04-25-2018 02:25 PM - edited 07-05-2021 08:34 AM
Hi, my question is how we can upgrade firmware of Air AP 1242AG-E-K9 ?
I am with these things:
-Cisco console cable
-Cisco Air AP 1242AG-E-K9
-Cisco Poe adapter
-Cisco AP antennas
- And I am with access to Cisco resources to download firmwares.
But how I can install new firmware?
Am I on the right way?
First I find that link:
https://www.cisco.com/c/en/us/support/wireless/aironet-1240-ag-access-point/model.html#~tab-downloads
I want Lightweight AP IOS Software.
And I should download it:
Solved! Go to Solution.
04-27-2018 06:43 AM
1. Aironet 1240 AG Series Access Points allow for operation at temperatures as low as
-20°C (-4°F) while the connectorized version of the Cisco Aironet 1000 Series Access Point (AP1020) provides a 0°C (32°F) minimum operating temperature. This difference can be critical in certain operating environments.
Please go through this for upgrading Air AP 1242AG-E-K9 How to upgrade firmware lightweight.
04-27-2018 03:22 PM
04-29-2018 02:07 AM
04-29-2018 02:25 AM
@tanner.zaitt wrote:
Now the AP 1242 is with Lightweight IOS and now search and see WLC but can't connect .
Console into the AP and reboot. Post the entire boot-up process.
We want to see what the AP is doing.
04-29-2018 02:40 AM
04-29-2018 03:01 AM
@tanner.zaitt wrote:
Received FATAL : Certificate unknown alert
Bad certificate alert received from peer
You really, really need to read this: FN - 63942 - Wireless Lightweight Access Points and WLAN Controllers Fail to Create CAPWAP/LWAPP Connections Due to Certificate Expiration - Software Upgrade Recommended
The AP is probably >10 years old and the MIC has expired. This is why the AP won't join the controller.
04-29-2018 03:06 AM - edited 04-29-2018 03:26 AM
Thank you so much !
You are right.
My AP is too old:
https://www.cisco.com/c/en/us/products/collateral/collaboration-endpoints/unified-ip-phone-7900-series/end_of_life_notice_c51-726425.html
I read what you posted me.
I will try this:
"This workaround should only be used in order to allow the APs with expired certificates to join the WLCs just long enough to upgrade the software.
If the certificates have expired, disable Network Time Protocol (NTP), and then change the WLC clock time to a recent earlier time when the certificates were still valid. If you set the clock back too far, the newer APs might not be able to join. Once the software has been upgraded, and the affected APs have joined, the WLC clock should be reset to the valid time."
But before try it I will try this:
(WLC)>config ap cert-expiry-ignore {mic|ssc} enable
With few words this is the way to connect AP with expired certificate?
05-13-2018 12:39 AM - edited 05-13-2018 01:36 AM
Hi I need your help because I am not sure in myself.
I didn't do anything with WLC, because it is in production environment.
Can you tell me someone what will happen if I change date of WLC to past date where AP with expired certificate will valid and they will talk each other and AP will join to WLC?
What will happen to other APs that already joined to WLC while I do this change with date?
And If AP is joined with expired certs and another AP's not affected of these changes, what will happen when I set the actually date and time?
And the same question what will happen if I use this command in WLC :
(WLC)>config ap cert-expiry-ignore {mic|ssc} enable
And join AP and after that if I use this command:
(WLC)>config ap cert-expiry-ignore {mic|ssc} disable
I only think what will happen but I am not sure :
If I set WLC to ignore expired certs, then the AP will join to WLC and WLC will load in to AP new IOS with valid certs I am right?
And now I can disable ignoring expired certs?
The WLC is 5500 series.
I tried to install the newest and the oldest IOS for this AP, but it didn't help, only I receive IP address from dhcp of vlan network of WLC and I receive errors with certificates.
Is it possible to write new valid certificates in AP?
Or delete expired certificates and export from another AP valid certificates and import them in this AP ?
My question with one sentence is how can I join this AP with expired certs to WLC elegantly without break production environment ?
Notes about troubleshooting and gathering information:
Ignoring expired certs:
For Version 7.0.252.0, use this command:
(WLC)>config ap lifetime-check {mic|ssc} enable
For Versions 7.4.140.0 and later, use this command:
(WLC)>config ap cert-expiry-ignore {mic|ssc} enable
Finding SN to identify from Cisco web site information of certificates status
(Cisco Controller) >show ap inventory all Inventory for lap1130-sw3-9 NAME: "Cisco AP" , DESCR: "Cisco Wireless Access Point" PID: AIR-LAP1131AG-E-K9, VID: V01, SN: FCZ1128Q0PE NAME: "Dot11Radio0" , DESCR: "802.11G Radio" PID: UNKNOWN, VID: , SN: GAM112706LC? NAME: "Dot11Radio1" , DESCR: "802.11A Radio" PID: UNKNOWN, VID: , SN: ALP112706LC
To find in AP information about MICs (Manufacturer Installed Certificates):
AP_CLI#show crypto pki certificates CA Certificate Status: Available... ... Certificate Status: Available Certificate Serial Number: 728AF4350000001E4C89 Certificate Usage: General Purpose Issuer: cn=Cisco Manufacturing CA o=Cisco Systems Subject: Name: C1130-001c58b5b3a4 ea=support@cisco.com cn=C1130-001c58b5b3a4 o=Cisco Systems l=San Jose st=California c=US CRL Distribution Points: http://www.cisco.com/security/crl/cmca.crl Validity Date: start date: 04:22:10 UTC Jul 11 2007 end date: 04:32:10 UTC Jul 11 2017 Associated Trustpoints: Cisco_IOS_MIC_cert
To find information about SSCs (Self-Signed Certificates):
AP_CLI >show auth-list ... AP with Self-Signed Certificate................ yes ... All AP SSCs have an expiration date of January 1, 2020.
Find WLC serial number:
WLC_CLI>show inventory Burned-in MAC Address............................ 24:E9:B3:43:C4:E0 Maximum number of APs supported.................. 75 NAME: "Chassis" , DESCR: "Cisco 2500 Series Wireless LAN Controller" PID: AIR-CT2504-K9, VID: V04, SN: PSZ17441ANT
To see all certificates in WLC:
WLC_CLI: show certificate all Certificate Name: Cisco SHA1 device cert Subject Name : C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AIR-CT2504-K9-d0c282d65a20, MAILTO=support@cisco.com Issuer Name : O=Cisco Systems, CN=Cisco Manufacturing CA Serial Number : 454384735992863371807890 Validity : Start : 2011 Jul 26th, 20:17:17 GMT End : 2021 Jul 26th, 20:27:17 GMT Signature Algorithm : rsa-pkcs1-sha1 Hash key : SHA1 Fingerprint : 98:89:eb:12:2a:98:bc:fe:ad:5b:8f:23:63:0f:47:d1:36:ce:f5:be MD5 Fingerprint : ba:f3:98:9a:cd:f8:01:08:84:b8:66:3c:6a:6c:d3:05
05-14-2018 10:36 PM - edited 05-14-2018 10:37 PM
I solve my problem completely....
Just I removed all content from flash memory of AP1242AG exclude the current IOS Image.
I used to transfer c1240-k9w7-tar.124-25d.JA2.tar with Hyper Terminal xmodem 1k protocol in special mode where the host name of ap is "ap:".
This mode is accessible while turn on AP, holding 20 seconds mode button.
I run command :
set BAUD 115200
Then I run:
copy xmoedm: flash: <name of IOS.tar>
I started Hyper Terminal and send the IOS.tar file.
After ten minutes, my IOS.tar file is there.
I reloaded the the AP with current IOS and run:
debug lwapp client no-reload
debug capwap console cli
archive download-sw /force-reload /overwrite flash:/IOS.tar
Now I am ready with the latest IOS LW for AP!
Now we update WLC with the latest IOS where the command:
(WLC)>config ap cert-expiry-ignore {mic|ssc} enable
Is supported!
And now we can join AP to the WLC successfully.
My mistakes are to much:
I transferred ios to ap with tftp with udp, it's not good practice.
I transferred only one file, only the ios without other files from archive and that is my wrong.
And finally when I do it with right way with Hyper Terminal and with archive of IOS in .tar everything is okay.
08-06-2021 07:58 AM
Looking for latest lightweight firmware. c1240-k9w8-tar.124-25e.JAP12.tar or newer. Air AP 1242AG-E-K9 is not supported.(
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide