to Cisco IOS.

Generate a PKCS12 certificate bundle:
Linux, UNIX, or macOS example
User@linux-box$ openssl req -newkey rsa:2048 -nodes -keyout tmp.key -x509 -days 4000 -out tmp.cer -subj
"/CN=SelfSignedCert" &> /dev/null && openssl pkcs12 -export -in tmp.cer -inkey tmp.key -out tmp.bin
-passout pass:Cisco123 && openssl pkcs12 -export -out certificate.pfx -password pass:Cisco123 -inkey
tmp.key -in tmp.cer && rm tmp.bin tmp.key tmp.cer && openssl base64 -in certificate.pfx
MIII8QIBAzCCCLcGCSqGSIb3DQEHAaCCCKgEggikMIIIoDCCA1cGCSqGSIb3DQEH
BqCCA0gwggNEAgEAMIIDPQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIGnxm
t5r28FECAggAgIIDEKyw10smucdQGt1c0DdfYXwUo8BwaBnzQvN0ClawXNQln2bT
vrhus6LfRvVxBNPeQz2ADgLikGxatwV5EDgooM+IEucKDURGLEotaRrVU5Wk3EGM
mjC6Ko9OaM30vhAGEEXrk26cq+OWsEuF3qudggRYv2gIBcrJ2iUQNFsBIrvlGHRo
FphOTqhVaAPxZS7hOB30cK1tMKHOIa8EwygyBvQPfjjBT79QFgeexIJFmUtqYX/P

tT6r4SuibYKu6HV45ffjSzOimcJI+D9LKhLWR6pK/k5ge8v7aK9/rsVbjavbdy7b
CSqGSIb3DQEJFTEWBBS96DY/gRfN1dSx46P1EqjPvSYiETAxMCEwCQYFKw4DAhoF
AAQU+EX0kNvuNz6XmFxXER8wlqKTGvgECA+D+Z81uwafAgIIAA==
Import the certificate to a Cisco IOS or IOS XE Router:
Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# crypto pki trustpoint TEST
Router(ca-trustpoint)# enrollment terminal
Router(ca-trustpoint)# revocation-check none
Router(ca-trustpoint)# exit
R1(config)#crypto pki import TEST pkcs12 terminal password Cisco123
Enter the base 64 encoded pkcs12.
End with a blank line or the word "quit" on a line by itself:
MIII8QIBAzCCCLcGCSqGSIb3DQEHAaCCCKgEggikMIIIoDCCA1cGCSqGSIb3DQEH
BqCCA0gwggNEAgEAMIIDPQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQItyCo
Vh05+0QCAggAgIIDENUWY+UeuY5sIRZuoBi2nEhdIPd1th/auBYtX79aXGiz/iEW

IY1l273y9bC3qPVJ0UGoQW8SGfarqEjaqxdAet66E5V6u9Yvd4oMsIYGsa70m+FN
CsUVj+ll5hzGjK78L0ycXWpH4gDOGYBVf+D7mgWqaqZvxYUoEkOrTMmW5zElMCMG
CSqGSIb3DQEJFTEWBBSgiBJIYpJLzo/GYN0sesZh3wGmPTAxMCEwCQYFKw4DAhoF
AAQUdeUrLIC2uo/mbyE86he5+qEjmPYECKu76GWaeKb7AgIIAA==
quit
CRYPTO_PKI: Imported PKCS12 file successfully.
R1(config)#
Verify that the new certificate is installed:
R1#show crypto pki certificates TESTLoad for five secs: 5%/1%; one minute: 2%; five minutes: 3%Time source is SNTP, 15:04:37.593 UTC Mon Dec 16 2019CA Certificate Status: Available Certificate Serial Number (hex): 00A16966E46A435A99 Certificate Usage: General Purpose Issuer: cn=SelfSignedCert Subject: cn=SelfSignedCert Validity Date: start date: 14:54:46 UTC Dec 16 2019 end date: 14:54:46 UTC Nov 28 2030

moonieni · ‎04-27-2020

感谢楼主分享资讯

sufee · ‎08-05-2021

胖模式只能刷JF10版本吗？新版本c3700-k9w7-tar.153-3.JPK2解决证书问题了吗？

wanhuaye · ‎08-08-2021

ap3g2-k9w7-xx.153-3.JF10谁有，发我一个，我有最新的固件，也是保存404。可以用新固件换，邮箱136487910@qq.com.。可以加QQ探讨。

sufee · ‎04-05-2023

ap3g2-k9w7-tar.153-3.JPP.tar版本有吗？可以分享吗？谢谢！