cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9452
Views
6
Helpful
7
Replies

2700 AP stuck "downloading" loop on C9800 WLC

Charlie Grey
Level 1
Level 1

hi,

2700 AP forever stuck downloading..

C9800 WLC is on 17.3.x software.

below are the logs. think is the MIC on the AP expired.

Any advise?

extracting ap3g2-k9w8-mx.153-3.JPJ9/R2.bin (15184 bytes)!!
extracting info.ver (291 bytes)
*Dec 7 03:11:22.359: Currently running a Release Image

*Dec 7 03:11:22.379: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_record.c:169 Pkt too old last_seq_num : 11109,Received sequence num: 1 distance: -11108
*Dec 7 03:11:22.383: Using SHA-2 signed certificate for image signing validation.
*Dec 7 03:11:22.451: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 4E78A210000000000007) has expired. Validity period ended on 21:43:46 UTC Dec 4 2022
*Dec 7 03:11:22.451: Image signing certificate validation failed (1A).

*Dec 7 03:11:22.455: Failed to validate signature
*Dec 7 03:11:22.455: Digital Signature Failed Validation (flash:/update/ap3g2-k9w8-mx.153-3.JPJ9/final_hash)
*Dec 7 03:11:22.455: AP image integrity check FAILED
Aborting Image Download


Download image failed, notify controller!!! From:8.5.151.0 to 17.3.6.76, FailureCode:3

 

 

 

 

 

2 Accepted Solutions
7 Replies 7

Arshad Safrulla
VIP Alumni
VIP Alumni
This is a known ongoing issue for Cisco for now, I am not sure any FN or bug has been created by Cisco. Advise given to us was to stop all the WLC upgrades whatever the code until further notice only if you have any WAVE1. (X700 series APs)

Fix is change the time, you may have yo rewind it by couple of years. Reach out to TAC for further assistance

CSCwd80290, there should be a Field Notice soon.

jtrombley
Level 1
Level 1

Wow, I have been banging my head on a wall trying to get an AP added to our WLC since 12/6 (the same day as the bug).  Re-image the AP, factory reset, converted to Auto mode and back to Lightweight.  Then I noticed the cert error on the console log.  Google brought me here.  Reset time to Jan 2022 and the AP joined!  Thanks for posting this question and thanks for the work-around!  Now I have a couple of days to catch up on...

athan1234
Level 3
Level 3

Hello

I experience the same issue. What would happen if I modified the controller's date while having 65 working AP and only 9 having the bug? Will the rest of Ap experience any effects, when I altered the controller's date?

@athan1234 , When I was having the issue, I was configuring a backup unit.  it was not production.  There was only 1 AP associated to the WLC.  As I understand it, the issue is due to the controller trying to verify the expired certificate, which fails.  I don't think the date should affect APs that are already joined.  However, I am not sure, so hopefully someone else can confirm.  If not, you may want to try after hours, but I think you will be okay to temporarily change.

Agreed should not impact APs already joined but might have other unpredictable effects so do it during down-time hours.

But the *real* solution is upgrading the software to eliminate the problem completely.  Refer to TAC recommended link below - currently 17.9.3 would be best.

Review Cisco Networking for a $25 gift card