5520 to 9800 migration and AP image certificate issues

rajitoor55
Level 1

We are about to start the migration from 5520 AireOS to 9800-40 IOS-XE.

To test, I attempted to move a couple of 2702I APs by blocking AP communication to the old WLCs, because the APs just won't forget the old controllers.

With the current clock time, the APs won't register to the new WLC and get stuck in downloading, and the AP log shows image verification failed because the cert expired on Dec 4 2022.

The DTLS cert for CAPWAP has a start date of 24 Dec 2022, which allows the CAPWAP tunnel to be established for image downloading.

The AP keeps repeating this process in a loop.

How it's working for me:

  1. Remove NTP from the WLC.
  2. Manually set the WLC clock to after Dec 24 2022.
  3. I let the AP attempt to make a connection to the WLC and let it start the download.
  4. After that, I change the clock on the WLC to be before Dec 4 2022; this allows image verification on the AP to pass and the upgrade to proceed.
  5. I again manually set the clock to be after Dec 24 2022, so the APs can create the CAPWAP tunnel and join the new WLC.
  6. The AP finally registers to the new WLC.

If there is no other way, I would have to repeat the same for all the 150+ APs. I am also thinking of upgrading the old WLCs to 8.10.183 for the mobility tunnel; maybe that is the way to go and resolves the certificate issues as well. I am not sure.

I also saw another issue: when upgrading the WLC to 17.3.6 from 17.3.4, APs that were on 17.3.4 would still exhibit the same behavior and I had to move the clocks again, which I thought would get resolved after upgrading to 17.3.4 from 8.5.161.

I also notice the APs still continue to attempt to reach the old controllers even after they have successfully registered to the new WLC.

Any help to ease the process and any potential future upgrade issues.

Thanks

Accepted Solutions

Refer below

https://www.cisco.com/c/en/us/support/docs/wireless/aironet-700-series-access-points/218447-ios-ap-image-download-fails-due-to-expir.html 

I would upgrade the 5520 to 8.10.183.0, which has the fix for the cert issue.

Regarding the 9800 code version, I would suggest going to 17.9.3 as it supports Wave 1 APs. (17.3.x last supported 31st March 2023, and no more maintenance releases are expected)

https://mrncciew.com/2023/03/20/9800-wave-1-ap-support/

HTH
Rasika
*** Pls rate all useful responses ***

5 Replies

@Rasika Nayanajith I upgraded the WLCs to 17.9.3 and I am able to join APs to the 9800 now, without having to change NTP. Thanks for pointing to that.

Would there be any reason to still upgrade the old WLCs to 8.10.183?

If you ever want to use the 5520 as a backup, then I would get it upgraded to 8.10.183.0. Otherwise simply migrate the APs to the 9800 without worrying about the 5520 code upgrade.

HTH
Rasika
*** Pls rate all useful responses ***

Hi @rajitoor55

Let’s say that I have a 3802i AP connected to a 5520 controller, and the controller is replaced by a 9800 series controller with the same IP address while the AP is online.
Does the 3802i AP notice that its CAPWAP tunnel is broken, try to re-establish connectivity, and then notice that it is connected to a newer controller that requires the AP to receive a code upgrade?

Yes, the 5520 and 9800 have two different images for APs, so it needs to get the image from the 9800.

HTH
Rasika
