11-03-2022 10:19 AM - edited 05-01-2023 03:39 PM
As of 2-Dec-2022, the 8.10.181.3 Escalation Special has been superseded by the 8.10.182.0 public release. 8.10.181.3 will continue to be TAC supported, but customers should upgrade to 8.10.182.0 or above when convenient.
8.10.181.3, 8.10.182.0 and above contain the following bugfixes:
CSCwd37092 Slow TCP downloads, failing EAP-TLS in 8.10.181.0/17.3.6 - 2800/3800/4800/1562/6300 series
CSCwc78435 9130 sending incorrect channel list on out of band DFS event causing client connectivity issues
My original comment here was removed as I seemed to be mistaken according to the bug notes!
But actually it turns out that "config ap cert-expiry-ignore mic enable" will not work for most APs after all - see the latest comments below.
All: we are actively working on messaging the CSCwd80290 IOS AP image Dec. 4 cert expiry issue. We will have a Field Notice on it published soon.
@Rich R: "config ap cert-expiry-ignore mic enable" does help with this issue, as long as you push it out to the APs before they get into the bad state (i.e. before you do the code upgrade). Once they're in the bad state (i.e. the WLC clock is after Dec. 4, and the APs are in a download loop), configuring this command won't fix them; you'll have to set the clock back, and then the APs will finish downloading, reboot, and rejoin, and then they will get the "config ap cert-expiry-ignore" setting ... so then the next time that they need to upgrade/downgrade/join a 9800, they'll be OK.
@Aaron so we now have a TAC case open for this as "config ap cert-expiry-ignore mic enable" does not seem to work for APs with SHA-2 certificates. Some APs (older maybe?) default to using SHA-1 which works (and I don't think config ap cert-expiry-ignore mic enable makes any difference to that) while others default to using SHA-2 and fail even with the config ap cert-expiry-ignore mic enable configured.
Thanks @patoberli Interesting that that makes no mention of config ap cert-expiry-ignore mic enable…
@Rich R: that's really excellent analysis - our preliminary testing indicated that "config ap cert-expiry-ignore mic enable" was an effective workaround, but, upon further testing and analysis, we found that indeed it may work on SHA-1 APs, but not on SHA-2 APs (actually it's more complicated than that). So our general guidance for now is just to turn back the clock till the APs download and rejoin.
A field notice is forthcoming soon, as will be software respins. (It never rains but it pours!)