Aaron
Cisco Employee

Update

As of 2-Dec-2022, the 8.10.181.3 Escalation Special has been superseded by the 8.10.182.0 public release.  8.10.181.3 will continue to be TAC supported, but customers should upgrade to 8.10.182.0 or above when convenient.

8.10.181.3, 8.10.182.0 and above contain the following bugfixes:

CSCwd37092 Slow TCP downloads, failing EAP-TLS in 8.10.181.0/17.3.6 - 2800/3800/4800/1562/6300 series
CSCwc78435 9130 sending incorrect channel list on out of band DFS event causing client connectivity issues

Comments
Rich R
VIP

My original comment here was removed as I seemed to be mistaken according to the bug notes!
But actually it turns out that "config ap cert-expiry-ignore mic enable" will not work for most APs after all - see the latest comments below.

Aaron
Cisco Employee

All: we are actively working on messaging the CSCwd80290 IOS AP image Dec. 4 cert expiry issue.  We will have a Field Notice on it published soon.

@Rich R: "config ap cert-expiry-ignore mic enable" does help with this issue, as long as you push it out to the APs before they get into the bad state (i.e. before you do the code upgrade.)  Once they're in the bad state (i.e. the WLC clock is after Dec. 4, and the APs are in a download loop), configuring this command won't fix them; you'll have to set the clock back, and then the APs will finish downloading, reboot, and rejoin, and then they will get the "config ap cert-expiry-ignore" setting ... so then the next time that they need to upgrade/downgrade/join a 9800, they'll be OK.

Rich R
VIP

@Aaron so we now have a TAC case open for this as "config ap cert-expiry-ignore mic enable" does not seem to work for APs with SHA-2 certificates.  Some APs (older maybe?) default to using SHA-1 which works (and I don't think config ap cert-expiry-ignore mic enable makes any difference to that) while others default to using SHA-2 and fail even with the config ap cert-expiry-ignore mic enable configured.

Rich R
VIP

Thanks @patoberli. Interesting that that makes no mention of config ap cert-expiry-ignore mic enable…

Aaron
Cisco Employee

@Rich R: that's really excellent analysis - our preliminary testing indicated that "config ap cert-expiry-ignore mic enable" was an effective workaround, but, upon further testing and analysis, we found that indeed it may work on SHA-1 APs, but not on SHA-2 APs (actually it's more complicated than that). So our general guidance for now is just to turn back the clock till the APs download and rejoin.

A field notice is forthcoming soon, as will be software respins.  (It never rains but it pours!)
