Field Notice: FN - 63942 - 5508 expired MIC

jon.ellis
Level 1

Hi All,

Wondered if anyone could advise? I'm seeing quite a few cases of WLC 5508 with expired MICs (10-year). Does the below bug address the fix on the WLC, and will it actually fix the certificate ignore error so that we don't need to disable NTP and roll back the time prior to the cert expiry? While the fix works, it's not good in the long run. Is there a plan from Cisco to address this in a main release? Will I need to raise a TAC case should the software have the fix in the engineering release mentioned?

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb93909

Kind Regards Jon

Leo Laohoo
Hall of Fame

Read this:  FN - 63942 - Wireless Lightweight Access Points and WLAN Controllers Fail to Create CAPWAP/LWAPP Connections Due to Certificate Expiration - Software Upgrade Recommended

It is stated in the FN that:  Upgrade to a software version that contains the fix. Cisco has released the fix for Cisco bug ID CSCuq19142 for AireOS Versions 7.0.252.0, 7.4.140.0, 8.0.120.0, 8.1.102.0, and later.

Hi Leo,

I don't believe the software mentioned works for the WLC 5508? This is to ignore the MIC expired on the access points? Mainly 1131, 1142 were the issue then, with the config ap cert-expiry-ignore {mic|ssc} enable, which was indeed introduced on the earlier 8.0.x.x release. Customer is running 8.3.143.0.

Kind Regards Jon


@jon.ellis wrote:

I don't believe the software mentioned works for the WLC 5508?


Why not?  The last firmware 5508 will support is 8.5.X.X. 


@jon.ellis wrote:

Customer is running 8.3.143.0


Upgrade to the latest 8.3.X.X. 

Thanks again for response Leo, :)

They have a large number of 1142 model APs, so 8.5 is not an option at the moment, but if they upgrade to the latest 8.3.150.0, will this have the fix in it? Or will it need a maintenance release 8.3.150.X from Cisco TAC as per the bug? There are a few controllers with the issue, so will need to be providing the fixed-in version (bug).

Kind Regards Jon

Yes.

Hi Leo,

Thanks again, so yes, go to 8.3(150.5) as per bug fix? So I will need to raise a TAC case to be able to get this release?

Kind Regards Jon

No, download the latest 8.3.X.X and the fix will be there.

Thanks Leo,

Will upgrade one of the controllers as a test and see how it goes, will keep you posted.

Kind Regards Jon

Hi Leo,

Customer upgraded to 8.3.150.0 and this did not resolve their issue. I'm opening a TAC case for the 8.3.150.5 and will let you know if this will fix the join issue because of expired MIC on controller.

Kind Regards Jon

I am curious if this fixed your issue? We have a 5508 and are running 8.3.150.6. We have both checks disabled. We have disabled NTP and set the time back and allowed all WAPs to join the controller and update. Then we re-enable NTP and after a while, several WAPs will unjoin the controller? So we have been keeping NTP disabled and setting the time/date back a couple years...

I checked into this further. Apparently there are two bugs that are similar. We are actually hitting this bug.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs22835

The only fix is to upgrade to version 8.5.154.31 or later. We can't go past 8.3 or we will lose support for several of our AP models. So we will continue to use the workaround of disabling NTP and setting the date back. This isn't a horrible solution if you aren't using SNMP 3 (we are using SNMP 2c).

Thanks