cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2198
Views
30
Helpful
24
Replies
Highlighted
Beginner

Re: AP 1131AG cannot upgrade from version3.0.51.0 to 7.3.101.0 (

I think now that it is definitely a certificate issue and I hate x509 certs...

Is one can tell me how to retreive the ssc certificate hash on the AP ?

I plan to switch back the AP to autonomous mode and to convert it again to LAP mode.

A certificate issue might have appened during the conversion process.

Any other ideas guys ?

V.

Highlighted

Re: AP 1131AG cannot upgrade from version3.0.51.0 to 7.3.101.0 (

when you do the deb mac addr < ap mac> also do debug pm pki enable...watch for the AP mac address and you will see the SSC hash, if there is one.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
Highlighted
Beginner

Re: AP 1131AG cannot upgrade from version3.0.51.0 to 7.3.101.0 (

Hello Stephen,

there is no certificate hash for me in "debug pm pki enable".

It's a very bad idea to put certificate in there !!!

V.

Highlighted
Hall of Fame Master

AP 1131AG cannot upgrade from version3.0.51.0 to 7.3.101.0 (vwlc

Make sure the time is correct and then look at disabling the hash: configure certificate ssc hash validation disable

http://www.cisco.com/en/US/products/ps12723/products_tech_note09186a0080bd2d04.shtml#hash

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
Highlighted
Hall of Fame Master

AP 1131AG cannot upgrade from version3.0.51.0 to 7.3.101.0 (vwlc

Here is a linke that David W posted on another thread regarding these older AP's connecting to the vWLC.  You need the latest software downloaded to the AP.

The virtual wireless LAN controller does not have a Manufacturer Installed Certificate (MIC). Therefore, APs cannot validate the virtual controller unless they are using a 7.3-based image such as the follows:

12.4(25e)JAL for 1130/1240 series APs

15.2(2)JA for 1250/1260/1140/2600/3500/3600 series APs

http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn73.html#wp784178

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
Highlighted
Beginner

Re: AP 1131AG cannot upgrade from version3.0.51.0 to 7.3.101.0 (

Hello,

to summarize :

- Both clocks are ok.

- IOS version is :c1130-k9w8-mx.124-25e.JAL and LWAPP image version 7.3.101.0.

- the AP says (on and on) :

-----------------------------------

%CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.6.30 peer_port: 5246% Be sure to ask the CA administrator to revoke your certificates

Feb 19 14:55:59.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.6.30 peer_port: 5246

Feb 19 14:56:00.332: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.6.30 peer_port: 5246

Feb 19 14:56:00.333: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.6.30

Feb 19 14:56:00.491: %DTLS-5-ALERT: Received WARNING : Close notify alert from 192.168.6.30

Feb 19 14:56:00.491: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.6.30:5246

Feb 19 14:56:00.554: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255

Feb 19 14:56:00.689: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down

Feb 19 14:56:00.689: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down

--------------------------------------------------

AND

the vwlc says : (no hash in there...)

*spamApTask1: Feb 19 16:08:04.327: Invalid channel 1 spacified for the AP AP0021.d837.1eea, slotId = 0

*spamApTask1: Feb 19 16:08:04.327: Invalid channel 44 spacified for the AP AP0021.d837.1eea, slotId = 1

along with :

---------------------------------------

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: called to evaluate

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCertFromCID: called to get cert for CID 1e6401b5

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultIdCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCertFromCID: comparing to row 2, certname >cscoDefaultIdCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: called to evaluate

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetSshPrivateKeyFromCID: called to get key for CID 1e6401b5

*spamApTask1: Feb 19 15:58:36.986: sshpmGetSshPrivateKeyFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetSshPrivateKeyFromCID: comparing to row 1, certname >bsnDefaultIdCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetSshPrivateKeyFromCID: comparing to row 2, certname >cscoDefaultIdCert<

*spamApTask1: Feb 19 15:58:36.986: sshpmGetSshPrivateKeyFromCID: match in row 2

*spamApTask1: Feb 19 15:58:37.145: sshpmGetIssuerHandles: locking ca cert table

*spamApTask1: Feb 19 15:58:37.145: sshpmGetIssuerHandles: calling x509_alloc() for user cert

*spamApTask1: Feb 19 15:58:37.145: sshpmGetIssuerHandles: calling x509_decode()

*spamApTask1: Feb 19 15:58:37.146: sshpmGetIssuerHandles: C=US, ST=California, L=San Jose, O=Cisco Systems, CN=C1130-0021d8371eea, MAILTO=support@cisco.com

*spamApTask1: Feb 19 15:58:37.146: sshpmGetIssuerHandles:   O=Cisco Systems, CN=Cisco Manufacturing CA

*spamApTask1: Feb 19 15:58:37.146: sshpmGetIssuerHandles: Mac Address in subject is 00:21:d8:37:1e:ea

*spamApTask1: Feb 19 15:58:37.146: sshpmGetIssuerHandles: Cert Name in subject is C1130-0021d8371eea

*spamApTask1: Feb 19 15:58:37.146: sshpmGetIssuerHandles: Cert is issued by Cisco Systems.

*spamApTask1: Feb 19 15:58:37.146: sshpmGetCID: called to evaluate

*spamApTask1: Feb 19 15:58:37.146: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*spamApTask1: Feb 19 15:58:37.146: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*spamApTask1: Feb 19 15:58:37.146: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*spamApTask1: Feb 19 15:58:37.146: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*spamApTask1: Feb 19 15:58:37.146: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*spamApTask1: Feb 19 15:58:37.146: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*spamApTask1: Feb 19 15:58:37.146: sshpmGetCertFromCID: called to get cert for CID 2e935675

*spamApTask1: Feb 19 15:58:37.146: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<

*spamApTask1: Feb 19 15:58:37.146: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<

*spamApTask1: Feb 19 15:58:37.146: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<

*spamApTask1: Feb 19 15:58:37.146: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<

*spamApTask1: Feb 19 15:58:37.146: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<

*spamApTask1: Feb 19 15:58:37.146: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<

*spamApTask1: Feb 19 15:58:37.146: ssphmUserCertVerify: calling x509_decode()

*spamApTask1: Feb 19 15:58:37.147: ssphmUserCertVerify: user cert verfied using >cscoDefaultMfgCaCert<

*spamApTask1: Feb 19 15:58:37.147: sshpmGetIssuerHandles: ValidityString (current): 2013/02/19/14:58:37

*spamApTask1: Feb 19 15:58:37.147: sshpmGetIssuerHandles: ValidityString (NotBefore): 2008/08/08/14:41:43

*spamApTask1: Feb 19 15:58:37.147: sshpmGetIssuerHandles: ValidityString (NotAfter): 2018/08/08/14:51:43

*spamApTask1: Feb 19 15:58:37.147: sshpmGetIssuerHandles: getting cisco ID cert handle...

*spamApTask1: Feb 19 15:58:37.147: sshpmGetCID: called to evaluate

*spamApTask1: Feb 19 15:58:37.147: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*spamApTask1: Feb 19 15:58:37.147: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*spamApTask1: Feb 19 15:58:37.147: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*spamApTask1: Feb 19 15:58:37.147: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*spamApTask1: Feb 19 15:58:37.147: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*spamApTask1: Feb 19 15:58:37.147: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*spamApTask1: Feb 19 15:58:37.147: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<

*spamApTask1: Feb 19 15:58:37.147: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<

*spamApTask1: Feb 19 15:58:37.147: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<

*spamApTask1: Feb 19 15:58:37.147: sshpmFreePublicKeyHandle: called with 0x2b8c22bf83e8

*spamApTask1: Feb 19 15:58:37.147: sshpmFreePublicKeyHandle: freeing public key

Highlighted
Beginner

Re: AP 1131AG cannot upgrade from version3.0.51.0 to 7.3.101.0 (

I have something new to show up. Juste take a look at attached file ?

What's the problem with radius ?

What's the Regulatory domain check ? ( I am in France, the AP come from the US, vwlc code is FR ) (something missing in vwlc during the setup ?)

thank you all for helping, I am desesperate trying to fix this problem...

I hate X509...

V.

Highlighted
Beginner

Re: AP 1131AG cannot upgrade from version3.0.51.0 to 7.3.101.0 (

Turned the vwlc to "US" as the AP is a "AG-A-K9"

....

does not improve the case !!

....

Highlighted
Beginner

Re: AP 1131AG cannot upgrade from version3.0.51.0 to 7.3.101.0 (

OK guys, finally got it right  !!!!!

After the country code has been changed to US, I had this message while the AP reboots :

----------------------------

*Feb 18 15:20:08.916: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to resetlwapp_crypto_init: MIC Present and Parsed Successfully

-----------------------------

I've just add the AP's mac address with certificate type "MIC" in Security>AAA>AP Policies.

Now the AP has joined !!!

To summarize :

for an AP 1131-AG-A-K9 to join a vwlc :

- IOS c1130-k9w8-mx.124-25e.JAL

- Country code : set the same code on the AP and the controler

- Add the MAC address in AP Policies along with MIC as the certificate type.

Thanks to all of you for helping.

V.

Beginner

AP 1131AG cannot upgrade from version3.0.51.0 to 7.3.101.0 (vwlc

Hi There,

I had the same issue , I spent two weeks trying and trying !! till I lost the hope.

I was trying using "c1130-k9w7-tar.124-25d.JA".

I will give it try again .....

Thanks.

WM

CreatePlease to create content
Content for Community-Ad

August's Community Spotlight Awards